Welcome to the July 2022 report from the Reproducible Builds project!
In our reports we attempt to outline the most relevant things that have been going on in the past month. As a brief introduction, the reproducible builds effort is concerned with ensuring that no flaws have been introduced during the compilation process, by promising that identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised. As ever, if you are interested in contributing to the project, please visit our Contribute page on our website.
Reproducible Builds summit 2022
Despite several delays, we are pleased to announce that registration is open for our in-person summit this year:
The event will happen in Venice (Italy). We intend to pick a venue reachable via the train station and an international airport. However, the precise venue will depend on the number of attendees.
Please see the announcement email for information about how to register.
Ludovic Courtès published an informative blog post this month asking the important question: Is reproducibility practical?:
Our attention was recently caught by a nice slide deck on the methods and tools for reproducible research in the R programming language. Among those, the talk mentions Guix, stating that it is “for professional, sensitive applications that require ultimate reproducibility”, which is “probably a bit overkill for Reproducible Research”. While we were flattered to see Guix suggested as a good tool for reproducibility, the very notion that there’s a kind of “reproducibility” that is “ultimate” and, essentially, impractical, is something that left us wondering: What kind of reproducibility do scientists need, if not the “ultimate” kind? Is “reproducibility” practical at all, or is it more of a horizon?
The post goes on to outline the concept of reproducibility, situating examples within the context of the GNU Guix operating system.
diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 220 to Debian, as well as made the following changes:
On our mailing list this month:
Roland Clobus posted his Eleventh status update about reproducible [Debian] live-build ISO images, noting — amongst many other things! — that “all major desktops build reproducibly with bullseye, bookworm and sid.”
Santiago Torres-Arias announced a Call for Papers (CfP) for a new SCORED conference, an “academic workshop around software supply chain security”. As Santiago highlights, this new conference “invites reviewers from industry, open source, government and academia to review the papers [and] I think that this is super important to tackle the supply chain security task”.
The Reproducible Builds project attempts to fix as many currently-unreproducible packages as possible. This month, we submitted the following patches:
Bernhard M. Wiedemann
- openSUSE monthly report
- acarsdec (embeds CPU info with
- casacore (embeds CPU info with
- kubernetes (uses random name of temporary directory)
- sysstat (FTBFS in ‘single CPU’ mode)
- sundials (FTBFS in ‘single CPU’ mode)
- nim (FTBFS in ‘single CPU’ mode)
- jsonrpc-glib (FTBFS in ‘single CPU’ mode)
- slurm (Link-Time Optimisation and
- wasi-libc (sort the output from
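Two of the issue classes in the list above (unstable output ordering and a randomly named temporary directory leaking into the artifact) can be shown with a toy build that is run twice under different conditions and compared by hash. This is an added example, not code from any of the patches listed; the file names, `build()` and `rebuild_and_compare()` are hypothetical, and the `SOURCE_DATE_EPOCH` constant stands in for the environment variable of the same name.

```python
import hashlib
import io
import os
import random
import tarfile
import tempfile

# Constructed sample source tree; not taken from any real package.
SOURCES = {"main.c": b"int main(void) { return 0; }\n",
           "util.c": b"int util(void) { return 1; }\n",
           "README": b"toy project\n"}
SOURCE_DATE_EPOCH = 1659312000  # fixed timestamp shared by every rebuilder

def build(reproducible, seed, clock):
    """Toy build: pack SOURCES and a generated manifest into a tar archive.

    seed and clock stand in for what varies between two build hosts:
    directory listing order and wall-clock time.
    """
    workdir = tempfile.mkdtemp(prefix="build-")  # randomly named on every run
    os.rmdir(workdir)                            # only the name matters here
    names = list(SOURCES)
    random.Random(seed).shuffle(names)           # unordered readdir() result
    if reproducible:
        names.sort()                             # stable ordering
        mtime, origin = SOURCE_DATE_EPOCH, "."   # pinned time, no build path
    else:
        mtime, origin = clock, workdir
    manifest = "".join(f"{origin}/{n}\n" for n in names).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [(n, SOURCES[n]) for n in names] + [("MANIFEST", manifest)]:
            info = tarfile.TarInfo(name)         # uid/gid default to 0, owner to ""
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def rebuild_and_compare(reproducible):
    """Build twice under different conditions; return both SHA-256 digests."""
    first = build(reproducible, seed=1, clock=1657000000)
    second = build(reproducible, seed=2, clock=1658000000)
    return hashlib.sha256(first).hexdigest(), hashlib.sha256(second).hexdigest()

if __name__ == "__main__":
    for mode in (False, True):
        a, b = rebuild_and_compare(mode)
        print("normalised" if mode else "naive", "identical" if a == b else "DIFFERS")
```

When the two digests differ, the archives are the kind of input a content-aware diff tool such as diffoscope is meant to explain.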
reprotest is the Reproducible Builds project’s end-user tool to build the same source code twice in widely and deliberately different environments, and then check whether the binaries produced by the builds have any differences. This month, the following changes were made:
Reproducible builds website
A number of changes were made to the Reproducible Builds website and documentation this month, including:
- Correct some grammar. […]
- Add talk from FOSDEM 2015 presented by Holger and Lunar. […]
- Show date of presentations if we have them. […][…]
- Add my presentation from DebConf22 […] and from Debian Reunion Hamburg 2022 […].
- Add dhole to the speakers of the DebConf15 talk. […]
- Add raboof’s talk “Reproducible Builds for Trustworthy Binaries” from May Contain Hackers. […]
- Drop some Debian-related suggested ideas which are not really relevant anymore. […]
- Add a link to list of packages with patches ready to be NMUed. […]
The Reproducible Builds project runs a significant testing framework at tests.reproducible-builds.org, to check packages and other artifacts for reproducibility. This month, Holger Levsen made the following changes:
- Create graphs displaying existing .buildinfo files per each Debian suite/arch. […][…]
- Fix a typo in the Debian dashboard. […][…]
- Fix some issues in the pkg-r package set definition. […][…][…]
- Improve the “builtin-pho” HTML output. […][…][…][…]
- Temporarily disable all live builds as our snapshot mirror is offline. […]
Automated node health checks:
- Test that FreeBSD virtual machine has been updated to version 13.1. […]
- Add a reminder about powercycling the
- Fix a number of typos. […][…]
- Update documentation. […][…]
- Fix Munin monitoring configuration for some nodes. […]
- Fix the static IP address for a node. […]
As ever, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via: