Welcome to the October 2020 report from the Reproducible Builds project.
In our monthly reports, we outline the major things that we have been up to over the past month. As a brief reminder, the motivation behind the Reproducible Builds effort is to ensure that no flaws have been introduced into the binaries we install on our systems. If you are interested in contributing to the project, please visit our main website.
General
On Saturday 10th October, Morten Linderud gave a talk at Arch Conf Online 2020 on The State of Reproducible Builds in Arch. The video should be available later this month, but as a teaser:
The previous year has seen great progress in Arch Linux to get reproducible builds in the hands of the users and developers. In this talk we will explore the current tooling that allows users to reproduce packages, the rebuilder software that has been written to check packages and the current issues in this space.
During the Reproducible Builds summit in Marrakesh in 2019, developers from the GNU Guix, NixOS and Debian distributions were able to produce a bit-for-bit identical GNU Mes binary despite using three different versions of GCC. Since this summit, additional work resulted in a bit-for-bit identical Mes binary using tcc, and last month a fuller update was posted to this effect by the individuals involved. This month, however, David Wheeler updated his extensive page on Fully Countering Trusting Trust through Diverse Double-Compiling, remarking that:
GNU Mes rebuild is definitely an application of [Diverse Double-Compiling]. [..] This is an awesome application of DDC, and I believe it’s the first publicly acknowledged use of DDC on a binary
There was a small follow-up discussion on our mailing list.
In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update.
This month, the Reproducible Builds project restarted our IRC meetings, managing to convene twice: the first time on October 12th (summary & logs), and later on the 26th (logs). As mentioned in previous reports, due to the unprecedented events throughout 2020, there will be no in-person summit event this year.
On our mailing list this month, Elías Alejandro posted a request for help with a local configuration.
Debian-related work
In August, Lucas Nussbaum performed an archive-wide rebuild of packages to test enabling the reproducible=+fixfilepath Debian build flag by default. Enabling this fixfilepath feature will likely fix reproducibility issues in an estimated 500-700 packages. However, this month Vagrant Cascadian posted to the debian-devel mailing list:
It would be great to see the reproducible=+fixfilepath feature enabled by default in dpkg-buildflags, and we would like to proceed forward with this soon unless we hear any major concerns or other outstanding issues. […] We would like to move forward with this change soon, so please raise any concerns or issues not covered already.
Debian Developer Stuart Prescott has been improving python-debian, a Python library that is used to parse Debian-specific files such as changelogs, .dscs, etc. In particular, Stuart is working on adding support for .buildinfo files used for recording reproducibility-related build metadata:
This can mostly be a very thin layer around the existing Deb822 types, using the existing Changes code for the file listings, the existing PkgRelations code for the package listing and gpg_* functions for signature handling.
A total of 159 Debian packages were categorised, 69 had their categorisation updated, and 33 had their classification removed this month, adding to our knowledge about identified issues. As part of this, Chris Lamb identified and classified two new issues: build_path_captured_in_emacs_el_file and rollup_embeds_build_path.
Software development
This month, we tried to fix a large number of currently-unreproducible packages, including:
- Bernhard M. Wiedemann:
  - go (version 1.15.3 has improved reproducibility over 1.14)
  - goxel (sort SCons-related filesystem ordering issue)
  - lal (rework an old date-related patch)
  - lalmetaio (date)
  - libsemigroups (build failure in single-CPU mode)
  - memcached (build failure in 2025 due to expired SSL certificate)
  - octant (SUSE-specific date issue)
  - openmpi4 (date-related problem, revive old patch)
  - sbcl (datetime and hostname issue)
  - selinux-policy/policycoreutils (date-related issue in timezone)
- Chris Lamb:
  - #970383 filed against evince (forwarded upstream).
  - #971527 filed against libsass-python (forwarded upstream).
  - #972077 filed against pitivi.
  - #972078 filed against sound-juicer.
  - #972147 filed against pcbasic.
  - #972336 filed against ora2pg (forwarded upstream).
  - #972378 filed against fckit.
  - #972493 filed against gita.
  - #972494 filed against libgrokj2k.
  - #972496 filed against softether-vpn.
  - #972559 filed against perl.
  - #972561 filed against ruby-appraiser.
  - #972562 filed against gmerlin-avdecoder.
  - #972631 filed against node-proxy.
  - #972668 filed against yard.
  - #972861 filed against emacs.
  - #972930 filed against netcdf-parallel.
  - #965255 re-opened with new patch (dh-fortran-mod).
Bernhard M. Wiedemann also reported three issues against bison, ibus and postgresql12.
Tools
diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it also provides human-readable diffs of all kinds. This month, Chris Lamb uploaded version 161 to Debian (later backported by Mattia Rizzolo) and made the following changes:
- Move test_ocaml to the assert_diff helper. […]
- Update tests to support OCaml version 4.11.1. Thanks to Sebastian Ramacher for the report. (#972518)
- Bump minimum version of the Black source code formatter to 20.8b1. (#972518)
In addition, Jean-Romain Garnier temporarily updated the dependency on radare2 to ensure our test pipelines continue to work […], and Vagrant Cascadian updated diffoscope to version 161 in the GNU Guix distribution […].
In related development, trydiffoscope is the web-based version of diffoscope. This month, Chris Lamb made the following changes:
- Mark a --help-only test as being a ‘superficial’ test. (#971506)
- Add a real, albeit flaky, test that interacts with the try.diffoscope.org service. […]
- Bump debhelper compatibility level to 13 […] and bump Standards-Version to 4.5.0 […].
Lastly, disorderfs version 0.5.10-2 was uploaded to Debian unstable by Holger Levsen, which enabled security hardening via DEB_BUILD_MAINT_OPTIONS […] and dropped debian/disorderfs.lintian-overrides […].
Website and documentation
This month, a number of updates to the main Reproducible Builds website and related documentation were made by Chris Lamb:
- Added a citation link to the academic article regarding dettrace […], and added yet another supply-chain security attack publication […].
- Reformatted the Jekyll Liquid templating language and CSS formatting to be consistent […] as well as expanded a number of tab characters […].
- Used relative_url to fix a missing translation icon on various pages. […]
- Published two announcement blog posts regarding the restarting of our IRC meetings. […][…]
- Added an explicit note regarding the lack of an in-person summit in 2020 to our events page. […]
Testing framework
The Reproducible Builds project operates a Jenkins-based testing framework that powers tests.reproducible-builds.org. This month, Holger Levsen made the following changes:
- Debian-related changes:
- System health checks:
- Misc:
  - Make a number of updates to reflect that our sponsor Profitbricks has renamed itself to IONOS. […][…][…][…]
  - Run an F-Droid maintenance routine twice a month to utilise its cleanup features. […]
  - Fix the target name in OpenWrt builds to ath79 from ath97. […]
  - Add a missing Postfix configuration for a node. […]
  - Temporarily disable Arch Linux builds until a core node is back. […]
  - Make a number of changes to our “thanks” page. […][…][…]
Build node maintenance was performed by both Holger Levsen […][…] and Vagrant Cascadian […][…][…]. Vagrant Cascadian also updated the page listing the variations made when testing to reflect changes in build paths […], and Hans-Christoph Steiner made a number of changes for F-Droid, the free software app repository for Android devices, including:
- Do not fail reproducibility jobs when their cleanup tasks fail. […]
- Skip the libvirt-related sudo command if we are not actually running libvirt. […]
- Use direct URLs in order to eliminate a useless HTTP redirect. […]
If you are interested in contributing to the Reproducible Builds project, please visit the Contribute page on our website. You can also get in touch with us via:
- IRC: #reproducible-builds on irc.oftc.net.
- Mailing list: [email protected]
- Social media: @ReproBuilds, @[email protected] & Reddit