Welcome to the September 2022 report from the Reproducible Builds project! In our reports we try to outline the most important things that we have been up to over the past month. As a quick recap, whilst anyone may inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries. If you are interested in contributing to the project, please visit our Contribute page on our website.
David A. Wheeler reported to us that the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI) have released a document called Securing the Software Supply Chain: Recommended Practices Guide for Developers (PDF).
As David remarked in his post to our mailing list, it “expressly recommends having reproducible builds as part of ‘advanced’ recommended mitigations”. The publication of this document has been accompanied by a press release.
Holger Levsen was made aware of a small Microsoft project called oss-reproducible. Part of OSSGadget, a larger “collection of tools for analyzing open source packages”, the purpose of oss-reproducible is to:

analyze open source packages for reproducibility. We start with an existing package (for example, the NPM left-pad package, version 1.3.0), and we try to answer the question, Do the package contents authentically reflect the purported source code?

More details can be found in the README.md file within the code repository.
David A. Wheeler also pointed out that there are some potential upcoming changes to the OpenSSF Best Practices badge for open source software in relation to reproducibility. Whilst the badge programme has three certification levels (“passing”, “silver” and “gold”), the “gold” level includes the criterion that “The project MUST have a reproducible build”.
David reported that some projects have argued that this reproducibility criterion should be slightly relaxed, as outlined in an issue on the best-practices-badge GitHub project. Essentially, though, the claim is that the reproducibility requirement doesn’t make sense for projects that do not release built software, and that timestamp differences by themselves don’t necessarily indicate malicious changes. Numerous pragmatic problems around excluding timestamps were raised in the discussion of the issue.
Sonatype, a “pioneer of software supply chain management”, issued a press release this month to report that they had found:
[…] a massive year-over-year increase in cyberattacks aimed at open source project ecosystems. According to early data from Sonatype’s 8th annual State of the Software Supply Chain Report, which will be released in full this October, Sonatype has recorded an average 700% jump in repository attacks over the last three years.
More information is available in the press release.
A number of changes were made to the Reproducible Builds website and documentation this month, including Chris Lamb adding a redirect from /projects/ to /who/ in order to keep old or archived links working […], Jelle van der Waa added a Rust programming language example for SOURCE_DATE_EPOCH […][…] and Mattia Rizzolo included Protocol Labs amongst our project-level sponsors […].
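As an added example written for this page (it is neither Jelle's Rust example nor any code from the Reproducible Builds website), here is what a build that consumes SOURCE_DATE_EPOCH looks like in Python: when the variable is set it overrides the clock for every timestamp the build embeds, so two builds run at different times yield byte-identical output. The tar layout, the file contents and the `now` parameter standing in for the wall clock are constructed for the demonstration.

```python
"""Added example: honour SOURCE_DATE_EPOCH when writing timestamps into a
build artifact so that two builds at different wall-clock times produce the
same bytes.  Archive layout and contents are constructed for the demo."""
import hashlib
import io
import os
import tarfile
import time


def build_timestamp(env=None, now=None):
    """Return the timestamp a build should embed.

    Per the SOURCE_DATE_EPOCH specification the variable, when set, holds a
    non-negative integer number of seconds since the Unix epoch and must
    override any 'current time' the build would otherwise record.  When it
    is unset the build falls back to the clock (``now`` or time.time()).
    """
    env = os.environ if env is None else env
    raw = env.get("SOURCE_DATE_EPOCH")
    if raw is not None:
        value = int(raw)  # non-numeric values raise ValueError, as they should
        if value < 0:
            raise ValueError("SOURCE_DATE_EPOCH must be a non-negative integer")
        return value
    return int(time.time() if now is None else now)


def build_artifact(files, env=None, now=None):
    """Pack ``files`` ({name: bytes}) into an uncompressed tar and return it.

    Besides clamping the mtime, the other usual sources of nondeterminism in
    a tar stream are normalised: fixed owner/group, fixed mode, sorted names.
    """
    ts = build_timestamp(env, now)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = ts
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


# Constructed sample input for the demonstration.
SAMPLE_FILES = {
    "bin/tool": b"#!/bin/sh\necho hello\n",
    "share/doc/README": b"docs\n",
}


def compare_builds(env, now_a, now_b):
    """Build twice at two different 'wall-clock' times; True if identical."""
    a = build_artifact(SAMPLE_FILES, env=env, now=now_a)
    b = build_artifact(SAMPLE_FILES, env=env, now=now_b)
    return digest(a) == digest(b)


if __name__ == "__main__":
    pinned = {"SOURCE_DATE_EPOCH": "1662000000"}
    print("with SOURCE_DATE_EPOCH   :", compare_builds(pinned, 1000, 2000))  # True
    print("without SOURCE_DATE_EPOCH:", compare_builds({}, 1000, 2000))      # False
```

The second call shows the failure mode the variable exists to prevent: with nothing pinning the clock, the tar headers carry whatever time the build happened to run at, and the two artifacts no longer match.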
Debian
There was a large amount of reproducibility work taking place within Debian this month:
- The nfft source package was removed from the archive, and now all packages in Debian bookworm have a corresponding .buildinfo file. This can be confirmed and tracked on the associated page on the tests.reproducible-builds.org site.
- Vagrant Cascadian announced on our mailing list an informal online sprint to help “clear the huge backlog of reproducible builds patches submitted” by performing NMUs (Non-Maintainer Uploads). The first such sprint took place on September 22nd with the following results:
  - Holger Levsen:
    - Mailed #1010957 in man-db asking for an update and whether to remove the patch tag for now. This was subsequently removed and the maintainer started to address the issue.
    - Uploaded gmp to DELAYED/15, fixing #1009931.
    - Emailed #1017372 in plymouth and asked for the maintainer’s opinion on the patch. This resulted in the maintainer improving Vagrant’s original patch (and uploading it) as well as filing an issue upstream.
    - Uploaded time to DELAYED/15, fixing #983202.
  - Vagrant Cascadian:
    - Verified and updated patch for mylvmbackup (#782318).
    - Verified/updated patches for libranlip (#788000, #846975 & #1007137).
    - Uploaded libranlip to DELAYED/10.
    - Verified patch for cclive (#824501).
    - Uploaded cclive to DELAYED/10.
    - Vagrant was unable to reproduce the underlying issue within #791423 (linuxtv-dvb-apps) and so the bug was marked as “done”.
    - Researched #794398 (in clhep).
  The plan is to repeat these sprints every two weeks, with the next taking place on Thursday October 6th at 16:00 UTC on the #debian-reproducible IRC channel.
- Roland Clobus posted his 13th update of the status of reproducible Debian ISO images on our mailing list. During the last month, Roland ensured that the live images are now automatically fed to openQA for automated testing after they have been shown to be reproducible. Additionally, Roland asked on the debian-devel mailing list about a way to determine the canonical timestamp of the Debian archive. […]
- Following up on last month’s work on reproducible bootstrapping, Holger Levsen filed two bugs against the debootstrap and cdebootstrap utilities. (#1019697 & #1019698)
Lastly, 44 reviews of Debian packages were added, 91 were updated and 17 were removed this month, adding to our knowledge about identified issues. A number of issue types have been updated too, including the descriptions of cmake_rpath_contains_build_path […], nondeterministic_version_generated_by_python_param […] and timestamps_in_documentation_generated_by_org_mode […]. Furthermore, two new issue types were created: build_path_used_to_determine_version_or_package_name […] and captures_build_path_via_cmake_variables […].
Other distributions
In openSUSE, Bernhard M. Wiedemann published his usual openSUSE monthly report.
diffoscope
diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 222 and 223 to Debian, as well as made the following changes:
- The cbfstools utility is now provided in Debian via the coreboot-utils package, so we can enable that functionality within Debian. […]
- Looked into Mach-O support.
- Fixed the try.diffoscope.org service by addressing a compatibility issue between glibc/seccomp that was preventing the Docker-contained diffoscope instance from spawning any external processes whatsoever […]. I also updated the requirements.txt file, as some of the specified packages were no longer available […][…].
In addition, Jelle van der Waa added support for file version 5.43 […] and Mattia Rizzolo updated the packaging:

- Also include coreboot-utils in the Build-Depends and Test-Depends fields so that it is available for tests. […]
- Use pep517 and pip to load the requirements. […]
- Remove packages in Breaks/Replaces that have been obsoleted since the release of Debian bullseye. […]
Reprotest
reprotest is our end-user tool to build the same source code twice in widely and deliberately different environments, and check whether the binaries produced by the builds have any differences. This month, reprotest version 0.7.22 was uploaded to Debian unstable by Holger Levsen, which included the following changes by Philip Hands:

- Ensure that the setarch(8) utility can actually execute before including an architecture to test. […]
- Include all files matching *.*deb in the default artifact_pattern in order to archive all results of the build. […]
- Emit an error when building the Debian package if the Debian packaging version does not match the “Python” version of reprotest. […]
- Remove an unneeded invocation of the head(1) utility. […]
Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
- Bernhard M. Wiedemann (18 bugs):
  - DateTime (fails to build in 2038)
  - FreeRCT (date-related issue)
  - clanlib1 (filesystem ordering)
  - cli (fails to build in 2038)
  - deepin-gettext-tools (patch+version update toolchain sort python glob)
  - mariadb (fails to build in 2038)
  - mercurial (fails to build in 2038)
  - mirrormagic (parallelism-related issue)
  - ocaml-extlib (parallelism-related issue)
  - python-xmlrpc/python-softlayer (fails to build in 2038)
  - python (fails to build in 2038)
  - q3rally (zip-related issue)
  - rnd_jue (parallelism-related issue)
  - rsync (workaround an issue in GCC 7.x)
  - scons (SOURCE_DATE_EPOCH-related issue)
  - stratagus (date-related issue)
  - triplane (nondeterminism caused by uninitialised memory)
  - tyrquake (date-related issue)
- Chris Lamb:
  - #1019382 filed against gnome-online-accounts.
  - There was renewed activity on a reproducibility-related bug in the Sphinx documentation tool this month. Originally filed in October 2021 by Chris Lamb, the bug in question relates to contents of the LANGUAGE environment variable inconsistently affecting the output of objects.inv files.
- Jelle van der Waa:
  - mp4v2 (date-related issue)
  - mm-common (uid/gid issue)
  - aardvark-dns (date-related issue)
- Vagrant Cascadian (70 bugs!):
  - #1020648 filed against extrepo-data.
  - #1020650 filed against tmpreaper.
  - #1020651 filed against xmlrpc-epi.
  - #1020653 filed against pal.
  - #1020656 filed against nvram-wakeup.
  - #1020657 filed against netris.
  - #1020658 filed against netpbm-free.
  - #1020659 filed against lookup.
  - #1020660 filed against logtools.
  - #1020661 filed against libid3tag.
  - #1020662 filed against log4cpp.
  - #1020665 filed against libimage-imlib2-perl.
  - #1020668 filed against jnettop.
  - #1020670 filed against gwaei.
  - #1020671 filed against ipfm.
  - #1020672 filed against tarlz.
  - #1020673 filed against w3cam.
  - #1020674 filed against ifstat.
  - #1020715 filed against xserver-xorg-input-joystick.
  - #1020719 filed against chibicc.
  - #1020723 filed against python-omegaconf.
  - #1020724 and #1020725 filed against snapper.
  - #1020736 filed against libreswan.
  - #1020743 filed against pure-ftpd.
  - #1020748 filed against xcolmix.
  - #1020749 filed against gigalomania.
  - #1020750 filed against xjump.
  - #1020751 filed against waili.
  - #1020752 filed against sjeng.
  - #1020753 filed against seqtk.
  - #1020754 filed against shapetools.
  - #1020755 filed against rotter.
  - #1020756 filed against rakarrack.
  - #1020757 filed against rig.
  - #1020759 filed against postal.
  - #1020798 filed against netkit-rsh.
  - #1020800 filed against libapache-mod-evasive.
  - #1020804 filed against paxctl.
  - #1020805 filed against png23d.
  - #1020806 filed against perl-byacc.
  - #1020807 filed against poster.
  - #1020808 filed against powerdebug.
  - #1020809 filed against aespipe.
  - #1020810 filed against aewm++-goodies.
  - #1020811 filed against apache-upload-progress-module.
  - #1020812 filed against ascii2binary.
  - #1020813 filed against bible-kjv.
  - #1020814 filed against dradio.
  - #1020815 filed against libapache2-mod-python.
  - #1020816 filed against tempest-for-eliza.
  - #1020817 filed against aplus-fsf.
  - #1020866 filed against wrapsrv.
  - #1020867 filed against uclibc.
  - #1020870 filed against xppaut.
  - #1020872 filed against xvier.
  - #1020873 filed against xserver-xorg-video-glide.
  - #1020875 filed against z80asm.
  - #1020876 filed against yaskkserv.
  - #1020877 filed against edid-decode.
  - #1020878 filed against dustmite.
  - #1020879 filed against dustmite.
  - #1020880 filed against libapache2-mod-authnz-pam.
  - #1020881 filed against kafs-client.
  - #1020882 filed against yaku-ns.
  - #1020884 filed against bplay.
  - #1020886 filed against chise-base.
  - #1020887 filed against checkpw.
  - #1020888 filed against clamz.
  - #1020889 filed against libapache2-mod-auth-pgsql.
Testing framework
The Reproducible Builds project runs a significant testing framework at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility. This month, the following changes were made:
- Holger Levsen:
- Mattia Rizzolo:
  - Enable syncing of results from building live Debian ISO images. […]
  - Use scp -p in order to preserve modification times when syncing live ISO images. […]
  - Apply the shellcheck shell script analysis tool. […]
  - In a build node wrapper script, remove some debugging code which was messing up calling scp(1) correctly […] and consequently add support to use both scp -p and regular scp […].
- Roland Clobus:
Contact
As ever, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. You can also get in touch with us via:

- IRC: #reproducible-builds on irc.oftc.net.
- Twitter: @ReproBuilds
- Mailing list: [email protected]