Bits from Debian: Debian Project Leader election 2025 is over, Andreas Tille re-elected!

The 2020 Solarwinds attack was a tipping point that caused a heightened awareness about the security of the software supply chain and in particular the large amount of trust placed in build systems. Reproducible Builds (R-Bs) provide a strong foundation to build defenses against arbitrary attacks on build systems by ensuring that given the same source code, build environment, and build instructions, bitwise-identical artifacts are created. (PDF)
I have identified 16 root causes for unreproducible builds in my empirical study, which I have linked to the corresponding documentation. The initial MR right now contains information about 10 root causes. For each root cause, I have provided a definition, a notable instance, and a workaround. However, I have only found workarounds for 5 out of the 10 root causes listed in this merge request. In the upcoming commits, I plan to add an additional 6 root causes. I kindly request you review the text for any necessary refinements, modifications, or corrections. Additionally, I would appreciate help with documentation for the solutions/workarounds for the remaining root causes: Archive Metadata, Build ID, File System Ordering, File Permissions, and Snippet Encoding. Your input on the identified root causes for unreproducible builds would be greatly appreciated. [ ]
While packaging govulncheck for Arch Linux I noticed a checksum mismatch for a tar file I downloaded from go.googlesource.com. I used diffoscope to compare the .tar file I downloaded with the .tar file the build server downloaded, and noticed the timestamps are different.
ffile_prefix_map_passed_to_clang being fixed since Debian bullseye [ ] and adding a Debian bug tracker reference for the nondeterminism_added_by_pyqt5_pyrcc5 issue [ ].
In addition, Roland Clobus posted another detailed update of the status of reproducible Debian ISO images on our mailing list. In particular, Roland helpfully summarised that live images are looking good, and the number of (passing) automated tests is growing.
util.inspect.object_description attempts to sort collections, but this can fail. The change handles the failure case by using string-based object descriptions as a fallback deterministic sort ordering, as well as adding recursive object-description calls for list and tuple datatypes. As a result, documentation generated by Sphinx will be more likely to be automatically reproducible.
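The strategy described above (sort a collection; when the elements are not mutually comparable, fall back to sorting by each element's textual description; recurse into lists and tuples) can be shown in a few lines. The following Python is an added example written for this page, not Sphinx's code or the patch it describes; the function name `object_description` and the helper `descriptions_agree` are chosen here, and the sample values are constructed.

```python
def object_description(obj):
    """Deterministic textual description of a value.

    Sets and dict keys have no defined iteration order across interpreter runs
    (string hashing is randomised per process), so a naive repr() of them is a
    classic source of unreproducible generated documentation. Sorting fixes
    that, but sorted() raises TypeError for mixed types such as {3, 'a'}; in
    that case the elements are ordered by their own description instead, which
    is stable because it only depends on the values themselves.
    """
    if isinstance(obj, dict):
        try:
            keys = sorted(obj)
        except TypeError:  # keys of mixed, non-comparable types
            keys = sorted(obj, key=object_description)
        body = ", ".join(
            f"{object_description(k)}: {object_description(obj[k])}" for k in keys
        )
        return "{" + body + "}"
    if isinstance(obj, (set, frozenset)):
        if not obj:
            return "set()" if isinstance(obj, set) else "frozenset()"
        try:
            members = sorted(obj)
        except TypeError:  # members of mixed, non-comparable types
            members = sorted(obj, key=object_description)
        body = ", ".join(object_description(m) for m in members)
        return "{" + body + "}" if isinstance(obj, set) else "frozenset({" + body + "})"
    if isinstance(obj, list):
        # recurse so nested sets/dicts inside sequences are normalised too
        return "[" + ", ".join(object_description(x) for x in obj) + "]"
    if isinstance(obj, tuple):
        inner = ", ".join(object_description(x) for x in obj)
        return "(" + inner + ("," if len(obj) == 1 else "") + ")"
    return repr(obj)


def descriptions_agree():
    """Build the same mixed-type set in two insertion orders (constructed
    sample) and report whether their descriptions are identical."""
    first = set()
    for item in ["a", 3, "b", 2]:
        first.add(item)
    second = set()
    for item in [2, "b", 3, "a"]:
        second.add(item)
    return object_description(first) == object_description(second)


if __name__ == "__main__":
    print(object_description([{2, 1}, (3, {"b", "a"}), {1: "x", "a": "y"}]))
    print("stable:", descriptions_agree())
```

The fallback ordering is not "natural" (the string `'a'` sorts before the integer `3` because the quote character precedes the digits), but it does not need to be: what matters for reproducibility is that two builds of the same source emit the same bytes.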
Lastly in news, kpcyrd posted to our mailing list announcing a new repro-env tool:
My initial interest in reproducible builds was how do I distribute pre-compiled binaries on GitHub without people raising security concerns about them. I've cycled back to this original problem about 5 years later and built a tool that is meant to address this. [ ]
django-graphql-jwt (fails to build in 2038)
doxygen (filesystem ordering issue)
git-interactive-rebase-tool (date-related issue)
obs-build
procmeter (parallelism race condition)
promu
python-cx_Freeze (version update for year 2038 fix)
python-zope.deprecation
python310 (ASLR-related issue)
python-control (fails to build -j4)
python-DateTime (fails to build in 2038)
python-pyface (date/time-related issue)
python-quantities (date/time-related issue)
python-scipy (date/time-related issue)
rpmlint
starship (filesystem ordering issue)
Telethon
xindy (fails to build in 2036)
yt (filesystem ordering issue)
python-bpython, python-flup, python-mysqlclient, python-waitress, python-WebOb, python-WebTest, python-zope.event, python-zope.hookable & python-zope.i18nmessageid
dotenv-cli.
unity-java.
ruby-babosa (forwarded upstream).
guidata (forwarded upstream).
SOURCE_DATE_EPOCH, a three-and-a-half year effort started by Bernhard M. Wiedemann in January 2020, taken over by John Neffenger in March 2021, integrated upstream in June 2023, and available starting with JavaFX 21 on September 19, 2023.
244, 245 and 246 were uploaded to Debian unstable by Chris Lamb, who also made the following changes:
libarchive-5. [ ]
test_dex::test_javap_14_differences test requires the procyon tool. [ ]
assert_diff in the .ico and .jpeg tests. [ ]
XFAIL due to Debian bugs #1040941 & #1040916. [ ]
create_meta_pkg_sets job into two (for Debian unstable and Debian testing) to halve the job runtime to approximately 90 minutes. [ ][ ]
postgresql_autodoc is back in Debian bookworm. [ ]
kfreebsd-related tests now that it's officially dead. [ ]
dpkg-db-backup [ ] and munin-node services [ ].
#reproducible-builds on irc.oftc.net.
rb-general@lists.reproducible-builds.org
246. This version includes the following changes:
[ Gianfranco Costamagna ]
* Add support for LLVM 16.
224. This version includes the following changes:
[ Mattia Rizzolo ]
* Fix rlib test failure with LLVM 15. Thanks to Gianfranco Costamagna
(locutusofborg) for the patch.
$HTTP_PROXY isn't set.
:wq for today.
160. This version includes the following changes:
* Check that pgpdump is actually installed before attempting to run it.
Thanks to Gianfranco Costamagna (locutusofborg). (Closes: #969753)
* Add some documentation for the EXTERNAL_TOOLS dictionary.
* Ensure we check FALLBACK_FILE_EXTENSION_SUFFIX, otherwise we run pgpdump
against all files that are recognised by file(1) as "data".
reproducible-check is our script to determine which packages actually installed on your system are reproducible or not.
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.
strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.
disorderfs is our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues.
.oct files.
-fdebug-prefix-map to clang to match GCC, another patch against gcc-5 to backport the removal of -fdebug-prefix-map from DW_AT_producer, and finally by proposing the addition of a normalizedebugpath to the reproducible feature set of dpkg-buildflags that would use -fdebug-prefix-map to replace the current directory with .
using -fdebug-prefix-map.
Sergey Poznyakoff merged the --clamp-mtime option so that it will be featured in the next Tar release. This option is likely to be used by dpkg-deb to implement deterministic mtimes for packaged files.
Packages fixed
The following packages have become reproducible due to changes in their
build dependencies:
augeas,
gmtkbabel,
ktikz,
octave-control,
octave-general,
octave-image,
octave-ltfat,
octave-miscellaneous,
octave-mpi,
octave-nurbs,
octave-octcdf,
octave-sockets,
octave-strings,
openlayers,
python-structlog,
signond.
The following packages became reproducible after getting fixed:
i386 build nodes have been set up by converting 2 of the 4 amd64 nodes to i386. (h01ger)
Package reviews
92 reviews have been removed, 66 added and 31 updated in the previous week.
New issues: timestamps_generated_by_xbean_spring, timestamps_generated_by_mangosdk_spiprocessor.
Chris Lamb filed 7 FTBFS bugs.
Misc.
On March 20th, Chris Lamb gave a talk at FOSSASIA 2016 in Singapore.
The very same day, but a few timezones apart, h01ger did a presentation at LibrePlanet 2016 in Cambridge, Massachusetts.
Seven GSoC/Outreachy applications were made by potential interns to work on various aspects of the reproducible builds effort. On top of interacting with several applicants, prospective mentors gathered to review the applications.
As a successful result of lobbying at LibrePlanet 2016, the --clamp-mtime option will be featured in the next Tar release. This option is likely to be used by dpkg-deb to implement deterministic mtimes for packaged files.
d-devlibdeps stable across locales. Original patch by Reiner Herrmann.
giotypefuncs.c is generated.
readelf --decompress.
pkg(8) now supports SOURCE_DATE_EPOCH.
Ross Karchner did a lightning talk about reproducible builds at his work place and shared the slides.
SOURCE_DATE_EPOCH to docs/gendocs.sh and normalizes tarball permissions. Sent upstream.
armhf caught up with amd64 with 80%.
The schroot name used for running diffoscope when testing OpenWrt, NetBSD, Coreboot, and Arch Linux has been fixed. (h01ger, Mattia Rizzolo)
Documentation update
Paul Gevers documented timestamps in unit files created by the Free Pascal Compiler.
reproducible-builds.org is now live. It contains comprehensive documentation on all aspects identified so far of what we call reproducible builds. It makes room for pointers to projects working on reproducible builds, news, dedicated tools, and community events.
Package reviews
206 reviews have been removed, 171 added and 196 updated this week.
Chris Lamb reported 28 failing to build from source issues.
New issues identified this week: timestamps_in_pdf_content, different_encoding_in_html_by_docbook_xsl, timestamps_in_ppu_generated_by_fpc, method_may_never_be_called_in_documentation_generated_by_javadoc.
Misc.
Andrei Borzenkov has proposed a fix for uninitialized memory in GRUB's mkimage. Uninitialized memory is one source of hard to track down reproducibility errors.
Holger Levsen presented the efforts on reproducible builds at Festival de Software Libre in Puerto Vallarta, Mexico.
ocamldoc to build reproducible manpages using a patch by Valentin Lorentz.
DEBIANDOC_DATE environment variable to override the content of the <date> tag.
PODDATE to the date of the latest debian/changelog entry.
pod2man to use the date of the latest debian/changelog entry.
SOURCE_DATE_EPOCH as source for the manpage date instead of the current date.
TZ to UTC when using zip.
grep to cope with non-UTF8 files.
SOURCE_DATE_EPOCH as source for the manpage date instead of the current date.
TZ=UTC in debian/rules.
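The fixes listed above all come down to two timestamp rules that recur throughout these reports: take the build date from SOURCE_DATE_EPOCH rather than the clock and render it in UTC (the pod2man, manpage-date and TZ=UTC items), and clamp file mtimes to that reference rather than overwriting them, which is what tar's --clamp-mtime option mentioned earlier does. The following Python is an added example for this page, not code from any of the packages or tools named here; the function names (`source_date_epoch`, `build_date`, `manpage_date`, `clamp_mtime`, `normalize_archive_entries`) and the sample values are chosen here, and the environment is passed in explicitly so the behaviour can be checked without touching the real one.

```python
import os
import time
from datetime import datetime, timezone


def is_valid_epoch(raw):
    """SOURCE_DATE_EPOCH is defined as a non-negative integer number of
    seconds since 1970-01-01 UTC; anything else is rejected rather than
    silently treated as 'unset'."""
    return raw.isascii() and raw.isdigit()


def source_date_epoch(environ=None):
    """Return SOURCE_DATE_EPOCH as an int, or None when it is not set."""
    environ = os.environ if environ is None else environ
    raw = environ.get("SOURCE_DATE_EPOCH")
    if raw is None:
        return None
    if not is_valid_epoch(raw):
        raise ValueError(f"SOURCE_DATE_EPOCH must be a non-negative integer, got {raw!r}")
    return int(raw)


def build_date(environ=None, now=None):
    """Timestamp to embed in generated output.

    SOURCE_DATE_EPOCH wins when present; otherwise the current time (or the
    injected `now`, in seconds) is used. The value is always interpreted in
    UTC so the rendered date does not depend on the builder's time zone,
    which is the effect TZ=UTC has for tools that only honour the local zone.
    """
    epoch = source_date_epoch(environ)
    if epoch is None:
        epoch = int(time.time()) if now is None else now
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def manpage_date(environ=None, now=None):
    """Date string of the kind a manpage generator would put in its header."""
    return build_date(environ, now).strftime("%Y-%m-%d")


def clamp_mtime(mtime, epoch):
    """--clamp-mtime semantics: timestamps newer than the reference are pulled
    down to it, older ones are kept, so genuine history in the tree survives
    while checkout-time noise is removed."""
    return mtime if mtime <= epoch else epoch


def normalize_archive_entries(entries, epoch):
    """Sort (path, mtime) pairs by path and clamp their mtimes: the two
    normalisations that make an archive independent of readdir order and of
    when the source was unpacked."""
    return [(name, clamp_mtime(mtime, epoch)) for name, mtime in sorted(entries)]


if __name__ == "__main__":
    env = {"SOURCE_DATE_EPOCH": "1700000000"}  # constructed sample environment
    print("manpage date:", manpage_date(env))
    entries = [("b/file", 1800000000), ("a/file", 1600000000)]  # constructed
    print(normalize_archive_entries(entries, source_date_epoch(env)))
```

Rejecting a malformed SOURCE_DATE_EPOCH instead of ignoring it is deliberate: a build that quietly falls back to the wall clock produces artifacts that look fine locally and only fail when someone tries to rebuild them.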
| | Week 1 | Week 2 | Week 3 | Week 4 | Week 5 | Week 6 | Week 7 |
|---|---|---|---|---|---|---|---|
| # Packages | 10 | 15 | 10 | 14 | 10 | - | - |
| Total | 10 | 25 | 35 | 49 | 59 | - | - |