Reproducible Builds: Reproducible Builds in July 2022
Welcome to the July 2022 report from the Reproducible Builds project!
In our reports we attempt to outline the most relevant things that have been going on in the past month. As a brief introduction, the reproducible builds effort is concerned with ensuring no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. As ever, if you are interested in contributing to the project, please visit our Contribute page on our website.
Reproducible Builds summit 2022
Despite several delays, we are pleased to announce that registration is open for our in-person summit this year:
November 1st to November 3rd
The event will happen in Venice (Italy). We intend to pick a venue reachable via the train station and an international airport. However, the precise venue will depend on the number of attendees.
Please see the announcement email for information about how to register.
Is reproducibility practical?
Ludovic Courtès published an informative blog post this month asking the important question: Is reproducibility practical?:
Our attention was recently caught by a nice slide deck on the methods and tools for reproducible research in the R programming language. Among those, the talk mentions Guix, stating that it is "for professional, sensitive applications that require ultimate reproducibility", which is "probably a bit overkill for Reproducible Research". While we were flattered to see Guix suggested as good tool for reproducibility, the very notion that there's a kind of reproducibility that is ultimate and, essentially, impractical, is something that left us wondering: What kind of reproducibility do scientists need, if not the ultimate kind? Is reproducibility practical at all, or is it more of a horizon?
The post goes on to outline the concept of reproducibility, situating examples within the context of the GNU Guix operating system.
diffoscope
diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 218, 219 and 220 to Debian, as well as made the following changes:
- New features:
  - Support Haskell 9.x series files.
- Bug fixes:
- Output improvements:
  - Improve output of Markdown and reStructuredText to use code blocks with highlighting.
- Codebase improvements:
Mailing list
On our mailing list this month:
- Roland Clobus posted his Eleventh status update about reproducible [Debian] live-build ISO images, noting (amongst many other things!) that all major desktops build reproducibly with bullseye, bookworm and sid.
- Santiago Torres-Arias announced a Call for Papers (CfP) for a new SCORED conference, "an academic workshop around software supply chain security". As Santiago highlights, this new conference "invites reviewers from industry, open source, government and academia to review the papers [and] I think that this is super important to tackle the supply chain security task".
Upstream patches
The Reproducible Builds project attempts to fix as many currently-unreproducible packages as possible. This month, we submitted the following patches:
- Bernhard M. Wiedemann:
  - openSUSE monthly report
  - acarsdec (embeds CPU info with march=native)
  - casacore (embeds CPU info with march=native)
  - kubernetes (uses random name of temporary directory)
  - setuptools/python-brotlicffi (toolchain, filesys/readdir)
  - sysstat (FTBFS in single CPU mode)
  - sundials (FTBFS in single CPU mode)
  - nim (FTBFS in single CPU mode)
  - doxygen/libzypp (toolchain readdir)
  - python-pyquil (build failure)
  - openssl-1_0_0 (build failure)
  - jsonrpc-glib (FTBFS in single CPU mode)
  - slurm (Link-Time Optimisation and .tar issues)
  - wasi-libc (sort the output from find)
- Chris Lamb:
- Philip Rinn:
- Vagrant Cascadian:
Reprotest
reprotest is the Reproducible Builds project's end-user tool to build the same source code twice in widely and deliberately different environments, and then check whether the binaries produced by the builds have any differences. This month, the following changes were made:
- Holger Levsen:
- Mattia Rizzolo:
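The build-twice-and-compare idea described above, as an added example (this is not reprotest's own code): a toy "build" that packs a source tree into a .tar is run in two environments that differ in directory name, file order and timestamps, first naively and then with sorted members and normalized metadata. The file names, the `EPOCH` value and all function names are constructed for this illustration.

```python
import hashlib
import io
import os
import tarfile
import tempfile

EPOCH = 1656633600  # constructed stand-in for SOURCE_DATE_EPOCH (2022-07-01 UTC)
# Constructed sample source tree, not taken from any real package.
SOURCES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int util(void) { return 1; }\n",
    "README": b"demo project\n",
}

def make_tree(root, order, mtime):
    """Write SOURCES under root in the given creation order with one mtime."""
    for name in order:
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(SOURCES[name])
        os.utime(path, (mtime, mtime))

def naive_build(root, order):
    """Archive in the order the 'filesystem' returned, keeping on-disk metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in order:  # stand-in for unsorted readdir()/find output
            tar.add(os.path.join(root, name), arcname=name)
    return hashlib.sha256(buf.getvalue()).hexdigest()

def normalized_build(root, order):
    """Same archive, but with sorted members and normalized metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(order):
            path = os.path.join(root, name)
            info = tar.gettarinfo(path, arcname=name)
            info.mtime = min(int(info.mtime), EPOCH)  # clamp to the epoch
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    return hashlib.sha256(buf.getvalue()).hexdigest()

def build_twice(build):
    """Run build in two deliberately different environments; return both digests."""
    names = list(SOURCES)
    variations = [(names, EPOCH + 100), (names[::-1], EPOCH + 5000)]
    digests = []
    for order, mtime in variations:
        # Each run gets a differently named temporary directory.
        with tempfile.TemporaryDirectory() as root:
            make_tree(root, order, mtime)
            digests.append(build(root, order))
    return digests

if __name__ == "__main__":
    for build in (naive_build, normalized_build):
        first, second = build_twice(build)
        verdict = "reproducible" if first == second else "NOT reproducible"
        print(f"{build.__name__}: {verdict}")
```

Differing digests only show that something varied; locating what varied inside the two archives is the job diffoscope does.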
Reproducible builds website
A number of changes were made to the Reproducible Builds website and documentation this month, including:
- Arnout Engelen:
  - Add a link to recent May Contain Hackers 2022 conference talk slides.
- Chris Lamb:
- Holger Levsen:
  - Add talk from FOSDEM 2015 presented by Holger and Lunar.
  - Show date of presentations if we have them.
  - Add my presentation from DebConf22 and from Debian Reunion Hamburg 2022.
  - Add dhole to the speakers of the DebConf15 talk.
  - Add raboof's talk "Reproducible Builds for Trustworthy Binaries" from May Contain Hackers.
  - Drop some Debian-related suggested ideas which are not really relevant anymore.
  - Add a link to list of packages with patches ready to be NMUed.
- Mattia Rizzolo:
Testing framework
The Reproducible Builds project runs a significant testing framework at tests.reproducible-builds.org, to check packages and other artifacts for reproducibility. This month, Holger Levsen made the following changes:
- Debian-related changes:
  - Create graphs displaying existing .buildinfo files per each Debian suite/arch.
  - Fix a typo in the Debian dashboard.
  - Fix some issues in the pkg-r package set definition.
  - Improve the builtin-pho HTML output.
  - Temporarily disable all live builds as our snapshot mirror is offline.
- Automated node health checks:
- Misc changes:
  - Test that FreeBSD virtual machine has been updated to version 13.1.
  - Add a reminder about powercycling the armhf-architecture mst0X node.
  - Fix a number of typos.
  - Update documentation.
  - Fix Munin monitoring configuration for some nodes.
  - Fix the static IP address for a node.
In addition, Vagrant Cascadian updated host keys for the cbxi4pro0 and wbq0 nodes and, finally, node maintenance was also performed by Mattia Rizzolo and Holger Levsen.
Contact
As ever, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
- IRC: #reproducible-builds on irc.oftc.net.
- Twitter: @ReproBuilds
- Mailing list: rb-general@lists.reproducible-builds.org