Welcome to the August 2023 report from the Reproducible Builds project!
In these reports we outline the most important things that we have been up to over the past month. As a quick recap, whilst anyone may inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries.
The motivation behind the reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. If you are interested in contributing to the project, please visit our Contribute page on our website.
serde_derive macro as a precompiled binary. As Ax Sharma writes:

The move has generated a fair amount of push back among developers who worry about its future legal and technical implications, along with a potential for supply chain attacks, should the maintainer account publishing these binaries be compromised.

After intensive discussions, use of the precompiled binary was phased out.
[ ] an overview about reproducible builds, the past, the present and the future. How it started with a small [meeting] at DebConf13 (and before), how it grew from being a Debian effort to something many projects work on together, until in 2021 it was mentioned in an executive order of the president of the United States. (HTML slides)

Holger repeated the talk later in the month at Chaos Communication Camp 2023 in Zehdenick, Germany. A video of the talk is available online, as are the HTML slides.
Vagrant walks us through his role in the project where the aim is to ensure identical results in software builds across various machines and times, enhancing software security and creating a seamless developer experience. Discover how this mission, supported by the Software Freedom Conservancy and a broad community, is changing the face of Linux distros, Arch Linux, openSUSE, and F-Droid. They also explore the challenges of managing random elements in software, and Vagrant's vision to make reproducible builds a standard best practice that will ideally become automatic for users. Vagrant shares his work in progress and their commitment to the last mile problem.

The episode is available to listen (or download) from the Sustain podcast website. As it happens, the episode was recorded at FOSSY 2023, and the video of Vagrant's talk from this conference (Breaking the Chains of Trusting Trust) is now available on Archive.org.

It was also announced that Vagrant Cascadian will be presenting at the Open Source Firmware Conference in October on the topic of Reproducible Builds All The Way Down.
hello-traditional package from Debian. The entire thread can be viewed from the archive page, as can Vagrant Cascadian's reply.
Versions 247, 248 and 249 were uploaded to Debian unstable by Chris Lamb, who also added documentation for the new specialize_as method and expanded the documentation of the existing specialize method as well [ ]. In addition, Fay Stegerman added specialize_as and used it to optimise .smali comparisons when decompiling Android .apk files [ ], Felix Yan and Mattia Rizzolo corrected some typos in code comments [ , ], and Greg Chabala merged the RUN commands into a single layer in the package's Dockerfile [ ], thus greatly reducing the final image size. Lastly, Roland Clobus updated tool descriptions to mark that the xb-tool has moved to a different package within Debian [ ].
timestamp_in_documentation_using_sphinx_zzzeeksphinx_theme toolchain issue.
* arimo (modification time in build results)
* apptainer (random Go build identifier)
* arrow (fails to build on single-CPU machines)
* camlp (parallelism-related issue)
* developer (Go ordering-related issue)
* elementary-xfce-icon-theme (font-related problem)
* gegl (parallelism issue)
* grommunio (filesystem ordering issue)
* grpc (drop nondeterministic log)
* guile-parted (parallelism-related issue)
* icinga (hostname-based issue)
* liquid-dsp (CPU-oriented problem)
* memcached (package fails to build far in the future)
* openmpi5/openpmix (date/copyright year issue)
* openmpi5 (date/copyright year issue)
* orthanc-ohif+orthanc-volview (ordering-related issue plus timestamp in a Gzip)
* perl-Net-DNS (package fails to build far in the future)
* postgis (parallelism issue)
* python-scipy (uses an arbitrary build path)
* python-trustme (package fails to build far in the future)
* qtbase/qmake/goldendict-ng (timestamp-related issue)
* qtox (date-related issue)
* ring (filesystem ordering-related issue)
* scipy (1 & 2) (drop arbitrary build path and filesystem-ordering issue)
* snimpy (1 & 3) (fails to build on single-CPU machines as well as far in the future)
* tango-icon-theme (font-related issue)

* reproducible-tracker.json data file. [ ]
* pbuilder.tgz for Debian unstable due to #1050784. [ ][ ]
* usrmerge. [ ][ ]
* armhf nodes (wbq0 and jtx1a) as down; investigation is needed. [ ]
* buildd.debian.org. [ ][ ]
#reproducible-builds on irc.oftc.net.
rb-general@lists.reproducible-builds.org
(The picture is of the previous edition.) Almost two years after the previous Norwegian Bokmål translation of the "The Debian Administrator's Handbook" was published, a new edition is finally being prepared. The English text is updated, and it is time to start working on the translations. Around 37 percent of the strings have been updated, one way or another, and the translations starting from a complete Debian Buster edition now need to bring their translation up from 63% to 100%. The complete book is licensed using a Creative Commons license, and has been published in several languages over the years. The translations are done by volunteers to bring Linux to their native tongue. The last time I checked, its complete text was available in English, Norwegian Bokmål, German, Indonesian, Brazilian Portuguese and Spanish. In addition, work has been started for Arabic (Morocco), Catalan, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, French, Greek, Italian, Japanese, Korean, Persian, Polish, Romanian, Russian, Swedish, Turkish and Vietnamese. The translation is conducted on the hosted weblate project page. Prospective translators are recommended to subscribe to the translators mailing list and should also check out the instructions for contributors. I am one of the Norwegian Bokmål translators of this book, and we have just started. Your contribution is most welcome. As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.
snapshot.debian.org for fun and profit about various tools they have developed to interact with the snapshot.debian.org wayback machine for Debian packages. In particular, they mention how they are using the service to reproduce and validate builds as well as touch on an alternative snapshot service that has been mentioned in previous reports.
a practical attempt at shipping a program and having reasonably solid evidence there's probably no backdoor. All source code is annotated and there are instructions explaining how to use reproducible builds to rebuild the artifacts distributed in this repository from source. The idea is shifting the burden of proof from "you need to prove there's a backdoor" to "we need to prove there's probably no backdoor". This repository is less about code (we're going to try to keep code at a minimum actually) and instead contains technical writing that explains why these controls are effective and how to verify them. You are very welcome to adopt the techniques used here in your projects.

As the project's README goes on to mention: "the techniques used to rebuild the binary artifacts are only possible because the builds for this project are reproducible". This was also announced on our mailing list this month in a thread titled i-probably-didnt-backdoor-this: Reproducible Builds for upstreams.
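The patch list earlier in this report groups nondeterminism by cause (embedded timestamps, filesystem ordering, arbitrary build paths), and kpcyrd's repository depends on an independent rebuilder reproducing the shipped artifact bit for bit. The following Python is an added example, not code from the report, from diffoscope or from the i-probably-didnt-backdoor-this project: a toy "build" packs a constructed source tree into a tar archive from two different build directories, once with the classic mistakes and once with the usual fixes (sorted traversal, member names relative to the source root, timestamps pinned to SOURCE_DATE_EPOCH, owner fields cleared), and compares the digests the way a rebuilder would. All function and variable names are my own.

```python
import hashlib
import io
import os
import shutil
import tarfile
import tempfile

# Constructed sample source tree: relative path -> file content.
SAMPLE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int util(void) { return 1; }\n",
    "README": b"toy project\n",
}


def materialise(tree):
    """Write the sample tree into a fresh temporary directory and return its path.

    Every call yields a different absolute path, just as two independent
    rebuilders would each have their own build directory."""
    root = tempfile.mkdtemp(prefix="rb-demo-")
    for rel, data in tree.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def build(root, deterministic):
    """Pack `root` into an in-memory tar archive; return the SHA-256 of the bytes.

    deterministic=False keeps three mistakes that match categories in the
    patch list (build path, timestamps/ownership, directory order);
    deterministic=True applies the corresponding fixes."""
    buf = io.BytesIO()
    # SOURCE_DATE_EPOCH is the conventional override for embedded timestamps.
    epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "0"))
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            if deterministic:
                dirnames.sort()                # fix: os.walk honours the in-place sort
                filenames = sorted(filenames)  # fix: readdir() order is not stable
            for name in filenames:
                full = os.path.join(dirpath, name)
                # mistake: the absolute build path leaks into the member name
                arcname = os.path.relpath(full, root) if deterministic else full
                info = tar.gettarinfo(full, arcname=arcname)
                if deterministic:
                    info.mtime = epoch         # fix: pin the timestamp
                    info.uid = info.gid = 0    # fix: builder identity must not leak
                    info.uname = info.gname = ""
                with open(full, "rb") as fh:
                    tar.addfile(info, fh)
    return hashlib.sha256(buf.getvalue()).hexdigest()


def independent_rebuilds_agree(tree, deterministic):
    """Emulate two rebuilders with different build paths; True if digests match."""
    roots = [materialise(tree), materialise(tree)]
    try:
        digests = {build(r, deterministic) for r in roots}
    finally:
        for r in roots:
            shutil.rmtree(r)
    return len(digests) == 1


if __name__ == "__main__":
    print("naive build reproducible:", independent_rebuilds_agree(SAMPLE_TREE, False))
    print("fixed build reproducible:", independent_rebuilds_agree(SAMPLE_TREE, True))
```

Running it prints False for the naive build and True for the fixed one. The archive is left uncompressed on purpose: wrapping it in gzip would add another embedded timestamp in the gzip header, which is the "timestamp in a Gzip" case from the list.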
kpcyrd also wrote a detailed blog post about the problems surrounding Linux distributions (such as Alpine and Arch Linux) that distribute compiled Python bytecode in the form of .pyc files generated during the build process.
* GCC lines that differ on a single prefix byte either. These are distracting, not very useful and are simply the strings(1) command's idea of the build ID, which is displayed elsewhere in the diff. [ ][ ]
* .debug-like lines in the ELF-related output, as it is invariably a duplicate of the debug ID that exists better in the readelf(1) differences for this file. [ ]
* java -jar /path/to/apksigner.jar if we have an apksigner.jar, as newer versions of apksigner in Debian use a shell wrapper script which will be rejected if passed directly to the JVM. [ ]
* apksigner in order to compare .apk files using apktool. [ ]
* odt2txt. [ ]
* HUGE_TOOLS Python dictionary. [ ]
* -f to apktool to avoid creating a strangely-named subdirectory. [ ]
* File import. [ ]
* logging variable in a specific place, so alias it to an underscore (i.e. _) instead. [ ]
* passwd(5) mapping. [ ]
* python-libarchive-c version 3.1-1 to Debian experimental for the new 3.x branch. python-libarchive-c is used by diffoscope.
* awkward (timestamp issue)
* ck (build fails in single-CPU mode)
* cri-o (build ID issue related to Go parallelism)
* kernel-obs-build (cpio metadata issue)
* python-PyQt6 (.pyc-related issue)
* python-dulwich (fails to build in 2023)
* python-xkbgroup (.pyc-related issue)
* rnp (fails to build in 2024)

dosfstools (from December 2018) was eventually merged.

* mapcache
* spatialindex
* pytsk
* surgescript
* rust-coreutils
* translate
* spirv-cross
* numcodecs
* tty-solitaire
* samtools
* pkg-config
* pkgconf
* ncftp
* backuppc
* sharutils
* cfengine3
* nbdkit
* nbdkit
* python3.9
* supermin
* virt-p2v
* gnunet
* mpb
* ng

* position:fixed CSS statement that is interacting badly with some width settings. [ ]
* reprotest to mention how ldconfig conflicts with the kernel variation. [ ]
* LANG=C.UTF-8 to match the official Debian build servers. [ ]
* rsync output if the $DEBUG variable is enabled. [ ]
* mock, a tool used to build Fedora packages some time ago. [ ]
* rsync job related to Debian Live images. [ ]
* BUILD_TAG and BUILD_URL environment for the Debian Live jobs. [ ]
* master_wrapper script to use a Bash array for the parameters. [ ]
* safe_load() function over the unsafe variant. [ ]
* armhf nodes for DebConf21. [ ][ ]

#reproducible-builds on irc.oftc.net.
rb-general@lists.reproducible-builds.org
/rw/config/suspend-module-blacklist in the NetVM the wireless comes back nicely (on my X230) after Suspend/Resume.

% time ./bin/eierskap-dotty 958033540 > dagbladet.dot

real 0m2.841s
user 0m0.184s
sys 0m0.036s
%

The script accepts several organisation numbers on the command line, allowing a cluster of companies to be graphed in the same image. The resulting dot file for the example above looks like this. The edges are labeled with the ownership percentage, and the nodes use the organisation number as their name and the name as the label:

digraph ownership {
    rankdir = LR;
    "Aller Holding A/s" -> "910119877" [label="100%"]
    "910119877" -> "998689015" [label="100%"]
    "998689015" -> "958033540" [label="99%"]
    "974530600" -> "958033540" [label="1%"]
    "958033540" [label="AS DAGBLADET"]
    "998689015" [label="Berner Media Holding AS"]
    "974530600" [label="Dagbladets Stiftelse"]
    "910119877" [label="Aller Media AS"]
}

To view the ownership graph, run "dotty dagbladet.dot" or convert it to a PNG using "dot -T png dagbladet.dot > dagbladet.png". The result can be seen below:

Note that I suspect the "Aller Holding A/S" entry to be incorrect data in the official ownership register, as that name is not registered in the official company register for Norway. The ownership register is sensitive to typos and there seem to be no strict checking of the ownership links. Let me know if you improve the script or find better data sources. The code is licensed according to GPL 2 or newer.

Update 2015-06-15: Since the initial post I've been told that "Aller Holding A/S" is a Danish company, which explains why it did not have a Norwegian organisation number. I've also been told that there is a web services API available from Brønnøysundsregistrene, for those willing to accept the terms or pay the price.
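An added example, not the post's eierskap-dotty script: Python that renders the same kind of ownership table as a DOT digraph, quoting node names so that a company name containing a double quote or backslash cannot break the file syntax, and, going beyond the post, multiplies percentages along each ownership chain to report every upstream entity's effective share of the target company. The edge list and label map are constructed from the figures shown in the post's dot file; the function names are mine.

```python
from collections import defaultdict

# Constructed from the figures in the post: (owner, owned, percentage).
# Organisation numbers are the node names; NAMES supplies display labels.
EDGES = [
    ("Aller Holding A/s", "910119877", 100.0),
    ("910119877", "998689015", 100.0),
    ("998689015", "958033540", 99.0),
    ("974530600", "958033540", 1.0),
]
NAMES = {
    "958033540": "AS DAGBLADET",
    "998689015": "Berner Media Holding AS",
    "974530600": "Dagbladets Stiftelse",
    "910119877": "Aller Media AS",
}


def dot_quote(text):
    """Wrap text in a DOT string literal, escaping backslashes and double quotes."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_dot(edges, names):
    """Render the ownership table as a left-to-right DOT digraph (layout as in the post)."""
    lines = ["digraph ownership {", "    rankdir = LR;"]
    for owner, owned, pct in edges:
        label = dot_quote(f"{pct:g}%")
        lines.append(f"    {dot_quote(owner)} -> {dot_quote(owned)} [label={label}]")
    for org, name in names.items():
        lines.append(f"    {dot_quote(org)} [label={dot_quote(name)}]")
    lines.append("}")
    return "\n".join(lines) + "\n"


def effective_ownership(edges, target):
    """Each upstream entity's indirect share of `target`, in percent.

    Shares multiply along a chain and add across parallel chains; the per-path
    visited set stops recursion if the register contains circular ownership."""
    owners = defaultdict(list)  # owned -> [(owner, fraction)]
    for owner, owned, pct in edges:
        owners[owned].append((owner, pct / 100.0))
    shares = defaultdict(float)

    def walk(node, share, seen):
        for owner, frac in owners.get(node, []):
            if owner in seen:
                continue
            shares[owner] += share * frac
            walk(owner, share * frac, seen | {owner})

    walk(target, 1.0, {target})
    return {org: round(pct * 100, 4) for org, pct in shares.items()}


if __name__ == "__main__":
    print(to_dot(EDGES, NAMES))
    ranked = sorted(effective_ownership(EDGES, "958033540").items(), key=lambda kv: -kv[1])
    for org, pct in ranked:
        print(f"{NAMES.get(org, org):30s} {pct:6.2f}%")
```

Piping the output of to_dot into dot -T png works exactly as the post describes for dagbladet.dot. For the sample data the chain Aller Holding A/s -> Aller Media AS -> Berner Media Holding AS -> AS DAGBLADET yields a 99% effective share at every level, with Dagbladets Stiftelse holding the remaining 1%.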
the Debian Edu / Skolelinux project is pleased to announce the first *beta* release of Debian Edu "Jessie" 8.0+edu0~b1, which for the first time is composed entirely of packages from the current Debian stable release, Debian 8 "Jessie". (As most reading this will know, Debian "Jessie" hasn't actually been released by now. The release is still in progress but should finish later today ;)

We expect to make a final release of Debian Edu "Jessie" in the coming weeks, timed with the first point release of Debian Jessie. Upgrades from this beta release of Debian Edu Jessie to the final release will be possible and encouraged!

Please report feedback to debian-edu@lists.debian.org and/or submit bugs: http://wiki.debian.org/DebianEdu/HowTo/ReportBugs

Debian Edu - sometimes also known as "Skolelinux" - is a complete operating system for schools, universities and other organisations. Through its pre-prepared installation profiles administrators can install servers, workstations and laptops which will work in harmony on the school network. With Debian Edu, the teachers themselves or their technical support staff can roll out a complete multi-user, multi-machine study environment within hours or days. Debian Edu is already in use at several hundred schools all over the world, particularly in Germany, Spain and Norway. Installations come with hundreds of applications pre-installed, plus the whole Debian archive of thousands of compatible packages within easy reach.

For those who want to give Debian Edu Jessie a try, download and installation instructions are available, including detailed instructions in the manual explaining the first steps, such as setting up a network or adding users. Please note that the password for the user you're prompted for during installation must have a length of at least 5 characters!

== Where to download ==

A multi-architecture CD / usbstick image (649 MiB) for network booting can be downloaded at the following locations:

http://ftp.skolelinux.org/skolelinux-cd/debian-edu-8.0+edu0~b1-CD.iso
rsync -avzP ftp.skolelinux.org::skolelinux-cd/debian-edu-8.0+edu0~b1-CD.iso .

The SHA1SUM of this image is: 54a524d16246cddd8d2cfd6ea52f2dd78c47ee0a

Alternatively an extended DVD / usbstick image (4.9 GiB) is also available, with more software included (saving additional download time):

http://ftp.skolelinux.org/skolelinux-cd/debian-edu-8.0+edu0~b1-USB.iso
rsync -avzP ftp.skolelinux.org::skolelinux-cd/debian-edu-8.0+edu0~b1-USB.iso

The SHA1SUM of this image is: fb1f1504a490c077a48653898f9d6a461cb3c636

Sources are available from the Debian archive, see http://ftp.debian.org/debian-cd/8.0.0/source/ for some download options.

== Debian Edu Jessie manual in seven languages ==

Please see https://wiki.debian.org/DebianEdu/Documentation/Jessie/ for the English version of the Debian Edu jessie manual.

This manual has been fully translated to German, French, Italian, Danish, Dutch and Norwegian Bokmål. A partly translated version exists for Spanish. See http://maintainer.skolelinux.org/debian-edu-doc/ for online version of the translated manual.

More information about Debian 8 "Jessie" itself is provided in the release notes and the installation manual:

- http://www.debian.org/releases/jessie/releasenotes
- http://www.debian.org/releases/jessie/installmanual

== Errata / known problems ==

It takes up to 15 minutes for a changed hostname to be updated via DHCP (#780461).

The hostname script fails to update LTSP server hostname (#783087). Workaround: run update-hostname-from-ip on the client to update the hostname immediately.

Check https://wiki.debian.org/DebianEdu/Status/Jessie for a possibly more current and complete list.

== Some more details about Debian Edu 8.0+edu0~b1 Codename Jessie released 2015-04-25 ==

=== Software updates ===

Everything which is new in Debian 8 Jessie, e.g.:

* Linux kernel 3.16.7-ctk9; for the i386 architecture, support for i486 processors has been dropped; oldest supported ones: i586 (like Intel Pentium and AMD K5).
* Desktop environments KDE Plasma Workspaces 4.11.13, GNOME 3.14, Xfce 4.12, LXDE 0.5.6
* new optional desktop environment: MATE 1.8
* KDE Plasma Workspaces is installed by default; to choose one of the others see the manual.
* the browsers Iceweasel 31 ESR and Chromium 41
* LibreOffice 4.3.3
* GOsa 2.7.4
* LTSP 5.5.4
* CUPS print system 1.7.5
* new boot framework: systemd
* Educational toolbox GCompris 14.12
* Music creator Rosegarden 14.02
* Image editor Gimp 2.8.14
* Virtual stargazer Stellarium 0.13.1
* golearn 0.9
* tuxpaint 0.9.22
* New version of debian-installer from Debian Jessie.
* Debian Jessie includes about 43000 packages available for installation.
* More information about Debian 8 Jessie is provided in its release notes and the installation manual, see the link above.

=== Installation changes ===

Installations done via PXE now also install firmware automatically for the hardware present.

=== Fixed bugs ===

A number of bugs have been fixed in this release; the most noticeable from a user perspective:

* Inserting incorrect DNS information in Gosa will no longer break DNS completely, but instead stop DNS updates until the incorrect information is corrected (710362)
* shutdown-at-night now shuts the system down if gdm3 is used (775608).

=== Sugar desktop removed ===

As the Sugar desktop was removed from Debian Jessie, it is also not available in Debian Edu jessie.

== About Debian Edu / Skolelinux ==

Debian Edu, also known as Skolelinux, is a Linux distribution based on Debian providing an out-of-the box environment of a completely configured school network.

Directly after installation a school server running all services needed for a school network is set up just waiting for users and machines being added via GOsa², a comfortable Web-UI. A netbooting environment is prepared using PXE, so after initial installation of the main server from CD or USB stick all other machines can be installed via the network. The provided school server provides LDAP database and Kerberos authentication service, centralized home directories, DHCP server, web proxy and many other services. The desktop contains more than 60 educational software packages and more are available from the Debian archive, and schools can choose between KDE, GNOME, LXDE, Xfce and MATE desktop environment.

== About Debian ==

The Debian Project was founded in 1993 by Ian Murdock to be a truly free community project. Since then the project has grown to be one of the largest and most influential open source projects. Thousands of volunteers from all over the world work together to create and maintain Debian software. Available in 70 languages, and supporting a huge range of computer types, Debian calls itself the universal operating system.

== Thanks ==

Thanks to everyone making Debian and Debian Edu / Skolelinux happen! You rock.
The Debian Edu Team is pleased to announce the release of Debian Edu Jessie 8.0+edu0~alpha0

Debian Edu is a complete operating system for schools. Through its various installation profiles you can install servers, workstations and laptops which will work together on the school network. With Debian Edu, the teachers themselves or their technical support can roll out a complete multi-user multi-machine study environment within hours or a few days. Debian Edu comes with hundreds of applications pre-installed, but you can always add more packages from Debian.

For those who want to give Debian Edu Jessie a try, download and installation instructions are available, including detailed instructions in the manual[1] explaining the first steps, such as setting up a network or adding users. Please note that the password for the user you're prompted for during installation must have a length of at least 5 characters!

[1] <URL: https://wiki.debian.org/DebianEdu/Documentation/Jessie >

Would you like to give your school's computer a longer life? Are you tired of sneaker administration, running from computer to computer reinstalling the operating system? Would you like to administrate all the computers in your school using only a couple of hours every week? Check out Debian Edu Jessie!

Skolelinux is used by at least two hundred schools all over the world, mostly in Germany and Norway.

About Debian Edu and Skolelinux
===============================

Debian Edu, also known as Skolelinux[2], is a Linux distribution based on Debian providing an out-of-the box environment of a completely configured school network.

Immediately after installation a school server running all services needed for a school network is set up just waiting for users and machines being added via GOsa², a comfortable Web-UI. A netbooting environment is prepared using PXE, so after initial installation of the main server from CD or USB stick all other machines can be installed via the network.

The provided school server provides LDAP database and Kerberos authentication service, centralized home directories, DHCP server, web proxy and many other services. The desktop contains more than 60 educational software packages[3] and more are available from the Debian archive, and schools can choose between KDE, Gnome, LXDE, Xfce and MATE desktop environment.

[2] <URL: http://www.skolelinux.org/ >
[3] <URL: http://people.skolelinux.org/pere/blog/Educational_applications_included_in_Debian_Edu___Skolelinux__the_screenshot_collection____.html >

Full release notes and manual
=============================

Below the download URLs there is a list of some of the new features and bugfixes of Debian Edu 8.0+edu0~alpha0 Codename Jessie. The full list is part of the manual. (See the feature list in the manual[4] for the English version.) For some languages manual translations are available, see the manual translation overview[5].

[4] <URL: https://wiki.debian.org/DebianEdu/Documentation/Jessie/Features >
[5] <URL: http://maintainer.skolelinux.org/debian-edu-doc/ >

Where to get it
---------------

To download the multiarch netinstall CD release (624 MiB) you can use

* ftp://ftp.skolelinux.org/skolelinux-cd/debian-edu-8.0+edu0~alpha0-CD.iso
* http://ftp.skolelinux.org/skolelinux-cd/debian-edu-8.0+edu0~alpha0-CD.iso
* rsync -avzP ftp.skolelinux.org::skolelinux-cd/debian-edu-8.0+edu0~alpha0-CD.iso .

The SHA1SUM of this image is: 361188818e036ce67280a572f757de82ebfeb095

New features for Debian Edu 8.0+edu0~alpha0 Codename Jessie released 2014-10-27
===============================================================================

Installation changes
--------------------

* PXE installation now installs firmware automatically for the hardware present.

Software updates
----------------

Everything which is new in Debian Jessie 8.0, e.g.:

* Linux kernel 3.16.x
* Desktop environments KDE "Plasma" 4.11.12, GNOME 3.14, Xfce 4.10, LXDE 0.5.6 and MATE 1.8 (KDE "Plasma" is installed by default; to choose one of the others see manual.)
* the browsers Iceweasel 31 ESR and Chromium 38
* LibreOffice 4.3.3
* GOsa 2.7.4
* LTSP 5.5.4
* CUPS print system 1.7.5
* new boot framework: systemd
* Educational toolbox GCompris 14.07
* Music creator Rosegarden 14.02
* Image editor Gimp 2.8.14
* Virtual stargazer Stellarium 0.13.0
* golearn 0.9
* tuxpaint 0.9.22
* New version of debian-installer from Debian Jessie.
* Debian Jessie includes about 42000 packages available for installation.
* More information about Debian Jessie 8.0 is provided in the release notes[6] and the installation manual[7].

[6] <URL: http://www.debian.org/releases/jessie/releasenotes >
[7] <URL: http://www.debian.org/releases/jessie/installmanual >

Fixed bugs
----------

* Inserting incorrect DNS information in Gosa will no longer break DNS completely, but instead stop DNS updates until the incorrect information is corrected (Debian bug #710362)
* and many others.

Documentation and translation updates
-------------------------------------

* The Debian Edu Jessie Manual is fully translated to German, French, Italian, Danish and Dutch. Partly translated versions exist for Norwegian Bokmål and Spanish.

Other changes
-------------

* Due to new Squid settings, powering off or rebooting the main server takes more time.
* To manage printers localhost:631 has to be used, currently www:631 doesn't work.

Regressions / known problems
----------------------------

* Installing LTSP chroot fails with a bug related to eatmydata about exim4-config failing to run its postinst (see Debian bug #765694 and Debian bug #762103).
* Munin collection is not properly configured on clients (Debian bug #764594). The fix is available in a newer version of munin-node.
* PXE setup for Main Server and Thin Client Server setup does not work when installing on a machine without direct Internet access. Will be fixed when Debian bug #766960 is fixed in Jessie.

See the status page[8] for the complete list.

[8] <URL: https://wiki.debian.org/DebianEdu/Status/Jessie >

How to report bugs
------------------

<URL: http://wiki.debian.org/DebianEdu/HowTo/ReportBugs >

About Debian
============

The Debian Project was founded in 1993 by Ian Murdock to be a truly free community project. Since then the project has grown to be one of the largest and most influential open source projects. Thousands of volunteers from all over the world work together to create and maintain Debian software. Available in 70 languages, and supporting a huge range of computer types, Debian calls itself the universal operating system.

Contact Information

For further information, please visit the Debian web pages[9] or send mail to press@debian.org.

[9] <URL: http://www.debian.org/ >