Search Results: "kapouer"

5 March 2023

Reproducible Builds: Reproducible Builds in February 2023

Welcome to the February 2023 report from the Reproducible Builds project. As ever, if you are interested in contributing to our project, please visit the Contribute page on our website.

FOSDEM 2023 was held in Brussels on the 4th & 5th of February and featured a number of talks related to reproducibility. In particular, Akihiro Suda gave a talk titled Bit-for-bit reproducible builds with Dockerfile discussing deterministic timestamps and deterministic apt-get (original announcement). There was also an entire track of talks on Software Bill of Materials (SBOMs). SBOMs are an inventory for software with the intention of increasing the transparency of software components (the US National Telecommunications and Information Administration (NTIA) published a useful Myths vs. Facts document in 2021).
On our mailing list this month, Larry Doolittle was puzzled why the Debian verilator package was not reproducible [ ], but Chris Lamb pointed out that this was due to the use of Python s datetime.fromtimestamp over datetime.utcfromtimestamp [ ].
James Addison also was having issues with a Debian package: in this case, the alembic package. Chris Lamb was also able to identify the Sphinx documentation generator as the cause of the problem, and provided a potential patch that might fix it. This was later filed upstream [ ].
Anthony Harrison wrote to our list twice, first by introducing himself and their background and later to mention the increasing relevance of Software Bill of Materials (SBOMs):

As I am sure everyone is aware, there is a growing interest in [SBOMs] as a way of improving software security and resilience. In the last two years, the US through the Exec Order, the EU through the proposed Cyber Resilience Act (CRA) and this month the UK has issued a consultation paper looking at software security and SBOMs appear very prominently in each publication. [ ]

Tim Retout wrote a blog post discussing AlmaLinux in the context of CentOS, RHEL and supply-chain security in general [ ]:

Alma are generating and publishing Software Bill of Material (SBOM) files for every package; these are becoming a requirement for all software sold to the US federal government. What s more, they are sending these SBOMs to a third party (CodeNotary) who store them in some sort of Merkle tree system to make it difficult for people to tamper with later. This should theoretically allow end users of the distribution to verify the supply chain of the packages they have installed?

Debian

Vagrant Cascadian noted that the Debian bookworm distribution has finally surpassed bullseye for reproducibility: 96.1% vs. 96.0%, despite having over 3500 more packages in the distribution.

Roland Clobus posted his latest update of the status of reproducible Debian ISO images noting that all major desktops build reproducibly with bullseye, bookworm and sid, with the caveat that when non-free firmware is activated, some non-reproducible files are generated .

FC Stegerman submitted a new Intent to Package (ITP) bug report representing an intention to package `repro-apk`, a set of scripts to make Android `.apk` files reproducible.

23 reviews of Debian packages were added, 24 were updated and 20 were removed this month adding to our knowledge about identified issues. A new issue was added and identified by Chris Lamb [ ], and the `timestamps_embedded_in_manpages_by_node_marked_man` issue has been marked as resolved [ ].

F-Droid & Android

This month, F-Droid added 21 apps published with reproducible builds (out of 33 new apps in total), the overview of F-Droid apps published with Reproducible Builds now includes graphs, and there are now also some graphs of F-Droid apps verified by the Verification Server.

FC Stegerman noticed that signatures made by older versions of Android Gradle plugin cannot be copied because the signing method differs too much from that used by apksigner (and signflinger).

FC Stegerman also created a helpful HOWTO page on the F-Droid Wiki detailing how to compare and subsequently make APKs reproducible.

A long-running thread on Hiding data/code in Android APK embedded signatures continued on our mailing list this month; apksigcopier `v1.1.1` and reproducible-apk-tools `v0.2.2` + `v0.2.3` were also announced on the same list.

Lastly, FC Stegerman reported two issues on Google s own issue tracker: one related to a non-deterministic Dependency Info Block [ ] and another about a virtual entry added by the signflinger tool causing unexpected differences between signed and unsigned APKs [ ].

diffoscope diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb released versions `235` and `236`; Mattia Rizzolo later released version `237`. Contributions include:

Chris Lamb:

Fix compatibility with PyPDF2 (re. issue #331) [ ][ ][ ].

Fix compatibility with ImageMagick version 7.1 [ ].

Require at least version 23.1.0 to run the Black source code tests [ ].

Update `debian/tests/control` after merging changes from others [ ].

Don t write test data during a test [ ].

Update copyright years [ ].

Merged a large number of changes from others.

Akihiro Suda edited the `.gitlab-ci.yml` configuration file to ensure that versioned tags are pushed to the container registry [ ].

Daniel Kahn Gillmor provided a way to migrate from PyPDF2 to pypdf (#1029741).

Efraim Flashner updated the tool metadata for `isoinfo` on GNU Guix [ ].

FC Stegerman added support for Android `resources.arsc` files [ ], improved a number of file-matching regular expressions [ ][ ] and added support for Android `dexdump` [ ]; they also fixed a test failure (#1031433) caused by Debian s `black` package having been updated to a newer version.

Mattia Rizzolo:

updated the release documentation [ ],

fixed a number of Flake8 errors [ ][ ],

updated the autopkgtest configuration to only install `aapt` and `dexdump` on architectures where they are available [ ], making sure that the latest diffoscope release is in a good fit for the upcoming Debian bookworm freeze.

reprotest Reprotest version 0.7.23 was uploaded to both PyPI and Debian unstable, including the following changes:

Holger Levsen improved a lot of documentation [ ][ ][ ], tidied the documentation as well [ ][ ], and experimented with a new `--random-locale` flag [ ].

Vagrant Cascadian adjusted reprotest to no longer randomise the build locale and use a UTF-8 supported locale instead [ ] (re. #925879, #1004950), and to also support passing `--vary=locales.locale=LOCALE` to specify the locale to vary [ ].

Separate to this, Vagrant Cascadian started a thread on our mailing list questioning the future development and direction of reprotest.

Upstream patches The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

Bernhard M. Wiedemann:

`aiohttp` (build fails in the future)

`diff-pdf`

`dpdk`

`ebumeter` (CPU-related issue)

`firecracker` (hashmap ordering issue)

`jhead/gcc` (used random temporary directory name)

`libhugetlbfs` (drop unused unreproducible file)

`prosody` (generates nondeterministic example SSL certificates)

`python-sqlalchemy-migrate` (clean files leftover by Sphinx)

`tigervnc` (random RSA key)

Chris Lamb:

#1030708 filed against `gap-browse`.

#1030714 filed against `cwltool`.

#1030715 filed against `adacgi`.

#1030724 filed against `node-marked-man` (forwarded upstream).

#1030727 filed against `multipath-tools`.

#1031030 filed against `ruby-pgplot`.

#1031412 filed against `pysdl2`.

#1031829 filed against `gawk`.

#1032057 filed against `pyproject-api`.

Gioele Barabucci:

#1032056 filed against `systemtap`.

Larry Doolittle:

#1031711 filed against `verilator`.

Vagrant Cascadian:

#1030270 filed against `libreoffice`.

Testing framework The Reproducible Builds project operates a comprehensive testing framework (available at tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In February, the following changes were made by Holger Levsen:

Add three new OSUOSL nodes [ ][ ][ ] and decommission the `osuosl174` node [ ].

Change the order of listed Debian architectures to show the 64-bit ones first [ ].

Reduce the frequency that the Debian package sets and `dd-list` HTML pages update [ ].

Sort Tested suite consistently (and Debian unstable first) [ ].

Update the Jenkins shell monitor script to only query disk statistics every 230min [ ] and improve the documentation [ ][ ].

Other development work disorderfs version `0.5.11-3` was uploaded by Holger Levsen, fixing a number of issues with the manual page [ ][ ][ ].
Bernhard M. Wiedemann published another monthly report about reproducibility within openSUSE.
If you are interested in contributing to the Reproducible Builds project, please visit the Contribute page on our website. You can get in touch with us via:

IRC: `#reproducible-builds` on `irc.oftc.net`.

Twitter: @ReproBuilds

Mastodon: @reproducible_builds@fosstodon.org

Mailing list: `rb-general@lists.reproducible-builds.org`

31 July 2017

Chris Lamb: Free software activities in July 2017

Here is my monthly update covering what I have been doing in the free software world during July 2017 (previous month):

Updated travis.debian.net, my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform to test builds:
- Moved the default mirror from ftp.de.debian.org to deb.debian.org. [ ]
- Create a sensible debian/changelog file if one does not exist. [ ]
Updated django-slack, my library to easily post messages to the Slack group-messaging utility:
- Merged a PR to clarify the error message when a channel could not be found. [ ]
- Reviewed and merged a suggestion to add a TestBackend. [ ]
Added Pascal support to Louis Taylor's anyprint hack to add support for "print" statements from other languages into Python. [ ]
Filed a PR against Julien Danjou's daiquiri Python logging helper to clarify an issue in the documentation. [ ]
Merged a PR to Strava Enhancement Suite my Chrome extension that improves and fixes annoyances in the web interface of the Strava cycling and running tracker to remove Zwift activities with maps. [ ]
Submitted a pull request for Redis key-value database store to fix a spelling mistake in a binary. [ ]
Sent patches upstream to the authors of the OpenSVC cloud engine and the Argyll Color Management System to fix some "1204" typos.
Fixed a number of Python and deployment issues in my stravabot IRC bot. [ ]
Correct a "1204" typo in Facebook's RocksDB key-value store. [ ]
Corrected =+ typos in the Calibre e-book reader software. [ ]
Filed a PR against the diaspy Python interface to the DIASPORA social network to correct the number of seconds in a day. [ ]
Sent a pull request to remedy a =+ typo in sparqlwrapper, a SPARQL endpoint interface for Python. [ ]
Filed a PR against Postfix Admin to fix some =+ typos. [ ]
Fixed a "1042" typo in ImageJ, a Java image processing library. [ ]
On a less-serious note, I filed an issue for Brad Abraham's bot for the Reddit sub-reddit to add some missing "hit the gym" advice. [ ]

I also blogged about my recent lintian hacking and installation-birthday package.

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced either maliciously or accidentally during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. (I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.) This month I:

Assisted Mattia with a draft of an extensive status update to the debian-devel-announce mailing list. There were interesting follow-up discussions on Hacker News and Reddit.
Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
- apt: Make the output of apt-ftparchive reproducible. Thanks to Colin Percival from Tarsnap for the initial bug report. (#869557)
- gconf: Make the output of /var/lib/gconf/defaults/%gconf-tree-*.xml files reproducible. (#867848, forwarded upstream)
- grunt: Make the output reproducible. (#867753, forwarded upstream)
- node-marked-man: Make the output reproducible. (#868321, forwarded upstream)
- xorg-server: Make BUILD_ DATE,TIME reproducible. (#868843)
I also submitted 5 patches to fix specific reproducibility issues in autopep8, castle-game-engine, grep, libcdio & tinymux.
Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
Worked on publishing our weekly reports. (#114 #115, #116 & #117)

I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

comparators.xml:
- Fix EPUB "missing file" tests; they ship a META-INF/container.xml file. [ ]
- Misc style fixups. [ ]
APK files can also be identified as "DOS/MBR boot sector". (#868486)
comparators.sqlite: Simplify file detection by rewriting manual recognizes call with a Sqlite3Database.RE_FILE_TYPE definition. [ ]
comparators.directory:
- Revert the removal of a try-except. (#868534)
- Tidy module. [ ]

strip-nondeterminism

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.

Add missing File::Temp imports in the JAR and PNG handlers. This appears to have been exposed by lazily-loading handlers in #867982. (#868077)

buildinfo.debian.net

buildinfo.debian.net is my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them.

Avoid a race condition between check-and-creation of Buildinfo instances. [ ]

Debian My activities as the current Debian Project Leader are covered in my "Bits from the DPL emails to the debian-devel-announce mailing list.

Patches contributed

obs-studio: Remove annoying "click wrapper" on first startup. (#867756)
vim: Syntax highlighting for debian/copyright files. (#869965)
moin: Incorrect timezone offset applied due to "84600" typo. (#868463)
ssss: Add a simple autopkgtest. (#869645)
dch: Please bump $latest_bpo_dist to current stable release. (#867662)
python-kaitaistruct: Remove Markdown and homepage references from package long descriptions. (#869265)
album-data: Correct invalid Vcs-Git URI. (#869822)
pytest-sourceorder: Update Homepage field. (#869125)

I also made a very large number of contributions to the Lintian static analysis tool. To avoid duplication here, I have outlined them in a separate post.

Debian LTS

This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:

"Frontdesk" duties, triaging CVEs, etc.
Issued DLA 1014-1 for libclamunrar, a library to add unrar support to the Clam anti-virus software to fix an arbitrary code execution vulnerability.
Issued DLA 1015-1 for the libgcrypt11 crypto library to fix a "sliding windows" information leak.
Issued DLA 1016-1 for radare2 (a reverse-engineering framework) to prevent a remote denial-of-service attack.
Issued DLA 1017-1 to fix a heap-based buffer over-read in the mpg123 audio library.
Issued DLA 1018-1 for the sqlite3 database engine to prevent a vulnerability that could be exploited via a specially-crafted database file.
Issued DLA 1019-1 to patch a cross-site scripting (XSS) exploit in phpldapadmin, a web-based interface for administering LDAP servers.
Issued DLA 1024-1 to prevent an information leak in nginx via a specially-crafted HTTP range.
Issued DLA 1028-1 for apache2 to prevent the leakage of potentially confidential information via providing Authorization Digest headers.
Issued DLA 1033-1 for the memcached in-memory object caching server to prevent a remote denial-of-service attack.

Uploads

redis:
- 4:4.0.0-1 Upload new major upstream release to unstable.
- 4:4.0.0-2 Make /usr/bin/redis-server in the primary package a symlink to /usr/bin/redis-check-rdb in the redis-tools package to prevent duplicate debug symbols that result in a package file collision. (#868551)
- 4:4.0.0-3 Add -latomic to LDFLAGS to avoid a FTBFS on the mips & mipsel architectures.
- 4:4.0.1-1 New upstream version. Install 00-RELEASENOTES as the upstream changelog.
- 4:4.0.1-2 Skip non-deterministic tests that rely on timing. (#857855)
python-django:
- 1:1.11.3-1 New upstream bugfix release. Check DEB_BUILD_PROFILES consistently, not DEB_BUILD_OPTIONS.
bfs:
- 1.0.2-2 & 1.0.2-3 Use help2man to generate a manpage.
- 1.0.2-4 Set hardening=+all for bindnow, etc.
- 1.0.2-5 & 1.0.2-6 Don't use upstream's release target as it overrides our CFLAGS & install RELEASES.md as the upstream changelog.
- 1.1-1 New upstream release.
libfiu:
- 0.95-4 Apply patch from Steve Langasek to fix autopkgtests. (#869709)
python-daiquiri:
- 1.0.1-1 Initial upload. (ITP)
- 1.1.0-1 New upstream release.
- 1.1.0-2 Tidy package long description.
- 1.2.1-1 New upstream release.

I also reviewed and sponsored the uploads of gtts-token 1.1.1-1 and nlopt 2.4.2+dfsg-3.

Debian bugs filed

ITP: python-daiquiri Python library to easily setup basic logging functionality. (#867322)
twittering-mode: Correct incorrect time formatting due to "84600" typo. (#868479)

FTP Team

As a Debian FTP assistant I ACCEPTed 45 packages: 2ping, behave, cmake-extras, cockpit, cppunit1.13, curvedns, flask-mongoengine, fparser, gnome-shell-extension-dash-to-panel, graphene, gtts-token, hamlib, hashcat-meta, haskell-alsa-mixer, haskell-floatinghex, haskell-hashable-time, haskell-integer-logarithms, haskell-murmur-hash, haskell-quickcheck-text, haskell-th-abstraction, haskell-uri-bytestring, highlight.js, hoel, libdrm, libhtp, libpgplot-perl, linux, magithub, meson-mode, orcania, pg-dirtyread, prometheus-apache-exporter, pyee, pytest-pep8, python-coverage-test-runner, python-digitalocean, python-django-imagekit, python-rtmidi, python-transitions, qdirstat, redtick, ulfius, weresync, yder & zktop. I additionally filed 5 RC bugs against packages that had incomplete debian/copyright files against: cockpit, cppunit, cppunit1.13, curvedns & highlight.js.