Welcome to the January 2022 report from the Reproducible Builds project. In our reports, we try to outline the most important things that have been happening in the past month. As ever, if you are interested in contributing to the project, please visit our Contribute page on our website.
An interesting blog post was published by Paragon Initiative Enterprises about Gossamer, a proposal for securing the PHP software supply-chain. Utilising code-signing and third-party attestations, Gossamer aims to mitigate the risks within the notorious PHP world by publishing attestations to a transparency log. Their post, titled Solving Open Source Supply Chain Security for the PHP Ecosystem, goes into some detail regarding the design, scope and implementation of the system.
This month, the Linux Foundation announced SupplyChainSecurityCon, a conference focused on exploring the security threats affecting the software supply chain and on sharing best practices and mitigation tactics. The conference is part of the Linux Foundation’s Open Source Summit North America and will take place June 21st–24th 2022, both virtually and in Austin, Texas.
Debian
There was significant progress made in the Debian Linux distribution this month, including:
- Roland Clobus continued work on reproducible ‘live’ images in the past month, and some of his work was merged into live-build itself. The ReproducibleInstalls/LiveImages page on the Debian Wiki as well as the existing/custom Jenkins hooks were updated to match.
- Related to this, it is now possible to create bit-by-bit reproducible chroots using mmdebstrap when SOURCE_DATE_EPOCH is set. As of Debian 11 Bullseye, this works for all variants except the variant that includes all so-called ‘Priority: standard’ packages, where fontconfig caches, *.pyc files and the man-db index.db file are unreproducible. (These issues have been addressed in Tails and live-build by removing the *.pyc files as well as the index.db files. Whilst index.db files can be regenerated, there is no straightforward method of re-creating *.pyc files, and the resulting installation will suffer from reduced performance of Python scripts. Ideally, no removal would be necessary, as all files would be created reproducibly in the first place.)
- Further to this work, Roland wrote up a comprehensive status update about live-build ISO images to our mailing list as well.
- The PackageRebuilder instance running at beta.tests.reproducible-builds.org is now aware of, and capable of building packages for, Debian bookworm.
- A longstanding issue around fontconfig’s cache files being unreproducible saw some progress this month. Debian bug number #864082 (originally filed in June 2017) was NMU’d by josch, although this resulted in a small number of minor side-effects which have already been addressed with a follow-up patch.
- 120 reviews of Debian packages were added, 272 were updated and 31 were removed this month, all adding to our index of identified issues. A number of issue types were updated too […][…][…][…].
- kpcyrd blogged this month about Debian binary NMUs and .buildinfo files in a post entitled Reproducible Builds: Debian and the case of the missing version string.
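To make the chroot item above concrete, here is an added example (not mmdebstrap’s or the project’s own code) that compares two chroot trees built with the same SOURCE_DATE_EPOCH and sorts every differing file into the categories the report names: *.pyc files, the man-db index.db file and fontconfig caches, with anything else reported as unknown. The mmdebstrap invocation in the docstring and the glob patterns for where Debian keeps those files are assumptions; the demo trees are constructed in a temporary directory so the script runs without root or a real chroot.

```python
#!/usr/bin/env python3
"""Compare two chroot trees built with the same SOURCE_DATE_EPOCH and classify
every file that differs.  Added example; not mmdebstrap's or the Reproducible
Builds project's code.

The trees are assumed to come from something like (run as root or in a user
namespace; the epoch value is constructed):

    export SOURCE_DATE_EPOCH=1640995200
    mmdebstrap --variant=standard bullseye chroot-a/
    mmdebstrap --variant=standard bullseye chroot-b/
    python3 compare_chroots.py chroot-a chroot-b
"""
import fnmatch
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Glob patterns for the known-unreproducible files the report names.  The
# locations are assumptions about where Debian places them inside a chroot.
KNOWN_ISSUES = {
    "pyc": ["*.pyc"],
    "man-db": ["var/cache/man/index.db"],
    "fontconfig": ["var/cache/fontconfig/*.cache-*"],
}


def file_digest(path: Path) -> str:
    """SHA-256 of a regular file's contents, streamed in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to (permission bits, sha256).
    Symlinks are skipped; compare their targets separately if needed."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            rel = p.relative_to(root).as_posix()
            result[rel] = (p.stat().st_mode & 0o7777, file_digest(p))
    return result


def classify(rel: str) -> str:
    """Name the known issue class a differing path belongs to, or 'unknown'."""
    for category, patterns in KNOWN_ISSUES.items():
        if any(fnmatch.fnmatchcase(rel, pat) for pat in patterns):
            return category
    return "unknown"


def compare_trees(a: Path, b: Path) -> dict:
    """Return {category: sorted paths} for files missing from one side or
    differing in content or permissions.  An empty dict means the two trees
    are identical at the file level."""
    sa, sb = snapshot(a), snapshot(b)
    only_one_side = set(sa) ^ set(sb)
    changed = {p for p in sa.keys() & sb.keys() if sa[p] != sb[p]}
    report = {}
    for rel in sorted(only_one_side | changed):
        report.setdefault(classify(rel), []).append(rel)
    return report


def demo() -> dict:
    """Build two constructed trees mimicking the standard-variant result the
    report describes, and return compare_trees() on them."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = Path(tmp, "chroot-a"), Path(tmp, "chroot-b")
        sample = {  # path -> (contents in a, contents in b); constructed data
            "etc/hostname": (b"host\n", b"host\n"),
            "usr/lib/python3/dist-packages/six.pyc": (b"pyc-a", b"pyc-b"),
            "var/cache/man/index.db": (b"db-a", b"db-b"),
            "var/cache/fontconfig/0f1e2d.cache-7": (b"fc-a", b"fc-b"),
            "usr/share/doc/odd/README": (b"x", b"y"),
        }
        for rel, (ca, cb) in sample.items():
            for root, content in ((a, ca), (b, cb)):
                f = root / rel
                f.parent.mkdir(parents=True, exist_ok=True)
                f.write_bytes(content)
        return compare_trees(a, b)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        report = compare_trees(Path(sys.argv[1]), Path(sys.argv[2]))
    else:
        report = demo()
    for category, paths in sorted(report.items()):
        print(f"{category}:")
        for rel in paths:
            print(f"  {rel}")
    sys.exit(1 if report else 0)
```

The exit status is non-zero whenever anything differs, so the script can sit in a CI job; the category breakdown tells you whether a regression is one of the three known classes or something new that deserves a bug report.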
Other distributions
kpcyrd reported on Twitter about the release of version 0.2.0 of pacman-bintrans, an experiment with binary transparency for the Arch Linux package manager, pacman. This new version is now able to query rebuilderd to check if a package was independently reproduced.
In the world of openSUSE, however, Bernhard M. Wiedemann posted his monthly reproducible builds status report.
diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 199, 200, 201 and 202 to Debian unstable (that were later backported to Debian bullseye-backports by Mattia Rizzolo), as well as made the following changes to the code itself:
- New features:
  - First attempt at incremental output support with a timeout. Now passing, for example, --timeout=60 will mean that diffoscope will not recurse into any sub-archives after 60 seconds total execution time has elapsed. Note that this is not a fixed/strict timeout due to implementation issues. […][…]
  - Support both variants of odt2txt, including the one provided by the unoconv package. […]
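The following is an added model of the timeout semantics described above; it is not diffoscope’s code. Archives are represented as nested dicts, and the time budget is checked only when the comparison is about to descend into a sub-archive, which is what makes the limit cooperative rather than strict: a comparison already in progress is never interrupted, only further recursion is skipped. A fake clock that advances one second per reading is an assumption made so the behaviour is deterministic.

```python
#!/usr/bin/env python3
"""Model of a recursive archive comparison governed by a total-execution-time
budget.  Added illustration of a cooperative --timeout; not diffoscope's own
implementation.  A dict value models a sub-archive, a bytes value a member."""
import time


class Budget:
    """Wall-clock budget that is consulted only at recursion points, so one
    long-running comparison is never cut short mid-way."""

    def __init__(self, seconds: float, clock=time.monotonic):
        self.seconds = seconds
        self.clock = clock
        self.start = clock()

    def exhausted(self) -> bool:
        return self.clock() - self.start >= self.seconds


def compare(a: dict, b: dict, budget: Budget, path: str = "") -> list:
    """Return human-readable difference lines for two archive trees."""
    diffs = []
    for name in sorted(set(a) | set(b)):
        here = f"{path}/{name}"
        if name not in a or name not in b:
            diffs.append(f"{here}: present on one side only")
            continue
        x, y = a[name], b[name]
        if isinstance(x, dict) and isinstance(y, dict):
            if budget.exhausted():
                # Budget spent: treat the sub-archive as an opaque blob instead
                # of descending into it.
                if x != y:
                    diffs.append(f"{here}: differs (sub-archive not expanded, timeout reached)")
            else:
                diffs.extend(compare(x, y, budget, here))
        elif x != y:
            diffs.append(f"{here}: contents differ")
    return diffs


class FakeClock:
    """Deterministic clock (assumed for the demo): advances one second per
    reading so the result does not depend on real elapsed time."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        self.now += 1.0
        return self.now - 1.0


# Constructed sample: two nested archives plus a plain member.
LEFT = {
    "inner1.tar": {"a.txt": b"same", "b.txt": b"left"},
    "inner2.tar": {"c.txt": b"left"},
    "readme": b"same",
}
RIGHT = {
    "inner1.tar": {"a.txt": b"same", "b.txt": b"right"},
    "inner2.tar": {"c.txt": b"right"},
    "readme": b"same",
}


def demo(seconds: float = 2.0) -> list:
    """Compare the samples under a budget of `seconds` on the fake clock."""
    return compare(LEFT, RIGHT, Budget(seconds, clock=FakeClock()))


if __name__ == "__main__":
    for line in demo(2.0):
        print(line)
```

With a two-second budget the first sub-archive is expanded and the second is reported only as an opaque difference; raising the budget expands both. The same structure explains why diffoscope’s option is documented as not strict: the check happens between units of work, not inside them.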
- Bug fixes:
  - Do not return with a UNIX exit code of 0 if we encounter a file whose human-readable metadata matches literal file contents. […]
  - Don’t fail if comparing a nonexistent file with a .pyc file (and add test). […][…]
  - If the debian.deb822 module raises any exception on import, re-raise it as an ImportError. This should fix diffoscope on some Fedora systems. […]
  - Even if a Sphinx .inv inventory file is labelled ‘The remainder of this file is compressed using zlib’, it might not actually be. In this case, don’t traceback and simply return the original content. […]
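The Sphinx inventory fix is a good illustration of defensive parsing of a self-describing format. Below is an added example (not diffoscope’s implementation) that reads an objects.inv file, attempts zlib decompression only when the header claims it, and falls back to the raw body when decompression fails rather than propagating the exception. The two sample inventories are constructed inline: one genuinely compressed, one whose header lies.

```python
#!/usr/bin/env python3
"""Read a Sphinx objects.inv file, tolerating a header that promises zlib
compression the body does not actually have.  Added example; not diffoscope's
own code."""
import zlib

ZLIB_MARKER = b"compressed using zlib"


def split_inventory(data: bytes):
    """Return (four header lines, raw remainder).  Sphinx inventories start
    with four '#' comment lines; version 2 compresses everything after them."""
    parts = data.split(b"\n", 4)
    if len(parts) < 5 or not parts[0].startswith(b"# Sphinx inventory version"):
        raise ValueError("not a Sphinx inventory file")
    return parts[:4], parts[4]


def decode_body(header, body: bytes):
    """Return (text, was_compressed).  When the header claims zlib but the
    body does not inflate, hand the body back untouched instead of raising."""
    if any(ZLIB_MARKER in line for line in header):
        try:
            return zlib.decompress(body), True
        except zlib.error:
            return body, False
    return body, False


def parse_inventory(data: bytes):
    """Return ({name: (role, location)}, was_compressed)."""
    header, body = split_inventory(data)
    text, was_compressed = decode_body(header, body)
    entries = {}
    for line in text.decode("utf-8", errors="replace").splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        # Entry layout: name domain:role priority location dispname
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        name, role, _priority, location, _dispname = fields
        if location.endswith("$"):  # Sphinx shorthand: '$' stands for the name
            location = location[:-1] + name
        entries[name] = (role, location)
    return entries, was_compressed


HEADER = (
    b"# Sphinx inventory version 2\n"
    b"# Project: example\n"
    b"# Version: 1.0\n"
    b"# The remainder of this file is compressed using zlib.\n"
)
BODY = b"foo.bar py:function 1 api.html#$ -\nfoo py:module 1 api.html -\n"

# Constructed samples: a well-formed inventory and a mislabelled one whose
# body was written uncompressed despite the header line.
GOOD_INV = HEADER + zlib.compress(BODY)
MISLABELLED_INV = HEADER + BODY

if __name__ == "__main__":
    for label, blob in (("well-formed", GOOD_INV), ("mislabelled", MISLABELLED_INV)):
        entries, compressed = parse_inventory(blob)
        print(f"{label}: compressed={compressed} entries={entries}")
```

Catching only zlib.error keeps the fallback narrow: a body that is simply not zlib data is returned verbatim, while anything else (a missing or malformed header) still raises, so a genuinely broken file is not silently accepted.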
- Documentation:
  - Improve documentation for the new --timeout option due to a few misconceptions. […]
  - Drop reference in the manual page claiming the ability to compare non-existent files on the command-line. (This has not been possible since version 32, which was released in September 2015.) […]
  - Update ‘X has been modified after NT_GNU_BUILD_ID has been applied’ messages to, for example, not duplicate the full filename in the diffoscope output. […]
- Codebase improvements:
In addition, Alyssa Ross fixed the comparison of CBFS names that contain spaces […], Sergei Trofimovich fixed whitespace for compatibility with version 21.12 of the Black source code reformatter […] and Zbigniew Jędrzejewski-Szmek fixed JSON detection with a new version of file […].
Testing framework
The Reproducible Builds project runs a significant testing framework at tests.reproducible-builds.org, to check packages and other artifacts for reproducibility. This month, the following changes were made:
Upstream patches
The Reproducible Builds project attempts to fix as many currently-unreproducible packages as possible. In January, we wrote a large number of such patches, including:
And finally…
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. You can also get in touch with us via: