planet.donarmstrong.com

Welcome to the December 2021 report from the Reproducible Builds project! In these reports, we try and summarise what we have been up to over the past month, as well as what else has been occurring in the world of software supply-chain security.

As a quick recap of what reproducible builds is trying to address, whilst anyone may inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries. The motivation behind the reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. As always, if you would like to contribute to the project, please get in touch with us directly or visit the Contribute page on our website.

Early in December, Julien Voisin blogged about setting up a rebuilderd instance in order to reproduce Tails images. Working on previous work from 2018, Julien has now set up a public-facing instance which is providing build attestations.

As Julien dryly notes in his post, “Currently, this isn’t really super-useful to anyone, except maybe some Tails developers who want to check that the release manager didn’t backdoor the released image.” Naturally, we would contend — sincerely — that this is indeed useful.

The secure/anonymous Tor browser now supports reproducible source releases. According to the project’s changelog, version 0.4.7.3-alpha of Tor can now build reproducible tarballs via the make dist-reprod command. This issue was tracked via Tor issue #26299.

Fabian Keil posted a question to our mailing list this month asking how they might analyse differences in images produced with the FreeBSD and ElectroBSD’s mkimg and makefs commands:

After rebasing ElectroBSD from FreeBSD stable/11 to stable/12
I recently noticed that the "memstick" images are unfortunately
still not 100% reproducible.

Fabian’s original post generated a short back-and-forth with Chris Lamb regarding how diffoscope might be able to support the particular format of images generated by this command set.

diffoscope

diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploading versions 195, 196, 197 and 198 to Debian, as well as made the following changes:

• Support showing Ordering differences only within .dsc field values. […]
• Add support for ‘XMLb’ files. […]
• Also add, for example, /usr/lib/x86_64-linux-gnu to our local binary search path. […]
• Support OCaml versions 4.11, 4.12 and 4.13. […]
• Drop some unnecessary has_same_content_as logging calls. […]
• Replace token variable with an anonymously-named variable instead to remove extra lines. […]
• Don’t use the runtime platform’s native endianness when unpacking .pyc files. This fixes test failures on big-endian machines. […]

Mattia Rizzolo also made a number of changes to diffoscope this month as well, such as:

• Also recognize GnuCash files as XML. […]
• Support the pgpdump PGP packet visualiser version 0.34. […]
• Ignore the new Lintian tag binary-with-bad-dynamic-table. […]
• Fix the Enhances field in debian/control. […]

Finally, Brent Spillner fixed the version detection for Black ‘uncompromising code formatter’ […], Jelle van der Waa added an external tool reference for Arch Linux […] and Roland Clobus added support for reporting when the GNU_BUILD_ID field has been modified […]. Thank you for your contributions!

Distribution work

In Debian this month, 70 reviews of packages were added, 27 were updated and 41 were removed, adding to our database of knowledge about specific issues. A number of issue types were created as well, including:

• build_path_identifiers_in_documentation_generated_by_doxygen
• non_deterministic_doc_base_file_for_javadoc
• nondeterministic_ordering_in_guile_binaries

strip-nondeterminism version 1.13.0-1 was uploaded to Debian unstable by Holger Levsen. It included contributions already covered in previous months as well as new ones from Mattia Rizzolo, particularly that the dh_strip_nondeterminism Debian integration interface uses the new get_non_binnmu_date_epoch() utility when available: this is important to ensure that strip-nondeterminism does not break some kinds of binNMUs.

In the world of openSUSE, however, Bernhard M. Wiedemann posted his monthly reproducible builds status report.

In NixOS, work towards the longer-term goal of making the graphical installation image reproducible is ongoing. For example, Artturin made the gnome-desktop package reproducible.

Upstream patches

The Reproducible Builds project attempts to fix as many currently-unreproducible packages as possible. In December, we wrote a large number of such patches, including:

• Bernhard M. Wiedemann:

  • g++7/rsync (randomness in output)
  • python-eventlet (build fails in the future)
  • python-PyQRCode (incorporates copyright year)

• Chris Lamb:

  • #1001227 filed against locust.
  • #1001277 filed against cwltool.
  • #1001553 filed against mate-submodules.

• Simon McVittie:

  • #1001210 filed against ksh93u+m.
  • #1001223 filed against dx.

• Vagrant Cascadian:

  • #1000944 filed against apbs.
  • #1000945 filed against binutils-riscv64-unknown-elf.
  • #1000946 filed against gcc-riscv64-unknown-elf.
  • #1001850 filed against userbindmount.
  • #1001853 filed against nanomsg.
  • #1001854 filed against freediameter.
  • #1001856 filed against gr-satellites.
  • #1001859 filed against kjs.
  • #1001860 filed against xeus-python.
  • #1001866 filed against libime.
  • #1001867 filed against fcitx5-gtk.
  • #1001868 filed against fcitx.
  • #1001869 filed against libpodofo.
  • #1001870 filed against meshlab.
  • #1001872 filed against eiskaltdcpp.
  • #1001873 filed against editorconfig-core.
  • #1002671 filed against python-parse-type.
  • #1002673 filed against sphinx-copybutton.
  • #1002674 filed against fcitx5-qt.

• Roland Clobus:

  • libxmlb#110 filed upstream against libxmlb, fixed by Richard Hughes. Waiting for an upstream release.

Testing framework

The Reproducible Builds project runs a significant testing framework at tests.reproducible-builds.org, to check packages and other artifacts for reproducibility. This month, the following changes were made:

• Holger Levsen:

  • Run the Debian scheduler less often. […]
  • Fix the name of the Debian ‘testing’ suite name. […]
  • Detect builds that are rescheduling due to problems with the diffoscope container. […]
  • No longer special-case particular machines having a different /boot partition size. […]
  • Automatically fix failed apt-daily and apt-daily-upgrade services […], failed e2scrub_all.service & user@ systemd units […][…] as well as ‘generic’ build failures […].
  • Simplify a script to powercycle arm64 architecture nodes hosted at/by codethink.co.uk. […]
  • Detect if the udd-mirror.debian.net service is down. […]
  • Various miscellaneous node maintenance. […][…]

• Roland Clobus (Debian ‘live’ image generation):

  • If the latest snapshot is not complete yet, try to use the previous snapshot instead. […]
  • Minor: whitespace correction + comment correction. […]
  • Use unique folders and reports for each Debian version. […]
  • Turn off debugging. […]
  • Add a better error description for incorrect/missing arguments. […]
  • Report non-reproducible issues in Debian sid images. […]

Lastly, Mattia Rizzolo updated the automatic logfile parsing rules in a number of ways (eg. to ignore a warning about the Python setuptools deprecation) […][…] and Vagrant Cascadian adjusted the config for the Squid caching proxy on a node. […]

If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• Mailing list: rb-general@lists.reproducible-builds.org

• IRC: #reproducible-builds on irc.oftc.net.

• Mastodon: @reproducible_builds@fosstodon.org

My 4×2 has been in action again, trying to find the remainder of the mystery sometimes-4mm/sometimes-2.5mm/sometimes-1.5mm cable. It finally appeared in the tiniest gap possible between back wall and joist.

As we had suspected by tracing everything else, the junction is an unfused union of all three cable types with a 230V 32A circuit breaker on one end and a light switch on the other. So in the event of fault current at the kitchen lights, the 1.5mm cable is definitely going to burn out and almost certainly set fire to the flat roof. Delightful.

It is no longer like this.

More hunting for the mystery cable (bonus glimpse of one of the new light fittings)

The 4×2 ceiling removal device in action

At last, quarry in sight!

Mystery Cable Junction Box of Fire and Doom ?

All the terrifying branches removed and ready to go back into the ceiling for now, until the next room is refurbished

The FAI.me service for creating customized installation and cloud images now supports a backports kernel for the stable release Debian 11 (aka bullseye). If you enable the backports option, you will currently get kernel 5.14. This will help you if you have newer hardware that is not support by the default kernel 5.10. The backports option is also still available for the images when using the old Debian 10 (buster) release.

The URL of the FAI.me service is

https://fai-project.org/FAIme/

FAI.me