Re: Sticker Giveaway: Read code 

2024-03-31 Thread Vagrant Cascadian
On 2024-04-01, kpcyrd wrote:
> in February I printed about 2k stickers to manifest the concept of 
> reviewing source code, picturing a bug throwing a party within the 
> codebases nobody reads.
>
> I usually spread these in my communities in person, due to recent events 
> I've decided to give some of them away by mail. To keep things simple 
> I'm going to eat the shipping cost.

Does shipping include the cat? Or was that just to demonstrate size?

live well,
  vagrant




OBS/rpm & java-21 success

2024-03-31 Thread Bernhard M. Wiedemann via rb-general

Hi,

today I want to share with you two successes on our path to total 
reproducibility in openSUSE:


Through the persistence of my colleague Jan Zerebecki and the help of 
mls (SUSE's rpm maintainer) we made nice progress on

https://bugzilla.opensuse.org/show_bug.cgi?id=1148824
to finally normalize mtimes in official openSUSE Tumbleweed rpms.

Together with a workaround for
https://github.com/rpm-software-management/rpm/issues/2965
this allowed me to create bit-identical rpms to the ones pulled from 
build.opensuse.org , processed with rpm --delsign


Now everything that was reproducible in my QA-tests is also 
reproducible+verifiable in practice.



The other success is that I saw 2 bit-identical java-21-openjdk rpm 
builds, but only when both were done on 1-core VMs, so there might only 
be some raciness left. [1]

javadoc output still has an issue from filesystem-readdir-order.
We have a build-tool workaround for that in place [2]


Ciao
Bernhard M.


[1] 
https://rb.zq1.de/compare.factory-20240331/diffs/java-21-openjdk-compare.out
[2] 
https://github.com/bmwiedemann/openSUSE/blob/54e27e1/packages/_/_project/_config#L19-L20


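The two normalizations the message above touches on (mtime normalization in rpm, and the filesystem-readdir-order problem behind the javadoc diff) are easiest to see in miniature. The following is an added example, not code from the message, from openSUSE or from rpm: it archives a constructed build tree with Python's tarfile instead of rpm, once naively and once with mtimes clamped to an assumed SOURCE_DATE_EPOCH and entries walked in sorted order, then hashes both archives of two builds made an hour apart. The file names, contents and epoch value are all constructed.

```python
"""Added example, not code from the original message or from openSUSE/rpm:
mtime clamping to SOURCE_DATE_EPOCH and a sorted directory walk, shown on a
constructed build tree archived with tarfile instead of rpm."""
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed stand-in for the SOURCE_DATE_EPOCH a package build exports
# (2024-03-31T00:00:00Z); file mtimes are clamped to this value.
SOURCE_DATE_EPOCH = 1711843200

# Constructed build output: identical content in every build.
SAMPLE_FILES = {
    "bin/tool": b"#!/bin/sh\necho hello\n",
    "share/doc/README": b"documentation\n",
    "share/man/tool.1": b".TH TOOL 1\n",
}


def build_tree(root, build_time):
    """Simulate one build: write the files and stamp them with that build's clock."""
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (build_time, build_time))


def walk_files(root, sorted_order):
    """Yield (archive name, path) for regular files, in readdir order unless sorted."""
    for dirpath, dirnames, filenames in os.walk(root):
        if sorted_order:
            dirnames.sort()  # os.walk honours in-place edits, so subdirs are visited sorted
            filenames.sort()
        for name in filenames:
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root), path


def archive(root, normalize):
    """Pack the tree into an uncompressed tar (so no gzip header timestamp is involved)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, path in walk_files(root, sorted_order=normalize):
            st = os.stat(path)
            info = tarfile.TarInfo(name)
            info.size = st.st_size
            info.mode = 0o644
            if normalize:
                # Clamp, do not overwrite: files older than SOURCE_DATE_EPOCH keep
                # their timestamp, newer ones (everything written during the build)
                # are pinned to it. Owner fields are fixed so the builder's uid
                # does not leak into the archive either.
                info.mtime = min(int(st.st_mtime), SOURCE_DATE_EPOCH)
                info.uid = info.gid = 0
            else:
                info.mtime = int(st.st_mtime)
                info.uid, info.gid = st.st_uid, st.st_gid
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()


def compare_two_builds():
    """Build the same tree twice, one hour apart, and report which archive flavours match."""
    results = {}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        build_tree(a, SOURCE_DATE_EPOCH + 3600)
        build_tree(b, SOURCE_DATE_EPOCH + 7200)
        for label, normalize in (("naive", False), ("normalized", True)):
            digests = {hashlib.sha256(archive(r, normalize)).hexdigest() for r in (a, b)}
            results[label] = len(digests) == 1
    return results


if __name__ == "__main__":
    print(compare_two_builds())  # {'naive': False, 'normalized': True}
```

The naive archive differs between the two builds purely because of the wall-clock mtimes; the normalized one is identical. Clamping rather than overwriting is deliberate: it matches the SOURCE_DATE_EPOCH convention, so files that legitimately predate the release keep their timestamps, and only build-time artifacts are pinned.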


Re: Two questions about build-path reproducibility in Debian

2024-03-31 Thread Chris Lamb
Hi James,

> Approximately thirty are still set to other severity levels, and I plan to
> update those with the following adjusted messaging […]

Looks good to me. :)

Completely out of interest, are any of those 30 bugs tagged both
"buildpath" and "toolchain"? It's written nowhere in Policy (and I
can't remember if it's ever been discussed before), but if package X
is causing package Y to be unreproducible, I feel that has some
bearing on the severity of the bug for that issue filed against X…
completely independent of whether package X is reproducible itself or
not.  :)

Just to underscore that this is simply my curiosity before you
reassign: in the particular case of *buildpath* AND toolchain, these
should almost certainly be wishlist anyway because, as discussed, we
"aren't testing buildpath".


Best wishes,

-- 
  o
⬋   ⬊  Chris Lamb
   o o reproducible-builds.org 
⬊   ⬋
  o



Re: Reproducible Builds for recent Debian security updates

2024-03-31 Thread Salvatore Bonaccorso
Hi,

On Sat, Mar 30, 2024 at 03:30:57PM -0700, Vagrant Cascadian wrote:
> On 2024-03-30, Vagrant Cascadian wrote:
> > On 2024-03-30, Salvatore Bonaccorso wrote:
> >> On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
> >>> Philipp Kern asked about trying to do reproducible builds checks for
> >>> recent security updates to try to gain confidence about Debian's buildd
> >>> infrastructure, given that they run builds in sid chroots which may have
> >>> used or built or run a vulnerable xz-utils...
> > ...
> >> There would be an upcoming (or actually postponed) util-linux update
> >> as well. Could you as extra paranoia please verify these here as well
> >> (I assume its enough for you that the source package is signed, I
> >> stripped the signature from the changes):
> >>
> >> https://people.debian.org/~carnil/tmp/util-linux/
> >
> > I don't see any source packages there, just .deb .changes and signed
> > .buildinfo files! The signed .buildinfo files are great, but would
> > definitely need the source code ... looks like the util-linux changes
> > are in a git branch, but a signed .dsc would be nice just to be sure I
> > am testing the same thing. That said, testing from git and getting
> > bit-for-bit identical results ... would be confidence inspiring!
> > Hmmm. Might just go for it, and if we have issues, maybe try to dig up
> > the .dsc? :)
> 
> Hah. Almost in the time it took me to wonder about git vs. .dsc builds,
> even with some minor differences in the build-depends, managed a
> bit-for-bit identical build of util-linux:amd64 and util-linux:all!
> 
> Tarball of build logs and .buildinfo files:
> 
>   
> https://people.debian.org/~vagrant/util-linux-2.38.1-5+deb12u1.verification.tar.zst

Thanks a lot!

Regards,
Salvatore
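The check behind the "bit-for-bit identical" result in the thread above is a comparison of rebuilt artifacts against the Checksums-Sha256 field of the signed .buildinfo file. The following is an added example, not code from the thread or from Debian's tooling: a small parser for that field and a verifier that classifies each listed artifact as identical, checksum-mismatch, size-mismatch or missing. The .buildinfo text, package names and artifact bytes are constructed samples, not the util-linux files discussed above.

```python
"""Added example, not code from the thread or from Debian's tooling: check a
local rebuild against the Checksums-Sha256 field of a .buildinfo file. The
.buildinfo text and artifact contents are constructed samples."""
import hashlib

# Constructed "original" build outputs, i.e. what the buildd produced.
ORIGINAL = {
    "example_1.0-1_amd64.deb": b"constructed binary package contents\n",
    "example-doc_1.0-1_all.deb": b"constructed docs, built 2024-03-30\n",
}

# Constructed rebuild: the first artifact matches, the second differs only in
# an embedded date (same size), the classic unreproducible-build symptom.
REBUILT = {
    "example_1.0-1_amd64.deb": b"constructed binary package contents\n",
    "example-doc_1.0-1_all.deb": b"constructed docs, built 2024-03-31\n",
}


def _entry(name, data):
    """One continuation line of a Checksums-Sha256 field: ' <sha256> <size> <name>'."""
    return f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}"


# Constructed .buildinfo in the RFC822-style layout the real files use; the
# checksum lines are generated from ORIGINAL so the sample is internally consistent.
SAMPLE_BUILDINFO = "\n".join([
    "Format: 1.0",
    "Source: example",
    "Binary: example example-doc",
    "Architecture: all amd64 source",
    "Version: 1.0-1",
    "Checksums-Sha256:",
    *(_entry(name, data) for name, data in ORIGINAL.items()),
    "Build-Origin: Debian",
    "Build-Architecture: amd64",
    "",
])


def parse_checksums(buildinfo_text, field="Checksums-Sha256"):
    """Return {filename: (hex digest, size)} from one Checksums-* field.

    Continuation lines of a field start with whitespace; the first line that
    does not ends the field. For a signed .buildinfo, verify the signature
    with gpg first and parse only the payload it covers.
    """
    expected = {}
    in_field = False
    for line in buildinfo_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if not in_field:
            continue
        if not line[:1].isspace():
            break  # next field begins
        digest, size, name = line.split()
        expected[name] = (digest.lower(), int(size))
    return expected


def verify_rebuild(buildinfo_text, artifacts):
    """Classify every artifact listed in the .buildinfo against the rebuilt bytes."""
    report = {}
    for name, (digest, size) in parse_checksums(buildinfo_text).items():
        data = artifacts.get(name)
        if data is None:
            report[name] = "missing"
        elif len(data) != size:
            report[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            report[name] = "checksum-mismatch"
        else:
            report[name] = "identical"
    return report


if __name__ == "__main__":
    for name, status in verify_rebuild(SAMPLE_BUILDINFO, REBUILT).items():
        print(f"{status:18} {name}")
```

The size check comes before the hash on purpose: a size mismatch points at a different kind of problem (different build-depends, missing files) than a same-size checksum mismatch, which usually means an embedded timestamp, path or ordering difference that diffoscope will pinpoint.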


Irregular status update about reproducible live-build ISO images

2024-03-31 Thread Roland Clobus

Hello lists,

here is the 24th update of the status for reproducible live-build ISO 
images [1].


Single line summary: 79.5% reproducible live images (yup, lower than 
last time; see below for the calculation)


Reproducible status:
* All major desktops build reproducibly with bullseye, bookworm, trixie ...
** ... provided they are built for a second time within the same DAK run 
(i.e. 6 hours)
* All major desktops built reproducibly for the official Debian live 
images for bookworm (12.5.0) at any later moment ...
** ... except for KDE, which has only 1 issue left in 12.5.0 (fix is 
prepared for 12.6.0 [2])

* For sid the images cannot be generated, ...
** ... occasionally debootstrap breaks (due to the 64-bit time_t transition)
** ... currently the installer FTBFS (due to the 64-bit time_t transition)
** ... currently the installer FTBFS (due to a version mismatch of 
grub-efi-amd64-signed and grub-common)
** ... but the smallest image can be generated, however only with 
shim-support for secure UEFI boot


Functionality status:
* On sid the smallest image only has the shim boot, so you'll need to 
enroll the hash for the grubx64.efi file yourself (see openQA for the 
steps [3])
* Calamares got (temporarily) removed from trixie during the 64-bit 
time_t transition [4]


My activities in March:
* Visit to the MiniDebCamp in Hamburg [5]
** Worked with ema on arm64 native and cross-builds (MR pending)
** Worked with elbrus on stabilising a flaky test [6]
** Worked with fil on openQA tests
* Prepared a small documentation update for the live-manual [7]
* Bug report on diffoscope [8]
* Added support for shim without signed grub [9]

Work to be done:
* Currently in progress: disable apt updates when persistence is not 
used (saves bandwidth and stabilises tests)

* Currently in progress: finalise arm64 support (native and cross-build)
* Currently in progress: firmware support in live-build (it looks like 
/usr-merge affects the location of the firmware files)

* See the TODO page [10]

With kind regards,
Roland Clobus

[1] https://wiki.debian.org/ReproducibleInstalls/LiveImages
[2] https://salsa.debian.org/live-team/live-build/-/merge_requests/339
[3] https://openqa.debian.net/tests/246742#step/bootwalk_0/2
Breadcrumb: Debian Live | *_sid_smallest_build | 
walk-boot-options@uefi-secure | bootwalk_0

[4] https://bugs.debian.org/1061330
[5] https://wiki.debian.org/DebianEvents/de/2024/MiniDebCampHamburg
[6] 
https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/e9cae80b3792ff97bf79d01c506a06ab7497eab3

[7] https://salsa.debian.org/live-team/live-manual/-/merge_requests/36
[8] https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/367 
and https://bugs.debian.org/1065498

[9] https://salsa.debian.org/live-team/live-build/-/merge_requests/344
[10] https://wiki.debian.org/DebianLive/TODO

79.5%: based on 4 versions x 9 variants + 8 variants; 8 FTBFS, 1 
non-reproducible

