
Free software activities in December 2016

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced ― either maliciously or accidentally ― during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
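The consensus idea above can be sketched as a comparison of the SHA-256 checksums that independent rebuilders record in .buildinfo files. This is an added example, not code from the original post or from the Reproducible Builds project; the builder names, package names and file contents are constructed, and the parser handles only a simplified subset of the format.

```python
import hashlib
from collections import Counter, defaultdict

def parse_checksums(buildinfo: str) -> dict:
    """Return {filename: sha256} from the Checksums-Sha256 field."""
    sums, in_field = {}, False
    for line in buildinfo.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t") and line.strip():
            digest, _size, name = line.split()
            sums[name] = digest.lower()
        else:
            in_field = False  # any other field ends the checksum block
    return sums

def consensus(attestations: dict, quorum: int = 2) -> dict:
    """Map each artifact to (status, majority_digest, dissenting_builders)."""
    votes = defaultdict(dict)
    for builder, text in attestations.items():
        for name, digest in parse_checksums(text).items():
            votes[name][builder] = digest
    report = {}
    for name, by_builder in votes.items():
        top, count = Counter(by_builder.values()).most_common(1)[0]
        dissent = sorted(b for b, d in by_builder.items() if d != top)
        if dissent:
            status = "mismatch"      # at least one builder got different bytes
        elif count < quorum:
            status = "unverified"    # too few independent rebuilds to conclude
        else:
            status = "reproducible"
        report[name] = (status, top, dissent)
    return report

def sample_buildinfo(deb_bytes: bytes) -> str:
    """Constructed .buildinfo text; digests are of made-up byte strings."""
    sha = lambda data: hashlib.sha256(data).hexdigest()
    return ("Format: 0.2\nSource: hello\nVersion: 1.0-1\nChecksums-Sha256:\n"
            f" {sha(deb_bytes)} 1234 hello_1.0-1_amd64.deb\n"
            f" {sha(b'docs')} 567 hello-doc_1.0-1_all.deb\n"
            "Build-Architecture: amd64\n")

# Hypothetical builders: two agree, the third produced a different binary.
SAMPLE = {"builder-a": sample_buildinfo(b"clean build"),
          "builder-b": sample_buildinfo(b"clean build"),
          "builder-c": sample_buildinfo(b"clean build + extra bytes")}

if __name__ == "__main__":
    for artifact, result in sorted(consensus(SAMPLE).items()):
        print(artifact, *result)
```

A mismatch only says that the builds differ; finding out why is the job of a content-aware diff such as diffoscope.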

This month:

- The 2nd Reproducible Builds World Summit was held in Berlin. The event was a great success with enthusiastic participation from an extremely diverse group of projects. Many thanks to our sponsors for making this event possible.
- I wrote a patch for dak to preserve .buildinfo files on the local ftp-master filesystem. This is a temporary measure to prevent "historical" data loss; the files were previously being silently discarded.
- My talk proposal for linux.conf.au was accepted.
- I submitted the following patches to fix reproducibility-related toolchain issues within Debian:
  - apt: Please make the "moo" reproducible
  - python-setuptools: Please make the generated install_files.txt reproducible
- I submitted 7 patches to fix specific reproducibility issues in hoichess, jupyter-notebook, libcorelinux, minicoredumper, nethogs, node-gulp & tinyeartrainer.
- Made a number of updates to the reproducible-builds.org website including editing the language of our definition, updating the "Tools" section and adding previous talks of mine to the relevant section, as well as many aesthetic changes to accommodate mobile browsers, etc.
- Worked on publishing our weekly reports. (#84, #85, #86 & #87)

I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

Optimisations:
- Avoid unnecessary string manipulation writing --text output (~20x speedup).
- Avoid n iterations over archive files (~8x speedup).
- Don't analyse .debs twice when comparing .changes files (2x speedup).
- Avoid shelling out to colordiff by implementing color support directly.
- Memoize calls to distutils.spawn.find_executable to avoid excessive stat(1) syscalls.

Progress bar:
- Show current file / ELF section under analysis etc. in progress bar.
- Move the --status-fd output to use JSON and to include the current filename.

Code tidying:
- Split out the try.diffoscope.org client so that it can be released separately on PyPI.
- Completely rework the diffoscope and diffoscope.comparators modules, grouping similar utilities into their own modules, etc.

Miscellaneous:
- Update dex_expected_diffs test to ensure compatibility with enjarify ≥ 1.0.3.
- Ensure that running from Git will always use that checkout's Python modules.
- Add a simple profiling framework.

strip-nondeterminism

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.

- Makefile.PL: Change NAME argument to a Perl package name.
- Ensure our binaries are available in autopkgtest tests.

try.diffoscope.org

trydiffoscope is a web-based version of the diffoscope in-depth and content-aware diff utility. Continued thanks to Bytemark for sponsoring the hardware.

- Show progress bar and position in queue, etc. (#25 & #26)
- Promote command-line client with PyPI instructions.
- Increase comparison time limit to 90 seconds.

buildinfo.debian.net

buildinfo.debian.net is my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them.

Added support for version 0.2 .buildinfo files. (
