A number of formats, including #EPUB, #ODT, #docx, and #PDF (via #TeXLaTeX, #Typst, ...) include the document's build time. This can be an issue for reproducible builds. Set the SOURCE_DATE_EPOCH environment variable to an integer value¹ to use a fixed time instead.
SOURCE_DATE_EPOCH=682984800 pandoc …
¹ Seconds in the Unix epoch. Get the current epoch time with date +%s.
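The pattern described above (use SOURCE_DATE_EPOCH when it is set, otherwise fall back to the wall clock), as an added example that is not pandoc's code nor that of any of the listed formats: the "build" is a constructed mock that embeds a PDF-style /CreationDate trailer, `clock` is an injected stand-in for the system clock so that the effect of an unpinned timestamp can be shown deterministically, and the reproducibility check compares SHA-256 digests of two builds. The rejection of non-integer values and the use of UTC follow the SOURCE_DATE_EPOCH specification.

```python
"""Added example: how a build tool honors SOURCE_DATE_EPOCH.

Illustrative code only; not pandoc's, LaTeX's or Typst's implementation.
The document format is a constructed mock that embeds a creation date.
"""
import hashlib
import os
import time
from datetime import datetime, timezone


def resolve_build_time(env=None, clock=time.time):
    """Return the build timestamp (seconds since the Unix epoch) to embed.

    If SOURCE_DATE_EPOCH is set it must be a non-negative integer and is
    used verbatim; a malformed value is a hard error rather than a silent
    fallback to the clock, so a typo cannot quietly make a build
    unreproducible. If it is unset, fall back to the injected clock
    (the real system clock by default).
    """
    if env is None:
        env = os.environ
    raw = env.get("SOURCE_DATE_EPOCH")
    if raw is None:
        return int(clock())
    if not (raw.isascii() and raw.isdigit()):  # rejects "", signs, floats
        raise ValueError(
            f"SOURCE_DATE_EPOCH must be a non-negative integer, got {raw!r}")
    return int(raw)


def pdf_date(epoch):
    """Format an epoch as a PDF date string, e.g. D:19910823220000Z.

    Always UTC: formatting in the builder's local zone is a classic way to
    get two different outputs from the same SOURCE_DATE_EPOCH.
    """
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(
        "D:%Y%m%d%H%M%SZ")


def build_document(body, env=None, clock=time.time):
    """Mock build: the body plus a creation-date trailer (constructed format)."""
    stamp = pdf_date(resolve_build_time(env, clock))
    return body.encode() + f"\n/CreationDate ({stamp})\n".encode()


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def is_reproducible(body, env, clock_a, clock_b):
    """Build twice under two different clocks and compare digests.

    With SOURCE_DATE_EPOCH pinned the clocks are ignored and the digests
    match; without it, the embedded timestamp makes the outputs differ.
    """
    return (digest(build_document(body, env, clock_a))
            == digest(build_document(body, env, clock_b)))


if __name__ == "__main__":
    later = lambda: 682984800 + 3600  # constructed "second build, an hour later"
    now = lambda: 682984800
    pinned = {"SOURCE_DATE_EPOCH": "682984800"}
    print(build_document("hello", pinned).decode())
    print("pinned build reproducible:  ", is_reproducible("hello", pinned, now, later))
    print("unpinned build reproducible:", is_reproducible("hello", {}, now, later))
```

Running the script prints the mock document with `/CreationDate (D:19910823220000Z)`, then `True` for the pinned build and `False` for the unpinned one. The same two-build-and-compare check, with a real tool in place of the mock, is how a rebuild is verified in practice.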
I am also pleased to say the official build servers for Debian produced a bit-for-bit identical .deb as my local build on bookworm amd64. Yay #ReproducibleBuilds yay!
This morning, my "[PATCH v3 0/4] Reproducible `make dist' tarball: Avoid override stamp-N warnings." was included in #Guix master. The title is somewhat misleading, but the gist is that we now have reproducible source tarballs. Hopefully the discussion on minimal/pure source tarballs continues.
Great work providing reproducible tarballs (similar to what @janneke did for Guix), source-only tarballs, and setting up continuous integration to detect non-reproducibility across a variety of Linux distros. 👍
I think “make dist”-generated tarballs are just one part of the xz debacle (and not the most frightening part), but at least we can do something about them: when they’re the byproduct of a build process, we can build them from source (like Debian does); when they add something that’s not in the VCS (such as .po files), we can at least ensure a reproducible build process as Simon advocates here.
That sounds like a rather trivial effort, but #GNU standards mandate inclusion of pre-built documentation...and there seems to be a "let's add a timestamp" fetishism that has spread like a virus.
There are several tools to change the timestamp of a PDF; and there is a specification (v1.7 I believe) that mandates the new timestamp to be appended. Which all of these tools now do.
So, Philipp Kern dropped by asking if we could do some #ReproducibleBuilds verifications of recent Debian Security updates, given, well the whole #xz mess... and that our build infrastructure may have run compromised code at some point...
So I did a quick pass at a handful of updates and everything verified ok so far, though I skipped some of the probably more juicy targets such as chromium and firefox:
There was a bunch of activity around Reproducible Builds at #FOSDEM! A 🧵...
On the main stage, core #ReproducibleBuilds dev Holger 'h01ger' Levsen presented a talk titled "Reproducible Builds: The First Ten Years", giving an overview: how it started with a small BoF at DebConf13 (and before), then grew from being a Debian effort to something many projects work on together, until in 2021 it was mentioned in an Executive Order of the President of the United States.
I set up some shiny new virtual machines mostly for #ReproducibleBuilds on a #HoneyCombLX2 packed with 64GB of ram and 16 cores of modest ARM compute power...
only to be stumped on the networking.
The virtual machines were set up to use macvtap via virt-manager in the same way as several other machines... no network.
Today I tried using a USB ethernet adapter. Worked like a charm!
I'm someone who used to be a huge video art junkie, regularly scheduling viewing sessions at Electronic Arts Intermix where I'd spend hours working through their extensive catalogue (massive shame it's not online), but I've never been a cinephile, having a handful of directors I absolutely love (Farocki, Godard, Pasolini, Vertov, Suleiman, Lynch and some others), with computer animated films being something I never got into, despite working in (mostly live/realtime/for events) 3D professionally since I was 20. But I've started subscribing to #BlenderStudio and have really enjoyed digging into their "open movies", which at the level of craft are truly impressive, and it's a fun way to support #Blender development, which I am more than happy to do -- Blender has become simply the most powerful design tool on the planet, and the first production #VFX non-linear editor that I've ever actually enjoyed using, and it improves rapidly as well as gracefully.
That being said, I think there is a massive missed opportunity with the Blender open movies, because AFAIK the studio internally collaborates over #SVN to version their films, yet there are no advertised links to download the repositories. I imagine they are massive, but I would still love to spend a weekend working through the history of #SpriteFight. It's also somewhere #reproduciblebuilds should prove to be indispensable.
Not just archaeologists actually: it’s something you need to rebuild packages that include “time traps” (fail to build after some time). It’s relatively rare, but when you need them, you’d rather have a simple way to work around the problem.
@macmittens@sterophonick OFC it is a quality-of-life improvement to have the option to grab a binary instead of having to compile it yourself, and especially on #i486-SX and early #amd64 machines I can see having an install take minutes or hours instead of days or a week as an undisputed bonus.
I do kinda follow the same with OS/1337 in that I want things to be provided as binaries ready to go but also make #reproducibleBuilds the norm and thus allow full verifiability of everything!
Very glad to receive #IEEESoftware best paper award (for year 2022) for "Reproducible Builds: Increasing the Integrity of Software Supply Chains" with C. Lamb https://ieeexplore.ieee.org/document/9403390 (#OpenAccess preprint also available). I hope it will help to spread the word even more about the importance of #ReproducibleBuilds among both researchers and practitioners.
PHPUnit 8.5.35, PHPUnit 9.6.14, and PHPUnit 10.5.0 are the first versions of PHPUnit where composer.lock is under version control and part of the (signed, of course) release tag.
The PHAR binary of PHPUnit now has a --composer-lock CLI option that prints the composer.lock that was used to build the PHAR.
Making the build of PHPUnit's PHAR reproducible is another step towards a more secure #PHP #SoftwareSupplyChain.
🔣 The Full-Source Bootstrap: Building from source all the way down | GNU Guix
"Software is bootstrappable when it does not depend on a binary seed that cannot be built from source. Software that is not bootstrappable---even if it is free software---is a serious security risk (supply chain security) for a variety of reasons. The Bootstrappable Builds project aims to reduce the number and size of binary seeds to a bare minimum."
@janneke You may appreciate a breakdown of Ken Thompson's in/famous compiler backdoor, which he alluded to in his famous lecture, Reflections On Trusting Trust: https://research.swtch.com/nih
@indieterminacy Yes, that was an interesting read.
Also, quite encouraging that #ReproducibleBuilds is finally gaining some influence, and similarly discouraging that #Bootstrappablebuilds and the full-source Bootstrap isn't widely known about.