Simon Josefsson: Towards Idempotent Rebuilds?

After rebuilding all added/modified packages in Trisquel, I have been circling around the elephant in the room: 99% of the binary packages in Trisquel come from Ubuntu, which to a large extent are built from Debian source packages. Is it possible to rebuild the official binary packages identically? Does anyone make an effort to do so? Does anyone care about going through the differences between the official package and a rebuilt version?

Reproducible-builds.org's effort to track reproducibility bugs in Debian (and other systems) is amazing. However, as far as I know, they do not confirm or deny that their rebuilds match the official packages. In fact, typically their rebuilds do not match the official packages, even when they say the package is reproducible, which had me surprised at first. To understand why that happens, compare the buildinfo file for the official coreutils 9.1-1 from Debian bookworm with the buildinfo file for reproducible-builds.org's build and you will see that the SHA256 checksum does not match, but still they declare it as a reproducible package. As far as I can tell, the purpose of their rebuilds is not to say anything about the official binary build; instead the purpose is to offer a QA service to maintainers by performing two builds of a package and declaring success if both builds match.

I have felt that something is lacking, and months have passed and I haven't found any project that addresses the problem I am interested in. During my earlier work I created a project called debdistreproduce which performs rebuilds of the difference between two distributions in a GitLab pipeline, and displays diffoscope output for further analysis. A couple of days ago I had the idea of rewriting it to perform rebuilds of a single distribution. A new project debdistrebuild was born and today I'm happy to bless it as version 1.0 and to announce the project! Debdistrebuild has rebuilt the top-50 popcon packages from Debian bullseye, bookworm and trixie, on amd64 and arm64, as well as Ubuntu jammy and noble on amd64, see the summary status page for links. This is intended as a proof of concept, to allow people to experiment with the concept of doing GitLab-based package rebuilds and analysis. Compare how Guix has the guix challenge command.

Or I should say debdistrebuild has attempted to rebuild those distributions. The number of identically built packages is fairly low, so I didn't want to waste resources building the rest of the archive until I understand if the differences are due to consequences of my build environment (plain apt-get build-dep followed by dpkg-buildpackage in a fresh container), or due to some real difference. Summarizing the results, debdistrebuild is able to rebuild 34% of Debian bullseye on amd64, 36% of bookworm on amd64, 32% of bookworm on arm64. The results for trixie and Ubuntu are disappointing, below 10%.

So what causes my rebuilds to be different from the official rebuilds? Some are trivial, like the classical problem of varying build paths, resulting in a different NT_GNU_BUILD_ID causing a mismatch. Some are a bit strange, like a subtle difference in one of perl's header files. Some are due to embedded version numbers from a build dependency. Several of the build logs and diffoscope outputs don't make sense, likely due to bugs in my build scripts, especially for Ubuntu which appears to strip translations and do other build variations that I don't do. In general, the classes of reproducibility problems are the expected ones. Some are assembler differences for GnuPG's gpgv-static, likely triggered by upload of a new version of gcc after the original package was built. There are at least two ways to resolve that problem: either use the same version of build dependencies that were used to produce the original build, or demand that all packages that are affected by a change in another package are rebuilt centrally until there are no more differences.

The current design of debdistrebuild uses the latest version of a build dependency that is available in the distribution. We call this an “idempotent rebuild”. This is usually not how the binary packages were built originally; they are often built against earlier versions of their build dependencies. That is the situation for most binary distributions.

Instead of using the latest build dependency version, higher reproducibility may be achieved by rebuilding using the same version of the build dependencies that were used during the original build. This requires parsing buildinfo files to find the right version of the build dependency to install. We believe doing so will lead to a higher number of reproducibly built packages. However it begs the question: can we rebuild that earlier version of the build dependency? This circles back to really old versions and bootstrappable builds eventually.

While rebuilding old versions would be interesting on its own, we believe that is less helpful for trusting the latest version and improving a binary distribution: it is challenging to publish a new version of some old package that would fix a reproducibility bug in another package when used as a build dependency, and then rebuild the later packages with the modified earlier version. Those earlier packages were already published, and are part of history. It may be that ultimately it will no longer be possible to rebuild some package, because proper source code is missing (for packages using build dependencies that were never part of a release); hardware to build a package could be missing; or that the source code is no longer publicly distributable.

I argue that getting to 100% idempotent rebuilds is an interesting goal on its own, and to reach it we need to start measuring idempotent rebuild status.

One could conceivably imagine a way to rebuild modified versions of earlier packages, and then rebuild later packages using the modified earlier packages as build dependencies, for the purpose of achieving a higher level of reproducible rebuilds of the last version, and to reach for bootstrappability. However, it may still be that this is insufficient to achieve idempotent rebuilds of the last versions. Idempotent rebuilds are different from a reproducible build (where we try to reproduce the build using the same inputs), and also from bootstrappable builds (in which all binaries are ultimately built from source code). Consider a cycle where package X influences the content of package Y, which in turn influences the content of package X. These cycles may involve several packages, and it is conceivable that a cycle could be circular and infinite. It may be difficult to identify these chains, and even more difficult to break them up, but this effort helps identify where to start looking for them. Rebuilding packages using the same build dependency versions as were used during the original build, or rebuilding packages using a bootstrappable build process, both seem orthogonal to the idempotent rebuild problem.

Our notion of rebuildability appears thus to be complementary to reproducible-builds.org’s definition and bootstrappable.org’s definition. Each to their own devices, and Happy Hacking!
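
The buildinfo comparison the post describes (checking the official build's SHA256 checksums against a rebuild's, and reading the recorded build dependency versions) can be sketched as follows. This is an added example, not code from debdistrebuild or from the post's author; the package names, versions and hashes in the sample files are constructed, while Checksums-Sha256 and Installed-Build-Depends are the field names used by Debian .buildinfo files.

```python
import re

def _sample(sha_char, toolchain_ver):
    # Constructed .buildinfo text: package names, versions and hashes are made up.
    return (
        "Format: 1.0\nSource: example\nVersion: 1.0-1\n"
        "Checksums-Sha256:\n"
        f" {sha_char * 64} 1024 example_1.0-1_amd64.deb\n"
        f" {'c' * 64} 2048 example-doc_1.0-1_all.deb\n"
        "Installed-Build-Depends:\n"
        " libfoo-dev (= 2.3-1),\n"
        f" toolchain-x (= {toolchain_ver})\n"
    )

OFFICIAL = _sample("a", "12.2-1")  # stands in for the archive's buildinfo
REBUILD = _sample("b", "12.2-3")   # stands in for a rebuild against newer deps

def parse_buildinfo(text):
    """Parse deb822-style text into {field: [value lines]}."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE"):
            break  # ignore the signature trailer of a clearsigned file
        if line[:1] in (" ", "\t") and key:
            fields[key].append(line.strip())  # continuation line
        elif ":" in line and not line.startswith("-----"):
            key, _, first = line.partition(":")
            fields[key] = [first.strip()] if first.strip() else []
    return fields

def checksums(fields):
    """Map artifact file name -> SHA256 from the Checksums-Sha256 field."""
    out = {}
    for entry in fields.get("Checksums-Sha256", []):
        sha, _size, name = entry.split()
        out[name] = sha
    return out

DEP_RE = re.compile(r"^(\S+) \(= ([^)]+)\)")

def build_deps(fields):
    """Map package -> exact version from Installed-Build-Depends."""
    matches = (DEP_RE.match(e) for e in fields.get("Installed-Build-Depends", []))
    return {m.group(1): m.group(2) for m in matches if m}

def compare(official_text, rebuild_text):
    """Report artifacts whose hash differs and build deps whose version drifted."""
    off, reb = parse_buildinfo(official_text), parse_buildinfo(rebuild_text)
    off_sums, reb_sums = checksums(off), checksums(reb)
    mismatched = sorted(n for n in off_sums if reb_sums.get(n) != off_sums[n])
    off_deps, reb_deps = build_deps(off), build_deps(reb)
    drift = {p: (v, reb_deps.get(p)) for p, v in off_deps.items()
             if reb_deps.get(p) != v}
    return {"mismatched": mismatched, "dep_drift": drift}
```

A non-empty `dep_drift` alongside a mismatched artifact points at build dependency versions as a candidate cause; an empty one means the difference has to be looked for elsewhere, for example in build paths.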

Google extends Linux kernel support to keep Android devices secure for longer

Android, like many other operating systems, uses the open-source Linux kernel. There are several different types of Linux kernel releases, but the type that’s most important to Android is the long-term support (LTS) one, as they’re updated regularly with important bug fixes and security patches. Starting in 2017, the support lifetime of LTS releases of Linux was extended from two years to six years, but early last year, this extension was reversed. Fortunately, Google has announced that moving forward, they’ll support their own LTS kernel releases for four years. Here’s why that’s important for the security of Android devices.

↫ Mishaal Rahman at Android Authority

I fully support the Linux kernel maintainers dropping the LTS window from six to two years. The only places where such old kernels were being used were embedded devices and things like smartphones vendors refused to update to newer Android releases, and it makes no sense for kernel maintainers to be worrying about that sort of stuff. If an OEM wants to keep using such outdated kernels, the burden should be on that OEM to support that kernel, or to update affected devices to a newer, supported kernel.

It seems Google, probably wisely, realised that most OEMs weren’t going to properly upgrade their devices and the kernels that run on them, and as such, the search giant decided to simply create their own LTS releases instead, which will be supported for four years. Google already maintains various Android-specific Linux kernel branches anyway, so it fits right into their existing development model for the Android Linux kernel. Some of the more popular OEMs, like Google itself or Samsung, have promised longer support life cycles for new Android versions on their devices, so even with this new Android-specific LTS policy, there’s still going to be cases where an OEM will have to perform a kernel upgrade where they didn’t have to before with the six year LTS policy.
I wonder if this is going to impact any support promises made in recent years.

Relaxing Music Nature Beauty ❤️ Beautiful Nature

Immerse yourself in the breathtaking beauty of nature with this captivating video. From majestic mountains and serene lakes to lush forests and vibrant sunsets, experience the wonder and tranquility of the natural world. Perfect for nature lovers and those seeking relaxation, this video showcases some of the most stunning landscapes on Earth. Enjoy a visual escape and let the beauty of nature soothe your soul.

66-HD.Shrouding The Heaven – Subtitle (Zhe Tian)(遮天) PREVIEW

At the edge of the dark and frozen universe, nine giant dragon corpses were bound in ancient bronze coffins. It seemed they had been there since the birth of the universe. This amazing view was captured by a spacecraft hovering in outer space.
The nine dragons and the mysterious bronze coffin made people wonder whether they went back to ancient times or had just reached another shore in the universe. A giant mythical world opens up, where immortality gradually emerges and paranormal events continue to occur.
Many people began to find their own traces (Dao) in these mythical realms. Their passion was like the turbulent and unrelenting waves of the sea. The heat in their blood was like an erupting volcano. Their desire for power and immortality drags them into the abyss without realizing it.

Understanding Civil 3D Files, Part-10


Talking Drupal: Talking Drupal #458 – Drupal & Next.js

Today we are talking about Next.js, what it is, and how to integrate it with Drupal with guest John Albin Wilkins. We’ll also cover Next.js Webform as our module of the week.

For show notes visit: www.talkingDrupal.com/458

Topics

  • What is Next.js
  • What kind of server do you need
  • How is it used on the web
  • Does it only work on react based systems
  • Why would someone want to integrate with Drupal
  • When changes are made in the content how do you update the app
  • On the module page there are a lot of references to Preview, is this something Next does well
  • What is server side rendering
  • How does Next work with menus and views
  • Any preference on the api for json api vs graphql
  • Performance
  • Editorial experience
  • Responsive images
  • Will Drupal ever ship with a headless front end
  • Winner of the TPOTM

Resources

Guests

John Albin Wilkins – john.albin.net JohnAlbin

Hosts

Nic Laflin – nLighteneddevelopment.com nicxvan

John Picozzi – epam.com johnpicozzi

Baddý Sonja Breidert – 1xINTERNET baddysonja

MOTW Correspondent

Martin Anderson-Clutz – mandclu.com mandclu

  • Brief description:
    • Have you ever wanted to build a webform in Drupal and have the corresponding Next.js template automatically created for you? There’s a Next.js library for that.
  • Module name/project name:
  • Brief history
    • How old: created in Aug 2022 by Lauri Timmanee (lauriii), who listeners may know as the Drupal Core Product Manager, and one of the people leading the Starshot initiative
    • Versions available: 1.1.1
  • Maintainership
    • Test coverage
    • Documentation – Lengthy README and a tutorial on the Acquia Dev Portal
    • Number of open issues: 17 open issues, 3 of which are bugs
  • Usage stats:
    • 2,246 weekly downloads according to npmjs.com
  • Module features and usage
    • Using this library does require some setup on the Drupal side, including installing the Webform and Webform REST modules. There’s also an extra patch to install if you want to use any autocomplete fields, and some configuration needed for both the REST resources that will be used to exchange data, and the permissions for the account that will be used to retrieve and submit data
    • Out of the box, the library supports over 40 webform components, but you can also provide custom elements if you need something additional. The library also supports conditional logic, so fields can show or hide in the Next.js front end based on conditions defined in your Drupal backend
    • The library also provides front-end validation for email confirmation, date list, and datetime fields, but back end validation is also processed for every submission
    • There is a crowded field of headless CMS competitors, but I thought this library is a good example of the extra power and flexibility you get by using a robust, open source CMS like Drupal as the back end in your headless architecture

Ruby 3.3.4 Released

Ruby 3.3.4 has been released.

This release fixes a regression in Ruby 3.3.3 where dependencies were missing from the gemspec
of some bundled gems: net-pop, net-ftp, net-imap, and prime
[Bug #20581].
The fix allows Bundler to successfully install those gems on platforms like Heroku.
If your bundle install runs correctly now, you may not have this issue.

Other changes are mostly minor bug fixes.
Please see the GitHub releases for further details.

Release Schedule

Going forward, we intend to release the latest stable Ruby version (currently Ruby 3.3) every 2 months after a .1 release.
For Ruby 3.3, 3.3.5 is supposed to be released on Sep 3rd, 3.3.6 on Nov 5th, and 3.3.7 on Jan 7th.

If there’s any change that affects a considerable amount of people, e.g. Ruby 3.3.3 users on Heroku for this release,
we may release a new version earlier than expected.

Download

  • https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.4.tar.gz

    SIZE: 22110179
    SHA1: 408362dfb0413122e09d35bafdcced8922b54e71
    SHA256: fe6a30f97d54e029768f2ddf4923699c416cdbc3a6e96db3e2d5716c7db96a34
    SHA512: 56a0b88954a4efd0236626e49cc90cdb15d9bfd42b27d7fc34efae61f500058e58cb32c73fdef5f1505a36602f4632d6148bf3bd1df539cb5581ae157c78c22b
    
  • https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.4.tar.xz

    SIZE: 16366580
    SHA1: 4fac2e1609535f71cbdbf9ab9dcea6f6e80a304a
    SHA256: 1caaee9a5a6befef54bab67da68ace8d985e4fb59cd17ce23c28d9ab04f4ddad
    SHA512: b26461a13ff82a08a282f10108028bb2a2e4a28da6182a291062fc54089c6655d79c22cc69d59156f9b11cb10a17fe8c69d489343fbae123a45f03361b95c9eb
    
  • https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.4.zip

    SIZE: 26995054
    SHA1: dcd35f8d428e61807b5c95b6e2e79444fb32f214
    SHA256: 3cf0ee03dd4c98e78e8ab5e191af926870415770ef4995088ed069caef639b2a
    SHA512: c24ca2e6b1114f9c489c049c07acccb0db0916c42c68ea90eaa9acc430973de68342df19710c58130fe264a291958c89e60815c5b00f91decf5a4d1d674a0b32
    

Release Comment

Many committers, developers, and users who provided bug reports helped us make this release.
Thanks for their contributions.

Posted by k0kubun on 9 Jul 2024