Here's what happened in the Reproducible Builds effort between Sunday December 3 and Saturday December 9 2017:

Documentation update

There was more discussion on different logos being proposed for the project.

Reproducible work in other projects

Cyril Brulebois wrote about Tails' work on reproducibility

Gabriel Scherer submitted a pull request to the OCaml compiler to honour the BUILD_PATH_PREFIX_MAP environment variable.

Packages reviewed and fixed

Patches filed upstream:

  • Bernhard M. Wiedemann:
  • Eli Schwartz:
  • Foxboron
    • gopass: - use SOURCE_DATE_EPOCH in Makefile
  • Jelle
    • PHP: - use SOURCE_DATE_EPOCH for Build Date
  • Chris Lamb:
    • pylint - file ordering, nondeterminstic data structure
    • tlsh - clarify error message (via diffoscope development)
  • Alexander "lynxis" Couzens:

Patches filed in Debian:

Patches filed in OpenSUSE:

  • Bernhard M. Wiedemann:
    • build-compare (merged) - handle .egg as .zip
    • neovim (merged) - hostname, username
    • perl (merged) - date, hostname, username
    • sendmail - date, hostname, username

Patches filed in OpenWRT:

  • Alexander "lynxis" Couzens:

Reviews of unreproducible packages

17 package reviews have been added, 31 have been updated and 43 have been removed in this week, adding to our knowledge about identified issues.

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (13)
  • Andreas Beckmann (2)
  • Emilio Pozuelo Monfort (3)

reprotest development

  • Santiago Torres:
    • Use uname -m instead of arch.

trydiffoscope development

Version 66 was uploaded to unstable by Chris Lamb. It included contributions already covered by posts of the previous weeks as well as new ones from:

  • Chris Lamb:
    • Parse dpkg-parsechangelog instead of hard-coding version
    • Bump Standards-Version to 4.1.2
    • flake8 formatting

reproducible-website development

tests.reproducible-builds.org

reproducible Arch Linux:

reproducible F-Droid:

Misc.

This week's edition was written by Ximin Luo, Alexander Couzens, Holger Levsen, Chris Lamb, Bernhard M. Wiedemann and Santiago Torres & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Here's what happened in the Reproducible Builds effort between Sunday, November 26 and Saturday, December 2, 2017:

Media coverage

Arch Linux imap key leakage

A security issue was found in the imap package in Arch Linux thanks to the reproducible builds effort in that distribution.

Due to a hardcoded key-generation routine in the build() step of imap's PKGBUILD (the standard packaging file for Arch Linux packages), a default secret key was generated and leaked on all imap installations. This was prompty reviewed, confirmed and fixed by the package maintainers.

This mirrors similar security issues found in Debian, such as #833885.

Debian packages reviewed and fixed, and bugs filed

In addition, 73 FTBFS bugs were detected and reported by Adrian Bunk.

Reviews of unreproducible Debian packages

83 package reviews have been added, 41 have been updated and 33 have been removed in this week, adding to our knowledge about identified issues.

1 issue type was updated:

LEDE / OpenWrt packages updates:

diffoscope development

reprotest development

Version 0.7.4 was uploaded to unstable by Ximin Luo. It included contributions already covered by posts of the previous weeks as well as new ones from:

reproducible-website development

tests.reproducible-builds.org

Misc.

This week's edition was written by Alexander Couzens, Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Santiago Torres-Arias, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Posted 2017-12-05 14:10:34 UTC Tags: reproducible builds

Here's what happened in the Reproducible Builds effort between Sunday November 19 and Saturday November 25 2017:

Upcoming events

Reproducible Builds will have an assembly at 34c3, the "Galactic Congress". ;-) Currently we are discussing to informally meet there every day at 13:37 UTC.

Reproducible Arch Linux

Since November 23 2017, Arch Linux is again being continuously tested for reproducibility. However, this time a patched pacman is being used which can create reproducible packages. After 4 days of testing, 18% of all packages in the core, extra, multilib and community Arch repos has been tested, with these — very preliminary — results:

  • core: 77.1% reproducible, all 197 packages tested.
  • extra: 75.2% reproducible, 514 packages (of 2250 total) tested.
  • multilib: 82.6% reproducible, all 259 packages tested.
  • community: 76.5% reproducible, 487 packages (of 7739 total) tested.

Jelle van der Waa also wrote a blog post explaining more details detailing how this already had lead to more QA work in Arch.

So all in all, it looks like 77.2% of the tested Arch Linux packages are now reproducible! With an unreleased pacman version and without some variations we apply when testing Debian… still this is a very good start! Kudos to all involved.

Packages reviewed and fixed, and bugs filed

Patches filed upstream:

  • Bernhard M. Wiedemann:
  • Chris Lamb:
    • gpaw - (merged) embedded logging output
    • bitz-server (merged) - build path

Patches filed in Debian:

Patches filed in OpenSUSE:

Reviews of unreproducible packages

97 package reviews have been added, 56 have been updated and 42 have been removed in this week, adding to our knowledge about identified issues.

2 issue types have been added:

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (62)
  • Gilles Filippini (1)
  • Gregor Riepl (1)
  • James Cowgill (1)
  • Laurent Bigonville (1)
  • Matthias Klose (1)
  • Sylvestre Ledru (2)
  • gregor herrmann (1)

reproducible-faketools

  • reproducible-faketools 0.3.10 was released with support for:
    • Reduced randomness (/dev/random and urandom are actually /dev/zero)
    • Disabled ASLR and
    • Building with fixed PIDs.
    • Also the tar wrapper script got a bug fix.

reprotest development

reproducible-website development

tests.reproducible-builds.org

  • anthraxx worked on reproducible Arch Linux (19 commits)
  • Holger Levsen did some work on reproducible Debian:
    • aa9ce22d6 - Update email subject of status change mails to use t.r-b.o/debian - thanks to lamby for #882186
  • Holger mostly worked on reproducible Arch Linux that week (56 commits).
  • Misc tests.r-b.o work by Holger:
    • 0d79ab54a - reproducible Fedora: be explicit that this is stalled atm
    • Holger also reviewed and deployed 25 commits from other people.
    • Finally, Holger moved IRC notifications for jenkins.debian.net from #debian-reproducible to #reproducible-builds (and kept them on #debian-qa as well).
  • Johannes Löthberg worked on Arch Linux as well (2 commits)
  • kpcyrd also worked on Arch Linux (5 commits)

Finally there was discussion to how to generalise the database schema for supporting several projects, triggered by the recent work on reproducible Arch, but also previously discussed in the context of openSUSE, LEDE and FreeBSD.

Misc.

This week's edition was written by Ximin Luo, Bernhard M. Wiedemann, Holger Levsen and Chris Lamb & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Posted 2017-11-29 20:45:52 UTC Tags: reproducible builds

Here's what happened in the Reproducible Builds effort between Sunday November 12 and Saturday November 18 2017:

Past and upcoming events

We plan to hold an assembly at 34C3 - hope to see you there!

On November 17th Chris Lamb presented at the Open Compliance Summit in Yokohama, Japan on how reproducible builds can ensure the long-term sustainability of technology infrastructure.

GSoC and Outreachy updates

We are pleased to announce that Juliana Oliveira R (jwnx) will be mentored by Mattia Rizzolo on Reproducible Builds / diffoscope in this round of Outreachy!

Reproducible work in other projects

Bootstrapping and Diverse Double Compilation

Work on bootstrapping also made progress in MesCC from Jan Nieuwenhuizen. MesCC now compiles a less heavily patched TinyCC into a mes-tcc which passes 41/69 of mescc's C tests.

Qt tests and __FILE__

Our patched GCC that we use for testing Debian unstable has uncovered an interesting issue with certain Qt build-time test suites. The issue is that test suites using QFINDTESTDATA depend on __FILE__ to expand to something that may be reused after compilation as a real filesystem path when starting from the same working directory as the original compilation.

However, this behaviour is not explicitly guaranteed by formal documentation about __FILE__, and thus when it is rewritten to be build-path-independent (by a combination of our patched dpkg and GCC), the Qt tests break because their usage is no longer expanded to a real path as they expected.

Several very short patches were suggested to resolve this issue, including a one-liner that allows our patched GCC to specifically rewrite __FILE__ in Qt test code to a real path which takes advantage of the ability to specify multiple mappings using BUILD_PATH_PREFIX_MAP.

Separately, work is under way to address the other unrelated concerns raised about the patch by GCC upstream back in August.

Packages reviewed and fixed, and bugs filed

Reviews of unreproducible packages

35 package reviews have been added, 56 have been updated and 31 have been removed in this week, adding to our knowledge about identified issues.

1 issue type has been updated:

tests.reproducible-builds.org

  • Ed Maste (FreeBSD support):

    • Give ntpd a moment to write its PID file.
    • Start with the correct time.
  • kpcyrd (Archlinux support):

    • Pass SOURCE_DATE_EPOCH from jenkins_node_wrapper.sh.
    • Set SOURCE_DATE_EPOCH.
    • Use $ROOTCMD properly.
    • Set pkgext to .pkg.tar.xz.
    • Fix lost packages.
    • Correctly recognize __END__.
    • pacman.conf is owned by root after upgrade.
    • Add repos to pacman.conf.
  • Holger Levsen:

    • Arch Linux:
      • Re-enable the builders.
      • Add a third builder job to use new resources.
    • FreeBSD:
      • Ignore freebsd_master_git?????????.tar.xz when looking for unreproducible artifacts.
      • Document that munin-node was finally configured (and how denyhosts was configured too).
      • Our test VM has been upgraded to 11.1.
      • Document that poudriere was installed, user mattia created and filesystem resized.
    • Debian: Update documentation to reflect that the database is now kept in PostgreSQL.
    • Redistribute 13 cores and 24GB RAM from pb17 to pb3 and pb4 (used to build LEDE, Arch & coreboot) and the FreeBSD VM.

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adam Borowski (1)
  • Adrian Bunk (30)
  • Andreas Beckmann (2)
  • Christoph Biedl (1)
  • Helmut Grohne (2)
  • James Cowgill (1)
  • Matthias Klose (4)

reproducible-website development

  • Chris Lamb:
    • Update some broken links and references on the contribute" page (1, 2, 3)
    • Add a missing ")" Thanks to itd for the patch!

Misc.

This week's edition was written by Chris Lamb, Holger Levsen and Ximin Luo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Posted 2017-11-25 14:12:28 UTC Tags: reproducible builds

Here's what happened in the Reproducible Builds effort between Sunday November 5 and Saturday November 11 2017:

Upcoming events

On November 17th Chris Lamb will present at Open Compliance Summit, Yokohama, Japan on how reproducible builds ensures the long-term sustainability of technology infrastructure.

We plan to hold an assembly at 34C3 - hope to see you there!

LEDE CI tests

Thanks to the work of lynxis, Mattia and h01ger, we're now testing all LEDE packages in our setup. This is our first result for the ar71xx target: "502 (100.0%) out of 502 built images and 4932 (94.8%) out of 5200 built packages were reproducible in our test setup." - see below for details how this was achieved.

Bootstrapping and Diverse Double Compilation

As a follow-up of a discussion on bootstrapping compilers we had on the Berlin summit, Bernhard and Ximin worked on a Proof of Concept for Diverse Double Compilation of tinycc (aka tcc).

Ximin Luo did a successful diverse-double compilation of tinycc git HEAD using gcc-7.2.0, clang-4.0.1, icc-18.0.0 and pgcc-17.10-0 (pgcc needs to triple-compile it). More variations are planned for the future, with the eventual aim to reproduce the same binaries cross-distro, and extend it to test GCC itself.

Packages reviewed and fixed, and bugs filed

Patches filed upstream:

  • Bernhard M. Wiedemann:
    • clang - ASLR affects objective-C binaries.
  • Chris Lamb:
    • nbsphinx (merged) - Random UUIDs used as element selectors.
    • stardicter (merged) - SOURCE_DATE_EPOCH support.
    • stetl - Build path in documentation.

Patches filed in Debian:

Patches filed in OpenSUSE:

  • Bernhard M. Wiedemann:
    • i4l-base (merged) - Uninitialized memory written to output.

Reviews of unreproducible packages

73 package reviews have been added, 88 have been updated and 40 have been removed in this week, adding to our knowledge about identified issues.

4 issue types have been updated:

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (69)
  • Andreas Beckmann (3)
  • Dmitry Shachnev (1)
  • Graham Inggs (1)

diffoscope development

Mattia Rizzolo uploaded version 88~bpo9+1 to stretch-backports.

reprotest development

  • Ximin Luo:
    • build: add comment that util-linux confirmed bug in nsenter, awaiting fix.
    • Make --print-sudoers work for --env-build as well.

reproducible-website development

  • Holger Levsen:
    • rws3: add OTF as sponsor
    • rws3: add F-Droid, riot-os.org
  • Chris Lamb:
    • Move the "contribute" page from the Debian wiki to /contribute/ on our main website.
  • Eitan Adler:
    • Fix typo in FreeBSD mailing list.

theunreproduciblepackage development

tests.reproducible-builds.org in detail

  • Mattia Rizzolo:

    • reproducible archlinux: enable debugging mode
    • reproducible archlinux: don't use hidden files for the package lists
    • reproducible fedora: don't use hidden files for the package lists
    • udd-query: move from public-udd-mirror.xvm.mit.edu to udd-mirror.debian.net
    • udd-query: remove the temporary file with a trap in case this script is called with the wrong argument, and in case of failures, etc, the temporary file would be left around otherwise
    • reproducible debian: schroot-create: drop the reproducible gpg keyring into /etc/apt/trusted.gpg.d/ instead of using apt-key add
    • reproducible debian: setup_pbuilder: drop the reproducible gpg keyring into /etc/apt/trusted.gpg.d/ instead of using apt-key add
    • reprodocible debian: setup_pbuilder: stop installing gnupg2 in our chroot, not needed anymore now
    • Mattia also merged and deployed some commits from others this week.
  • Alexander 'lynxis' Couzens

    • reproducible_lede: use correct place/variable to save results: Results on remote nodes are expected to be under $TMPDIR, which defined by openwrt_build. RESULTSDIR is undefined on the remote node
    • reproducible_lede: enable building all packages again, after it was disabled to improve the debug speed.
    • reproducible_lede: correct given path for node_cleanup_tmpdirs & node_save_logs- reproducible_lede: enable CONFIG_BUILDBOT to reduce inodes while building.
  • kpcyrd:

    • reproducible-archlinux: try porting abs to asp
    • reproducible-archlinux: explicitly sync packages
    • reproducible-archlinux: use sudo for pacman
  • Hans-Christoph Steiner:

    • reproducible fdroid: point jenkins to canonical URL
    • reproducible_fdroid: separate testsuite into its own job
    • reproducible fdroid: sync upstream script names with jenkins.debian.net, make things self-documenting by reusing the same names everywhere.
    • reproducible_fdroid_test: make script executable
  • Chris Lamb:

    • Move some IRC announcements to #debian-reproducible-changes.
  • Holger Levsen:

    • reproducible LEDE: try to deal gracefully with problems and report
    • as usual, Holger merged many of the above commits and deployed them.

Misc.

This week's edition was written by Ximin Luo, Bernhard M. Wiedemann, Chris Lamb and Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Here's what happened in the Reproducible Builds effort between Sunday October 29 and Saturday November 4 2017:

Past events

  • From October 31st — November 2nd we held the 3rd Reproducible Builds summit in Berlin, Germany. A full, in-depth report will be posted in the next week or so.

Upcoming events

  • On November 8th Jonathan Bustillos Osornio (jathan) will present at CubaConf Havana.

  • On November 17th Chris Lamb will present at Open Compliance Summit, Yokohama, Japan on how reproducible builds ensures the long-term sustainability of technology infrastructure.

Reproducible work in other projects

Packages reviewed and fixed, and bugs filed

Reviews of unreproducible packages

7 package reviews have been added, 43 have been updated and 47 have been removed in this week, adding to our knowledge about identified issues.

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (44)
  • Andreas Moog (1)
  • Lucas Nussbaum (7)
  • Steve Langasek (1)

Documentation updates

diffoscope development

Version 88 was uploaded to unstable by Mattia Rizzolo. It included contributions (already covered by posts of the previous weeks) from:

  • Mattia Rizzolo
    • tests/comparators/dtb: compatibility with version 1.4.5. (Closes: #880279)
  • Chris Lamb
    • comparators:
      • binwalk: improve names in output of "internal" members. #877525
      • Omit misleading "any of" prefix when only complaining about one module in ImportError messages.
    • Don't crash on malformed "md5sums" files. (Closes: #877473)
    • tests/comparators:
      • ps: ps2ascii > 9.21 now varies on timezone, so skip this test for now.
      • dtby: only parse the version number, not any "-dirty" suffix.
    • debian/watch: Use HTTPS URI.
  • Ximin Luo
    • comparators:
      • utils/file: Diff container metadata centrally. This fixes a last remaining bug in fuzzy-matching across containers. (Closes: #797759)
      • Fix all the affected comparators after the above change.
  • Holger Levsen
    • Bump Standards-Version to 4.1.1, no changes needed.

strip-nondeterminism development

Version 0.040-1 was uploaded to unstable by Mattia Rizzolo. It included contributions already covered by posts of the previous weeks, as well as new ones from:


Version 0.5.2-2 was uploaded to unstable by Holger Levsen.

It included contributions already covered by posts of the previous weeks, as well as new ones from:

reprotest development

buildinfo.debian.net development

tests.reproducible-builds.org

  • Mattia Rizzolo:
    • archlinux: enable schroot building on pb4 as well
    • archlinux: don't install the deprecated abs tool
    • archlinux: try to re-enable one schroot creation job
  • lynxis
    • lede: replace TMPDIR -> RESULTSDIR
    • lede: openwrt_get_banner(): use locals instead of globals
    • lede: add newline to $CONFIG
    • lede: show git log -1 in jenkins log
  • Holger Levsen:
    • lede: add very simple landing page
  • Juliana Oliveira Rodrigues
    • archlinux: adds pacman-git dependencies
  • kpcyrd
    • archlinux: disable signature verification when running in the future
    • archlinux: use pacman-git until the next release
    • archlinux: make pacman fail less early
    • archlinux: use sudo to prepare chroot
    • archlinux: remove -rf for regular file
    • archlinux: avoid possible TOCTOU issue
    • archlinux: Try to fix tar extraction
    • archlinux: fix sha1sums parsing

Misc.

This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Here's what happened in the Reproducible Builds effort between Sunday October 22 and Saturday October 28 2017:

Past Events

Upcoming/current events

Documentation updates

Bernhard Wiedemann started The Unreproducible Package which "is meant as a practical way to demonstrate the various ways that software can break reproducible builds using just low level primitives without requiring external existing programs that implement these primitives themselves.

It is structured so that one subdirectory demonstrates one class of issues in some variants observed in the wild."

Reproducible work in other projects

Hush, a fork of ZCash, opened an issue into reproducible builds.

A new tag was added to lintian (lint checker for Debian packages) to ensure that changelog entry timestamps are strictly increasing. This avoids certain real-world issues with identical timestamps, documented in Debian #843773.

Packages reviewed and fixed, and bugs filed

Patches sent upstream:

  • Bernhard M. Wiedemann:
    • gtranslator, embedded build timestamps
    • libgda, embedded build timestamps
    • mariadb, embedded build timestamps
    • nim, embedded build timestamps

Debian bug reports:

Reviews of unreproducible packages

14 package reviews have been added, 35 have been updated and 28 have been removed in this week, adding to our knowledge about identified issues.

1 issue type has been updated:

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (4)

strip-nondeterminism development

Version 0.040-1 was uploaded to unstable by Mattia Rizzolo. It included contributions already covered by posts of the previous weeks, as well as new ones from:

  • Mattia Rizzolo:
    • png.pm: Don't open the original file in write mode

reprotest development

Development continued in git:

  • Ximin Luo:
    • New features:
      • Support a domain_host variation.
      • Support a --print-sudoers feature.
    • Documentation:
      • Note some caveats about the existing git versions as a self-reminder not to release it yet.
      • Updates about our assumptions and rearrange sudo into its own section.
    • Bug fixes:
      • main: When dropping privs, make sure the user can still move in theroot.
      • tests: fix, need to preserve env for su
      • build: Don't fail when the build produces a broken symlink
      • main, presets: Properly drop privs when running the build. (Closes: #877813)
    • Code quality:
      • Improve logging to try to get to the bottom of the jenkins failures
      • Tweak tests to avoid some build dependencies
      • build: Name temporary directories after reprotest not autopkgtest

buildinfo.debian.net development

Development continued in git:

  • Chris Lamb:
    • New features:
      • Add API endpoint to fetch specific .buildinfo files for a certain package/version/architecture, and optimise it. (Closes: #25)
    • Bug fixes:
      • Always show SHA256, regardless of viewport size. (Closes: #27)
      • Actually filter by source package (!)

reproducible-website development

  • Holger Levsen:
    • RWS3 Berlin 2017:
      • Add CoyIM, Arch Linux, LEDE, LEAP, subuser.org, Bazel, coreboot.
      • Make some sponsors visible.
      • Add short paragraph explaining that registration is mandatory.

Misc.

This week's edition was written by Ximin Luo, Chris Lamb, Bernhard M. Wiedemann and Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Posted 2017-11-03 17:58:12 UTC Tags: reproducible builds

Here's what happened in the Reproducible Builds effort between Sunday October 15 and Saturday October 21 2017:

  • The Tails project published a report on how they made their ISO images reproducible.

  • dpkg 1.19.0 was uploaded, including support for:

    • Ordering the "unused substitution" warnings to prevent superfluous differences between logs of package builds on the Reproducible Builds test framework. (#870221)

    • A new Build-Kernel-Version field in .buildinfo files that can be generated with a new dpkg-genbuildinfo --always-include-kernel option. (#873937)

Past events

Upcoming events

New York University sessions

A three week session will be held at New York University to work on reproducibilty issues in conjunction with the reproducible builds community. Students from the Application Security course will be working for two weeks to work on the reproducible builds effort.

  • On Tuesday 24th Oct Ed Maste from FreeBSD will be presenting some reproducible builds work for students.

  • On From Tuesday 24th of October to Monday 7th of November students will work on fixing reproducibility issues brought up by the community. A milestone presentation will be held by Santiago Torres-Arias and Preston Moore.

  • On Tuesday 7th November Holger Levsen will join the NYU team to wrap up the work.

Packages reviewed and fixed, and bugs filed

The following reproducible builds-related NMUs were accepted:

Patches sent upstream:

Reviews of unreproducible packages

41 package reviews have been added, 119 have been updated and 54 have been removed in this week, adding to our knowledge about identified issues. 2 issue types were removed as they were fixed:

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Aaron M. Ucko (1)
  • Adrian Bunk (49)
  • Anthony DeRobertis (1)
  • Daniel Schepler (1)
  • Gilles Filippini (1)
  • James Cowgill (1)
  • Matthias Klose (1)
  • Matthias Klumpp (1)
  • Nobuhiro Iwamatsu (1)

diffoscope development

strip-nondeterminism development

Version 0.039-1 was uploaded to unstable by Chris Lamb. It included contributions already covered by posts of the previous weeks, including:

  • Chris Lamb:
    • Clojure considers the .class file to be stale if it shares the same timestamp of the .clj. We thus adjust the timestamps of the .clj to always be younger. (#877418)
    • dh_strip_nondeterminism: Log which handler processed a file. (#876140)
    • bin/strip-nondeterminism: Print a warning in --verbose mode if no canonical time specified.
    • Use HTTPS URI in debian/watch.

reprotest development

tests.reproducible-builds.org

  • Holger Levsen:

    • Install rustc on Jenkins for the reproducible-html-build-path-prefix-map-spec job.
  • Mattia Rizzolo:

    • health_check: Include the running kernel version when reporting multiple kernel installed in /boot.

Website updates

Misc.

This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Santiago Torres & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Posted 2017-10-24 12:53:12 UTC Tags: reproducible builds

Here's what happened in the Reproducible Builds effort between Sunday October 8 and Saturday October 14 2017:

Upcoming events

  • On Saturday 21st October, Holger Levsen will present at All Systems Go! in Berlin, Germany on reproducible builds.

  • On Tuesday 24th October, Chris Lamb will present at All Things Open 2017 in Raleigh, NC, USA on reproducible builds.

  • On Wednesday 25th October, Holger Levsen will present at the Open Source Summit Europe in Prague, Czech Republic on reproducible builds.

  • From October 31st - November 2nd we will be holding the 3rd Reproducible Builds summit in Berlin. If you are working in the field of reproducible builds, you should totally be there. Please contact us if you have any questions! Quoting from the public invitation mail:

    These dates are inclusive, ie. the summit will be 3 full days from "9 to 5".
    Best arrive on Monday October 30th and leave on the evening of Thursday, 3rd
    at the earliest.
    
    
    Meeting content
    ===============
    
    The exact content of the meeting is going to be shaped by the
    participants, but here are the main goals:
    
     - Update & exchange about the status of reproducible builds in various
       projects.
     - Establish spaces for more strategic and long-term thinking than is possible
       in virtual channels.
     - Improve collaboration both between and inside projects.
     - Expand the scope and reach of reproducible builds to more projects.
     - Brainstorming / Designing several things, eg:
      - designing tools enabling end-users to get the most benefits from
        reproducible builds.
      - design of back-ends needed for that.
     - Work together and hack on solutions.
    
    There will be a huge variety of topics to be discussed. To give a few
    examples:
    - continuing design and development work on .buildinfo infrastructure
    - build-path issues everywhere
    - future directions for diffoscope, reprotest & strip-nondeterminism
    - reproducing signed artifacts such as RPMs
    - discussing formats and tools we can share
    - sharing proposals for standards and documentation helpful to spreading the
      reproducible effort
    - and many many more.
    
    Please think about what you want discuss, brainstorm & learn about at this
    meeting!
    
    
    Schedule
    ========
    
    Preliminary schedule for the three days:
    
    9:00 Welcome and breakfast
    9:30 Meeting starts
    12:30 Lunch
    17:00 End of the official schedule
    
    Gunner and Beatrice from Aspiration will help running the meeting. We will
    collect your input in subsequent emails to make the best of everyone's time.
    Feel free to start thinking about what you want to achieve there. We will also
    adjust topics as the meeting goes.
    
    Please note that we are very likely to spend large parts of the meeting away
    from laptops and closer to post-it notes. So make sure you've answered any
    critical emails *before* Tuesday morning! :)
    

Reproducible work in other projects

Pierre Pronchery reported that that he has built the foundations for doing more reproducibility work in NetBSD.

Packages fixed

Upstream bugs and patches:

  • Bernhard M. Wiedemann:
    • qutim used RANDOM which is unpredictable and unreproducible.
    • dpdk used locale-dependent sort.

Reproducibility non-maintainer uploads in Debian:

QA fixes in Debian:

Reviews of unreproducible packages

6 package reviews have been added, 30 have been updated and 37 have been removed in this week, adding to our knowledge about identified issues.

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (40)
  • Eric Valette (1)
  • Markus Koschany (1)

diffoscope development

  • Ximin Luo:
    • Containers: diff the metadata of containers in one central location in the code, so that deep-diff works between all combinations of different container types. This lets us finally close #797759.
    • Tests: add a complete set of cases to test all pairs of container types.
  • Chris Lamb:
    • Temporarily skip the test for ps2ascii(1) in ghostscript > 9.21 which now outputs text in a slightly different format.
    • UI wording improvements.

reprotest development

Version 0.7.3 was uploaded to unstable by Ximin Luo. It included contributions already covered by posts of the previous weeks, as well as new ones:

  • Ximin Luo:
    • Add a --env-build option for testing builds under different sets of environment variables. This is meant to help the discussion over at #876055 about how we should deal with different types of environment variables in a stricter definition of reproducibility.
    • UI and logging tweaks and improvements.
    • Simplify the _shell_ast module and merge it into shell_syn.

Misc.

This week's edition was written by Ximin Luo, Chris Lamb and Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Posted 2017-10-17 19:29:02 UTC Tags: reproducible builds

Here's what happened in the Reproducible Builds effort between Sunday October 1 and Saturday October 7 2017:

Media coverage

Documentation updates

Packages reviewed and fixed, and bugs filed

Reviews of unreproducible packages

32 package reviews have been added, 46 have been updated and 62 have been removed in this week, adding to our knowledge about identified issues.

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (27)

diffoscope development

strip-nondeterminism development

Rob Browning noticed that strip-nondeterminism was causing serious performance regressions in the Clojure programming language within Debian. After some discussion, Chris Lamb also posted a query to debian-devel in case there were any other programming languages that might be suffering from the same problem.

reprotest development

Versions 0.7.1 and 0.7.2 were uploaded to unstable by Ximin Luo:

  • New features:
    • Add a --auto-build option to try to determine which specific variations cause unreproducibility.
    • Add a --source-pattern option to restrict copying of source_root, and set this automatically in our presets.
  • Usability improvements:
    • Improve error messages in some common scenarios.
      • Fiving a source_root or build_command that doesn't exist
      • Using reprotest with default settings after not installing Recommends
    • Output hashes after a successful --auto-build.
    • Print a warning message if we reproduced successfully but didn't vary everything.
  • Fix varying both umask and user_group at the same time.
  • Have dpkg-source extract to different build dir if varying the build-path.
  • Pass --exclude-directory-metadata to diffoscope(1) by default as this is the majority use-case.
  • Various bug fixes to get the basic dsc+schroot example working.

It included contributions already covered by posts of the previous weeks, as well as new ones from:

tests.reproducible-builds.org

Misc.

This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Posted 2017-10-10 08:08:10 UTC Tags: reproducible builds

This blog is powered by ikiwiki.