Here's what happened in the Reproducible Builds effort between Sunday July 23 and Saturday July 29 2017:

Toolchain development and fixes

  • Chris Lamb sent an experimental patch to apt to make the output of apt-ftparchive reproducible. Thanks to David Kalnischkies for reworking the result. (#869557)

Packages reviewed and fixed, and bugs filed

Reviews of unreproducible packages

4 package reviews have been added, 2 have been updated and 24 have been removed in this week, adding to our knowledge about identified issues.

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Aaron M. Ucko (1)
  • Adrian Bunk (35)
  • Helmut Grohne (4)
  • Stefan Tatschner (1)

diffoscope development

Misc.

This week's edition was written by Chris Lamb, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Posted 2017-08-01 14:05:00 UTC Tags: reproducible builds

Here's what happened in the Reproducible Builds effort between Sunday July 30 and Saturday August 5 2017:

Media coverage

We were mentioned on Late Night Linux Episode 17, around 29:30.

Packages reviewed and fixed, and bugs filed

Upstream packages:

  • Bernhard M. Wiedemann:
    • efl (merged), unique ids based on memory address
    • 389-ds (merged), SOURCE_DATE_EPOCH support.
    • plowshare, SOURCE_DATE_EPOCH support
    • sphinx, file ordering
    • sphinx, SOURCE_DATE_EPOCH support

Debian packages:

Reviews of unreproducible packages

29 package reviews have been added, 72 have been updated and 151 have been removed in this week, adding to our knowledge about identified issues.

4 issue types have been updated:

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (36)
  • Andreas Beckmann (2)
  • Daniel Schepler (2)
  • Logan Rosen (1)
  • Lucas Nussbaum (93)

diffoscope development

Version 85 was uploaded to unstable by Mattia Rizzolo. It included contributions from:

  • Mattia Rizzolo:
    • Add an explicit Recommends: on the defusedxml python package.
    • Various other code quality tweaks.
  • Juliana Oliveira Rodrigues:
    • Fix test_ico_image for ImageMagick identify >= 6.9.8.
    • Use the defusedxml XML library by default in the XML comparator, if it's available. This protects against various XML parser DoS attacks and other security holes, which other Python XML libraries are vulnerable to.
  • Ximin Luo:
    • Force a flush when writing output to diff. (Closes: #870049).

as well as previous weeks' contributions, summarised in the changelog.

There were also further commits in git, which will be released in a later version:

  • Guangyuan Yang:
    • tests/iso9660: support isoinfo's output coming from cdrtools' version instead of genisoimage's
  • Mattia Rizzolo:
    • Code quality and test fixes.
  • Chris Lamb:
    • Code quality and test fixes.

Misc.

This week's edition was written by Ximin Luo, Bernhard M. Wiedemann and Chris Lamb & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Posted 2017-08-14 23:30:01 UTC Tags: reproducible builds

Here's what happened in the Reproducible Builds effort between Sunday 6th and Saturday 12th August 2017:

Notes about reviews of unreproducible packages

13 package reviews have been added, 7 have been updated and 34 have been removed in this week, adding to our knowledge about identified issues.

Packages reviewed and fixed, and reproducibility related bugs filed

Upstream packages:

Other bugs filed

  • During our reproducibility testing, Adrian Bunk filed 48 FTBFS bugs this week.

diffoscope development

trydiffoscope development

tests.reproducible-builds.org

  • Mattia:
    • Notify the #debian-reproducible-changes IRC channel for unreproducible -> FTBFS transitions.
    • Update squid.conf for all nodes to 5.2.23 (and fixup some).
    • Enable the Munin Squid plugin on the Codethink arm64 nodes as well.
    • Force reconfiguration of Apache and Munin when update_jdn.sh is updated.
  • Holger worked on slides for his DebConf17 BoF about migrating to jenkins.debian.org, which affects tests.r-b.o as well.

Misc.

This week's edition was written by Chris Lamb & Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Posted 2017-08-17 21:48:55 UTC Tags: reproducible builds

Here's what happened in the Reproducible Builds effort between Sunday August 13 and Saturday August 19 2017:

Reproducible Builds finally mandated by Debian Policy

"Packages should build reproducibly" was merged into Debian policy! The added text is as follows and has been included in debian-policy 4.1.0.0:

Reproducibility
---------------

Packages should build reproducibly, which for the purposes of this
document [#]_ means that given

- a version of a source package unpacked at a given path;
- a set of versions of installed build dependencies;
- a set of environment variable values;
- a build architecture; and
- a host architecture,

repeatedly building the source package for the build architecture on
any machine of the host architecture with those versions of the build
dependencies installed and exactly those environment variable values
set will produce bit-for-bit identical binary packages.

It is recommended that packages produce bit-for-bit identical binaries
even if most environment variables and build paths are varied.  It is
intended for this stricter standard to replace the above when it is
easier for packages to meet it.

.. [#]
   This is Debian's precisification of the `reproducible-builds.org
   definition `_.

  • Holger Levsen wrote a blog post briefly describing the background and implications of this. To quote him: "we are not 94% done yet, rather more like half done or so. We still need tools and processes to enable anyone to independently verify that a given binary comes from the sources it is said to be coming, this will involve distributing .buildinfo files and providing user interfaces in APT and elsewhere and probably also systematic rebuilds by us and other parties. And 6% or 7% of the archive is still a lot of packages, eg. in Buster we currently still have 273 unreproducible key packages and for a large part we don't have patches yet so there is still a lot of work ahead."
  • There were discussion threads on Hacker News and Reddit.
  • Our long-term goal is that Policy mandates that packages "must" be reproducible, but for that we need to show further progress and also reach a consensus on .buildinfo files and much more.
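
The bit-for-bit criterion in the policy text above can be checked by building the same source twice and comparing digests. The following is an added illustration, not code from Debian Policy or from the Reproducible Builds tools: it packs one constructed source tree from two different build paths with different file timestamps, first naively and then with the kinds of fixes listed in these reports (stable file ordering, clamping timestamps to SOURCE_DATE_EPOCH, keeping the build path out of the output). The file names, timestamps and function names are assumptions made for the example.

```python
import hashlib, io, os, tarfile, tempfile

# Constructed sample source tree (not taken from any real package).
FILES = {"b.txt": b"beta\n", "a.txt": b"alpha\n", "c.txt": b"gamma\n"}

def make_tree(root, mtime):
    """Write the sample files into root and stamp them with the given mtime."""
    for name, data in FILES.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))

def build(src_dir, normalise, epoch):
    """Pack src_dir into an in-memory tar archive and return its SHA-256."""
    names = os.listdir(src_dir)          # readdir order depends on the filesystem
    if normalise:
        names.sort()                     # stable file ordering
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            path = os.path.join(src_dir, name)
            # The naive build embeds the absolute build path in member names.
            info = tar.gettarinfo(path, arcname=name if normalise else path)
            if normalise:
                info.mtime = min(int(info.mtime), epoch)  # clamp to SOURCE_DATE_EPOCH
                info.uid = info.gid = 0                   # drop builder identity
                info.uname = info.gname = ""
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    return hashlib.sha256(buf.getvalue()).hexdigest()

def compare_builds(normalise, epoch=1500000000):
    """Build identical sources in two paths whose file mtimes differ."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        make_tree(a, 1501000000)
        make_tree(b, 1502000000)
        return build(a, normalise, epoch), build(b, normalise, epoch)

if __name__ == "__main__":
    epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "1500000000"))
    for normalise in (False, True):
        first, second = compare_builds(normalise, epoch)
        label = "normalised" if normalise else "naive"
        print(f"{label}: identical={first == second}")
```

For real packages, reprotest performs the varied rebuilds and diffoscope explains any remaining differences.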

Reproducible work in other projects

Bernhard M. Wiedemann's reproducibleopensuse scripts now work on Debian buster on the openSUSE Build Service with the latest versions of osc and obs-build.

Toolchain development and fixes

#872514 was opened on devscripts by Chris Lamb to add a reproducible-check program to report on the reproducibility status of installed packages.

Packages reviewed and fixed, and bugs filed

Upstream reports:

  • Bernhard M. Wiedemann:

Debian reports:

Debian non-maintainer uploads:

Reviews of unreproducible packages

47 package reviews have been added, 58 have been updated and 39 have been removed in this week, adding to our knowledge about identified issues.

4 issue types have been updated:

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (59)
  • Bastien Roucariès (1)
  • James Clarke (1)
  • Jeremy Bicha (1)

diffoscope development

Development continued in git, including the following contributions:

  • Ximin Luo:
    • presenters: html: Don't traverse children whose parents were already limited (Closes: #871413)
    • On a non-GNU system, prefer tools that start with "g" for certain whitelisted commands. (Closes: #871029)
    • Add a --tool-prefix-binutils CLI flag. (Closes: #869868)
  • Chris Lamb:
    • Temporarily revert "Bump Standards-Version to 4.0.1" to avoid spurious CI test failures.
    • comparators.xml: Use name attribute over path to avoid leaking comparison full path in output.
    • Code style fixes.

disorderfs development

Development continued in git, including the following contributions:

  • Chris Lamb:
    • Add simple autopkgtest.

reprotest development

Development continued in git, including the following contributions:

  • Ximin Luo:
    • Choose an existent HOME for the "control" build. (Closes: #860428)
    • Update debian/changelog with Santiago's changes.
  • Santiago Torres:
    • Abstract parts of autopkgtest to support running on non-Debian systems.
    • Add a --host-distro flag to support that too.

tests.reproducible-builds.org

Mattia fixed the script which creates the HTML representation of our database scheme to not append .html twice to the filename.

Misc.

This week's edition was written by Ximin Luo, Chris Lamb and Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Posted 2017-08-25 19:50:21 UTC Tags: reproducible builds

Here's what happened in the Reproducible Builds effort between Sunday August 20 and Saturday August 26 2017:

Debian development

  • "Packages should build reproducibly" was released in Debian Policy 4.1.0.0. For more background please see last week's post.
  • A patch by Chris Lamb to make Dpkg::Substvars warnings output deterministic was merged by Guillem Jover. This helps the Reproducible Builds effort as it removes unnecessary differences in logs of two package builds. (#870221)

Packages reviewed and fixed, and bugs filed

Forwarded upstream:

Accepted reproducibility NMUs in Debian:

Other issues:

Reviews of unreproducible packages

16 package reviews have been added, 38 have been updated and 48 have been removed in this week, adding to our knowledge about identified issues.

2 issue types have been updated:

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (37)
  • Dmitry Shachnev (1)
  • James Cowgill (1)

diffoscope development

disorderfs development

Version 0.5.2-1 was uploaded to unstable by Ximin Luo. It included contributions from:

reprotest development

Misc.

This week's edition was written — in alphabetical order — by Bernhard M. Wiedemann, Chris Lamb, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Posted 2017-08-29 15:13:27 UTC Tags: reproducible builds