Here's what happened in the Reproducible Builds effort between Sunday, November 26 and Saturday, December 2, 2017:

Media coverage

Arch Linux imap key leakage

A security issue was found in the imap package in Arch Linux thanks to the reproducible builds effort in that distribution.

Due to a hardcoded key-generation routine in the build() step of imap's PKGBUILD (the standard packaging file for Arch Linux packages), a default secret key was generated and leaked on all imap installations. This was promptly reviewed, confirmed and fixed by the package maintainers.

This mirrors similar security issues found in Debian, such as #833885.
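The failure class described above, as an added example (not code from Arch Linux or the Reproducible Builds project): a POSIX shell check that flags key or certificate generation inside a PKGBUILD's build-time functions. The package name `exampled`, the sample PKGBUILD and the command pattern list are constructed for illustration.

```shell
#!/bin/sh
# Anything generated in prepare(), build() or package() is baked into the
# package archive, so every installation receives the same "secret".

# Commands treated as key generation (illustrative list, not exhaustive).
KEYGEN_RE='openssl[ \t]+(req|genrsa|genpkey)|ssh-keygen'

# Read a PKGBUILD on stdin; print "function:line: command" per finding.
scan_pkgbuild() {
  awk -v re="$KEYGEN_RE" '
    /^(prepare|build|package)(_[A-Za-z0-9_-]+)?\(\)/ {
      fn = $1; sub(/\(\).*/, "", fn); next
    }
    /^[}]/ { fn = "" }
    fn != "" && $0 !~ /^[ \t]*#/ && $0 ~ re {
      line = $0; sub(/^[ \t]+/, "", line)
      printf "%s:%d: %s\n", fn, NR, line
    }
  '
}

# Constructed sample PKGBUILD (hypothetical package "exampled").
sample_pkgbuild() {
  cat <<'EOF'
pkgname=exampled
pkgver=1.0
build() {
  make
  # do not flag comments: ssh-keygen -A
  openssl req -new -x509 -nodes -newkey rsa:2048 -keyout exampled.pem -out exampled.pem -subj "/CN=localhost"
}
package() {
  install -Dm600 exampled.pem "$pkgdir/etc/ssl/private/exampled.pem"
}
EOF
}

# Run the check on the sample; one finding is reported for build().
sample_pkgbuild | scan_pkgbuild
```

A finding here means the key would be identical on every installation and would also differ between two builds of the same source, which is how a reproducibility test surfaces it. Generating the key on the target system at install time or first start avoids both problems.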

Debian packages reviewed and fixed, and bugs filed

In addition, 73 FTBFS bugs were detected and reported by Adrian Bunk.

Reviews of unreproducible Debian packages

83 package reviews have been added, 41 have been updated and 33 have been removed this week, adding to our knowledge about identified issues.

1 issue type was updated:

LEDE / OpenWrt packages updates:

diffoscope development

reprotest development

Version 0.7.4 was uploaded to unstable by Ximin Luo. It included contributions already covered by posts of the previous weeks as well as new ones from:

reproducible-website development

tests.reproducible-builds.org

Misc.

This week's edition was written by Alexander Couzens, Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Santiago Torres-Arias, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Posted 2017-12-05 14:10:34 UTC Tags: reproducible builds

Here's what happened in the Reproducible Builds effort between Sunday December 3 and Saturday December 9 2017:

Documentation update

There was more discussion on different logos being proposed for the project.

Reproducible work in other projects

Cyril Brulebois wrote about Tails' work on reproducibility

Gabriel Scherer submitted a pull request to the OCaml compiler to honour the BUILD_PATH_PREFIX_MAP environment variable.

Packages reviewed and fixed

Patches filed upstream:

  • Bernhard M. Wiedemann:
  • Eli Schwartz:
  • Foxboron
    • gopass - use SOURCE_DATE_EPOCH in Makefile
  • Jelle
    • PHP - use SOURCE_DATE_EPOCH for Build Date
  • Chris Lamb:
    • pylint - file ordering, nondeterministic data structure
    • tlsh - clarify error message (via diffoscope development)
  • Alexander "lynxis" Couzens:

Patches filed in Debian:

Patches filed in OpenSUSE:

  • Bernhard M. Wiedemann:
    • build-compare (merged) - handle .egg as .zip
    • neovim (merged) - hostname, username
    • perl (merged) - date, hostname, username
    • sendmail - date, hostname, username

Patches filed in OpenWRT:

  • Alexander "lynxis" Couzens:

Reviews of unreproducible packages

17 package reviews have been added, 31 have been updated and 43 have been removed this week, adding to our knowledge about identified issues.

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (13)
  • Andreas Beckmann (2)
  • Emilio Pozuelo Monfort (3)

reprotest development

  • Santiago Torres:
    • Use uname -m instead of arch.

trydiffoscope development

Version 66 was uploaded to unstable by Chris Lamb. It included contributions already covered by posts of the previous weeks as well as new ones from:

  • Chris Lamb:
    • Parse dpkg-parsechangelog instead of hard-coding version
    • Bump Standards-Version to 4.1.2
    • flake8 formatting

reproducible-website development

tests.reproducible-builds.org

reproducible Arch Linux:

reproducible F-Droid:

Misc.

This week's edition was written by Ximin Luo, Alexander Couzens, Holger Levsen, Chris Lamb, Bernhard M. Wiedemann and Santiago Torres & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Here's what happened in the Reproducible Builds effort between Sunday December 10 and Saturday December 16 2017:

Upcoming events

The Reproducible Builds project are organising an assembly at 34C3 (the "Galactic Congress") in Leipzig, Germany. We will informally meet every day at 13:37 UTC and would be delighted if you joined us there.

Packages reviewed and fixed, and bugs filed

Reviews of unreproducible packages

43 package reviews have been added, 48 have been updated and 51 have been removed this week, adding to our knowledge about identified issues.

4 issue types have been updated:

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (55)
  • Andreas Beckmann (2)
  • Laurent Bigonville (1)
  • Michael Biebl (1)
  • Pierre Saramito (2)

diffoscope development

reprotest development

Versions 0.7.5, 0.7.6 and 0.7.7 were uploaded to unstable by Ximin Luo.

They included contributions already covered by posts of the previous weeks as well as new changes:

buildinfo.debian.net development

reproducible-website development

jenkins.debian.net development

Misc.

This week's edition was written by Alexander Couzens, Bernhard M. Wiedemann, Chris Lamb and Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Posted 2017-12-19 14:35:00 UTC Tags: reproducible builds

Here's what happened in the Reproducible Builds effort between Sunday December 17 and Saturday December 23 2017:

Packages reviewed and fixed, and bugs filed

Bugs filed in Debian:

Bugs filed in openSUSE:

  • Bernhard M. Wiedemann:
    • WindowMaker (merged) - use modification date of ChangeLog, upstreamable
    • ntp (merged) - drop date
    • bzflag - version upgrade to include already-upstreamed SOURCE_DATE_EPOCH patch

Reviews of unreproducible packages

20 package reviews have been added, 36 have been updated and 32 have been removed this week, adding to our knowledge about identified issues.

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (6)
  • Matthias Klose (8)

diffoscope development

strip-nondeterminism development

disorderfs development

reprotest development

reproducible-website development

  • Chris Lamb:
    • rws3:
      • Huge number of formatting improvements, typo fixes, capitalisation
      • Add section headings to make splitting up easier.
  • Holger Levsen:
    • rws3:
      • Add a disclaimer that this part of the website is a Work-In-Progress.
      • Split notes from each session into separate pages (6 sessions).
      • Other formatting and style fixes.
      • Link to Ludovic Courtès' notes on GNU Guix.
  • Ximin Luo:
    • rws3:
      • Format agenda.md to look like previous years', and other fixes
      • Split notes from each session into separate pages (1 session).

jenkins.debian.net development

Misc.

This week's edition was written by Ximin Luo and Bernhard M. Wiedemann & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.