What happened in the Reproducible Builds effort between June 19th and June 25th 2016.

Media coverage

  • Holger Levsen gave a talk at openSUSE Conference 2016 explaining the general idea and status of Reproducible Builds. A video recording of the talk is available.

  • This was followed by a talk from Bernhard Wiedemann detailing his work on Reproducible Builds for openSUSE, which is also available as a video recording:

    • openSUSE uses SOURCE_DATE_EPOCH now too
    • How to create bit-for-bit identical RPMs
    • How strip-nondeterminism is Python and thus unsuitable for the openSUSE base system
  • Mozilla awarded $77k to work on reproducible builds for Tails. The goal is to enable anyone (given sufficient technical skills and hardware resources) to rebuild a given Tails release from source, in order to independently verify that it matches the ISO image that was published. A substantial part of this work will be done in Debian: for example, to make the side-effects of some packages' post-installation scripts deterministic. In the longer term, this work should benefit other projects that want to make their own builds reproducible (e.g. operating system images for the cloud and embedded systems, operating system installation media, other Live systems).

GSoC and Outreachy updates

Toolchain fixes

Other upstream fixes

Emil Velikov asked on IRC for hints on how to guarantee unique values during a build in order to invalidate shader caches in Mesa when no VCS information is available either. A possible solution is a timestamp, which is unique enough for local builds but can still be made reproducible by allowing it to be overridden with SOURCE_DATE_EPOCH.
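
The approach described above, as an added example that is not Mesa's code or part of the original report: a small build-time generator that takes its stamp from SOURCE_DATE_EPOCH when set and from the clock otherwise. The function names, the BUILD_CACHE_ID macro and the "demo-1.0" version string are assumptions made for illustration.

```c
/* Added example with hypothetical helper names; this is not Mesa's code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Parse SOURCE_DATE_EPOCH: decimal digits only. 0 on success, -1 if malformed. */
static int parse_epoch(const char *s, uint64_t *out)
{
    if (s == NULL || *s == '\0' || s[strspn(s, "0123456789")] != '\0')
        return -1;                 /* empty, signed, spaced or trailing junk */
    errno = 0;
    unsigned long long v = strtoull(s, NULL, 10);
    if (errno == ERANGE)
        return -1;                 /* does not fit in 64 bits */
    *out = (uint64_t)v;
    return 0;
}

/* Use the override when the variable is set, otherwise the wall clock.
 * A set-but-malformed value is an error, so the build fails visibly. */
static int build_stamp(const char *env_value, time_t now, uint64_t *out)
{
    if (env_value != NULL)
        return parse_epoch(env_value, out);
    *out = (uint64_t)now;
    return 0;
}

/* Combine a version string with the stamp into the cache key. */
static int cache_key(char *buf, size_t len, const char *version, uint64_t stamp)
{
    int n = snprintf(buf, len, "%s-%016llx", version, (unsigned long long)stamp);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    uint64_t stamp; char key[64];
    if (build_stamp(getenv("SOURCE_DATE_EPOCH"), time(NULL), &stamp) != 0 ||
        cache_key(key, sizeof key, "demo-1.0", stamp) != 0) {
        fprintf(stderr, "invalid SOURCE_DATE_EPOCH or key too long\n");
        return 1;
    }
    printf("#define BUILD_CACHE_ID \"%s\"\n", key);   /* emitted into a header */
    return 0;
}
```

With SOURCE_DATE_EPOCH set, the stamp is only as unique as the value supplied to the build, which is why the key also carries a version string.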

Packages fixed

The following 9 packages have become reproducible due to changes in their build dependencies:

cclib librun-parts-perl llvm-toolchain-snapshot python-crypto python-openid r-bioc-shortread r-bioc-variantannotation ruby-hdfeos5 sqlparse

The following packages have become reproducible after being fixed:

Some uploads have fixed some reproducibility issues, but not all of them:

Patches submitted that have not made their way to the archive yet:

  • #827684 against cgoban by Chris Lamb: set SHELL to static value.
  • #827731 against tin by Alexis Bienvenüe: drop patch which overwrites __DATE__/__TIME__ macros, since gcc can handle it now.
  • #827863 against swedish by Alexis Bienvenüe: use C locale for sorting.
  • #827987 against glances by Chris Lamb: use SOURCE_DATE_EPOCH for embedded timestamp.
  • #827994 against cmtk by Chris Lamb: use C locale for sorting.
  • #828008 against aghermann by Chris Lamb: honour SOURCE_DATE_EPOCH for timestamps embedded into manpages.
  • #828012 against bind9 by Chris Lamb: honour SOURCE_DATE_EPOCH for embedded timestamp.
  • #828017 against frog by Chris Lamb: don't include pyc/pyo files in the package.
  • #828021 against extra-cmake-modules by Scarlett Clark: normalize permission and file order in tarballs.
  • #828060 against libffado by Chris Lamb: exclude file with test output from package.
  • #828066 against gsmlib by Chris Lamb: honour SOURCE_DATE_EPOCH for timestamps embedded into manpages.
  • #828067 against grib-api by Chris Lamb: exclude pyc files from package.
  • #828122 against libxmlbird by Chris Lamb: sort list of globbed files.
  • #828123 against magnum by Chris Lamb: use static value for embedded hostname.
  • #828131 against pyjwt by Chris Lamb: exclude coverage data from package.
  • #828145 against mkdocs by Chris Lamb: honour SOURCE_DATE_EPOCH for embedded timestamp.
  • #828164 against zeal by Chris Lamb: use UTC for embedded timestamp.
  • #828168 against x42-plugins by Daniel Shahaf: use printf instead of non-portable echo.

Package reviews

139 reviews have been added, 20 have been updated and 21 have been removed this week.

New issues found:

53 FTBFS bugs have been reported by Chris Lamb, Santiago Vila and Mateusz Łukasik.

diffoscope development

Quote of the week

"My builds are so reproducible, they fail exactly every second time." — Johannes Ziemke (@discordianfish)

Misc.

This week's edition was written by Chris Lamb (lamby), Reiner Herrmann and Holger Levsen and reviewed by a bunch of Reproducible Builds folks on IRC.