What happened in the Reproducible Builds effort between Sunday July 31 and Saturday August 6 2016:

Toolchain development and fixes

  • dpkg/1.18.10 by Guillem Jover.
    • Generate reproducible source tarballs by using the new GNU tar --clamp-mtime option.
    • Enable fixdebugpath build flag feature by default, original patch by Mattia Rizzolo.
  • cython/0.24.1-1 by Yaroslav Halchenko.
  • Chris Lamb and Thomas Schmidt worked on some patches to make reproducible ISO images.
  • Johannes Schauer continued the discussion on #763822 regarding dak and buildinfo files.
  • Johannes Schauer continued the discussion on #774415 regarding srebuild and debrebuild.
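
To illustrate the --clamp-mtime change in the dpkg entry above, here is an added example (not dpkg's own code) that packs the same sources with two different sets of file timestamps, with and without clamping. The sample tree, the timestamps and the extra normalising options (--sort=name, --owner, --group, --numeric-owner) are assumptions of this example, which needs GNU tar 1.29 or later.

```shell
#!/bin/sh
# Added example with a constructed sample tree; not dpkg's own code.
# Assumes GNU tar >= 1.29 (first release with --clamp-mtime) and sha256sum.

SOURCE_DATE_EPOCH=1470000000   # constructed reference: 2016-07-31 21:20:00 UTC

# make_tree DIR OLD NEW: sample source tree; main.c gets mtime OLD,
# config.h and the src/ directory get mtime NEW (epoch seconds).
make_tree() {
    mkdir -p "$1/src"
    printf 'int main(void) { return 0; }\n' > "$1/src/main.c"
    printf '/* generated at build time */\n' > "$1/src/config.h"
    touch -d "@$2" "$1/src/main.c"
    touch -d "@$3" "$1/src/config.h" "$1/src"
}

# Naive archive: member mtimes are copied from the file system.
pack_plain() {
    tar -c -C "$1" -f - src | sha256sum | cut -d' ' -f1
}

# Normalised archive: mtimes newer than SOURCE_DATE_EPOCH are clamped to it,
# older ones are kept; member order and ownership are fixed as well.
clamped_tar() {
    tar -c -C "$1" --format=gnu --sort=name \
        --mtime="@$SOURCE_DATE_EPOCH" --clamp-mtime \
        --owner=0 --group=0 --numeric-owner -f - src
}
pack_clamped() { clamped_tar "$1" | sha256sum | cut -d' ' -f1; }
list_clamped() { clamped_tar "$1" | TZ=UTC tar --full-time -tvf -; }

# Demo: the same sources, touched at two different (later) times.
work=$(mktemp -d)
make_tree "$work/a" 1451606400 1480000000
make_tree "$work/b" 1451606400 1490000000
echo "plain:   $(pack_plain "$work/a") vs $(pack_plain "$work/b")"
echo "clamped: $(pack_clamped "$work/a") vs $(pack_clamped "$work/b")"
list_clamped "$work/a"
rm -rf "$work"
```

The plain hashes differ while the clamped ones match, and the listing shows that main.c keeps its older timestamp instead of being reset to the reference time.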

Packages fixed and bugs filed

The following 24 packages have become reproducible - in our current test setup - due to changes in their build-dependencies: alglib aspcud boomaga fcl flute haskell-hopenpgp indigo italc kst ktexteditor libgroove libjson-rpc-cpp libqes luminance-hdr openscenegraph palabos petri-foo pgagent sisl srm-ifce vera++ visp x42-plugins zbackup

The following packages have become reproducible after being fixed:

The following newly-uploaded packages appear to be reproducible now, for reasons we were not able to figure out. (Relevant changelogs did not mention reproducible builds.)

  • libitext-java/2.1.7-1 by Emmanuel Bourg.
  • lice/1:4.2.5i-2 by Kurt Roeckx.
  • pgbackrest/1.04-1 by Adrian Vondendriesch.
  • pxlib/0.6.7-1 by Uwe Steinmann.
  • runit/2.1.2-5 by Dmitry Bogatov.
  • ssvnc/1.0.29-3 by Magnus Holmgren.
  • syncthing/0.14.3+dfsg1-3 by Alexandre Viau.
  • tachyon/0.99~b6+dsx-5 by Jerome Benoit.
  • tor/0.2.8.6-2 by Peter Palfrader.

Some uploads have addressed some reproducibility issues, but not all of them:

Patches submitted that have not made their way to the archive yet:

Package reviews and QA

These are reviews of reproducibility issues of Debian packages.

276 package reviews have been added, 172 have been updated and 44 have been removed this week.

7 FTBFS bugs have been reported by Chris Lamb.

Reproducibility tools

  • diffoscope/56~bpo8+1 uploaded to jessie-backports by Mattia Rizzolo
  • strip-nondeterminism/0.022-1~bpo8+1 uploaded to jessie-backports by Mattia Rizzolo

Test infrastructure

For testing the impact of allowing variations of the build path (which up until now we required to be identical for reproducible rebuilds), Reiner Herrmann contributed a patch which enabled build path variations on testing/i386. This is possible now since dpkg 1.18.10 enables the --fixdebugpath build flag feature by default, which should result in reproducible builds (for C code) even with varying paths. So far we haven't had many results due to disturbances in our build network over the last few days, but it seems this would mean roughly 5-15% additional unreproducible packages compared to what we see now. We'll keep you updated on the numbers (and problems with compilers and common frameworks) as we find them.

lynxis continued work to test LEDE and OpenWrt on two different hosts, to include date variation in the tests.

Mattia and Holger worked on the (mass) deployment scripts, so that the only jenkins.debian.net Git clone (there is just one, for space reasons) now resides in ~jenkins-adm/ and no longer in Holger's home directory. Soon Mattia (and possibly others!) will be able to fully maintain this setup while Holger is taking a siesta.

Miscellaneous

Chris, dkg, h01ger and Ximin attended a Core Infrastructure Initiative summit meeting in New York City, to discuss and promote the Reproducible Builds project. The CII was set up in the wake of the Heartbleed SSL vulnerability to support software projects that are critical to the functioning of the internet.

This week's edition was written by Ximin Luo and Holger Levsen and reviewed by a bunch of Reproducible Builds folks on IRC.