Here’s what happened in the Reproducible Builds effort between Sunday January 20 and Saturday January 26 2019:
- There was considerable progress towards making the Debian Installer images reproducible with a number of rounds of code review, a subsequent merge of Chris Lamb’s merge request and the closing of the corresponding bug report for the time being, pending further testing.
- At linux.conf.au 2019 in Christchurch, New Zealand, there were at least two talks that touched on the topic of Reproducible Builds. First, Benno Rice gave a talk titled “How Much Do You Trust That Package? Understanding The Software Supply Chain” (YouTube). In addition, Aleksandra Pawlik presented on “Building reproducible computing environments: a workshop for non-experts” (YouTube).
- There were a few updates this week from Chris Lamb to diffoscope, our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages, including not crashing if we were unable to successfully extract a guestfs filesystem […][…] (#901982), avoiding clumsy profiling “title length” calculations by switching to Markdown syntax […] and dropping the printing of `dpkg-query(1)` output whilst running tests. […]
- The compiler for the Elixir language received a number of updates to make it compile in 2019 (and 2020) and to create its `.beam` files in a reproducible manner, which permitted the creation of reproducible openSUSE packages. They are also adding reproducibility tests to their continuous-integration system to avoid future regressions.
- Chris Lamb’s historical summary and a request for action posted on Fontconfig’s mailing list in order that a solution may be found and included in Debian buster has resulted in considerable rounds of discussion and progress on the upstream mailing list.
- Hervé Boutemy made more updates to the reproducible-builds.org project website, including adding a section on auditing a JVM build […], defining `build.setup` as an optional field […], explaining the distinction between build instructions vs effective environment […] and detailing the Maven rebuild instructions […].
- Marvin Humphrey started a thread on our mailing list this week on the Definition of “reproducible build”, referencing a thread on the Apache Software Foundation’s legal-discuss mailing list.
- Bernhard M. Wiedemann posted his monthly Reproducible Builds status update for the openSUSE distribution.
- Reproducible builds were mentioned in Episode 9 of the Libre Lounge podcast in a more-general discussion about funding free software development. (Direct link to 23m00)
- The Nix “purely functional package manager” was uploaded to Debian as version `2.2.1-2`, pending processing from the NEW queue.
- Lukas Pühringer posted a report from the in-toto project’s participation in the recent Reproducible Builds summit in Paris.
- 10 Debian package reviews were added, 9 were updated and 20 were removed this week, adding to our knowledge about identified issues. Two new issue types were added: `randomness_in_ids_generated_by_org-html-publish-to-html` and `ftbfs_due_to_f_file_prefix_map` by Chris Lamb and Mattia Rizzolo respectively.
Packages reviewed and fixed, and bugs filed
- Bernhard M. Wiedemann:
  - libqt5-qtwebengine: Date, already upstream.
  - myman: Date & time.
  - nDPI: Use changelog date.
  - nsnake: date, filesystem ordering, also added in `distropatches.git`
  - pcre2: Profile-guided optimisation (PGO) / parallelism
  - perl: Address space layout randomization (ASLR), fix a failure to build in 2020.
  - python-IMDbPY: sort result from Python `glob.glob()`
  - mariadb: fix a failure to build in 2020.
- Chris Lamb:
  - #919566 filed against satpy (merged upstream).
  - #920409 filed against splitpatch (forwarded upstream)
  - #920411 filed against mongo-c-driver.
  - #920591 filed against lambda-align2.
  - #920592 filed against roaraudio.
  - #920863 filed against papi.
  - #920595 filed against ukui-themes.
Test framework development
We operate a comprehensive Jenkins-based testing framework that powers tests.reproducible-builds.org. This week:
- Eli Schwartz:
  - Fix the “preseed” of Arch Linux’s PGP keys by sending output to `stdout`. […]
- Holger Levsen:
  - Arch Linux-specific changes:
    - Refactor the scheduler’s “interesting” use of `$repo` and `$REPO` variables. […][…]
    - Correct a fencepost error in the scheduler; if we want to request `n` packages we need to set a limit of `n + 1`. […]
    - Include an `n builds in the last 3h` statistic in the IRC notifications. […]
    - Schedule packages six times a day instead of eight. […]
  - F-Droid-specific changes:
    - Run the setup job three times a week now, building all apps daily. […]
  - LEDE/OpenWrt, coreboot and NetBSD changes:
  - Misc/generic changes:
    - Update status of the deployment of the new OSUOSL nodes. […]
    - Fix the Debian `dsa-check-running-kernel` to deal with the Ubuntu LTS changes. […]
    - Correct KGB IRC interface’s directory permissions and create it if it does not exist. […][…]
    - Fix a bug that was preventing OSUOSL hosts from running correctly in the future. […]
    - Set the correct permissions on the `jenkins` user’s `~/.ssh` directory. […]
  - Node maintenance. ([…], […], […], etc.)
- Mattia Rizzolo:
  - Update the expiration of the GPG key used to sign our experimental Debian archive. […]
  - In our pbuilder configuration, use the APT dependency resolver […], simplify the section for `i386`/`armhf` hosts […] and DRY the `MIRRORSITE` configuration, now that it is the same for everything. […]
  - Node maintenance. ([…], […], […], etc)
This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.