Reproducible Builds: Weekly report #11

Published: Jul 13, 2015.

Debian is undertaking a huge effort to develop a reproducible builds system. I’d like to thank you for that. This could be Debian’s most important project, with how badly computer security has been going.

— PerniciousPunk in Reddit’s Ask me anything! to Neil McGovern, DPL.

What happened in the reproducible builds effort this week:

Toolchain fixes

More tools are getting patched to use the value of the SOURCE_DATE_EPOCH environment variable as the current time:

libxslt in #791815 (Dhole),
texlive-bin via upstream (#792202) (akira),
sphinx via upstream (Dmitry Shachnev).

In the “reproducible” experimental toolchain which have been uploaded:

doxygen to support SOURCE_DATE_EPOCH (akira),
debhelper now set SOURCE_DATE_EPOCH to the time of the latest debian/changelog entry when exporting build flags, patch sent as #791823 (Dhole),
epydoc to support SOURCE_DATE_EPOCH (Reiner Herrmann),
texlive-bin (akira) and libxslt (Dhole) with the aforementioned support for SOURCE_DATE_EPOCH.

Johannes Schauer followed up on making sbuild build path deterministic with several ideas.

Packages fixed

The following 311 packages became reproducible due to changes in their build dependencies : 4ti2, alot, angband, appstream- glib, argvalidate, armada- backlight, ascii, ask, astroquery, atheist, aubio, autorevision, awesome- extra, bibtool, boot-info- script, bpython, brian, btrfs- tools, bugs- everywhere, capnproto, cbm, ccfits, cddlib, cflow, cfourcc, cgit, chaussette, checkbox- ng, cinnamon-settings- daemon, clfswm, clipper, compton, cppcheck, crmsh, cupt, cutechess, d-itg, dahdi- tools, dapl, darnwdl, dbusada, debian-security- support, debomatic, dime, dipy, dnsruby, doctrine, drmips, dsc- statistics, dune- common, dune- istl, dune- localfunctions, easytag, ent, epr- api, esajpip, eyed3, fastjet, fatresize, fflas- ffpack, flann, flex, flint, fltk1.3, fonts- dustin, fonts- play, fonts- uralic, freecontact, freedoom, gap- guava, gap- scscp, genometools, geogebra, git- reintegrate, git-remote- bzr, git-remote- hg, gitmagic, givaro, gnash, gocr, gorm.app, gprbuild, grapefruit, greed, gtkspellmm, gummiboot, gyp, heat- cfntools, herold, htp, httpfs2, i3status, imagetooth, imapcopy, imaprowl, irker, jansson, jmapviewer, jsdoc- toolkit, jwm, katarakt, khronos-opencl- man, khronos-opengl- man4, lastpass- cli, lava- coordinator, lava- tool, lavapdu, letterize, lhapdf, libam7xxx, libburn, libccrtp, libclaw, libcommoncpp2, libdaemon, libdbusmenu- qt, libdc0, libevhtp, libexosip2, libfreenect, libgwenhywfar, libhmsbeagle, libitpp, libldm, libmodbus, libmtp, libmwaw, libnfo, libpam- abl, libphysfs, libplayer, libqb, libsecret, libserial, libsidplayfp, libtime-y2038-perl, libxr, lift, linbox, linthesia, livestreamer, lizardfs, lmdb, log4c, logbook, lrslib, lvtk, m-tx, mailman- api, matroxset, miniupnpd, mknbi, monkeysign, mpi4py, mpmath, mpqc, mpris- remote, musicbrainzngs, network- manager, nifticlib, obfsproxy, ogre-1.9, opal, openchange, opensc, packaging- tutorial, padevchooser, pajeng, paprefs, pavumeter, pcl, pdmenu, pepper, perroquet, pgrouting, pixz, pngcheck, po4a, powerline, probabel, profitbricks- client, prosody, pstreams, pyacidobasic, pyepr, pymilter, pytest, python- amqp, python- apt, python- carrot, python- django, python- ethtool, python- mock, python- odf, python- pathtools, python- pskc, python- psutil, python- pypump, python- repoze.tm2, python- repoze.what, qdjango, qpid- proton, qsapecng, radare2, reclass, repsnapper, resource- agents, rgain, rttool, ruby- aggregate, ruby- albino, ruby-archive-tar- minitar, ruby- bcat, ruby- blankslate, ruby-coffee- script, ruby- colored, ruby-dbd- mysql, ruby-dbd- odbc, ruby-dbd- pg, ruby-dbd- sqlite3, ruby- dbi, ruby-dirty- memoize, ruby- encryptor, ruby- erubis, ruby-fast- xs, ruby- fusefs, ruby- gd, ruby- git, ruby- globalhotkeys, ruby- god, ruby- hike, ruby- hmac, ruby- integration, ruby-jnunemaker- matchy, ruby- memoize, ruby-merb- core, ruby-merb- haml, ruby-merb- helpers, ruby- metaid, ruby- mina, ruby-net- irc, ruby-net- netrc, ruby- odbc, ruby- ole, ruby- packet, ruby- parseconfig, ruby- platform, ruby- plist, ruby- popen4, ruby- rchardet, ruby- romkan, ruby- ronn, ruby- rubyforge, ruby- rubytorrent, ruby- samuel, ruby-shoulda- matchers, ruby- sourcify, ruby-test- spec, ruby- validatable, ruby- wirble, ruby-xml- simple, ruby- zoom, rumor, rurple- ng, ryu, sam2p, scikit- learn, serd, shellex, shorewall- doc, shunit2, simbody, simplejson, smcroute, soqt, sord, spacezero, spamassassin- heatu, spamprobe, sphinxcontrib- youtube, splitpatch, sratom, stompserver, syncevolution, tgt, ticgit, tinyproxy, tor, tox, transmissionrpc, tweeper, udpcast, units- filter, viennacl, visp, vite, vmfs- tools, waffle, waitress, wavtool- pl, webkit2pdf, wfmath, wit, wreport, x11proto- input, xbae, xdg- utils, xdotool, xsystem35, yapsy, yaz.

Please note that some packages in the above list are falsely reproducible. In the experimental toolchain, debhelper exported TZ=UTC and this made packages capturing the current date (without the time) reproducible in the current test environment.

The following packages became reproducible after getting fixed:

389-admin/1.1.42-1 uploaded by Timo Aaltonen, original patch by Chris Lamb.
aroarfw/0.1~beta5-2 uploaded by Patrick Matthäi, original patch by akira.
clfft/2.4-2 by Ghislain Antony Vaillant.
custom-tab-width/1.0.1-3 by Daniel Kahn Gillmor.
debirf/0.35 uploaded by Daniel Kahn Gillmor, original patch by Chris Lamb.
enigmail/2:1.8.2-3 by Daniel Kahn Gillmor.
flashproxy/1.7-4 by Ximin Luo.
getdns/0.2.0-2 by Daniel Kahn Gillmor.
glfw3/3.1.1-1 by James Cowgill, reported by akira.
gpgme1.0/1.5.5-3 by Daniel Kahn Gillmor.
jzmq/3.1.0-4 by Jan Niehusmann.
libcommons-cli-java/1.3.1-1 by tony mancill.
liblo/0.28-5 uploaded by Felipe Sateler, original patch by akira.
libmoe/1.5.8-2 uploaded by TANIGUCHI Takaki, original patch by Chris Lamb.
libnet-interface-perl/1.012-2 uploaded by gregor herrmann, original patch by Chris Lamb.
libxmlenc-java/0.52+dfsg-4 by Emmanuel Bourg.
lintian/2.5.33 by Niels Thykier.
litecoin/0.10.2.2-1 uploaded by Dmitry Smirnov, original patch by Chris Lamb.
node-ws/0.7.2+ds1.349b7460-1 by Ximin Luo.
pyevolve/0.6~rc1+svn398+dfsg-7 uploaded by Christian Kastner, original patch by Juan Picca.
sendmail/8.14.9-3 by Andreas Beckmann.
uthash/1.9.9.1+git20150507-2 by Ilias Tsitsimpis, report by Jakub Wilk.

Ben Hutchings upstreamed several patches to fix Linux reproducibility issues which were quickly merged.

Some uploads fixed some reproducibility issues but not all of them:

apt-dater/1.0.2-1 uploaded by Patrick Matthäi, original patch by Dhole, fixed upstream by Thomas Liske.
argyll/1.7.0+repack-4 by Jörg Frings-Fürst.
grads/2:2.0.2-4 by Alastair McKinstry.
kfreebsd-10 by Steven Chamberlain.
mariadb-10.0/10.0.20-2 by Otto Kekäläinen.
xtel/3.3.0-18 uploaded by Samuel Thibault, original patch by Dhole.

Uploads that should fix packages not in main :

fglrx-driver/1:15.7-1 uploaded by Patrick Matthäi, fixed by Andreas Beckmann.
pycuda/2015.1.2-1 uploaded by Tomasz Rybak, patch by Juan Picca.

Patches submitted which have not made their way to the archive yet:

#787675 on ricochet by Daniel Kahn Gillmor: use the debian/changelog date in the manpage.
#791648 on fish by Chris Lamb: sort header files in documentation.
#791691 on fritzing by Chris Lamb: sort the documentation author list using the C locale.
#791834 on bitcoin by Reiner Herrmann: sort sources files using the C locale.
#791845 on yacas by Reiner Herrmann: sort hints using the C locale.
#791851 on scowl by Reiner Herrmann: sort dictionary files using the C locale.
#791913 on ceph by Chris Lamb: sort configuration file names.
#791923 on alpine by Chris Lamb: use debian/changelog date as build date and use debian as the builder hostname.
#791960 on leveldb by Reiner Herrmann: sort sources files using th e C locale.
#792054 on ben by Reiner Herrmann: use debian/changelog date as bui ld date.
#792056 on val-and-rick by Reiner Herrmann: sort sources by filenames.

reproducible.debian.net

A new package set has been added for lua maintainers. (h01ger)

tracker.debian.org now only shows reproducibility issues for unstable.

Holger and Mattia worked on several bugfixes and enhancements: finished initial test setup for NetBSD, rewriting more shell scripts in Python, saving UDD requests, and more…

debbindiff development

Reiner Herrmann fixed text comparison of files with different encoding.

Documentation update

Juan Picca added to the commands needed for a local test chroot installation of the locales-all package.

Package reviews

286 obsolete reviews have been removed, 278 added and 243 updated this week.

43 new bugs for packages failing to build from sources have been filled by Chris West (Faux), Mattia Rizzolo, and h01ger.

The following new issues have been added: timestamps_in_manpages_generated_by_ronn, timestamps_in_documentation_generated_by_org_mode, and timestamps_in_pdf_generated_by_matplotlib.

Misc.

Reiner Herrmann has submitted patches for OpenWrt.

Chris Lamb cleaned up some code and removed cruft in the misc.git repository. Mattia Rizzolo updated the prebuilder script to match what is currently done on reproducible.debian.net.

← View all weekly reports

Follow us on Twitter @ReproBuilds, Mastodon @reproducible_builds@fosstodon.org & Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches for this website welcome via our Git repository (instructions) or via our mailing list. • Full contact info