View all weekly reports

Reproducible Builds: Weekly report #131

Published: Nov 3, 2017.

Here’s what happened in the Reproducible Builds effort between Sunday October 22 and Saturday October 28 2017:

Past Events

Upcoming/current events

Documentation updates

Bernhard Wiedemann started The Unreproducible Package which “is meant as a practical way to demonstrate the various ways that software can break reproducible builds using just low level primitives without requiring external existing programs that implement these primitives themselves.

It is structured so that one subdirectory demonstrates one class of issues in some variants observed in the wild.”

Reproducible work in other projects

Hush, a fork of ZCash, opened an issue into reproducible builds.

A new tag was added to lintian (lint checker for Debian packages) to ensure that changelog entry timestamps are strictly increasing. This avoids certain real-world issues with identical timestamps, documented in Debian #843773.

Packages reviewed and fixed, and bugs filed

Patches sent upstream:

  • Bernhard M. Wiedemann:
    • gtranslator, embedded build timestamps
    • libgda, embedded build timestamps
    • mariadb, embedded build timestamps
    • nim, embedded build timestamps

Debian bug reports:

Reviews of unreproducible packages

14 package reviews have been added, 35 have been updated and 28 have been removed in this week, adding to our knowledge about identified issues.

1 issue type has been updated:

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (4)

strip-nondeterminism development

Version 0.040-1 was uploaded to unstable by Mattia Rizzolo. It included contributions already covered by posts of the previous weeks, as well as new ones from:

  • Mattia Rizzolo:
    • Don’t open the original file in write mode

reprotest development

Development continued in git:

  • Ximin Luo:
    • New features:
      • Support a domain_host variation.
      • Support a --print-sudoers feature.
    • Documentation:
      • Note some caveats about the existing git versions as a self-reminder not to release it yet.
      • Updates about our assumptions and rearrange sudo into its own section.
    • Bug fixes:
      • main: When dropping privs, make sure the user can still move in theroot.
      • tests: fix, need to preserve env for su
      • build: Don’t fail when the build produces a broken symlink
      • main, presets: Properly drop privs when running the build. (Closes: #877813)
    • Code quality:
      • Improve logging to try to get to the bottom of the jenkins failures
      • Tweak tests to avoid some build dependencies
      • build: Name temporary directories after reprotest not autopkgtest development

Development continued in git:

  • Chris Lamb:
    • New features:
      • Add API endpoint to fetch specific .buildinfo files for a certain package/version/architecture, and optimise it. (Closes: #25)
    • Bug fixes:
      • Always show SHA256, regardless of viewport size. (Closes: #27)
      • Actually filter by source package (!)

reproducible-website development

  • Holger Levsen:
    • RWS3 Berlin 2017:
      • Add CoyIM, Arch Linux, LEDE, LEAP,, Bazel, coreboot.
      • Make some sponsors visible.
      • Add short paragraph explaining that registration is mandatory.


This week’s edition was written by Ximin Luo, Chris Lamb, Bernhard M. Wiedemann and Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

View all weekly reports