Reproducible Builds: Weekly report #136

Here’s what happened in the Reproducible Builds effort between Sunday, November 26 and Saturday, December 2, 2017:

Media coverage

• Jelle van der Waa wrote about Reproducible Arch Linux. (HN thread)

• On October 31st 2017, Ludovic Courtès wrote a summary about the status of Reproducible Guix, which even led to desirable side-effects such as faster downloads.

Arch Linux imap key leakage

A security issue was found in the imap package in Arch Linux thanks to the reproducible builds effort in that distribution.

Due to a hardcoded key-generation routine in the build() step of imap’s PKGBUILD (the standard packaging file for Arch Linux packages), a default secret key was generated and leaked on all imap installations. This was prompty reviewed, confirmed and fixed by the package maintainers.

This mirrors similar security issues found in Debian, such as #833885.

Debian packages reviewed and fixed, and bugs filed

• Adrian Bunk:
  • #882955 filed against ufo-filters.
  • #883100 filed against ksudoku.
  • #883353 filed against cc65.
• Bernhard M. Wiedemann:
  • systemtap (drop date)
  • python-fs (merged, fix build in 2018)
  • openSUSE/ltrace drop test results
• Chris Lamb:
  • #882727 filed against libffi-platypus-perl.
  • #882818 filed against fswatch (timestamps, upstream)
  • #883244 filed against simavr.
  • #883339 filed against properties-cpp.
  • #883348 filed against psychtoolbox-3.
  • #883359 filed against at-spi2-core.

In addition, 73 FTBFS bugs were detected and reported by Adrian Bunk.

Reviews of unreproducible Debian packages

83 package reviews have been added, 41 have been updated and 33 have been removed in this week, adding to our knowledge about identified issues.

1 issue type was updated:

• timestamps_in_source_generated_by_rcc

LEDE / OpenWrt packages updates:

• lynxis:
  • lpc21isp: remove build timestamp
  • ddns-scripts: remove gzip timestamp
  • open-plc-utils: remove build timestamp
  • libdbi-drivers: remove build timestamp
  • sysstat: remove build timestamp
  • smcroute: make build id optional
  • mrd6: remove build timestamp

diffoscope development

• Chris Lamb:
  • Handle case where a file to be “fuzzy” matched does not contain enough entropy (#882981)
  • Make cleanup of placeholders idempotent
• Mike Hommey:
  • Extract libarchive contents with a file extension
• Ximin Luo:
  • Bug fixes:
    • Run zipinfo on /dev/stdin instead of a variable path (Closes: #879011)
    • Looser matching for .deb archive members (Closes: #881937)
  • Features/cleanup:
    • Allow non-text formats to output an empty diff
    • Add a Difference.from_command_exc to distinguish excluded commands from empty diff
    • Simplify feed_stdin into a simple stdin() instead
  • tests:
    • Enable accidentally-disabled tests
    • Fix tests for new zipinfo behaviour [1, 2]
    • Remove the .egg file when cleaning & fix tests by adding PYTHONPATH

reprotest development

Version 0.7.4 was uploaded to unstable by Ximin Luo. It included contributions already covered by posts of the previous weeks as well as new ones from:

• Ximin Luo:
  • New features:
    • Allow the user to select a different diffoscope
    • Allow injection of experiment variables into diffoscope_args
  • Bug fixes:
    • Fix the time variation to actually make the time constant
    • fix diffoscope_args defaults for new behaviour
    • Make –no-clean-on-error more reliable
    • Don’t conflict –min-cpus with –auto-build etc
  • Tests:
    • Use double quotes to work around autopkgtest (see #870098)
    • Suppress some warnings [1, 2]
    • Autopkgtest work [1, 2, 3]
  • Documentation:
    • Fix syntax drop old comments
    • Move main package description to README.rst

reproducible-website development

• kpcyrd added a blog link to the navigation.

tests.reproducible-builds.org

• Holger Levsen:
  • A huge effort was made in introducing Archlinux to our testing framework, including:
    • Scheduler:
      • Add an extremely simple scheduler
      • Check for new packages every day (instead of every 2)
      • Schedule newer versions automatically
      • Prefer manually triggered packages over new packages
      • Detect versions of packages of any arch
      • Schedule ‘old’ packages which haven’t been tested yet
    • Features:
      • Generate graphs
      • Introduce IRC notifications for unreproducible packages
      • Improve summary page (1, 2)
    • Bug fixes:
      • Use ‘undetermined’ if we cannot determine the version…
      • Detect SSL verify failures within bzr
      • Atomically update repositories
    • Logging/Output:
      • Merge test date+duration and build1+build2.log into one column
      • Always log amounts
      • Improve job output
      • Record version being built and include prefer this when later determining version
      • Sort packages (1, 2)
      • Include timestamp since when the package is building
      • Write yesterdays stats today if they don’t exist yet
      • Improve test duration formatting
      • Record and display test duration
    • Documentation:
      • Outline further work on html and scheduler
      • Explain that actually hour/minute variations are also more likely
      • Emphasize the build path is not varied yet
  • General:
    • The hostname is varied in LEDE, Arch Linux and OpenWrt
  • Debian reproducibility:
    • Disable APT’s pdiffs
  • Misc:
    • Be more verbose when deploying jobs
    • Ignore some warnings in commit messages
    • Emit IRC notifications to #lede-dev on Freenode
• Chris Lamb:
  • Ignore “warning” etc. in commit messages
• Hans-Christoph Steiner continued his work on reproducible F-Droid:
  • Always wait for successful git fetch
  • Include new Python dependencies
• lynxis:
  • Update references to sources.debian.org

Misc.

This week’s edition was written by Alexander Couzens, Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Santiago Torres-Arias, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.