Reproducible Builds: Weekly report #160

Here’s what happened in the Reproducible Builds effort between Sunday May 13 and Saturday May 19 2018:

• At the MiniDebConfHamburg (full schedule):

  • Chris Lamb presented on diffoscope.org.

  • Chris Lamb, Holger Levsen, Jonathan Bustillos Osornio (jathan) and Steven Chamberlain will present on Sunday 20th May on Reproducible Builds, focusing on the status in Debian buster.

  • Benjamin Hof gave an interesting talk entitled Software transparency: package security beyond signatures and reproducible builds.

  • Jan Kiszka will also present on Sunday 20th May on Getting (more) Debian into our civil infrastructure which will touch on reproducible builds.

• Our Git repositories were migrated from the deprecated Alioth service to salsa.debian.org by Mattia Rizzolo and Chris Lamb. Thanks to the salsa administrators!

• Arnout Engelen opened the final vote on our logo which will close on Tuesday 22nd May.

• Mattia Rizollo migrated the diffoscope.org website to the jenkins.debian.net infrastucture.

• 134 package reviews have been added, 25 have been updated and 29 have been removed in this week, adding to our knowledge about identified issues.

• Chris Lamb updated the reproducible-builds.org website, including dropping unnecessary punctuation from opening paragraph on documentation page and updating URIs now that website has migrated to Salsa (1, 2).

• Mattia Rizzolo migrated our experimental toolchain repository to the jenkins.debian.net infrastructure, following the alioth.debian.org deprecation.

Packages reviewed and fixed, and bugs filed

• Bernhard M. Wiedemann:

  • python-oslo.versionedobjects (drop .pickle file)

  • python-pyqtgraph (merged, drop .pickle file)

  • python-pgmagic (merged, sort readdir)

  • ngspice (SOURCE_DATE_EPOCH)

  • lilypond (sort readdir(2))

• Chris Lamb:

  • #898912 against telepathy-gabble.

  • fontconfig (fixed upstream)

• Levente Polyak:

  • rubygems (make gemspec generation reproducible)

  • rubygems (make tarball generation reproducible)

  • rubygems (proposal to make gems set SOURCE_DATE_EPOCH by default to make all gems reproducible)

In addition, build failure bugs were reported by Adrian Bunk (2) and Gilles Filippini (1).

diffoscope development

diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages.

• Chris Lamb:

  • Update referencess to Alioth now that the repository has migrated to salsa. (1, 2)
  • Drop extra whitespace in supported file format output.

• Mattia Rizzolo:

  • Update URL in debian/watch to point to the new archive.
  • Make the dependency on python3-distutils an alternative on the previous versions of libpython3.*-stdlib that used to ship it.

reprotest development

reprotest is our tool to build software and check it for reproducibility.

• kpcyrd:
  • Add a Dockerfile.
• Chris Lamb:
  • Update referencess to Alioth now that the repository has migrated to Salsa. (1, 2, 3)

jenkins.debian.net development

There were a number of changes to our Jenkins-based testing framework, including:

• Mattia Rizzolo:

  • Web scheduler:

    This new facility will allow anyone with a Debian SSO user certificate to schedule package builds.

    • Add script and cronjob to update debian-sso CA certificate and revocation list.
    • Add a CGI script to schedule builds over HTTPS.
    • Configure apache to require authentication on the scheduler.
    • Fix several crashes from the first iteration (1, 2. 3).
    • Add an X-Error-Message header in case of ValidationError.
    • Disable the --dry-run mode therefore enabling the web scheduler.
    • Add ♻ links to the package pages to trigger new builds.

  • diffscope,org website migration:

    • Add Jenkins job to build the website.
    • Configure Apache to serve the website.
    • Configure SSL.
    • Build the website with Jekyll.
    • Also notify also #reproducible-builds about the website building jobs.

  • Debian package testing, related to the move of our packages repository to jenkins:

    • Drop special-casing for debbindiff/strip-nondeterminis/diffoscope/disorderfs as we are not going to upload them to our repo anymore.
    • Drop another special casing for our own packages.
    • Move our Debian package repository to tests.reproducible-builds.org and SSL.
    • Configure APT to ignore SSL validation errors on the nodes in the future.
    • Update the index_repositories page for the move (1)

  • Misc:

    • Update job descriptions for the Alioth to Salsa migration.
    • Move our git repositories from Alioth to Salsa.
    • Only print colours when the output is a tty.

• Eli Schwartz:

  • Move “UTC” printing directly into format string now that date is used.
  • Replace several occurrences of parsing ls with cut, by the date command.
  • Fix filepaths for cleaning up the old build files.

Misc.

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Levente Polyak and Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.