Reproducible Builds: Weekly report #164

Here’s what happened in the Reproducible Builds effort between Sunday June 10 and Saturday June 16 2018:

• Tom Yates published a post titled Toward a fully reproducible Debian (NB. non-subscriber “guest” link) on LWN based on Chris Lamb’s keynote presentation at FLOSSUK 2018 in Edinburgh, Scotland earlier this year.

• On Wednesday 13th June, Chris Lamb presented at foss-backstage.de in Berlin, Germany on reproducible builds and how they prevent developers being targets for malicious attacks (links).

• Elio Qoshi of Ura Design wrote about the new reproducible builds style guide on their blog (preview).

• Chris Lamb made a number of changes to the reproducible-builds.org website including importing presentations from the Debian wiki, adding a missing SEAGL talk and updating the contribution page to link to our Debian Installer tracking issue.

• Paul Wise filed Debian bug #901300 (bls: warn about strip-nondeterminism output in build logs) requesting that the scanner detects when strip-nondeterminism locates some non-determinism and warn about it in the build logs.

• Chris Lamb filed a wishlist bug #901473 to request that the Reproducible Builds testing framework varies on a merged /usr when comparing packages.

• This week, 15 package reviews were added, 16 were updated and 19 were removed adding to our knowledge about identified issues.

• strip-nondeterminism version 0.042-1 was uploaded to Debian unstable by Chris Lamb. It included contributions already covered in previous weeks as well as new ones from, respect nocheck build profile in DEB_BUILD\OPTIONS.

diffoscope development

diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week, version 96 was uploaded to Debian unstable by Chris Lamb. It includes contributions already covered by posts in previous weeks as well as new ones from:

• Chris Lamb:
  • Drop dependency on pdftk as it relies on GCJ, relying on the pdftotext fallback. (Closes: #893702)
• Xavier Briand:
  • Add merge request info to contributing documentation.

tests.reproducible-builds.org development

There were a number of changes to our Jenkins-based testing framework that powers tests.reproducible-builds.org, including:

• Chris Lamb:
  • Correct “diffscope” typo on HTML breakage page.
• Eli Schwartz:
  • Update Arch Linux’s reproducibility status.
  • Move old artifact cleanup to before the results HTML generated.
• Holger Levsen:
  • Update copyright year.
  • Update an URL now that the security-tracker has moved to Salsa.
• Jelle van der Waa:
  • Mention Arch Linux Reproducible Build IRC channel.
• Mattia Rizzolo:
  • Stop the worker and don’t try to build anything if any of a pair is offline.
  • Don’t start the worker if a node is marked as offline in the “black file”.
  • Bring up nodes on-demand.
  • Configure Apache to serve the Reproducible Builds style guide and add a job to build it from Git.
  • Huge number of changes splitting reproducible_common.py into a separate Python module including making a slew of attribute evaluations lazy, moving the UDD and bug-gathering logic in a separated module, removing the NotedPkg class and attach the notes to Build instead & moving various helper functions.

Packages reviewed and fixed, and bugs filed

• Bernhard M. Wiedemann:

  • curl (merged, FTBFS-2025)
  • cardpeek (.tar.gz, orphaned package)
  • enigmail (sort readdir(2))
  • ncftp (uname)
  • nant (date)

• Chris Lamb:

  • #901307 filed against sphinx-gallery (forwarded upstream).
  • #901428 filed against pyraf.
  • #901481 filed against cpl-plugin-uves.
  • #901587 filed against allegro4.4.
  • #901611 filed against enigmail.
  • #901615 filed against log4cxx.

Misc.

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.