Reproducible Builds: Weekly report #170

• Ludovic Courtès wrote a blog post titled “Multi-dimensional transactions and rollbacks” which promotes the functional aspects of the GNU Guix package manager as well as its “very strong guarantees in terms of reproducibility and provenance tracking.”

• Chris Lamb performed a Non Maintainer Upload (NMU) in Debian of the GNU mtools package in order to address two reproducibility-related bugs (#900409 & #900410) that were blocking the inclusion of his previous merge request to the Debian Installer to make the installation images bit-for-bit reproducible.

• NetBSD announced their 8.0 release which touts stability improvements and many other features including reproducible builds via MKREPRO.

• We are continuing to see “fallout” from the default GCC version in Debian unstable moving from GCC 7 to GCC 8. As outlined in our previous report, as we have not updated our build path patches for this newer version it is resulting in a large number of packages becoming unreproducible in our testing framework. Holger has temporarily disabled the scheduling of packages in unstable and experimental until we have a solution for this.

• Holger also added 26GB to the partition used for Debian reproducible tests on jenkins.debian.net so that there is enough free space. This is to cope with the increased space needs due to issues introduced due to the GCC transition 8. This fixed a number of Jenkins jobs that were constantly failing in the last days.

• The CircleCI continuous integration platform notes the importance of “deterministic builds” in a training video it has produced. As many projects use CircleCI, their emphasis on making builds deterministic should help spread that related concept elsewhere.

• Three Debian package reviews were added, one was updated and one was removed in this week, adding to our knowledge about identified issues.

• In the upcoming week a number of the Reproducible Builds team are at DebConf18, the annual Debian Developers conference. The schedule includes talks entitled:

  • “Reproducible Buster and beyond” by the Reproducible Builds team.
  • “My crush on GNU Guix” by Vagrant Cascadian.
  • “Software transparency: package security beyond signatures and reproducible builds” by Benjamin Hof.

Upstream work

• Bernhard M. Wiedemann:

  • sphinx (hostname, kernel-ver)
  • rnd_jue (date)
  • nmh (hostname, date, filed upstream)
  • gnubg (compile-time-CPU-detection)
  • mhvtl (date)
  • minikube (merged, date+time, use SOURCE_DATE_EPOCH)
  • gettext (merged, help2man date)
  • pytest (merged, fix date (copyright year))
  • efivar (ASLR, use memset(3))
  • gnu-cobol (date)
  • R-PKI/R-base (date)
  • rust (random cmpq - from hash order?)
  • util-linux (ask for easier disabling of ASLR)
  • perl-IO-Socket-SSL (FTBFS-2019-03)
  • ibutils (FTBFS with -j1)

tests.reproducible-builds.org development

There were a number of updates to our Jenkins-based testing framework that powers tests.reproducible-builds.org:

• Holger Levsen:
  • Show offline nodes as offline on nodes health overview page.
  • Stop scheduling sid and experimental altogether.
• Mattia Rizzolo:
  • Mark opi2a-armhf-rb.debian.net as offline for now.

Misc.

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.