Here’s what happened in the Reproducible Builds effort between Sunday August 5 and Saturday August 11 2018:
- The Prototype Fund noted in a Tweet how two of its newly-supported projects complement each other, one being Reproducible Builds and the other being the Briar Project, a secure messaging platform intended to “create safe spaces to debate any topic, plan events, and organise social movements.”
- Levente Polyak’s proposal to make rubygems set SOURCE_DATE_EPOCH by default to make all gems reproducible was re-opened after it was previously closed as “wontfix”.
- Mes, a Scheme-based compiler for our “sister” bootstrappable builds effort, announced their 0.17 release.
- The Briar Project wrote about their effort to make their Android app build reproducibly; their one remaining issue regards readdir order influencing an .arsc file.
- Ryan Scott fixed the --extra-build flag in reprotest, our “end-user” tool to build arbitrary software and check it for reproducibility.
- Vagrant Cascadian opened a wishlist request against buildinfo.debian.net (our experiment into how to process, store and distribute .buildinfo files after the Debian package management tools have generated them) to try and find a solution to checking matches against the actual Debian archive.
- There were a number of changes to our Jenkins-based testing framework that powers tests.reproducible-builds.org, including Chris Lamb submitting a merge request to ensure that we print “0” (and not an empty string) when a division denominator is zero, and Mattia Rizzolo modifying Jekyll to run in incremental mode to improve the caching of our website.
- On our mailing list, Arnout Engelen started two discussions around comparing the Debian and Archlinux approaches to .buildinfo files which came from a previous discussion about filename conventions.
- New sources of non-determinism regarding inode numbers, ctime and certain filesystem-dependent sizes have been added to Bernhard Wiedemann’s theunreproduciblepackage.
- 14 package reviews were added, 10 were updated and 16 were removed this week, adding to our knowledge about identified issues.
- Holger renewed the reproducible-builds.org domain name for the fourth year and Chris Lamb added the recent DebConf18 presentations with metadata to our website’s Resources page (commit).
- Don’t forget that a number of Reproducible Builds team members were presenting at DebConf18, the annual Debian Developers conference: Benjamin Hof gave a talk titled “Software transparency: package security beyond signatures and reproducible builds” and there was also a status update from the team entitled “Reproducible Buster and beyond”. These, and many more talks, are available in the Resources section of our website. Finally, the conference also featured the performance of a cover which, to the best of our knowledge, is the first time song lyrics refer to reproducible builds.
Packages reviewed and fixed, and bugs filed
- Toolchain patches:
  - The GNU make project merged a patch to have sorted globs again, helping to make many packages more reproducible.
  - util-linux made it easier to disable ASLR with setarch -R $PROGRAM.
- In addition, Bernhard M. Wiedemann worked on:
  - gcompris (date)
  - splint (username, uname -a)
  - libheimdal (hostname, date)
  - docker (date)
  - syncthing (date via a version update to 0.14.49)
  - gromacs (CPU-detection, host, user)
  - fwnn (orphaned, fix hostname, date, inode, random)
  - gtranslator (merged, date)
- Simon Schricker:
  - systemtap (drop date via version update)
  - cleaned up reproducibleopensuse scripts
  - fixed a Bashism in theunreproduciblepackage
diffoscope development
There were a handful of updates to diffoscope, our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages:
- Chris Lamb:
- Mattia Rizzolo:
- Ricardo Gaviria:
jenkins.debian.net development
Misc.
This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.