Here’s what happened in the Reproducible Builds effort between Sunday November 11 and Saturday November 17 2018:

  • Code review for the LLVM compiler to support the -fmacro-prefix-map argument is currently in progress. Like the -fdebug-prefix-map flag, this argument replaces a string prefix for the __FILE__ pre-processor macro.

  • Kyle Rankin, the Chief Security Officer of Puri.sm authored a blog post entitled “Protecting the Digital Supply Chain” which describes how with Reproducible Builds you can show that no malicious code was injected in software supply chains:

    Think of it like the combination of a food safety inspector and an independent lab that verifies the nutrition claims on a box of cereal all rolled into one.

  • Chris Lamb gave a presentation at the SFScon conference in Bozen, Italy on reproducible builds and how they can prevent developers from becoming targets of various attacks.

  • Holger Levsen updated our website to add the Tor project as a participant at our upcoming Paris Summit. In addition, Bernhard M. Wiedemann applied a sitewide change to use consistent capitalisation for openSUSE [].

  • 38 Debian package reviews were added, 4 were updated and 19 were removed in this week, adding to our knowledge about identified issues. The nondeterminstic_output_in_pkgconfig_files_generated_by_meson was removed as a fix was applied upstream [], and the note for the randomness_in_binaries_generated_by_golang issue was updated. (1, 2)

  • diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week, Marius Gedminas provided a patch to add a python_requires field to diffoscope’s setup.py [] and Mattia Rizzolo sorted the list of recommended Python modules in debian/tests/control […].

  • Chris Lamb’s previously-authored patches for GNU mtools to ensure the Debian Installer images could become reproducible which were sent upstream last week (1 & 2) are now available in upstream’s 4.0.20 release.

  • Upstream chromium-70 now builds reproducibly in openSUSE (with an admittedly-normalised build environment) since it uses the Git commit date.

  • Chris Lamb uploaded strip-nondeterminism (our tool to post-process files to remove known non-deterministic output) version 0.45.0-1 to Debian unstable in order to catch invalid ZIP “local” field lengths — we were previously blindly trusting the value supplied in the ZIP file (#803503). As part of this upload he moved the utility to the SemVer versioning scheme.

  • We have received more than 45 registrations for the upcoming Reproducible Builds summit in Paris between 11th—13th December 2018 and have now closed registrations. Very much looking forward to seeing you there!
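The ZIP length check described in the strip-nondeterminism item above, as an added Python illustration (not strip-nondeterminism's own Perl code): it parses one ZIP local file header and rejects an entry whose declared name, extra and data lengths would run past the end of the buffer, instead of trusting them. The header layout follows PKWARE's APPNOTE; the sample entries are constructed inline.

```python
import struct
import zlib

# ZIP local file header (PKWARE APPNOTE 4.3.7), little-endian:
# signature(4) version(2) flags(2) method(2) mtime(2) mdate(2) crc32(4)
# csize(4) usize(4) name_len(2) extra_len(2), then name, extra, data.
LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")

def parse_local_header(buf, offset=0):
    """Parse the local file header at `offset` and return its fields.

    Raises ValueError when the declared lengths do not fit in `buf`,
    rather than slicing blindly on whatever the file claims.
    """
    if len(buf) - offset < LOCAL_HEADER.size:
        raise ValueError("truncated local file header")
    (sig, _ver, _flags, _method, _mtime, _mdate, crc, csize, _usize,
     name_len, extra_len) = LOCAL_HEADER.unpack_from(buf, offset)
    if sig != LOCAL_HEADER_SIG:
        raise ValueError("bad local file header signature")
    name_start = offset + LOCAL_HEADER.size
    extra_start = name_start + name_len
    data_start = extra_start + extra_len
    data_end = data_start + csize
    # The validation the fix adds: every declared length must be in bounds.
    if data_end > len(buf):
        raise ValueError(
            f"declared lengths (name={name_len}, extra={extra_len}, "
            f"data={csize}) exceed the {len(buf) - offset} bytes available")
    return {
        "name": buf[name_start:extra_start].decode("utf-8", "replace"),
        "extra": buf[extra_start:data_start],
        "data": buf[data_start:data_end],
        "crc32": crc,
        "next_offset": data_end,
    }

def make_local_entry(name, data, extra=b""):
    """Build a well-formed stored (method 0) local entry; constructed sample."""
    header = LOCAL_HEADER.pack(LOCAL_HEADER_SIG, 20, 0, 0, 0, 0,
                               zlib.crc32(data) & 0xFFFFFFFF,
                               len(data), len(data), len(name), len(extra))
    return header + name + extra + data

# Constructed inputs: a valid entry, and a copy whose name_len is inflated.
GOOD = make_local_entry(b"hello.txt", b"hello\n")
BAD = bytearray(GOOD)
struct.pack_into("<H", BAD, 26, 0xFFFF)   # name_len lives at header offset 26
BAD = bytes(BAD)

def is_well_formed(buf):
    """True when the local entry's declared lengths fit within `buf`."""
    try:
        parse_local_header(buf)
        return True
    except ValueError:
        return False
```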

Packages reviewed and fixed, and bugs filed

Test framework development

There were a large number of updates to our Jenkins-based testing framework that powers tests.reproducible-builds.org by Holger Levsen this week, including:

  • Arch Linux-specific changes:

    • Make sed(1) calls for modifying pacman.conf more robust, fixing building in the future as well as using proxies for downloading package dependencies. (1)
    • Improve the documentation of a multi-line sed(1) statement. []
    • Perform some administration on the package blacklists. (1, 2)
    • Move to using sudo(8) for cleaning old /tmp files left by package builds. []
  • Debian-specific changes:

  • Misc/generic changes:

    • Ensure all ProfitBricks (amd64 and i386) nodes in Karlsruhe use pb1 as a proxy and all nodes in Frankfurt use pb10. This might have produced some build failures but fixed issues with Squid running in the future. This complements previous work for the arm64 architecture.
    • Filed #913658: (“Broken links on packages pages”)
    • Document that the proxy settings for chroot installs are actually correct. []

In addition, Alexander Couzens provided a workaround for an OpenWrt build system bug [], Eli Schwartz refactored our Arch Linux support [] and Mattia Rizzolo performed some node maintenance.


This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.