Reproducible Builds: Weekly report #188

Here’s what happened in the Reproducible Builds effort between Sunday November 25 and Saturday December 1 2018:

• Andrew Martin gave a talk at OWASP Norway Day entitled The State of Your Supply Chain. The section on reproducible builds starts at 15:05.

• On LWN this week, Jake Edge commented that:

  The flatmap-stream NPM package had an extra file added into it that was not in the GitHub repository […]

  … a clear use-case for reproducible builds.

• Chris Lamb fixed strip-nondeterminism (our tool to post-process files to remove known non-deterministic output) version to ignore encrypted ZIP files as we can never normalise them (#852207).

• Hervé Boutemy started a productive thread on our mailing list about Reproducible Java builds with Maven.

• diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week, Chris Lamb fixed an outstanding issue where a large number of warnings were generated if getfacl(1) was not available making the behaviour consistent with lsattr(1)’s presence. (#902369)

• Holger Levsen updated our website project to add Google Open Source Research as a sponsor at our upcoming Paris Summit […] and clarified that the registration is closed […].

• Chris Lamb added tagpending integration to some of our repositories hosted on Salsa.

• Various organisation and administrativa around our upcoming Reproducible Builds summit in Paris between 11th—13th December.

• 59 Debian package reviews were added, 7 were updated and 11 were removed in this week, adding to our knowledge about identified issues. A new ffile_prefix_map_passed_to_clang issue was added by Adrian Bunk.

Patches filed

• Bernhard M. Wiedemann:
  • deepin-qt-dbus-factory (filesystem ordering, merged)
  • python-xmlsec (filesystem ordering, merged)
  • openmpi (user & host, submitted to openSUSE, finally merged)
  • xpra (date, time, host & user, merged)
• Chris Lamb:
  • #914672 filed against netcdf-parallel.
• Niko Tyni:
  • #915209 filed against perl.

Test framework development

There were a number of updates to our Jenkins-based testing framework that powers tests.reproducible-builds.org this week, including:

• Chris Lamb prepared a merge request to generate and serve diffoscope JSON output in addition to the existing HTML and text formats (example output). This required Holger Levsen to increase the partition holding /var/lib/jenkins/userContent/reproducible from 255G to 400G. Thanks to Profitbricks for sponsoring this virtual hardware for more than 6 years now.

• Holger Levsen and Jelle van der Waa started to add integrate new Arch Linux build nodes, namely repro1.pkgbuild.com and repro2.pkgbuild.com,

• In addition, Holger Levsen installed the needrestart package everywhere […] updated an interface to always use short hostname […], explained what some nodes were doing […] as well as performed the usual node maintenance ([…], […], […], etc.).

• Jelle van der Waa also fixed a number of issues in the Arch Linux integration including showing the language in the first build […] and setting LANG/LC_ALL in the first build […].

---

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Jelle van der Waa & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.