Reproducible Builds: Weekly report #196

Here’s what happened in the Reproducible Builds effort between Sunday January 20 and Saturday January 26 2019:

• There was considerable progress towards making the Debian Installer images reproducible with a number of rounds of code review, a subsequent merge of Chris Lamb’s merge request and the closing of the corresponding bug report for the time being, pending further testing.

• At linux.conf.au 2019 in Christchurch, New Zealand there were at least two talks that touched on the topic of Reproducible Builds. First, Benno Rice gave a talk titled How Much Do You Trust That Package? Understanding The Software Supply Chain” (YouTube). In addition, Aleksandra Pawlik presented on Building reproducible computing environments: a workshop for non-experts (YouTube).

• There were a few updates this week from Chris Lamb to diffoscope, our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages including not crashing if we were unable to successfully extract a guestfs filesystem […][…] (#901982), avoiding clumsy profiling “title length” calculations by switching to Markdown syntax […] and drop the printing of dpkg-query(1) output whilst running tests. […]

• The compiler for the Elixir language received a number of updates to make it compile in 2019 (and 2020) and to create its .beam files in a reproducible manner which permitted the creation of reproducible openSUSE packages. They also are adding reproducibility tests to their continuous-integration system to avoid future regressions.

• Chris Lamb’s historical summary and a request for action posted on Fontconfig’s mailing list in order that a solution may be found and included in Debian buster has resulted in a considerable rounds of discussion and progress on the upstream mailing list.

• Hervé Boutemy made more updates to the reproducible-builds.org project website, including adding section on auditing a JVM build. […], defining build.setup as an optional field […], explaining the distinction between build instructions vs effective environment […] and detailed the Maven rebuild instructions […].

• Marvin Humphrey started a thread on our mailing list this week on the Definition of “reproducible build”, referencing a thread thread on the Apache Software Foundation’s legal-discuss mailing list.

• Bernhard M. Wiedemann posted his monthly Reproducible Builds status update for the openSUSE distribution.

• Reproducible builds were mentioned in Episode 9 of the Libre Lounge podcast in a more-general discussion about funding free software development. (Direct link to 23m00)

• The Nix “purely functional package manager” was uploaded to Debian as version 2.2.1-2, pending processing from the NEW queue.

• Lukas Pühringer posted a report from the in-toto project’s participation in the recent Reproducible Builds summit in Paris.

• 10 Debian package reviews were added, 9 were updated and 20 were removed in this week, adding to our knowledge about identified issues. Two new issue types were added: randomness_in_ids_generated_by_org-html-publish-to-html and ftbfs_due_to_f_file_prefix_map by Chris Lamb and Mattia Rizzolo respectfully.

Packages reviewed and fixed, and bugs filed

• Bernhard M. Wiedemann:
  • libqt5-qtwebengine: Date, already upstream.
  • myman: Date & time.
  • nDPI: Use changelog date.
  • nsnake: date, filesystem ordering, also added in distropatches.git
  • pcre2: Profile-guided optimisation (PGO) / parallelism
  • perl: Address space layout randomization (ASLR), fix a failure to build in 2020.
  • python-IMDbPY: sort result from Python glob.glob()
  • mariadb fix a failure to build in 2020.
• Chris Lamb:
  • #919566 filed against satpy (merged upstream).
  • #920409 filed against splitpatch (forwarded upstream)
  • #920411 filed against mongo-c-driver.
  • #920591 filed against lambda-align2.
  • #920592 filed against roaraudio.
  • #920594 filed against papi.
  • #920595 filed against ukui-themes.

Test framework development

We operate a comprehensive Jenkins-based testing framework that powers tests.reproducible-builds.org. This week:

• Eli Schwartz:
  • Fix the “preseed” of Arch Linux’s PGP keys by sending output to stdout. […]
• Holger Levsen:
  • Arch Linux-specific changes:
    • Refactor the scheduler’s “interesting” use of $repo and $REPO variables. […][…]
    • Correct a fencepost error in the scheduler; if we want to request n packages we need to set a limit of n + 1. […]
    • Include an n builds in the last 3h statistic in the IRC notifications. […]
    • Schedule packages six times a day instead of eight. […]
  • F-Droid-specific changes:
    • Run the setup job three times a week now, building all apps daily. […]
  • LEDE/OpenWrt, coreboot and NetBSD changes:
    • Test three times per week instead of just once. […]
    • Move building to OSUOSL nodes 171 & 172, from pb3 & pb4. […]
    • Build at different times to not interfere. […]
  • Misc/generic changes:
    • Update status of the deployment of the new OSUOSL nodes. […]
    • Fix the Debian dsa-check-running-kernel to deal with the Ubuntu LTS changes. […]
    • Correct KGB IRC interface’s directory permissions and create it if it does not exist. […][…]
    • Fix a bug that was preventing OSUOSL hosts from running correctly in the future. […]
    • Set the correct permissions on the jenkins user’s ~/.ssh directory. […]
  • Node maintenance. ([…], […], […], etc.)
• Mattia Rizzolo:
  • Update the expiration of the GPG key used to sign our experimental Debian archive. […]
  • In our pbuilder configuration, use the APT dependency resolver […] simplify the section for i386/armhf hosts […] and DRY the MIRRORSITE configuration, now that is the same for everything. […]
  • Node maintenance. ([…], […], […], etc)

---

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.