Here’s what happened in the Reproducible Builds effort between Sunday February 3rd and Saturday February 9th 2019:
- The Reproducible Builds project intends to participate in Google Summer of Code in 2019. If you are interested in becoming a student or mentor please see our entry on the wiki page.
- In a blog post entitled “Huawei case demonstrates importance of Free Software for security” the FSFE raised their voice in the recent wider discussions regarding Huawei and 5G: “To establish trust in critical infrastructure like 5G, it is a crucial precondition that all software code powering those devices is published under a Free and Open Source Software licence” and furthermore pointed out that in case of binary distribution it is “necessary that there are reproducible builds”.
- Reproducible Builds were present at both FOSDEM 2019 and CopyLeftConf handing out t-shirts to a number of contributors. The latter event was run under the auspices of the Software Freedom Conservancy who also act as the Reproducible Builds project’s fiscal sponsor and are a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
- diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week, Chris Lamb adjusted the behaviour to no longer look for adjacent -dbgsym Debian package files automatically, to align better with users’ expectations. The existing behaviour can be re-enabled by specifying the new --use-dbgsym flag (#44 / #920701). Chris then released and uploaded this as part of version 110 but it was then reported that this introduced a regression where we had stopped using the -dbgsym packages when comparing .buildinfo or .changes files. This was subsequently fixed via issue #46.
- Bernhard M. Wiedemann wrote a script to export CSV data of openSUSE reproducibility statistics over time and graphed it using Debian’s graphing tool.
- The Nix “purely functional package manager” published a new r13y.com “single-page” website that documents the current state of reproducibility in that distribution, a possible partner to isdebianreproducibleyet.com.
- On Tuesday 26th February Chris Lamb will speak at Speck&Tech 31 “Open Security” on Reproducible Builds in Trento, Italy.
- Holger uploaded koji version 1.16.1-1 to Debian in order to package a new upstream version.
- Ten Debian package reviews were added, eleven were updated and nineteen were removed this week, adding to our knowledge about identified issues. Two issue types were updated by Chris Lamb, adding a fix for the randomness_in_documentation_underscore_downloads_generated_by_sphinx toolchain issue and also categorising a new randomness_in_documentation_graphviz_generated_by_sphinx toolchain issue.
- Hervé Boutemy made more updates to the reproducible-builds.org project website, including specifying the implications of using -Dline.separator with respect to UNIX line endings […]. In addition, Holger Levsen added a link to the “who” page for the tests page for NixOS […] and Mykola Nikishov fixed a dead link to the how-to contribute page […].
- Whilst reproducing Arch Linux packages, Jelle van der Waa and Santiago Torres discovered that the size field in pacman’s package metadata is not reproducible on different filesystems. For example, building on tmpfs versus ext4 results in a different package size. More information may be found on the associated bug report.
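An added illustration (not pacman's or makepkg's code) of how a size figure for a package tree can depend on the filesystem it was built on: the st_size a filesystem reports for a directory and the blocks it allocates are its own choice, while the summed byte length of regular files is not. The function names and the sample tree are constructed for this example; the page does not say how pacman computes the field.

```python
import os
import stat
import tempfile


def _entries(root):
    """Yield lstat() results for root and everything below it."""
    yield os.lstat(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.lstat(os.path.join(dirpath, name))


def apparent_size_with_dirs(root):
    """Filesystem-dependent: a directory's st_size is chosen by the filesystem."""
    return sum(st.st_size for st in _entries(root))


def allocated_size(root):
    """Filesystem-dependent: st_blocks reflects block size and allocation policy."""
    return sum(st.st_blocks * 512 for st in _entries(root))


def stable_size(root):
    """Filesystem-independent: byte length of regular files only."""
    return sum(st.st_size for st in _entries(root) if stat.S_ISREG(st.st_mode))


def build_sample_tree(root):
    """Constructed sample package tree; returns the exact payload byte count."""
    os.makedirs(os.path.join(root, "usr", "bin"))
    payload = {("usr", "bin", "tool"): b"x" * 1000, ("usr", "README"): b"y" * 234}
    for parts, data in payload.items():
        with open(os.path.join(root, *parts), "wb") as fh:
            fh.write(data)
    return sum(len(data) for data in payload.values())


def measure_sample():
    """Build the sample tree in a temp dir and return all three measurements."""
    with tempfile.TemporaryDirectory() as tmp:
        expected = build_sample_tree(tmp)
        return expected, stable_size(tmp), apparent_size_with_dirs(tmp), allocated_size(tmp)


if __name__ == "__main__":
    expected, stable, apparent, allocated = measure_sample()
    print(f"payload={expected} stable={stable} apparent+dirs={apparent} allocated={allocated}")
```

Running it with TMPDIR pointed at directories on two different filesystems shows the first two figures changing while the stable one stays at the payload size.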
Packages reviewed and fixed, and bugs filed
- Bernhard M. Wiedemann:
- gnome-weather (libdir made a noarch package vary between architectures)
- kiwi (sort perl readdir)
- kiwi-ng (sort python readdir)
- Chris Lamb:
- #921511 filed against python-octaviaclient (forwarded and merged upstream on GitHub and Gerrit).
- #921513 filed against sphinx (forwarded upstream).
- Steffen Winterfeldt:
Test framework development
We operate a comprehensive Jenkins-based testing framework that powers tests.reproducible-builds.org. This week, Holger Levsen made a large number of improvements including:
- Arch Linux-specific changes:
- Debian-specific changes:
- LEDE/OpenWrt-specific changes:
- Misc/generic changes:
- Clarify where NetBSD is actually built. […]
- Improve jobs to check the version of diffoscope relative to upstream in various distributions. […][…]
- Render the artificial date correctly in the build variation tables. […]
- Work around a rare and temporary problem when restarting Munin. […]
- Drop code relating to OpenSSH client ports as this is handled via ~/ssh/config now. […]
- Fix various bits of documentation. […][…][…][…][…]
- Fedora-specific changes:
In addition, Mattia Rizzolo updated the configuration for df_inode […] and reverted a change to our pbuilder setup […] whilst Bernhard M. Wiedemann ported make_graph to use Python 3 […].
This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Jelle van der Waa & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.