Here’s what happened in the Reproducible Builds effort between Sunday February 3rd and Saturday February 9th 2019:
In a blog post entitled “Huawei case demonstrates importance of Free Software for security” the FSFE raised their voice in the recent wider discussions regarding Huawei and 5G:
“To establish trust in critical infrastructure like 5G, it is a crucial precondition that all software code powering those devices is published under a Free and Open Source Software licence” and furthermore points out that in case of binary distribution it is “necessary that there are reproducible builds”.
Reproducible Builds were present at both FOSDEM 2019 and CopyLeftConf handing out t-shirts to a number of contributors. The latter event was run under the auspices of the Software Freedom Conservancy who also act as the Reproducible Builds project’s fiscal sponsor and are a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week, Chris Lamb adjusted the behaviour to no longer look for adjacent -dbgsym Debian package files automatically, to align better with users’ expectations. The existing behaviour can be re-enabled by specifying the new --use-dbgsym flag (#44 / #920701).
Chris then released and uploaded this as part of version 110, but it was then reported that this introduced a regression where we had stopped using the -dbgsym packages when comparing .changes files. This was subsequently fixed via issue #46.
The Nix “purely functional package manager” published a new r13y.com “single-page” website that documents the current state of reproducibility in that distribution, a possible partner to isdebianreproducibleyet.com.
On Tuesday 26th February Chris Lamb will speak at Speck&Tech 31 “Open Security” on Reproducible Builds in Trento, Italy.
Holger uploaded koji version 1.16.1-1 to Debian in order to package a new upstream version.
Ten Debian package reviews were added, eleven were updated and nineteen were removed this week, adding to our knowledge about identified issues. Two issue types were updated by Chris Lamb, adding a fix for the randomness_in_documentation_underscore_downloads_generated_by_sphinx toolchain issue and also categorising a new
Hervé Boutemy made more updates to the reproducible-builds.org project website, including specifying the implications of using -Dline.separator with respect to UNIX line endings […]. In addition, Holger Levsen added a link to the “who” page for the tests page for NixOS […] and Mykola Nikishov fixed a dead link to the how-to contribute page […].
Whilst reproducing Arch Linux packages Jelle van der Waa and Santiago Torres discovered that the size field in pacman’s package metadata is not reproducible on different filesystems. For example, building on ext4 results in a different package size. More information may be found on the associated bug report.
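A common reason a size field depends on the filesystem it was built on is that it is derived from allocated disk blocks (what du reports by default) rather than from the files’ byte counts. The Python below, added here as an illustration and not taken from pacman, makepkg or the bug report, builds a small constructed file tree and computes both figures so the reproducible one can be told apart from the filesystem-dependent one; the sample paths and sizes are invented.

```python
import os
import tempfile

# Constructed sample tree: relative path -> size in bytes. It deliberately
# contains a tiny file and a file just over one 4 KiB block, because those
# are where block rounding differs most between filesystems.
SAMPLE_FILES = {
    "usr/bin/tool": 12_345,
    "usr/share/doc/tool/README": 17,
    "usr/share/man/man1/tool.1.gz": 4_097,
}


def build_sample_tree(root):
    """Materialise SAMPLE_FILES under root with deterministic contents."""
    for rel, size in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"A" * size)


def installed_size(root):
    """Return (apparent_bytes, allocated_bytes) for all regular files under root.

    apparent_bytes sums st_size: the byte count of each file, identical on any
    filesystem that holds the same content, so it is the reproducible choice.
    allocated_bytes sums st_blocks * 512: the storage the filesystem actually
    reserved, which varies with block size, tail packing or compression and is
    therefore not reproducible across filesystems (du reports this by default).
    """
    apparent = allocated = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            st = os.lstat(os.path.join(dirpath, name))
            apparent += st.st_size
            # st_blocks is always counted in 512-byte units; absent on some platforms
            allocated += getattr(st, "st_blocks", 0) * 512
    return apparent, allocated


def expected_apparent_size():
    """Size the package metadata should record: independent of the build host."""
    return sum(SAMPLE_FILES.values())


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return installed_size(root)
```

Running demo() on two machines with different filesystems gives the same first value and, typically, different second values; recording the first in package metadata is what makes the size field reproducible.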
Packages reviewed and fixed, and bugs filed
- Bernhard M. Wiedemann:
- Chris Lamb:
- Steffen Winterfeldt:
Test framework development
- Arch Linux-specific changes:
- Debian-specific changes:
- LEDE/OpenWrt-specific changes:
- Misc/generic changes:
- Clarify where NetBSD is actually built. […]
- Improve jobs to check the version of diffoscope relative to upstream in various distributions. […][…]
- Render the artificial date correctly in the build variation tables. […]
- Work around a rare and temporary problem when restarting Munin. […]
- Drop code relating to OpenSSH client ports as this is handled via
- Fix various bits of documentation. […][…][…][…][…]
- Fedora-specific changes:
This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Jelle van der Waa & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.