Reproducible Builds: Weekly report #201

Here’s what happened in the Reproducible Builds effort between Sunday February 24 and Saturday March 2 2019:

• On Tuesday 26th Chris Lamb spoke at Speck&Tech 31 “Open Security” on Reproducible Builds.

• On our mailing list this week:
  • Eric Myhre posted about the developer of Dwarf Fortress reporting some “butterfly-effect style” bugs in deterministic world generation in a post titled Reproducible builds: it’s not just for compilers, it’s for dwarfs too. And their entire universe…!.
  • Holger Levsen posted an update after he calculated that Debian is 54% reproducible in practice. This also revealed that 12% of all binary packages in buster/amd64 are unreproducible because they were built by binNMUs (#894441).

• On Saturday 3rd Holger participated in a panel at the demo day of the 4th round of the Prototype Fund were he talked about Reproducible Builds in reality which is summarised below:

• Alexander “lynxis” Couzens announced the first release of squashfskit, a set of utilities that create and manipulate read-only compressed file systems that was forked from squashfs-tools.

• Bernhard M. Wiedemann posted his monthly Reproducible Builds status update for the openSUSE distribution. This includes some verification of official builds, where 81.2%-similar (NB. not yet bit-identical build results were achieved.

• Graham Christensen corrected some broken links on the reproducible-builds.org project website. […][…]

• Holger uploaded version 1.16.2-1 of koji — the RPM building and tracking system — to Debian, fixing CVE-2018-1002161 to address a SQL injection attack. (#922922)

• A tool to compare the differences between between two versions of the same Node “npm” package was released, speaking to the same concerns for code provenance that the Reproducible Builds project has.

• 15 Debian package reviews were added, 3 were updated and 14 were removed in this week, adding to our knowledge about identified issues.

diffoscope development

diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week:

• Chris Lamb:
  • Improved the displayed comment when falling back to a binary diff to include the file type. (#49)
  • Tidied definition of “no file-specific differences were detected” message suffix. […]
  • Corrected a “recurse” typo. […]
• Vagrant Cascadian updated diffoscope in GNU Guix. […]

Packages reviewed and fixed, and bugs filed

• Bernhard M. Wiedemann:
  • scons (merged, hostname)
  • nfs-ganesha (hostname)
  • openstack-manila (hostname)
  • eigen3 (drop LaTeX .log, partially submitted and merged upstream)
  • python-HTTPolice (merged, fix FTBFS-2021)
  • python-keystoneclient (fix FTBFS-2020)
  • cassandra (fix date/copyright year)
  • various openstack rpms (drop .pickl files)
  • heimdal (report FTBFS with -j1)
• Chris Lamb:
  • #923169 filed against node-lunr.
  • #923170 filed against heudiconv.

In addition, one of Chris Lamb’s previous patches for the Sphinx documentation system was merged upstream. He also updated his branch against the shadow password utility.

Test framework development

We operate a comprehensive Jenkins-based testing framework that powers tests.reproducible-builds.org. This week, Holger Levsen made the following improvements:

• Improve the output of the Debian reproducible “SHA1” checker […], also including stats for non-reproducible binNMUs, arch:all and arch:amd64 packages […].
• Deal with zero results in the SHA1 checker. […]
• Move SHA1 checker to osuosl173 node. […]
• Add setup_schroot_buster_diffoscope job on osuosl173 node. […]
• Node maintenance. […][…][…]

In addition, Mattia Rizzolo performed some armhf node maintenance. […]

---

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.