Here’s what happened in the Reproducible Builds effort between Sunday February 24 and Saturday March 2 2019:
On Tuesday 26th Chris Lamb spoke at Speck&Tech 31 “Open Security” on Reproducible Builds.
- On our mailing list this week:
- Eric Myhre posted about the developer of Dwarf Fortress reporting some “butterfly-effect style” bugs in deterministic world generation in a post titled Reproducible builds: it’s not just for compilers, it’s for dwarfs too. And their entire universe…!.
- Holger Levsen posted an update after he calculated that Debian is 54% reproducible in practice. This also revealed that 12% of all binary packages in
buster/amd64are unreproducible because they were built by binNMUs (#894441).
On Saturday 3rd Holger participated in a panel at the demo day of the 4th round of the Prototype Fund were he talked about Reproducible Builds in reality which is summarised below:
Alexander “lynxis” Couzens announced the first release of
squashfskit, a set of utilities that create and manipulate read-only compressed file systems that was forked from
Bernhard M. Wiedemann posted his monthly Reproducible Builds status update for the openSUSE distribution. This includes some verification of official builds, where 81.2%-similar (NB. not yet bit-identical build results were achieved.
Graham Christensen corrected some broken links on the reproducible-builds.org project website. […][…]
Holger uploaded version
1.16.2-1of koji — the RPM building and tracking system — to Debian, fixing CVE-2018-1002161 to address a SQL injection attack. (#922922)
A tool to compare the differences between between two versions of the same Node “npm” package was released, speaking to the same concerns for code provenance that the Reproducible Builds project has.
- 15 Debian package reviews were added, 3 were updated and 14 were removed in this week, adding to our knowledge about identified issues.
diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week:
- Chris Lamb:
- Vagrant Cascadian updated diffoscope in GNU Guix. […]
Packages reviewed and fixed, and bugs filed
- Bernhard M. Wiedemann:
- scons (merged, hostname)
- nfs-ganesha (hostname)
- openstack-manila (hostname)
- eigen3 (drop LaTeX
.log, partially submitted and merged upstream)
- python-HTTPolice (merged, fix FTBFS-2021)
- python-keystoneclient (fix FTBFS-2020)
- cassandra (fix date/copyright year)
- various openstack rpms (drop
- heimdal (report FTBFS with
- Chris Lamb:
In addition, one of Chris Lamb’s previous patches for the Sphinx documentation system was merged upstream. He also updated his branch against the
shadow password utility.
Test framework development
We operate a comprehensive Jenkins-based testing framework that powers tests.reproducible-builds.org. This week, Holger Levsen made the following improvements:
- Improve the output of the Debian reproducible “SHA1” checker […], also including stats for non-reproducible binNMUs,
- Deal with zero results in the SHA1 checker. […]
- Move SHA1 checker to
- Node maintenance. […][…][…]
In addition, Mattia Rizzolo performed some
armhf node maintenance. […]
This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.