Here’s what happened in the Reproducible Builds effort between Sunday March 3 and Saturday March 9 2019:
On our mailing list this week, Holger Levsen explained why Debian Buster will only be 54% reproducible (in short: due to Debian bugs #894441 and #900837). There was some follow-up discussion on Reddit and Hacker News.
Russ Cox and Filippo Valsorda submitted a formal change proposal to the Go programming language entitled “Secure the Public Go Module Ecosystem with the Go Notary”, which speaks to reproducible builds and their impact on code provenance.
Wireshark (the popular network protocol analyser) revealed in their 3.0.0 release notes that their build system now produces reproducible builds (#15163).
5 Debian package reviews were added, 6 were updated and 13 were removed this week, adding to our knowledge about identified issues. Two issue types were identified by Chris Lamb:
Holger Levsen updated the top-level navigation on the reproducible-builds.org project website to link tests.reproducible-builds.org more prominently. […]
diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week:
Chris Lamb uploaded version 113 to Debian unstable fixing a long list of issues. It included contributions already covered in previous weeks as well as new ones by Chris, including:
- Provide explicit help when the libarchive system package is missing or “incomplete”. (#50)
- Explicitly mention when the guestfs module is missing at runtime and we are falling back to a binary diff. (#45)
Vagrant Cascadian made the corresponding update to GNU Guix. […]
Packages reviewed and fixed, and bugs filed
- Bernhard M. Wiedemann:
  - python-django-filter (report
  - python-apache-libcloud (fix
  - utox (merged, date)
  - vimb (merged, date)
  - pcp (fix date and PGO-like effects from
- Chris Lamb
Test framework development
We operate a comprehensive Jenkins-based testing framework that powers tests.reproducible-builds.org. This week, Holger Levsen made the following improvements:
- Analyse node maintenance job runs to determine whether to mark nodes offline. […]
- Detect hanging health check runs, not just failed ones. […]
- Allow members of the jenkins UNIX group to jenkins user […] and simplify adding users to said group […].
- Improve the “SHA1 checker” script to deal with packages with more than one version […] and to re-download buildinfo.debian.net’s files if they are older than two weeks. […]
- Node maintenance. […][…][…][…]
- In the version checker, correctly deal with a rare situation when several, say, diffoscope versions are available in one Debian suite at the same time. […]
In addition, Alexander “lynxis” Couzens made a number of changes to our OpenWrt support, including:
- Add OpenWrt support to our database. […]
- Adding a
- Strip unreproducible certificates from images. […]
Don’t forget that Reproducible Builds is part of the May/August 2019 round of Outreachy. Outreachy provides internships to work on free software. Internships are open to applicants around the world, who work remotely and are not required to move. Interns are paid a stipend of $5,500 for the three-month internship and have an additional $500 travel stipend to attend conferences/events.
So far, we have received more than ten initial requests from candidates. The closing date for applicants is April 2nd. More information is available on the application page.
This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.