Here’s what happened in the Reproducible Builds effort between Sunday March 17 and Saturday March 23 2019:
-
On our mailing list this week, Mike Miller started a discussion around development toolchains embedding compiler options in binares. This can result in unreproducible builds, ironically caused by GCC flags that were intended to remove non-deterministic behaviour in the first place (eg.
-fdebug-prefix-map
and-ffile-prefix-map
). -
Arnout Engelen proposed a pull request for the Akka JVM-based library for concurrent and distributed programming to include a reproducible builds plugin which was subsequently merged.
-
Izaak “Zaak” Beekman announced that the 2.6.1 OpenCorrays parallelism library for Fortran 2018 compilers now supports reproducible builds.
-
David Prévot updated the reproducible-builds.org project website to specify that the PHP example for
SOURCE_DATE_EPOCH
uses an integer type as expected in strict mode. […] -
Holger Levsen gave a talk titled My life with free software at Cheikh Anta Diop University in Dakar, Senegal in which he also explained Reproducible Builds to the students and invited them to participate in Outreachy and Google Summer of Code. Another purpose was location scouting for the next Reproducible Builds summit which is tentatively planned to take place in late 2019. The event was well received by the local Linux Senegal community.
-
17 Debian package reviews were added, 2 were updated and 9 were removed in this week, adding to our knowledge about identified issues. Chris Lamb identified and categorised four new issues,
build_path_in_typelib_files_generated_by_gir_compiler
,build_path_in_qdoc
,bundle_name_in_java_manifest_mf
andrandomness_in_prolog_saved_stage
. -
Mattia Rizzolo started to set up a new mail server that will also serve our mailing lists, to migrate from of our current host, potager.org.
Don’t forget that Reproducible Builds is part of May/August 2019 round of Outreachy which offers paid internships to work on free software. Internships are open to applicants around the world and are paid a stipend for the three month internship with an additional travel stipend to attend conferences. So far, we received more than ten initial requests from candidates and the closing date for applicants is April 2nd. More information is available on the application page.
diffoscope development
diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week:
- Chris Lamb:
- Always warn if the
tlsh
module is not available (not just if a specific fuzziness threshold is specified) to match the epilog of the--help
output. This prevents missing support for file rename detection. (#29) - Fix a number of tests when using GhostScript
9.20
vs9.26
for Debianstable
vs. the same distribution with the security/point release applied. […]
- Always warn if the
- Mattia Rizzolo:
- Milena Boselli Rosa:
- Remove the
type
HTML attribute fromstyle
elements. […] - Prevent empty values for the
name
attribute name on HTML anchor tags and add anid
to its parentdiv
container. […] - Fix a Text run is not in Unicode Normalization Form C HTML validation warning. […]
- Fix a Table column x established by element ‘col’ has no cells beginning in it HTML validation error. […]
- Remove the
Packages reviewed and fixed, and bugs filed
- Bernhard M. Wiedemann:
- libqt5-qtdeclarative (ASLR / uninitialised memory written to output file)
- Chris Lamb:
- #925191 filed against toil (filed and merged upstream)
- #925192 filed against libappindicator.
Test framework development
We operate a comprehensive Jenkins-based testing framework that powers tests.reproducible-builds.org. This week, Mattia Rizzolo:
- Fixed the
dsa-check-running-kernel
script after Ubuntu updated their packages. […] - Do not blindly forward the
jenkins@
emails, otherwise procmail cannot filter them (breaking ouremail2irc
script). […] - Gave Vagrant Cascadian root everywhere. […]
This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo and Vagrant Cascadian & was reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.