What happened in the reproducible builds effort this week:
Media coverage
Nathan Willis covered our DebConf15 status update in Linux Weekly News. Access for non-LWN subscribers will be available on Thursday 24th.
Linux Journal published a more general piece last Tuesday.
Unexpected praise for reproducible builds appeared this week in the form of several iOS applications identified as including spyware. The malware went undetected by Apple's screening. This happened because application developers had simply downloaded a trojaned version of Xcode from an unofficial source. While reproducible builds can’t really help users of non-free software, this is exactly the kind of attack that we are trying to prevent in our systems.
Toolchain fixes
- Mathieu Malaterre uploaded abi-compliance-checker/1.99.11-1 which drops the timestamps from the generated HTML reports and makes the generated .abi.tar.gz files reproducible. Original patches by Chris Lamb.
- Niko Tyni wrote and uploaded a better patch for the source order problem in libmodule-build-perl.
- Tristan Seligmann identified how the code generated by python-cffi could be emitted in random order in some cases. Upstream has already fixed the problem.
Packages fixed
The following 24 packages became reproducible due to changes in their build dependencies: apache-curator, checkbox-ng, gant, gnome-clocks, hawtjni, jackrabbit, jersey1, libjsr305-java, mathjax-docs, mlpy, moap, octave-geometry, paste, pdf.js, pyinotify, pytango, python-asyncssh, python-mock, python-openid, python-repoze.who, shadow, swift, tcpwatch-httpproxy, transfig.
The following packages became reproducible after getting fixed:
- apparmor/2.10-2 uploaded by intrigeri, fixed upstream by Christian Boltz, with the same change suggested by Reiner Herrmann.
- ardour/1:4.2~dfsg-2 by IOhannes m zmölnig.
- dcmtk/3.6.1~20150629-1 uploaded by Andreas Tille, original patch by akira.
- deap/1.0.1-4 by Daniel Stender.
- firebird2.5/2.5.4.26856.ds4-2 by Damyan Ivanov.
- gamera/3.4.2+svn1437-1 by Daniel Stender.
- genometools/1.5.7-1 by Sascha Steinbiss.
- golang-github-go-xorm-core/0.4.4-1 by Alexandre Viau.
- klibc/2.0.4-4 by Ben Hutchings.
- libgtk2-perl/2:1.2496-3 by intrigeri.
- lsof/4.89+dfsg-0.1 uploaded by Laurent Bigonville, original patch by Lunar.
- monotone/1.1-6 by Markus Wanner.
- ndisc6/1.0.1-4 by Santiago Vila.
- privoxy/3.0.23-4 by Roland Rosenfeld.
- ruby-flexmock/2.0.0~rc1-1 by Antonio Terceiro.
- ruby-html2haml/2.0.0-1 by Lunar.
- tunnelx/20140102-3 uploaded by Wookey, original patch by Chris Lamb.
- wtforms/2.0.2-1 by Orestis Ioannou, original patch by Juan Picca.
Some uploads fixed some reproducibility issues but not all of them:
Patches submitted which have not made their way to the archive yet:
- #783152 on kmod by Lunar: export SOURCE_DATE_EPOCH in debian/rules.
- #799010 on 389-ds-base by Chris Lamb: use SOURCE_DATE_EPOCH value as the build date.
- #799206 on python-sqlalchemy-utils by Chris Lamb: sort the list of extra requirement.
- #799330 on cappuccino by Chris Lamb: pass a fixed seed to polygen.
- #799410 on segment by Chris Lamb: use date of the latest debian/changelog entry as build date.
reproducible.debian.net
Tests for Coreboot, OpenWrt, NetBSD, and FreeBSD now run weekly (instead of monthly).
diffoscope development
Python 3 offers new features (namely yield from and concurrent.futures) that could help implement parallel processing. The clear separation of bytes and unicode strings is also likely to reduce encoding related issues.
Mattia Rizzolo thus kicked off the effort of porting diffoscope to Python 3. tlsh was the only dependency missing a Python 3 module. This got quickly fixed by a new upload.
The rest of the code has been moved to the point where only incompatibilities between Python 2.7 and Python 3.4 had to be changed. The commit stream still requires some cleanups but all tests are now passing under Python 3.
Documentation update
The documentation on how to assemble the weekly reports has been updated. (Lunar)
The example on how to use SOURCE_DATE_EPOCH with CMake has been improved. (Ben Boeckel, Daniel Kahn Gillmor)
The solution for timestamps in man pages generated by Sphinx now uses SOURCE_DATE_EPOCH. (Mattia Rizzolo)
Package reviews
45 reviews have been removed, 141 added and 62 updated this week.
67 new FTBFS reports have been filed by Chris Lamb, Niko Tyni, and Lisandro Damián Nicanor Pérez Meyer.
New issues added this week: randomness_in_r_rdb_rds_databases, python-ply_compiled_parse_tables.
Misc.
The prebuilder script is now properly testing umask variations again.
Santiago Vila started a discussion on debian-devel on how binNMUs would work for reproducible builds.