Reproducible Builds: Weekly report #32

Published: Dec 11, 2015.

The first “reproducible world summit” was held in Athens, Greece, from December 1st-3rd with the support of the Linux Foundation, the Open Tech Fund, and Google. Faidon Liambotis has been an amazing help to sort out all local details. People at ImpactHub Athens have been perfect hosts.

North of Athens from the Acropolis with ImpactHub in the
center

Nearly 40 participants from 14 different free software project had very busy days sharing knowledge, building understanding, and producing actual patches.

Anyone interested in cross project discussions should join the rb- general mailing- list.

What follows focuses mostly on what happened for Debian this previous week. A more detailed report about the summit will follow soon. You can also read the ones from Joachim Breitner from Debian, Clemens Lang from MacPorts, Georg Koppen from Tor, Dhiru Kholia from Fedora, and Ludovic Courtès wrote one for Guix and for the GNU project.

The Acropolis from Μοναστηράκι

Infrastructure

Several discussions at the meeting helped refine a shared understanding of what kind of information should be recorded on a build, and how they could be used. Daniel Kahn Gillmor sent a detailed update on how .buildinfo files should become part of the Debian archive.

Some key changes compared to what we had in mind at DebConf15:

Two .buildinfo with different environment information can attest to the same exact binary artifact.
Multiple .buildinfo files can coexist for the same .deb as long as the listed checksums match the source and binary package in the archive.
.buildinfo can be signed in-line to certify where a build comes from.

Hopefully, ftpmasters will be able to comment on the updated proposal soon.

Packages fixed

The following packages have become reproducible due to changes in their build dependencies: fades, triplane, caml- crush, globus- authz.

The following packages became reproducible after getting fixed:

binutils/2.25.90.20151125-2 uploaded by Matthias Klose, original patch by Reiner Herrmann.
chocolate-doom/2.2.1-2 by Fabian Greffrath.
csound/1:6.05~dfsg1-7 by Felipe Sateler.
dispcalgui/3.0.5.0-1 uploaded by Christian Marillat, original patch by Reiner Herrmann.
drmips/2.0.1-1 by Bruno Nova.
ghc/7.10.1-5 by Joachim Breitner.
gitolite3/3.6.3-3 by David Bremner.
libdigidoc/3.10.1.1208+ds1-1 uploaded by Andrew Shadura, original patch by Reiner Herrmann.
liberasurecode/1.1.0-3 uploaded by Thomas Goirand, original patch by Chris Lamb.
libjs-jcrop/0.9.13+dfsg-1 uploaded by David Prévot, original patch by Chris Lamb.
libnet-interface-perl/1.012-3 uploaded by gregor herrmann, original patch by Reiner Herrmann.
libosmocore/0.9.0-1 uploaded by Ruben Undheim, original patch by Reiner Herrmann.
libperl-apireference-perl/0.21-2 fixed by Niko Tyni (#807111).
netrik/1.16.1-2 by Axel Beckert.
openssl/1.0.2e-1 by Kurt Roeckx.
snp-sites/2.0.2-2 uploaded by Sascha Steinbiss, original patch by Reiner Herrmann.
xfonts-shinonome/1:0.9.11-1 by Hideki Yamane, original patch by Chris Lamb.

Some uploads fixed some reproducibility issues, but not all of them:

raster3d/3.0-3-2 uploaded by Andreas Tille, original patch by Lunar.

Patches submitted which have not made their way to the archive yet:

#806580 on metview by Reiner Herrmann: remove timestamps from metview script.
#806974 on xpra by Reiner Herrmann: interpret the changelog date as UTC.
#807051 on why by Valentin Lorentz: removes extra timestamps from the build system.

akira sent proposals on how to make bash reproducible.

Alexander Couzens submitted a patch upstream to add support for SOURCE_DATE_EPOCH in grub image generator (#787795).

reproducible.debian.net

An issue with some armhf build nodes was tracked down to a bad interaction between uname26 personality and new glibc (Vagrant Cascadian).

A Debian package was created for koji, the RPM building and tracking system used by Fedora amongst others. It is currently waiting for review in the NEW queue. (Ximin Luo, Marek Marczykowski-Górecki)

diffoscope development

diffoscope now has a dedicated mailing list to better accommodate its growing user and developer base.

Going through diffoscope’s guts together enabled several new contributors. Baptiste Daroussin, Ed Maste, Clemens Lang, Mike McQuaid, Joachim Breitner all contributed their first patches to improve portability or add new features. Regular contributors Chris Lamb, Reiner Herrmann, and Levente Polyak also submitted improvements.

The next release should support more operating systems, filesystem image comparison via libguestfs, HTML reports with on-demand loading, and parallel processing for the most noticeable improvements.

Package reviews

27 reviews have been removed, 17 added and 14 updated in the previous week.

Chris Lamb and Val Lorentz filed 4 new FTBFS reports.

Misc.

Baptiste Daroussin has started to implement support for SOURCE_DATE_EPOCH in FreeBSD in libpkg and the ports tree.

Thanks Joachim Breitner and h01ger for the pictures.

← View all weekly reports

Follow us on Twitter @ReproBuilds, Mastodon @reproducible_builds@fosstodon.org & Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches for this website welcome via our Git repository (instructions) or via our mailing list. • Full contact info