What happened in the reproducible builds effort between December 20th and December 26th:
Toolchain fixes
Mattia Rizzolo rebased our experimental versions of debhelper (twice!) and dpkg on top of the latest releases.
Reiner Herrmann submitted a patch for mozilla-devscripts to sort the file list in generated preferences.js files.
To be able to lift the restriction that packages must be built in the same path, translation support for the __FILE__ C pre-processor macro would also be required. Joerg Sonnenberger submitted a patch back in 2010 that would still be useful today.
Chris Lamb started work on providing a deterministic mode for debootstrap.
Packages fixed
The following packages have become reproducible due to changes in their build dependencies: bouncycastle, cairo-dock-plug-ins, darktable, gshare, libgpod, pafy, ruby-redis-namespace, ruby-rouge, sparkleshare.
The following packages became reproducible after getting fixed:
- a7xpg/0.11.dfsg1-9 uploaded by Markus Koschany, original patch by Reiner Herrmann.
- at/3.1.18-1 uploaded by Laurent Bigonville, original patch by Reiner Herrmann, merged by Jose M Calhariz.
- bibtool/2.61+ds-2 by Jerome Benoit.
- bup/0.27-2 uploaded by Robert Edmonds, original patch by Chris Lamb.
- deja-dup/34.1-1 uploaded by Laurent Bigonville, original patch by Reiner Herrmann.
- gauche-gl/0.6-1 by NIIBE Yutaka.
- ifupdown/0.8 uploaded by Guus Sliepen, original patch by Lunar.
- jing-trang/20131210+dfsg+1-4 by Samuel Thibault.
- libp11/0.3.0-2 by Eric Dorland.
- pdns/4.0.0~alpha1-1 by Christian Hofstaedtler.
- pdns-recursor/4.0.0~alpha1-1 by Christian Hofstaedtler.
- qupzilla/1.8.9~dfsg1-1 uploaded by Georges Khaznadar, fixed upstream.
- ros-genpy/0.5.7-4 uploaded by Jochen Sprickerhof, original patch by Chris Lamb.
- signify/1.14-3 by Mattia Rizzolo, obsoleting patches submitted by Chris Lamb and akira.
- sleepyhead/0.9.8-2 by Sergio Durigan Junior.
- texi2html/1.82+dfsg1-5 by Mattia Rizzolo, previous patch by Juan Picca.
- titanion/0.3.dfsg1-6 by Markus Koschany, original patch by Reiner Herrmann.
- tj3/3.5.0-3 uploaded by Vincent Bernat, original patch by Vincent Bernat.
- vcsh/1.20151229-1 by Richard Hartmann.
- waitress/0.8.10-1 uploaded by Andrew Shadura, original patch by Juan Picca.
- xtel/3.3.0-19 by Samuel Thibault.
Some uploads fixed some reproducibility issues, but not all of them:
- kmod/22-1 uploaded by Marco d’Itri, original patch by Lunar.
- libgcrypt20/1.6.4-4 by Andreas Metzler.
- loadlin/1.6f-4 uploaded by Samuel Thibault, original patch by Chris Lamb.
- pathological/1.1.3-13 uploaded by Markus Koschany, original patch by Chris Lamb.
- yacas/1.3.6-1 uploaded by Muammar El Khatib, original patch by Reiner Herrmann.
Patches submitted which have not made their way to the archive yet:
- #808459 on pywavelets by Chris Lamb: add support for SOURCE_DATE_EPOCH in the documentation generator.
- #808652 on nexuiz-data by Reiner Herrmann: sorts with the locale set to C.
- #808667 on libmouse-perl by Reiner Herrmann: sorts the list of filenames to be embedded.
- #808679 on libcorelinux by Reiner Herrmann: sort the list of files in the generated Makefile.
- #808711 on ca-certificates by Reiner Herrmann: sort the list of certificates before it is embedded.
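The patches listed above share two techniques: sorting file lists in a locale-independent order and taking embedded dates from SOURCE_DATE_EPOCH. The following added example (not code from any of the listed patches; the function names, file names and epoch value are constructed for illustration) applies both to a generated manifest:

```python
import os
import tempfile
import time


def build_date(environ=os.environ):
    """Date to embed: SOURCE_DATE_EPOCH if set, else the current time."""
    epoch = int(environ.get("SOURCE_DATE_EPOCH", time.time()))
    # Format in UTC so the builder's timezone does not leak into the output.
    return time.strftime("%Y-%m-%d", time.gmtime(epoch))


def list_files(root):
    """Relative file paths under root, in an order that never varies."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            found.append(os.path.relpath(os.path.join(dirpath, name), root))
    # os.walk returns entries in filesystem order, which differs between
    # machines. Sorting the encoded bytes mirrors `LC_ALL=C sort`, so the
    # result does not depend on the builder's locale either.
    return sorted(found, key=os.fsencode)


def generate_manifest(root, environ=os.environ):
    """Generated file: a dated header followed by the sorted file list."""
    lines = ["# generated " + build_date(environ)]
    lines += list_files(root)
    return "\n".join(lines) + "\n"


def make_tree(names):
    """Constructed sample input: empty files created in the given order."""
    root = tempfile.mkdtemp()
    for name in names:
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    env = {"SOURCE_DATE_EPOCH": "1451088000"}  # constructed value
    first = make_tree(["a.crt", "B.crt", "sub/c.crt"])
    second = make_tree(["sub/c.crt", "B.crt", "a.crt"])
    # Same content, different creation order: the output must be identical.
    assert generate_manifest(first, env) == generate_manifest(second, env)
    print(generate_manifest(first, env), end="")
```
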
reproducible.debian.net
Statistics for package sets are now visible for the armhf architecture. (h01ger)
The second build now has a longer timeout (18 hours) than the first build (12 hours). This should prevent wasting resources when a machine is loaded. (h01ger)
Builds of Arch Linux packages are now done using a tmpfs. (h01ger)
200 GiB have been added to jenkins.debian.net (thanks to ProfitBricks!) to make room for new jobs. The current count is at 962 and growing!
diffoscope development
Aside from some minor bug fixes, a one-line change brought huge memory (and time) savings: the output of transformation tools is now streamed line by line instead of being loaded entirely into memory at once.
disorderfs development
Andrew Ayer released disorderfs version 0.4.2-1 on December 22nd. It fixes a memory corruption error when processing command line arguments that could cause command line options to be ignored.
Documentation update
Many small improvements for the documentation on reproducible-builds.org sent by Georg Koppen were merged.
Package reviews
666 (!) reviews have been removed, 189 added and 162 updated in the previous week.
151 new fail to build from source reports have been made by Chris West, Chris Lamb, Mattia Rizzolo, and Niko Tyni.
New issues identified: unsorted_filelist_in_xul_ext_preferences, nondeterminstic_output_generated_by_moarvm.
Misc.
Steven Chamberlain drew our attention to one analysis of the Juniper ScreenOS Authentication Backdoor: “Whilst this may have been added in source code, it was well-disguised in the disassembly and just 7 instructions long. I thought this was a good example of the current state-of-the-art, and why we’d like our binaries and eventually, installer and VM images reproducible IMHO.”
Joanna Rutkowska has mentioned possible ways for Qubes to become reproducible on their development mailing-list.