What happened in the reproducible builds effort between April 3rd and April 9th 2016:
Media coverage
Emily Ratliff wrote an article for SecurityWeek called "Establishing Correspondence Between an Application and its Source Code - How Combining Two Completely Separate Open Source Projects Can Make Us All More Secure".
Tails have started work on a design for freezable APT repositories to make it easier and more practical to reproduce an entire distribution at a given point in time, which will be needed to create reproducible installation or live media.
Toolchain fixes
Alexis Bienvenüe submitted patches adding support for SOURCE_DATE_EPOCH in several tools: transfig, imagemagick, rdtool, and asciidoctor. boyska submitted one for python-reportlab.
Packages fixed
The following packages have become reproducible due to changes in their build dependencies: atinject-jsr330, brailleutils, cglib3, gnugo, libcobra-java, libgnumail-java, libjchart2d-java, libjcommon-java, libjfreechart-java, libjide-oss-java, liblaf-widget-java, liblastfm-java, liboptions-java, octave-control, octave-mpi, octave-nan, octave-parallel, octave-stk, octave-struct, octave-tsa, oar.
The following packages became reproducible after getting fixed:
- apt-listchanges/2.88 by Robert Luberda.
- cgal/4.8-1 by Joachim Reichel.
- erlang-bitcask/2.0.2+dfsg-1 by Nobuhiro Iwamatsu.
- geneweb/6.08+git20160228+dfsg-2 by Guillaume Brochu.
- glance/2:12.0.0~rc2-1 uploaded by Thomas Goirand, original patch by Chris Lamb.
- gle-graphics/4.2.5-4 by Christian T. Steigies.
- maude uploaded by Andreas Tille, patch by Alexis Bienvenüe.
- psqlodbc/1:09.05.0100-3 by Christoph Berg.
- resource-agents/1:3.9.7-3 by Christoph Berg.
- vgabios/0.7a-6 by Reiner Herrmann.
- vim/2:7.4.1689-2 by James McCoy.
- xmhtml/1.1.10-2 by Graham Inggs with Reiner Herrmann’s help.
- xscreensaver/5.34-2 uploaded by Tormod Volden, original patch by Sascha Steinbiss.
Several uploads fixed some reproducibility issues, but not all of them:
- rkward/0.6.5-1 uploaded by Thomas Friedrichsmeier, original patch by Philip Rinn.
- mailfilter/0.8.4-1 uploaded by Elimar Riesebieter, original patch by Chris Lamb.
- bind9/1:9.10.3.dfsg.P4-6 uploaded by Michael Gilbert, original patch by Reiner Herrmann.
- bzr/2.7.0-{3,4} by Jelmer Vernooij.
- samba/2:4.3.6+dfsg-2 uploaded by Mathieu Parent, fix by Jelmer Vernooij.
- fwupdate/0.5-3 by Mario Limonciello.
- paraview/5.0.1+dfsg1-1 by Anton Gladky.
Patches submitted which have not made their way to the archive yet:
- #819883 on debootstrap by Reiner Herrmann: tell tar to sort the archive members.
- #819885 on chktex by Sascha Steinbiss: use the time of latest debian/changelog entry as documentation timestamp.
- #819915 on kannel by Alexis Bienvenüe: use the time of latest debian/changelog entry as documentation timestamp.
- #819921 on basket by Alexis Bienvenüe: remove build date from debug info.
- #819965 on openarena-data by Alexandre Detiste: normalize file permissions before creating .pk3 archive.
- #820016 on gabedit by Alexis Bienvenüe: sort object files used to build the executable.
- #820032 on bibledit-gtk by Alexis Bienvenüe: remove useless included Makefile.
- #820072 on synfig by Alexis Bienvenüe: remove build date from info output.
- #820148 on autopkgtest by Alexis Bienvenüe: fix install order to cope with locales with case insensitive globbing.
- #820152 on anope by Alexis Bienvenüe: remove build date from the version string.
- #820179 on aodh by Alexis Bienvenüe: remove build date from the documentation.
- #820183 on cython by Alexis Bienvenüe: add support for SOURCE_DATE_EPOCH.
- #820194 on nasm by rain1: sort keys when traversing hash tables used to build the documentation.
- #820226 on chrony by Alexis Bienvenüe: add support for SOURCE_DATE_EPOCH to preset the ntp_era_split parameter.
- #820457 on recode by Alexis Bienvenüe: use system help2man.
- #820522 on gtkspell by Alexis Bienvenüe: force shell to /bin/sh in example Makefile.
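Several of the patches above apply the same handful of techniques: sort archive members, normalize file permissions, and take timestamps from SOURCE_DATE_EPOCH instead of the build clock. The following Python example is added here for illustration and is not taken from any of the listed patches; the function names, the sample trees and the fallback epoch are constructed assumptions.

```python
import hashlib
import io
import os
import tarfile
import tempfile

def build_epoch(default):
    # SOURCE_DATE_EPOCH is seconds since the Unix epoch, set by the build environment.
    return int(os.environ.get("SOURCE_DATE_EPOCH", default))

def deterministic_tar(root, epoch):
    """Return tar bytes that depend only on the names and contents under root."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            entries.append((os.path.relpath(full, root), full))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        # Sort by code point: independent of locale and of readdir() order.
        for rel, full in sorted(entries):
            info = tar.gettarinfo(full, arcname=rel)
            info.mtime = epoch                 # fixed timestamp, not build time
            info.uid = info.gid = 0            # drop the builder's identity
            info.uname = info.gname = ""
            # Collapse permissions to two canonical modes (umask-independent).
            info.mode = 0o755 if info.isdir() or info.mode & 0o100 else 0o644
            if info.isreg():
                with open(full, "rb") as f:
                    tar.addfile(info, f)
            else:
                tar.addfile(info)
    return buf.getvalue()

def sample_tree(names, mode, mtime):
    # Constructed sample input: callers vary creation order, permissions and mtimes.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "docs"))
    for name in names:
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("content of " + name + "\n")
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))
    return root

def demo():
    epoch = build_epoch(default=1460160000)  # constructed fallback: 2016-04-09 UTC
    a = sample_tree(["b.txt", "a.txt", "docs/z.txt"], 0o600, 1000)
    b = sample_tree(["docs/z.txt", "a.txt", "b.txt"], 0o664, 2000)
    return [hashlib.sha256(deterministic_tar(r, epoch)).hexdigest() for r in (a, b)]
```

Both digests returned by `demo()` are equal even though the two trees were created in a different order with different permissions and modification times.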
Other upstream fixes
Alexander Batischev made a commit to make newsbeuter reproducible.
tests.reproducible-builds.org
- An architecture-agnostic summary has been added to the reproducible-tracker.json by Valerie Young to make it easy to parse whether a package is unreproducible anywhere.
- To find more reproducibility issues, a new variation was added to the i386 builders, so that one build is done using a 32-bit kernel (686-PAE) and the other build is using a 64-bit kernel (amd64). (h01ger)
- Niko Tyni was the first to notice a bug due to this: #821182 perl: embeds kernel architecture information
- The 2nd builds are now done in fr_CH on amd64, de_CH on i386 and it_CH on armhf. (h01ger)
- The variation table has been updated to reflect the recent changes and various small bugs have been fixed. (h01ger)
Package reviews
93 reviews have been removed, 66 added and 21 updated in the previous week.
12 new FTBFS bugs have been reported by Chris Lamb and Niko Tyni.
Misc.
This week’s edition was written by Lunar, Holger Levsen, Reiner Herrmann, Mattia Rizzolo and Ximin Luo.
With the departure of Lunar as a full-time contributor, Reproducible Builds Weekly News (this thing you’re reading) has moved from his personal Debian blog on Debian People to the Reproducible Builds team web site on Debian Alioth. You may want to update your RSS or Atom feeds.
Very many thanks to Lunar for writing and publishing this weekly news for so long, well & continuously!