What happened in the Reproducible Builds effort between June 19th and June 25th 2016.
Media coverage
-
Holger Levsen gave a talk at openSUSE Conference 2016 explaining the general idea and status of Reproducible Builds. This talk is available as video recording.
- This was followed by Bernhard Wiedemannn, detailing his work on Reproducible Builds for openSUSE which is also available as video recording:
- openSUSE uses SOURCE_DATE_EPOCH now too
- How to create bit-for-bit identical RPMs
- How strip-nondeterminism is Python and thus unsuitable for the openSUSE base system
- Mozilla awarded $77k to work on reproducible builds for Tails. The goal is to enable anyone (given sufficient technical skills and hardware resources) to rebuild from source a given Tails release, in order to independently verify that it matches the ISO image that was published. A substantial part of this work will be done in Debian: for example, to make the side-effects of some packages’ post-installation scripts deterministic. On the longer term, this work should benefit other projects that want to make their own builds reproducible (e.g. operating system images for the cloud and embedded systems, operating system installation media, other Live systems).
GSoC and Outreachy updates
- Valerie Young published a report detailing what she did the last week regarding improving tests.reproducible-builds.org/debian.
- Ceridwen announced reprotest’s arrival in the NEW queue and discussed autopkgtest’s layout.
Toolchain fixes
- Anton Gladky uploaded an NMU of python-setuptools, which sorts entries in
native_libs.txt
files (#825857).
Other upstream fixes
Emil Velikov searched on IRC for hints on how to guarantee unique values during
build to invalidate
shader caches in Mesa, when also no
VCS information
is available. A possible solution is a timestamp, which is unique enough for
local builds, but can still be reproducible by allowing it to be overwritten
with SOURCE_DATE_EPOCH
.
Packages fixed
The following 9 packages have become reproducible due to changes in their build dependencies:
cclib librun-parts-perl llvm-toolchain-snapshot python-crypto python-openid r-bioc-shortread r-bioc-variantannotation ruby-hdfeos5 sqlparse
The following packages have become reproducible after being fixed:
- allegro4.4/2:4.4.2-9 by Tobias Hansen, #824140 by Reiner Herrmann.
- atomicparsley/0.9.6-1 by Jonas Smedegaard.
- dwarfutils/20160613-1 by Fabian Wolff, #827382 by Reiner Herrmann.
- dwm/6.1-3 by Hugo Lefeuvre, #825545 by Reiner Herrmann.
- funtools/1.4.6+git150811-3 by Ole Streicher, #827864 by Alexis Bienvenüe.
- golang-github-appc-spec/0.8.4+dfsg-1 by Dmitry Smirnov.
- golang-github-appc-docker2aci/0.11.1+dfsg-1 Dmitry Smirnov.
- hdf-eos5/5.1.15.dfsg.1-7 by Alastair McKinstry.
- hmmer2/2.3.2-11 by Sascha Steinbiss, #828065 by Chris Lamb.
- jpy/0.8-2 by Alastair McKinstry.
- lazarus/1.6+dfsg-4 by Paul Gevers.
- pgbackrest/1.02-2 by Adrian Vondendriesch.
- siege/4.0.2-1 by Josue Abarca.
- starlink-pal/0.5.0-4 by Ole Streicher, #803908 by Chris Lamb.
- stylish-haskell/0.5.17.0-2 by Sean Whitton.
- xprobe/0.3-3 by Sophie Brun, #827572 by Reiner Herrmann.
Some uploads have fixed some reproducibility issues, but not all of them:
- hdfeos4/2.19v1.00+dfsg.1-5 by Alastair McKinstry.
- icu4j/57.1-2 by Tony Mancill, #827985 by Chris Lamb.
- pari/2.7.6-1 by Bill Allombert,
Patches submitted that have not made their way to the archive yet:
- #827684 against cgoban by Chris Lamb: set
SHELL
to static value. - #827731 against tin by Alexis Bienvenüe: drop patch which overwrites
__DATE__
/__TIME__
macros, since gcc can handle it now - #827863 against swedish by Alexis Bienvenüe: use C locale for sorting.
- #827987 against glances by Chris Lamb: Use
SOURCE_DATE_EPOCH
for embedded timestamp. - #827994 against cmtk by Chris Lamb: use C locale for sorting.
- #828008 against aghermann by Chris Lamb: honour
SOURCE_DATE_EPOCH
for timestamps embedded into manpages. - #828012 against bind9 by Chris Lamb: honour
SOURCE_DATE_EPOCH
for embedded timestamp. - #828017 against frog by Chris Lamb: don’t include pyc/pyo files in the package.
- #828021 against extra-cmake-modules by Scarlett Clark: normalize permission and file order in tarballs.
- #828060 against libffado by Chris Lamb: exclude file with test output from package.
- #828066 against gsmlib by Chris Lamb: honour
SOURCE_DATE_EPOCH
for timestamps embedded into manpages. - #828067 against grib-api by Chris Lamb: exclude pyc files from package.
- #828122 against libxmlbird by Chris Lamb: sort list of globbed files.
- #828123 against magnum by Chris Lamb: use static value for embedded hostname.
- #828131 against pyjwt by Chris Lamb: exclude coverage data from package.
- #828145 against mkdocs by Chris Lamb: honour
SOURCE_DATE_EPOCH
for embedded timestamp. - #828164 against zeal by Chris Lamb: use UTC for embedded timestamp.
- #828168 against x42-plugins by Daniel Shahaf: use
printf
instead of non-portableecho
.
Package reviews
139 reviews have been added, 20 have been updated and 21 have been removed in this week.
New issues found:
- timestamps_in_pdf_generated_by_reportlab
- r_base_appends_built_header_to_description_files
- timestamps_in_documentation_generated_by_mkdocs
53 FTBFS bugs have been reported by Chris Lamb, Santiago Vila and Mateusz Łukasik.
diffoscope development
- Satyam Zode added argument completion.
- Chris Lamb made the confusing “No differences found inside, yet data differs” message less confusing.
Quote of the week
“My builds are so reproducible, they fail exactly every second time.” — Johannes Ziemke (@discordianfish)
Misc.
This week’s edition was written by Chris Lamb (lamby), Reiner Herrmann and Holger Levsen and reviewed by a bunch of Reproducible builds folks on IRC.