Reproducible Builds: Weekly report #67

Published: Aug 9, 2016.

What happened in the Reproducible Builds effort between Sunday July 31 and Saturday August 6 2016:

Toolchain development and fixes

dpkg/1.18.10 by Guillem Jover.
- Generate reproducible source tarballs by using the new GNU tar –clamp-mtime option
- Enable fixdebugpath build flag feature by default, #832179 by Mattia Rizzolo.
cython/0.24.1-1 by Yaroslav Halchenko.
- Fix a file ordering issue, #806493 by Chris Lamb.
Chris Lamb and Thomas Schmidt worked on some patches to make reproducible ISO images.
Johannes Schauer continued the discussion on #763822 regarding dak and buildinfo files.
Johannes Schauer continued the discussion on #774415 regarding srebuild and debrebuild.

Packages fixed and bugs filed

The following 24 packages have become reproducible - in our current test setup - due to changes in their build-dependencies: alglib aspcud boomaga fcl flute haskell-hopenpgp indigo italc kst ktexteditor libgroove libjson-rpc-cpp libqes luminance-hdr openscenegraph palabos petri-foo pgagent sisl srm-ifce vera++ visp x42-plugins zbackup

The following packages have become reproducible after being fixed:

cvs2svn/2.4.0-3 by Laszlo Boszormenyi, #831066 by Chris Lamb.
dapl/2.1.8-2 by 2.1.8-1 by Ana Beatriz Guerrero Lopez, #833410 by Chris Lamb.
fonts-noto/20160116-3 by Vasudev Kamath, #833005 by Chris Lamb.
fortunes-bg/1.3 by Anton Zinoviev, #777484 by Chris Lamb.
fsvs/1.2.7-1 by Reiner Herrmann.
infernal/1.1.2-1 by Sascha Steinbiss.
libitpp/4.3.1-7 by Kumar Appaiah, #795394 by Eduard Sanou.
libtar/1.2.20-6 by Magnus Holmgren.
libterralib/4.3.0+dfsg.2-9 by Alastair McKinstry, #831093 by Eduard Sanou.
mknbi/1.4.4-12 Ralf Treinen, #831432 by Chris Lamb.
node-iscroll/5.2.0+dfsg1-1 by Balint Reczey.
octave-communications/1.2.1-2 by Rafael Laboissiere.
python-mkdocs/0.15.3-5 by Brian May, #831648 by Chris Lamb.
remake/4.1+dbg1.1+dfsg-1 by Yaroslav Halchenko, #806552 by Reiner Herrmann.
sa-exim/4.2.1-16 by Magnus Holmgren.
seqan/1.4.2+dfsg-1 by Andreas Tille, #809058 by Chris Lamb.
sbuild/0.70.0-1 by Johannes Schauer, #825991 from Aurelien Jarno.
trscripts/1.18 by Anton Zinoviev, #776927 by Chris Lamb.
ui-auto/1.2.9-1 by Stephan Sürken.
ui-utilcpp/1.8.5-1 by Stephan Sürken.
xfonts-cronyx/2.3.8-8 by Anton Zinoviev, #778230 by Chris Lamb.

The following newly-uploaded packages appear to be reproducible now, for reasons we were not able to figure out. (Relevant changelogs did not mention reproducible builds.)

libitext-java/2.1.7-1 by Emmanuel Bourg.
lice/1:4.2.5i-2 by Kurt Roeckx.
pgbackrest/1.04-1 by Adrian Vondendriesch.
pxlib/0.6.7-1 by Uwe Steinmann.
runit/2.1.2-5 by Dmitry Bogatov.
ssvnc/1.0.29-3 by Magnus Holmgren.
syncthing/0.14.3+dfsg1-3 by Alexandre Viau.
tachyon/0.99~b6+dsx-5 by Jerome Benoit.
tor/0.2.8.6-2 by Peter Palfrader.

Some uploads have addressed some reproducibility issues, but not all of them:

apg/2.2.3.dfsg.1-4 by Marc Haber, #833141 by Daniel Shahaf.
atheme-services/7.2.6-1 by Antoine Beaupré.
gradle-debian-helper/1.3 by Emmanuel Bourg
hyperscan/4.2.0-2 by Robert Haist, #832917 by Eduard Sanou
kodi 17.0~alpha3+dfsg1-1 by Balint Reczey, #825285 by Lukas Rechberger
python-dtcwt/0.11.0-2 by Ghislain Antony Vaillant.
sollya/5.0+ds-3 by Jerome Benoit.
supercat/0.5.5-4.1 by Craig Sanders, #793725 by Maria Valentina Marin, #777396 by Chris Lamb.

Patches submitted that have not made their way to the archive yet:

#833070 against wget by Reiner Herrmann.
#833088 against xine-lib-1.2 by Daniel Shahaf.
#833162 against qemu by Daniel Shahaf.
#833176 against trafficserver by Reiner Herrmann.
#833179 against openldap by Daniel Shahaf.
#833340 against mini-buildd by Chris Lamb.
#833379 against hardinfo by Chris Lamb.
#833380 against roaraudio by Chris Lamb.
#833395 against emacspeak by Chris Lamb.
#833399 against wims by Chris Lamb.
#833408 against amora-server by Chris Lamb.
#833437 against mp4h by Chris Lamb.
#833438 against rest2web by Chris Lamb.
#833439 against forkstat by Chris Lamb.
#833440 against wmweather+ by Chris Lamb.
#833441 against rc by Chris Lamb.
#833443 against vit by Chris Lamb.
#833444 against openhackware by Chris Lamb.
#833445 against pd-pdstring by Chris Lamb.
#833472 against aghermann by Daniel Shahaf.
#833581 against xshisen by Chris Lamb.
#833594 against fizmo by Chris Lamb.
#833610 against ara by Chris Lamb.
#833611 against fntsample by Chris Lamb.
#833612 against nsnake by Chris Lamb.

Package reviews and QA

These are reviews of reproduciblity issues of Debian packages.

276 package reviews have been added, 172 have been updated and 44 have been removed in this week.

New issues:
- unknown_ada_issue
- timestamps_in_documentation_generated_by_phpdox
Updated issues:
- randomness_in_documentation_generated_by_sphinx

7 FTBFS bugs have been reported by Chris Lamb.

Reproducibility tools

diffoscope/56~bpo8+1 uploaded to jessie-backports by Mattia Rizzolo
strip-nondeterminism/0.022-1~bpo8+1 uploaded to jessie-backports by Mattia Rizzolo

Test infrastructure

For testing the impact of allowing variations of the buildpath (which up until now we required to be identical for reproducible rebuilds), Reiner Herrmann contribed a patch which enabled build path variations on testing/i386. This is possible now since dpkg 1.18.10 enables the --fixdebugpath build flag feature by default, which should result in reproducible builds (for C code) even with varying paths. So far we haven’t had many results due to disturbances in our build network in the last days, but it seems this would mean roughly between 5-15% additional unreproducible packages - compared to what we see now. We’ll keep you updated on the numbers (and problems with compilers and common frameworks) as we find them.

lynxis continued work to test LEDE and OpenWrt on two different hosts, to include date variation in the tests.

Mattia and Holger worked on the (mass) deployment scripts, so that the - for space reasons - only jenkins.debian.net GIT clone resides in ~jenkins-adm/ and not anymore in Holger’s homedir, so that soon Mattia (and possibly others!) will be able to fully maintain this setup, while Holger is doing siesta.

Miscellaneous

Chris, dkg, h01ger and Ximin attended a Core Infrastricture Initiative summit meeting in New York City, to discuss and promote this Reproducible Builds project. The CII was set up in the wake of the Heartbleed SSL vulnerability to support software projects that are critical to the functioning of the internet.

This week’s edition was written by Ximin Luo and Holger Levsen and reviewed by a bunch of Reproducible Builds folks on IRC.

← View all weekly reports

Follow us on Twitter @ReproBuilds, Mastodon @reproducible_builds@fosstodon.org & Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches for this website welcome via our Git repository (instructions) or via our mailing list. • Full contact info