Reproducible Builds: Weekly report #7

What happened about the reproducible builds effort for this week:

Presentations

On June 7th, Reiner Herrmann presented the project at the Gulaschprogrammiernacht 15 in Karlsruhe, Germany. Video and audio recordings in German are available, and so are the slides in English.

Toolchain fixes

• Joachim Breitner uploaded ghc/7.8.4-9 which uses a hash of the command line instead of the pid when calculating a “random” directory name.
• Lunar uploaded mozilla-devscripts/0.42 which now properly sets the timezone. Patch by Reiner Herrmann.
• Dmitry Shachnev uploaded python-qt4/4.11.4+dfsg-1 which now outputs the list of imported module in a stable order. The issue has been fixed upstream. Original patch by Reiner Herrmann.
• Norbert Preining uploaded tex-common/6.00 which tries to ensure reproducible builds in files generated by dh_installtex.
• Barry Warsaw uploaded wheel/0.24.0-2 which makes the output deterministic. Barry has submitted the fixes upstream based on patches by Reiner Herrman.

Daniel Kahn Gillmor’s report on help2man started a discussion with Brendan O’Dea and Ximin Luo about standardizing a common environment variable that would provide a replacement for an embedded build date. After various proposals and research by Ximin about date handling in several programming languages, the best solution seems to define SOURCE_DATE_EPOCH with a value suitable for gmtime(3).

W. Martin Borgert wondered if Sphinx could be changed in a way that would avoid having to tweak debian/rules in packages using it to produce HTML documentation.

Daniel Kahn Gillmor opened a new report about icont producing unreproducible binaries.

Packages fixed

The following 32 packages became reproducible due to changes in their build dependencies: agda, alex, c2hs, clutter-1.0, colorediffs- extension, cpphs, darcs- monitor, dispmua, haskell- curl, haskell- glfw, haskell- glib, haskell- gluraw, haskell- glut, haskell- gnutls, haskell- gsasl, haskell- hfuse, haskell-hledger- interest, haskell- hslua, haskell- hsqml, haskell- hssyck, haskell-libxml- sax, haskell- openglraw, haskell- readline, haskell- terminfo, haskell-x11, jarjar-maven- plugin, kxml2, libcgi-struct-xs- perl, libobject-id- perl, maven-docck- plugin, parboiled, pegdown.

The following packages became reproducible after getting fixed:

• acorn/0.12.0-1 by Bas Couwenberg, original patch by Reiner Herrmann.
• cabal-debian/4.17.4-3 by Joachim Breitner.
• coin3/3.1.4~abc9f50-9 by Anton Gladky.
• deets/0.2.1-4 by Clint Adams.
• elinks/0.12~pre6-8 by Moritz Muehlenhoff.
• fiona/1.5.1-1 uploaded by Johan Van de Wauw, original patch by Juan Picca.
• gcc-mingw-w64/15.2 by Stephen Kitt.
• glance/2015.1.0-2 uploaded by Thomas Goirand, original patch by Juan Picca.
• hamlib/1.2.15.3-3 uploaded by Colin Tuckley, original patch by akira.
• ikiwiki/3.20150610 by Simon McVittie, Joey Hess and Daniel Kahn Gillmor. Cheers!
• lava-dispatcher/2015.06-1 by Neil Williams.
• libur-perl/0.430-3 by gregor herrmann, fix suggested by Niko Tyni.
• lrzsz/0.12.21-8 uploaded by Martin A. Godisch, original patch by Dhole.
• makehuman/1.0.2-9 uploaded by Muammar El Khatib, original patch by Juan Picca.
• murano/2015.1.0-4 uploaded by Thomas Goirand, original patch by Juan Picca.
• ocl-icd/2.2.7-2 by Vincent Danjean.
• oslo-config/1:1.9.3-2 uploaded by Thomas Goirand, original patch by Juan Picca.
• piuparts/0.64 by Holger Levsen.
• posh/0.12.5 by Clint Adams.
• python-glance-store/0.4.0-3 uploaded by Thomas Goirand, original patch by Juan Picca.
• python-osprofiler/0.3.0-2 uploaded by Thomas Goirand, original patch by Juan Picca.
• wheel/0.24.0-2 uploaded by Barry Warsaw, original patch by Reiner Herrman.
• xfonts-nexus/0.0.2-17 uploaded by Simon Horman, original patch by Chris Lamb.
• zec/0.12-4 by Clint Adams.
• zomg/0.8-2 by Clint Adams.

Some uploads fixed some reproducibility issues but not all of them:

• brickos/0.9.0.dfsg-11 uploaded by Michael Tautschnig, original patch by akira.
• colobot/0.1.5-1 uploaded by Didier Raboud, original patch by akira.
• pyopencl/2015.1-1) by Tomasz Rybak.
• rockdodger/1.0.0-2 uploaded by Martin A. Godisch, original patch by Chris Lamb.
• salt/2014.7.2+ds-1) by Joe Healy.
• wmpuzzle/0.5.2-2 uploaded by Martin A. Godisch, original patch by Chris Lamb.
• wmwork/0.2.6-2 uploaded by Martin A. Godisch, original patch by Chris Lamb.

Patches submitted which did not make their way to the archive yet:

• #776618 on dactyl by Reiner Herrmann: use UTC when computing the build date.
• #787996 on cloop by Dhole: set --mtime when creating source tarball.
• #787997 on scotch by Dhole: removes extra timestamps from gzip headers.
• #787998 on perdition by Dhole: removes extra timestamps from gzip headers.
• #787999 on libwebcam by Dhole: removes extra timestamps from gzip headers.
• #788000 on libranlip by Dhole: strip extra timestamps from gzip headers, fix mtimes of packaged files.
• #788001 on libf2c2 by Dhole: fix mtimes of packages files.
• #788010 on givaro by akira: set HTML_TIMESTAMP to NO in Doxygen configuration file.
• #788012 on geis by akira: set HTML_TIMESTAMP to NO in Doxygen configuration file.
• #788122 on libfile-scan-perl by Niko Tyni: sort hash keys in Makefile.PL.
• #788238 on kfreebsd-10 by Steven Chamberlain: fix mtimes in source tarball.
• #788246 on pyepr by Juan Picca: set documentation date for Sphinx.
• #788247 on grapefruit by Juan Picca: set documentation date for Sphinx.
• #788249 on pastescript by Juan Picca: set documentation date for Sphinx.
• #788275 on geoip-database by Reiner Herrmann: sets the embedded timestamp to the date from the latest changelog entry and normalizes the used timezone to UTC..
• #788336 on irrlicht by akira: removes $datetime from the file footer.html. Now fixed upstream..
• #788393 on brian by Juan Picca: set documentation date for Sphinx.
• #788402 on linop by Juan Picca: set documentation date for Sphinx.
• #788403 on pyevolve by Juan Picca: set documentation date for Sphinx.
• #788406 on argvalidate by Juan Picca: set documentation date for Sphinx.
• #788467 on astroquery by Juan Picca: set documentation date for Sphinx.
• #788476 on mpi4py by Juan Picca: set documentation date for Sphinx.
• #788477 on musicbrainzngs by Juan Picca: set documentation date for Sphinx.
• #788480 on oslo.messaging by Juan Picca: set documentation date for Sphinx.
• #788486 on pyopencl by Juan Picca: set documentation date for Sphinx.
• #788487 on python-amqp by Juan Picca: set documentation date for Sphinx.
• #788501 on python-fudge by Juan Picca: set documentation date for Sphinx.
• #788504 on python-psutil by Juan Picca: set documentation date for Sphinx.
• #788505 on python-pypump by Juan Picca: set documentation date for Sphinx.
• #788507 on python-repoze.tm2 by Juan Picca: set documentation date for Sphinx.
• #788592 on python-repoze.what by Juan Picca: set documentation date for Sphinx.
• #788593 on python-scrapy by Juan Picca: set documentation date for Sphinx.
• #788593 on python-scrapy by Juan Picca: set documentation date for Sphinx.
• #788594 on pywavelets by Juan Picca: set documentation date for Sphinx.
• #788595 on sahara by Juan Picca: set documentation date for Sphinx.
• #788596 on simplejson by Juan Picca: set documentation date for Sphinx.
• #788597 on waitress by Juan Picca: set documentation date for Sphinx.
• #788598 on transmissionrpc by Juan Picca: set documentation date for Sphinx.
• #788599 on wtforms by Juan Picca: set documentation date for Sphinx.
• #788618 on rumor by Holger Levsen: set TZ to UTC when building the documentation.
• #788722 on thuban by Reiner Herrmann: set the date embedded in man pages to the changelog date.

reproducible.debian.net

A new variation to better notice when a package captures the environment has been introduced. (h01ger)

The test on Debian packages works by building the package twice in a short time frame. But sometimes, a mirror push can happen between the first and the second build, resulting in a package built in a different build environment. This situation is now properly detected and will run a third build automatically. (h01ger)

OpenWrt, the distribution specialized in embedded devices like small routers, is now being tested for reproducibility. The situation looks very good for their packages which seems mostly affected by timestamps in the tarball. System images will require more work on debbindiff to be better understood. (h01ger)

debbindiff development

Reiner Herrmann added support for decompling Java .class file and .ipk package files (used by OpenWrt). This is now available in version 22 released on 2015-06-14.

Documentation update

Stephen Kitt documented the new --insert-timestamp available since binutils- mingw-w64 version 6.2 available to insert a ready-made date in PE binaries built with mingw-w64.

Package reviews

195 obsolete reviews have been removed, 65 added and 126 updated this week.

New identified issues:

• PATH getting captured,
• UR::Namespace::Command::Update::Doc genarating documentation with timestamps.

Misc.

Holger Levsen reported an issue with the locales-all package that Provides: locales but is actually missing some of the files provided by locales.

Coreboot upstream has been quick to react after the announcement of the tests set up the week before. Patrick Georgi has fixed all issues in a couple of days and all Coreboot images are now reproducible (without a payload). SeaBIOS is one of the most frequently used payload on PC hardware and can now be made reproducible too.

Paul Kocialkowski wrote to the mailing list asking for help on getting U-Boot tested for reproducibility.

Lunar had a chat with maintainers of Open Build Service to better understand the difference between their system and what we are doing for Debian.