What happened in the Reproducible Builds effort between Sunday November 6 and Saturday November 12 2016:
Media coverage
Matthew Garrett blogged about Tor, TPMs and service integrity attestation and how reproducible builds are the base for systems integrity.
The Linux Foundation announced renewed funding for us as part of the Core Infrastructure Initiative. Thank you!
Outreachy updates
Maria Glukhova has been accepted into the Outreachy winter internship and will work with us, the Debian reproducible builds team.
siamezzze: I've been accepted to #outreachy winter internship - going to work with Debian reproducible builds team. So excited about that! <3 Debian
Toolchain development and fixes
dpkg:
- Thanks to a series of dpkg uploads by Guillem Jover, all our toolchain changes are now finally available in sid!
- This means your packages should now be reproducible without having to use our custom APT repository.
- Ximin Luo opened #843925 as a reminder that dpkg-buildpackage should sign buildinfo files.
- We hope to have a detailed post about the new dpkg and the new .buildinfo files for debian-devel-announce soon!
debrebuild:
- srebuild / debrebuild work was resumed by Johannes Schauer and others in #774415.
Bugs filed
Chris Lamb:
- #844102 filed against lava-dispatcher
- #844103 filed against lava-server
- #844111 filed against python-defaults
- #843698 filed against tunnelx
- #843967 filed against asyncpg
- #843865 filed against keystone
- #844101 filed against suil
Daniel Shahaf:
- #844232 filed against daisy-player
- #844236 filed against libhtml-lint-perl
- #844228 filed against ebook-speaker
Niko Tyni:
- #843432 filed against libwww-curl-perl
Reiner Herrmann:
Reviews of unreproducible packages
136 package reviews have been added, 5 have been updated and 7 have been removed this week, adding to our knowledge about identified issues.
3 issue types have been updated:
- Added: random_order_in_dh_pythonX_substvars, valac_permutes_get_type_calls
- Updated: timestamps_in_static_libraries
Weekly QA work
During reproducibility testing, some FTBFS bugs have been detected and reported by:
- Chris Lamb (29)
- Niko Tyni (1)
diffoscope development
A new version of diffoscope 62~bpo8+1 was uploaded to jessie-backports by Mattia Rizzolo.
Meanwhile in git, Ximin Luo greatly improved speed by fixing an O(n^2) lookup which was causing diffs of large packages such as GCC and glibc to take many more hours than was necessary. When this commit is released, we should hopefully see full diffs for such packages again. Currently we have 197 source packages which - when built - diffoscope fails to analyse.
buildinfo.debian.net development
- Submissions with duplicate Installed-Build-Depends entries are rejected now that a bug in dpkg causing them has been fixed. Thanks to Guillem Jover.
- Add a new page for every (source, version) combination, for example diffoscope 62.
- DigitalOcean have generously offered to sponsor the hardware buildinfo.debian.net is running on.
tests.reproducible-builds.org
Debian:
- For privacy reasons, the new dpkg-genbuildinfo includes Build-Path only if it is under /build. HW42 updated our jobs so this is the case for our builds too, so you can see the build path in the .buildinfo files.
- HW42 also updated our jobs to vary the basename of the source extraction directory. This detects packages that incorrectly assume a $pkg-$version directory naming scheme (which is what dpkg-source -x gives but is not mandated by Debian nor always-true) or that they’re being built from a SCM.
- The new dpkg-genbuildinfo also records a sanitised Environment. This is different in our builds, so HW42, Reiner and Holger updated our jobs to hide these differences from diffoscope output.
- Package-set improvements:
  - Holger refactored the create_meta_pkg_sets job so that it’s easier to add new package sets.
  - This job is now also using dose-extra from jessie-backports so that it can deal with versioned provides.
  - Added 4 new package sets: debian-edu, debian-edu_build-depends, maint_pkg-grass-devel, maint_debian-accessibility, maint_pkg-openstack.
  - Switched to using the new URL for tails manifests to generate the tails package set.
  - Renamed maint_lua to maint_debian-lua
- Valerie Young contributed four patches for our long-planned transition from SQLite to PostgreSQL.
- In anticipation of the freeze, already-tested packages from unstable and testing on amd64 are now scheduled with equal priority.
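The two .buildinfo rules mentioned above (buildinfo.debian.net rejecting duplicate Installed-Build-Depends entries, and Build-Path being recorded only when it is under /build) can be checked on a file before it is accepted. The following is an added example, not code from dpkg or buildinfo.debian.net: the function names and the sample file are constructed, the input is assumed to be an unsigned single-paragraph .buildinfo, and a "duplicate" is assumed to mean the same package name listed more than once.

```python
import posixpath
import re

# Constructed sample .buildinfo (not a real upload): it lists libc6 twice
# and records a Build-Path that is not under /build.
SAMPLE = """\
Format: 1.0
Source: hello
Version: 2.10-1
Build-Path: /home/alice/src/hello-2.10
Installed-Build-Depends:
 debhelper (= 10.2.2),
 libc6 (= 2.24-5),
 libc6 (= 2.24-5),
 make (= 4.1-9)
Environment:
 LANG="C"
"""

def parse_fields(text):
    """Parse one control-file paragraph into {field: value}, joining continuation lines."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current:
            fields[current] += "\n" + line.strip()
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current] = value.strip()
    return fields

def check_buildinfo(text):
    """Return a list of problems found; an empty list means both checks pass."""
    fields = parse_fields(text)
    problems, seen = [], set()
    deps = fields.get("Installed-Build-Depends", "").replace("\n", " ")
    for entry in deps.split(","):
        name = re.split(r"[\s(]", entry.strip(), maxsplit=1)[0]  # drop "(= version)"
        if not name:
            continue
        if name in seen:
            problems.append(f"duplicate Installed-Build-Depends entry: {name}")
        seen.add(name)
    path = fields.get("Build-Path")
    # Normalise first so that "/build/../home/x" does not pass as "under /build".
    if path is not None and not posixpath.normpath(path).startswith("/build/"):
        problems.append(f"Build-Path outside /build: {path}")
    return problems
```

Calling check_buildinfo(SAMPLE) reports both the repeated libc6 entry and the home-directory build path.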
reproducible-builds.org website
F-Droid was finally added to our list of partner projects. (This was an oversight and they had already been working with us for some time.)
Misc.
This week’s edition was written by Ximin Luo and Holger Levsen and reviewed by a bunch of Reproducible Builds folks on IRC.