Reproducible Builds: Weekly report #92

Here’s what happened in the Reproducible Builds effort between Sunday January 22 and Saturday January 28 2017:

Media coverage

• The Reproducible Build Zoo was presented by Vagrant Cascadian at the Embedded Linux Conference in Portland, Oregon on February 22nd.

• Dennis Gilmore and Holger Levsen presented “Reproducible Builds and Fedora” at Devconf.cz on February 27th.

Upcoming Events

• Introduction to Reproducible Builds will be presented by Vagrant Cascadian at Scale15x in Pasadena, California, March 5th.

• “Verifying Software Freedom with Reproducible Builds” will be presented by Vagrant Cascadian at Libreplanet2017 in Boston, March 25th-26th.

Reproducible work in other projects

John Gilmore wrote an interesting mail about how Cygnus.com worked on reproducible builds in the early 1990s. It’s eye opening to see how the dealt with basically the very same problems we’re dealing with today, how they solved them and then to realize that most of this has been forgotten and bit-rotted in the last 20 years. How will we prevent history repeating itself here?

Toolchain development and fixes

Christoph Biedl wrote a mail describing an interesting problem in to the way binNMUs are done in Debian.

Guillem Jover made a number of changes to dpkg that affect the Reproducible Builds effort within Debian:

• Always set SOURCE_DATE_EPOCH in dpkg-buildpackage and dpkg-source. Use the current date if the changelog does not have one. Closes: #849081

• Add initial support for DEB_BUILD_OPTIONS to dpkg-genbuildinfo. This will make it possible to enable or disable specific features that should be recorded in the .buildinfo file. For now only “all” and “path” are supported. Closes: #848705

• Include .buildinfo files also for source-only uploads in dpkg-genchanges. Closes: #846164

• Add support for signed .buildinfo files to dpkg-buildpackage. Add new -ui and --unsigned-buildinfo options. Closes: #843925

• Make dpkg-buildpackage --unsigned-changes not sign .buildinfo either. This breaks the expectations of users and tools, because there was no way previously to request no signing at all. Closes: #852822

Packages reviewed and fixed, and bugs filed

Chris Lamb:

• #852482 filed against flask-limiter.
• #853039 filed against fontypython.

Dhole:

• #852289 filed against python-passlib.

Reviews of unreproducible packages

17 package reviews have been added, 4 have been updated and 6 have been removed in this week, adding to our knowledge about identified issues.

2 issue types have been added:

• python_versioneer_uses_parentdir
• captures_kernel_version_via_CMAKE_SYSTEM

1 issue type has been removed:

• ftbfs_due_to_jenkins_semaphore_setup

Weekly QA work

During our reproducibility testing, the following FTBFS bugs have been detected and reported by:

• Chris Lamb (6)
• Holger Levsen (1)

diffoscope development

• diffoscope 70 was uploaded to unstable by Mattia Rizzolo. It included contributions from:

• Chris Lamb:

  • tests.presenters: Prevent FTBFS by loading fixtures as UTF-8 in case surrounding terminal is not Unicode-aware. (Closes: #852926)
  • comparators: Tidy re_tests with list comprehensions and implicit “x, y” unpacking over indexing; lambda/filter is not idiomatic Python 3.
  • tests: Increase coverage by adding “# noqa” in relevant parts.
  • tests: Test that no arguments (beyond the filenames) prints the text output.
  • tests: Test –text-color output format.
  • tests: Add a test comparing two empty directories.
  • tests: Don’t warn about coverage lines that raise NotImplementedError.
• anthraxx:
  • tools: switch Arch Linux dependency for pedump to mono
• Ximin Luo:
  • Fix lazy expression, filter is lazy in Python 3
  • Fix bug introduced in commit 36d1c964 that only worked “accidentally”

reprotest development

• reprotest 0.6 was uploaded to unstable by Holger Levsen. It included contributions:

• Ximin Luo:

  • Test the extra variations we added recently and ensure they don’t get missed in the future
  • Better logging messages that actually get controlled by the verbosity flag
  • Add a man page using rst2man and help2man
  • Add a –config-file option and fix the loading of configs
  • Fix the reading of config options
  • Fix a bug where the sha256sum of a reproduction won’t be displayed if –store-dir is not given

buildinfo.debian.net development

• Chris Lamb:
  • Show SHA256 checksums on larger displays
  • Move default storage to S3.
  • Store files directly onto S3.
  • Add tool to move data to S3.
  • Load data from S3 if we don’t have it locally.

tests.reproducible-builds.org

• h01ger experimented with reusing SSH control connections but stopped that experiment when we ran into more network issues than before. To be continued, as we’re having 10k SSH connections per day and saving 2 seconds each time would sum up, especially on the Jenkins host itself.
• h01ger made the scheduler run 3 times a day, 2.5h after dinstall runs, instead of every 3h as before.
• h01ger restructured the https://tests.reproducible-builds.org/debian/index_breakages.html and improved the corresponding Jenins job.
• h01ger also unblacklisted xmds2, sofia-sip and ck - if you think other packages should be unblacklisted (maybe only on some architectures), please do tell us.

Misc.

This week’s edition was written by Chris Lamb and Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.