Here’s what happened in the Reproducible Builds effort between Sunday June 3 and Saturday June 9 2018:

• Sylvain Beucler published a blog post about his latest progress in making reproducible Windows builds using the MXE cross-build environment, SOURCE_DATE_EPOCH, etc.

• A new version of the u-boot Universal Boot Loader was released, merging a changeset from Vagrant Cascadian fixing time and umask embedded into generated images.

• Within Debian, Holger Levsen enquired about the status of Debian bug #802241 (“dpkg: please store the hash of the installed .deb and allow one to query it”) which resulted in bug #774415 (“Please add the srebuild wrapper for reproducible builds”) being reassigned to the devscripts package.

• Mattia Rizollo updated our patched gcc-7 package and uploaded it to our experimental Debian toolchain repository

• The next next reproducible builds IRC meeting has been scheduled for Tuesday the 19th at 16:00 UTC and an agenda is being collected.

Development work

• Chris Lamb submitted a merge request to the Debian Installer to make the installation images (ISO, hd-media, netboot, etc,) bit-for-bit reproducible. It currently requires a rebuild of the GNU mtools that has patches from Debian bugs #900409 & #900410 applied. A tracking bug for this feature was filed in the BTS as #900918.

• Bernhard M. Wiedemann:
  • gcc – sort input file list
  • python-fastnumbers – sort input file list
  • openSUSE/acl – date in gettext
• In diffoscope, Chris Lamb rewrote a call to readdir\_r(3) to use readdir(3) instead as the former has been deprecated in glibc 2.24. This silences a -Wdeprecated-declarations GCC warning.

Upcoming events

• On Wednesday 13th June, Chris Lamb will present at foss-backstage.de in Berlin, Germany on reproducible builds and how they prevent developers being targets for malicious attacks.

• Kirill Nikitin’s talk entitled “Securing Debian Software Updates with Skipchains and Verified Builds” was accepted by the DebConf18 programme committee.

• Our talk on “Reproducible Buster and beyond” was also accepted for DebConf18.

tests.reproducible-builds.org development

There were a number of changes to our Jenkins-based testing framework that powers tests.reproducible-builds.org, including:

• Holger Levsen:
  • Use our own SSL cert for tests.reproducible-builds.org.
  • Update a number of URLs to match the migration to salsa.debian.org. (1, 2, 3. 4. 5)
  • Handle a false-positive diskspace issue when building clisp.
• Jelle van der Waa:
  • Remove installation of pacman-git in Arch Linux reproducibility testing.

In addition, Mattia Rizzolo has been working in a large refactor of the Python part of the setup.

Documentation updates

• Mattia Rizzolo updated various README files in our tools on how to release the tarballs after moving to new infrastructure. (1, 2, 3), 4)

• Chris Lamb also updated our reproducible-builds.org website to add Steven Chamberlain’s “Fun with .buildinfo” and update the entry our DebConf17 status update to the Talks & Resources page.

• Anxhelo Lushka from Ura Design provided us with a new visual layout and style guide for our website. This will hopefully be integrated in the next week or so.

• This week, 40 package reviews were been added, 16 have been updated and 37 have been removed, adding to our knowledge about identified issues.

Misc.

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo, Santiago Torres, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.