Here’s what happened in the Reproducible Builds effort between Sunday July 8 and Saturday July 14 2018:
- Derek Zimmer wrote a post entitled Solving an Old Open Source Problem to Improve Security on the Private Internet Access blog.
- Mathias Clasen wrote a short text about reproducing flatpaks from source.
- Ross Vandegrift posted to our mailing list asking a question about the doxygen documentation generator’s $year variable and SOURCE_DATE_EPOCH.
- Chris Lamb added a link on our website’s resources page to the video of the talk he gave on Wednesday 13th June at foss-backstage.de in Berlin, Germany on reproducible builds and how they prevent developers being targets for malicious attacks.
- Vagrant Cascadian removed various armhf systems with only 1GB of RAM from the Reproducible Builds testing framework.
- There was significant progress on Debian bug #894476 (“rcc: please honour SOURCE_DATE_EPOCH”).
- Vagrant Cascadian worked on Debian packaging for Mes, with help from Jan Nieuwenhuizen.
- 6 package reviews were added, 3 have been updated and 6 were removed this week, adding to our knowledge about identified issues. In addition, two issue types (variations_from_march_native and randomness_in_documentation_generated_by_lua_ldoc) were added. Lastly, two new classes of issue were added to theunreproduciblepackage.
Packages reviewed and fixed, and bugs filed
- Bernhard M. Wiedemann:
  - bash (strcpy memory corruption, sent upstream)
  - courier-imap (merged, date, use SOURCE_DATE_EPOCH)
  - dapl (date, use SOURCE_DATE_EPOCH)
  - dosemu (merged, submitted and merged upstream date, use SOURCE_DATE_EPOCH)
  - fflas-ffpack (compile time CPU detection)
  - form (drop march=native)
  - givaro (compile time CPU detection)
  - glucat (drop march=native (bug))
  - infinipath-psm (date, use SOURCE_DATE_EPOCH)
  - lam (fix date and hostname)
  - legion (drop march=native)
  - librsb (don’t store compile CPU cache details)
  - linux-glibc-devel (uname -r)
  - lv2 (use upstreamed patches)
  - opa-fm (date, use SOURCE_DATE_EPOCH)
  - openSUSE build env (fix all pdflatex timestamps)
  - pidentd (uname -r)
  - python-annoy (drop march=native)
  - python-libsass (sort readdir(2))
  - qore (uname -a)
  - redis (date and hostname)
  - sudo (build races?)
  - trigger-rally (drop march=native and mtune=native)
  - tuxpaint-config (date, use SOURCE_DATE_EPOCH)
  - tuxpaint (date, use SOURCE_DATE_EPOCH; submitted upstream)
- Chris Lamb:
- Evgeny Kapun:
diffoscope development
diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week, diffoscope version 99 was uploaded to Debian unstable by Mattia Rizzolo. It includes contributions already covered in previous weeks as well as new ones from:
- anthraxx:
- Chris Lamb:
- Mattia Rizzolo:
  - Do not shadow original import errors when loading comparators.
  - Fix override_dh_clean-does-not-call-dh_clean Lintian warning.
  - Autogenerate debian/tests/control with all the recommends listed as dependencies.
  - Add a build-dependency on procyon-decompiler to run the tests.
  - Always clean the line before printing a log message.
  - Clean the terminal line before printing a traceback.
  - Remove terminal line cleaning; it is handled by the logging module.
  - Fix a test if /sbin contains a directory.
reprotest development
reprotest is our “end-user” tool to build arbitrary software and check it for reproducibility. This week, version 0.7.8 was uploaded to Debian unstable by Mattia Rizzolo. It includes contributions already covered in previous weeks as well as additional contributions from Mattia, including:
- Don’t Recommend diffutils as it is an Essential: yes package.
- Point debian/watch towards our new release archive.
- Fix spelling errors in documentation strings.
- Use /usr/share/dpkg/pkg-info.m to avoid shelling out to dpkg-parsechangelog.
- Recommend diffoscope by itself instead as an alternative to diffutils.
Misc.
This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.