Here’s what happened in the Reproducible Builds effort between Sunday July 8 and Saturday July 14 2018:
Derek Zimmer wrote a post entitled Solving an Old Open Source Problem to Improve Security on the Private Internet Access blog.
Matthias Clasen wrote a short text about reproducing Flatpaks from source.
Ross Vandegrift posted to our mailing list asking a question about the doxygen documentation generator’s
Chris Lamb added to our website’s resources page a link to the video of the talk he gave on Wednesday 13th June at foss-backstage.de in Berlin, Germany, on reproducible builds and how they prevent developers being targets for malicious attacks.
Vagrant Cascadian removed various armhf systems with only 1GB of RAM from the Reproducible Builds testing framework.
There was significant progress on Debian bug #894476 (“rcc: please honour
Vagrant Cascadian worked on Debian packaging for Mes, with help from Jan Nieuwenhuizen.
6 package reviews were added, 3 have been updated and 6 were removed this week, adding to our knowledge about identified issues. In addition, two issue types (variations_from_march_native and randomness_in_documentation_generated_by_lua_ldoc) were added. Lastly, two new classes of issue were added to theunreproduciblepackage.
Packages reviewed and fixed, and bugs filed
- Bernhard M. Wiedemann:
- bash (strcpy memory corruption, sent upstream)
- courier-imap (merged, date, use
- dapl (date, use
- dosemu (merged, submitted and merged upstream date, use
- fflas-ffpack (compile time CPU detection)
- form (drop
- givaro (compile time CPU detection)
- glucat (drop
- infinipath-psm (date, use
- lam (fix date and hostname)
- legion (drop march=native)
- librsb (don’t store compile CPU cache details)
- linux-glibc-devel (
- lv2 (use upstreamed patches)
- opa-fm (date, use
- openSUSE build env (fix all
- pidentd (
- python-annoy (drop march=native)
- python-libsass (sort
- qore (
- redis (date and hostname)
- sudo (build races?)
- trigger-rally (drop
- tuxpaint-config (date, use
- tuxpaint (date, use SOURCE_DATE_EPOCH; submitted upstream)
- Chris Lamb:
- Evgeny Kapun:
diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week, diffoscope version 99 was uploaded to Debian unstable by Mattia Rizzolo. It includes contributions already covered in previous weeks as well as new ones from:
- Chris Lamb:
- Mattia Rizzolo:
- Do not shadow original import errors when loading comparators.
debian/tests/control with all the recommends listed as dependencies.
- Add a build-dependency on procyon-decompiler to run the tests.
- Always clean the line before printing a log message.
- Clean the terminal line before printing a traceback.
- Remove terminal line cleaning; it is handled by the logging module.
- Fix a test if /sbin contains a directory.
reprotest is our “end-user” tool to build arbitrary software and check it for reproducibility. This week, version 0.7.8 was uploaded to Debian unstable by Mattia Rizzolo. It includes contributions already covered in previous weeks as well as additional contributions from Mattia, including:
diffutils as it is an
debian/watch towards our new release archive.
- Fix spelling errors in documentation strings.
/usr/share/dpkg/pkg-info.mk to avoid shelling out to
diffoscope by itself instead as an alternative to
This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.