Here’s what happened in the Reproducible Builds effort between Sunday July 15 and Saturday July 21 2018:
The default GCC version in Debian unstable was changed from GCC 7 to GCC 8. Unfortunately as we have not updated our build path patches for this latter version, this is resulting in a large number of packages becoming unreproducible in our testing framework. Holger Levsen temporarily disabled rescheduling of already-tested packages, but note that newly uploaded versions will still be tested and thus will likely be marked as “unreproducible”.
- “Reproducible Buster and beyond” by the Reproducible Builds team.
- “My crush on GNU Guix” by Vagrant Cascadian.
- “Software transparency: package security beyond signatures and reproducible builds” by Benjamin Hof.
(Live video streams will be available.)
Bernhard M. Wiedemann completed rebuilding all official openSUSE-Leap-15.0 packages. No bit-for-bit identical rebuilds are possible yet (as file modification times are kept). However, several new bugs were found/fixed, and no backdoors were found.
Chris Lamb’s patches to ensure Debian initrd images are reproducible were merged and released by Ben Hutchings.
Holger Levsen’s proposal to the Prototype Fund entitled «Reproducible Builds in der Wirklichkeit» (“Reproducible builds in reality”) has been accepted for funding as part of their fourth round of projects, starting in September 2019.
Chris Lamb updated diffoscope (our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages) to wrap jsondiff calls with a try-except to prevent fatal errors to close Debian bugs #903447 and #903449.
One Debian package review was added and one was removed in this week, adding to our knowledge about identified issues.
Packages reviewed and fixed, and bugs filed
Bernhard M. Wiedemann:
- Holger Levsen:
- Mattia Rizzolo:
This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb and Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.