Here’s what happened in the Reproducible Builds effort between Sunday July 29 and Saturday August 4 2018:
- Recently the default GCC version in Debian unstable moved from GCC 7 to GCC 8. As outlined in our two previous reports (#168 & #169), because we had not updated our build path patches, this resulted in a large number of packages becoming unreproducible in our testing framework. Accordingly, Holger temporarily disabled the scheduling of packages in unstable and experimental. However, this week Vagrant Cascadian worked with Guillem Jover on an update to dpkg to pass a different set of build flags to GCC. Holger then installed this in our testing framework and re-enabled testing.
- Last week, Chris Lamb performed a Non Maintainer Upload (NMU) in Debian of the GNU mtools package in order to address two reproducibility-related bugs (#900409 & #900410) that were blocking work on making the installation images bit-for-bit reproducible. This week, the DELAYED upload was finally accepted into the archive and the corresponding merge request was updated.
- A number of Reproducible Builds team members presented at DebConf18, the annual Debian Developers conference. Benjamin Hof gave a talk titled “Software transparency: package security beyond signatures and reproducible builds” and there was also a status update from the team entitled “Reproducible Buster and beyond”. These, and many more talks, are available in the Resources section of our website.
- Holger added the Civil Infrastructure Platform’s key package list and their build-dependencies to our testing framework.
- Santiago Torres sent a reminder that there’s a reproducible builds IRC meeting on the 21st of August at 16:00 UTC.
- There were a number of updates to our Jenkins-based testing framework that powers tests.reproducible-builds.org, including work by Holger Levsen cleaning up some disk space (1, 2 & 3) and Mattia Rizzolo tidying the node health page.
- Holger Levsen also added our new logo to our group on salsa.debian.org.
- Finally, 38 package reviews were updated and 62 were removed this week, adding to our knowledge about identified issues.
Upstream work
Bernhard M. Wiedemann proposed toolchain patches to:
- rpm to have determinism in the process of stripping debuginfo into separate packages
- gzip to make tar -cz output reproducible on the gzip side. This might also help with compressed man-pages and was merged by gzip upstream.
In addition, Bernhard M. Wiedemann worked on:
- alex (drop config.log)
- chrony (version update to 3.3 to fix date)
- fontforge (date)
- gdm (race)
- graphviz (compile-time benchmarking)
- libdnet (sort readdir(2))
- moarvm (CPU detection)
- nauty (CPU detection)
- opa-ff (date)
- openSUSE/build-compare (erroneously reported jar files as identical)
- pcp (merged, tar.gz)
- pcp (merged, date)
- pocl (CPU-detection)
- python-restkit (date)
- tbb (date)
- wsmancli (date)
- xrdp (drop random unused private key pem)
- yudit (accepted, date)
Misc.
This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.