Here’s what happened in the Reproducible Builds effort between Sunday July 29 and Saturday August 4 2018:
Recently the default GCC version in Debian unstable moved from GCC 7 to GCC 8. As outlined in our two previous reports (#168 & #169), because we had not updated our build path patches, this resulted in a large number of packages becoming unreproducible in our testing framework. Accordingly, Holger temporarily disabled the scheduling of packages in
However, this week Vagrant Cascadian worked with Guillem Jover on an update to dpkg to pass a different set of build flags to GCC, which Holger installed in our testing framework before re-enabling testing.
Last week, Chris Lamb performed a Non-Maintainer Upload (NMU) in Debian of the GNU mtools package in order to address two reproducibility-related bugs (#900409 & #900410) that were blocking work on making the installation images bit-for-bit reproducible. This week, the DELAYED upload was finally accepted into the archive and the corresponding merge request was updated.
A number of Reproducible Builds team members presented at DebConf18, the annual Debian Developers conference. Benjamin Hof gave a talk titled “Software transparency: package security beyond signatures and reproducible builds” and there was also a status update from the team entitled “Reproducible Buster and beyond”. These, and many more talks, are available in the Resources section of our website.
Santiago Torres sent a reminder that there’s a reproducible builds IRC meeting on the 21st of August at 16:00 UTC.
There were a number of updates to our Jenkins-based testing framework that powers tests.reproducible-builds.org, including work by Holger Levsen cleaning up some disk space (1, 2 & 3) and Mattia Rizzolo tidying the node health page.
Holger Levsen also added our new logo to our group on salsa.debian.org.
Finally, 38 package reviews were updated and 62 were removed this week, adding to our knowledge about identified issues.
Bernhard M. Wiedemann proposed toolchain patches to:
- rpm to have determinism in the process of stripping debuginfo into separate packages
- gzip to make tar -cz output reproducible on the gzip side. This might also help with compressed man-pages and merged by
In addition, Bernhard M. Wiedemann worked on:
- alex (drop config.log)
- chrony (version update to 3.3 to fix date)
- fontforge (date)
- gdm (race)
- graphviz (compile-time benchmarking)
- libdnet (sort
- moarvm (CPU detection)
- nauty (CPU detection)
- opa-ff (date)
- openSUSE/build-compare (erroneously reported jar files as identical)
- pcp (merged, tar.gz)
- pcp (merged, date)
- pocl (CPU-detection)
- python-restkit (date)
- tbb (date)
- wsmancli (date)
- xrdp (drop random unused private key pem)
- yudit (accepted, date)
This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.