Reproducible Builds: Weekly report #183

If you are interested in attending the Reproducible Builds summit in Paris between 11th—13th December please see the event page. In the meantime, here’s what happened in the Reproducible Builds effort between Sunday October 21 and Saturday October 27 2018:

• Allen “Gunner” Gunn — the facilitator at our summit meetings — discussed the Reproducible Builds on a recent episode of The Changelog podcast at about 12m00s.

• Lisa Neigut wrote a blog post entitled “Reproducible builds with Bitcoin, Tor and Turtles” referencing the Turtles project by Cory Fields as well as Tor.

• Bernhard M. Wiedemann posted a status update to the opensuse-factory mailing list on the current state of reproducible builds in openSUSE.

• Vagrant Cascadian announced that he has begun uploading .buildinfo files from the Debian archive to the experimental buildinfo.debian.net service.

• David A. Wheeler started a thread on our mailing list enquiring on the status of core reproducibility in Debian.

• It was announced that Chris Lamb will be presenting in on Reproducible Builds at the SFScon conference in Bozen, Italy on reproducible builds and how they can prevent developers from becoming targets of various attacks. In addition, Arnout Engelen and Jelle van der Waa will present at HackerHotel in mid-February 2019 on “Improving Open Source Security with Reproducible Builds”.

• The CMake build system documented a new BUILD_RPATH_USE_ORIGIN flag that determines whether to use (typically unreproducible) absolute build paths versus relative ones in the rpath library search path header found in executables on UNIX systems.

• Chris Lamb added a Salsa ribbon to the diffoscope.org website. […]

• Bernhard M. Wiedemann gave an update on the openSUSE reproducible builds status, including details on remaining issues with 57 important packages.

• Jelle van der Waa held an IRC meeting on 23th of October.

• 44 Debian package reviews were added, 6 were updated and 15 were removed in this week, adding to our knowledge about identified issues.

Packages reviewed and fixed, and bugs filed

• Bernhard M. Wiedemann:

  • ant/jar — noarch, rebuild-counter)
  • daps/release-notes-openSUSE — date, time & other
  • docker/cobra — merged, date
  • gnome-builder — drop environment.pickle
  • infinipath-psm — date
  • libressl — FTBFS-j1
  • open-iscsi — fix date in manpages
  • python-Kivy — merged, date
  • qpid-proton — sort Python glob / readdir(2)
  • qt5-qtbase — use SOURCE_DATE_EPOCH as the file modification time
  • xen — date, time, random, tried to upstream the patch to drop the .efi Portable Executable (PE) timestamps, and then try to address it in binutils (use SOURCE_DATE_EPOCH for PE timestamp)
• Chris Lamb:
  • #911804 filed against wit — buildpath.
  • #911757 filed against zsh-antigen — timestamps.
• Marina Moore:
  • librabbitmq — Use CMAKE_SYSTEM_NAME instead of CMAKE_SYSTEM.
  • golang-go-flags — Use SOURCE_DATE_EPOCH.

diffoscope development

diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week, version 104 was uploaded to Debian unstable by Mattia Rizzolo. It included contributions already covered in previous weeks as well as new ones from:

• Chris Lamb:
  • Prevent test failures when running under stretch-backports by checking the OCaml version number.. ( #911846)
  • Add support for comparing PDF metadata using PyPDF2. (#911446)
  • Correct “didnt” typo in test utilities.
  • Regenerate debian/tests/control with no material changes to “add” a regeneration comment.
• Mattia Rizzolo:
  • Compute the test coverage on GitLab.
  • Reinstate Build-Depends and Test-Depends for apktool as it is now back in Debian “buster”.
  • Declare compatibility with Python 3.7 for PyPI metadata.
  • Clean up .pytest_cache.
  • Ensure the correct fallback from procyon to javap also when procyon exists but doesn’t return any output

disorderfs development

disorderfs (our FUSE-based filesystem that deliberately introduces non-determinism into filesystems) version 0.5.5-1 was uploaded to Debian unstable by Chris Lamb. It included contributions already covered in previous weeks as well as new ones from:

• Bernhard M. Wiedemann:
  • Include and use a run-parts.sh for tests as this a Debian-specific utility.
  • Use lazy unmount and -q for fusermount when running the testsuite.
• Chris Lamb:
  • Inform FUSE that we wrap and thus accept the UTIME_OMIT (and UTIME_NOW) magic values to ensure that touch -m … and touch -a … work as expected. (#911281)
  • Failing an “XFail” test should be a failure.
  • Tidy tests.

reproducible-website development

• Chris Lamb:
  • Add step-by-step instructions and screenshots on how to signup to our project on Salsa. […]
  • Migrate the TimestampsProposal page on the Debian Wiki to our website. […]
  • Update logo to “real” white background, not a colour very close to white.

• Holger Levsen:

  • Update the Paris 2018 summit page to improve some language and to add a add a remark about the schedule.

• Vagrant Cascadian:

  • Fix broken DebianPts links to use tracker.debian.org after an import from the Debian Wiki on the “Contribute page. [….]
  • Note that we longer need a logo; we have one.

Test framework development

There were a number of updates to our Jenkins-based testing framework that powers tests.reproducible-builds.org by Holger Levsen this week, including:

• Notify the #reprodudicible-builds IRC channel on “notes” job failures. […]
• Fix the F-Droid development package set. […]
• Send IRC “notifications” to the #reproducible-builds channel. […]
• Attempt to fix the disorderfs and reprotests jobs. […]
• Ignore diffoscope jobs in health view as they are already covered in the node health view. […]
• Correctly calculate the percentage of reproducible packages and images in OpenWrt. […]

Chris Lamb also suppressed some warnings from the cryptsetup initramfs hook which were causing some builds to be marked as “unstable”.

---

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Jelle van der Waa, Marina Moore, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.