Reproducible Builds: Weekly report #206

Here’s what happened in the Reproducible Builds effort between Sunday March 31 and Saturday April 6 2019:

• Bernhard M. Wiedemann wrote a blog post about his import of openSUSE Tumbleweed into IPFS to aid verification of older binaries.

• Chris Lamb filed a wishlist bug against Debian’s jenkins.debian.org “pseudo-package” to request that we test and ensure the reproducibility status of Debian Installer images.

• diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week Chris Lamb changed the behaviour such that specifying “-” (a hyphen) is explicitly required on the command-line to read a single diff from standard input to avoid somewhat non-intuitive behaviour when diffoscope is called without any arguments ([#54]). In addition, Holger Levsen requested permission for diffoscope version 113 to enter the upcoming Debian buster release via bug #926065. This was subsequently processed by Jonathan Wiltshire.

• 33 reviews of Debian packages were added, 2 were updated and 8 were removed in this week adding to our knowledge about identified issues. Chris Lamb identified and triaged a fresh toolchain issue, randomness_in_perl6_precompiled_libraries.

• There were a number of updates to the reproducible-builds.org project website including Chris Lamb adding an explicit link to the “who” and “donate” pages in the new footer template […][…] as well as tidying the language a little[…]. In addition, Daniel Shahaf adding an April’s Fools joke […].

• On our mailing list, David A. Wheeler started a thread regarding the definition of reproducibility and how it appears on the reproducible-builds.org project website.

• Chris Lamb updated the LetsEncrypt SSL certificate for buildinfo.debian.net.

• On the Software Freedom Conservancy blog, Pamela Chestek wrote a post titled “Do You Know Where Your Code Came From?” which references the Reproducible Builds project. In addition,Reproducible Builds (and supply chain security in general) were mentioned on episode 15 of the LibreLounge podcast.

Packages reviewed and fixed, and bugs filed

• Bernhard M. Wiedemann:
  • mstflint (date/time)
  • mhvtl (time)
  • A number of fixes for the pesign-obs-integration to pass through RPM %licence filetype tag and better keep RPM bits and a related fix of an RPM bug
  • oyranos (uname -r)
  • linphone (sort Python readdir)
  • mvapich2 (sort readdir)
  • miredo (hostname)
  • python-Django1 (“FTBFS-2028”)
  • inotify-tools (date orphaned upstream)
  • warzone2100 (sort zip -X already upstream)
  • diffoscope (update to version 113)
• Chris Lamb:
  • #926298 filed against adms.
  • #926300 filed against qpid-proton.
  • #926301 filed against coda.
  • #926421 filed against netcdf-parallel.

Test framework development

• We operate a comprehensive Jenkins-based testing framework that powers tests.reproducible-builds.org. The following changes were done this week:

• Chris Lamb:
  • Avoid double spaces in IRC output, eg. “Failed http://example.com/”. […]
• Holger Levsen:
  • Don’t turn nodes offline too quickly. […]
  • Add new experimental buildinfos.debian.net service. […]
  • Allow “long-running” .buildinfo download runners. […]
  • Node maintenance. […][…][…][…][…]
• Mattia Rizzolo:
  • Apply flake8 to the email2irc.py script. […]
  • Install the python3-yaml library everywhere as it is needed by the deploy script. […]
  • Special-case the src:debian-installer package as it has “special” download requirements. […] (see #926242)
  • Add the new reproducible-builds.org mail server to our Munin configurations. […]
  • Drop the old Alioth OpenSSH key from Jenkins’ authorized_keys. […]
  • Node maintenance. […]

---

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Daniel Shahaf, Holger Levsen, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.