Welcome to the October 2020 report from the Reproducible Builds project.
In our monthly reports, we outline the major things that we have been up to over the past month. As a brief reminder, the motivation behind the Reproducible Builds effort is to ensure flaws have not been introduced in the binaries we install on our systems. If you are interested in contributing to the project, please visit our main website.
The previous year has seen great progress in Arch Linux to get reproducible builds in the hands of the users and developers. In this talk we will explore the current tooling that allows users to reproduce packages, the rebuilder software that has been written to check packages and the current issues in this space.
During the Reproducible Builds summit in Marrakesh in 2019, developers from the GNU Guix, NixOS and Debian distributions were able to produce a bit-for-bit identical GNU Mes binary despite using three different versions of GCC. Since this summit, additional work resulted in a bit-for-bit identical Mes binary using
tcc, and last month a fuller update was posted to this effect by the individuals involved. This month, however, David Wheeler updated his extensive page on Fully Countering Trusting Trust through Diverse Double-Compiling, remarking that:
GNU Mes rebuild is definitely an application of [Diverse Double-Compiling]. [..] This is an awesome application of DDC, and I believe it’s the first publicly acknowledged use of DDC on a binary
There was a small, followup discussion on our mailing list.
This month, the Reproducible Builds project restarted our IRC meetings, managing to convene twice: the first time on October 12th (summary & logs), and later on the 26th (logs). As mentioned in previous reports, due to the unprecedented events throughout 2020, there will be no in-person summit event this year.
In August, Lucas Nussbaum performed an archive-wide rebuild of packages to test enabling the
reproducible=+fixfilepath Debian build flag by default. Enabling this
fixfilepath feature will likely fix reproducibility issues in an estimated 500-700 packages. However, this month Vagrant Cascadian posted to the debian-devel mailing list:
It would be great to see the
reproducible=+fixfilepathfeature enabled by default in
dpkg-buildflags, and we would like to proceed forward with this soon unless we hear any major concerns or other outstanding issues. […] We would like to move forward with this change soon, so please raise any concerns or issues not covered already.
Debian Developer Stuart Prescott has been improving
python-debian, a Python library that is used to parse Debian-specific files such as changelogs,
.dscs, etc. In particular, Stuart is working on adding support for
.buildinfo files used for recording reproducibility-related build metadata:
This can mostly be a very thin layer around the existing
Deb822types, using the existing
Changescode for the file listings, the existing
PkgRelationscode for the package listing and
gpg_*functions for signature handling.
A total of 159 Debian packages were categorised, 69 had their categorisation updated, and 33 had their classification removed this month, adding to our knowledge about identified issues. As part of this, Chris Lamb identified and classified two new issues:
This month, we tried to fix a large number of currently-unreproducible packages, including:
Bernhard M. Wiedemann:
go(version 1.15.3 has improved reproducibility over 1.14)
goxel(sort SCons-related filesystem ordering issue)
lal(rework an old date-related patch)
libsemigroups(build failure in single-CPU mode)
memcached(build failure in 2025 due to expired SSL certificate)
octant(SUSE-specific date issue)
openmpi4(date-related problem, revive old patch)
sbcl(datetime and hostname issue)
selinux-policy/policycoreutils(date-related issue in timezone)
- #970383 filed against
- #971527 filed against
- #972077 filed against
- #972078 filed against
- #972147 filed against
- #972336 filed against
- #972378 filed against
- #972493 filed against
- #972494 filed against
- #972496 filed against
- #972559 filed against
- #972561 filed against
- #972562 filed against
- #972631 filed against
- #972668 filed against
- #972861 filed against
- #972930 filed against
- #965255 re-opened with new patch
- #970383 filed against
diffoscope is our in-depth and content-aware diff utility. Not only could you locate and diagnose reproducibility issues, it provides human-readable diffs of all kinds too. This month, Chris Lamb uploaded version
161 to Debian (later backported by Mattia Rizzolo), as well as made the following changes:
- Update tests to support OCaml version 4.11.1. Thanks to Sebastian Ramacher for the report. (#972518)
- Bump minimum version of the Black source code formatter to
In addition, Jean-Romain Garnier temporarily updated the dependency on
radare2 to ensure our test pipelines continue to work […], and for the GNU Guix distribution Vagrant Cascadian diffoscope to version 161 […].
In related development, trydiffoscope is the web-based version of diffoscope. This month, Chris Lamb made the following changes:
- Mark a
--help-only test as being a ‘superficial’ test. (#971506)
- Add a real, albeit flaky, test that interacts with the
debhelpercompatibility level to 13 […] and bump
Standards-Versionto 4.5.0 […].
Lastly, disorderfs version
0.5.10-2 was uploaded to Debian unstable by Holger Levsen, which enabled security hardening via
DEB_BUILD_MAINT_OPTIONS […] and dropped
This month, a number of updates to the main Reproducible Builds website and related documentation were made by Chris Lamb:
- Add a citation link to the academic article regarding
dettrace[…], and added yet another supply-chain security attack publication […].
- Reformatted the Jekyll’s Liquid templating language and CSS formatting to be consistent […] as well as expand a number of tab characters […].
relative_urlto fix missing translation icon on various pages. […]
- Published two announcement blog posts regarding the restarting of our IRC meetings. […][…]
- Added an explicit note regarding the lack of an in-person summit in 2020 to our events page. […]
System health checks:
- Make a number of updates to reflect that our sponsor Profitbricks has renamed itself to IONOS. […][…][…][…]
- Run a F-Droid maintenance routine twice a month to utilise its cleanup features. […]
- Fix the target name in OpenWrt builds to
- Add a missing Postfix configuration for a node. […]
- Temporarily disable Arch Linux builds until a core node is back. […]
- Make a number of changes to our “thanks” page. […][…][…]
Build node maintenance was performed by both Holger Levsen […][…] and Vagrant Cascadian […][…][…], Vagrant Cascadian also updated the page listing the variations made when testing to reflect changes for in build paths […] and Hans-Christoph Steiner made a number of changes for F-Droid, the free software app repository for Android devices, including:
- Do not fail reproducibility jobs when their cleanup tasks fail. […]
- Skip libvirt-related
sudocommand if we are not actually running
- Use direct URLs in order to eliminate a useless HTTP redirect. […]
If you are interested in contributing to the Reproducible Builds project, please visit the Contribute page on our website. However, you can also get in touch with us via: