This is report on my previous week activities with Debian Reproducible-Builds. In last 10 days, I had build different Debain packages at my own using prebuilder to experience the reproducibility issues. I am thankful to deki and Lunar for suggesting me to do that task. Based on this experience, I managed to find more use cases for hide=profiles specification. I also researched differences of different unreproducible Debian packages on http://tests.reproducible-builds.org . There are many packages available for examination. In brief I did following tasks:

• I worked on hide=profiles specification. Mostly, I tried to find use cases.
• I made changes to https://wiki.debian.org/ReproducibleBuilds/HideProfilesSpecification added detailed information in each use case.
• Read documentation on argcomplete python module and had some hands on experience with module. Purpose of doing this was to add argument completion feature to Diffoscope. pabs had filed bug report for this #826711. I am implementing this feature and discussing issues with pabs as well as researching diffs side-by-side to generate more use cases. Here, Thanks to pabs for guidance and support :)
• I went through different software to see how they are ignoring the stuff. Those are following:
  • apkdiff
  • pkg-diff
  • tar

Upcoming week will be an important as well as fun week because I will be implementing the use cases. Right now, I am currently looking at different softwares which ignores stuff and taking notes of it. So that, it will help me during implementing solution of use cases. I am also looking forward to feedback from community on use cases and CLI interfaces. Have a great week :)

This is a concise report on my previous week. I started working from 28 May as the exams ended. This report is bit late. I started work on hide=profiles flag. Till now, I did/doing following tasks:

• Read documentation related to argparse python module.
• Debug the code to find the ways to implement the solution
• Discussed the problem with the community.
• Based on progress I have pushed some code here (work is in progress)

Lunar suggested me to create the specification for hide=profiles. It can be found here https://wiki.debian.org/ReproducibleBuilds/HideProfilesSpecification General purpose of addition of hide=profiles to diffoscope is because we want to provide an alternative for tool like OBS pkg-diff. We want to increase userbase of diffoscope and thus number of contributors. Hopefully, I will finish this part as soon as possible. We are still discussing, how things should be done! Right now, I am researching diff of unreproducible packages and trying to develop use cases. I will update the HideProfilesSpecification wiki with my findings. Lunar has given me a proper directions and community is very much helpful. :) My goal for an upcoming week is to search for packages which are unreproducible and generate use cases for diffoscope. This week I will also try to fix the reproducibility of Debian packages. I am loving, contributing to Debian and free software and it s a great learning experience. Many things to come in upcoming time :)

Puppet 4 has been uploaded to Debian unstable. This is a major upgrade from Puppet 3. If you are using Puppet, chances are that it is handling important bits of your infrastructure, and you should upgrade with care. Here are some points to consider.

Read Puppet s upgrade checklist First, there are a number of changes in Puppet itself. There is an upgrade checklist for Puppet (the software) published by Puppet (the company). Please read this before you upgrade, and not after.

Using exported resources? In Puppet 4, using exported resources requires PuppetDB, which is not packaged in Debian.

Getting PuppetDB Puppet provides good installation documentation for PuppetDB, and an apt software repository where you you can get the packages you require.

Editor support packages The packages vim-puppet and puppet-el provide support for editors Vim and Emacs. These are no longer built from the puppet source package. The sources for these have moved to separate repositories, and will get individual source packages. For vim-puppet, there are two alternatives for new packaging, rodjek/vim-puppet, and puppetlabs/puppet-syntax-vim For puppet-el puppetlabs/puppet-syntax-emacs and lunaryorn/puppet-mode are available.

Hello friend, family, fellow Outreachy participants, and the Debian community!
This blog's primary purpose will be to track the progress of the Outreachy project in which I'm participating this summer   This post is to introduce myself and my project (working on the Debian reproducible builds project).
What is Outreachy? You might not know! Let me empower you: Outreachy is an organization connecting woman and minorities to mentors in the free (as in freedom) software community, /and/ funding for three months to work with the mentors and contribute to a free software project.  If you are a woman or minority human that likes free software, or if you know anyone in this situation, please tell them about Outreachy  Or put them in touch with me, I'd happily tell them more.
So who am I?
My name is Valerie Young. I live in the Boston Metropolitan Area (any other outreachy participants here?) and hella love free software. 
Some bullet pointed Val facts in rough reverse chronological order:
- I run Debian but only began contributing during the Outreachy application process
- If you went to DebConf2015, you might have seen me dye nine people's hair blue, blond or Debian swirl.
- If you stop through Boston I could be easily convinced to dye your hair.
- I worked on electronic medical records web application for the last two years (lotsa Javascriptin' and Perlin' at athenahealth)
- Before that I taught a programming summer program at University of Moratuwain Sri Lanka.
- Before that I got a degrees in physics and computer science at Boston University.
- At BU I helped start a hackerspace where my interest in technology, free software, hacker culture, anarchy, the internet all began.
- I grew up in the very fine San Francisco Bay Area.
What will I be working on?
Reproducible builds!
In the near future I'll write a  What is reproducible builds? Why is it so hot right now?  post.  For now, from a high (and not technical) level, reproducible builds is a broad effort to verify that the computer executable binary programs you run on your computer come from the human readable source code they claim to. It is not presently /impossible/ to do this verification, but it's not easy, and there are a lot of nuanced computer quirks that make it difficult for the most experienced programmer and straight-up impossible for a user with no technical expertise. And without this ability to verify -- the state we are in now -- any executable piece of software could be hiding secret code. 
The first step towards the goal of verifiability is to make reproducibility a essential part of software development. Reproducible builds means this: when you compile a program from the source code, it should always be identical, bit by bit. If the program is always identical, you can compare your version of the software to any trusted programmer with very little effort. If it is identical, you can trust it -- if it's not, you have reason to worry.
The Debian project is undergoing an effort to make the entire Debian operating system verifiable reproducible (hurray!). My outreachy-funded summer contribution involves the improving and updating tests.reproducible-builds.org   a site that presently presently surfaces the results of reproducibility testing of several free software projects (including Debian, Fedora, coreboot, OpenWrt, NetBSD, FreeBSD and ArchLinux). However, the design of test.r-b.org is a bit confusing, making it difficult for a user to find how to check on the reproducibility of a given package for one of the aforementioned projects, or understand the reasons for failure. Additional, the backend test results of Debian are outgrowing the original SQLite database, and many projects do not log the results of package testing at all. I hope, by the end of the summer, we'll have a more beefed-out and pretty site as well as better organized backend data 
This summer there will be 3 other Outreachy participants working on the Debian reproducible builds project! Check out their blogs/projects:
Scarlett
Satyam
Ceridwen
Thanks to our Debian mentors -- Lunar, Holger Levsen, and Mattia Rizzolo -- for taking us on  

What happened in the Reproducible Builds effort between May 1st and May 7th 2016: Media coverage There has been a surprising tweet last week: "Props to @FiloSottile for his nifty gvt golang tool. We're using it to get reproducible builds for a Zika & West Nile monitoring project." and to our surprise Kenn confirmed privately that he indeed meant "reproducible builds" as in "bit by bit identical builds". Wow. We're looking forward to learn more details about this; for now we just know that they are doing this for software quality reasons basically. Two of the four GSoC and Outreachy participants for Reproducible builds posted their introductions to Planet Debian:

• Scarlett Clark: Kubuntu: Debian: KDE: Outreachy! Yay! Upcoming changes
• Satyam Zode: Google Summer of Code 2016 With Debian Reproducible Builds : Introduction

Toolchain fixes and other upstream developments dpkg 1.18.5 was uploaded fixing two bugs relevant to us:

• #719845 (make the file order within the data,control .tar.gz .deb members deterministic)
• #819194 (add -fdebug-prefix-map to the compilers options)

This upload made it necessary to rebase our dpkg on the version on sid again, which Niko Tyni and Lunar promptly did. Then a few days later 1.18.6 was released to fix a regression in the previous upload, and Niko promptly updated our patched version again. Following this Niko Tyni found #823428: "dpkg: many packages affected by dpkg-source: error: source package uses only weak checksums". Alexis Bienven e worked on tex related packages and SOURCE_DATE_EPOCH:

• Alexis uploaded texlive-bin to our repo improving the existing patches.
• pdftex upstream discussion by Alexis Bienven e began at tex-k mailing list to make \today honour SOURCE_DATE_EPOCH. Upstream already commited enhanced versions of the proposed patches.
• Similar discussion on the luatex side at luatex mailing list. Upstream is working on it, and already committed some changes.

Emmanuel Bourg uploaded jflex/1.4.3+dfsg-2, which removes timestamps from generated files. Packages fixed The following 285 packages have become reproducible due to changes in their build dependencies (mostly from GCC honouring SOURCE_DATE_EPOCH, see the previous week report): 0ad abiword abcm2ps acedb acpica-unix actiona alliance amarok amideco amsynth anjuta aolserver4-nsmysql aolserver4-nsopenssl aolserver4-nssqlite3 apbs aqsis aria2 ascd ascii2binary atheme-services audacity autodocksuite avis awardeco bacula ballerburg bb berusky berusky2 bindechexascii binkd boinc boost1.58 boost1.60 bwctl cairo-dock cd-hit cenon.app chipw ckermit clp clustalo cmatrix coinor-cbc commons-pool cppformat crashmail crrcsim csvimp cyphesis-cpp dact dar darcs darkradiant dcap dia distcc dolphin-emu drumkv1 dtach dune-localfunctions dvbsnoop dvbstreamer eclib ed2k-hash edfbrowser efax-gtk efax exonerate f-irc fakepop fbb filezilla fityk flasm flightgear fluxbox fmit fossil freedink-dfarc freehdl freemedforms-project freeplayer freeradius fxload gdb-arm-none-eabi geany-plugins geany geda-gaf gfm gif2png giflib gifticlib glaurung glusterfs gnokii gnubiff gnugk goaccess gocr goldencheetah gom gopchop gosmore gpsim gputils grcompiler grisbi gtkpod gvpe hardlink haskell-github hashrat hatari herculesstudio hpcc hypre i2util incron infiniband-diags infon ips iptotal ipv6calc iqtree jabber-muc jama jamnntpd janino jcharts joy2key jpilot jumpnbump jvim kanatest kbuild kchmviewer konclude krename kscope kvpnc latexdiff lcrack leocad libace-perl libcaca libcgicc libdap libdbi-drivers libewf libjlayer-java libkcompactdisc liblscp libmp3spi-java libpwiz librecad libspin-java libuninum libzypp lightdm-gtk-greeter lighttpd linpac lookup lz4 lzop maitreya meshlab mgetty mhwaveedit minbif minc-tools moc mrtrix mscompress msort mudlet multiwatch mysecureshell nifticlib nkf noblenote nqc numactl numad octave-optim omega-rpg open-cobol openmama openmprtl openrpt opensm openvpn openvswitch owx pads parsinsert pcb pd-hcs pd-hexloader pd-hid pd-libdir pear-channels pgn-extract phnxdeco php-amqp php-apcu-bc php-apcu php-solr pidgin-librvp plan plymouth pnscan pocketsphinx polygraph portaudio19 postbooks-updater postbooks powertop previsat progressivemauve puredata-import pycurl qjackctl qmidinet qsampler qsopt-ex qsynth qtractor quassel quelcom quickplot qxgedit ratpoison rlpr robojournal samplv1 sanlock saods9 schism scorched3d scummvm-tools sdlbasic sgrep simh sinfo sip-tester sludge sniffit sox spd speex stimfit swarm-cluster synfig synthv1 syslog-ng tart tessa theseus thunar-vcs-plugin ticcutils tickr tilp2 timbl timblserver tkgate transtermhp tstools tvoe ucarp ultracopier undbx uni2ascii uniutils universalindentgui util-vserver uudeview vfu virtualjaguar vmpk voms voxbo vpcs wipe x264 xcfa xfrisk xmorph xmount xyscan yacas yasm z88dk zeal zsync zynaddsubfx Last week the 1000th bug usertagged "reproducible" was fixed! This means roughly 2 bugs per day since 2015-01-01. Kudos and huge thanks to everyone involved! Please also note: FTBFS packages have not been counted here and there are still 600 open bugs with reproducible patches provided. Please help bringing that number down to 0! The following packages have become reproducible after being fixed:

• crawl/2:0.18.0-1 by Adam Borowski, original patch by Alexis Bienven e.
• eigenbase-resgen/1.3.0.13768-3 by Emmanuel Bourg.
• fpga-icestorm/0~20160218gitf2b2549-2 by Ruben Undheim, original patch by Daniel Shahaf.
• gap/4r8p3-3 by Bill Allombert, original patch by Jerome Benoit.
• libksba/1.3.4-1 by Andreas Metzler.
• libusb/2:0.1.12-29 by Aurelien Jarno, original patch by Daniel Shahaf.
• milkytracker/0.90.86+dfsg-1 by James Cowgill.
• mp4h/1.3.1-15 by Axel Beckert.
• rdtool/0.6.38-4 by Christian Hofstaedtler, original patch by Alexis Bienven e.
• sympow/1.023-7 by Jerome Benoit.

Some uploads have fixed some reproducibility issues, but not all of them:

• freefem++/3.46+dfsg1-2 by Dimitrios Eftaxiopoulosis, original patch by Alexis Bienven e.
• jaligner/1.0+dfsg-2 by Michael R. Crusoe.
• keyutils/1.5.9-9 by Christian Kastner.
• shotwell/0.22.1-1 by J rg Frings-F rst.

Uploads which fix reproducibility issues, but currently FTBFS:

• emoslib/2:4.4.1-1 by Alastair McKinstry, original patch by boyska.

Patches submitted that have not made their way to the archive yet:

• #823174 against ros-pluginlib by Daniel Shahaf: use printf instead of echo to fix implementation-specific behavior.
• #823239 against gspiceui by Alexis Bienven e: sort list of object files for linking binary.
• #823241 against unhide by Alexis Bienven e: sort list of source files passed to compiler.
• #823393 against kdbg by Alexis Bienven e: fix changelog encoding and call grep in text mode.
• #823452 against khronos-opengl-man4 by Daniel Shahaf: sort file lists deterministically.

Package reviews 54 reviews have been added, 6 have been updated and 44 have been removed in this week. 18 FTBFS bugs have been reported by Chris Lamb, James Cowgill and Niko Tyni. diffoscope development Thanks to Mattia, diffoscope 52~bpo8+1 is available in jessie-backports now. tests.reproducible-builds.org

• All packages from all tested suites have finally been built on i386.
• Due to GCC supporting SOURCE_DATE_EPOCH sid/armhf has finally reached 20k reproducible packages and sid/amd64 has even reached 21k reproducible packages. (These numbers are about our test setup. The numbers for the Debian archive are still all 0. dpkg and dak need to be fixed to get the numbers above 0.)
• IRC notifications for non-Debian related jenkins job results go to #reproducible-builds now, while Debian related notifications stay on #debian-reproducible. (h01ger)
• profitbricks-build4-amd64 has been fully set up now and is running 398 days in the future. Next: update coreboot/OpenWrt/Fedora/Archlinux/FreeBSD/NetBSD scripts to use it. Help (in form of patches to existing shell scripts) very much welcome! (Other help is much welcome (and needed) too, but some things might take longer to merge or explain )

Misc. This week's edition was written by Reiner Herrmann, Holger Levsen and Mattia Rizzolo and reviewed by a bunch of Reproducible builds folks on IRC. Mattia also wrote a small ikiwiki macro for this blog to ease linking reproducible issues, packages in the package tracker and bugs in the Debian BTS.

This is the first blog post among series of posts which I will be writing throughout the summer about Google Summer of Code 2016 under Debian Reproducible Builds Experience. Introduction: I am Satyam Zode I am a final year Computer Science student (Satyam_z on IRC). I live in Pune, India (GMT +5:30). I am pursuing my undergraduate degree in Computer Engineering from Pune Institute of Computer Technology, Pune. I have been programming for the past 4 years. I am well versed in C/C++, Python3, and Golang. My Alioth and Github handles are satyamz-guest and satyamz respectively. I have been using GNU/Linux and free software from last four years. I am an open source enthusiast and I have been following Hacker culture since past three years. Accepted into Google Summer of Code 2016 under Debian Project: I am glad that I have got an opportunity to contribute to the Debian Project via Google Summer of Code 2016. I am accepted for project Improving diffoscope tool and reproducibility of Debian packages. This Summer and beyond I will be working with Debian Reproducible Builds team to improve the debbugging tool called Diffoscope (previously known as debbindiff). Thanks a bunch to Debian community, Lunar, Holger Levsen, Reiner Herrmann, Mattia Rizzolo and reproducible-builds folks for giving me this opportunity. Here is my GSoC'16 Proposal. And Yay! It really feels great :smile: Project details: I will be working on Diffoscope tool which is debbugging tool developed under reproducible-builds effort. Basically, Diffoscope compares two files and shows the difference in text and html format. Diffoscope is mainly developed to compare two Debian packages which may consist of binary files, tar files, text files etc. Diffoscope helps to identify difference between two Debian packages with respect to timestamps, file ordering etc. Diffoscope will try to get to the bottom of what makes files or directories different. It will recursively unpack archives of many kinds and transform various binary formats into more human readable form to compare them. It can compare two tarballs, ISO images, Debian packages or PDF just as easily. Diffoscope helps to identify the reproduciblity of Debian packages. During this summer I will be improving Diffoscope. I will be mainly working on:

• Finish Parallel processing part.
• Add command line option - -ignore-profile to allow users to ignore arbitrary differences.
• perform fuzzy-matching across archives.
• Add new file comparators to extend support of diffoscope for new file types.

My next blog post will be regarding community bonding. Thanks for reading :)

What happened in the Reproducible Builds effort between April 17th and April 23rd 2016: Toolchain fixes Thomas Weber uploaded lcms2/2.7-1 which will not write uninitialized memory when writing color names. Original patch by Lunar. The GCC 7 development phase has just begun, so Dhole reworked his patch to make gcc use SOURCE_DATE_EPOCH if set which prompted interesting feedback, but it has not been merged yet. Alexis Bienven e submitted a patch for sphinx to strip Python object memory addresses from the generated documentation. Packages fixed The following packages have become reproducible due to changes in their build dependencies: cobertura, commons-pool, easymock, eclipselink, excalibur-logkit, gap-radiroot, gluegen2, jabref, java3d, jcifs, jline, jmock2, josql, jtharness, libfann, libgroboutils-java, libjemmy2-java, libjgoodies-binding-java, libjgrapht0.8-java, libjtds-java, liboptions-java, libpal-java, libzeus-jscl-java, node-transformers, octave-msh, octave-secs2d, openmama, rkward. The following packages have become reproducible after being fixed:

• auto-multiple-choice/1.3.0-1 by Alexis Bienven e.
• castle-game-engine/5.2.0-3 by Paul Gevers.
• gap-autpgrp/1.5-2 by Bill Allombert.
• gap-grape/4r7+ds-2 by Jerome Benoit.
• letsencrypt.sh/0.1.0-2 by Mattia Rizzolo.
• libindicate/0.6.92-3 by Adam Borowski.
• ltrsift/1.0.2-7 by Sascha Steinbiss.
• perl/5.22.1-10 by Niko Tyni.
• php-pear/1:1.10.1+submodules+notgz-7 by Mathieu Parent.
• python-pint/0.7.2-2 by Ond ej Nov .
• spades/3.7.1+dfsg-3 by Sascha Steinbiss.
• tex4ht/20090611-2 by Reiner Herrmann.

Patches submitted that have not made their way to the archive yet:

• #821356 against emoslib by boyska: use echo in a portable manner across shells.
• #822268 against transdecoder by Dhole: set PERL_HASH_SEED=0 when calling the scripts that generate samples.

tests.reproducible-builds.org

• Steven Chamberlain investigated the performance of our armhf boards which also provided a nice overview of our armhf build network.
• As i386 has almost been completely tested the order of the architectures displayed has been changed to reflect the fact that i386 is now the 2nd most popular architecture in Debian. (h01ger)
• In order to decrease the number of blacklisted packages, the first build is now run with a timeout of 18h (previously: 12h) and the 2nd with 24h timeout (previously: 18h). (h01ger)
• We now also vary the CPU model on amd64 (and soon on i386 too) so that one build is performed using a "AMD Opteron 62xx class CPU" while the other is done using a "Intel Core Processor (Haswell)". This is now possible as proftitbricks.com offers VMs running both types of CPU and have generously increased their sponsorship once more. (h01ger)
• Profitbricks increased our storage space by 400 GB which will be used to setup a 2nd build node for the coreboot/OpenWrt/NetBSD/Arch Linux/Fedora tests. This 2nd build node will run 398 days in the future for testing reproducibility on a different date.

diffoscope development diffoscope 52 was released with changes from Mattia Rizzolo, h01ger, Satyam Zode and Reiner Herrmann, who also did the release. Notable changes included:

• Drop transitional debbindiff package.
• Let objdump demangle symbols for better readability.
• Install bin/diffoscope instead of auto-generated script. (Closes: #821777)

As usual, diffoscope 52 is available on Debian, Archlinux and PyPI, other distributions will hopefully soon update. Package reviews 28 reviews have been added, 11 have been updated and 94 have been removed in this week. 14 FTBFS bugs were reported by Chris Lamb (one being was a duplicate of a bug filed by Sebastian Ramacher an hour earlier). Misc. This week's edition was written by Lunar, Holger 'h01ger' Levsen and Chris Lamb and reviewed by a bunch of Reproducible builds folks on IRC.

What happened in the reproducible builds effort between April 10th and April 16th 2016: Toolchain fixes

• Roland Rosenfeld uploaded transfig/1:3.2.5.e-6 which honors SOURCE_DATE_EPOCH. Original patch by Alexis Bienven e.
• Bill Allombert uploaded gap/4r8p3-2 which makes convert.pl honor SOURCE_DATE_EPOCH. Original patch by Jerome Benoit, duplicate patch by Dhole.
• Emmanuel Bourg uploaded ant/1.9.7-1 which makes the Javadoc task use UTF-8 as the default encoding if none was specified and SOURCE_DATE_EPOCH is set.

Antoine Beaupr suggested that gitpkg stops recording timestamps when creating upstream archives. Antoine Beaupr also pointed out that git-buildpackage diverges from the default gzip settings which is a problem for reproducibly recreating released tarballs which were made using the defaults. Alexis Bienven e submitted a patch extending sphinx SOURCE_DATE_EPOCH support to copyright year. Packages fixed The following packages have become reproducible due to changes in their build dependencies: atinject-jsr330, avis, brailleutils, charactermanaj, classycle, commons-io, commons-javaflow, commons-jci, gap-radiroot, jebl2, jetty, libcommons-el-java, libcommons-jxpath-java, libjackson-json-java, libjogl2-java, libmicroba-java, libproxool-java, libregexp-java, mobile-atlas-creator, octave-econometrics, octave-linear-algebra, octave-odepkg, octave-optiminterp, rapidsvn, remotetea, ruby-rinku, tachyon, xhtmlrenderer. The following packages became reproducible after getting fixed:

• autopkgtest/3.20.3 uploaded by Martin Pitt, original patch by Alexis Bienven e.
• fop/1:2.1-3 uploaded by Mathieu Malaterre, original patch by Alexis Bienven e.
• fwupdate/0.5-4 by Mario Limonciello.
• gem/1:0.93.3-10 by IOhannes m zm lnig.
• imview/1.1.9c-16 by Anton Gladky.
• libappindicator/0.4.92-4 by Adam Borowski.
• libjlha-java/0.0.20050504-9 by Emmanuel Bourg.
• lwjgl/2.9.3+dfsg-1 by Markus Koschany.
• lxc/1:2.0.0~rc15-1 uploaded by Evgeni Golov, original patch by Reiner Herrmann.
• manpages-de/1.12-1 uploaded by Tobias Quathamer, original patch by Reiner Herrmann.
• pd-mrpeach/0.1~svn17615-1 by IOhannes m zm lnig.
• pyhoca-gui/0.5.0.6-1 uploaded by Mike Gabriel, original patch by Chris Lamb.
• r-cran-spatstat/1.45-0-1 by Andreas Tille.
• s5/1.1.dfsg.2-6 uploaded by Peter Pentchev, original patch by Juan Picca.
• samba/2:4.3.8+dfsg-1 by Jelmer Vernoo .
• sim4/0.0.20121010-3 uploaded by Andreas Tille, original patch by Alexis Bienven e.
• svxlink/15.11-1 uploaded by Felix Lechner, fixed upstream.
• tinc/1.0.28-1 by Guus Sliepen, fixed upstream.
• ucblogo/6.0+dfsg-1 by Reiner Herrmann.

Some uploads fixed some reproducibility issues, but not all of them:

• mm-common/0.9.10-1 by Michael Biebl.

Patches submitted which have not made their way to the archive yet:

• #820603 on viking by Alexis Bienven e: fix icon headers inclusion order.
• #820661 on nullmailer by Alexis Bienven e: fix the order in which files are included in the static archive.
• #820668 on sawfish by Alexis Bienven e: fix file ordering in theme archives, strip hostname and username from the config.h file, and honour SOURCE_DATE_EPOCH when creating the config.h file.
• #820740 on bless by Alexis Bienven e: always use /bin/sh as shell.
• #820742 on gmic by Alexis Bienven e: strip the build date from help messages.
• #820809 on wsdl4j by Alexis Bienven e: use a plain text representation of the copyright character.
• #820815 on freefem++ by Alexis Bienven e: fix the order in which files are included in the .edp files, and honour SOURCE_DATE_EPOCH when using the build date.
• #820869 on pyexiv2 by Alexis Bienven e: honour the SOURCE_DATE_EPOCH environment variable through the ustrftime function, to get a reproducible copyright year.
• #820932 on fim by Alexis Bienven e: fix the order in which files are joined in header files, strip the build date from fim binary, make the embeded vim2html script honour SOURCE_DATE_EPOCH variable when building the documentation, and force language to be English when using bison to make a grammar that is going to be parsed using English keywords.
• #820990 on grib-api by Santiago Vila: always call dh-buildinfo.

diffoscope development Zbigniew J drzejewski-Szmek noted in #820631 that diffoscope doesn't work properly when a file contains several cpio archives. Package reviews 21 reviews have been added, 14 updated and 22 removed in this week. New issue found: timestamps_in_htm_by_gap. Chris Lamb reported 10 new FTBFS issues. Misc. The video and the slides from the talk "Reproducible builds ecosystem" at LibrePlanet 2016 have been published now. This week's edition was written by Lunar and Holger Levsen. h01ger automated the maintenance and publishing of this weekly newsletter via git.

What happened in the reproducible builds effort between April 3rd and April 9th 2016: Media coverage Emily Ratliff wrote an article for SecurityWeek called Establishing Correspondence Between an Application and its Source Code - How Combining Two Completely Separate Open Source Projects Can Make Us All More Secure. Tails have started work on a design for freezable APT repositories to make it easier and practical to perform reproductions of an entire distribution at a given point in time, which will be needed to create reproducible installation- or live-media. Toolchain fixes Alexis Bienven e submitted patches adding support for SOURCE_DATE_EPOCH in several tools: transfig, imagemagick, rdtool, and asciidoctor. boyska submitted one for python-reportlab. Packages fixed The following packages have become reproducible due to changes in their build dependencies: atinject-jsr330 brailleutils cglib3 gnugo libcobra-java libgnumail-java libjchart2d-java libjcommon-java libjfreechart-java libjide-oss-java liblaf-widget-java liblastfm-java liboptions-java octave-control octave-mpi octave-nan octave-parallel octave-stk octave-struct octave-tsa oar The following packages became reproducible after getting fixed:

• apt-listchanges/2.88 by Robert Luberda.
• cgal/4.8-1 by Joachim Reichel.
• erlang-bitcask/2.0.2+dfsg-1 by Nobuhiro Iwamatsu.
• geneweb/6.08+git20160228+dfsg-2 by Guillaume Brochu.
• glance/2:12.0.0~rc2-1 uploaded by Thomas Goirand, original patch by Chris Lamb.
• gle-graphics/4.2.5-4 by Christian T. Steigies.
• maude uploaded by Andreas Tille, patch by Alexis Bienven e.
• psqlodbc/1:09.05.0100-3 by Christoph Berg.
• resource-agents/1:3.9.7-3 by Christoph Berg.
• vgabios/0.7a-6 by Reiner Herrmann.
• vim/2:7.4.1689-2 by James McCoy.
• xmhtml/1.1.10-2 by Graham Inggs with Reiner Herrmann's help.
• xscreensaver/5.34-2 uploaded by Tormod Volden, original patch by Sascha Steinbiss.

Several uploads fixed some reproducibility issues, but not all of them:

• rkward/0.6.5-1 uploaded by Thomas Friedrichsmeier, original patch by Philip Rinn.
• mailfilter/0.8.4-1 uploaded by Elimar Riesebieter, original patch by Chris Lamb.
• bind9/1:9.10.3.dfsg.P4-6 uploaded by Michael Gilbert, original patch by Reiner Herrmann.
• bzr/2.7.0- 3,4 by Jelmer Vernooij.
• samba/2:4.3.6+dfsg-2 uploaded by Mathieu Parent, fix by Jelmer Vernooij.
• fwupdate/0.5-3 by Mario Limonciello.
• paraview/5.0.1+dfsg1-1 by Anton Gladky.

Patches submitted which have not made their way to the archive yet:

• #819883 on debootstrap by Reiner Herrmann: tell tar to sort the archive members.
• #819885 on chktex by Sascha Steinbiss: use the time of latest debian/changelog entry as documentation timestamp.
• #819915 on kannel by Alexis Bienven e: use the time of latest debian/changelog entry as documentation timestamp.
• #819921 on basket by Alexis Bienven e: remove build date from debug info.
• #819965 on openarena-data by Alexandre Detiste: normalize file permissions before creating .pk3 archive.
• #820016 on gabedit by Alexis Bienven e: sort object files used to build the executable.
• #820032 on bibledit-gtk by Alexis Bienven e: remove useless included Makefile.
• #820072 on synfig by Alexis Bienven e: remove build date from info output.
• #820148 on autopkgtest by Alexis Bienven e: fix install order to cope with locales with case insensitive globbing.
• #820152 on anope by Alexis Bienven e: remove build date from the version string.
• #820179 on aodh by Alexis Bienven e: remove build date from the documentation.
• #820183 on cython by Alexis Bienven e: add support SOURCE_DATE_EPOCH.
• #820194 on nasm by rain1: sorts keys when traversing hash tables used to build the documentation.
• #820226 on chrony by Alexis Bienven e: add support for SOURCE_DATE_EPOCH to preset the ntp_era_split parameter.
• #820457 on recode by Alexis Bienven e: use system help2man.
• #820522 on gtkspell by Alexis Bienven e: force shell to /bin/sh in example Makefile.

Other upstream fixes Alexander Batischev made a commit to make newsbeuter reproducible. tests.reproducible-builds.org

• An architecture agnostic summary has been added to the reproducible-tracker.json by Valerie Young to make it easy to parse whether a package is unreproducible anywhere.
• To find more reproducibility issues a new variation was added to the i386 builders, so that one build is done using a 32 bit kernel (686-PAE) and the other build is using a 64 bit kernel (amd64). (h01ger)
  • Niko Tyni was the first to notice a bug due to this: #821182 perl: embeds kernel architecture information
• The 2nd builds are now done in fr_CH on amd64, de_CH on i386 and it_CH on armhf. (h01ger)
• The variation table has been updated to reflect the recent changes and various small bugs have been fixed. (h01ger)

Package reviews 93 reviews have been removed, 66 added and 21 updated in the previous week. 12 new FTBFS bugs have been reported by Chris Lamb and Niko Tyni. Misc. This week's edition was written by Lunar, Holger Levsen, Reiner Herrmann, Mattia Rizzolo and Ximin Luo. With the departure of Lunar as a full-time contributor, Reproducible Builds Weekly News (this thing you're reading) has moved from his personal Debian blog on Debian People to the Reproducible Builds team web site on Debian Alioth. You may want to update your RSS or Atom feeds. Very many thanks to Lunar for writing and publishing this weekly news for so long, well & continously!

What happened in the reproducible builds effort between March 27th and April 2nd: Toolchain fixes

• Emmanuel Bourg uploaded ant/1.9.6-2 which makes the Tstamp task support the SOURCE_DATE_EPOCH variable, and the Javadoc task use en as the default locale if none was specified and SOURCE_DATE_EPOCH is set.

Packages fixed The following packages have become reproducible due to changes in their build dependencies: ctioga2, erlang-bitcask, libcommons-collections3-java, libjgoodies-animation-java, libjide-oss-java, octave-gsl, octave-interval, octave-io, octave-quaternion, octave-signal, octave-stk, segment, service-wrapper-java, sqlline, svnkit, uddi4j, velocity-tools. The following packages became reproducible after getting fixed:

• angular.js/1.3.20-3 uploaded by Laszlo Boszormenyi, patch by Dhole.
• boa-constructor/0.6.1-16 by Reiner Herrmann.
• fgetty/0.7-1 by Dmitry Bogatov.
• hexchat/2.12.0-1 uploaded by Jesse Rhodes, fixed upstream.
• littlewizard/1.2.2-4 uploaded by Kari Pahula, original patch by Reiner Herrmann.
• logback/1:1.1.6-1 by Emmanuel Bourg.
• pcsxr/1.9.94-2 by James Cowgill.
• pybtex/0.19-2 by Daniel Stender.
• python-structlog/16.0.0-1 by Filippo Giunchedi.
• sbmltoolbox/4.1.0-3 by Afif Elghraoui, original patch by Reiner Herrmann.
• tiles/2.2.2-7 by Emmanuel Bourg.

Some uploads fixed some reproducibility issues, but not all of them:

• dash/0.5.8-2.2 uploaded by Niels Thykier, original patch by Lunar.
• gle-graphics/4.2.5-4 by Christian T. Steigies.
• prospector/0.11.7-6 by Daniel Stender.
• therion/5.3.16-10 by Wookey.
• vim/2:7.4.1689-1 uploaded by James McCoy, original patch by Reiner Herrmann.

Patches submitted which have not made their way to the archive yet:

• #783239 on kexec-tools by Lunar: follow-up patch to cope with locale variations.
• #819347 on starvoyager by Sascha Steinbiss: sort the list of input object files.
• #819352 on xpdf by Sascha Steinbiss: sort the list of linked object files.
• #819512 on breeze by Dhole: force grep to treat all files as text to avoid locale-related issues.
• #819726 on ckbuilder by boyska: add support for SOURCE_DATE_EPOCH.
• #819767 on libtool by rain1: removes extra timestamps from the build system, ensure a stable file order when creating the source archive, and replace uses of the hostname command with the fixed string "localhost".

tests.reproducible-builds.org The i386 builders are now testing packages on i386 for reproducibility. It will probably take 4 weeks until everything has been build twice, on this arch. (h01ger) Package reviews 52 reviews have been removed, 24 added and 4 updated in the previous week. Chris Lamb reported 13 new FTBFS. New issue: copyright_year_in_comments_generated_by_ckbuilder. Misc. This week's edition was mostly written by Lunar, with some help by Reiner Herrmann and h01ger.

What happened in the reproducible builds effort between March 20th and March 26th: Toolchain fixes

• Sebastian Ramacher uploaded breathe/4.2.0-1 which makes its output deterministic. Original patch by Chris Lamb, merged upstream.
• Rafael Laboissiere uploaded octave/4.0.1-1 which allows packages to be built in place and avoid unreproducible builds due to temporary build directories appearing in the .oct files.

Daniel Kahn Gillmor worked on removing build path from build symbols submitting a patch adding -fdebug-prefix-map to clang to match GCC, another patch against gcc-5 to backport the removal of -fdebug-prefix-map from DW_AT_producer, and finally by proposing the addition of a normalizedebugpath to the reproducible feature set of dpkg-buildflags that would use -fdebug-prefix-map to replace the current directory with . using -fdebug-prefix-map. Sergey Poznyakoff merged the --clamp-mtime option so that it will be featured in the next Tar release. This option is likely to be used by dpkg-deb to implement deterministic mtimes for packaged files. Packages fixed The following packages have become reproducible due to changes in their build dependencies: augeas, gmtkbabel, ktikz, octave-control, octave-general, octave-image, octave-ltfat, octave-miscellaneous, octave-mpi, octave-nurbs, octave-octcdf, octave-sockets, octave-strings, openlayers, python-structlog, signond. The following packages became reproducible after getting fixed:

• atheme-services/7.0.7-1 by Antoine Beaupr .
• boa-constructor/0.6.1-16 by Reiner Herrmann.
• calculix-ccx/2.10-1 by Wolfgang F tterer, fixed upstream.
• deap/1.0.2.post2-2 by Daniel Stender.
• debian-keyring/2016.03.22 uploaded by Jonathan McDowell, fix by Niels Thykier, obsolete patch by Satyam Zode.
• firefox-kwallet5/1.0-2 by Sandro Knau .
• fox1.6/1.6.51-1 by Joachim Wiedorn.
• gdnsd/2.2.3-1 by Faidon Liambotis.
• glib2.0/2.48.0-1 uploaded by Iain Lane, original patch by Lunar, merged upstream.
• jwm/2.3.4-1 uploaded by Samuel Henrique Oltramari Pinto, fix by Reiner Herrmann.
• libasm4-java/5.0.4-2 by Emmanuel Bourg.
• libjna-java/4.2.2-1 by Emmanuel Bourg.
• libsynthesis/3.4.0.47.5+syncevolution-1.5.1-1 uploaded by Tino Mettler, patch by Reiner Herrmann.
• logback/1:1.1.6-1 by Emmanuel Bourg.
• nethack/3.6.0-2 uploaded by James Cowgill, patch by Reiner Herrmann.
• php-htmlpurifier/4.7.0-2 by David Pr vot.
• psocksxx/1.1.0-1 by Gianfranco Costamagna.
• sbmltoolbox/4.1.0-3 uploaded by Afif Elghraoui, original patch by Reiner Herrmann.
• spades/3.7.1+dfsg-2 by Sascha Steinbiss.
• sprng/2.0a-10 uploaded by Dirk Eddelbuettel, original patch by Reiner Herrmann.

Some uploads fixed some reproducibility issues, but not all of them:

• gle-graphics/4.2.5-2 by Christian T. Steigies.
• kexec-tools/1:2.0.10-2 uploaded by Khalid Aziz, original patch by Lunar.
• pdal/1.1.0-4 by Bas Couwenberg.
• tcl8.5/8.5.19-2 uploaded by Sergei Golovan, original patch.
• tcl8.6/8.6.5+dfsg-2 uploaded by Sergei Golovan, original patch.

Patches submitted which have not made their way to the archive yet:

• #818742 on milkytracker by Reiner Herrmann: sorts the list of source files.
• #818752 on tcl8.4 by Reiner Herrmann: sort source files using C locale.
• #818753 on tk8.6 by Reiner Herrmann: sort source files using C locale.
• #818754 on tk8.5 by Reiner Herrmann: sort source files using C locale.
• #818755 on tk8.4 by Reiner Herrmann: sort source files using C locale.
• #818952 on marionnet by ceridwen: dummy out build date and uname to make build reproducible.
• #819334 on avahi by Reiner Herrmann: ship upstream changelog instead of the one generated by gettextize (although duplicate of #804141 by Santiago Vila).

tests.reproducible-builds.org i386 build nodes have been setup by converting 2 of the 4 amd64 nodes to i386. (h01ger) Package reviews 92 reviews have been removed, 66 added and 31 updated in the previous week. New issues: timestamps_generated_by_xbean_spring, timestamps_generated_by_mangosdk_spiprocessor. Chris Lamb filed 7 FTBFS bugs. Misc. On March 20th, Chris Lamb gave a talk at FOSSASIA 2016 in Singapore. The very same day, but a few timezones apart, h01ger did a presentation at LibrePlanet 2016 in Cambridge, Massachusetts. Seven GSoC/Outreachy applications were made by potential interns to work on various aspects of the reproducible builds effort. On top of interacting with several applicants, prospective mentors gathered to review the applications.

Here is my monthly update covering a large part of what I have been doing in the free software world (previously):

• Submitted a number of pull requests to the Ansible sever configuration tool:
  • Add the ability to specify the --allow-unauthenticated to APT. (#2023)
  • Ignore EPIPE when flushing standard input and output to avoid unnecessary and ugly tracebacks. (#14774)
  • Add an option for ansible-playbook to exit with an error if no plays were matched. (#14742)
• Various improvements to django-slack, a library to easily post messages to the Slack group-messaging utility from projects using the Django web development framework:
  • Merged a patch from Joshua Blum to update the logging integration documentation. (#39)
  • Fixed an issue when rendering various exceptions would in themselves raise an exception. (#40)
  • Improved and merged a patch from Patrick Cloke to actually allow settings to be overriden using the @override_settings decorator. (#37)
• Updated local-debian-mirror, a package that attempts to make it easy to maintain a partial local mirror of the Debian archive:
  • Added an option to exclude DEP-11 files. (ee03b21)
  • Added an option to exclude Translation-* files. (28bbf34)
  • Corrected the phrasing of the debconf prompt to not ask a direct question to appease Lintian. (13fccc7b)
• Updated django-keyerror a library to post exceptions to the KeyError.com error tracking service to support pushing tracebacks from the Celery queue processor using the task_failure signal. (#1)
• Submitted a number of pull requests for django-zebra, a collection of utilities that make it easier to integrate the Stripe payment processor and the Django web development framework:
  • Add the ability to test an incoming Stripe webhook. (#44)
  • Prefer @require_POST over an explicit check in the view. (#43)
  • Move away from the deprecated django.conf.urls.patterns method. (#45)
• Updated django-template-tests, a tool to perform simple static analysis on Django templates prior to production to improve the robustness of dynamic test generation. (e98f9fc)
• Fixed django-force-logout a library to allow administrators to log user's out of Django projects to not require a custom JSON serialiser. (c0e5d64)
• Corrected the documentation for travis.debian.net my hosted script to easily test and build Debian packages on the Travis CI continuous integration platform to reflect the actual default mirror. (4c862f0)
• Blogged about generating dynamic Python tests using metaclasses.

---

What happened in the reproducible builds effort between March 20th and March 26th:

Toolchain fixes

• Sebastian Ramacher uploaded breathe/4.2.0-1 which makes its output deterministic. Original patch by Chris Lamb, merged uptream.
• Rafael Laboissiere uploaded octave/4.0.1-1 which allows packages to be built in place and avoid unreproducible builds due to temporary build directories appearing in the .oct files.

Daniel Kahn Gillmor worked on removing build path from build symbols submitting a patch adding -fdebug-prefix-map to clang to match GCC, another patch against gcc-5 to backport the removal of -fdebug-prefix-map from DW_AT_producer, and finally by proposing the addition of a normalizedebugpath to the reproducible feature set of dpkg-buildflags that would use -fdebug-prefix-map to replace the current directory with . using -fdebug-prefix-map. As succesful result of lobbying at LibrePlanet 2016, the --clamp-mtime option will be featured in the next Tar release. This option is likely to be used by dpkg-deb to implement deterministic mtimes for packaged files.

Packages fixed The following packages have become reproducible due to changes in their build dependencies: augeas, gmtkbabel, ktikz, octave-control, octave-general, octave-image, octave-ltfat, octave-miscellaneous, octave-mpi, octave-nurbs, octave-octcdf, octave-sockets, octave-strings, openlayers, python-structlog, signond. The following packages became reproducible after getting fixed:

• atheme-services/7.0.7-1 by Antoine Beaupr .
• boa-constructor/0.6.1-16 by Reiner Herrmann.
• calculix-ccx/2.10-1 by Wolfgang F tterer, fixed upstream.
• deap/1.0.2.post2-2 by Daniel Stender.
• debian-keyring/2016.03.22 uploaded by Jonathan McDowell, fix by Niels Thykier, obsolete patch by Satyam Zode.
• firefox-kwallet5/1.0-2 by Sandro Knau .
• fox1.6/1.6.51-1 by Joachim Wiedorn.
• gdnsd/2.2.3-1 by Faidon Liambotis.
• glib2.0/2.48.0-1 uploaded by Iain Lane, original patch by Lunar, merged upstream.
• jwm/2.3.4-1 uploaded by Samuel Henrique Oltramari Pinto, fix by Reiner Herrmann.
• libasm4-java/5.0.4-2 by Emmanuel Bourg.
• libjna-java/4.2.2-1 by Emmanuel Bourg.
• libsynthesis/3.4.0.47.5+syncevolution-1.5.1-1 uploaded by Tino Mettler, patch by Reiner Herrmann.
• logback/1:1.1.6-1 by Emmanuel Bourg.
• nethack/3.6.0-2 uploaded by James Cowgill, patch by Reiner Herrmann.
• php-htmlpurifier/4.7.0-2 by David Pr vot.
• psocksxx/1.1.0-1 by Gianfranco Costamagna.
• sbmltoolbox/4.1.0-3 uploaded by Afif Elghraoui, original patch by Reiner Herrmann.
• spades/3.7.1+dfsg-2 by Sascha Steinbiss.
• sprng/2.0a-10 uploaded by Dirk Eddelbuettel, original patch by Reiner Herrmann.

Some uploads fixed some reproducibility issues, but not all of them:

• gle-graphics/4.2.5-2 by Christian T. Steigies.
• kexec-tools/1:2.0.10-2 uploaded by Khalid Aziz, original patch by Lunar.
• pdal/1.1.0-4 by Bas Couwenberg.
• tcl8.5/8.5.19-2 uploaded by Sergei Golovan, original patch.
• tcl8.6/8.6.5+dfsg-2 uploaded by Sergei Golovan, original patch.

Patches submitted which have not made their way to the archive yet:

• #818742 on milkytracker by Reiner Herrmann: sorts the list of source files.
• #818752 on tcl8.4 by Reiner Herrmann: sort source files using C locale.
• #818753 on tk8.6 by Reiner Herrmann: sort source files using C locale.
• #818754 on tk8.5 by Reiner Herrmann: sort source files using C locale.
• #818755 on tk8.4 by Reiner Herrmann: sort source files using C locale.
• #818952 on marionnet by ceridwen: dummy out build date and uname to make build reproducible.
• #819334 on avahi by Reiner Herrmann: ship upstream changelog instead of the one generated by gettextize (although duplicate of #804141 by Santiago Vila).

tests.reproducible-builds.org i386 build nodes have been setup by converting 2 of the 4 amd64 nodes to i386. (h01ger)

Package reviews 92 reviews have been removed, 66 added and 31 updated in the previous week. New issues: timestamps_generated_by_xbean_spring, timestamps_generated_by_mangosdk_spiprocessor. Chris Lamb filed 7 FTBFS bugs.

Misc. On March 20th, Chris Lamb gave a talk at FOSSASIA 2016 in Singapore. The very same day, but a few timezones apart, h01ger did a presentation at LibrePlanet 2016 in Cambridge, Massachusetts. Seven GSoC/Outreachy applications were made by potential interns to work on various aspects of the reproducible builds effort. On top of interacting with several applicants, prospective mentors gathered to review the applications. Huge thanks to Linda Naeun Lee for the new hackergotchi visible on Planet Debian.

What happened in the reproducible builds effort between March 13th and March 19th 2016:

Toolchain fixes

• Petter Reinholdtsen uploaded naturaldocs/1.51-1.1 which makes the output reproducible. Original patch by Chris Lamb.
• Damyan Ivanov uploaded libpdf-api2-perl/2.025-2 which will make internal font ID reproducible.
• Christian Hofstaedtler uploaded ruby2.3/2.3.0-5 which sets gzip embedded mtime field to fixed value for rdoc-generated compressed javascript data.

Packages fixed The following packages have become reproducible due to changes in their build dependencies: diction, doublecmd, ruby-hiredis, vdr-plugin-epgsearch. The following packages became reproducible after getting fixed:

• adduser/3.114 by Niels Thykier.
• borgbackup/1.0.0-3 by Danny Edel.
• firefox-esr/45.0.1esr-1 by Mike Hommey.
• gzip/1.6-5 by Bdale Garbee, original patch by Valentin Lorentz.
• httperf/0.9.0-5 by Reiner Herrmann.
• leafpad/0.8.18.1-5 uploaded by Paulo Roberto Alves de Oliveira, original patch by Reiner Herrmann.
• libsdl1.2/1.2.15+dfsg1-4 by Manuel A. Fernandez Montecelo.
• mpc123/0.2.4-4 by Reiner Herrmann.
• openhpi/3.6.1-1 uploaded by Bryan Sutula, likely fixed upstream.
• pbsim/1.0.3-2 by Sascha Steinbiss.
• pdnsd/1.2.9a-par-3 by Reiner Herrmann.
• phyml/3:3.2.0+dfsg-2 uploaded by Andreas Tille, fix by Kevin Murray.
• polyml/5.6-3 by James Clarke.
• psocksxx/1.1.0-1 uploaded by J rg Frings-F rst, original patch by akira.
• python-pip/8.1.1-1 by Reiner Herrmann.
• reapr/1.0.18+dfsg-2 by Sascha Steinbiss.
• rows/0.1.1-3 uploaded by Paulo Roberto Alves de Oliveira, original patch by Reiner Herrmann.
• seqprep/1.1-5 uploaded by Andreas Tille, original patch by Dhole.
• subliminal/1.1.1-1 uploaded by Etienne Millon, fixed upstream.
• tantan/13-4 by Sascha Steinbiss.
• tzdata/2016b-1 by Aurelien Jarno.
• xpra/0.16.2+dfsg-1 uploaded by Dmitry Smirnov, original patch by Reiner Herrmann.

Some uploads fixed some reproducibility issues, but not all of them:

• lombok/1.16.6+ds-3 by Markus Koschany.
• python-skbio/0.4.2-1 by Kevin Murray.

Patches submitted which have not made their way to the archive yet:

• #818128 on nethack by Reiner Herrmann: implement support for SOURCE_DATE_EPOCH, set LC_ALL to C, and ensure deterministic build order when running parallel builds.
• #818111 on debian-keyring by Satyam Zode: fix the order of files in md5sums.
• #818067 on ncurses by Niels Thykier: strip trailing whitespaces introduced when using dash as system shell.
• #818230 on aircrack-ng by Reiner Herrmann: build assembly code as a separate .o file.
• #818419 on mutt by Daniel Shahaf: use C locale when listing files to be put in README.Patches.
• #818430 on ruby-coveralls by Dhole: ensure UTC is used as the timezone when generating the documentation.
• #818686 on littlewizard by Reiner Herrmann: use the C locale in the script for iterating over the files.
• #818704 on strigi by Reiner Herrmann: sort keys when traversing hashes in makecode.pl.

Package reviews 44 reviews have been removed, 40 added and 5 updated in the previous week. Chris Lamb has reported 16 FTBFS.

What happened in the reproducible builds effort between March 6th and March 12th:

Packages fixed The following packages have become reproducible due to changes in their build dependencies: dfc, gap-openmath, gnubik, gplanarity, iirish, iitalian, monajat, openimageio, plexus-digest, ruby-fssm, vdr-plugin-dvd, vdr-plugin-spider. The following packages became reproducible after getting fixed:

• adduser/3.114 by Niels Thykier.
• bsdmainutils/9.0.7 by Michael Meskes.
• criu/2.0-1 by Salvatore Bonaccorso.
• genometools/1.5.8+ds-2 by Sascha Steinbiss.
• gfs2-utils/3.1.8-1 uploaded by Bastian Blank, fix by Christoph Berg.
• gmerlin/1.2.0~dfsg+1-5 by IOhannes m zm lnig.
• heroes/0.21-14 by Stephen Kitt.
• kmc/2.3+dfsg-3 by Sascha Steinbiss.
• polyml/5.6-3 by James Clarke.
• sed/4.2.2-7.1 by Niels Thykier.
• snpomatic/1.0-3 by Sascha Steinbiss.
• tantan/13-4 by Sascha Steinbiss.

Some uploads fixed some reproducibility issues, but not all of them:

• apg/2.2.3.dfsg.1-3 uploaded by Marc Haber, original patch by Chris Lamb.
• elastix/4.8-4 uploaded by Gert Wollny, reported by akira.

Patches submitted which have not made their way to the archive yet:

• #817979 on modernizr by Sascha Steinbiss: sort list of files included in feature-detects.js.
• #818027 on snapper by Sascha Steinbiss: always use /bin/sh as shell.

tests.reproducible-builds.org Always use all cores on armhf builders. (h01ger) Improve the look of Debian dashboard. (h01ger)

Package reviews 118 reviews have been removed, 114 added and 15 updated in the previous week. 15 FTBFS have been filled by Chris Lamb. New issues: xmlto_txt_output_locale_specific.

Misc. Lunar seeks new maintainers for diffoscope, several mailing lists, and these very weekly reports.

What happened in the reproducible builds effort between February 28th and March 5th:

Toolchain fixes

• Antonio Terceiro uploaded gem2deb/0.27 that forces generated gemspecs to use the date from debian/changelog.
• Antonio Terceiro uploaded gem2deb/0.28 that forces generated gemspecs to have their contains file lists sorted.
• Robert Luberda uploaded ispell/3.4.00-5 which make builds of hashes reproducible.
• C dric Boutillier uploaded ruby-ronn/0.7.3-4 which will make the output locale agnostic. Original patch by Chris Lamb.
• Markus Koschany uploaded spring/101.0+dfsg-1. Fixed by Alexandre Detiste.

Ximin Luo resubmitted the patch adding the --clamp-mtime option to Tar on Savannah's bug tracker. Lunar rebased our experimental dpkg on top of the current master branch. Changes in the test infrastructure are required before uploading a new version to our experimental repository. Reiner Herrmann rebased our custom texlive-bin against the latest uploaded version.

Packages fixed The following 77 packages have become reproducible due to changes in their build dependencies: asciidoctor, atig, fuel-astute, jekyll, libphone-ui-shr, linkchecker, maven-plugin-testing, node-iscroll, origami-pdf, plexus-digest, pry, python-avro, python-odf, rails, ruby-actionpack-xml-parser, ruby-active-model-serializers, ruby-activerecord-session-store, ruby-api-pagination, ruby-babosa, ruby-carrierwave, ruby-classifier-reborn, ruby-compass, ruby-concurrent, ruby-configurate, ruby-crack, ruby-css-parser, ruby-cucumber-rails, ruby-delorean, ruby-encryptor, ruby-fakeweb, ruby-flexmock, ruby-fog-vsphere, ruby-gemojione, ruby-git, ruby-grack, ruby-htmlentities, ruby-jekyll-feed, ruby-json-schema, ruby-listen, ruby-markerb, ruby-mathml, ruby-mini-magick, ruby-net-telnet, ruby-omniauth-azure-oauth2, ruby-omniauth-saml, ruby-org, ruby-origin, ruby-prawn, ruby-pygments.rb, ruby-raemon, ruby-rails-deprecated-sanitizer, ruby-raindrops, ruby-rbpdf, ruby-rbvmomi, ruby-recaptcha, ruby-ref, ruby-responders, ruby-rjb, ruby-rspec-rails, ruby-rspec, ruby-rufus-scheduler, ruby-sass-rails, ruby-sass, ruby-sentry-raven, ruby-sequel-pg, ruby-sequel, ruby-settingslogic, ruby-shoulda-matchers, ruby-slack-notifier, ruby-symboltable, ruby-timers, ruby-zip, ticgit, tmuxinator, vagrant, wagon, yard. The following packages became reproducible after getting fixed:

• air-quality-sensor/0.1.4-1 uploaded by Benedikt Wildenhain, fixed upstream, original patch by Chris Lamb.
• device3dfx/2013.08.08-4 by Guillem Jover.
• fldigi/3.23.08-1 by Kamal Mostafa.
• fltk1.1/1.1.10-22 by Aaron M. Ucko.
• freeimage/3.17.0+ds1-2 by Ghislain Antony Vaillant.
• gimagereader/3.1.2+git368fa8f-2 by Philip Rinn.
• ginkgocadx/3.7.5-1 by Gert Wollny, fixed upstream.
• jadetex/3.13-17 by Norbert Preining.
• opensips/2.1.2-1 by Razvan Crainea.
• ruby-sqlite3/1.3.11-2 uploaded by C dric Boutillier, original patch by Lunar.
• runawk/1.6.0-2 uploaded by Andrew Shadura, patch by Reiner Herrmann.
• systraq/20160303-1 by Joost van Baal-Ili .

Some uploads fixed some reproducibility issues, but not all of them:

• auto-multiple-choice/1.2.1-4 by Georges Khaznadar.
• avfs/1.0.3-1 uploaded by Michael Meskes, original patch by Chris Lamb.
• console-setup/1.138 uploaded by Anton Zinoviev, original patch by Reiner Herrmann.
• gromacs/5.1.2-1 by Nicholas Breen.
• mrrescue/1.02c-2 by Alexandre Detiste.
• usb-modeswitch-data/20160112-2 by Didier Raboud.

Patches submitted which have not made their way to the archive yet:

• #816209 on elog by Reiner Herrmann: use printf instead of echo which is shell-independent.
• #816214 on python-pip by Reiner Herrmann: removes timestamp from generated Python scripts.
• #816230 on rows by Reiner Herrmann: tell grep to always treat the input as text.
• #816232 on eficas by Reiner Herrmann: use printf instead of echo which is shell-independent.

Florent Daigniere and bancfc reported that linux-grsec was currently built with GRKERNSEC_RANDSTRUCT which will prevent reproducible builds with the current packaging.

tests.reproducible-builds.org pbuilder has been updated to the last version to be able to support Build-Depends-Arch and Build-Conflicts-Arch. (Mattia Rizzolo, h01ger) New package sets have been added for Subgraph OS, which is based on Debian Stretch: packages and build dependencies. (h01ger) Two new armhf build nodes have been added (thanks Vagrant Cascadian) and integrated in our Jenkins setup with 8 new armhf builder jobs. (h01ger)

strip-nondeterminism development strip-nondeterminism version 0.016-1 was released on Sunday 28th. It will now normalize the POT-Creation-Date field in GNU Gettext .mo files. (Reiner Herrmann) Several improvements to the packages metadata have also been made. (h01ger, Ben Finney)

Package reviews 185 reviews have been removed, 91 added and 33 updated in the previous week. New issue: fileorder_in_gemspec_files_list. 43 FTBFS bugs were reported by Chris Lamb, Martin Michlmayr, and gregor herrmann.

Misc. After merging the patch from Dhiru Kholia adding support for SOURCE_DATE_EPOCH in rpm, Florian Festi opened a discussion on the rpm-ecosystem mailing list about reproducible builds. On March 4th, Lunar gave an overview of the general reproducible builds effort at the Internet Freedom Festival in Valencia.

Earlier today I was made aware by Holger of the results of our reproducibility efforts during the sprint. I would like to thank Lunar for pinging us about the issue, and Holger for pointing me to updated results. The figure below depicts a stacked area chart where the X axis is time and the green area is reproducible packages. Red is packages that fail to build, and Orange are unreproducible packages I was able to book accommodation for the sprint attendees very close to both my place and the sprint venue, what was very useful but also had this downside of them not being able to see much of city. As the final day of the sprint was getting closer, we decided to have a different lunch to allow them to see one of the most famous local landmarks, the botanical gardens. So we headed down to the botanical gardens, grabbed a few items for lunch at the park coffee shop, and set out to visit this very beautiful place. I have to say that there is the place were I usually take every visitor I have. We were joined by Gioavani who had just arrived for the the MiniDebconf on the following weekend. The final lists of accomplishments of the day was again very impressive

• r10k 2.1.1-2
• run massive update on team repositories
  • bump Standards-Version
  • fix Vcs-* fields
  • drop version in gem2deb build-dependency
  • set debhelper compatibility level to 9
  • update the default ruby-tests.rake
• day 4 report
• uploaded ruby-faraday-middleware-multi-json 0.0.6-2
• uploaded ruby-powerpack 0.1.1-2
• uploaded ruby-contracts 0.13.0-1
• uploaded ruby-chef-config 12.7.2-1 (NEW)
• uploaded ruby-foreigner #808530 and asked it removal from the NEW queue (was already ROMed)
• filled for RM ruby-opengraph-parser (#816752)
• new how-can-i-help version developed and uploaded
• uploaded ruby-romkan to unstable (from exp)
• uploaded ruby-rinku to unstable (from exp)
• uploaded ruby-ole to unstable (from exp)
• uploaded ruby-net-ldap to unstable (from exp)
• uploaded ruby-rack-mobile-detect to unstable (from exp)
• uploaded gem2deb 0.28 to help with reproducible builds: filenames are now sorted
• uploaded rails 2:4.2.5.2-2 with packaging improvements
  • run unit tests during the build and on CI
  • apply upstream patch to fix ActiveRecord breakage under Ruby 2.3
• pushed a ton of tags for existing uploads
• merged improvements to the team master repository
  • review/cleanup the contents of the repository
  • improved helper scripts to automate the workflow (upload, build, new-upstream, etc)
• followed up on ruby2.3 transition, filed #816698 against subversion because of ftbfs on mips, mipsel
• put ruby-cocoon into a better state
• uploaded ruby-plist
• gem2deb: gem2tgz will now create foo.gemspec (easier to patch) instead of metadata.yml
• gemwatch: ditto
• close #794139 jekyll bug (unreproducible)
• close #798934 ruby-ffi-rzmq bug (unreproducible)
• closed ftbfs #816586 #800057 #784699 as unreproducible
• reassigned #760952 #680297 to ruby2.3 (from ruby2.2)
• investigated how to list packages with non-buildd-binary uploads
• ScottK has removed ruby2.1 from unstable!

By the end of the afternoon I asked everyone to fill out a simple retrospective list, what we can use later to make future sprints better and better. Below are the results we got. What was good:

• restricted room hours actually made for a nice rhythm (did not apply for a long time )
• very good food
• very cheap food!
• longer period makes the effort of travel more worthwhile
• many participants and longer sprint than usual allowing more work to be done
• good preparation with clear goals, make the sprint usefull
• patience with the less experienced participants
• RFS very fast
• Ant nio is an excellent host
• You all are so helpful
• great dinners

What could be better:

• room too close to the street, too much vehicle noise, but sometimes nice music
• more coffee ^W meat
• could know more portugues so ordering food would have been easier
• debian infra could have not been down during the sprint

The night ended at Bar do Alem o ( The German s Bar ). Both their beer and their food are very good, but I don t have enough elements to vouch for their authenticity. :) We were joined by Giovani (who we also met earlier in the botanic gardens), and by Paulo and Daniel who are organizing the MiniDebconf. And that is the end of this year s Debian Ruby team sprint. I hope we do it all over again next year.

What happened in the reproducible builds effort between February 21th and February 27th:

Toolchain fixes Didier Raboud uploaded pyppd/1.0.2-4 which makes PPD generation deterministic. Emmanuel Bourg uploaded plexus-maven-plugin/1.3.8-10 which sorts the components in the components.xml files generated by the plugin. Guillem Jover has implemented stable ordering for members of the control archives in .debs. Chris Lamb submitted another patch to improve reproducibility of files generated by cython.

Packages fixed The following packages have become reproducible due to changes in their build dependencies: dctrl-tools, debian-edu, dvdwizard, dymo-cups-drivers, ekg2, epson-inkjet-printer-escpr, expeyes, fades, foomatic-db, galternatives, gnuradio, gpodder, gutenprint icewm, invesalius, jodconverter-cli latex-mk, libiio, libimobiledevice, libmcrypt, libopendbx, lives, lttnganalyses, m2300w, microdc2, navit, po4a, ptouch-driver, pxljr, tasksel, tilda, vdr-plugin-infosatepg, xaos. The following packages became reproducible after getting fixed:

• afterstep/2.2.12-7 by Robert Luberda.
• arachne-pnr/0~20150927gitefdb026-2 uploaded by Ruben Undheim, patch by Dhole.
• astroquery/0.3.1+dfsg-2 by Vincent Prat.
• compton-conf/0.1.0+20151226-2 uploaded by Alf Gaida, original patch by Dhole.
• disque/1.0~rc1-5 uploaded by Chris Lamb, issue identified by Reiner Herrmann.
• foo2zjs/20151024dfsg0-2 by Didier Raboud.
• gnugo/3.8-9 uploaded by Martin A. Godisch, original patch by Reiner Herrmann.
• hplip/3.16.2+repack0-4 by Didier Raboud.
• ibus-braille/0.1.2.99+git1.a95477d-4 by Samuel Thibault.
• iputils/3:20150815-1 by Noah Meyerhans, original patch by Juan Picca.
• jimtcl/0.76-2 by Didier Raboud.
• jodconverter/2.2.2-8 uploaded by Samuel Thibault, original patch by Reiner Herrmann.
• jts/1.14+ds-1~exp1 by Bas Couwenberg.
• loadlin/1.6f-5 by Samuel Thibault.
• lximage-qt/0.4.0+20160108-3 by ChangZhuo Chen ( ), patch by Dhole.
• modello/1.8.3-2 by Emmanuel Bourg.
• obconf-qt/0.9.0+20151227-2 uploaded by Alf Gaida, original patch by Dhole.
• pcmanfm-qt/0.10.1-2 uploaded by Alf Gaida, original patch by Dhole.
• pnm2ppa/1.13-7 by Didier Raboud.
• screengrab/1.95+20160128-2 uploaded by Alf Gaida, original patch by Dhole.
• sip4/4.17+dfsg-2 uploaded by Scott Kitterman, original patch by Reiner Herrmann.
• spades/3.7.0+dfsg-1 by Sascha Steinbiss.
• sphinxtrain/1.0.8+5prealpha-4 by Samuel Thibault.
• tcsh/6.18.01-5 uploaded by Thomas Lange, original patch by Reiner Herrmann.
• ubertooth/2015.09.R2-4 by Ruben Undheim.
• watchdog/5.15-1 by Michael Meskes.
• xfonts-a12k12/1-12 uploaded by Nobuhiro Iwamatsu, original patch by Chris Lamb.

Some uploads fixed some reproducibility issues, but not all of them:

• gridsite/2.2.6-2 by Mattias Ellert.
• gsoap/2.8.28-2 by Mattias Ellert.
• natbraille/2.0rc3-3 by Samuel Thibault.
• pairs/4:15.04.3-1 uploaded by Maximiliano Curia, original patch by Scarlett Clark.

tests.reproducible-builds.org The reproducibly tests for Debian now vary the provider of /bin/sh between bash and dash. (Reiner Herrmann)

diffoscope development diffoscope version 50 was released on February 27th. It adds a new comparator for PostScript files, makes the directory tests pass on slower hardware, and line ordering variations in .deb md5sums files will not be hidden anymore. Version 51 uploaded the next day re-added test data missing from the previous tarball. diffoscope is looking for a new primary maintainer.

Package reviews 87 reviews have been removed, 61 added and 43 updated in the previous week. New issues: captures_shell_variable_in_autofoo_script, varying_ordering_in_data_tar_gz_or_control_tar_gz. 30 new FTBFS have been reported by Chris Lamb, Antonio Terceiro, Aaron M. Ucko, Michael Tautschnig, and Tobias Frost.

Misc. The release team reported on their discussion about the topic of rebuilding all of Stretch to make it self-contained (in respect to reproducibility). Christian Boltz is hoping someone could talk about reproducible builds at the openSUSE conference happening June 22nd-26th in N rnberg, Germany.

Here is my monthly update covering a large part of what I have been doing in the free software world (previously):

• Various improvements to django-slack, a library to easily post messages to the Slack group-messaging utility from projects using the Django web development framework:
  • Added explicit support to send messages asynchronously via the Celery distributed task queue. (#29)
  • Worked with Patrick Clope to add an escapeslack template filter to ensure the correct characters for Slack's API are escaped using Django's built-in safe is too invasive. (#36)
  • Corrected an issue where custom endpoints and channel names were incompatible. (#27)
  • Overhaul of the field/option/block parsing. (49ff3c4)
  • Moved away from using a django.template.Context instance, preventing a deprecation warning. (#31)
• Added a create-folders subcommand to my tickle-me-email Getting Things Done (GTD) email toolbox to create numbered folders for the rotate "tickler" functionality. (#3)
• Wrote and released a Django template tag to collapse multiple whitespace/newline characters in order to correctly format, for example, plaintext emails that make extensive use of for-loops. These would normally require careful and fragile placement of the % for .. % and % endfor % tags. (Repo)
• Pushed a number of updates to my Strava Enhancement Suite, a Chrome extension that improves and fixes annoyances in the web interface of the Strava cycling and running tracker:
  • Fix unit conversion where the element was wrapped in an another HTML element. (#48)
  • Hide premium indicator from top-level navigation. (#45)
  • Correct matching of the "shop" link in top-level navigation and footer module. (#47 & #46)
  • Remove "premium" pages on Club pages. (#44)
• Added a security-oriented warning to Ansible's documentation regarding the behaviour if an UFW firewall application profile is added and subsequently removed. (#1740)
• Added support to my django-staticfiles-dotd "staticfiles" library which concatenates Javascript and CSS files from .d-style directories to support an arbitrary file rendering method. This allows the use of media pre-processors such as SASS within such directories. (#1)
• Corrected my Chrome extension for the FastMail web interface to correctly hook into the internal "send" mechanism. (#2)
• Moved my stravabot IRC bot to use dh-virtualenv and systemd, improving security and reliability. (1c48709)
• Updated django-pedantic-http-methods a tool to raise an exception during development when attempting to perform side effects in GET and HEAD HTTP methods to support the latest version of Django. (#1)

---

What happened in the reproducible builds effort between February 14th and February 20th 2016:

Toolchain fixes Yaroslav Halchenko uploaded cython/0.23.4+git4-g7eed8d8-1 which makes its output deterministic. Original patch by Chris Lamb. Didier Raboud uploaded pyppd/1.0.2-3 to experimental which now serialize PPD deterministically. Lunar submitted two patches for lcms to add a way for clients to set the creation date/time in profile headers and initialize all bytes when writing named colors.

Packages fixed The following packages have become reproducible due to changes in their build dependencies: dbconfig-common, dctrl-tools, dvdwizard, ekg2, expeyes, galternatives, gpodder, icewm, latex-mk, libiio, lives, navit, po4a, tasksel, tilda, vdr-plugin-infosatepg, xaos. The following packages became reproducible after getting fixed:

• calendarserver/7.0+dfsg-1 uploaded by Rahul Amaram, issue fixed upstream, obsolete patch by Esa Peuha.
• charybdis/3.5.0-1 uploaded by Antoine Beaupr , fixed upstream.
• cpio/2.11+dfsg-5 uploaded by Anibal Monsalve Salazar, patch by Lunar.
• fdroidserver/0.6.0-1 uploaded by Hans-Christoph Steiner, original patch by Reiner Herrmann.
• filter/2.6.3+ds1-2 by Axel Beckert.
• foxyproxy/4.5.5-debian-1 uploaded by David Pr vot, patch by Dhole.
• fpga-icestorm/0~20151006git103e6fd-3 by Ruben Undheim.
• gutenprint/5.2.11~pre1-1 uploaded by Didier Raboud, fixed upstream.
• juce/4.1.0+repack-2 by IOhannes m zm lnig.
• libjxp-java/1.6.1-6 by Emmanuel Bourg.
• libpgm/5.2.122~dfsg-2 uploaded by Laszlo Boszormenyi, patch by Lunar.
• modello/1.8.3-2 by Emmanuel Bourg.
• python-hypothesis/3.0.2-1 by Tristan Seligmann, fixed upstream.
• tcsh/6.18.01-4 uploaded by Thomas Lange, original patch by Reiner Herrmann.

Some uploads fixed some reproducibility issues, but not all of them:

• astroquery/0.3.1+dfsg-1 uploaded by Vincent Prat, original patch by Juan Picca.
• vtk-dicom/0.7.4-1 by Gert Wollny.

Unknown status:

• tomcat7/7.0.68-1 by Emmanuel Bourg (test suite fails in test environment).

Patches submitted which have not made their way to the archive yet:

• #814840 on tor by Petter Reinholdtsen: use the UTC timezone when calling asciidoc.
• #815082 on arachne-pnr by Dhole: use the C locale to format the changelog date.
• #815192 on manpages-de by Reiner Herrmann: tell grep to always treat the input as text so that it works with non-UTF-8 locales.
• #815193 on razorqt by Reiner Herrmann: tell grep to always treat the input as text so that it works with non-UTF-8 locales.
• #815250 on jacal by Reiner Herrmann: use the C locale to format the build date.
• #815252 on colord by Lunar: remove extra timestamps when generating CMF and spectra and implement support for SOURCE_DATE_EPOCH.

reproducible.debian.net Two new package sets have been added: freedombox and freedombox_build-depends. (h01ger)

diffoscope development diffoscope version 49 was released on February 17th. It continues to improve handling of debug symbols for ELF files. Their content will now be compared separately to make them more readable. The search for matching debug packages is more efficient by looking only for .deb files in the same parent directory. Alongside more bug fixes, support for ICC profiles has been added, and libarchive is now also used to read metadata for ar archives.

strip-nondeterminism development Reiner Herrmann added support to normalize Gettext .mo files.

Package reviews 170 reviews have been removed, 172 added and 54 updated in the previous week. 34 new FTBFS bugs have been opened by Chris Lamb, h01ger and Reiner Herrmann. New issues added this week: lxqt_translate_desktop_binary_file_matched_under_certain_locales, timestamps_in_manpages_generated_by_autogen. Improvements to the prebuilder script: avoid ccache, skip disorderfs hook if device nodes cannot be created, compatibility with grsec trusted path execution (Reiner Herrmann), code cleanup (Esa Peuha).

Misc. Steven Chamberlain highlighted reproducibility problems due to differences in how Linux and FreeBSD handle permissions for symlinks. Some possible ways forward have been discussed on the reproducible-builds mailing list. Bernhard M. Wiedemann reported on some reproducibility tests made on OpenSuse mentioning the growing support for SOURCE_DATE_EPOCH. If you are eligible for Outreachy or Google Summer of Code, consider spending the summer working on reproducible builds!