Search Results: "mez"

3 August 2020

Sylvain Beucler: Debian LTS and ELTS - July 2020

New local build setup
ELTS buildds: request timezone harmonization
Reclassify in-progress updates from jessie-LTS to jessie-ELTS
python3.4: finish preparing update, security upload ELA 239-1
net-snmp: global triage: bisect CVE-2019-20892 to identify affected version, jessie/stretch not-affected
nginx: global triage: clarify CVE-2013-0337 status; locate CVE-2020-11724 original patch and regression tests, update MITRE
nginx: security upload ELA-247-1 with 2 CVEs

LTS - Stretch

Reclassify in-progress/needed updates from stretch/oldstable to stretch-LTS
rails: upstream security: follow-up on CVE-2020-8163 (RCE) on upstream bug tracker and create pull request for 4.x (merged), hence getting some upstream review
rails: global security: continue coordinating upload in multiple Debian versions, prepare fixes for common stretch/buster vulnerabilities in buster
rails: security upload DLA-2282 fixing 3 CVEs
python3.5: security upload DLA-2280-1 fixing 13 pending non-critical vulnerabilities, and its test suite
nginx: security upload DLA-2283 (cf. common ELTS work)
net-snmp: global triage (cf. common ELTS work)
public IRC monthly team meeting
reach out to clarify the intro from last month's report, following unsettled feedback during meeting

Documentation/Scripts

ELTS/README.how-to-release-an-update: fix typo
ELTS buildd: attempt to diagnose slow perfs, provide comparison with Debian and local builds
LTS/Meetings: improve presentation
SourceOnlyUpload: clarify/de-dup pbuilder doc
LTS/Development: reference build logs URL, reference proposed-updates issue during dists switch, reference new-upstream-versioning discussion, multiple jessie->stretch fixes and clean-ups
LTS/Development/Asan: drop wheezy documentation
Warn about jruby mis-triage
Provide feedback for ksh/CVE-2019-14868
Provide feedback for condor update
LTS/TestsSuites/nginx: test with new request smuggling test cases

1 July 2020

Sylvain Beucler: Debian LTS and ELTS - June 2020

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor. In June, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 30h for LTS (out of 30 max; all done) and 5.25h for ELTS (out of 20 max; all done). While LTS is part of the Debian project, fellow contributors sometimes surprise me: suggestion to vote for sponsors-funded projects with concorcet was only met with overhead concerns, and there were requests for executive / business owner decisions (we're currently heading towards consultative vote); I heard concerns about discussing non-technical issues publicly (IRC team meetings are public though); the private mail infrastructure was moved from self-hosting straight to Google; when some got an issue with Debian Social for our first video conference, there were immediate suggestions to move to Zoom...
Well, we do need some people to make those LTS firmware updates in non-free

Also this was the last month before shifting suites: goodbye to Jessie LTS and Wheezy ELTS, welcome Stretch LTS and Jessie ELTS. ELTS - Wheezy

mysql-connector-java: improve testsuite setup; prepare wheezy/jessie/stretch triple builds; coordinate versioning scheme with security-team; security upload ELA 234-1
ntp: wheezy+jessie triage: 1 ignored (too intrusive to backport); 1 postponed (hard to exploit, no patch)
Clean-up (ditch) wheezy VMs

LTS - Jessie

mysql-connector-java: see common work in ELTS
mysql-connector-java: security uploads DLA 2245-1 (LTS) and DSA 4703 (oldstable)
ntp: wheezy+jessie triage (see ELTS)
rails: global triage, backport 2 patches, security upload DLA 2251-1
rails: global security: prepare stretch/oldstable update
rails: new important CVE on unmaintained 4.x, fixes introduce several regressions, propose new fix to upstream, update stretch proposed update [and jessie, but rails will turn out unsupported in ELTS]
python3.4: prepare update to fix all pending non-criticial issues, 5/6 ready
private video^W^Wpublic IRC team meeting

Documentation/Scripts

LTS/TestsSuites/mysql-connector-java: improve testsuite setup for better coverage
LTS/TestSuites/tiff: document package maintainer's (extensive) tests
LTS/TestSuites/rails: first version
LTS/TestSuites/python: how to run individual test
LTS/Development: clarifications on grouping fixes and validating patches
internal discussion on (not) capping LTS-funded hours
discussion on unbound and freerdp EOL
tzdata, libdatetime-timezone-perl: check and explain delayed update workflow
ELTS: update new tracker URL in documentation

7 June 2020

Enrico Zini: Cooperation links

Sincerit e modo di fare

cooperation education archive.org

2020-06-08

How to be perfectly unhappy - The Oatmeal

comics cooperation identity archive.org

2020-06-08

This comic was based on this essay from Augusten Burroughs: How to live unhappily ever after. In addition to the essay, I highly recommend reading his books. It's also been described in psychology as flow.

NVC Marshall Rosenberg - San Francisco Workshop

cooperation empowerment

2020-06-08

With full English subtitles

From confict to co-operation - Booklet 1

cooperation empowerment archive.org

2020-06-08

Confict where it comes from and how to deal with it

From conflict to co-operation - Booklet 2

cooperation empowerment archive.org

2020-06-08

Communication skills

Contempt Culture - The Particular Finest

cooperation archive.org

2020-06-08

Other languages

FOSDEM 2020 - Applying Open Culture Practices across Distributed Teams

cooperation archive.org

2020-06-08

Distributed teams are where people you work with aren t physically co-located, ie. they re at another office building, home or an outsourced company abroad. They re becoming increasingly popular, for DevOps and other teams, due to recruitment, diversity, flexibility and cost savings. Challenges arise due to timezones, language barriers, cultures and ways of working. People actively participating in Open Source communities tend to be effective in distributed teams. This session looks at how to apply core Open Source principles to distributed teams in Enterprise organisations, and the importance of shared purposes/goals, (mis)communication, leading vs managing teams, sharing and learning. We'll also look at practical aspects of what's worked well for others, such as alternatives to daily standups, promoting video conferencing, time management and virtual coffee breaks. This session is relevant for those leading or working in distributed teams, wanting to know how to cultivate an inclusive culture of increased trust and collaboration that leads to increased productivity and performance.

29 May 2020

Gunnar Wolf: Heads up Online MiniDebConf is Online

I know most Debian people know about this already But in case you don t follow the usual Debian communications channels, this might interest you! Given most of the world is still under COVID-19 restrictions, and that we want to work on Debian, given there is no certainty as to what the future holds in store for us Our DPL fearless as they always are had the bold initiative to make this weekend into the first-ever miniDebConf Online (MDCO)!

So, we are already halfway through DebCamp (which means, you can come and hang out with us in the debian.social DebCamp Jitsi lounge, where some impromptu presentations might happen (or not). Starting tomorrow morning (11AM UTC), we will have a quite interesting set of talks. I am reproducing the schedule here:

Saturday 2020.05.30

Time (UTC) Speaker Talk

11:00 - 11:10 MDCO team members Hello + Welcome

11:30 - 11:50 Wouter Verhelst Extrepo

12:00 - 12:45 JP Mengual Debian France, trust european organization

13:00 - 13:20 Arnaud Ferraris Bringing Debian to mobile phones, one package at a time

13:30 - 15:00 Lunch Break A chance for the teams to catch some air

15:00 - 15:45 JP Mengual The community team, United Nations Organizations of Debian?

16:00 - 16:45 Christoph Biedl Clevis and tang - overcoming the disk unlocking problem

17:00 - 17:45 Antonio Terceiro I m a programmer, how can I help Debian

Time (UTC)	Speaker	Talk
11:00 - 11:10	MDCO team members	Hello + Welcome
11:30 - 11:50	Wouter Verhelst	Extrepo
12:00 - 12:45	JP Mengual	Debian France, trust european organization
13:00 - 13:20	Arnaud Ferraris	Bringing Debian to mobile phones, one package at a time
13:30 - 15:00	Lunch Break	A chance for the teams to catch some air
15:00 - 15:45	JP Mengual	The community team, United Nations Organizations of Debian?
16:00 - 16:45	Christoph Biedl	Clevis and tang - overcoming the disk unlocking problem
17:00 - 17:45	Antonio Terceiro	I m a programmer, how can I help Debian

Sunday 2020.05.31

Time (UTC) Speaker Talk

11:00 - 11:45 Andreas Tille The effect of Covid-19 on the Debian Med project

12:00 - 12:45 Paul Gevers BoF: running autopkgtest for your package

13:00 - 13:20 Ben Hutchings debplate: Build many binary packages with templates

13:30 - 15:00 Lunch break A chance for the teams to catch some air

15:00 - 15:45 Holger Levsen Reproducing bullseye in practice

16:00 - 16:45 Jonathan Carter Striving towards excellence

17:00 - 17:45 Delib* Organizing Peer-to-Peer Debian Facilitation Training

18:00 - 18:15 MDCO team members Closing

subject to confirmation

Time (UTC)	Speaker	Talk
11:00 - 11:45	Andreas Tille	The effect of Covid-19 on the Debian Med project
12:00 - 12:45	Paul Gevers	BoF: running autopkgtest for your package
13:00 - 13:20	Ben Hutchings	debplate: Build many binary packages with templates
13:30 - 15:00	Lunch break	A chance for the teams to catch some air
15:00 - 15:45	Holger Levsen	Reproducing bullseye in practice
16:00 - 16:45	Jonathan Carter	Striving towards excellence
17:00 - 17:45	Delib*	Organizing Peer-to-Peer Debian Facilitation Training
18:00 - 18:15	MDCO team members	Closing

Timezone Remember this is an online event, meant for all of the world! Yes, the chosen times seem quite Europe-centric (but they are mostly a function of the times the talk submitters requested). Talks are 11:00 18:00UTC, which means, 06:00 13:00 Mexico (GMT-5), 20:00 03:00 Japan (GMT+9), 04:00 11:00 Western Canada/USA/Mexico (GMT-7) and the rest of the world, somewhere in between. (No, this was clearly not optimized for our dear usual beer team. Sorry! I guess we need you to be fully awake at beertime!)

[update] Connecting! Of course, I didn t make it clear at first how to connect to the Online miniDebConf, silly me!

The video streams are available at: https://video.debconf.org/

Suggested: tune in to the `#minidebconf-online` IRC channel in OFTC.

That should be it. Hope to see you there! (Stay home, stay safe )

Gunnar Wolf: Heads up Online MiniDebConf is Online

Saturday 2020.05.30

Time (UTC) Speaker Talk

11:00 - 11:10 MDCO team members Hello + Welcome

11:30 - 11:50 Wouter Verhelst Extrepo

12:00 - 12:45 JP Mengual Debian France, trust european organization

13:00 - 13:20 Arnaud Ferraris Bringing Debian to mobile phones, one package at a time

13:30 - 15:00 Lunch Break A chance for the teams to catch some air

15:00 - 15:45 JP Mengual The community team, United Nations Organizations of Debian?

16:00 - 16:45 Christoph Biedl Clevis and tang - overcoming the disk unlocking problem

17:00 - 17:45 Antonio Terceiro I m a programmer, how can I help Debian

Time (UTC)	Speaker	Talk
11:00 - 11:10	MDCO team members	Hello + Welcome
11:30 - 11:50	Wouter Verhelst	Extrepo
12:00 - 12:45	JP Mengual	Debian France, trust european organization
13:00 - 13:20	Arnaud Ferraris	Bringing Debian to mobile phones, one package at a time
13:30 - 15:00	Lunch Break	A chance for the teams to catch some air
15:00 - 15:45	JP Mengual	The community team, United Nations Organizations of Debian?
16:00 - 16:45	Christoph Biedl	Clevis and tang - overcoming the disk unlocking problem
17:00 - 17:45	Antonio Terceiro	I m a programmer, how can I help Debian

Sunday 2020.05.31

Time (UTC) Speaker Talk

11:00 - 11:45 Andreas Tille The effect of Covid-19 on the Debian Med project

12:00 - 12:45 Paul Gevers BoF: running autopkgtest for your package

13:00 - 13:20 Ben Hutchings debplate: Build many binary packages with templates

13:30 - 15:00 Lunch break A chance for the teams to catch some air

15:00 - 15:45 Holger Levsen Reproducing bullseye in practice

16:00 - 16:45 Jonathan Carter Striving towards excellence

17:00 - 17:45 Delib* Organizing Peer-to-Peer Debian Facilitation Training

18:00 - 18:15 MDCO team members Closing

subject to confirmation

Time (UTC)	Speaker	Talk
11:00 - 11:45	Andreas Tille	The effect of Covid-19 on the Debian Med project
12:00 - 12:45	Paul Gevers	BoF: running autopkgtest for your package
13:00 - 13:20	Ben Hutchings	debplate: Build many binary packages with templates
13:30 - 15:00	Lunch break	A chance for the teams to catch some air
15:00 - 15:45	Holger Levsen	Reproducing bullseye in practice
16:00 - 16:45	Jonathan Carter	Striving towards excellence
17:00 - 17:45	Delib*	Organizing Peer-to-Peer Debian Facilitation Training
18:00 - 18:15	MDCO team members	Closing

Timezone Remember this is an online event, meant for all of the world! Yes, the chosen times seem quite Europe-centric (but they are mostly a function of the times the talk submitters requested). Talks are 11:00 18:00UTC, which means, 06:00 13:00 Mexico (GMT-5), 20:00 03:00 Japan (GMT+9), 04:00 11:00 Western Canada/USA/Mexico (GMT-7) and the rest of the world, somewhere in between. (No, this was clearly not optimized for our dear usual beer team. Sorry! I guess we need you to be fully awake at beertime!)

[update] Connecting! Of course, I didn t make it clear at first how to connect to the Online miniDebConf, silly me!

The video streams are available at: https://video.debconf.org/

Suggested: tune in to the `#minidebconf-online` IRC channel in OFTC.

That should be it. Hope to see you there! (Stay home, stay safe )

14 April 2020

Dirk Eddelbuettel: gettz 0.0.4

A minor routine update 0.0.4 of gettz arrived on CRAN overnight. gettz provides a possible fallback in situations where Sys.timezone() fails to determine the system timezone. That happened when e.g. the file /etc/localtime somehow is not a link into the corresponding file with zoneinfo data in, say, /usr/share/zoneinfo. Since the package was written (in the fall of 2016), R added a similar extended heuristic approach itself. This release adds registration of the compiled routine via R_registerRoutines() and R_useDynamicSymbols(), adds .registration=TRUE to useDynLib() in NAMESPACE, and uses an unquoted symbol in .Call(). Two new badges were added to the README.md as well. And as in the previous release in 2016: No new code, or new features. Courtesy of CRANberries, there is a comparison to the previous release. More information is on the gettz page. For questions or comments use the issue tracker off the GitHub repo. If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

18 March 2020

Dirk Eddelbuettel: RcppCCTZ 0.2.7

A new release 0.2.7 of RcppCCTZ is now at CRAN. RcppCCTZ uses Rcpp to bring CCTZ to R. CCTZ is a C++ library for translating between absolute and civil times using the rules of a time zone. In fact, it is two libraries. One for dealing with civil time: human-readable dates and times, and one for converting between between absolute and civil times via time zones. And while CCTZ is made by Google(rs), it is not an official Google product. The RcppCCTZ page has a few usage examples and details. This package was the first CRAN package to use CCTZ; by now at least three others do using copies in their packages which remains less than ideal. This version adds internal extensions, contributed by Leonardo, which support upcoming changes to the nanotime package we are working on.

Changes in version 0.2.7 (2020-03-18)

Added functions _RcppCCTZ_convertToCivilSecond that converts a time point to the number of seconds since epoch, and _RcppCCTZ_convertToTimePoint that converts a number of seconds since epoch into a time point; these functions are only callable from C level (Leonardo in #34 and #35).

Added function _RcppCCTZ_getOffset that returns the offset at a speficied time-point for a specified timezone; this function is only callable from C level (Leonardo in #32).

We also have a diff to the previous version thanks to CRANberries. More details are at the RcppCCTZ page; code, issue tickets etc at the GitHub repository. If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

7 November 2017

Reproducible builds folks: Reproducible Builds: Weekly report #132

Here's what happened in the Reproducible Builds effort between Sunday October 29 and Saturday November 4 2017: Past events

From October 31st November 2nd we held the 3rd Reproducible Builds summit in Berlin, Germany. A full, in-depth report will be posted in the next week or so.

Upcoming events

On November 8th Jonathan Bustillos Osornio (jathan) will present at CubaConf Havana.
On November 17th Chris Lamb will present at Open Compliance Summit, Yokohama, Japan on how reproducible builds ensures the long-term sustainability of technology infrastructure.

Reproducible work in other projects

Alan Pope linked to the status of "asset recording" in SnapCraft, a concept related to .buildinfo files.

Packages reviewed and fixed, and bugs filed

Chris Lamb:
- #880714 filed against cappuccino.
- #880803 filed against python-kafka.
- #880804 filed against debci.
- #880827 filed against roundcube.
Steve Langasek:
- #880550 filed against g2.
Juro:
- curl (SOURCE_DATE_EPOCH)
- OpenSSL (SOURCE_DATE_EPOCH)
Bernhard M. Wiedemann:
- openSUSE/ant (use SOURCE_DATE_EPOCH)
- openSUSE/mariadb (drop INFO_BIN)
- openSUSE/libsmbios (drop embedded build log)

Reviews of unreproducible packages 7 package reviews have been added, 43 have been updated and 47 have been removed in this week, adding to our knowledge about identified issues. Weekly QA work During our reproducibility testing, FTBFS bugs have been detected and reported by:

Adrian Bunk (44)
Andreas Moog (1)
Lucas Nussbaum (7)
Steve Langasek (1)

Documentation updates

Ulrike Uhlig:
- Add documentation about system images.
Holger Levsen:
- List all speakers of the DebConf17
- Add news about the Berlin event
Chris Lamb:
Bernhard M. Wiedemann:
- Fix openSUSE website link

diffoscope development Version 88 was uploaded to unstable by Mattia Rizzolo. It included contributions (already covered by posts of the previous weeks) from:

Mattia Rizzolo
- tests/comparators/dtb: compatibility with version 1.4.5. (Closes: #880279)
Chris Lamb
- comparators:
  - binwalk: improve names in output of "internal" members. #877525
  - Omit misleading "any of" prefix when only complaining about one module in ImportError messages.
- Don't crash on malformed "md5sums" files. (Closes: #877473)
- tests/comparators:
  - ps: ps2ascii > 9.21 now varies on timezone, so skip this test for now.
  - dtby: only parse the version number, not any "-dirty" suffix.
- debian/watch: Use HTTPS URI.
Ximin Luo
- comparators:
  - utils/file: Diff container metadata centrally. This fixes a last remaining bug in fuzzy-matching across containers. (Closes: #797759)
  - Fix all the affected comparators after the above change.
Holger Levsen
- Bump Standards-Version to 4.1.1, no changes needed.

strip-nondeterminism development Version 0.040-1 was uploaded to unstable by Mattia Rizzolo. It included contributions already covered by posts of the previous weeks, as well as new ones from:

Mattia Rizzolo:
- Declare that strip-nondeterminism doesn't need root to build
- Add my key to debian/upstream/signing-key.asc m disorderfs development

Version 0.5.2-2 was uploaded to unstable by Holger Levsen. It included contributions already covered by posts of the previous weeks, as well as new ones from:

reprotest development

Ximin Luo:
- Mention certificate expiry errors in documentation as a potential issue with faketime

buildinfo.debian.net development

Chris Lamb:
- Support UID filtering
- Add initial "by-hash" API endpoint.

tests.reproducible-builds.org

Mattia Rizzolo:
- archlinux: enable schroot building on pb4 as well
- archlinux: don't install the deprecated abs tool
- archlinux: try to re-enable one schroot creation job
lynxis
- lede: replace TMPDIR -> RESULTSDIR
- lede: openwrt_get_banner(): use locals instead of globals
- lede: add newline to $CONFIG
- lede: show git log -1 in jenkins log
Holger Levsen:
- lede: add very simple landing page
Juliana Oliveira Rodrigues
- archlinux: adds pacman-git dependencies
kpcyrd
- archlinux: disable signature verification when running in the future
- archlinux: use pacman-git until the next release
- archlinux: make pacman fail less early
- archlinux: use sudo to prepare chroot
- archlinux: remove -rf for regular file
- archlinux: avoid possible TOCTOU issue
- archlinux: Try to fix tar extraction
- archlinux: fix sha1sums parsing

Misc. This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

31 October 2017

Chris Lamb: Free software activities in October 2017

Here is my monthly update covering what I have been doing in the free software world in October 2017 (previous month):

Wrote and released python-gfshare, a Python library that implements Shamir s method for secret sharing, a cryptography technique to split a file into multiple parts. I blogged about it earlier in the month.
Improved the new-style URL handling in the 2.x branch of the Django web framework to check for incorrectly migrated calls from the old system. [...]
Added support for Python 3, Django 1.9 & Django 2.0 to django-auto-one-one-to-one, my library to cleanly manage related model instances.
Proposed two small pull requests for Redisearch, a search engine module for the Redis key-value storage database:
- Don't assume that not being Linux is OSX. [...]
- Install the module into /usr/lib over /var/lib as the latter is for program state, not libraries or modules. [...]
In Peter Bengtsson's new django-cache-memoize library, suggested an addition to the store_result documentation. [...]
Made two pull requests for django-auditlog, a Django app that maintains an audit trail of changes in your application:
- Add missing on_delete to the LogEntry initial migration to ensure compatibility with Django 2.x. [...]
- Add missing python-dateutil to setup.py. [...]
Yet more Lintian hacking (previously):
- New features:
  - Warn when packages unnecessararily set dpkg-architecture(1) variables. (#793554)
  - Check for files that use content from the /etc/init.d/skeleton template. (#879152)
  - Warn about certain files under debian/* that contain trailing whitespace characters. (#748405)
  - Ignore embedded jQuery libraries for Doxygen. (#736360)
  - Warn about Django libraries that do not depend on Django itself. (#877292)
  - Check for Python modules with overly generic names such as tests or test. (#875964)
  - Warn if packages set CFLAGS if the value of DEB_BUILD_OPTIONS contains noopt. (#718640)
  - Ignore embedded jQuery libraries for Doxygen. (#736360)
  - Warn about empty fields in debian/control. (#744388)
  - Add bionic as known Ubuntu distribution. (#880115)
  - Warn if native systemd .service files only wrap the existing SysV/LSB init scripts. (#870704)
  - Emit new empty-section-field tag instead of uninitialized value warnings on an empty Section: field. (#878515)
  - Warn about debian/watch files using insecure URIs, similar to vcs-field-uses-insecure-uri. (#849515)
  - Include the offending URI in debian-watch-uses-insecure-uri output, not the line number.
  - Allow empty md5sums files. (#781372)
  - Move latest-debian-changelog-entry-without-new-date tag into a new check of type source. (#873612)
  - Add cwl-runner to the list of known interpreters. (#851126)
  - Also match packages named python2-* as relating to the Python 2.x migration.
- Bug fixes:
  - Don't error out when AppStream metadata is invalid; emit appstream-metadata-invalid instead. (#879661)
  - Actually check for a dependency on sensible-utils before emitting script-needs-depends-on-sensible-utils. (#877439)
  - Avoid a false positives in debian-control-has-empty-field when the field is wrapped onto a new line. (#879977)
  - Drop README.source from files to check against file-contains-trailing-whitespace as it can include literal quotes from upstreams that would be ideally left intact.
  - Lower the severity of package-installs-java-bytecode from E: to W:. (#879862)
  - Do not trigger package-installs-java-bytecode if the path contains WEB-INF, demo, doc etc. (#879860)
  - Verify files triggering package-installs-java-bytecode files really are Java .class files. (#879861)
  - Check the Recommends field as well when testing scripts for script-needs-depends-on-sensible-utils. (#879953)
  - Ignore the "magic" http://sf.net/ redirector URI for the debian-watch-uses-insecure-uri tag. (#879206)
  - Revert addition of "none were" -> "none was" multiword spelling correction as it is "acceptable beyond serious criticism". (#878457)
  - Drop copyright-year-in-future; too error prone and time-consuming to maintain given the severity of the issues it can find. (#877766)
  - Exempt debian/copyright from the license-problem-non-free-RFC tag to avoid false-positives "meta" references. (#877999)
  - Ignore privacy breach violations within HTML/Javascript comments. (#877421)
  - Avoid warning for init.d-script-not-marked-as-conffile when the init.d script does not exist as we will already be alerted via the init.d-script-not-included-in-package tag.
  - Do not emit python-foo-but-no-python3-foo for packages ending with -common.
  - Add missing example-script-uses-deprecated-nodejs-location tag. (#877142)
  - Correct invalid link to upgrading-checklist in Standards-Version checks. (#878184)
- Documentation:
  - Add a note to orig-tarball-missing-upstream-signature regarding support in pristine-tar and git-buildpackage.
  - Add example on how to remove trailing whitespace with sed.
- Tests:
  - Split out checks for debconf-config-not-executable into a separate test protected by a Test-Requires now that dpkg 1.19.0 will bail out on that condition.
  - Correct Depends of python2.7 python3 in a Python 3 test package.
  - Add test for ignoring python-foo-doc packages for the Python 3 migration and correct short descriptions of test packages.
Finally, I was interviewed by HostingAdvice about my role as Debian Project Leader.

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced either maliciously or accidentally during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area. This month I:

Presented at All Things Open, 2017 in Raleigh, NC, United States.
Attended the third Reproducible Builds summit in Berlin, Germany.
Presented at the inaugural Freenode #live conference in Bristol, United Kingdom.
In Debian, I:
- Kept isdebianreproducibleyet.com up to date.
- Submitted 10 patches to fix specific reproducibility issues in argagg, cadvisor, fmtlib, geographiclib, live-build, plr, polygen, python-amqp, rcs & sdlgfx.
- Made the following non-maintainer uploads (NMUs) to Debian to fix reproducibility issues:
  - gerstensaft 0.3-4.1 (#777414)
  - ipsvd 1.0.0-3.1 (#777417, #846890)
  - mailfront 1.16-1.1 (#777431, #847020)
  - miniupnpd 1.8.20140523-4.2 (#860266)
  - plib-doc 1:1.8.5-3.1 (#778971, #557676)
  - rest2web 0.5.2~alpha+svn-r248-2.3 (#833438)
Updated the try.diffoscope.org SSL key.
Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
Worked on publishing our weekly reports. (#128, #129, #130 & #131)

I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

Improve names in output of "internal" binwalk members. (#877525).
Don't crash on malformed md5sums files. (#877473).
Omit misleading "any of" prefix when only complaining about a single module on import. [...]
Adjust tests as ps2ascii now varies its output on timezone. [...]

strip-nondeterminism

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.

Clojure considers .class file to be stale if it shares the same timestamp of the .clj. We thus adjust the timestamps of the .clj to always be younger. (#877418).
Print a message in --verbose mode if no canonical time was specified. [...]

buildinfo.debian.net

buildinfo.debian.net is my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them.

Always show SHA-256 checksums, regardless of the browser viewport size. [...]
Add an API endpoint to fetch specific .buildinfo files for a certain package/version/architecture. [...]

Debian My activities as the current Debian Project Leader are covered in my "Bits from the DPL" email to the debian-devel-announce mailing list.

Patches contributed

devscripts: Please print the actual arguments debuild makes to Lintian. (#880124)
hw-detect: Drop reference to floppy disks; it's almost 2018. (#880122)
debci:
- Use deb.debian.org over http.debian.net. (#879654)
- Document how to use an alternative mirror. (#879655)

Debian LTS

This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:

"Frontdesk" duties, triaging CVEs, etc.
Followed up on a large number of upstream "pings" that have been left dormant.
Issued DLA 1121-1 to fix an out-of-bounds read vulnerability in curl where a malicious FTP server could abuse this to prevent clients from interacting with it.
Issued DLA 1123-1 for the "Go" programming language where an attacker could generate a MIME request such that the server ran out of file descriptors.
Issued DLA 1126-1 for the libxfont font selection and rasterisation library, correcting two vulnerabilities, both involving the library being tricked into reading invalid/random memory.
Issued DLA 1134-1 for sdl-image1.2, an image loading library. A maliciously-crafted .xcf file could cause a stack-based buffer overflow resulting in potential code execution.

Uploads

python-django:
- 2.0~beta1-1 New upstream 2.x release.
- 1.11.6-1 New upstream bugfix release.
gunicorn (19.6.0-10+deb9u1) Prepared a release for stable to avoid a runtime dependency on a compiler. (#877722)
redis:
- 4:4.0.2-3:
  - Drop the Debian-specific /etc/redis/redis-server.pre-up.d (etc.) hooks and remove them if unchanged.
  - Include systemd redis-server@.service and redis-sentinel@.service template files to easily run multiple Redis instances. (#877702)
  - Patch redis.conf and sentinel.conf with quilt instead of maintaining our own versions under debian/.
- 4:4.0.2-4:
  - Add input validity checking to cluster config slot numbers to fix CVE-2017-15047. (#878076)
  - Drop debian/bin/generate-parts now we aren't calling it.
  - Correct Bash-ism in NEWS file.
- 4:4.0.2-5: Replace the existing patch for CVE-2017-15047 with an upstream-blessed version that covers another case.
redisearch (0.21.3-5) Initial release.
docbook2man (2.0.0-40) Correct spelling mistakes in binaries and other misc packaging tidying.
python-redis (2.10.6-1) New upstream release.
bfs (1.1.3-1) New upstream release.

FTP Team

As a Debian FTP assistant I ACCEPTed 103 packages: amcheck, argagg, binutils, blockui, bro-pkg, chkservice, citus, django-axes, docker-containerd, doctest, dtkwidget, duktape, feed2exec, fontforge, fonttools, gcc-8, gcc-8-cross, generator-scripting-language, gitgraph.js, haskell-uri-encode, hoel, iniparser, its, jquery-areyousure, kodi, libcatmandu-mods-perl, libcatmandu-template-perl, libcatmandu-xml-perl, libcatmandu-xsd-perl, libcode-tidyall-plugin-sortlines-naturally-perl, libgdamm5.0, libinfinity, libmods-record-perl, libreoffice-dictionaries, libset-intervaltree-perl, libsodium, linux, linux-grsec, ltsp-manager, lxqt-themes, mailman3-core, measurement-kit, mini-buildd, musescore, node-babel, node-babel-eslint, node-babel-loader, node-babel-plugin-add-module-exports, node-babel-plugin-transform-define, node-gulp-newer, node-regenerate-unicode-properties, node-regexpu-core, node-regjsparser, node-unicode-data, node-unicode-loose-match, openjdk-9, orafce, pgaudit, pgsql-ogr-fdw, pk4, postgresql-mysql-fdw, powa-archivist, python-azure-devtools, python-colormap, python-darkslide, python-dotenv, python-karborclient, python-logfury, python-lupa, python-marshmallow, python-murano-pkg-check, python-octaviaclient, python-pathspec, python-pgpy, python-pydub, python-randomize, python-sabyenc, python-searchlightclient, python-stestr, python-subunit2sql, python-twitter, python-utils, python-wsgilog, r-cran-bindr, r-cran-desc, r-cran-hms, r-cran-readstata13, r-cran-rprojroot, r-cran-wikidatar, r-cran-wikipedir, r-cran-wikitaxa, repmgr, requests-file, resteasy3.0, sdl-kitchensink, stardicter, systemd-el, thunderbird, tomcat8.0, uwsgi-plugin-luajit, uwsgi-plugin-mongo, uwsgi-plugin-php & uwsgi-plugin-v8. I additionally filed 3 RC bugs against packages that had incomplete debian/copyright files against: fonttools, generator-scripting-language & libsodium.

16 August 2017

Holger Levsen: 20170816-irssi-timezones

How to change irssi's timezone without restart Happy birthday to all you lovely Debian people! For my future self:

<Rhonda>   h01ger: /script exec $ENV TZ  = 'Europe/Vienna';

5 August 2017

Steinar H. Gunderson: Dear conference organizers

Dear conference organizers, In this day and age, people stream conferences and other events over the Internet. Most of the Internet happens to be in a different timezone from yours (it's crazy, I know!). This means that if you publish a schedule, please say which timezone it's in. We've even got this thing called JavaScript now, which allows you to also convert times to the user's local timezone (the future is now!), so you might want to consider using it. :-) (Yes, this goes for you, DebConf, and also for you, Assembly.)

31 July 2017

Chris Lamb: Free software activities in July 2017

Here is my monthly update covering what I have been doing in the free software world during July 2017 (previous month):

Updated travis.debian.net, my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform to test builds:
- Moved the default mirror from ftp.de.debian.org to deb.debian.org. [ ]
- Create a sensible debian/changelog file if one does not exist. [ ]
Updated django-slack, my library to easily post messages to the Slack group-messaging utility:
- Merged a PR to clarify the error message when a channel could not be found. [ ]
- Reviewed and merged a suggestion to add a TestBackend. [ ]
Added Pascal support to Louis Taylor's anyprint hack to add support for "print" statements from other languages into Python. [ ]
Filed a PR against Julien Danjou's daiquiri Python logging helper to clarify an issue in the documentation. [ ]
Merged a PR to Strava Enhancement Suite my Chrome extension that improves and fixes annoyances in the web interface of the Strava cycling and running tracker to remove Zwift activities with maps. [ ]
Submitted a pull request for Redis key-value database store to fix a spelling mistake in a binary. [ ]
Sent patches upstream to the authors of the OpenSVC cloud engine and the Argyll Color Management System to fix some "1204" typos.
Fixed a number of Python and deployment issues in my stravabot IRC bot. [ ]
Correct a "1204" typo in Facebook's RocksDB key-value store. [ ]
Corrected =+ typos in the Calibre e-book reader software. [ ]
Filed a PR against the diaspy Python interface to the DIASPORA social network to correct the number of seconds in a day. [ ]
Sent a pull request to remedy a =+ typo in sparqlwrapper, a SPARQL endpoint interface for Python. [ ]
Filed a PR against Postfix Admin to fix some =+ typos. [ ]
Fixed a "1042" typo in ImageJ, a Java image processing library. [ ]
On a less-serious note, I filed an issue for Brad Abraham's bot for the Reddit sub-reddit to add some missing "hit the gym" advice. [ ]

I also blogged about my recent lintian hacking and installation-birthday package.

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced either maliciously or accidentally during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. (I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.) This month I:

Assisted Mattia with a draft of an extensive status update to the debian-devel-announce mailing list. There were interesting follow-up discussions on Hacker News and Reddit.
Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
- apt: Make the output of apt-ftparchive reproducible. Thanks to Colin Percival from Tarsnap for the initial bug report. (#869557)
- gconf: Make the output of /var/lib/gconf/defaults/%gconf-tree-*.xml files reproducible. (#867848, forwarded upstream)
- grunt: Make the output reproducible. (#867753, forwarded upstream)
- node-marked-man: Make the output reproducible. (#868321, forwarded upstream)
- xorg-server: Make BUILD_ DATE,TIME reproducible. (#868843)
I also submitted 5 patches to fix specific reproducibility issues in autopep8, castle-game-engine, grep, libcdio & tinymux.
Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
Worked on publishing our weekly reports. (#114 #115, #116 & #117)

I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

comparators.xml:
- Fix EPUB "missing file" tests; they ship a META-INF/container.xml file. [ ]
- Misc style fixups. [ ]
APK files can also be identified as "DOS/MBR boot sector". (#868486)
comparators.sqlite: Simplify file detection by rewriting manual recognizes call with a Sqlite3Database.RE_FILE_TYPE definition. [ ]
comparators.directory:
- Revert the removal of a try-except. (#868534)
- Tidy module. [ ]

strip-nondeterminism

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.

Add missing File::Temp imports in the JAR and PNG handlers. This appears to have been exposed by lazily-loading handlers in #867982. (#868077)

buildinfo.debian.net

buildinfo.debian.net is my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them.

Avoid a race condition between check-and-creation of Buildinfo instances. [ ]

Debian My activities as the current Debian Project Leader are covered in my "Bits from the DPL emails to the debian-devel-announce mailing list.

Patches contributed

obs-studio: Remove annoying "click wrapper" on first startup. (#867756)
vim: Syntax highlighting for debian/copyright files. (#869965)
moin: Incorrect timezone offset applied due to "84600" typo. (#868463)
ssss: Add a simple autopkgtest. (#869645)
dch: Please bump $latest_bpo_dist to current stable release. (#867662)
python-kaitaistruct: Remove Markdown and homepage references from package long descriptions. (#869265)
album-data: Correct invalid Vcs-Git URI. (#869822)
pytest-sourceorder: Update Homepage field. (#869125)

I also made a very large number of contributions to the Lintian static analysis tool. To avoid duplication here, I have outlined them in a separate post.

Debian LTS

This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:

"Frontdesk" duties, triaging CVEs, etc.
Issued DLA 1014-1 for libclamunrar, a library to add unrar support to the Clam anti-virus software to fix an arbitrary code execution vulnerability.
Issued DLA 1015-1 for the libgcrypt11 crypto library to fix a "sliding windows" information leak.
Issued DLA 1016-1 for radare2 (a reverse-engineering framework) to prevent a remote denial-of-service attack.
Issued DLA 1017-1 to fix a heap-based buffer over-read in the mpg123 audio library.
Issued DLA 1018-1 for the sqlite3 database engine to prevent a vulnerability that could be exploited via a specially-crafted database file.
Issued DLA 1019-1 to patch a cross-site scripting (XSS) exploit in phpldapadmin, a web-based interface for administering LDAP servers.
Issued DLA 1024-1 to prevent an information leak in nginx via a specially-crafted HTTP range.
Issued DLA 1028-1 for apache2 to prevent the leakage of potentially confidential information via providing Authorization Digest headers.
Issued DLA 1033-1 for the memcached in-memory object caching server to prevent a remote denial-of-service attack.

Uploads

redis:
- 4:4.0.0-1 Upload new major upstream release to unstable.
- 4:4.0.0-2 Make /usr/bin/redis-server in the primary package a symlink to /usr/bin/redis-check-rdb in the redis-tools package to prevent duplicate debug symbols that result in a package file collision. (#868551)
- 4:4.0.0-3 Add -latomic to LDFLAGS to avoid a FTBFS on the mips & mipsel architectures.
- 4:4.0.1-1 New upstream version. Install 00-RELEASENOTES as the upstream changelog.
- 4:4.0.1-2 Skip non-deterministic tests that rely on timing. (#857855)
python-django:
- 1:1.11.3-1 New upstream bugfix release. Check DEB_BUILD_PROFILES consistently, not DEB_BUILD_OPTIONS.
bfs:
- 1.0.2-2 & 1.0.2-3 Use help2man to generate a manpage.
- 1.0.2-4 Set hardening=+all for bindnow, etc.
- 1.0.2-5 & 1.0.2-6 Don't use upstream's release target as it overrides our CFLAGS & install RELEASES.md as the upstream changelog.
- 1.1-1 New upstream release.
libfiu:
- 0.95-4 Apply patch from Steve Langasek to fix autopkgtests. (#869709)
python-daiquiri:
- 1.0.1-1 Initial upload. (ITP)
- 1.1.0-1 New upstream release.
- 1.1.0-2 Tidy package long description.
- 1.2.1-1 New upstream release.

I also reviewed and sponsored the uploads of gtts-token 1.1.1-1 and nlopt 2.4.2+dfsg-3.

Debian bugs filed

ITP: python-daiquiri Python library to easily setup basic logging functionality. (#867322)
twittering-mode: Correct incorrect time formatting due to "84600" typo. (#868479)

FTP Team

As a Debian FTP assistant I ACCEPTed 45 packages: 2ping, behave, cmake-extras, cockpit, cppunit1.13, curvedns, flask-mongoengine, fparser, gnome-shell-extension-dash-to-panel, graphene, gtts-token, hamlib, hashcat-meta, haskell-alsa-mixer, haskell-floatinghex, haskell-hashable-time, haskell-integer-logarithms, haskell-murmur-hash, haskell-quickcheck-text, haskell-th-abstraction, haskell-uri-bytestring, highlight.js, hoel, libdrm, libhtp, libpgplot-perl, linux, magithub, meson-mode, orcania, pg-dirtyread, prometheus-apache-exporter, pyee, pytest-pep8, python-coverage-test-runner, python-digitalocean, python-django-imagekit, python-rtmidi, python-transitions, qdirstat, redtick, ulfius, weresync, yder & zktop. I additionally filed 5 RC bugs against packages that had incomplete debian/copyright files against: cockpit, cppunit, cppunit1.13, curvedns & highlight.js.

28 June 2017

Yakking: What is Time?

Time is a big enough subject that I'd never finish writing about it. Fortunately this is a Linux technical blog, so I only have to talk about it from that perspective. In a departure from our usual article series format, we are going to start with an introductory article and follow up starting from basics, introducing new concepts in order of complexity. What is time? Time is seconds since the unix epoch. The Unix epoch is midnight, Thursday, 1st January 1970 in the UTC time zone. If you know the unix time and how many seconds in each day since then you can use the unix timestamp to work out what time it is now in UTC time. If you want to know the time in another timezone the na ve thing is to apply a timezone offset based on how far or behind the zone is compared to UTC. This is non-trivial since time is a political issue, requiring global coordination with hundreds of countries coming in and out of [daylight saving time][] and various other administrative changes, time often changes. Some times don't exist in some timezones. Samoa skipped a day and changed time zone. A side-effect of your system clock being in Unix time is that to know local time you need to know where you are. The talk linked to in https://fosdem.org/2017/schedule/event/python_datetime/ is primarily about time in python, but covers the relationship between time stamps, clock time and time zones. http://www.creativedeletion.com/2015/01/28/falsehoods-programmers-date-time-zones.html is a good summary of some of the common misconceptions of time zone handling.

Now that we've covered some of the concepts we can discuss in future articles how this is implemented in Linux.

22 June 2017

Dirk Eddelbuettel: RcppCCTZ 0.2.3 (and 0.2.2)

A new minor version 0.2.3 of RcppCCTZ is now on CRAN. RcppCCTZ uses Rcpp to bring CCTZ to R. CCTZ is a C++ library for translating between absolute and civil times using the rules of a time zone. In fact, it is two libraries. One for dealing with civil time: human-readable dates and times, and one for converting between between absolute and civil times via time zones. The RcppCCTZ page has a few usage examples and details. This version ensures that we set the TZDIR environment variable correctly on the old dreaded OS that does not come with proper timezone information---an issue which had come up while preparing the next (and awesome, trust me) release of nanotime. It also appears that I failed to blog about 0.2.2, another maintenance release, so changes for both are summarised next.

Changes in version 0.2.3 (2017-06-19)

On Windows, the TZDIR environment variable is now set in .onLoad()

Replaced init.c with registration code inside of RcppExports.cpp thanks to Rcpp 0.12.11.

Changes in version 0.2.2 (2017-04-20)

Synchronized with upstream CCTZ

The time_point object is instantiated explicitly for nanosecond use which appears to be required on macOS

We also have a diff to the previous version thanks to CRANberries. More details are at the RcppCCTZ page; code, issue tickets etc at the GitHub repository.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

17 May 2017

Reproducible builds folks: Reproducible Builds: week 107 in Stretch cycle

Here's what happened in the Reproducible Builds effort between Sunday May 7 and Saturday May 13 2017: Report from Reproducible Builds Hamburg Hackathon We were 16 participants from 12 projects: 7 Debian, 2 repeatr.io, 1 ArchLinux, 1 coreboot + LEDE, 1 F-Droid, 1 ElectroBSD + privoxy, 1 GNU R, 1 in-toto.io, 1 Meson and 1 openSUSE. Three people came from the USA, 3 from the UK, 2 Finland, 1 Austria, 1 Denmark and 6 from Germany, plus we several guests from our gracious hosts at the CCCHH hackerspace as well as a guest from Australia We had four presentations:

"Reproducible Builds everywhere" by h01ger
https://in-toto.io by Justin Cappos
http://repeatr.io by Eric Myhre
http://mesonbuild.com by Jussi Pakkanen

Some of the things we worked on:

h01ger did orga stuff for this very hackathon, discussed tests.r-b.o with various non-Debian contributors, filed some bugs and restarted the policy discussion in #844431. He also did some polishing work on tests.r-b.o which shall be covered in next issue of our weekly blog.
Justin Cappos involved many of us in interesting discussions and started to write an academic paper about Reproducible Builds of which he shared an early beta on our mailinglist.
Chris Lamb (lamby) filed a number of patches for individual packages, worked on diffoscope, merged many changes to strip-nondeterminism and also filed #862073 against dak to upload buildinfo files to external services.
Maria Glukhova (siamezzze) fixed a bug with plots on tests.reproducible-builds.org and worked on diffoscope test coverage.
Lynxis worked on a new squashfs upstream release improving support for reproducible squashfs filesystems and also had some time to hack on coreboot and show others how to install coreboot on real hardware.
Michael Poehn worked on integrating F-Droid builds into tests.reproducible-builds.org, on the F-Droid verification utility and also ran some app reproducibility tests.
Bernhard worked on various unreproducible issues upstream and submitted fixes for curl, bzr, ant.
Erin Myhre worked on bootstrapping cleanroom builds of compiler components in Repeatr sandboxes.
Calvin Behling merged improvements to reppl for a cleaner storage format and better error handling and did design work for next version of repeatr pipeline execution. Calvin also lead the reproducibility testing of restaurant mood lighting.
Eric and Calvin also claim to have had all sorts of useful exchanges about the state of other projects, and learned a lot about where to look for more info about debian bootstrap and archive mirroring from steven and lamby
Phil Hands came by to say hi and worked on testing d-i on jenkins.debian.net.
Chris West (Faux) worked on extending misc.git:has-only.py, and started looking at Britney.

We had a Debian focussed meeting where we discussed a number of topics:

IRC meetings: yes, we want to try again to have them, monthly, a poll for a good date is being held.
Debian tests post Stretch: we'll add tests for stable/Stretch.
.buildinfo files, how forward: we need sourceful uploads for any arch:all packages. dak should send .buildinfo files to buildinfo.debian.net.
(pre?) Stretch release press release: we should do that, esp. as our achievements are largely unrelated to Stretch.
Reproducible Builds Summit 3: yes, we want that.
what to do (in notes.git) with resolved issues: keep the issues.
strip-nondeterminism quo vadis: Justin reminded us that strip-nondeterminism is a workaround we want to get rid off.

And then we also had a lot of fun in the hackerspace, enjoying some of their gimmicks, such as being able to open physical doors with ssh or controlling light and music with an webbrowser without authentication (besides being in the right network).

(This wasn't the hackathon per-se, but some of us appreciated these sights and so we thought you would too.) Many thanks to:

Debian for sponsoring food and accomodation!
Dock Europe for providing us with really nice accomodation in the house!
CCC Hamburg for letting us use their hackerspace for >3 days non-stop!

News and media coverage openSUSE has had a security breach in their infrastructure, including their build services. As of this writing, the scope and impact are still unclear, however the incident illustrates that no one should rely on being able to secure their infrastructure at all times. Reproducible Builds help mitigate this by allowing independent verification of build results, by parties that are unaffected by the compromise. (Whilst this can happen to anyone. Kudos to openSUSE for being open about it. Now let's continue working on Reproducible Builds everywhere!) On May 13th Chris Lamb gave a talk on Reproducible Builds at OSCAL 2017 in Tirana, Albania.

Toolchain bug reports and fixes

Chris Lamb:
- Fixed a long-standing toolchain issue (#842635, #858389) in docbook-to-man by adopting the package.
- #862003 filed against debhelper.
- #862073 filed against ftp.debian.org, to upload buildinfo files to buildinfo.debian.net.
Steven Chamberlain:
- #862059 filed against sbuild, for signing buildinfo files.
Ximin Luo:
- #862112 filed against r-base.
- #862113 filed against gcc-6.
- #862116 filed against dpkg.

Packages' bug reports

Chris Lamb:
- #862088 filed against compass-h5bp-plugin.
- #862140 filed against ofxstatement-plugins.
- #862179 filed against acct.
- #862183 filed against libjgroups-java.
- #862195 filed against sendip.
- #862451 filed against wammu, forwarded upstream.
- #862484 filed against seqan2.
- #862553 filed against vim-command-t.
- #862588 filed against tkhtml1.
- #862592 filed against taskcoach.
Chris West:
- #862252 filed against dns-root-data.

Reviews of unreproducible packages 11 package reviews have been added, 2562 have been updated and 278 have been removed in this week, adding to our knowledge about identified issues. Most of the updates were to move ~1800 packages affected by the generic catch-all captures_build_path (out of ~2600 total) to the more specific gcc_captures_build_path, fixed by our proposed patches to GCC. 5 issue types have been updated:

Weekly QA work During our reproducibility testing, FTBFS bugs have been detected and reported by:

Adrian Bunk (1)
Chris Lamb (2)
Chris West (1)

diffoscope development diffoscope development continued on the experimental branch:

Maria Glukhova:
- Code refactoring and more tests.
Chris Lamb:
- Add safeguards against unpacking recursive or deeply-nested archives. (Closes: #780761)

strip-nondeterminism development

strip-nondeterminism 0.033-1 and -2 were uploaded to unstable by Chris Lamb. It included contributions from:
Bernhard M. Wiedemann:
- Add cpio handler.
- Code quality improvements.
Chris Lamb:
- Add documentation and increase verbosity, in support of the long-term aim of removing the need for this tool.

reprotest development

reprotest 0.6.1 and 0.6.2 were uploaded to unstable by Ximin Luo. It included contributions from:
Ximin Luo:
- Add a documentation section on "Known bugs".
- Move developer documentation away from the man page.
- Mention release instructions in the previous changelog.
- Preserve directory structure when copying artifacts. Otherwise hash output on a successful reproduction sometimes fails, because find(1) can't find the artifacts using the original artifact_pattern.
Chris Lamb
- Add proper release instructions and a keyring.

trydiffoscope development

Chris Lamb:
- Uses the diffoscope from Debian experimental if possible.

Misc. This week's edition was written by Ximin Luo, Holger Levsen and Chris Lamb & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

15 May 2017

intrigeri: GNOME and Debian usability testing, May 2017

During the Contribute your skills to Debian event that took place in Paris last week-end, we conducted a usability testing session. Six people were tasked with testing a few aspects of the GNOME 3.22 desktop environment and of the Debian 9 (Stretch) operating system. A number of other people observed them and took notes. Then, two observers and three testers analyzed the results, that we are hereby presenting: we created a heat map visualization, summed up the challenges met during the tests, and wrote this blog post together. We will point the relevant upstream projects to our results. A couple of other people also did some usability testing but went in much more depth: their feedback is much more detailed and comes with a number of improvement ideas. I will process and publish their results as soon as possible. Missions Testers were provided a laptop running GNOME on a a Debian 9 (Stretch) Live system. A quick introduction (mostly copied from the one we found in some GNOME usability testing reports) was read. Then they were asked to complete the following tasks. A. Nautilus Mission A.1 Download and rename file in Nautilus

Download a file from the web, a PDF document for example.
Open the folder in which the file has been downloaded.
Rename the dowloaded file to SUCCESS.pdf.
Toggle the browser window to full screen.
Open the file SUCCESS.pdf.
Go back to the File manager.
Close the file SUCCESS.pdf.

Mission A.2 Manipulate folders in Nautilus

Create a new folder named cats in your user directory.
Create a new folder named to do in your user directory.
Move the cats folder to the to do folder.
Delete the cats folder.

Mission A.3 Create a bookmark in Nautilus

Create a folder named unicorns in your personal directory.
This folder is important. Add a bookmark for unicorns in order to find it again in a few weeks.

Mission A.4 Nautilus display settings Folders and files are usually listed as icons, but they can also be displayed differently.

Configure the File manager to make it show items as a list, with one file per line.
You forgot your glasses and the font size is too small for you to see the text: increase the size of the text.

B. Package management Introduction On Debian, each application is available as a "package" which contains every file needed for the software to work. Unlike in other operating systems, it is rarely necessary and almost never a good idea, to download and install software from the authors website. We can rather install it from an online library managed by Debian (like an appstore). This alternative offers several advantages, such as being able to update all the software installed in one single action. Specific tools are available to install and update Debian packages. Mission B.1 Install and remove packages

Install the vlc package.
Start VLC.
Remove the vlc package.

Mission B.2 Search and install a package

Find a piece of software which can download files with BitTorrent in a graphical interface.
Install the corresponding package.
Launch that BitTorrent software.

Mission B.3 Upgrade the system Make sure the whole system (meaning all installed packages) is up to date. C. Settings Mission C.1 Change the desktop background

Download an image you like from the web.
Set the downloaded image as the desktop wallpaper.

Mission C.2 Tweak temporary files management Configure the system so that temporary files older than three days are deleted automatically. Mission C.3 Change the default video player

Install VLC (ask for help if you could not do it during the previous mission).
Make VLC the default video player.
Download a video file from the web.
Open the downloaded video, then check if it opens with VLC.

Mission C.4 Add and remove world clocks When you click the time and date in the top bar, a menu pops-up. There, you can display clocks in several time-zones.

Add a clock with Rio de Janeiro timezone, then another showing the current time in Boston.
Check that the time and date menu now displays these two additional clocks.
Remove the Boston clock.

Results and analysis Heat map We used Jim Hall's heat map technique to summarize our usability test results. As Renata puts it, it is "a great way to see how the users performed on each task. The heat map clarifies how easy or difficult it was for the participant to accomplish a certain task.

Scenario tasks (from the usability test) are arranged in rows.
Test participants (for each tester) are arranged in columns.
The colored blocks represent each tester s difficulty with each scenario task.

Green blocks represent the ability of the participant to accomplish the tasks with little or no difficulty. Yellow blocks indicate the tasks that the tester had significant difficulties accomplishing. Red blocks indicate that testers experienced extreme difficulty or where testers completed the tasks incorrectly. Black blocks indicate tasks the tester was unable to complete."

Alternatively, here is the spreadsheet that was used to create this picture, with added text to avoid relying on colors only. Most tasks were accomplished with little or no difficulty so we will now focus on the problematic parts. What were the challenges? The heat map shows several "hot" rows, that we will now be looking at in more details. Mission A.3 Create a bookmark in Nautilus Most testers right-clicked the folder first, and eventually found they could simply drag'n'drop to the bookmarks location in the sidebar. One tester thought that he could select a folder, click the hamburger icon, and from there use the "Bookmark this folder" menu item. However, this menu action only works on the folder one has entered, not on the selected one. Mission B.1 Install and remove a package Here we faced a number of issues caused by the fact that Debian Live images don't include package indices (with good reason), so no package manager can list available software. Everyone managed to start a graphical package manager via the Overview (or via the CLI or Alt-F2 for a couple power users). Some testers tried to use GNOME Software, which listed only already installed packages (Debian bug #862560) and provided no way we could find to refresh the package indices. That's arguably a bug in Debian Live, but still: GNOME Software might display some useful information when it detects this unusual situation. We won't list here all the obstacles that were met in Synaptic: it's no news its usability is rather sub-optimal and better alternatives (such as GNOME Software) are in the works. Mission C.2 Tweak temporary files management The mission was poorly phrased: some observers had to clarify that it was specifically about GNOME, and not generic Linux system administration: some power-users were already searching the web for command-line tools to address the task at hand. Even with this clarification, no tester would have succeeded without being told they were allowed to use the web with a search query including the word "GNOME", or use the GNOME help or the Overview. Yet eventually all testers succeeded. It's interesting to note that regular GNOME users had the same problem as others: they did not try searching "temporary" in the Overview and did not look-up the GNOME Help until they were suggested to do so. Mission C.3 Change the default video player One tester configured one single video file format to be opened by default with VLC, via right-click in Nautilus Open with etc. He believed this would be enough to make VLC the default video player, missing the subtle difference between "default video player" and "default player for one single video format". One tester tried to complete this task inside VLC itself and then needed some help to succeed. It might be that the way web browsers ask "Do you want ThisBrowser to become the default web browser?" gave a hint an application GUI is the right place to do it. Two testers searched "default" in the Overview (perhaps the previous mission dealing with temporary files was enough to put them in this direction). At least one tester was confused since the only search result (Details View information about your system), which is the correct one to get there, includes the word View, which suggests that one cannot modify settings there, but only view them. One long-term GNOME user looked in Tweak Tool first, and then used the Overview. Here again, GNOME users experienced essentially the same issues as others. Mission C.4 Add and remove world clocks One tester tried to look for the clock on the top right corner of the screen, then realized it was in the middle. Other than this, all testers easily found a way to add world clocks. However, removing a world clock was rather difficult; although most testers managed to do it, it took them a number of attempts to succeed:

Several testers left-clicked or right-clicked the clock they wanted to remove, expecting this would provide them with a way to remove it (which is not the case).
After a while, all testers noticed the Select button (that has no text label nor tooltip info), which allowed them to select the clock they wanted to remove; then, most testers clicked the 1 selected button, hoping it would provide a contextual menu or some other way to act on the selected clocks (it doesn't).
Eventually, everyone managed to locate the Delete button on the bottom right corner of the window; some testers mentioned that it is less visible and flashy than the blue bar that appears on the top of the screen once they had entered "Selection" mode.

General notes and observations

None of the participants sollicited the GNOME Help, which is unfortunate knowing its:
- great quality;
- translations in several languages;
- availability and adaptability to regional specifications;
- adequacy to the currently running version of GNOME.
Some users found the relevant help page online via web searches; others initially ignored it among search results, then looked for it later after being told that the mission was more about GNOME.
Whether testers were already GNOME users or not seldom impacted their chances of success.
Unfortunately, we haven't compiled enough information about the testers to provide useful data about who they are and what their background is. Still, we had an interesting mix in terms of genders, age (between 17 and 52 years old), skin color and computer experience.

19 April 2017

Steve Kemp: 3d-Printing is cool

I've heard about 3d-printing a lot in the past, although the hype seems to have mostly died down. My view has always been "That seems cool", coupled with "Everybody says making the models is very hard", and "the process itself is fiddly & time-consuming". I've been sporadically working on a project for a few months now which displays tram-departure times, this is part of my drive to "hardware" things with Arduino/ESP8266 devices . Most visitors to our flat have commented on it, at least once, and over time it has become gradually more and more user-friendly. Initially it was just a toy-project for myself, so everything was hard-coded in the source but over time that changed - which I mentioned here, (specifically the Access-point setup):

When it boots up, unconfigured, it starts as an access-point.
- So you can connect and configure the WiFi network it should join.
Once it's up and running you can point a web-browser at it.
- This lets you toggle the backlight, change the timezone, and the tram-stop.
- These values are persisted to flash so reboots will remember everything.

I've now wired up an input-button to the device too, experimenting with the different ways that a single button can carry out multiple actions:

Press & release - toggle the backlight.
Press & release twice - a double-click if you like - show a message.
Press, hold for 1 second, then release - re-sync the date/time & tram-data.

Anyway the software is neat, and I can't think of anything obvious to change. So lets move onto the real topic of this post: 3D Printing. I randomly remembered that I'd heard about an online site holding 3D-models, and on a whim I searched for "4x20 LCD". That lead me to this design, which is exactly what I was looking for. Just like open-source software we're now living in a world where you can get open-source hardware! How cool is that? I had to trust the dimensions of the model, and obviously I was going to mount my new button into the box, rather than the knob shown. But having a model was great. I could download it, for free, and I could view it online at viewstl.com. But with a model obtained the next step was getting it printed. I found a bunch of commercial companies, here in Europe, who would print a model, and ship it to me, but when I uploaded the model they priced it at 90+. Too much. I'd almost lost interest when I stumbled across a site which provides a gateway into a series of individual/companies who will print things for you, on-demand: 3dhubs. Once again I uploaded my model, and this time I was able to select a guy in the same city as me. He printed my model for 1/3-1/4 of the price of the companies I'd found, and sent me fun pictures of the object while it was in the process of being printed. To recap I started like this:

Then I boxed it in cardboard which looked better than nothing, but still not terribly great:

Now I've found an online case-design for free, got it printed cheaply by a volunteer (feels like the wrong word, after-all I did pay him), and I have something which look significantly more professional:

Inside it looks as neat as you would expect:

Of course the case still cost 5 times as much as the actual hardware involved (button: 0.05, processor-board 2.00 and LCD I2C display 3.00). But I've gone from being somebody who had zero experience with hardware-based projects 4 months ago, to somebody who has built a project which is functional and "pretty". The internet really is a glorious thing. Using it for learning, and coding is good, using it for building actual physical parts too? That's something I never could have predicted a few years ago and I can see myself doing it more in the future. Sure the case is a little rough around the edges, but I suspect it is now only a matter of time until I learn how to design my own models. An obvious extension is to add a status-LED above the switch, for example. How hard can it be to add a new hole to a model? (Hell I could just drill it!)

9 April 2017

Sam Hartman: When "when" is too hard a question: SQLAlchemy, Python datetime, and ISO8601

A new programmer asked on a work chat room how timezones are handled in databases. He asked if it was a good idea to store things in UTC. The senior programmers all laughed as we told some of our horror stories with timezones. Yes, UTC is great; if only it were that simple.
About a week later I was designing the schema for a blue sky project I'm implementing. I had to confront time in all its Pythonic horror.
Let's start with the datetime.datetime class. Datetime objects optionally include a timezone. If no timezone is present, several methods such as timestamp treat the object as a local time in the system's timezone. The timezone method returns a POSIX timestamp, which is always expressed in UTC, so knowing the input timezone is important. The now method constructs such an object from the current time.
However other methods act differently. The utcnow method constructs a datetime object that has the UTC time, but is not marked with a timezone. So, for example datetime.fromtimestamp(datetime.utcnow().timestamp()) produces the wrong result unless your system timezone happens to have the same offset as UTC.
It's also possible to construct a datetime object that includes a UTC time and is marked as having a UTC time. The utcnow method never does this, but you can pass the UTC timezone into the now method and get that effect. As you'd expect, the timestamp method returns the correct result on such a datetime.
Now enter SQLAlchemy, one of the more popular Python ORMs. Its DATETIME type has an argument that tries to request a column capable of storing a a timezone from the underlying database. You aren't guaranteed to get this though; some databases don't provide that functionality. With PostgreSQL, I do get such a column, although something in SQLAlchemy is not preserving the timezones (although it is correctly adjusting the time). That is, I'll store a UTC time in an object, flush it to my session, and then read back the same time represented in my local timezone (marked as my local timezone). You'd think this would be safe.
Enter SQLite. SQLite makes life hard for people wanting to store time; it seems to want to store things as strings. That's fairly incompatible with storing a timezone and doing any sort of comparisons on dates. SQLAlchemy does not try to store a timezone in SQLite. It just trims any timezone information from the datetime. So, if I do something like

d = datetime.now(timezone.utc)
obj.date_col = d
session.add(obj)
session.flush()
assert obj.date_col == d # fails
assert obj.date_col.timestamp() == d.timestamp() # fails
assert d == obj.date_col.replace(tzinfo = timezone.utc) # finally succeeds

There are some unfortunate consequences of this. If you mark your datetimes with timezone information (even if it is always the same timezone), whether two datetimes representing the same datetime compare equal depends on whether objects have been flushed to the session yet. If you don't mark your objects with timezones, then you may not store timezone information on other databases.
At least if you use only the methods we've discussed so far, you're reasonably safe if you use local time everywhere in your application and don't mark your datetimes with timezones. That's undesirable because as our new programmer correctly surmised, you really should be using UTC. This is particularly true if users of your database might span multiple timezones.
You can use UTC time and not mark your objects as UTC. This will give the wrong data with a database that actually does support timezones, but will sort of work with SQLite. You need to be careful never to convert your datetime objects into POSIX time as you'll get the wrong result.
It turns out that my life was even more complicated because parts of my project serialize data into JSON. For that serialization, I've chosen ISO 8601. You've probably seen that format: '2017-04-09T18:17:27.340410+00:00. Datetime provides the convenient isoformat method to print timestamps in the ISO 8601 format. If the datetime has a timezone indication, it is included in the ISO formatted string. If not, then no timezone indication is included. You know how I mentioned that datetime takes a string without a timezone marker as local time? Yeah, well, that's not what 8601 does: UTC all the way, baby! And at least the parser in the iso8601 module will always include timezone markers. So, if you use datetime to print a timestamp without a timezone marker and then read that back in to construct a new datetime on the deserialization side, then you'll get the wrong time. OK, so mark things with timezones then. Well, if you use local time, then the time you get depends on whether you print the ISO string before or after session flush (before or after SQLAlchemy trims the timezone information as it goes to SQLite).
It turns out that I had the additional complication of one side of my application using SQLite and one side using PostgreSQL. Remember how I mentioned that something between SQLAlchemy and PostgreSQL was recasting my times in local timezone (although keeping the time the same)? Well, consider how that's going to work. I serialize with the timezone marker on the PostgreSQL side. I get a ISO8601 localtime marked with the correct timezone marker. I deserialize on the SQLite side. Before session flush, I get a local time marked as localtime. After session flush, I get a local time with no marking. That's bad. If I further serialize on the SQLite side, I'll get that local time incorrectly marked as UTC. Moreover, all the times being locally generated on the SQLite side are UTC, and as we explored, SQLite really only wants one timezone in play.
I eventually came up with the following approach:

If I find myself manipulating a time without a timezone marking, assert that its timezone is UTC not localtime.

Always use UTC for times coming into the system.

If I'm generating an ISO 8601 time from a datetime that has a timezone marker in a timezone other than UTC, represent that time as a UTC-marked datetime adjusting the time for the change in timezone.

This is way too complicated. I think that both datetime and SQLAlchemy's SQLite time handling have a lot to answer for. I think SQLAlchemy's core time handling may also have some to answer for, but I'm less sure of that.

7 April 2017

Norbert Preining: Stella Stejskal Im Mezzanin

A book about being woman, mother in a modern but still traditional society. About happiness and fulfillment, love and sex, responsibility and dependency, about life: Stella Stejskal s Im Mezzanin (in German).

Written by a friend back from my old times in Vienna, Stella Stejskal, like me an emigrant, I saw parts of this book during writing, and I was happy to see the final product and read it. The first novel of Stella turns around Anna, the protagonist, a wife, mother, and woman, trying to find her balance between the house, family, kids, work, and her incredible power and thrive to live, live to the fullest.

Dein Leben in der Vorstadt, im Einfamilienhaus mit dem Garten, macht Dich nicht gl cklich. Vordergr ndig hast Du alles, was eine Frau sich w nscht und doch fehlt Dir etwas Wesentliches: Verlangen und Leidenschaft.

(Your life in the suburb, in the one-family home with garden, it doesn t make you happy. On the surface you do have everything what a woman could wish for, but you are missing something essential: desire and passion) The author does not shy away from explicit language without ever dropping into the Vernacolo, the banalities. She manages to convey the incredible tension many of those being stretched out between the necessities of daily life and the need for a more personal life. Last but not least, I loved this book for quoting one of my most favorite lines from a song:

Konstantin Weckers Was passiert in den Jahren, drangen leise durch den Raum. Komm, wir gehen mit der Flut und verwandeln mit den Wellen unsere Angst in neuen Mut , sang ich mit und dachte an den Sommer

For those capable of German, very recommendable.

28 March 2017

Sylvain Beucler: Practical basics of reproducible builds 2

Let's review what we learned so far:

compiler version need to be identical and recorded
build options and their order needs to be identical and recorder
build path needs to be identical and recorded
(otherwise debug symbols - and BuildIDs - change)
diffoscope helps checking for differences in build output

We stopped when compiling a PE .exe produced a varying output.
It turns out that PE carries a build date timestamp. The spec says that bound DLLs timestamps are refered to in the "Delay-Load Directory Table". Maybe that's also the date Windows displays when a system-wide DLL is about to be replaced, too.
Build timestamps looks unused in .exe files though. Anyway, Stephen Kitt pointed out (thanks!) that Debian's MinGW linker binutils-mingw-w64 has an upstream-pending patch that sets the timestamp to SOURCE_DATE_EPOCH if set. Alternatively, one can pass -Wl,--no-insert-timestamp to set it to 0 (though see caveats below):

$ i686-w64-mingw32.static-gcc -Wl,--no-insert-timestamp hello.c -o hello.exe 
$ md5sum hello.exe 
298f98d74e6e913628a8b74514eddcb2  hello.exe
$ /opt/mxe/usr/bin/i686-w64-mingw32.static-gcc -Wl,--no-insert-timestamp hello.c -o hello.exe 
$ md5sum hello.exe 
298f98d74e6e913628a8b74514eddcb2  hello.exe

If we don't care about debug symbols, unlike with ELF, stripped PE binaries look stable too!

$ cd repro/
$ i686-w64-mingw32.static-gcc hello.c -o hello.exe && i686-w64-mingw32.static-strip hello.exe
$ md5sum hello.exe 
6e07736bf8a59e5397c16e799699168d  hello.exe
$ i686-w64-mingw32.static-gcc hello.c -o hello.exe && i686-w64-mingw32.static-strip hello.exe
$ md5sum hello.exe 
6e07736bf8a59e5397c16e799699168d  hello.exe
$ cd ..
$ cp -a repro repro2/
$ cd repro2/
$ i686-w64-mingw32.static-gcc hello.c -o hello.exe && i686-w64-mingw32.static-strip hello.exe
$ md5sum hello.exe 
6e07736bf8a59e5397c16e799699168d  hello.exe

Now that we have the main executable covered, what about the dependencies?
Let's see how well MXE compiles SDL2:

$ cd /opt/mxe/
$ cp -a ./usr/i686-w64-mingw32.static/lib/libSDL2.a /tmp
$ rm -rf * && git checkout .
$ make sdl2
$ md5sum ./usr/i686-w64-mingw32.static/lib/libSDL2.a /tmp/libSDL2.a 
68909ab13181b1283bd1970a56d41482  ./usr/i686-w64-mingw32.static/lib/libSDL2.a
68909ab13181b1283bd1970a56d41482  /tmp/libSDL2.a

Neat - what about another build directory?

$ cd /usr/srx/mxe
$ make sdl2
$ md5sum usr/i686-w64-mingw32.static/lib/libSDL2.a /tmp/libSDL2.a 
c6c368323927e2ae7adab7ee2a7223e9  usr/i686-w64-mingw32.static/lib/libSDL2.a
68909ab13181b1283bd1970a56d41482  /tmp/libSDL2.a
$ ls -l ./usr/i686-w64-mingw32.static/lib/libSDL2.a /tmp/libSDL2.a 
-rw-r--r-- 1 me me 5861536 mars  23 21:04 /tmp/libSDL2.a
-rw-r--r-- 1 me me 5862488 mars  25 19:46 ./usr/i686-w64-mingw32.static/lib/libSDL2.a

Well that was expected.
But what about the filesystem order?
With such an automated build, could potential variations in the order of files go undetected?
Would the output be different on another filesystem format (ext4 vs. btrfs...)? It was a good opportunity to test the disorderfs fuse-based tool.
And while I'm at it, check if reprotest is easy enough to use (the manpage is scary).
Let's redo our basic tests with it - basic usage is actually very simple:

$ apt-get install reprotest disorderfs faketime
$ reprotest 'make hello' 'hello'
...
will vary: environment
will vary: fileordering
will vary: home
will vary: kernel
will vary: locales
will vary: exec_path
will vary: time
will vary: timezone
will vary: umask
...
--- /tmp/tmpk5uipdle/control_artifact/
+++ /tmp/tmpk5uipdle/experiment_artifact/
    --- /tmp/tmpk5uipdle/control_artifact/hello
  +++ /tmp/tmpk5uipdle/experiment_artifact/hello
  stat  
    @@ -1,8 +1,8 @@
     
       Size: 8632       Blocks: 24         IO Block: 4096   regular file
     Links: 1
    -Access: (0755/-rwxr-xr-x)  Uid: ( 1000/      me)   Gid: ( 1000/      me)
    +Access: (0775/-rwxrwxr-x)  Uid: ( 1000/      me)   Gid: ( 1000/      me)
     
     Modify: 1970-01-01 00:00:00.000000000 +0000
     
      Birth: -
# => OK except for permissions
$ reprotest 'make hello && chmod 755 hello' 'hello'
=======================
Reproduction successful
=======================
No differences in hello
c8f63b73265e69ab3b9d44dcee0ef1d2815cdf71df3c59635a2770e21cf462ec  hello
$ reprotest 'make hello CFLAGS="-g -O2"' 'hello'
# => lots of differences, as expected

Now let's apply to the MXE build.
We keep the same build path, and also avoid using linux32 (because MXE would then recompile all the host compiler tools for 32-bit):

$ reprotest --dont-vary build_path,kernel 'touch src/sdl2.mk && make sdl2 && cp -a usr/i686-w64-mingw32.static/lib/libSDL2.a .' 'libSDL2.a'
=======================
Reproduction successful
=======================
No differences in libSDL2.a
d9a39785fbeee5a3ac278be489ac7bf3b99b5f1f7f3e27ebf3f8c60fe25086b5  libSDL2.a

That checks!
What about a full MXE environment?

$ reprotest --dont-vary build_path,kernel 'make clean && make sdl2 sdl2_gfx sdl2_image sdl2_mixer sdl2_ttf libzip gettext nsis' 'usr'
# => changes in installation dates
# => timestamps in .exe files (dbus, ...)
# => libicu doesn't look reproducible (derb.exe, genbrk.exe, genccode.exe...)
# => apparently ar timestamp variations in libaclui

Most libraries look reproducible enough.
ar differences may go away at FreeDink link time since I'm aiming at a static build. Let's try! First let's see how FreeDink behaves with stable dependencies.
We can compile with -Wl,--no-insert-timestamp and strip the binaries in a first step.
There are various issues (timestamps, permissions) but first let's check the executables themselves:

$ cd freedink/
$ reprotest --dont-vary build_path 'mkdir cross-woe-32/ && cd cross-woe-32/ && export PATH=/opt/mxe/usr/bin:$PATH && LDFLAGS='-Wl,--no-insert-timestamp' ../configure --host=i686-w64-mingw32.static --enable-static && make -j$(nproc) && make install-strip DESTDIR=$(pwd)/destdir' 'cross-woe-32/destdir/usr/local/bin'
# => executables are identical!
# Same again, just to make sure
$ reprotest --dont-vary build_path 'mkdir cross-woe-32/ && cd cross-woe-32/ && export PATH=/opt/mxe/usr/bin:$PATH && LDFLAGS='-Wl,--no-insert-timestamp' ../configure --host=i686-w64-mingw32.static --enable-static && make -j$(nproc) && make install-strip DESTDIR=$(pwd)/destdir' 'cross-woe-32/destdir/usr/local/bin'
    --- /tmp/tmp2yw0sn4_/control_artifact/bin/freedink.exe
  +++ /tmp/tmp2yw0sn4_/experiment_artifact/bin/freedink.exe
    @@ -2,20 +2,20 @@
     00000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
     00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     00000030: 0000 0000 0000 0000 0000 0000 8000 0000  ................
     00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468  ........!..L.!Th
     00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f  is program canno
     00000060: 7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS 
     00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000  mode....$.......
    -00000080: 5045 0000 4c01 0a00 e534 0735 0000 0000  PE..L....4.5....
    +00000080: 5045 0000 4c01 0a00 0000 0000 0000 0000  PE..L...........
     00000090: 0000 0000 e000 0e03 0b01 0219 00f2 3400  ..............4.
     000000a0: 0022 4e00 0050 3b00 c014 0000 0010 0000  ."N..P;.........
     000000b0: 0010 3500 0000 4000 0010 0000 0002 0000  ..5...@.........
     000000c0: 0400 0000 0100 0000 0400 0000 0000 0000  ................
    -000000d0: 00e0 8900 0004 0000 7662 4e00 0200 0000  ........vbN.....
    +000000d0: 00e0 8900 0004 0000 89f8 4e00 0200 0000  ..........N.....
     000000e0: 0000 2000 0010 0000 0000 1000 0010 0000  .. .............
     000000f0: 0000 0000 1000 0000 00a0 8700 b552 0000  .............R..
     00000100: 0000 8800 d02d 0000 0050 8800 5006 0000  .....-...P..P...
     00000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     00000120: 0060 8800 4477 0100 0000 0000 0000 0000  . ..Dw..........
     00000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     00000140: 0440 8800 1800 0000 0000 0000 0000 0000  .@..............
  stat  
      @@ -1,8 +1,8 @@
       
         Size: 5121536       Blocks: 10008      IO Block: 4096   regular file
       Links: 1
       Access: (0755/-rwxr-xr-x)  Uid: ( 1000/      me)   Gid: ( 1000/      me)
       
      -Modify: 2017-03-26 01:26:35.233841833 +0000
      +Modify: 2017-03-26 01:27:01.829592505 +0000
       
        Birth: -

Gah...
AFAIU there is something random in the linking phase, and sometimes the timestamp is removed, sometimes it's not.
Not very easy to track but I believe I reproduced it with the "hello" example:

# With MXE:
$ reprotest 'i686-w64-mingw32.static-gcc hello.c -I /opt/mxe/usr/i686-w64-mingw32.static/include -I/opt/mxe/usr/i686-w64-mingw32.static/include/SDL2 -L/opt/mxe/usr/i686-w64-mingw32.static/lib -lmingw32 -Dmain=SDL_main -lSDL2main -lSDL2 -lSDL2main -Wl,--no-insert-timestamp -luser32 -lgdi32 -lwinmm -limm32 -lole32 -loleaut32 -lshell32 -lversion -o hello && chmod 700 hello' 'hello'
# => different
# => maybe because it imports the build timestamp from -lSDL2main
# With Debian's MinGW (but without SOURCE_DATE_EPOCH):
$ reprotest 'i686-w64-mingw32-gcc hello.c -I /opt/mxe/usr/i686-w64-mingw32.static/include -I/opt/mxe/usr/i686-w64-mingw32.static/include/SDL2 -L/opt/mxe/usr/i686-w64-mingw32.static/lib -lmingw32 -Dmain=SDL_main -lSDL2main -lSDL2 -lSDL2main -Wl,--no-insert-timestamp -luser32 -lgdi32 -lwinmm -limm32 -lole32 -loleaut32 -lshell32 -lversion -o hello && chmod 700 hello' 'hello'
=======================
Reproduction successful
=======================
No differences in hello
0b2d99dc51e2ad68ad040d90405ed953a006c6e58599beb304f0c2164c7b83a2  hello
# Let's remove -Dmain=SDL_main and let our main() have precedence over the one in -lSDL2main:
$ reprotest 'i686-w64-mingw32.static-gcc hello.c -I /opt/mxe/usr/i686-w64-mingw32.static/include -I/opt/mxe/usr/i686-w64-mingw32.static/include/SDL2 -L/opt/mxe/usr/i686-w64-mingw32.static/lib -lmingw32 -lSDL2main -lSDL2 -lSDL2main -Wl,--no-insert-timestamp -luser32 -lgdi32 -lwinmm -limm32 -lole32 -loleaut32 -lshell32 -lversion -o hello && chmod 700 hello' 'hello'
=======================
Reproduction successful
=======================
No differences in hello
6c05f75eec1904d58be222cc83055d078b4c3be8b7f185c7d3a08b9a83a2ef8d  hello
$ LANG=C i686-w64-mingw32.static-ld --version  # MXE
GNU ld (GNU Binutils) 2.25.1
Copyright (C) 2014 Free Software Foundation, Inc.
$ LANG=C i686-w64-mingw32-ld --version  # Debian
GNU ld (GNU Binutils) 2.27.90.20161231
Copyright (C) 2016 Free Software Foundation, Inc.

It looks like there is a random behavior in binutils 2.25, coupled with SDL2's wrapping of my main(). So FreeDink is nearly reproducible, except for this build timestamp issue that pops up in all kind of situations. In the worse case I can zero it out, or patch MXE's binutils until they upgrade. More importantly, what if I recompile FreeDink and the dependencies twice?

$ (cd /opt/mxe/ && make clean && make sdl2 sdl2_gfx sdl2_image sdl2_mixer sdl2_ttf glm libzip gettext nsis)
$ (mkdir cross-woe-32/ && cd cross-woe-32/ \
  && export PATH=/opt/mxe/usr/bin:$PATH \
  && LDFLAGS="-Wl,--no-insert-timestamp" ../configure --host=i686-w64-mingw32.static --enable-static \
  && make V=1 -j$(nproc) \
  && make install-strip DESTDIR=$(pwd)/destdir)
$ mv cross-woe-32/ cross-woe-32-1/
# Same again...
$ mv cross-woe-32/ cross-woe-32-2/
$ diff -ru cross-woe-32-1/destdir/ cross-woe-32-2/destdir/
[nothing]

Yay!
I could not reproduce the build timestamp issue in the stripped binaries, though it was still varying in the unstripped src/freedinkedit.exe.

I mentioned there was other changes noticed by diffoscope.

Changes in file timestamps.

That one is interesting.
Could be ignored, but we want to generate an identical binary package/archive too, right?
That's where archive meta-data matters.
make INSTALL="$(which install) install -p" could help for static files, but not generated ones.
The doc suggests clamping all files to SOURCE_DATE_EPOCH - i.e. all generated files will have their date set at that timestamp:

$ export SOURCE_DATE_EPOCH=$(date +%s) \
  && reprotest --dont-vary build_path \
  'make ... && find destdir/ -newermt "@$ SOURCE_DATE_EPOCH " -print0   xargs -0r touch --no-dereference --date="@$ SOURCE_DATE_EPOCH "' 'cross-woe-32/destdir/'

Changes in directory permissions

Caused by varying umask.
I attempted to mitigate the issue by playing with make install MKDIR_P="mkdir -p -m 755" (1).
However even mkdir -p -m ... does not set permissions for intermediate directories.
Maybe it's better to set and record the umask...

So, aside from minor issues such as BuildIDs and build timestamps, the toolchain is pretty stable as of now.
The issue is more about fixing and recording the build environment.
Which is probably the next challenge

Next.

Previous.

Search Results: "mez"

3 August 2020

1 July 2020

7 June 2020

29 May 2020

14 April 2020

18 March 2020

7 November 2017

31 October 2017

16 August 2017

5 August 2017

31 July 2017

28 June 2017

22 June 2017

Changes in version 0.2.3 (2017-06-19) On Windows, the TZDIR environment variable is now set in .onLoad() Replaced init.c with registration code inside of RcppExports.cpp thanks to Rcpp 0.12.11.

Changes in version 0.2.2 (2017-04-20) Synchronized with upstream CCTZ The time_point object is instantiated explicitly for nanosecond use which appears to be required on macOS

17 May 2017

15 May 2017

19 April 2017

9 April 2017

7 April 2017

28 March 2017

Changes in version 0.2.3 (2017-06-19)

On Windows, the `TZDIR` environment variable is now set in `.onLoad()`

Replaced `init.c` with registration code inside of `RcppExports.cpp` thanks to Rcpp 0.12.11.

Changes in version 0.2.2 (2017-04-20)

Synchronized with upstream CCTZ

The `time_point` object is instantiated explicitly for nanosecond use which appears to be required on macOS