Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced either maliciously or accidentally during this compilation process. As part of this project I wrote a script to determine which packages installed on your system are "reproducible" or not: Whether a package is "reproducible" or not is determined by querying the Debian Reproducible Builds testing framework. The --raw command-line argument lets you play with the data in more detail. For example, you can see who maintains your unreproducible packages: reproducible-check is available in devscripts since version 2.17.10, which landed in Debian unstable on 14th September 2017.

What happened about the reproducible builds effort for this week: Toolchain fixes Uploads that should help other packages:

• Stephen Kitt uploaded mingw-w64/4.0.2-2 which avoids inserting timestamps in PE binaries, and specify dlltool's temp prefix so it generates reproducible files.
• Stephen Kitt uploaded binutils-mingw-w64/6.1 which fixed dlltool to initialize its output's .idata$6 section, avoiding random data ending up there.

Patch submitted for toolchain issues:

• #787159 on openjdk-7 by Emmanuel Bourg: sort the annotations and enums in package-tree.html produced by javadoc.
• #787250 on python-qt4 by Reiner Herrmann: sort imported modules to get reproducible output.
• #787251 on pyqt5 by Reiner Herrmann: sort imported modules to get reproducible output.

Some discussions have been started in Debian and with upstream:

• ocaml using random intermediate filenames (Daniel Kahn Gillmor)
• Timestamps embedded in docbook called by pkg-kde-tools or kdoctools5 (Daniel Kahn Gillmor)
• Should --no-insert-timestamps be the default in binutils-mingw-w64? (Stephen Kitt)
• Make PDF ID field deterministic in PDFTeX (Nicolas Boulenguez)
• Add --deterministic option to Tar? (Lunar)
• Undeterministic output from GCC with -flto -ffat-lto-objects (Lunar)

Packages fixed The following 8 packages became reproducible due to changes in their build dependencies: access-modifier-checker, apache-log4j2, jenkins-xstream, libsdl-perl, maven-shared-incremental, ruby-pygments.rb, ruby-wikicloth, uimaj. The following packages became reproducible after getting fixed:

• debianutils/4.5.1 uploaded by Clint Adams, original patch by Lunar.
• exifprobe/2.0.1-5 by Joao Eriberto Mota Filho.
• gdb-mingw-w64/10 by Stephen Kitt.
• iceweasel/38.0.1-5 by Mike Hommey.
• liblingua-en-tagger-perl/0.25-1 uploaded by Axel Beckert, original patch by Reiner Herrmann.
• liboro-java/2.0.8a-10 by Emmanuel Bourg.
• mingw-w64/4.0.2-3 by Stephen Kitt.
• minidlna/1.1.4+dfsg-4 by Alexander GQ Gerasiov.
• miredo/1.2.6-3 by Tomasz Buchert.
• mpv/0.9.2-1 uploaded by Alessandro Ghedini, original patch by Lunar.
• nspr/2:4.10.8-2 by Mike Hommey.
• openstack-doc-tools/0.24-2 uploaded by Thomas Goirand, original patch by Reiner Herrmann.
• osgearth/2.5.0+dfsg-3 uploaded by Bas Couwenberg, original patch by Reiner Herrmann.
• pyexiv2/0.3.2-8 by Michal iha .
• python-netaddr/0.7.14-1 by Vincent Bernat.
• ruby-extlib/0.9.16-1 by C dric Boutillier.
• sane-backends/1.0.24-12 by J rg Frings-F rst.
• sed/4.2.2-6 uploaded by Clint Adams, original patch.
• sextractor/2.19.5+dfsg-3 by Ole Streicher.
• swarp/2.38.0+dfsg-2 by Ole Streicher.
• tiptop/2.2-3 by Tomasz Buchert.
• tomcat7/7.0.62-1 by Emmanuel Bourg.
• tomcat8/8.0.23-1 by Emmanuel Bourg.
• xapian-omega/1.2.21-1 by Olly Betts, also fixed upstream.
• y-u-no-validate/2013052401-3 by Jakub Wilk.

Some uploads fixed some reproducibility issues but not all of them:

• 389-admin/1.1.38-1 uploaded by Timo Aaltonen, original patch by Chris Lamb.
• alt-ergo/0.99.1+dfsg1-3 uploaded by Ralf Treinen, original patch by Juan Picca and Jakub Wilk.
• deets/0.2.1-2 uploaded by Clint Adams, original patch by Chris Lamb.
• fpc/2.6.4+dfsg-5 by Paul Gevers.
• inspircd/2.0.20-1 by Guillaume Delacour.
• libparse-debianchangelog-perl/1.2.0-3 by intrigeri.
• luakit/2012.09.13-r1-4 uploaded by Clint Adams, original patch by Chris Lamb.
• mod-authn-webid/0~20110301-3 uploaded by Clint Adams, original patch by Chris Lamb.
• powerline/2.1.4-1 uploaded by Jerome Charaoui, reported by akira, fixed upstream.
• svtplay-dl/0.10.2015.05.24-1 by Olof Johansson.

Patches submitted which did not make their way to the archive yet:

• #777308 on dhcp-helper by Dhole: fix mtimes of packaged files.
• #786927 on flowscan by Dhole: remove timestamps from gzip files and fix mtimes of packaged files.
• #786959 on python3.5 by Lunar: set build date of binary and documentation to the time of latest debian/changelog entry, prevent gzip from storing a timestamp.
• #786965 on python3.4 by Lunar: same as python3.5.
• #786978 on python2.7 by Lunar: same as python3.5.
• #787122 on xtrlock by Dhole: fix mtimes of packaged files.
• #787123 on rsync by Dhole: remove timestamps from gzip files and fix mtimes of packaged files.
• #787125 on pachi by Dhole: fix mtimes of packaged files.
• #787126 on nis by Dhole: remove timestamps from gzip files and fix mtimes of packaged files.
• #787206 on librpc-xml-perl by Reiner Herrmann: remove timestamps from generated code.
• #787265 on libwx-perl by Reiner Herrmann: produce sorted output.
• #787303 on dos2unix by Juan Picca: set manpage date to the time of latest entry in debian/changelog.
• #787327 on vim by Reiner Herrmann: remove usage of __DATE__ and __TIME__ macros.

Discussions that have been started:

• gst-plugins-base1.0 embeds current timestamp in .rodata of all objects (Daniel Kahn Gillmor)

reproducible.debian.net Holger Levsen added two new package sets: pkg-javascript-devel and pkg-php-pear. The list of packages with and without notes are now sorted by age of the latest build. Mattia Rizzolo added support for email notifications so that maintainers can be warned when a package becomes unreproducible. Please ask Mattia or Holger or in the #debian-reproducible IRC channel if you want to be notified for your packages! strip-nondeterminism development Andrew Ayer fixed the gzip handler so that it skip adding a predetermined timestamp when there was none. Documentation update Lunar added documentation about mtimes of file extracted using unzip being timezone dependent. He also wrote a short example on how to test reproducibility. Stephen Kitt updated the documentation about timestamps in PE binaries. Documentation and scripts to perform weekly reports were published by Lunar. Package reviews 50 obsolete reviews have been removed, 51 added and 29 updated this week. Thanks Chris West and Mathieu Bridon amongst others. New identified issues:

• timestamps in .dat files from the Allegro framework,
• random identifier when using gcc -flto -ffat-lto-objects,
• random import order in .ui generated by pyuic,
• random order in C files generated by ExtUtils::ParseXS,
• timestamps in files generated by eingenbase resource generator.

Misc. Lunar will be talking (in French) about reproducible builds at Pas Sage en Seine on June 19th, at 15:00 in Paris. Meeting will happen this Wednesday, 19:00 UTC.

In the past few days I have been messing around with Linux namespaces, and developed a little tool (pflask) that automates the creation of simple Linux containers based on them (a sort of chroot(8) on steroids if you will). While the whole raison d' tre behind this project was "just because", and many more mature solutions exist, I decided that it'd be nice to find an actual use case for this (otherwise I tend to lose interest pretty quickly) so I wrote a lil (and rather dumb) pbuilder clone that uses pflask instead of chroot. The nice thing about pflask is that, differently from e.g. LXC, it doesn't need any pre-configuration and can be used directly on a vanilla debootstrap(8)ed Debian system:

$ sudo mkdir -p /var/cache/pflask
$ sudo debootstrap --variant=buildd $DIST /var/cache/pflask/base-$DIST-$ARCH

Where $DIST and $ARCH are e.g. unstable and amd64. Once that's done just run pflask-debuild on the package sources:

$ apt-get source somepackage
$ cd somepackage-XYX
$ pflask-debuild

The script will take care of creating a new container, chroot(2)ing into it, installing all the required dependencies, building and signing the package (it also runs lintian!). The main difference from pbuilder is that pflask will mount a copy-on-write filesystem (using AuFS) on the / of the container so that any modification (e.g. installation of packages) can be easily discarded once the container terminates (similarly to what cowbuilder(8) does, modulo the hardlinks hack). Additionally, thanks to the mount namespace created inside the container, all of this will be isolated from the host system and other containers, so that multiple packages can be built simultaneously on the same base debootstrapped directory. Another possibility would be that of disabling the network inside the container using a network namespace, in order to prevent the package build system from downloading stuff from Internet while at the same time maintaining the network active on the host system, but I haven't done any experiment in this direction yet. Note though that all of this is rather crude and experimental, but as a little hack it seems to work rather well (YMMV).

A few hours ago I uploaded ecasound 2.9.0, which brings, among other things, support for LV2 plugins and a few new commands for the interactive mode. Enjoy :)

I ve uploaded yesterday the rakudo package version 0.1~2012.01-1 to unstable. It ships the Rakudo upstream release from January, running on top of the Parrot stable release 4.0.0 (which was uploaded earlier). Rakudo is a compiler that implements the Perl 6 specification and runs on top of the Parrot virtual machine (if you are interested on Perl 6 you may have a look at some nice articles, and at the talk of Damian Conway, about Perl 6). This is the first upload since a few months, and the first release being uploaded to Debian based on the nom (New Object Model) development branch of Rakudo, which opened the door for substantial performance improvements. This release brings other nice things too, such as the support for meta-programming, better package and exception handling and more. The latest upstream release 2012.04 (which brings, among other things, improvements in startup times thanks to bounded serialization) has been released a few days ago and uses the new Parrot stable release 4.3.0 (which has been released about a week ago), so we hope to test and upload both in time for the Wheezy freeze (and hopefully we ll be a bit more timely for future updates too).

due to some new incoming RC bugs, this week was more devoted to fixing bugs in "our" (= the Debian Perl Group's) packages. here's the list:

• #641816 libmusicbrainz3-dev: "libmusicbrainz3-dev should depends on libneon25-dev and libdiscid"
  add missing dependencies, upload to DELAYED/2
• #646649 src:libio-async-loop-epoll-perl: "libio-async-loop-epoll-perl: FTBFS: Failed 1/8 test programs. 1/86 subtests failed."
  upload with patches from Niko Tyni (pkg-perl)
• #656791 approx: "approx: should depend on system-log-daemon"
  add missing dependency, upload to DELAYED/2
• #661799 libcvs-perl: "libcvs-perl: FTBFS"
  upload with patch from Niko Tyni (pkg-perl)
• #663052 leds-alix-source: "leds-alix-source: module fails to compile"
  apply patch from Federico Brega, upload to DELAYED/2
• #663567 wxglade: "wxglade: FTBFS: ImportError: No module named wx"
  send patch to the BTS
• #665233 src:libanyevent-perl: "libanyevent-perl: FTBFS: tests failed"
  upload patched package prepared by Alessandro Ghedini (pkg-perl)
• #665388 src:libperlbal-xs-httpheaders-perl: "libperlbal-xs-httpheaders-perl: FTBFS: C code doesn't load reliably"
  add patch, upload package prepared by Jonathan Steinert (pkg-perl)
• #666292 src:libmecab-perl: "libmecab-perl: FTBFS: MeCab_wrap.cxx:1826:16: error: 'mecab_node_t' has no member named 'sentence_length'"
  upload new upstream version (pkg-perl)
• #666369 src:fbcat: "fbcat: FTBFS: doc/fbcat.1: No such file or directory at /usr/bin/dh_installman line 127."
  fix targets in debian/rules, upload to DELAYED/5, then fixed earlier in a maintainer upload
• #666581 src:latexdiff: "latexdiff: FTBFS: ! LaTeX Error: File ulem.sty' not found."
  finish and upload package with fix prepared by David Bremner (pkg-perl)
• #666638 src:libcpan-mini-perl: "libcpan-mini-perl: FTBFS: test failed"
  use writable HOME during build (pkg-perl)

since I was travelling in the pre-ultimate week for a few days, there was no report about my RC bugs fixing activities. so here we go with an overview covering two weeks:

• #634538 src:tcpreplay: "tcpreplay: FTBFS: configure: error: Unable to find matching library for header file in /usr"
  prepare a debdiff and send it to the BTS
• #639489 ftp.debian.org: "RM: pitrtools -- RoM; unused, dead upstream"
  reassign to ftp.debian.org as intended by maintainer
• #643177 src:lcms2: "lcms2: FTBFS: dpkg-buildpackage: error: dpkg-source -b lcms2-2.2+git20110628 gave error exit status 2"
  drop unintended changes, upload to DELAYED/2
• #643820 key-mon: "key-mon: fails to start; python-gtk2 issue loading svg?"
  suggest to close the bug as unreproducible, done by maintainer
• #649463 libpam-rsa: "libpam-rsa: code to hash hostname and username is broken"
  improve my existing patch after feedback, upload to DELAYED/2
• #652197 src:yate: "yate: FTBFS: dpkg-buildpackage: error: dpkg-source -b yate-2.2.0-1~dfsg gave error exit status 2"
  update handling of config. guess,sub , upload to DELAYED/2
• #652211 src:yagiuda: "yagiuda: FTBFS: dpkg-buildpackage: error: dpkg-source -b yagiuda-1.19 gave error exit status 2"
  update handling of config. guess,sub , QA upload
• #652213 src:wmnd: "wmnd: FTBFS: dpkg-buildpackage: error: dpkg-source -b wmnd-0.4.16 gave error exit status 2"
  update handling of config. guess,sub , upload to DELAYED/2
• #652216 src:libgssapi-perl: "libgssapi-perl: FTBFS: Failed 1/9 test programs. 1/152 subtests failed."
  upload package prepared by Florian Schlichting (pkg-perl)
• #653312 tahoe-lafs: "tahoe-lafs: Error on building from source: aborting due to unexpected upstream changes"
  send cleaned up debdiff to BTS
• #658405 postgresql-9.1-pgmemcache: "postgresql-9.1-pgmemcache: FTBFS with libmemcached-dev-1.0.3-1"
  add patch from Michael Fladischer, upload to DELAYED/2
• #661448 dvbstreamer: "FTBFS"
  add a patch to fix Makefile.am variables, upload to DELAYED/2
• #661768 netapplet: "FTBFS"
  update handling of config. guess,sub , upload to DELAYED/2
• #661875 libgsf: "FTBFS"
  update handling of config. guess,sub , upload to DELAYED/2
• #661906 milkytracker: "FTBFS"
  add patch from Arch Linux found by Paul Wise, upload to DELAYED/2
• #662599 libmail-imapclient-perl: "libmail-imapclient-perl: FTBFS: Test suite failure"
  recreate grammar during package build (pkg-perl)
• #662816 jifty: "jifty: FTBFS: Test suite failure"
  upload fixed package prepared by Florian Schlichting (pkg-perl)
• #664056 libxml-libxml-perl: "libxml-libxml-perl (<= 1.93+dfsg-1) has issues overloading != on XML::LibXML::Element"
  upload package prepared by Alessandro Ghedini (pkg-perl)
• #664196 libyaml-libyaml-perl: "libyaml-libyaml-perl: embeds libyaml without a copyright notice"
  add missing copyright/license (pkg-perl)

as expected this week was characterised by fixing bugs around the perl 5.14 transition. besides that I've also uploaded a couple of NMUs with patches kindly provided in the BTS by some tireless bug fixers.

• #554047 src:cellwriter: "FTBFS with binutils-gold"
  add patch from Ubuntu / Mahyuddin Susanto, upload to DELAYED/2
• #628500 src:prima: "prima: FTBFS with perl 5.14: error: 'sv_undef' undeclared"
  patch to change functions that rely on removed PERL_POLLUTE, upload to DELAYED/2 (perl-5.14)
• #629284 src:libpod-constants-perl: "libpod-constants-perl: FTBFS with perl 5.14: Can't use string [...] as an ARRAY ref"
  patch Makefile.PL (older and newer EUMM) (pkg-perl, perl-5.14)
• #636268 src:libdbix-class-timestamp-perl: "libdbix-class-timestamp-perl: FTBFS with perl 5.14: test failures"
  upload new upstream release (pkg-perl, perl-5.14)
• #636271 src:libtest-www-declare-perl: "libtest-www-declare-perl: FTBFS with perl 5.14: tests fail"
  new patch to work with perl 5.14 regexp (pkg-perl, perl-5.14)
• #636517 src:libregexp-optimizer-perl: "libregexp-optimizer-perl: FTBFS with perl 5.14: test failures"
  new patch to work with perl 5.14 regexp (pkg-perl, perl-5.14)
• #636520 src:libtest-html-content-perl: "libtest-html-content-perl: FTBFS with perl 5.14: tests fail"
  send a patch to the BTS, uploaded by the maintainer (perl-5.14)
• #636521 src:libtest-log4perl-perl: "libtest-log4perl-perl: FTBFS with perl 5.14: tests fail"
  new patch to work with perl 5.14 regexp (pkg-perl, perl-5.14)
• #636522 src:libtest-simpleunit-perl: "libtest-simpleunit-perl: FTBFS with perl 5.14: tests fail"
  new patch to work with perl 5.14 regexp (pkg-perl, perl-5.14)
• #643040 src:abcm2ps: "abcm2ps: FTBFS: dpkg-buildpackage: error: dpkg-source -b abcm2ps-5.9.22 gave error exit status 2"
  backup/restore Makefile in debian/rules, upload to DELAYED/2
• #643359 src:blktool: "blktool: FTBFS: util.c:31:3: error: format not a string literal and no format arguments [-Werror=format-security]"
  add patch from Eric Alexander, upload to DELAYED/2
• #643362 src:cellwriter: "cellwriter: FTBFS: src/statusicon.c:215:17: error: format not a string literal and no format arguments [-Werror=format-security]"
  add patch from Eric Alexander, upload to DELAYED/2
• #643369 src:crack-attack: "crack-attack: FTBFS: callbacks.cxx:116:38: error: format not a string literal and no format arguments [-Werror=format-security]"
  add patch from Eric Alexander, upload to DELAYED/2
• #643370 src:d52: "d52: FTBFS: d52pass2.c:935:3: error: format not a string literal and no format arguments [-Werror=format-security]"
  add patch from peter green, upload to DELAYED/2
• #643374 src:dis51: "dis51: FTBFS: pass2.c:186:4: error: format not a string literal and no format arguments [-Werror=format-security]"
  add patch from Eric Alexander, upload to DELAYED/2
• #643375 src:ebview: "ebview: FTBFS: dialog.c:72:6: error: format not a string literal and no format arguments [-Werror=format-security]"
  add patch from Eric Alexander, upload to DELAYED/2
• #643383 src:gfan: "gfan: FTBFS: application.cpp:548:22: error: format not a string literal and no format arguments [-Werror=format-security]"
  add patch from Eric Alexander, upload to DELAYED/2
• #643384 src:gfccore: "gfccore: FTBFS: error.cc:116:52: error: format not a string literal and no format arguments [-Werror=format-security]"
  add patch from Eric Alexander, upload to DELAYED/2
• #643413 src:jack-tools: "jack-tools: FTBFS: jack.dl.c:20:3: error: format not a string literal and no format arguments [-Werror=format-security]"
  add patch from M nica Ram rez Arceda, upload to DELAYED/2
• #643417 src:libccscript3: "libccscript3: FTBFS: compiler.cpp:1147:38: error: format not a string literal and no format arguments [-Werror=format-security]"
  add patch from Ilya Barygin, upload to DELAYED/2
• #643448 src:nvramtool: "nvramtool: FTBFS: hexdump.c:94:7: error: format not a string literal and no format arguments [-Werror=format-security]"
  add patch from peter green, upload to DELAYED/2
• #643457 src:pidgin-librvp: "pidgin-librvp: FTBFS: rvp.c:4271:3: error: format not a string literal and no format arguments [-Werror=format-security]"
  add patch from Eric Alexander, upload to DELAYED/2
• #646286 src:genders: "genders: FTBFS: crti.o: No such file or directory"
  send a patch to the BTS, uploaded by the maintainer (perl-5.14)
• #646297 src:spread: "spread: FTBFS: Spread.xs:463:4: error: format not a string literal and no format arguments [-Werror=format-security]"
  add format argument, do a QA upload (perl-5.14)
• #648858 src:libdbd-oracle-perl: "libdbd-oracle-perl: needs to be rebuilt against perl 5.14"
  manually rebuild against perl 5.14 (pkg-perl, perl-5.14)
• #649055 libgnome2-gconf-perl: "libgnome2-gconf-perl: FTBFS (Failed 1/1 test programs. 0/0 subtests failed)"
  add patch from Colin Watson (pkg-perl, perl-5.14)
• #649058 libdata-alias-perl: "libdata-alias-perl: FTBFS on mips powerpc s390 sparc"
  add patch from Niko Tyni (pkg-perl, perl-5.14)
• #649180 src:libmouse-perl: "libmouse-perl: swap libextutils-parsexs-perl/perl dep"
  upload fixed package prepared by Alessandro Ghedini (pkg-perl, perl-5.14)