Search Results: "Bill Allombert"

6 July 2020

Reproducible Builds: Reproducible Builds in June 2020

Welcome to the June 2020 report from the Reproducible Builds project. In these reports we outline the most important things that we and the rest of the community have been up to over the past month.

What are reproducible builds? One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. But whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into seemingly secure software during the various compilation and distribution processes.

News

The GitHub Security Lab published a long article on the discovery of a piece of malware designed to backdoor open source projects that used the build process and its resulting artifacts to spread itself. In the course of their analysis and investigation, the GitHub team uncovered 26 open source projects that were backdoored by this malware and were actively serving malicious code. (Full article)

Carl Dong from Chaincode Labs uploaded a presentation on Bitcoin Build System Security and reproducible builds to YouTube.

The app intended to trace infection chains of Covid-19 in Switzerland published information on how to perform a reproducible build.

The Reproducible Builds project has received funding in the past from the Open Technology Fund (OTF) to reach specific technical goals, as well as to enable the project to meet in person at our summits. The OTF has also assisted countless other organisations that promote a transparent civil society, as well as those that provide tools to circumvent censorship and repressive surveillance. However, the OTF has now been threatened with closure. (More info)

It was noticed that Reproducible Builds was mentioned in the book End-user Computer Security by Mark Fernandes (published by WikiBooks) in the section titled Detection of malware in software.

Lastly, reproducible builds and other ideas around the software supply chain were mentioned in a recent episode of the Ubuntu Podcast in a wider discussion about Snap and application stores (at approx. 16:00).

Distribution work

In the Arch Linux distribution, a goal to remove .doctrees from installed files was created via Arch's TODO list mechanism. These .doctree files are caches generated by the Sphinx documentation generator when developing documentation so that Sphinx does not have to reparse all input files across runs. They should not be packaged, especially as they make the package unreproducible: their pickled format contains unreproducible data. Jelle van der Waa and Eli Schwartz submitted various upstream patches to fix projects that install these by default.

Dimitry Andric was able to determine why the reproducibility status of FreeBSD's base.txz depended on the number of CPU cores, attributing it to an optimisation made to the Clang C compiler. After further detailed discussion on the FreeBSD bug it was possible to get the binaries reproducible again.

For the GNU Guix operating system, Vagrant Cascadian started a thread about collecting reproducibility metrics, and Jan "janneke" Nieuwenhuizen posted that they had further reduced their bootstrap seed to 25%, which is intended to reduce the amount of code to be audited in order to avoid potential compiler backdoors.

In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update as well as made the following changes within the distribution itself:

Debian

Holger Levsen filed three bugs (#961857, #961858 & #961859) against the reproducible-check tool that reports on the reproducible status of installed packages on a running Debian system. They were subsequently all fixed by Chris Lamb.

Timo Röhling filed a wishlist bug against the debhelper build tool impacting the reproducibility status of hundreds of packages that use the CMake build system, which led to a number of tests and next steps.

Chris Lamb contributed to a conversation regarding the nondeterministic execution order of Debian maintainer scripts that results in the arbitrary allocation of UNIX group IDs, referencing the Tails operating system's approach to this. Vagrant Cascadian also added to a discussion regarding verification formats for reproducible builds.

47 reviews of Debian packages were added, 37 were updated and 69 were removed this month, adding to our knowledge about identified issues. Chris Lamb identified and classified a new uids_gids_in_tarballs_generated_by_cmake_kde_package_app_templates issue and updated the paths_vary_due_to_usrmerge as deterministic issue, and Vagrant Cascadian updated the cmake_rpath_contains_build_path and gcc_captures_build_path issues.

Lastly, Debian Developer Bill Allombert started a mailing list thread regarding setting the -fdebug-prefix-map command-line argument via an environment variable, and Holger Levsen also filed three bugs against the debrebuild Debian package rebuilder tool (#961861, #961862 & #961864).

Development

On our website this month, Arnout Engelen added a link to our Mastodon account and moved the SOURCE_DATE_EPOCH git log example to another section. Chris Lamb also limited the number of news posts to avoid showing items from (for example) 2017.

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build. It is used automatically in most Debian package builds. This month, Mattia Rizzolo bumped the debhelper compatibility level to 13 and adjusted a related dependency to avoid a potential circular dependency.

Upstream work

The Reproducible Builds project attempts to fix unreproducible packages and we try to send all of our patches upstream. This month, we wrote a large number of such patches, including:

Bernhard M. Wiedemann also filed reports for frr (build fails on single-processor machines), ghc-yesod-static/git-annex (a filesystem ordering issue) and ooRexx (an ASLR-related issue).

diffoscope

diffoscope is our in-depth "diff on steroids" utility which helps us diagnose reproducibility issues in packages. It does not define reproducibility, but rather provides helpful and human-readable guidance for packages that are not reproducible, instead of relying on essentially useless binary diffs. This month, Chris Lamb uploaded versions 147, 148 and 149 to Debian and made the following changes:
  • New features:
    • Add output from strings(1) to ELF binaries. (#148)
    • Dump PE32+ executables (such as EFI applications) using objdump(1). (#181)
    • Add support for Zsh shell completion. (#158)
  • Bug fixes:
    • Prevent a traceback when comparing PDF documents that do not contain metadata (i.e. a PDF /Info stanza). (#150)
    • Fix compatibility with jsondiff version 1.2.0. (#159)
    • Fix an issue in GnuPG keybox file handling that left filenames in the diff.
    • Correct detection of JSON files due to a missing call to File.recognizes that checks candidates against file(1).
  • Output improvements:
    • Use the CSS word-break property over manually adding U+200B zero-width spaces, as these were making copy-pasting cumbersome. (!53)
    • Downgrade the tlsh warning message to an info-level warning. (#29)
  • Testsuite improvements:
    • Update tests for file(1) version 5.39. (#179)
    • Drop an accidentally-duplicated copy of the --diff-mask tests.
    • Don't mask an existing test.
  • Codebase improvements:
    • Replace obscure references to WF with Wagner-Fischer for clarity.
    • Use a semantic AbstractMissingType type instead of remembering to check for both types of missing files.
    • Add a comment regarding a potential security issue in the .changes, .dsc and .buildinfo comparators.
    • Drop a large number of unused imports.
    • Make many code sections more Pythonic.
    • Prevent some variable aliasing issues.
    • Use some tactical f-strings to tidy up code and remove explicit u"unicode" strings.
    • Refactor a large number of routines for clarity.

trydiffoscope is the web-based version of diffoscope. This month, Chris Lamb also corrected the location for the celerybeat scheduler to ensure that the clean/tidy tasks are actually called, as their absence had caused an accidental resource exhaustion. (#12) In addition, Jean-Romain Garnier made the following changes:
  • Fix the --new-file option when comparing directories by merging and (#180)
  • Allow the user to mask/filter diff output via --diff-mask=REGEX. (!51)
  • Make child pages open in a new window in the --html-dir presenter format.
  • Improve the diffs in the --html-dir format.

Lastly, Daniel Fullmer fixed the Coreboot filesystem comparator, and Mattia Rizzolo prevented warnings from the tlsh fuzzy-matching library during tests and tweaked the build system to remove an unwanted .build directory. For the GNU Guix distribution, Vagrant Cascadian updated the version of diffoscope to version 147 and later 148.

Testing framework

We operate a large and many-featured Jenkins-based testing framework. Amongst many other tasks, this tracks the status of our reproducibility efforts across many distributions as well as identifying any regressions that have been introduced. This month, Holger Levsen made the following changes:
  • Debian-related changes:
    • Prevent bogus failure emails from every night.
    • Merge a fix from David Bremner's database of .buildinfo files to include a fix regarding comparing source vs. binary package versions.
    • Only run the Debian package rebuilder job twice per day.
    • Increase bullseye scheduling.
  • System health status page:
    • Add a note displaying whether a node needs to be rebooted for a kernel upgrade.
    • Fix the sorting order of failed jobs.
    • Expand the footer to link to the related Jenkins job.
    • Add archlinux_html_pages, openwrt_rebuilder_today and openwrt_rebuilder_future to known broken jobs.
    • Add an HTML <meta> header to refresh the page every 5 minutes.
    • Count the number of ignored jobs, ignore permanently known broken jobs and jobs on known offline nodes.
    • Only consider the known offline status from Git.
    • Various output improvements.
  • Tools:
    • Switch URLs for the Grml Live Linux and PureOS package sets.
    • Don't try to build a disorderfs Debian source package.
    • Stop building diffoscope as we are moving this to Salsa.
    • Merge several "is diffoscope up-to-date on every platform?" test jobs into one and fail less noisily if the version in Debian cannot be determined.

In addition: Marcus Hoffmann was added as a maintainer of the F-Droid reproducible checking components, Jelle van der Waa updated the "is diffoscope up-to-date in every platform" check for Arch Linux and diffoscope, Mattia Rizzolo backed up a copy of a remove script run on the Codethink-hosted jump server, and Vagrant Cascadian temporarily disabled fixfilepath on bullseye to get better data about the ftbfs_due_to_f-file-prefix-map categorised issue. Lastly, the usual build node maintenance was performed by Holger Levsen, Mattia Rizzolo and Vagrant Cascadian.

If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. You can also get in touch with us via:

This month's report was written by Bernhard M. Wiedemann, Chris Lamb, Eli Schwartz, Holger Levsen, Jelle van der Waa and Vagrant Cascadian. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.

3 July 2016

Reproducible builds folks: Reproducible builds: week 61 in Stretch cycle

What happened in the Reproducible Builds effort between June 19th and June 25th 2016.

Media coverage

GSoC and Outreachy updates

Toolchain fixes

Other upstream fixes

Emil Velikov searched on IRC for hints on how to guarantee unique values during a build to invalidate shader caches in Mesa when no VCS information is available either. A possible solution is a timestamp, which is unique enough for local builds but can still be reproducible by allowing it to be overridden with SOURCE_DATE_EPOCH.

Packages fixed

The following 9 packages have become reproducible due to changes in their build dependencies: cclib librun-parts-perl llvm-toolchain-snapshot python-crypto python-openid r-bioc-shortread r-bioc-variantannotation ruby-hdfeos5 sqlparse

The following packages have become reproducible after being fixed:

Some uploads have fixed some reproducibility issues, but not all of them:

Patches submitted that have not made their way to the archive yet:

Package reviews

139 reviews have been added, 20 have been updated and 21 have been removed in this week.

New issues found:

53 FTBFS bugs have been reported by Chris Lamb, Santiago Vila and Mateusz Łukasik.

diffoscope development

Quote of the week

"My builds are so reproducible, they fail exactly every second time." Johannes Ziemke (@discordianfish)

Misc.

This week's edition was written by Chris Lamb (lamby), Reiner Herrmann and Holger Levsen and reviewed by a bunch of Reproducible builds folks on IRC.

22 May 2016

Reproducible builds folks: Reproducible builds: week 56 in Stretch cycle

What happened in the Reproducible Builds effort between May 15th and May 21st 2016:

Media coverage

Blog posts from our GSoC and Outreachy contributors:

Documentation update

Ximin Luo clarified instructions on how to set SOURCE_DATE_EPOCH.

Toolchain fixes

Other upstream fixes

Packages fixed

The following 18 packages have become reproducible due to changes in their build dependencies: abiword angband apt-listbugs asn1c bacula-doc bittornado cdbackup fenix gap-autpgrp gerbv jboss-logging-tools invokebinder modplugtools objenesis pmw r-cran-rniftilib x-loader zsnes

The following packages have become reproducible after being fixed:

Some uploads have fixed some reproducibility issues, but not all of them:

Patches submitted that have not made their way to the archive yet:

Reproducibility-related bugs filed:

Package reviews

51 reviews have been added, 19 have been updated and 15 have been removed in this week. 22 FTBFS bugs have been reported by Chris Lamb, Santiago Vila, Niko Tyni and Daniel Schepler.

Misc.

This week's edition was written by Reiner Herrmann and Holger Levsen and reviewed by a bunch of Reproducible builds folks on IRC.

10 May 2016

Reproducible builds folks: Reproducible builds: week 54 in Stretch cycle

What happened in the Reproducible Builds effort between May 1st and May 7th 2016:

Media coverage

There was a surprising tweet last week: "Props to @FiloSottile for his nifty gvt golang tool. We're using it to get reproducible builds for a Zika & West Nile monitoring project." To our surprise, Kenn confirmed privately that he indeed meant "reproducible builds" as in "bit by bit identical builds". Wow. We're looking forward to learning more details about this; for now we just know that they are doing this basically for software quality reasons.

Two of the four GSoC and Outreachy participants for Reproducible builds posted their introductions to Planet Debian:

Toolchain fixes and other upstream developments

dpkg 1.18.5 was uploaded fixing two bugs relevant to us:

This upload made it necessary to rebase our dpkg on the version in sid again, which Niko Tyni and Lunar promptly did. Then a few days later 1.18.6 was released to fix a regression in the previous upload, and Niko promptly updated our patched version again. Following this, Niko Tyni found #823428: "dpkg: many packages affected by dpkg-source: error: source package uses only weak checksums".

Alexis Bienvenüe worked on tex related packages and SOURCE_DATE_EPOCH:

Emmanuel Bourg uploaded jflex/1.4.3+dfsg-2, which removes timestamps from generated files.
Packages fixed

The following 285 packages have become reproducible due to changes in their build dependencies (mostly from GCC honouring SOURCE_DATE_EPOCH, see the previous week's report): 0ad abiword abcm2ps acedb acpica-unix actiona alliance amarok amideco amsynth anjuta aolserver4-nsmysql aolserver4-nsopenssl aolserver4-nssqlite3 apbs aqsis aria2 ascd ascii2binary atheme-services audacity autodocksuite avis awardeco bacula ballerburg bb berusky berusky2 bindechexascii binkd boinc boost1.58 boost1.60 bwctl cairo-dock cd-hit chipw ckermit clp clustalo cmatrix coinor-cbc commons-pool cppformat crashmail crrcsim csvimp cyphesis-cpp dact dar darcs darkradiant dcap dia distcc dolphin-emu drumkv1 dtach dune-localfunctions dvbsnoop dvbstreamer eclib ed2k-hash edfbrowser efax-gtk efax exonerate f-irc fakepop fbb filezilla fityk flasm flightgear fluxbox fmit fossil freedink-dfarc freehdl freemedforms-project freeplayer freeradius fxload gdb-arm-none-eabi geany-plugins geany geda-gaf gfm gif2png giflib gifticlib glaurung glusterfs gnokii gnubiff gnugk goaccess gocr goldencheetah gom gopchop gosmore gpsim gputils grcompiler grisbi gtkpod gvpe hardlink haskell-github hashrat hatari herculesstudio hpcc hypre i2util incron infiniband-diags infon ips iptotal ipv6calc iqtree jabber-muc jama jamnntpd janino jcharts joy2key jpilot jumpnbump jvim kanatest kbuild kchmviewer konclude krename kscope kvpnc latexdiff lcrack leocad libace-perl libcaca libcgicc libdap libdbi-drivers libewf libjlayer-java libkcompactdisc liblscp libmp3spi-java libpwiz librecad libspin-java libuninum libzypp lightdm-gtk-greeter lighttpd linpac lookup lz4 lzop maitreya meshlab mgetty mhwaveedit minbif minc-tools moc mrtrix mscompress msort mudlet multiwatch mysecureshell nifticlib nkf noblenote nqc numactl numad octave-optim omega-rpg open-cobol openmama openmprtl openrpt opensm openvpn openvswitch owx pads parsinsert pcb pd-hcs pd-hexloader pd-hid pd-libdir pear-channels pgn-extract phnxdeco php-amqp php-apcu-bc php-apcu php-solr pidgin-librvp plan plymouth pnscan pocketsphinx polygraph portaudio19 postbooks-updater postbooks powertop previsat progressivemauve puredata-import pycurl qjackctl qmidinet qsampler qsopt-ex qsynth qtractor quassel quelcom quickplot qxgedit ratpoison rlpr robojournal samplv1 sanlock saods9 schism scorched3d scummvm-tools sdlbasic sgrep simh sinfo sip-tester sludge sniffit sox spd speex stimfit swarm-cluster synfig synthv1 syslog-ng tart tessa theseus thunar-vcs-plugin ticcutils tickr tilp2 timbl timblserver tkgate transtermhp tstools tvoe ucarp ultracopier undbx uni2ascii uniutils universalindentgui util-vserver uudeview vfu virtualjaguar vmpk voms voxbo vpcs wipe x264 xcfa xfrisk xmorph xmount xyscan yacas yasm z88dk zeal zsync zynaddsubfx

Last week the 1000th bug usertagged "reproducible" was fixed! This means roughly 2 bugs per day since 2015-01-01. Kudos and huge thanks to everyone involved! Please also note: FTBFS packages have not been counted here and there are still 600 open bugs with reproducible patches provided. Please help bring that number down to 0!

The following packages have become reproducible after being fixed:

Some uploads have fixed some reproducibility issues, but not all of them:

Uploads which fix reproducibility issues, but currently FTBFS:

Patches submitted that have not made their way to the archive yet:

Package reviews

54 reviews have been added, 6 have been updated and 44 have been removed in this week. 18 FTBFS bugs have been reported by Chris Lamb, James Cowgill and Niko Tyni.

diffoscope development

Thanks to Mattia, diffoscope 52~bpo8+1 is available in jessie-backports now.

Misc.

This week's edition was written by Reiner Herrmann, Holger Levsen and Mattia Rizzolo and reviewed by a bunch of Reproducible builds folks on IRC. Mattia also wrote a small ikiwiki macro for this blog to ease linking reproducible issues, packages in the package tracker and bugs in the Debian BTS.

2 May 2016

Reproducible builds folks: Reproducible builds: week 53 in Stretch cycle

What happened in the Reproducible Builds effort between April 24th and 30th 2016.

Media coverage

Reproducible builds were mentioned explicitly in two talks at the Mini-DebConf in Vienna:

Aspiration together with the OTF CommunityLab released their report about the Reproducible Builds summit in December 2015 in Athens.

Toolchain fixes

Now that the GCC development window has been opened again, the SOURCE_DATE_EPOCH patch by Dhole and Matthias Klose to address the issue timestamps_from_cpp_macros (__DATE__ / __TIME__) has been applied upstream and will be released with GCC 7. Following that, Matthias Klose has also uploaded gcc-5/5.3.1-17 and gcc-6/6.1.1-1 to unstable with a backport of that SOURCE_DATE_EPOCH patch.

Emmanuel Bourg uploaded maven/3.3.9-4, which uses SOURCE_DATE_EPOCH for the (SOURCE_DATE_EPOCH specification)

Other upstream changes

Alexis Bienvenüe submitted a patch to Sphinx which extends SOURCE_DATE_EPOCH support to copyright years in generated documentation.

Packages fixed

The following 12 packages have become reproducible due to changes in their build dependencies: hhvm jcsp libfann libflexdock-java libjcommon-java libswingx1-java mobile-atlas-creator not-yet-commons-ssl plexus-utils squareness svnclientadapter

The following packages have become reproducible after being fixed:

Some uploads have fixed some reproducibility issues, but not all of them:

Patches submitted that have not made their way to the archive yet:

Package reviews

95 reviews have been added, 15 have been updated and 129 have been removed in this week. 22 FTBFS bugs have been reported by Chris Lamb and Martin Michlmayr.

diffoscope development

strip-nondeterminism development

Misc.

Amongst the 29 interns who will work on Debian through GSoC and Outreachy there are four who will be contributing to Reproducible Builds for Debian and Free Software. We are very glad to welcome ceridwen, Satyam Zode, Scarlett Clark and Valerie Young and look forward to working together with them in the coming months (and maybe beyond)!

This week's edition was written by Reiner Herrmann and Holger Levsen and reviewed by a bunch of Reproducible builds folks on IRC.

26 April 2016

Reproducible builds folks: Reproducible builds: week 52 in Stretch cycle

What happened in the Reproducible Builds effort between April 17th and April 23rd 2016:

Toolchain fixes

Thomas Weber uploaded lcms2/2.7-1 which will not write uninitialized memory when writing color names. Original patch by Lunar.

The GCC 7 development phase has just begun, so Dhole reworked his patch to make gcc use SOURCE_DATE_EPOCH if set, which prompted interesting feedback, but it has not been merged yet.

Alexis Bienvenüe submitted a patch for sphinx to strip Python object memory addresses from the generated documentation.

Packages fixed

The following packages have become reproducible due to changes in their build dependencies: cobertura, commons-pool, easymock, eclipselink, excalibur-logkit, gap-radiroot, gluegen2, jabref, java3d, jcifs, jline, jmock2, josql, jtharness, libfann, libgroboutils-java, libjemmy2-java, libjgoodies-binding-java, libjgrapht0.8-java, libjtds-java, liboptions-java, libpal-java, libzeus-jscl-java, node-transformers, octave-msh, octave-secs2d, openmama, rkward.

The following packages have become reproducible after being fixed:

Patches submitted that have not made their way to the archive yet:

diffoscope development

diffoscope 52 was released with changes from Mattia Rizzolo, h01ger, Satyam Zode and Reiner Herrmann, who also did the release. Notable changes included:

As usual, diffoscope 52 is available on Debian, Archlinux and PyPI; other distributions will hopefully soon update.

Package reviews

28 reviews have been added, 11 have been updated and 94 have been removed in this week. 14 FTBFS bugs were reported by Chris Lamb (one being a duplicate of a bug filed by Sebastian Ramacher an hour earlier).

Misc.

This week's edition was written by Lunar, Holger 'h01ger' Levsen and Chris Lamb and reviewed by a bunch of Reproducible builds folks on IRC.

20 April 2016

Reproducible builds folks: Reproducible builds: week 51 in Stretch cycle

What happened in the reproducible builds effort between April 10th and April 16th 2016:

Toolchain fixes

Antoine Beaupré suggested that gitpkg stop recording timestamps when creating upstream archives. Antoine Beaupré also pointed out that git-buildpackage diverges from the default gzip settings, which is a problem for reproducibly recreating released tarballs that were made using the defaults.

Alexis Bienvenüe submitted a patch extending sphinx SOURCE_DATE_EPOCH support to the copyright year.

Packages fixed

The following packages have become reproducible due to changes in their build dependencies: atinject-jsr330, avis, brailleutils, charactermanaj, classycle, commons-io, commons-javaflow, commons-jci, gap-radiroot, jebl2, jetty, libcommons-el-java, libcommons-jxpath-java, libjackson-json-java, libjogl2-java, libmicroba-java, libproxool-java, libregexp-java, mobile-atlas-creator, octave-econometrics, octave-linear-algebra, octave-odepkg, octave-optiminterp, rapidsvn, remotetea, ruby-rinku, tachyon, xhtmlrenderer.

The following packages became reproducible after getting fixed:

Some uploads fixed some reproducibility issues, but not all of them:

Patches submitted which have not made their way to the archive yet:

diffoscope development

Zbigniew Jędrzejewski-Szmek noted in #820631 that diffoscope doesn't work properly when a file contains several cpio archives.

Package reviews

21 reviews have been added, 14 updated and 22 removed in this week. New issue found: timestamps_in_htm_by_gap. Chris Lamb reported 10 new FTBFS issues.

Misc.

The video and the slides from the talk "Reproducible builds ecosystem" at LibrePlanet 2016 have now been published.

This week's edition was written by Lunar and Holger Levsen. h01ger automated the maintenance and publishing of this weekly newsletter via git.

21 February 2013

Eugene V. Lyubimkin: DPL game

Inspired by The order is chosen by a fair dice roll.

Wouter Verhelst
Russ Allbery
Bill Allombert
Paul Wise

3 July 2011

Raphaël Hertzog: My Debian activities in June 2011

This is my monthly summary of my Debian related activities. If you're among the people who made a donation to support my work (195 €, thanks everybody!), then you can learn how I spent your money. Otherwise it's just an interesting status update on my various projects.

Dropbox for Debian

This is not free software but Dropbox is very popular and they did only provide an Ubuntu package that did not work on Debian. So I created an official package. I have been in touch with Dropbox developers and they have been very helpful. They'll shortly release a signature mechanism (with GPG) so that we can further improve the package by verifying the origin of the downloaded binaries.

SAT Britney

At the start of the month, I continued my work on the britney reimplementation (the software that creates testing out of unstable) but I quickly stalled it because the release managers asked for the feedback of Stefano Zacchiroli and Ralf Treinen (who have extensive knowledge on the topic with their research work on Mancoosi) and I did not want to invest further work in case they would identify a major flaw. The feedback came only very late this month and while it was somewhat negative, I still think it's worth pursuing the effort for a bit longer.

Converted ftplib to multiarch

While dpkg still doesn't support multiarch (no news from Guillem and no visible sign of progress :-( ), unstable got all the remaining bits allowing us to convert libraries to multiarch (see the announce). As soon as the required libc6 landed in unstable, I looked into converting the only library package that I maintain. I had no major problem but I still identified 2 issues in Lintian (filed as #630164 and quickly fixed by Niels Thykier).

build-arch / build-indep support

For the 42nd time in the last 10 years, the idea of using build-arch/build-indep targets in the rules file has surfaced again. I had already decided some time ago that I would accept a patch implementing a new field Build-Features to enable dpkg-buildpackage to use those targets and this time Bill Allombert completed such a patch so I merged it. The technical committee also decided that it would take a final decision on this topic (see #629385). Roger Leigh provided useful input by doing an archive-wide rebuild with the various solutions suggested. Given that the majority would like to make the target mandatory at some point in the future, I provided the dpkg patch for my preferred solution. We would use auto-detection as a temporary measure until all packages have been converted to have the targets. The technical committee has not yet taken any decision even though the discussion stalled since the 12th of June. But that's usual with that body. I'm sure it will be solved during Debconf. ;-)

Misc dpkg work

Hamster applet update

Hamster-applet is a GNOME application which did not have a 3.0 release, but it had a development release (2.91.x). I checked out whether it was possible to package this version for experimental and have the applet work with the GNOME fallback mode. Apparently not, the code was not yet updated to be compatible with the newer panel. Instead I uploaded the latest stable version (2.32.1) to unstable. It has some nice improvements in the standalone version (and the name of the executable changed). For usage with GNOME 3, I have created a custom shortcut to start it quickly (with gconf-editor set /apps/metacity/global_keybindings/run_command_1 to <Mod4>t and /apps/metacity/keybinding_commands/command_1 to hamster-time-tracker because the GNOME 3 control panel does not seem to work to set custom keybindings currently).

Translated my professional website into English

While I'm grateful for all the people who are supporting my work, I'm still far from my goal to have one third of my time funded through donations and sales of products on this blog. So I decided to also bring more visibility to my company and in particular to its Debian-related service offering. It was only available in French up to now so I translated it and expanded it a bit. My support page on this blog now also links to my company's website. If your company needs help to create Debian packages, or needs Debian technical support by email, you just found the right partner. :-) BTW, I have discounted prices for individuals and non-profits who would like to benefit from my help to create Debian packages.

The Debian Administrator's Handbook

This is the title of the upcoming translation of my book. The project now has a dedicated website: You can subscribe to its RSS feed to keep up with the latest news. The full table of contents is online along with a FAQ. I'm actively looking for partners to help me promote the fundraising once it goes live. If you can reach a large set of readers interested by a good Debian book, get in touch with me to join the affiliate program.

Thanks

See you next month for a new summary of my activities.


13 March 2011

Lars Wirzenius: DPL elections: candidate counts

Out of curiosity, and because it is Sunday morning and I have a cold and can't get my brain to do anything tricky, I counted the number of candidates in each year's DPL elections.
Year Count Names
1999 4 Joseph Carter, Ben Collins, Wichert Akkerman, Richard Braakman
2000 4 Ben Collins, Wichert Akkerman, Joel Klecker, Matthew Vernon
2001 4 Branden Robinson, Anand Kumria, Ben Collins, Bdale Garbee
2002 3 Branden Robinson, Rapha l Hertzog, Bdale Garbee
2003 4 Moshe Zadka, Bdale Garbee, Branden Robinson, Martin Michlmayr
2004 3 Martin Michlmayr, Gergely Nagy, Branden Robinson
2005 6 Matthew Garrett, Andreas Schuldei, Angus Lees, Anthony Towns, Jonathan Walther, Branden Robinson
2006 7 Jeroen van Wolffelaar, Ari Pollak, Steve McIntyre, Anthony Towns, Andreas Schuldei, Jonathan (Ted) Walther, Bill Allombert
2007 8 Wouter Verhelst, Aigars Mahinovs, Gustavo Franco, Sam Hocevar, Steve McIntyre, Raphaël Hertzog, Anthony Towns, Simon Richter
2008 3 Marc Brockschmidt, Raphaël Hertzog, Steve McIntyre
2009 2 Stefano Zacchiroli, Steve McIntyre
2010 4 Stefano Zacchiroli, Wouter Verhelst, Charles Plessy, Margarita Manterola
2011 1 Stefano Zacchiroli (no vote yet)
Winners are indicated by boldface. I expect Zack to win over "None Of The Above", so I went ahead and boldfaced him already, even if there has not been a vote for this year. The median number of candidates is 4.

27 July 2010

Petter Reinholdtsen: Circular package dependencies harm apt recovery

I discovered this while doing automated testing of upgrades from Debian Lenny to Squeeze. A few packages in Debian still have circular dependencies, and it is often claimed that apt and aptitude should be able to handle this just fine, but sometimes these dependency loops cause apt to fail. An example is from today's upgrade of KDE using aptitude. In it, a bug in kdebase-workspace-data causes perl-modules to fail to upgrade. The cause is simple. If a package fails to unpack, then only part of the packages with the circular dependency might end up being unpacked when unpacking aborts, and the ones already unpacked will fail to configure in the recovery phase because their dependencies are unavailable. In this log, the problem manifests itself with this error:
dpkg: dependency problems prevent configuration of perl-modules:
 perl-modules depends on perl (>= 5.10.1-1); however:
  Version of perl on system is 5.10.0-19lenny2.
dpkg: error processing perl-modules (--configure):
 dependency problems - leaving unconfigured
The perl/perl-modules circular dependency is already reported as a bug, and will hopefully be solved as soon as possible, but it is not the only one, and each one of these loops in the dependency tree can cause similar failures. Of course, they only occur when there are bugs in other packages causing the unpacking to fail, but it is rather nasty when the failure of one package causes the problem to become worse because of dependency loops. Thanks to the tireless effort by Bill Allombert, the number of circular dependencies left in Debian is dropping, and perhaps it will reach zero one day. :) Today's testing also exposed a bug in update-notifier and different behaviour between apt-get and aptitude, the latter possibly caused by some circular dependency. Reported both to the BTS to try to get someone to look at it.
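The failure mode described in the post above (one package in a dependency loop fails to unpack, and the already-unpacked members of the loop can then no longer be configured) is easiest to reason about once you can see the loops themselves. The following is an added example, not code from Petter's post or from dpkg, apt or any Debian tool: it parses a small, constructed set of Packages-style control stanzas (modelled on the perl/perl-modules loop the post mentions, plus an invented three-package loop and an invented acyclic package) and lists every set of packages that depend on each other circularly, using Tarjan's strongly connected components algorithm. Package names other than perl, perl-modules and perl-base are invented for the illustration.

```python
"""List circular dependencies in Debian Packages-style metadata.

Added example for illustration; the stanzas below are constructed,
not taken from a real archive.  Only the Depends field is examined,
which is the relationship that blocks configuration in the post.
"""
import re
import sys
from typing import Dict, List

# Constructed sample.  perl <-> perl-modules mirrors the loop in the post;
# alpha -> beta -> gamma -> alpha is an invented three-package loop;
# delta and perl-base are leaves; libc6 is referenced but not listed.
SAMPLE_PACKAGES = """\
Package: perl
Version: 5.10.1-1
Depends: perl-base (= 5.10.1-1), perl-modules (>= 5.10.1-1)

Package: perl-modules
Version: 5.10.1-1
Depends: perl (>= 5.10.1-1)

Package: perl-base
Version: 5.10.1-1

Package: alpha
Depends: beta, libc6 (>= 2.7)

Package: beta
Depends: gamma | delta

Package: gamma
Depends: alpha

Package: delta
"""


def parse_packages(text: str) -> Dict[str, List[str]]:
    """Return {package: [dependency names]} from blank-line separated stanzas.

    Version constraints such as "(>= 5.10.1-1)" are dropped, and each
    alternative in "a | b" becomes its own edge, since either one can be
    the package that ends up in the loop at unpack time.
    """
    graph: Dict[str, List[str]] = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        name = fields.get("Package")
        if not name:
            continue
        deps = []
        for clause in fields.get("Depends", "").split(","):
            for alternative in clause.split("|"):
                tokens = alternative.strip().split()
                if tokens:
                    deps.append(tokens[0])
        graph[name] = deps
    return graph


def find_cycles(graph: Dict[str, List[str]]) -> List[List[str]]:
    """Tarjan's SCC algorithm; returns sorted components that form a loop.

    A component is a loop if it has more than one package or a package
    depends directly on itself.  Dependencies that are referenced but
    not listed (like libc6 above) are treated as leaves.
    """
    index: Dict[str, int] = {}
    lowlink: Dict[str, int] = {}
    stack: List[str] = []
    on_stack = set()
    loops: List[List[str]] = []
    counter = [0]

    def strongconnect(v: str) -> None:
        index[v] = lowlink[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in graph.get(v, []):
            if w not in index:
                strongconnect(w)
                lowlink[v] = min(lowlink[v], lowlink[w])
            elif w in on_stack:
                lowlink[v] = min(lowlink[v], index[w])
        if lowlink[v] == index[v]:
            component = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                component.append(w)
                if w == v:
                    break
            if len(component) > 1 or v in graph.get(v, []):
                loops.append(sorted(component))

    for v in list(graph):
        if v not in index:
            strongconnect(v)
    return sorted(loops)


if __name__ == "__main__":
    # Reads a Packages file from stdin if one is piped in, else uses the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PACKAGES
    for loop in find_cycles(parse_packages(data)):
        print("circular dependency:", " <-> ".join(loop))
```

Each reported set is a group in which a single unpack failure can leave the remaining members unconfigured, exactly as the perl/perl-modules case in the log above. Run against a real Packages file (for example piped from `apt-cache dumpavail`), the output is a quick way to watch the count the post says is dropping.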

22 October 2006

Martin Michlmayr: Testing GCC 4.2 on ARM

On Friday, a branch for GCC 4.2 finally got created, which means that we will hopefully see a release in a few months. The branch should have been created ages ago but the number of regressions just wouldn't go under 100 until recently. During that time, basically since I completed my tests with GCC 4.1, I've been busy testing snapshots of 4.2. I've mainly been testing on em64t (amd64), powerpc and ia64, but I also did some runs on alpha, mips, mipsel, s390 and sparc. Recently, I started testing it on ARM. Being an embedded architecture, ARM isn't terribly fast compared to some other architectures. However, Intel's IOP line is quite interesting and is used in a number of NAS devices. They typically include SATA and often have expandable memory. The device some ARM people are currently working with is the Thecus N2100. A port of debian-installer is underway but more on that later. Since my N2100 is not permanently connected to the Internet, Riku Voipio kindly gave me access to his to do some GCC tests. I started several weeks ago using gcc-snapshot 20060922-1 and it has been compiling happily since. I sort packages by their age, starting with old packages, so while there has been quite a bit of progress since I started, lately it has been going quite slowly. With about 2000 packages compiled in 3.5 weeks, I reckon that GCC 4.2 will be released before I've compiled the full archive. I've therefore been thinking of using distcc to speed the process up. The idea is to run the build process natively on the ARM box but use distcc to perform the actual compilation on another box, namely on a fast machine that has an ARM cross compiler. Unfortunately, I don't have access to such a setup right now. However, I strongly believe that this is a good alternative to test GCC on slower systems and in fact Bill Allombert is currently testing whether it could be used for the m68k port. 
Finally, Intel's new IOP 34x CPUs are also interesting for this kind of work given that they feature a cache and go up to 1.2 GHz with two cores. P.S. If someone is interested in fixing bugs, I have tagged package bugs related to GCC 4.2.

7 April 2006

David Moreno Garza: DPL election ballot

I’m one of those waiting until the last call for votes to send the ballot:
- - -=-=-=-=-=- Don’t Delete Anything Between These Lines =-=-=-=-=-=-=-=-
[ 3 ] Choice 1: Jeroen van Wolffelaar
[ 4 ] Choice 2: Ari Pollak
[ 2 ] Choice 3: Steve McIntyre
[ 1 ] Choice 4: Anthony Towns
[ 3 ] Choice 5: Andreas Schuldei
[ 6 ] Choice 6: Jonathan aka Ted Walther
[ 4 ] Choice 7: Bill Allombert
[ 5 ] Choice 8: None Of The Above
- - -=-=-=-=-=- Don’t Delete Anything Between These Lines =-=-=-=-=-=-=-=-
Good luck to everyone on the election!

19 March 2006

Amaya Rodrigo: DPL vote

- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
[ 3 ] Choice 1: Jeroen van Wolffelaar
[ 5 ] Choice 2: Ari Pollak
[ 1 ] Choice 3: Steve McIntyre
[ 3 ] Choice 4: Anthony Towns
[ 4 ] Choice 5: Andreas Schuldei
[ 7 ] Choice 6: Jonathan aka Ted Walther
[ 2 ] Choice 7: Bill Allombert
[ 6 ] Choice 8: None Of The Above
- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-

17 March 2006

MJ Ray: The DPL Debate 2006

So, we get to the end of the DPL Debate (my logs), I revise my opinions and make a first draft of my vote. Thoughts here are given with grouping people as I see similarities (3 collaboration-centrics, 2 I don't like and the 2 unusual).
Bill Allombert
a moderate, a change, a reluctant candidate. Maintainer of an important, widely-used but unfashionable package. Someone questioned status and charisma, but from watching the FOSDEM video, I think there's the stage presence. Needs work on presenting. How much does that matter, though? It can be learnt. Above NOTA for sure. Just not sure where.
Andreas Schuldei
Seems to have done both good and bad work in the DPL team, which I guess is to be expected. I am uncomfortable with some of his opinions and I think he's made poor judgement calls like signing this hate campaign - but I don't think he'd try to impose those opinions and all DPLs goof sometimes. I still think the small teams aim has many benefits. Above NOTA.
Jeroen van Wolffelaar
I'm not clear what he did in the DPL team during the year. I've listened to the FOSDEM talk, but still not clear. I am also uncomfortable with some opinions and judgements, even more so than Andreas. In debate, brazenly said he supported the first expulsion request. Gives a fairly good analysis of the problem, but: Physician! Heal Thyself! Placing unsure.
Anthony Towns
Lost my vote on Wed, 17 Aug 2005. Below NOTA.
Steve McIntyre
Commercialising debian on an ugly footing with DUS. It's wrong to try to call Debian Developers members of a retail business without asking them. Did something else I dislike a lot. Below NOTA.
Ari Pollak
If this was comedy, it needed to be funnier. Did something I dislike a lot. Below NOTA.
Ted Walther
Learned some things from last year. Heart seems to be in the right place. The interview with Aigarius suggests views not as simple as painted. Still a political disaster zone in internal debian matters (see platform, debate, ...). May be above NOTA in my vote this year.
Update: I slept well. Thanks for caring. Martin F. Krafft asked what's the point of this type of post, why we don't stand for DPL or "use the time to get some work done on Debian". For me, I'm trying to bias the vote outcome by persuading voters or candidates and draw attention to things that may have slipped past. There's no way I'd be elected DPL this year - mostly because of misperceptions I think, but mid-Feb to mid-March is always a bad time for me to explain myself - and I'm working on Debian things but I'm happy to spend extra time trying to identify a good leader. I never decide for sure until I fill out the ballot: some things can change in the last few days. If you don't find my ideas thought-provoking, sorry. I know some do.

7 March 2006

Wouter Verhelst: AOL

Since everyone else seems to give their opinion on DPL candidates over at Planet Debian, I'll join the chorus. Since I've met and know most of the candidates, I'll focus on what cannot be in their platform: their personality.

Jaldhar Vyas: Debian Project Leader Elections 2006

Debian Project Leader Candidates 2006

It's that time of the year again when the Debian Project gathers to elect a new leader. This year there are a record seven candidates. I just spent a couple of hours reading their platforms and a lot (not all, my eyes glazed over after a bit) of the discussions on debian-vote and these are my initial impressions.

Jeroen Van Wolffelaar: Jeroen seems to have a good grasp of where the bottlenecks in the Debian system are. He supports the project Scud idea which has not really worked well so far (as far as I can see) but claims he knows what is wrong and how to fix it. He is young and still a student which might hamper his ability to travel which is a big part of being DPL. Astutely notes that Debian needs to stand out from the crowd more.

Zeke the Cat: Does he have the balls to be an effective leader?

Steve McIntyre: Not really high profile within the project as far as I can tell. Will he be able to "herd cats"? His platform is mainly about reforming Debian's social structure so this is a real concern. The idea of imposing some level of performance standard on developers is intriguing but he is rather short of details on how it is supposed to happen.

Anthony Towns: Anthony is heavily involved in such roles as ftpmaster and release manager. It would be a shame if being DPL actually meant he would have less time for that sort of thing. He claims to be running mainly to introduce some new ideas. So hopefully he won't mind if we keep him in the boiler room instead of, um, athwart the foc'sle?

Andreas Schuldei: I like the idea of frequent face to face meetings. Andreas is a good fundraiser so if anyone can make this happen, he can. But in the absence of support from an eccentric billionaire is this really feasible? Also a member of project Scud.

Johnathan 'Ted' Walther: Retar-ted.

Bill Allombert: Also suffers from being relatively unknown (IMO.) A bit low on ideas and basically wants to maintain the status quo as far as social issues go. I can't consider him a viable contender.

At the moment I'm leaning towards voting for Jeroen but Andreas and Anthony are still in the running. The IRC debate should be interesting.

28 February 2006

Clint Adams: Why NoTA is getting ranked first this year

Jeroen van Wifflepuck There are compromising pictures of this guy in carnal embrace with windmills. These could be very embarrassing if leaked to the press. We can't have a DPL that will embarrass us. We just can't.
R.E. Jacks In Pollack This guy is beholden to marmots. Lots and lots of marmots. Do you really want to empower a marmot rampage?
Uncle Steve Charging money for T-shirts? What happened to the gift economy? All clothing should be FREE! Where's the love?
Tony Bob Towns This guy can't decide whether or not his last name is Town or Town'S. Can you really trust someone who changes his name so casually? I don't think so.
Andreas Schuldei He and Ari are part of the same marmot cabal. If you can't trust one, can you trust the other?
Yonah ( ) Walth re Quite, simply, this, guy, is, employed, by,, to, make, us, all, look, silly. Vive le Rock. P.S., I think the syphilis is worsening.
Bill Allombert Did the Debian menu in ion3 become less fun to use? I blame this guy for some reason.

Aigars Mahinovs: DPL platform runthrough

I think more people should just publish their thoughts about platforms of our DPL candidates so that we can have more visibility and insight (and a reason to actually read those platform statements). Thanks go to MJRay for the idea, however I will try to be a bit more biased so that this post conveys more of my opinions than just a plain summary of the platforms.
Jeroen van Wolffelaar
  • ftp-team for a year, looks good
  • dpl-team as a good idea, wants team decisions to take less responsibility on his own. Might be wise, but could be un-leaderish.
  • pushes for smooth communication, I am not sure how that will work out - smooth communication means sanding off the edges, but we all know that the best development is always on the edge.
  • pushes for code of conduct. While the idea might be quite popular it also states that bad behavior in our community is becoming so widespread that a special code is needed to compensate for that. I do not feel that we are at such a bad state now - more flamewars are raised about the code of conduct than about the conduct itself. I feel this is where simple and decisive action by the DPL should be done and not a bureaucratic procedure to spread the blame of failure.
  • "insider reports" - good idea, like an internal Debian News Station (see Howard 100 News)
  • encouraging wiki, forums and IRC as official channels of external communication. Several questions arise here: as a user with specific question - where must I go? to which media? to which list, channel or forum category? It must not be too complex. Also there is the question of spreading knowledgeable users and developers too thin across multiple channels of voluntary support.
  • infrastructure transparency - good, but how? even tiny bits of paperwork there can slow the whole project to a crawl.
  • mediator in flamewar situations - good, DPL should be doing that.
  • media coverage - does Debian need more media coverage? I do not think so. I do believe that we need more coverage in more professional circles (even if in circles of professional psychiatrists) to attract more developers and make them understand us better, but I do not feel that attracting huge crowds of general public would do much good for the project.
  • in my opinion team players make mediocre leaders
Five word summary: transparent, wide, smooth, mediative, consensus
Ari Pollak
  • whoa ... pictures, so sweet :)
  • humor, so much needed in our project
  • good point about half-DPL - it would be nice to have DPL delegate as much as they possibly can but be strict and easy with what is left
  • Debian Police - sounds like a good substitute for Project Scud and the Finnish Inquisition :D
  • good take on licences, however I would add to the Gnocchi licence the phrase "And you must remove any copies of this licence from your memory as soon as you have finished reading it." That will show them lawyers ...
Five word summary: humor, half-*, police, anti-legalese, illustrations
Steve McIntyre
  • got in cheap, but a long time ago
  • The CD dude!
  • not much new on internal communication, same old "will tell you even that I not doing anything"
  • same stuff about the code of conduct, see above.
  • social skill test within NM. Good idea, but not a good implementation - you will not get much social conditioning with mentoring inside teams. We need someone to get on the candidate and roast them good - test their asbestos suits. After he has made a package, schedule for time and either call the newbie or IRC with him. Grill him about his package. Make sure to slide into personal insults, religion bashing and political discourses. Watch the response. Evaluate. Post audio online :)
  • open cabalish developments - there is little to be done beyond talking to cabal and making sure all semi-private developments use public Debian infrastructure for communication - draft on wiki and develop in svn, so that everyone can see.
  • very good points about professionalism. we must be able to be proud about Debian and demand some level of standards from packages inside Debian. The idea of regular DD reexamination might be a very good fit here, see below.
  • Steve looks like a good organizer to me
  • however he might be a bit too soft on leadership or simply too diplomatically inclined in his platform statement
Five word summary: professionalism, standards, MIA, tests, communication
Anthony Towns
  • not wanting to win too much
  • speed up! - release early, release often. Sounds good for the everyday processes, but not for The Release. I still want to see Debian as The Most Stable thing ever.
  • recruiting - I would ask, recruit for what? People can not just get into the interesting parts of the project and recruiting for general run of the mill development does not sound too engaging to me. You'd better make a contest for new security team members or new ftp masters or any other position that one person or only a few persons hold now. Have clear requirements and tests and actually get those people into doing those critical jobs. After that we can think about ...
  • ... compulsory turnover. Now there is a good idea that I'd like other DPLs to consider, but only with in conjunction with the previous one. We might not need full rotation, but we could have a rotating ftp team leader post that would iterate among ftp team members. That would alleviate the "hit by a bus" problem a bit more.
  • DPL as a discussion and direction leader is quite a nice and needed idea in my opinion.
  • I do not agree with aj about compulsory kindness and the general idea of expulsion on social grounds. Currently it creates more problems than it could solve in a lifetime.
  • Congrats on declassification thing, historians will surely thank us for that.
  • nice legal disclaimer, I like those kind of things :)
Five word summary: continuity, tempo, newbies, direction, bling
Andreas Schuldei Not online, to be put here when it appears.
Jonathan (Ted) Walther
  • photo, nice touch.
  • speak your mind. sound essential to a DPL.
  • Ubuntu good. Good.
  • Make love (and code) and not Desktop. Let Ubuntu make Desktop if they want to.
  • We all are strange people, face it.
  • Kicking people out is more harm to the project than those people could ever do.
  • Kicking fun out of Debian.
  • Great points about improving NM process and worshiping James Troup - I fully agree.
  • The best idea here - recertification of all Debian Developers every X years (where X is proposed to be 3 currently). This will almost automatically solve many problems we have in Debian: NM frustration, MIA developers, standards of professionalism, reiteration of best practices, social reshuffling.
Five word summary: Here, goes, my, vote, period. Alternate summary: geek, love, tolerate, recertification, statue.
Bill Allombert
  • math Ph.D. and researcher.
  • wanted to vote for Lars, but as he stepped down saw no one else good enough, so put himself forward. brave words. I like Lars too, but it's not like we do not have good candidates this year besides him.
  • summary on effect of voluntarism and respectful communication. Quite plain if you ask me. Got me a bit bored there. Not a good sign.
  • think globally
  • assist others
  • help Debian specific software
  • observers - sounds like that Debian Action News Team minus all the fun.
  • "I am very patient" - be patient when reading and enthusiastic while writing, otherwise people might not read patiently
Five word summary: filler, communicate, more filler, patience

I hope this summary gave someone as much food for thought as it did for me. My favorite is very clear, but can you guess who is my second choice? Leave a comment and let me know what you think :)

MJ Ray: How I read the DPL 2006 platforms

Bill Allombert
  • Lars Wirzenius had denominated himself
  • fully volunteer project implications
  • some rules for better communications
  • mediate
  • consider the distribution globally
  • "assistant" projects, Debian-specific projects
  • neutral observers
Jonathan (Ted) Walther
  • unpopular
  • Most of us are dysfunctional in various ways
  • if a person tries to get another person kicked out of the Debian project, and they fail, they themselves will be kicked out. wiki
  • developers who didn't go through NM to go through it within the next year. From that point on, every developer would be required to renew their membership every three years, similar to drivers licenses [MJR: not English driving licences, it's not]
  • honor James Troup
Andreas Schuldei
  • not found on this server
Anthony Towns
  • a leadership hat
  • increasing its tempo
  • DPL and others actively and visibly recruit people on an ongoing basis
  • raise topics for discussion, and help guide them through
  • Gratuitous Song Parody
  • [seems to see the arbitrary expulsion and ban procedures as good developments?]
  • [title claims to be Ari Pollak's platform :) This is a good thing, will win votes.]
Steve McIntyre
  • [officer of the trader called "Debian-UK"]
  • regular status updates
  • agree a Debian code of conduct
  • more NM training can/should happen more within teams
  • more open discussion will happen naturally
  • Professionalism [(!) why not think of the children, too?]
  • detect [MIA] more quickly and more easily
Ari Pollak
  • half-joke candidate
  • half-DPL
  • Team Ari: Debian Police
  • who needs such complicated licenses, anyway?
Jeroen van Wolffelaar
  • DPL team
  • adoption of a code of conduct
  • insider reports
  • more use of the official wiki
  • Increase transparency of infrastructure teams
  • mediator/ombudsman ... team like the tech-ctte
  • actively approach the press
The above are in the reverse of the vote page order, in case you were wondering. I've not worked out my preference yet. Let's see what happens.