Lunar: Reproducible builds: week 21 in Stretch cycle
What happened in the reproducible
builds effort this week:
Media coverage
Nathan Willis covered our DebConf15 status
update in Linux Weekly News. Access to
non-LWN subscribers will be given on Thursday 24th.
Linux Journal published a more general
piece
last Tuesday.
Unexpected praise for reproducible builds appeared this week in the form of
several iOS applications identified as including spyware. The malware was
undetected by Apple screening. This actually happened because
application developers had simply downloaded a trojaned version of XCode
through an unofficial
source. While reproducible builds can't really help users of non-free software, this is exactly the kind of attacks that we are trying to prevent in our systems.
Toolchain fixes
- Mathieu Malaterre uploaded abi-compliance-checker/1.99.11-1 which drops the timestamps from the generated HTML reports and makes the generated .abi.tar.gz files reproducible. Original patches by Chris Lamb.
- apparmor/2.10-2 uploaded by intrigeri, fixed upstream by Christian Boltz, with the same change suggested by Reiner Herrmann.
- ardour/1:4.2~dfsg-2 by IOhannes m zm lnig.
- dcmtk/3.6.1~20150629-1 uploaded by Andreas Tille, original patch by akira.
- deap/1.0.1-4 by Daniel Stender.
- firebird2.5/2.5.4.26856.ds4-2 by Damyan Ivanov.
- gamera/3.4.2+svn1437-1 by Daniel Stender.
- genometools/1.5.7-1 by Sascha Steinbiss.
- golang-github-go-xorm-core/0.4.4-1 by Alexandre Viau.
- klibc/2.0.4-4 by Ben Hutchings.
- libgtk2-perl/2:1.2496-3 by intrigeri.
- lsof/4.89+dfsg-0.1 uploaded by Laurent Bigonville, original patch by Lunar.
- monotone/1.1-6 by Markus Wanner.
- ndisc6/1.0.1-4 by Santiago Vila.
- privoxy/3.0.23-4 by Roland Rosenfeld.
- ruby-flexmock/2.0.0~rc1-1 by Antonio Terceiro.
- ruby-html2haml/2.0.0-1 by Lunar.
- tunnelx/20140102-3 uploaded by Wookey, original patch by Chris Lamb.
- wtforms/2.0.2-1 by Orestis Ioannou, original patch by Juan Picca.
- #783152 on kmod by Lunar: export
SOURCE_DATE_EPOCH
indebian/rules
. - #799010 on 389-ds-base by Chris Lamb: use
SOURCE_DATE_EPOCH
value as the build date. - #799206 on python-sqlalchemy-utils by Chris Lamb: sort the list of extra requirement.
- #799330 on cappuccino by Chris Lamb: pass a fixed seed to polygen.
- #799410 on segment by Chris Lamb: use date of the latest
debian/changelog
entry as build date.
yield from
and concurrent.futures
) that could help implement parallel processing. The clear separation of bytes and unicode strings is also likely to reduce encoding related issues.
Mattia Rizolo thus kicked the effort of porting diffoscope to Python 3. tlsh was the only dependency missing a Python 3 module. This got quickly fixed by a new upload.
The rest of the code has been moved to the point where only incompatibilities between Python 2.7 and Pyhon 3.4 had to be changed. The commit stream still require some cleanups but all tests are now passing under Python 3.
Documentation update
The documentation on how to assemble the weekly reports has been updated. (Lunar)
The example on how to use SOURCE_DATE_EPOCH with CMake has been improved. (Ben Beockel, Daniel Kahn Gillmor)
The solution for timestamps in man pages generated by Sphinx now uses SOURCE_DATE_EPOCH. (Mattia Rizzolo)
Package reviews
45 reviews have
been removed, 141 added and 62 updated this week.
67 new FTBFS reports have been filled by Chris Lamb, Niko Tyni, and Lisandro Dami n Nicanor P rez Meyer.
New issues added this week: randomness_in_r_rdb_rds_databases, python-ply_compiled_parse_tables.
Misc.
The prebuilder script is now properly testing umask variations again.
Santiago Villa started a discussion on debian-devel on how binNMUs would work for reproducible builds.