Debian is running a "vcswatch" service that keeps track of the status of all packaging repositories that have a Vcs-Git (and other VCSes) header set and shows which repos might need a package upload to push pending changes out. Naturally, this is a lot of data and the scratch partition on qa.debian.org had to be expanded several times, up to 300 GB in the last iteration. Attempts to reduce that size using shallow clones (git clone --depth=50) did not result more than a few percent of space saved. Running git gc on all repos helps a bit, but is tedious and as Debian is growing, the repos are still growing both in size and number. I ended up blocking all repos with checkouts larger than a gigabyte, and still the only cure was expanding the disk, or to lower the blocking threshold. Since we only need a tiny bit of info from the repositories, namely the content of debian/changelog and a few other files from debian/, plus the number of commits since the last tag on the packaging branch, it made sense to try to get the info without fetching a full repo clone. The question if we could grab that solely using the GitLab API at salsa.debian.org was never really answered. But then, in #1032623, G bor N meth suggested the use of git clone --filter blob:none. As things go, this sat unattended in the bug report for almost a year until the next "disk full" event made me give it a try. The blob:none filter makes git clone omit all files, fetching only commit and tree information. Any blob (file content) needed at git run time is transparently fetched from the upstream repository, and stored locally. It turned out to be a game-changer. The (largish) repositories I tried it on shrank to 1/100 of the original size. Poking around I figured we could even do better by using tree:0 as filter. This additionally omits all trees from the git clone, again only fetching the information at run time when needed. Some of the larger repos I tried it on shrank to 1/1000 of their original size. I deployed the new option on qa.debian.org and scheduled all repositories to fetch a new clone on the next scan: The initial dip from 100% to 95% is my first "what happens if we block repos > 500 MB" attempt. Over the week after that, the git filter clones reduce the overall disk consumption from almost 300 GB to 15 GB, a 1/20. Some repos shrank from GBs to below a MB. Perhaps I should make all my git clones use one of the filters.

Back in 2015, when PostgreSQL 9.5 alpha 1 was released, I had posted the PostgreSQL data from Debian's popularity contest. 8 years and 8 PostgreSQL releases later, the graph now looks like this: Currently, the most popular PostgreSQL on Debian systems is still PostgreSQL 13 (shipped in Bullseye), followed by PostgreSQL 11 (Buster). At the time of writing, PostgreSQL 9.6 (Stretch) and PostgreSQL 15 (Bookworm) share the third place, with 15 rising quickly.

pg_dirtyread Earlier this week, I updated pg_dirtyread to work with PostgreSQL 14. pg_dirtyread is a PostgreSQL extension that allows reading "dead" rows from tables, i.e. rows that have already been deleted, or updated. Of course that works only if the table has not been cleaned-up yet by a VACUUM command or autovacuum, which is PostgreSQL's garbage collection machinery. Here's an example of pg_dirtyread in action:

# create table foo (id int, t text);
CREATE TABLE
# insert into foo values (1, 'Doc1');
INSERT 0 1
# insert into foo values (2, 'Doc2');
INSERT 0 1
# insert into foo values (3, 'Doc3');
INSERT 0 1
# select * from foo;
 id    t
 
  1   Doc1
  2   Doc2
  3   Doc3
(3 rows)
# delete from foo where id < 3;
DELETE 2
# select * from foo;
 id    t
 
  3   Doc3
(1 row)

Oops! The first two documents have disappeared. Now let's use pg_dirtyread to look at the table:

# create extension pg_dirtyread;
CREATE EXTENSION
# select * from pg_dirtyread('foo') t(id int, t text);
 id    t
 
  1   Doc1
  2   Doc2
  3   Doc3

All three documents are still there, but only one of them is visible. pg_dirtyread can also show PostgreSQL's system colums with the row location and visibility information. For the first two documents, xmax is set, which means the row has been deleted:

# select * from pg_dirtyread('foo') t(ctid tid, xmin xid, xmax xid, id int, t text);
 ctid    xmin   xmax   id    t
 
 (0,1)   1577   1580    1   Doc1
 (0,2)   1578   1580    2   Doc2
 (0,3)   1579      0    3   Doc3
(3 rows)

Undelete Caveat: I'm not promising any of the ideas quoted below will actually work in practice. There are a few caveats and a good portion of intricate knowledge about the PostgreSQL internals might be required to succeed properly. Consider consulting your favorite PostgreSQL support channel for advice if you need to recover data on any production system. Don't try this at work. I always had plans to extend pg_dirtyread to include some "undelete" command to make deleted rows reappear, but never got around to trying that. But rows can already be restored by using the output of pg_dirtyread itself:

# insert into foo select * from pg_dirtyread('foo') t(id int, t text) where id = 1;

This is not a true "undelete", though - it just inserts new rows from the data read from the table. pg_surgery Enter pg_surgery, which is a new PostgreSQL extension supplied with PostgreSQL 14. It contains two functions to "perform surgery on a damaged relation". As a side-effect, they can also make delete tuples reappear. As I discovered now, one of the functions, heap_force_freeze(), works nicely with pg_dirtyread. It takes a list of ctids (row locations) that it marks "frozen", but at the same time as "not deleted". Let's apply it to our test table, using the ctids that pg_dirtyread can read:

# create extension pg_surgery;
CREATE EXTENSION
# select heap_force_freeze('foo', array_agg(ctid))
    from pg_dirtyread('foo') t(ctid tid, xmin xid, xmax xid, id int, t text) where id = 1;
 heap_force_freeze
 
(1 row)

Et voil , our deleted document is back:

# select * from foo;
 id    t
 
  1   Doc1
  3   Doc3
(2 rows)
# select * from pg_dirtyread('foo') t(ctid tid, xmin xid, xmax xid, id int, t text);
 ctid    xmin   xmax   id    t
 
 (0,1)      2      0    1   Doc1
 (0,2)   1578   1580    2   Doc2
 (0,3)   1579      0    3   Doc3
(3 rows)

Disclaimer Most importantly, none of the above methods will work if the data you just deleted has already been purged by VACUUM or autovacuum. These actively zero out reclaimed space. Restore from backup to get your data back. Since both pg_dirtyread and pg_surgery operate outside the normal PostgreSQL MVCC machinery, it's easy to create corrupt data using them. This includes duplicated rows, duplicated primary key values, indexes being out of sync with tables, broken foreign key constraints, and others. You have been warned. pg_dirtyread does not work (yet) if the deleted rows contain any toasted values. Possible other approaches include using pageinspect and pg_filedump to retrieve the ctids of deleted rows. Please make sure you have working backups and don't need any of the above.

Here s my (twentieth) monthly update about the activities I ve done in the F/L/OSS world.

Debian

This was my 29th month of actively contributing to Debian. I became a DM in late March 2019 and a DD on Christmas 19! \o/ Interesting month, surprisingly. Lots of things happening and lots of moving parts; becoming the new normal , I believe. Anyhow, working on Ubuntu full-time has its own advantage and one of them is being able to work on Debian stuff! So whilst I couldn t upload a lot of packages because of the freeze, here s what I worked on:

Uploads and bug fixes:

• ruby-rack-cors (1.0.2-1+deb10u1) - Fix for CVE-2019-18978/#944849.
• rails (2:6.0.3.7+dfsg-1) - New upstream version, fixing CVE-2021-22904, CVE-2021-22902, and CVE-2021-22885 /#988214.
• ruby-marcel (1.0.1+dfsg-2) - Upload to unstable for rails.
• python-aws-requests-auth (0.4.3-2) - Enable build-time tests.
• gist (6.0.0-2) - Add patch to skip test when $HTTP_PROXY isn t set.
• php-cache-lite (1.8.3-1) - New upstream version, fixing FTBFS w/ PHP 8.0.
• Sponsored upload of htmldoc (1.9.3-1+deb10u1) to buster-pu, fixing CVE-2019-19630 and CVE-2021-20308 for H vard Flaget Aasen.
• Sponsored upload of libbusiness-us-usps-webtools-perl (1.125-1) to unstable, fixing #988330 for Yadd.
• Sponsored upload of radsecproxy (1.8.2-4) to unstable, fixing CVE-2021-32642 for Sven Hartge.

Other $things:

• Mentoring for newcomers and assisting people in BSP.
• Moderation of -project mailing list.

---

Ubuntu

This was my 4th month of actively contributing to Ubuntu. Now that I ve joined Canonical to work on Ubuntu full-time, there s a bunch of things I do! \o/ This month, by all means, was dedicated mostly to PHP 8.0, transitioning from PHP 7.4 to 8.0. Naturally, it had so many moving parts and moments of utmost frustration, shared w/ Bryce. :D So even though I can t upload anything, I worked on the following stuff & asked for sponsorship.
But before, I d like to take a moment to stress how kind and awesome Gianfranco Costamagna, a.k.a. LocutusOfBorg is! He s been sponsoring a bunch of my things & helping with re-triggers, et al. Thanks a bunch, Gianfranco; beers on me whenever we meet!

Merges:

• [2021-05-05] ruby2.7 (2.7.3-2ubuntu1).
• [2021-05-11] exim4 (4.94.2-2ubuntu1).
• [2021-05-17] openvpn (2.5.1-3ubuntu1).
• [2021-05-19] autofs (5.1.7-1).
• [2021-05-25] xterm (366-1ubuntu1).

Uploads & Syncs:

• [2021-05-20] php-net-url2/2.2.1-0.2build2 - no-change rebuild.
• [2021-05-26] phpmyadmin/4:5.0.4+dfsg2-2ubuntu1 - fix build w/ PHP 8.
• [2021-05-26] php-async-aws-core/1.7.2-1build1 - no-change rebuild.
• [2021-05-26] php-async-aws-ses/1.3.0-1build1 - no-change rebuild.
• [2021-05-26] php-async-aws-sqs/1.3.2-1build1 - no-change rebuild.
• [2021-05-26] php-http-interop-http-factory-tests/0.9.0-1build1 - no-change rebuild.
• [2021-05-26] php-twig/3.3.2-1 - sync d from experimental.
• [2021-05-26] php-doctrine-cache/1.10.2-2ubuntu1 - fix build w/ PHP 8.
• [2021-05-26] php-symfony-contracts/2.4.0-1 - sync d from experimental.
• [2021-05-26] php-phpseclib/2.0.30-2ubuntu1 - fix build w/ PHP 8.
• [2021-05-27] php-email-validator/3.1.1-2 - sync d from experimental.
• [2021-05-27] php-async-aws-core/1.10.0-1 - sync d from experimental.
• [2021-05-27] php-async-aws-ses/1.4.0-1 - sync d from experimental.
• [2021-05-27] php-async-aws-sqs/1.5.0-1 - sync d from experimental.
• [2021-05-27] libphp-swiftmailer/6.2.4-1ubuntu1 - fix build w/ PHP 8.
• [2021-05-27] phpunit/9.5.4-1 - sync d from experimental.
• [2021-05-27] php-psr-cache/3.0.0-1 - sync d from experimental.
• [2021-05-27] php-psr-container/2.0.1-1 - sync d from experimental.
• [2021-05-28] php-wmerrors/2.0.0~git20190628.183ef7d-2ubuntu1 - fix build w/ PHP 8.
• [2021-05-28] php-monolog/2.2.0-1 - sync d from experimental.
• [2021-05-28] php-amqplib/3.0.0-1 - sync d from experimental.
• [2021-05-28] php-cache-lite/1.8.3-1 - uploaded to Debian.
• [2021-05-28] php-cache-lite/1.8.3-1 - sync d from experimental.
• [2021-05-29] php-symfony-contracts/2.4.0-1ubuntu1 - fix build w/ PHP 8.
• [2021-05-31] php-symfony-contracts/2.4.0-1ubuntu2 - fix build w/ php-cache-container.

MIRs:

• [2021-05-16] LP: #1915445/python-aws-requests-auth.
• [2021-05-20] LP: #1152187/systemd-container.
• [2021-05-31] LP: #1930207/prips.

Seed Operations:

• [2021-05-31] MP #403505/systemd-container for Bionic.
• [2021-06-01] MP #403562/prips for Impish.

---

Debian (E)LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success. And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support). This was my twentieth month as a Debian LTS and eleventh month as a Debian ELTS paid contributor.
I was assigned 29.75 hours for LTS and 40.00 hours for ELTS and worked on the following things:

LTS CVE Fixes and Announcements:

• Issued DLA 2654-1, fixing CVE-2021-29472, for composer.
  For Debian 9 stretch, these problems have been fixed in version 1.2.2-1+deb9u1.
• Issued DLA 2655-1, fixing CVE-2021-22885 and CVE-2021-22904, for rails.
  For Debian 9 stretch, these problems have been fixed in version 2:4.2.7.1-1+deb9u5.
• Issued DLA 2656-1, fixing CVE-2021-3504, for hivex.
  For Debian 9 stretch, these problems have been fixed in version 1.3.13-2+deb9u1.
• Issued DLA 2659-1, fixing CVE-2018-10196 and CVE-2020-18032, for graphviz.
  For Debian 9 stretch, these problems have been fixed in version 2.38.0-17+deb9u1.
• Issued DLA 2662-1, fixing CVE-2021-32027 and CVE-2021-32028, for postgresql-9.6.
  For Debian 9 stretch, these problems have been fixed in version 9.6.22-0+deb9u1. This update for done by the maintainer, Christoph Berg. I just took care of announcing and publishing the update.
• Uploaded ruby-rack-cors to buster-security, fixing CVE-2019-18978. For Debian 10 buster, these problems have been fixed in version 1.0.2-1+deb10u1.
• Issued DLA 2663-1, fixing CVE-2021-22204, for libimage-exiftool-perl.
  For Debian 9 stretch, these problems have been fixed in version 10.40-1+deb9u1.

ELTS CVE Fixes and Announcements:

• Issued ELA 425-1, fixing CVE-2021-22885 and CVE-2021-22904, for rails.
  For Debian 8 jessie, these problems have been fixed in version 2:4.1.8-1+deb8u9.
• Uploaded rails to unstable, fixing CVE-2021-22885, CVE-2021-22902, and CVE-2021-22904.
  For Debian sid, these problems have been fixed in version 2:6.0.3.7+dfsg-1.
• Issued ELA 426-1, fixing CVE-2021-3504, for hivex.
  For Debian 8 jessie, these problems have been fixed in version 1.3.10-2+deb8u3.
• Issued ELA 428-1, fixing CVE-2018-10196 and CVE-2020-18032, for graphviz.
  For Debian 8 jessie, these problems have been fixed in version 2.38.0-7+deb8u1.
• Issued ELA 430-1, fixing CVE-2021-22204, for libimage-exiftool-perl.
  For Debian 8 jessie, these problems have been fixed in version 9.74-1+deb8u1.

Other (E)LTS Work:

• Front-desk duty from 24-05 until 30-05 for both LTS and ELTS.
• Triaged rails, libimage-exiftool-perl, hivex, graphviz, glibc, libexosip2, impacket, node-ws, thunar, libgrss, nginx, postgresql-9.6, ffmpeg, composter, and curl.
• Mark CVE-2019-9904/graphviz as ignored for stretch and jessie.
• Mark CVE-2021-32029/postgresql-9.6 as not-affected for stretch.
• Mark CVE-2020-24020/ffmpeg as not-affected for stretch.
• Mark CVE-2020-22020/ffmpeg as postponed for stretch.
• Mark CVE-2020-22015/ffmpeg as ignored for stretch.
• Mark CVE-2020-21041/ffmpeg as postponed for stretch.
• Mark CVE-2021-33574/glibc as no-dsa for stretch & jessie.
• Mark CVE-2021-31800/impacket as no-dsa for stretch.
• Mark CVE-2021-32611/libexosip2 as no-dsa for stretch.
• Mark CVE-2016-20011/libgrss as ignored for stretch.
• Mark CVE-2021-32640/node-ws as no-dsa for stretch.
• Mark CVE-2021-32563/thunar as no-dsa for stretch.
• [LTS] Help test and review bind9 update for Emilio.
• [LTS] Suggest and add DEP8 tests for bind9 for stretch.
• [LTS] Sponsored upload of htmldoc to buster for Havard as a consequence of #988289.
• [ELTS] Fix triage order for jetty and graphviz.
• [ELTS] Raise issue upstream about cloud-init; mock tests instead.
• [ELTS] Write to private ELTS list about triage ordering.
• [ELTS] Review Emilio s new script and write back feedback, mentioning extra file created, et al.
• [ELTS/LTS] Raise upgrade problems from LTS -> LTS+1 to the list. Thread here.
  • Further help review and raise problems that could occur, et al.
• [LTS] Help explain path forward for firmware-nonfree update to Ola. Thread here.
• [ELTS] Revert entries of TEMP-0000000-16B7E7 and TEMP-0000000-1C4729; CVEs assigned & fix ELTS tracker build.
• Auto EOL ed linux, libgrss, node-ws, and inspircd for jessie.
• Attended monthly Debian LTS meeting, which didn t happen, heh.
• Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
• General and other discussions on LTS private and public mailing list.

---

Until next time.
:wq for today.

The apt.postgresql.org repository has been extended to cover the arm64 architecture. We had occasionally received user request to add "arm" in the past, but it was never really clear which kind of "arm" made sense to target for PostgreSQL. In terms of Debian architectures, there's (at least) armel, armhf, and arm64. Furthermore, Raspberry Pis are very popular (and indeed what most users seemed to were asking about), but the raspbian "armhf" port is incompatible with the Debian "armhf" port. Now that most hardware has moved to 64-bit, it was becoming clear that "arm64" was the way to go. Amit Khandekar made it happen that HUAWEI Cloud Services donated a arm64 build host with enough resources to build the arm64 packages at the same speed as the existing amd64, i386, and ppc64el architectures. A few days later, all the build jobs were done, including passing all test-suites. Very few arm-specific issues were encountered which makes me confident that arm64 is a solid architecture to run PostgreSQL on. We are targeting Debian buster (stable), bullseye (testing), and sid (unstable), and Ubuntu bionic (18.04) and focal (20.04). To use the arm64 archive, just add the normal sources.list entry:

deb https://apt.postgresql.org/pub/repos/apt buster-pgdg main

Ubuntu focal At the same time, I've added the next Ubuntu LTS release to apt.postgresql.org: focal (20.04). It ships amd64, arm64, and ppc64el binaries.

deb https://apt.postgresql.org/pub/repos/apt focal-pgdg main

Old PostgreSQL versions Many PostgreSQL extensions are still supporting older server versions that are EOL. For testing these extension, server packages need to be available. I've built packages for PostgreSQL 9.2+ on all Debian distributions, and all Ubuntu LTS distributions. 9.1 will follow shortly. This means people can move to newer base distributions in their .travis.yml, .gitlab-ci.yml, and other CI files.

Users had often asked where they could find older versions of packages from apt.postgresql.org. I had been collecting these since about April 2013, and in July 2016, I made the packages available via an ad-hoc URL on the repository master host, called "the morgue". There was little repository structure, all files belonging to a source package were stuffed into a single directory, no matter what distribution they belonged to. Besides this not being particularly accessible for users, the main problem was the ever-increasing need for more disk space on the repository host. We are now at 175 GB for the archive, of which 152 GB is for the morgue. Our friends from yum.postgresql.org have had a proper archive host (yum-archive.postgresql.org) for some time already, so it was about time to follow suit and implement a proper archive for apt.postgresql.org as well, usable from apt. So here it is: apt-archive.postgresql.org The archive covers all past and current Debian and Ubuntu distributions. The apt sources.lists entries are similar to the main repository, just with "-archive" appended to the host name and the distribution:

deb https://apt-archive.postgresql.org/pub/repos/apt DIST-pgdg-archive main
deb-src https://apt-archive.postgresql.org/pub/repos/apt DIST-pgdg-archive main

The oldest PostgreSQL server versions covered there are 8.2.23, 8.3.23, 8.4.17, 9.0.13, 9.1.9, 9.2.4, 9.3beta1, and everything newer. Some example:

$ apt-cache policy postgresql-12
postgresql-12:
  Installed: 12.2-2.pgdg+1+b1
  Candidate: 12.2-2.pgdg+1+b1
  Version table:
 *** 12.2-2.pgdg+1+b1 900
        500 http://apt.postgresql.org/pub/repos/apt sid-pgdg/main amd64 Packages
        500 https://apt-archive.postgresql.org/pub/repos/apt sid-pgdg-archive/main amd64 Packages
        100 /var/lib/dpkg/status
     12.2-2.pgdg+1 500
        500 https://apt-archive.postgresql.org/pub/repos/apt sid-pgdg-archive/main amd64 Packages
     12.2-1.pgdg+1 500
        500 https://apt-archive.postgresql.org/pub/repos/apt sid-pgdg-archive/main amd64 Packages
     12.1-2.pgdg+1 500
        500 https://apt-archive.postgresql.org/pub/repos/apt sid-pgdg-archive/main amd64 Packages
     12.1-1.pgdg+1 500
        500 https://apt-archive.postgresql.org/pub/repos/apt sid-pgdg-archive/main amd64 Packages
     12.0-2.pgdg+1 500
        500 https://apt-archive.postgresql.org/pub/repos/apt sid-pgdg-archive/main amd64 Packages
     12.0-1.pgdg+1 500
        500 https://apt-archive.postgresql.org/pub/repos/apt sid-pgdg-archive/main amd64 Packages
     12~rc1-1.pgdg+1 500
        500 https://apt-archive.postgresql.org/pub/repos/apt sid-pgdg-archive/main amd64 Packages
     12~beta4-1.pgdg+1 500
        500 https://apt-archive.postgresql.org/pub/repos/apt sid-pgdg-archive/main amd64 Packages
     12~beta3-1.pgdg+1 500
        500 https://apt-archive.postgresql.org/pub/repos/apt sid-pgdg-archive/main amd64 Packages
     12~beta2-1.pgdg+1 500
        500 https://apt-archive.postgresql.org/pub/repos/apt sid-pgdg-archive/main amd64 Packages
     12~beta1-1.pgdg+1 500
        500 https://apt-archive.postgresql.org/pub/repos/apt sid-pgdg-archive/main amd64 Packages

Because this is hosted on S3, browsing directories is only supported indirectly by static index.html files, so if you want to look at some specific URL, append "/index.html" to see it. The archive is powered by a PostgreSQL database and a bunch of python/shell scripts, from which the apt index files are built. Archiving old distributions I'm also using the opportunity to remove some long-retired distributions from the main repository host. The following distributions have been moved over:

• Debian etch (4.0)
• Debian lenny (5.0)
• Debian squeeze (6.0)
• Ubuntu lucid (10.04)
• Ubuntu saucy (13.10)
• Ubuntu utopic (14.10)
• Ubuntu wily (15.10)
• Ubuntu zesty (17.04)
• Ubuntu cosmic (18.10)

They are available as "DIST-pgdg" from the archive, e.g. squeeze:

deb https://apt-archive.postgresql.org/pub/repos/apt squeeze-pgdg main
deb-src https://apt-archive.postgresql.org/pub/repos/apt squeeze-pgdg main

Here's what happened in the Reproducible Builds effort between Sunday October 1 and Saturday October 7 2017: Media coverage

• Bernhard sent another report about the status of Reproducible openSUSE. They currently they are at 478 unreproducible and 11,111 reproducible packages out of 11,821, so also at 93%!
• Holger attempted to get a Reproducible Builds devroom at FOSDEM 2018 but sadly this proposal was not accepted.

Documentation updates

• Christoph Berg created a wiki page about Openjade generated timestamps from DSSSL stylesheets.

Packages reviewed and fixed, and bugs filed

• Bernhard M. Wiedemann:
  • LiE uninitialized memory (need to find upstream)
  • chrony date (merged)
• Chris Lamb:
  • #877375 filed against polygen.
  • #877381 filed against plr.
  • #877384 filed against rcs.
  • #877928 filed against cadvisor.
• jathan:
  • #877470 filed against bsh.

Reviews of unreproducible packages 32 package reviews have been added, 46 have been updated and 62 have been removed in this week, adding to our knowledge about identified issues. Weekly QA work During our reproducibility testing, FTBFS bugs have been detected and reported by:

• Adrian Bunk (27)

diffoscope development

• Chris Lamb:
  • Don't crash on malformed md5sums files. (Closes: #877473)
  • Improve names in output of "internal" binwalk members. (Closes: #877525)
• Mattia Rizzolo:
  • Fix test compatibility with dtb version 1.4.5

strip-nondeterminism development Rob Browning noticed that strip-nondeterminism was causing serious performance regressions in the Clojure programming language within Debian. After some discussion, Chris Lamb also posted a query to debian-devel in case there were any other programming languages that might be suffering from the same problem.

• Chris Lamb:
  • jar.pm: Clojure considers the .class file to be stale if it shares the same timestamp of the .clj. We thus adjust the timestamps of the .clj to always be younger.. (Closes: #877418)
  • jar.pm, zip.pm: Allow $options member_normalizer callback to support specifying the timestamp.
  • zip.pm: Ensure that we don't try and write an old timestamp; Archive::Zip will do this anyway, just noisily.
  • zip.pm: Calculate the target canonical time in just one place.
  • bin/strip-nondeterminism: Print a warning in --verbose mode if no canonical time specified.
  • jar.pm: Update comment to reflect that NTFS/FAT has a 2s timestamp granularity.
  • jar.pm: s/NTFS/FAT/. Thanks to James Ross.

reprotest development Versions 0.7.1 and 0.7.2 were uploaded to unstable by Ximin Luo:

• New features:
  • Add a --auto-build option to try to determine which specific variations cause unreproducibility.
  • Add a --source-pattern option to restrict copying of source_root, and set this automatically in our presets.
• Usability improvements:
  • Improve error messages in some common scenarios.
    • Fiving a source_root or build_command that doesn't exist
    • Using reprotest with default settings after not installing Recommends
  • Output hashes after a successful --auto-build.
  • Print a warning message if we reproduced successfully but didn't vary everything.
• Fix varying both umask and user_group at the same time.
• Have dpkg-source extract to different build dir if varying the build-path.
• Pass --exclude-directory-metadata to diffoscope(1) by default as this is the majority use-case.
• Various bug fixes to get the basic dsc+schroot example working.

It included contributions already covered by posts of the previous weeks, as well as new ones from:

• Ximin Luo:
  • main: Add a --env-build option for testing different env vars
  • Don't output spurious warnings in tests
  • Add some more notes on the remaining variations
  • Fix the help text for virtual servers

tests.reproducible-builds.org

• Mattia Rizzolo:
  • Re-deploy odxu4a after being reinstalled and renamed from odxu4.
• Vagrant Cascadian:
  • Rename armhf host odxu4 to odxu4a

Misc. This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

What happened in the Reproducible Builds effort between Sunday September 25 and Saturday October 1 2016: Statistics For the first time, we reached 91% reproducible packages in our testing framework on testing/amd64 using a determistic build path. (This is what we recommend to make packages in Stretch reproducible.) For unstable/amd64, where we additionally test for reproducibility across different build paths we are at almost 76% again. IRC meetings We have a poll to set a time for a new regular IRC meeting. If you would like to attend, please input your available times and we will try to accommodate for you. There was a trial IRC meeting on Friday, 2016-09-31 1800 UTC. Unfortunately, we did not activate meetbot. Despite this participants consider the meeting a success as several topics where discussed (eg changes to IRC notifications of tests.r-b.o) and the meeting stayed within one our length. Upcoming events Reproduce and Verify Filesystems - Vincent Batts, Red Hat - Berlin (Germany), 5th October, 14:30 - 15:20 @ LinuxCon + ContainerCon Europe 2016. From Reproducible Debian builds to Reproducible OpenWrt, LEDE & coreboot - Holger "h01ger" Levsen and Alexander "lynxis" Couzens - Berlin (Germany), 13th October, 11:00 - 11:25 @ OpenWrt Summit 2016. Introduction to Reproducible Builds - Vagrant Cascadian will be presenting at the SeaGL.org Conference In Seattle (USA), November 11th-12th, 2016. Previous events GHC Determinism - Bartosz Nitka, Facebook - Nara (Japan), 24th September, ICPF 2016. Toolchain development and fixes Michael Meskes uploaded bsdmainutils/9.0.11 to unstable with a fix for #830259 based on Reiner Herrmann's patch. This fixed locale_dependent_symbol_order_by_lorder issue in the affected packages (freebsd-libs, mmh). devscripts/2.16.8 was uploaded to unstable. It includes a debrepro script by Antonio Terceiro which is similar in purpose to reprotest but more lightweight; specific to Debian packages and without support for virtual servers or configurable variations. Packages reviewed and fixed, and bugs filed The following updated packages have become reproducible in our testing framework after being fixed:

• ara/1.0.32 by Chris Lamb, original patch by Chris Lamb.
• fracplanet/0.4.0-5 by Chris Lamb, original patch by Reiner Herrman.
• gnarwl/3.6.dfsg-8 by Bernhard Schmidt, original patch by Chris Lamb.
• kgb-bot/1.34-1 by gregor herrmann, original patch by gregor herrmann.
• survex/1.2.29-1 by Olly Betts.
• zpaq/1.10-3 by Chris Lamb, original patch by Reiner Herrman.
• fig2dev/1:3.2.6-3 by Roland Rosenfeld.
• luxio/11-1 by Daniel Silverstone.
• monkeysign/2.1.1 by Antoine Beaupr , original patch by Daniel Kahn Gillmor.
• openarena-085-data/0.8.5split-9 by Simon McVittie.
• openarena-088-data/0.8.8-7 by Simon McVittie.
• openarena-data/0.8.5split-9 by Simon McVittie.
• rc/1.7.4-1 by Reiner Herrmann, original patch by Chris Lamb.

The following updated packages appear to be reproducible now for reasons we were not able to figure out. (Relevant changelogs did not mention reproducible builds.)

• gkrellm/2.3.8-1 by Sandro Tosi
• glassfish/1:2.1.1-b31g+dfsg1-4 by Emmanuel Bourg

Some uploads have addressed some reproducibility issues, but not all of them:

• apache2/2.4.23-5 by Rapha l Hertzog
• freeradius/3.0.11+dfsg-1 by Michael Stapelberg
• libnss-ldap/265-4 by Chris Lamb
• lift/2.5.0-1 by Nicolas Delvaux
• linux/4.8~rc8-1~exp1 by Ben Hutchings
• nose2/0.6.5-2 by Barry Warsaw
• postgresql-9.6/9.6.0-1 Christoph Berg
• strace/4.13-0.1 by Nicolas Braud-Santoni
• yersinia/0.7.3-3 by No l K the

Patches submitted that have not made their way to the archive yet:

• #838888 filed against dh-haskell by Chris Lamb.
• #838971 filed against slang2 by Chris Lamb.
• #839587 filed against sympa by Chris Lamb.
• #839181 filed against transmission-remote-gtk by Chris Lamb.
• #838829 filed against vala by Sebastian Reichel.
• #838970 filed against webkit2pdf by Chris Lamb.
• #831569 filed against websockets by Chris Lamb.
• #839347 filed against xml-core by Lucas Nussbaum.
• #839526 filed against xml-core by Adrian Bunk.

Reviews of unreproducible packages 77 package reviews have been added, 178 have been updated and 80 have been removed in this week, adding to our knowledge about identified issues. 6 issue types have been updated:

• Added clilibs_line_order, records_build_flags and hevea_captures_build_path.
• Removed locale_dependent_symbol_order_by_lorder, fixed in bsdmainutils/9.0.11.
• Updated diffoscope_runs_forever, captures_build_path.

Weekly QA work As part of reproducibility testing, FTBFS bugs have been detected and reported by:

• Adrian Bunk (3)
• Chris Lamb (12)
• Lucas Nussbaum (3)
• Sebastian Reichel (1)

diffoscope development A new version of diffoscope 61 was uploaded to unstable by Chris Lamb. It included contributions from:

• Ximin Luo:
  • Improve the CLI --help text and add an --output-empty option.
• Chris Lamb:
  • Add a progress bar and show it if stdout is a TTY. You can read more about it here. It can also be read by higher-level programs via the --status-fd CLI option.
• Maria Glukhova:
  • Behaviour improvements in the case of OS-level errors.
• Mattia Rizzolo:
  • Testing and packaging improvements.

Post-release there were further contributions from:

• Chris Lamb:
  • Code architecture improvements.
• Maria Glukhova:
  • Testing improvements.

reprotest development A new version of reprotest 0.3.2 was uploaded to unstable by Ximin Luo. It included contributions from:

• Ximin Luo:
  • Add a --diffoscope-arg CLI option to pass extra args to diffoscope.

Post-release there were further contributions from:

• Chris Lamb:
  • Code quality improvements.

tests.reproducible-builds.org

• Hans-Christoph Steiner continued work on setting up reproducible tests for F-Droid.
• Holger cleaned up the script creating the page showing breakages, so that it now also cleans up some of the breakage it finds.
• IRC notifications about diffoscope crashes and artifacts available for investigations have been dropped; instead the breakages page has a permanent pointer. (h01ger)
• IRC notifications from the automatic package scheduler and status changes for packages have been moved -- as a temporary trial -- to #debian-reproducible-changes on irc.oftc.net (Mattia).

Misc. This week's edition was written by Ximin Luo, Holger Levsen & Chris Lamb and reviewed by a bunch of Reproducible Builds folks on IRC.

About a week ago, I extended vcswatch to also look at tags in git repositories. Previously, it was solely paying attention to the version number in the top paragraph in debian/changelog, and would alert if that version didn't match the package version in Debian unstable or experimental. The idea is that "UNRELEASED" versions will keep nagging the maintainer (via DDPO) not to forget that some day this package needs an upload. This works for git, svn, bzr, hg, cvs, mtn, and darcs repositories (in decreasing order of actual usage numbers in Debian. I had actually tried to add arch support as well, but that VCS is so weird that it wasn't worth the trouble). There are several shortcomings in that simple approach:

• Some packages update debian/changelog only at release time, e.g. auto-generated from the git changelog using git-dch
• Missing or misplaced release tags are not detected

The new mechanism fixes this for git repositories by also looking at the output of git describe --tags. If there are any commits since the last tag, and the vcswatch status according to debian/changelog would otherwise be "OK", a new status "COMMITS" is set. DDPO will report e.g. "1.4-1+2", to be read as "2 commits since the tag [debian/]1.4-1". Of the 16644 packages using git in Debian, currently 7327 are "OK", 2649 are in the new "COMMITS" state, and 4227 are "NEW". 723 are "OLD" and 79 are "UNREL" which indicates that the package in Debian is ahead of the git repository. 1639 are in an ERROR state. So far the new mechanism works for git only, but other VCSes could be added as well.

What happened in the reproducible builds effort between April 3rd and April 9th 2016: Media coverage Emily Ratliff wrote an article for SecurityWeek called Establishing Correspondence Between an Application and its Source Code - How Combining Two Completely Separate Open Source Projects Can Make Us All More Secure. Tails have started work on a design for freezable APT repositories to make it easier and practical to perform reproductions of an entire distribution at a given point in time, which will be needed to create reproducible installation- or live-media. Toolchain fixes Alexis Bienven e submitted patches adding support for SOURCE_DATE_EPOCH in several tools: transfig, imagemagick, rdtool, and asciidoctor. boyska submitted one for python-reportlab. Packages fixed The following packages have become reproducible due to changes in their build dependencies: atinject-jsr330 brailleutils cglib3 gnugo libcobra-java libgnumail-java libjchart2d-java libjcommon-java libjfreechart-java libjide-oss-java liblaf-widget-java liblastfm-java liboptions-java octave-control octave-mpi octave-nan octave-parallel octave-stk octave-struct octave-tsa oar The following packages became reproducible after getting fixed:

• apt-listchanges/2.88 by Robert Luberda.
• cgal/4.8-1 by Joachim Reichel.
• erlang-bitcask/2.0.2+dfsg-1 by Nobuhiro Iwamatsu.
• geneweb/6.08+git20160228+dfsg-2 by Guillaume Brochu.
• glance/2:12.0.0~rc2-1 uploaded by Thomas Goirand, original patch by Chris Lamb.
• gle-graphics/4.2.5-4 by Christian T. Steigies.
• maude uploaded by Andreas Tille, patch by Alexis Bienven e.
• psqlodbc/1:09.05.0100-3 by Christoph Berg.
• resource-agents/1:3.9.7-3 by Christoph Berg.
• vgabios/0.7a-6 by Reiner Herrmann.
• vim/2:7.4.1689-2 by James McCoy.
• xmhtml/1.1.10-2 by Graham Inggs with Reiner Herrmann's help.
• xscreensaver/5.34-2 uploaded by Tormod Volden, original patch by Sascha Steinbiss.

Several uploads fixed some reproducibility issues, but not all of them:

• rkward/0.6.5-1 uploaded by Thomas Friedrichsmeier, original patch by Philip Rinn.
• mailfilter/0.8.4-1 uploaded by Elimar Riesebieter, original patch by Chris Lamb.
• bind9/1:9.10.3.dfsg.P4-6 uploaded by Michael Gilbert, original patch by Reiner Herrmann.
• bzr/2.7.0- 3,4 by Jelmer Vernooij.
• samba/2:4.3.6+dfsg-2 uploaded by Mathieu Parent, fix by Jelmer Vernooij.
• fwupdate/0.5-3 by Mario Limonciello.
• paraview/5.0.1+dfsg1-1 by Anton Gladky.

Patches submitted which have not made their way to the archive yet:

• #819883 on debootstrap by Reiner Herrmann: tell tar to sort the archive members.
• #819885 on chktex by Sascha Steinbiss: use the time of latest debian/changelog entry as documentation timestamp.
• #819915 on kannel by Alexis Bienven e: use the time of latest debian/changelog entry as documentation timestamp.
• #819921 on basket by Alexis Bienven e: remove build date from debug info.
• #819965 on openarena-data by Alexandre Detiste: normalize file permissions before creating .pk3 archive.
• #820016 on gabedit by Alexis Bienven e: sort object files used to build the executable.
• #820032 on bibledit-gtk by Alexis Bienven e: remove useless included Makefile.
• #820072 on synfig by Alexis Bienven e: remove build date from info output.
• #820148 on autopkgtest by Alexis Bienven e: fix install order to cope with locales with case insensitive globbing.
• #820152 on anope by Alexis Bienven e: remove build date from the version string.
• #820179 on aodh by Alexis Bienven e: remove build date from the documentation.
• #820183 on cython by Alexis Bienven e: add support SOURCE_DATE_EPOCH.
• #820194 on nasm by rain1: sorts keys when traversing hash tables used to build the documentation.
• #820226 on chrony by Alexis Bienven e: add support for SOURCE_DATE_EPOCH to preset the ntp_era_split parameter.
• #820457 on recode by Alexis Bienven e: use system help2man.
• #820522 on gtkspell by Alexis Bienven e: force shell to /bin/sh in example Makefile.

Other upstream fixes Alexander Batischev made a commit to make newsbeuter reproducible. tests.reproducible-builds.org

• An architecture agnostic summary has been added to the reproducible-tracker.json by Valerie Young to make it easy to parse whether a package is unreproducible anywhere.
• To find more reproducibility issues a new variation was added to the i386 builders, so that one build is done using a 32 bit kernel (686-PAE) and the other build is using a 64 bit kernel (amd64). (h01ger)
  • Niko Tyni was the first to notice a bug due to this: #821182 perl: embeds kernel architecture information
• The 2nd builds are now done in fr_CH on amd64, de_CH on i386 and it_CH on armhf. (h01ger)
• The variation table has been updated to reflect the recent changes and various small bugs have been fixed. (h01ger)

Package reviews 93 reviews have been removed, 66 added and 21 updated in the previous week. 12 new FTBFS bugs have been reported by Chris Lamb and Niko Tyni. Misc. This week's edition was written by Lunar, Holger Levsen, Reiner Herrmann, Mattia Rizzolo and Ximin Luo. With the departure of Lunar as a full-time contributor, Reproducible Builds Weekly News (this thing you're reading) has moved from his personal Debian blog on Debian People to the Reproducible Builds team web site on Debian Alioth. You may want to update your RSS or Atom feeds. Very many thanks to Lunar for writing and publishing this weekly news for so long, well & continously!

What happened in the reproducible builds effort between March 6th and March 12th:

Packages fixed The following packages have become reproducible due to changes in their build dependencies: dfc, gap-openmath, gnubik, gplanarity, iirish, iitalian, monajat, openimageio, plexus-digest, ruby-fssm, vdr-plugin-dvd, vdr-plugin-spider. The following packages became reproducible after getting fixed:

• adduser/3.114 by Niels Thykier.
• bsdmainutils/9.0.7 by Michael Meskes.
• criu/2.0-1 by Salvatore Bonaccorso.
• genometools/1.5.8+ds-2 by Sascha Steinbiss.
• gfs2-utils/3.1.8-1 uploaded by Bastian Blank, fix by Christoph Berg.
• gmerlin/1.2.0~dfsg+1-5 by IOhannes m zm lnig.
• heroes/0.21-14 by Stephen Kitt.
• kmc/2.3+dfsg-3 by Sascha Steinbiss.
• polyml/5.6-3 by James Clarke.
• sed/4.2.2-7.1 by Niels Thykier.
• snpomatic/1.0-3 by Sascha Steinbiss.
• tantan/13-4 by Sascha Steinbiss.

Some uploads fixed some reproducibility issues, but not all of them:

• apg/2.2.3.dfsg.1-3 uploaded by Marc Haber, original patch by Chris Lamb.
• elastix/4.8-4 uploaded by Gert Wollny, reported by akira.

Patches submitted which have not made their way to the archive yet:

• #817979 on modernizr by Sascha Steinbiss: sort list of files included in feature-detects.js.
• #818027 on snapper by Sascha Steinbiss: always use /bin/sh as shell.

tests.reproducible-builds.org Always use all cores on armhf builders. (h01ger) Improve the look of Debian dashboard. (h01ger)

Package reviews 118 reviews have been removed, 114 added and 15 updated in the previous week. 15 FTBFS have been filled by Chris Lamb. New issues: xmlto_txt_output_locale_specific.

Misc. Lunar seeks new maintainers for diffoscope, several mailing lists, and these very weekly reports.

Great news! The HA stack has been finally updated and you can find now both pacemaker & corosync in Debian stretch.

This is thanks to the hard work of some people, specially Christoph Berg, Ferenc W gner, Martin Loschwitz and others.

By the time of this blogpost, in testing (stretch) you have:

• pacemaker 1.1.14-1
• corosync 2.3.5-3
• crmsh 2.2.0-1

• pcs 0.9.148-1

what to do now

My monthly report covers a large part of what I have been doing in the free software world. I write it for my donators (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it s one of the best ways to find volunteers to work with me on projects that matter to me. Debian LTS I did not ask for any paid hours this month and won t be requesting paid hours for the next 5 months as I have a big project to handle with a deadline in June. That said I still did a few LTS related tasks:

• I uploaded a new version of debian-security-support (2016.01.07) to officialize that virtualbox-ose is no longer supported in Squeeze and that redmine was not really supportable ever since we dropped support for rails.
• Made a summary of the discussion about what to support in wheezy and started a new round of discussions with some open questions. I invited contributors to try to pickup one topic, study it and bring the discussion to some conclusion.
• I wrote a blog post to recruit new paid contributors. Brian May, Markus Koschany and Damyan Ivanov candidated and will do their first paid hours over February.

Distro Tracker Due to many nights spent on playing Splatoon (I m at level 33, rank B+, anyone else playing it?), I did not do much work on Distro Tracker. After having received the bug report #809211, I investigated the reasons why SQLite was no longer working satisfactorily in Django 1.9 and I opened the upstream ticket 26063 and I had a long discussion with two upstream developers to find out the best fix. The next point release (1.9.2) will fix that annoying regression. I also merged a couple of contributions (two patches from Christophe Siraut, one adding descriptions to keywords, cf #754413, one making it more obvious that chevrons in action items are actionable to show more data, a patch from Balasankar C in #810226 fixing a bad URL in an action item). I fixed a small bug in the unsubscribe command of the mail bot, it was not properly recognizing source packages. I updated the task notifying of new upstream versions to use the data generated by UDD (instead of the data generated by Christoph Berg s mole-based implementation which was suffering from a few bugs). Debian Packaging Testing experimental sbuild. While following the work of Johannes Schauer on sbuild, I installed the version from experimental to support his work and give him some feedback. In the process I uncovered #810248. Python sponsorship. I reviewed and uploaded many packages for Daniel Stender who keeps doing great work maintaining prospector and all its recursive dependencies: pylint-common, python-requirements-detector, sphinx-argparse, pylint-django, prospector. He also prepared an upload of python-bcrypt which I requested last month for Django. Django packaging. I uploaded Django 1.8.8 to jessie-backports.
My stable updates for Django 1.7.11 was not handled before the release of Debian 8.3 even though it was filed more than 1.5 months before. Misc stuff. My stable update for debian-handbook has been accepted fairly shortly after my last monthly report (thank you Adam!) so I uploaded the package once acked by a release manager. I also sponsor a backports upload of zim prepared by Joerg Desch. Kali related work Kernel work. The switch to Linux 4.3 in Kali resulted in a few bug reports that I investigated with the help of #debian-kernel and where I reported my findings back so that the Debian kernel could also benefit from the fixes I uploaded to Kali: first we included a patch for a regression in the vmwgfx video driver used by VMWare virtual machines (which broke the gdm login screen), then we fixed the input-modules udeb to fix support of some Logitech keyboards in debian-installer (see #796096). Misc work. I made a non-maintainer upload of python-maxminddb to fix #805689 which had been removed from stretch and that we needed in Kali. I also had to NMU libmaxminddb since it was no longer available on armel and we actually support armel in Kali. During that NMU, it occurred to me that dh-exec could offer a feature of optional install , that is installing a file that exists but not failing if it doesn t exist. I filed this as #811064 and it stirred up quite some debate. Thanks See you next month for a new summary of my activities.

No comment Liked this article? Click here. My blog is Flattr-enabled.

What happened in the reproducible builds effort between January 10th and January 16th:

Toolchain fixes Benjamin Drung uploaded mozilla-devscripts/0.43 which sorts the file list in preferences files. Original patch by Reiner Herrmann. Lunar submitted an updated patch series to make timestamps in packages created by dpkg deterministic. To ensure that the mtimes in data.tar are reproducible, with the patches, dpkg-deb uses the --clamp-mtime option added in tar/1.28-1 when available. An updated package has been uploaded to the experimental repository. This removed the need for a modified debhelper as all required changes for reproducibility have been merged or are now covered by dpkg.

Packages fixed The following packages have become reproducible due to changes in their build dependencies: angband-doc, bible-kjv, cgoban, gnugo, pachi, wmpuzzle, wmweather, wmwork, xfaces, xnecview, xscavenger, xtrlock, virt-top. The following packages became reproducible after getting fixed:

• dist/1:3.5-36.0001-1 uploaded by Manoj Srivastava, original patch by Reiner Herrmann.
• grib-api/1.14.4-4 by Alastair McKinstry.
• gui-apt-key/0.4-2.1 by Axel Beckert, original patch by Chris Lamb.
• kiki-the-nano-bot/1.0.2+dfsg1-6 by Peter De Wachter, original patch by Chris Lamb.
• ldapvi/1.7-10 by Rhonda D'Vine, original patches (#777490, #793702) by Chris Lamb and akira.
• libf2c2/20090411-3 by Barak A. Pearlmutter.
• liquidsoap/1.1.1-7.1 by Mattia Rizzolo.
• marsshooter/0.7.6-1 uploaded by Markus Koschany, fixed upstream.
• offlineimap/6.6.1+dfsg1-2 by Ilias Tsitsimpis.
• pgbouncer/1.7-1 by Christoph Berg.
• python-requests-toolbelt/0.5.1-4 by Petter Reinholdtsen.
• shorewall-core/5.0.3.1-1 uploaded by Roberto C. Sanchez, fixed upstream, obsolete patch by Chris Lamb.
• slrnface/2.1.1-7 by Rhonda D'Vine, original patches (#777425, #793722) by Chris Lamb and akira.
• tetradraw/2.0.3-9 by Rhonda D'Vine, original patches (#777426, #793727) by Chris Lamb and akira.
• xblast-tnt-images/20050106-3 by Rhonda D'Vine, original patch by Chris Lamb.
• xblast-tnt/2.10.4-4 by Rhonda D'Vine, original patch by Chris Lamb.
• xtrkcad/1:4.2.2-1 uploaded by Daniel E. Markle, fixed upstream, obsolete patch by Chris Lamb.

Some uploads fixed some reproducibility issues, but not all of them:

• apt/1.2 uploaded by Julian Andres Klode, original patch by Mattia Rizzolo.
• ecere-sdk/0.44.14-1 by Jerome St-Louis.
• epubcheck/4.0.1-2 by Eugene Zhukov.
• hplip/3.15.11+repack0-1 by Didier Raboud.
• irsim/9.7.93-1 uploaded by Roland Stigge, original patch by Chris Lamb.
• julia/0.4.3-1 uploaded by Peter Colberg, fix by Graham Inggs.
• magics++/2.26.2-1 by Alastair McKinstry.
• mailagent/1:3.1-81-1 by Manoj Srivastava.
• nasm/2.11.08-1 uploaded by Anibal Monsalve Salazar, original patch by Valentin Lorentz.
• ns3/3.22+dfsg-2 uploaded by Martin Quinson, original patch by Juan Picca.
• shotwell/0.22.0-3 by J rg Frings-F rst.

Untested changes:

• firmware-nonfree/20160110-1 by Ben Hutchings (non-free).
• nvidia-graphics-drivers-legacy-304xx/304.131-3 by Andreas Beckmann (non-free).
• nvidia-graphics-drivers-legacy-340xx/340.96-2 by Andreas Beckmann (non-free).
• nvidia-graphics-drivers/340.96-4 by Andreas Beckmann (non-free).

reproducible.debian.net Once again, Vagrant Cascadian is providing another armhf build system, allowing to run 6 more armhf builder jobs, right there. (h01ger) Stop requiring a modified debhelper and adapt to the latest dpkg experimental version by providing a predetermined identifier for the .buildinfo filename. (Mattia Rizzolo, h01ger) New X.509 certificates were set up for jenkins.debian.net and reproducible.debian.net using Let's Encrypt!. Thanks to GlobalSign for providing certificates for the last year free of charge. (h01ger)

Package reviews 131 reviews have been removed, 85 added and 32 updated in the previous week. FTBFS issues filled: 29. Thanks to Chris Lamb, Mattia Rizzolo, and Niko Tyni. New issue identified: timestamps_in_manpages_added_by_golang_cobra.

Misc. Most of the minutes from the meetings held in Athens in December 2015 are now available to the public.

What happened in the reproducible builds effort between January 3rd and January 9th 2016:

Toolchain fixes David Bremner uploaded dh-elpa/0.0.18 which adds a --fix-autoload-date option (on by default) to take autoload dates from changelog. Lunar updated and sent the patch adding the generation of .buildinfo to dpkg.

Packages fixed The following packages have become reproducible due to changes in their build dependencies: aggressive-indent-mode, circe, company-mode, db4o, dh-elpa, editorconfig-emacs, expand-region-el, f-el, geiser, hyena, js2-mode, markdown-mode, mono-fuse, mysql-connector-net, openbve, regina-normal, sml-mode, vala-mode-el. The following packages became reproducible after getting fixed:

• avrdude/6.2-5 by Milan Kupcevic.
• ca-certificates/20160104 by Michael Shuler, original patch by Reiner Herrmann.
• cryptsetup/2:1.7.0-1 uploaded by Jonas Meurer, original patches (#780864, #794106) by Dhole and Valentin Lorentz.
• gpaw/0.11.0.13004-3 by Graham Inggs.
• graphite2/1.3.4-2 uploaded by Rene Engelhard, original patch by Reiner Herrmann.
• manpages/4.04-0.1 uploaded by Tobias Quathamer, original patch by Lunar.
• medicalterms/20160103-1 uploaded by Tobias Quathamer, reported by Daniel Kahn Gillmor.
• metview/4.5.7-3 uploaded by Alastair McKinstry, original patch by Reiner Herrmann.
• oasis3/3.mct+dfsg.121022-7 uploaded by Alastair McKinstry, original patch by Reiner Herrmann.
• postgresql-9.5/9.5.0-1 by Christoph Berg.
• python-caja/1.12.0-1 uploaded by Mike Gabriel, original patch by Chris Lamb.
• qutemol/0.4.1~cvs20081111-5 by Graham Inggs.
• robocode/1.9.2.5-1 by Markus Koschany.
• rungetty/1.2-16 by Rhonda D'Vine, original patches (#777447, #793717) by Chris Lamb and akira.
• t-prot/3.4-4 by Rhonda D'Vine.
• tetrinet/0.11+CVS20070911-2 by Rhonda D'Vine, original patch by Chris Lamb.
• tworld/1.3.2-2 by Rhonda D'Vine, original patch by Chris Lamb.
• visp-images/3.0.0-2 uploaded by Fabien Spindler, original patch by Chris Lamb.
• xblast-tnt-levels/20050106-3 by Rhonda D'Vine, original patch by Chris Lamb.
• xblast-tnt-models/20050106-4 by Rhonda D'Vine, original patch by Chris Lamb.
• xblast-tnt-musics/20050106-3 by Rhonda D'Vine, original patch by Chris Lamb.
• xblast-tnt-sounds/20040429-3 by Rhonda D'Vine, original patch by Chris Lamb.

Some uploads fixed some reproducibility issues, but not all of them:

• ace-of-penguins/1.5~rc1-1 by Markus Koschany, original patch by Reiner Herrmann.
• disque/1.0~rc1-4 by Chris Lamb.
• elki/0.7.0-4 by Erich Schubert.
• xnecview/1.35-8 by Tobias Frost, original patch by Chris Lamb.

Patches submitted which have not made their way to the archive yet:

• #809780 on flask-restful by Chris Lamb: implement support for SOURCE_DATE_EPOCH in the build system.
• #810259 on avfs by Chris Lamb: implement support for SOURCE_DATE_EPOCH in the build system.
• #810509 on apt by Mattia Rizzolo: ensure a stable file order is given to the linker.

reproducible.debian.net Add 2 more armhf build nodes provided by Vagrant Cascadian. This added 7 more armhf builder jobs. We now run around 900 tests of armhf packages each day. (h01ger) The footer of each page now indicates by which Jenkins jobs build it. (h01ger)

diffoscope development diffoscope 45 has been released on January 4th. It features huge memory improvements when comparing large files, several fixes of squashfs related issues that prevented comparing two Tails images, and improve the file list of tar and cpio archive to be more precise and consistent over time. It also fixes a typo that prevented the Mach-O to work (Rainer M ller), improves comparisons of ELF files when specified on the command line, and solves a few more encoding issues.

Package reviews 134 reviews have been removed, 30 added and 37 updated in the previous week. 20 new fail to build from source issues were reported by Chris Lamb and Chris West. prebuilder will now skip installing diffoscope to save time if the build results are identical. (Reiner Herrmann)

What happened in the reproducible builds effort this week: Media coverage Motherboard published an article on the project inspired by the talk at the Chaos Communication 15. Journalists sadly rarely pick their headlines. The sensationalist How Debian Is Trying to Shut Down the CIA got started a few rants here and there. One from OpenBSD developper Ted Unangst lead to a good email contact and some thorough comments. Toolchain fixes

• Emmanuel Bourg uploaded maven-ant-helper/7.11 which improved the reproducibility of the Javadoc by removing the timestamps and using the English locale.
• Thomas Schmitt uploaded libisoburn/1.4.0-2 which adds to the ISO image creator xorriso new flags for -alter_date to avoid update ctimes. Report by Daniel Kahn Gillmor.
• Florian Schlichting uplodaded libmodule-build-perl/0.421400-2 which makes linked file ordering deterministic. Original patch by Niko Tyni.

The modified version of gettext has been removed from the experimental toolchain. Fixing individual package seems a better approach for now. Chris Lamb sent two patches for abi-compliance-checker: one to drop the timestamp from generated HTML reports and another to make umask and timestamps deterministic in the abi tarball. Bugs submitted by Dhole lead to a discussion on the best way to adapt pod2man now that we have SOURCE_DATE_EPOCH specified. There is really a whole class of issues that are currently undiscovered waiting for tests running on a different date. This is likely to should happen soon. Chris Lamb uploaded a new version of debhelper in the reproducible repository, cherry-picking a fix for interactions between ddebs and udebs. Packages fixed The following packages became reproducible due to changes in their build dependencies: aspic, django-guardian, erlang-sqlite3, etcd, libnative-platform-java, mingw-ocaml, nose2, oar, obexftp, py3cairo, python-dugong, python-secretstorage, python-setuptools, qct, qdox, recutils, s3ql, wine. The following packages became reproducible after getting fixed:

• bochs/2.6-4 by Santiago Vila.
• codec2/0.4-3 by A. Maitland Bottoms.
• coquelicot/0.9.4-1 by Lunar.
• criticalmass/1:1.0.0-3 by Santiago Vila.
• ekg/1:1.9~pre+r2855-3 by Santiago Vila.
• eterm/0.9.6-3 by Santiago Vila.
• fbi/2.10-2 by Moritz Muehlenhoff.
• fsvs/1.2.6-2 by Santiago Vila.
• glhack/1.2-3 by Santiago Vila.
• httraqt/1.4.6-2 by Anton Gladky.
• libapache-authznetldap-perl/0.07-6 by gregor herrmann, original patch by Dhole.
• libkinosearch1-perl/1.01-3 uploaded by Florian Schlichting, original patch by Niko Tyni.
• liblucy-perl/0.3.3-6 uploaded by Florian Schlichting, original patch by Niko Tyni.
• slony1-2/2.2.4-1 by Christoph Berg.
• slrn/1.0.2-3 uploaded by Moritz Muehlenhoff, original patch by Dmitry Bogatov.
• svtplay-dl/0.10.2015.08.24-1 uploaded by Olof Johansson, fixed upstream.
• swh-plugins/0.4.15+1-8 uploaded by Jarom r Mike , original patch by Chris Lamb.
• sysstat/11.1.6-2 uploaded by Robert Luberda, original patch by Chris Lamb.
• uhd/3.9.0-3 by A. Maitland Bottoms.
• volk/1.1-3 by A. Maitland Bottoms.
• yadifa/2.1.3-2 uploaded by Markus Schade, original patch by Santiago Vila.

Some uploads fixed some reproducibility issues but not all of them:

• dict-jargon/4.4.7-3 uploaded by Ruben Molina, original patch by Dhole.
• ferret-vis/6.9.3-3 uploaded by Alastair McKinstry, original patch by Chris Lamb.

Patches submitted which have not made their way to the archive yet:

• #798366 on lilo by Dmitry Bogatov: remove usage of __TIME__ and __DATE__ macros.
• #798557 on libapache-dbi-perl by Dhole: set date of the manpage to the latest debian/changelog entry.
• #798776 on testdisk by upstream!

reproducible.debian.net The configuration of all remote armhf and amd64 nodes in now finished. The remaining reproducibility tests running on the Jenkins host has been removed. armhf results and graphs are now visible in dashboard. We can now test the whole archive in 2-3 weeks using the current 12 amd64 jobs and 3 months using the current 6 armhf builders. We will be looking at improving the armhf sitation, maybe using more native systems or via arm64. (h01ger) The Jenkins UI is now more responsive since all jobs building packages have been moved to remote hosts. (h01ger) A new job has been added to collect information about build nodes to be included in the variation table. (h01ger) The currently scheduled page has been split for amd64 and armhf. They now give an overview (refreshed every minute, thanks to Chris Lamb) of the packages currently being tested. (h01ger) Several cleanup and bugfixes have been made, especially in the remote building and maintenance scripts. They should now be more robust against network problems. The automatic scheduler is now also run closer to when schroots and pbuilders are updated. (h01ger, mapreri) Package reviews 16 reviews have been removed, 54 added and 55 updated this week. Santiago Vila renamed lc_messages_randomness with the more descriptive different_pot_creation_date_in_gettext_mo_files. New issues added this week: timestamps_in_reports_generated_by_abi_compliance_checker, umask_and_timestamp_variation_in_tgz_generated_by_abi_compliance_checker, and timestamps_added_by_blast2. 23 new FTBFS bugs have been filled by Chris Lamb, and Niko Tyni. Misc. Red Hat developper Mike McLean had a talk at Flock 2015 about reproducible builds in Koji. Slides and video recording are available. Koji is the build infrastructure used by Fedora, Red Hat and other distributions. It already keeps track of the environment used for a given build, so the required changes for handling the environment are smaller than the ones in Debian. Fedora is still missing a team effort to fix non-determinism in the package builds, but it is great to see Fedora moving forward.

What happened in the reproducible builds effort this week: Toolchain fixes Dmitry Shachnev uploaded sphinx/1.3.1-6 with improved patches from Val Lorentz. Chris Lamb submitted a patch for ibus-table which makes the output of ibus-table-createdb deterministic. Niko Tyni wrote a patch to make libmodule-build-perl linking order deterministic. Santiago Vila has been leading discussions on the best way to fix timestamps coming from Gettext POT files. Packages fixed The following 35 packages became reproducible due to changes in their build dependencies: apache-log4j2, dctrl-tools, dms, gitit, gnubik, isrcsubmit, mailutils, normaliz, oaklisp, octave-fpl, octave-specfun, octave-vrml, opencolorio, openvdb, pescetti, php-guzzlehttp, proofgeneral, pyblosxom, pyopencl, pyqi, python-expyriment, python-flask-httpauth, python-mzml, python-simpy, python-tidylib, reactive-streams, scmxx, shared-mime-info, sikuli, siproxd, srtp, tachyon, tcltk-defaults, urjtag, velvet. The following packages became reproducible after getting fixed:

• binutils-m68hc1x/1:2.18-7 by Santiago Vila.
• boa-constructor/0.6.1-15 by Santiago Vila.
• brian/1.4.1-3 by Yaroslav Halchenko.
• criticalmass/1:1.0.0-3 by Santiago Vila.
• cvs-buildpackage/5.25 by Santiago Vila.
• fcrackzip/1.0-6 uploaded by Adam Borowski, original patch by Reiner Herrmann.
• filters/2.54 prepared by Joey Hess, fixed by Marius Gavrilescu.
• fsvs/1.2.6-2 by Santiago Vila.
• fte/0.50.2b6-6 by Santiago Vila.
• gcc-mingw-w64/15.7 by Stephen Kitt.
• ircd-hybrid/1:8.2.8+dfsg.1-1 by Dominic Hargreaves.
• leveldb/1.18-3 uploaded by Laszlo Boszormenyi, patch by Reiner Herrmann.
• libavg/1.8.1-2 uploaded by Dimitri John Ledkov, original patch by Reiner Herrmann.
• lynx-cur/2.8.9dev6-4 uploaded by Axel Beckert, patch by Reiner Herrmann.
• maildir-utils/0.9.12-3 by Norbert Preining
• pd-iemnet/0.2-1 by IOhannes m zm lnig.
• photopc/3.05-8 by Santiago Vila.
• postgresql-plproxy/2.6-1 uploaded by Christoph Berg, report by Dhole.
• prometheus-pushgateway/0.2.0+ds-2 uploaded by Mart n Ferrari, original patch by Chris Lamb.
• shelxle/1.0.740-1 uploaded by Daniel Leidert, fixed upstream.
• sigil/0.8.7+dfsg-2 by Mattia Rizzolo.
• sks-ecc/0.93-5 by Santiago Vila.
• smartlist/3.15-25 by Santiago Vila.
• snd/11.7-4 by Santiago Vila.
• solarwolf/1.5-2.1 by Graham Inggs.
• sphinx/1.3.1-6 uploaded by Dmitry Shachnev, patches by Val Lorentz.
• tla/1.3.5+dfsg1-2 by Santiago Vila.
• zapping/0.10~cvs6-10 by Santiago Vila.

The package is not in yet in unstable, but linux/4.2-1~exp1 is now reproducible! Kudos to Ben Hutchings, and most fixes are already merged upstream. Some uploads fixed some reproducibility issues but not all of them:

• bochs/2.6-3 by Santiago Vila.
• oolite/1.82-1 by Nicolas Boulenguez.
• openjdk-7/7u85-2.6.1-1 uploaded by Matthias Klose, original patch by Emmanuel Bourg.
• python-dtcwt/0.10.1+dfsg1-2 uploaded by Ghislain Antony Vaillant, original patch by Chris Lamb.

Patches submitted which have not made their way to the archive yet:

• #797432 on torus-trooper by Reiner Herrmann: set locale to C when sorting source file list.
• #797437 on flow-tools by Chris Lamb: use pre-defined hostname and date of the latest debian/changelog entry in build string.
• #797505 on cloudprint by Chris Lamb: remove embedded .pyc files.
• #797506 on comix by Chris Lamb: remove embedded .pyc files.
• #797508 on litl by Chris Lamb: remove date from documentation generated with LaTeX.
• #797518 on gyoto by Chris Lamb: set date in documentation generated with LaTeX to the latest debian/changelog entry.
• #797539 on cadabra by Chris Lamb: use date of the latest debian/changelog entry as build time.
• #797543 on xotcl by Chris Lamb: sort source list in Makefile.
• #797579 on ferret-vis by Chris Lamb: use date of the latest debian/changelog entry as build time.
• #797711 on libkinosearch1-perl by Niko Tyni: sort source list in Build.PL.
• #797871 on xbae by Chris Lamb: use date of the latest debian/changelog entry as build time.

reproducible.debian.net Some bugs that prevented packages to build successfully in the remote builders have been fixed. (h01ger) Two more amd64 build jobs have been removed from the Jenkins host in favor of six more on the new remote nodes. (h01ger) The munin graphs currently looks fine, so more amd64 jobs will probably be added in the next week. diffoscope development Version 32 of diffoscope has been released on September 3rd with the following new features:

• A new --fuzzy-threshold option to specify the TLSH score used as cut-off for fuzzy matching. Specifying 0 will disable fuzzy-matching entirely. Suggested by Jakub Wilk.
• A new --new-file option to treat absent files as empty. This make diffoscope a great tool to look at the content of an archive at once by comparing it with a non-existent file (example). Suggested by Jakub Wilk.
• Comparisons of symlinks and devices given on the command line is now possible.
• Default values are displayed in --help.

It also fixes many bugs. Head over to the changelog for the full list. Version 33 was released the day after to fix a bug introduced in the packaging. Documentation update Chris Lamb blessed the SOURCE_DATE_EPOCH specification with the version number 1.0 . Lunar documented how the .file assembler directive can help with random filenames in debug symbols. Package reviews 235 reviews have been removed, 84 added and 277 updated this week. 29 new FTBFS bugs were filled by Chris Lamb, Chris West (Faux), Daniel Stender, and Niko Tyni. New issues identified this week: random_order_in_ibus_table_createdb_output, random_order_in_antlr_output, nondetermistic_link_order_in_module_build, and timestamps_in_tex_documents. Misc. Thanks to Dhole and Thomas Vincent, the talk held at DebConf15 now has subtitles! Void Linux started to merge changes to make packages produced by xbps reproducible.

I knew it was about this time of the year 10 years ago when my Debian account was created, but I couldn't remember the exact date until I looked it up earlier this evening: today :). Rene Engelhard had been my advocate, and Marc Brockschmidt my AM. Thanks guys! A lot of time has passed since then, and I've worked in various parts of the project. I became an application manager almost immediately, and quickly got into the NM front desk as well, revamping parts of the NM process which had become pretty bureaucratic (I think we are now, 10 years later, back where we should be, thanks to almost all of the paperwork being automated, thanks Enrico!). I've processed 37 NMs, most of them between 2005 and 2008, later I was only active as front desk and eventually Debian account manager. I've recently picked up AMing again, which I still find quite refreshing as the AM will always also learn new things. Quality Assurance was and is the other big field. Starting by doing QA uploads of orphaned packages, I attended some QA meetings around Germany, and picked up maintenance of the DDPO pages, which I still maintain. The link between QA and NM is the MIA team where I was active for some years until they kindly kicked me out because I was MIA there myself. I'm glad they are still using some of the scripts I was writing to automate some things. My favorite MUA is mutt, of which I became co-maintainer in 2007, and later maintainer. I'm still listed in the uploaders field, but admittedly I haven't really done anything there lately. Also in 2007 I started working at credativ, after having been a research assistant at the university, which meant making my Debian work professional. Of course it also meant more real work and less time for the hobby part, but I was still very active around that time. Later in 2010 I was marrying, and we got two kids, at which point family was of course much more important, so my Debian involvement dropped to a minimum. (Mostly lurking on IRC ;) Being a PostgreSQL consultant at work, it was natural to start looking into the packaging, so I started submitting patches to postgresql-common in 2011, and became a co-maintainer in 2012. Since then, I've mostly been working on PostgreSQL-related packages, of which far too many have my (co-)maintainer stamp on them. To link the Debian and PostgreSQL worlds together, we started an external repository (apt.postgresql.org) that contains packages for the PostgreSQL major releases that Debian doesn't ship. Most of my open source time at the moment is spent on getting all PostgreSQL packages in shape for Debian and this repository. According to minechangelogs, currently 844 changelog entries in Debian mention my name, or were authored by me. Scrolling back yields memories of packages that are long gone again from unstable, or I passed on to other maintainers. There are way too many people in Debian that I enjoy(ed) working with to list them here, and many of them are my friends. Debian is really the extended family on the internet. My last DebConf before this year had been in Mar del Plata - I had met some people at other conferences like FOSDEM, but meeting (almost) everyone again in Heidelberg was very nice. I even remembered all basic Mao rules :D. So, thanks to everyone out there for making Debian such a wonderful place to be!

Today saw the release of PostgreSQL 9.5 Alpha 1. Packages for all supported Debian and Ubuntu releases are available on apt.postgresql.org: deb http://apt.postgresql.org/pub/repos/apt/ YOUR_RELEASE_HERE-pgdg main 9.5 The package is also waiting in NEW to be accepted for Debian experimental. Being curious which PostgreSQL releases have been in use over time, I pulled some graphics from Debian's popularity contest data: Before we included the PostgreSQL major version in the package name, "postgresql" contained the server, so that line represents the installation count of the pre-7.4 releases at the left end of the graph. Interestingly, 7.4 reached its installation peak well past 8.1's. Does anyone have an idea why that happened?

What happened about the reproducible builds effort for this week: Toolchain fixes

• Guillem Jover uploaded dpkg/1.18.0 which now uses an approximation to compute Installed-Size, making it indpendent from the underlying filesystem. It now always sort the Dpkg::Dist::Files files list on output to make the output stable with parallel builds.
• Lunar uploaded mozilla-devscripts/0.40 which told xpi-pack to skip saving extra zip attributes when making jar.
• Dominique Dumont uploaded libmodule-build-perl/0.421100-2 which makes the output deterministic. Original patch by Lunar.

Lunar rebased our custom dpkg on the new release, removing a now unneeded patch identified by Guillem Jover. An extra sort in the buildinfo generator prevented a stable order and was quickly fixed once identified. Mattia Rizzolo also rebased our custom debhelper on the latest release. Packages fixed The following 30 packages became reproducible due to changes in their build dependencies: animal-sniffer, asciidoctor, autodock-vina, camping, cookie-monster, downthemall, flashblock, gamera, httpcomponents-core, https-finder, icedove-l10n, istack-commons, jdeb, libmodule-build-perl, libur-perl, livehttpheaders, maven-dependency-plugin, maven-ejb-plugin, mozilla-noscript, nosquint, requestpolicy, ruby-benchmark-ips, ruby-benchmark-suite, ruby-expression-parser, ruby-github-markup, ruby-http-connection, ruby-settingslogic, ruby-uuidtools, webkit2gtk, wot. The following packages became reproducible after getting fixed:

• aisleriot/1:3.16.2-1 uploaded by Andreas Henriksson, original patch by Chris Lamb.
• aws-sdk-for-php/2.8.5-1 by David Pr vot.
• bamtools/2.3.0+dfsg-3 uploaded by Andreas Tille, fix by Michael R. Crusoe.
• base-files/9.2 by Santiago Vila, some patches by Lunar.
• debian-keyring/2015.05.17 by Daniel Kahn Gillmor.
• debram/2.0.0.2 by Thaddeus H. Black.
• dianara/1.3.0-2 by M nica Ram rez Arceda.
• gazebo/5.0.1+dfsg-1~exp1 by Jose Luis Rivero.
• glassfish/1:2.1.1-b31g+dfsg1-3 uploaded by Emmanuel Bourg, original patch by Daniel Kahn Gillmor.
• lcdproc/0.5.7-3 by Dominique Dumont.
• libalien-sdl-perl/1.446-2 by Dominique Dumont.
• libvirt-python/1.2.15-1 uploaded by Guido G nther, original patch by Chris Lamb.
• libxmpcore-java/5.1.2-3 by Emmanuel Bourg.
• pdb2pqr/2.0.0+dfsg-1 uploaded by Andreas Tille, original patch by Reiner Herrmann.
• puredata/0.46.6-2 by Paul Brossier.
• qt-gstreamer/1.2.0-2 by Diane Trout.
• socat/1.7.3.0-1 uploaded by Laszlo Boszormenyi, original patch by Lunar.
• swaks/20130209.0-5 by Andreas Metzler, some patches by Chris Lamb.
• tf/1:4.0s1-19 by Jan Niehusmann.
• unzip/6.0-17 uploaded by Santiago Vila, original patch by Lunar.
• yorick/2.2.04+dfsg1-2 by by Thibaut Paumard.
• zip/3.0-10 by Santiago Vila, some patches by Chris Lamb.

Some uploads fixed some reproducibility issues but not all of them:

• bible-kjv/4.27 uploaded by Matthew Vernon, original patch by Chris Lamb.
• calendar/2.04-1 by St phane Glondu.
• cupt/2.9.0 uploaded by Eugene V. Lyubimkin, original patch by Chris Lamb.
• dactyl/1.2~hg7166-1 uploaded by Michael Schutte, original patch by Chris Lamb.
• ghc/7.10.1-5 by Joachim Breitner.
• icedove/38.0~b5-1 by Carsten Schoenert.
• jd/1:2.8.9-150226-2 by Hideki Yamane.
• libparse-debianchangelog-perl/1.2.0-2 by intrigeri.
• winswitch/0.12.21+dfsg-1 by Dmitry Smirnov.

Patches submitted which did not make their way to the archive yet:

• #775531 on console-setup by Reiner Herrmann: update and split patch written in January.
• #785535 on maradns by Reiner Herrmann: use latest entry in debian/changelog as build date.
• #785549 on dist by Reiner Herrmann: set hostname and domainname to predefined value.
• #785583 on s5 by Juan Picca: set timezone to UTC when unzipping files.
• #785617 on python-carrot by Juan Picca: use latest entry in debian/changelog as documentation build date.
• #785774 on afterstep by Juan Picca: modify documentation generator to allow a build date to be set instead of the current time, then use latest entry in debian/changelog as reference.
• #786508 on ttyload by Juan Picca: remove timestamp from documentation.
• #786568 on linux-minidisc by Lunar: use latest entry in debian/changelog as build date.
• #786615 on kfreebsd-10 by Steven Chamberlain: make order of file in source tarballs stable.
• #786633 on webkit2pdf by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.
• #786634 on libxray-scattering-perl by Reiner Herrmann: tell Storable::nstore to produce sorted output.
• #786637 on nvidia-settings by Lunar: define DATE, WHOAMI, andHOSTNAME_CMD to stable values.
• #786710 on armada-backlight by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.
• #786711 on leafpad by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.
• #786714 on equivs by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.

Also, the following bugs have been reported:

• #785536 on maradns by Reiner Herrmann: unreproducible deadwood binary.
• #785624 on doxygen by Christoph Berg: timestamps in manpages generated makes builds non-reproducible.
• #785736 on git-annex by Daniel Kahn Gillmor: documentation should be made reproducible.
• #786593 on wordwarvi by Holger Levsen: please provide a --distrobuild build switch.
• #786601 on sbcl by Holger Levsen: FTBFS when locales-all is installed instead of locales.
• #786669 on ruby-celluloid by Holger Levsen: tests sometimes fail, causing ftbfs sometimes.
• #786743 on obnam by Holger Levsen: FTBFS.

reproducible.debian.net Holger Levsen made several small bug fixes and a few more visible changes:

• For packages in testing, comparisions will be done using the sid version of debbindiff.
• The scheduler will now schedule old packages from sid twice often as the ones in testing as we care more about the former at the moment.
• More statistics are now visible and the layout has been improved.
• Variations between the first and second build are now explained on the statistics page.

strip-nondeterminism Version 0.007-1 of strip-nondeterminism the tool to post-process various file formats to normalize them has been uploaded by Holger Levsen. Version 0.006-1 was already in the reproducible repository, the new version mainly improve the detection of Maven's pom.properties files. debbindiff development At the request of Emmanuel Bourg, Reiner Herrmann added a comparator for Java .class files. Documentation update Christoph Berg created a new page for the timestamps in manpages created by Doxygen. Package reviews 93 obsolete reviews have been removed, 76 added and 43 updated this week. New identified issues: timestamps in manpages generated by Doxygen, modification time differences in files extracted by unzip, tstamp task used in Ant build.xml, timestamps in documentation generated by ASDocGen. The description for build id related issues has been clarified. Meetings Holger Levsen announced a first meeting on Wednesday, June 3rd, 2015, 19:00 UTC. The agenda is amendable on the wiki. Misc. Lunar worked on a proof-of-concept script to import the build environment found in .buildinfo files to UDD. Lucas Nussbaum has positively reviewed the proposed schema. Holger Levsen cleaned up various experimental toolchain repositories, marking merged brances as such.