Hi My name is Dominhique Dumont, DevOps freelance in Grenoble, France. My goal is to share my experience regarding a production issue that occurred last week where my client complained that the applications was very slow and sometime showed 5xx errors. The production service is hosted on a Kubernetes cluster on Azure and use a MongoDB on ScaleGrid. I reproduced the issue on my side and found that the API calls were randomly failing due to timeouts on server side. The server logs were showing some MongoDB disconnections and reconnections and some time-out on MongoDB connections, but did not give any clue on why some connections to MongoDB server were failing. Since there was not clue in the cluster logs, I looked at ScaleGrid monitoring. There was about 2500 connections on MongoDB: That seemed quite a lot given the low traffic at that time, but not necessarily a problem. Then, I went to the Azure console, and I got the first hint about the origin of the problem: the SNATs were exhausted on some nodes of the clusters. SNATs are involved in connections from the cluster to the outside world, i.e. to our MongoDB server and are quite limited: only 1024 SNAT ports are available per node. This was consistent with the number of used connections on MongoDB. OK, then the number of used connections on MongoDB was a real problem. The next question was: which pods and how many connections ? First I had to filter out the pods that did not use MongoDB. Fortunately, all our pods have labels so I could list all pods using MongoDB:

$ kubectl -n prod get pods -l db=mongo   wc -l
236

Hmm, still quite a lot. Next problem is to check which pod used too many MongoDB connections. Unfortunately, the logs mentioned that a connection to MongoDB was opened, but that did not give a clue on how many were used. Netstat is not installed on the pods, and cannot be installed since the pods are running as root (which is a good idea for security reasons) Then, my Debian Developer experience kicked in and I remembered that /proc file system on Linux gives a lot of information on consumed kernel resources, including resources consumed by each process. The trick is to know the PID of the process using the connections. In our case, Docker files are written in a way so the main process of a pod using NodeJS is 1, so, the command to list the connections of pod is:

$ kubectl -n prod exec redacted-pod-name-69875496f8-8bj4f -- cat /proc/1/net/tcp
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode                                                     
   0: AC00F00A:C9FA C2906714:6989 01 00000000:00000000 02:00000DA9 00000000  1001        0 376439162 2 0000000000000000 21 4 0 10 -1                 
   1: AC00F00A:CA00 C2906714:6989 01 00000000:00000000 02:00000E76 00000000  1001        0 376439811 2 0000000000000000 21 4 0 10 -1                 
   2: AC00F00A:8ED0 C2906714:6989 01 00000000:00000000 02:000004DA 00000000  1001        0 445806350 2 0000000000000000 21 4 30 10 -1                
   3: AC00F00A:CA02 C2906714:6989 01 00000000:00000000 02:000000DD 00000000  1001        0 376439812 2 0000000000000000 21 4 0 10 -1                 
   4: AC00F00A:C9FE C2906714:6989 01 00000000:00000000 02:00000DA9 00000000  1001        0 376439810 2 0000000000000000 21 4 0 10 -1                 
   5: AC00F00A:8760 C2906714:6989 01 00000000:00000000 02:00000810 00000000  1001        0 375803096 2 0000000000000000 21 4 0 10 -1                 
   6: AC00F00A:C9FC C2906714:6989 01 00000000:00000000 02:00000DA9 00000000  1001        0 376439809 2 0000000000000000 21 4 0 10 -1                 
   7: AC00F00A:C56C C2906714:6989 01 00000000:00000000 02:00000DA9 00000000  1001        0 376167298 2 0000000000000000 21 4 0 10 -1                 
   8: AC00F00A:883C C2906714:6989 01 00000000:00000000 02:00000734 00000000  1001        0 375823415 2 0000000000000000 21 4 30 10 -1 

OK, that s less appealing that netstat output. The trick is that rem_address and port are expressed in hexa. A quick calculation confirms the port 0x6989 is indeed port 27017, which is the listening port of MongoDB server. So the number of opened MongoDB connections is given by:

$ kubectl -n prod exec redacted-pod-name-69875496f8-8bj4f -- cat /proc/1/net/tcp   grep :6989   wc -l
9

What s next ? The ideal solution would be to fix the NodeJS code to handle correctly the termination of the connections, but that would have taken too long to develop. So I ve written a small Perl script to:

• list the pods using MongoDB using kubectl -n prod get pods -l db=mongo
• find the pods using more that 10 connections using the kubectl exec command shown above
• compute the deployment name of these pods (which was possible given the naming convention used with our pods and deployments)
• restart the deployment of these pods with a kubectl rollout restart deployment command

Why restart a deployment instead of simply deleting the gluttonous pods? I wanted to avoid downtime if all pods of a deployment were to be killed. There s no downtime when applying rollout restart command on deployments. This script is now run regularly until the connections issue is fixed for good in NodeJS code. Thanks to this script, there s no need to rush a code modification. All in all, working around this connections issues was made somewhat easier thanks to:

• the monitoring tools provided by the hosting services.
• a good knowledge of Linux internals
• consistent labels on our pods
• the naming conventions used for our kubernetes artifacts

The new release of Config::Model::OpenSsh fixes a bugs that impacted experienced users: the order of Hosts or Match sections is now preserved when writing back ~/.ssh/config file. Why does this matter ? Well, the beginning of ssh_config man page mentions that For each parameter, the first obtained value will be used. and Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end. . Looks like I missed these statements when I designed the model for OpenSsh configuration: the Host section was written back in a neat, but wrong, alphabetical order. This does not matter except when there an overlap between the specifications of the Host (or Match) sections like in the example below:

Host foo.company.com
Port 22
Host *.company.com
Port 10022

With this example, ssh connection to foo.company.com is done using port 22 and connection to bar.company.com with port 10022. If the Host sections are written back in reverse order:

Host *.company.com
Port 10022
Host foo.company.com
Port 22

Then, ssh would be happy to use the first matching section for foo.company.com , i.e. *.company.com and would use the wrong port (10022) This is now fixed with Config::Model::OpenSsh 2.8.4.3 which is available on cpan and in Debian/experimental. While I was at it, I ve also updated Managing OpenSsh configuration with cme wiki page. All the best

I ve finally found the time to improve the GUI of my pet project: cme (aka Config::Model). Several years ago, I stumbled on a usability problem on the GUI. Some configuration (like OpenSsh or Systemd) feature a lot of configuration parameters. Which means that the GUI displays all these parameters, so finding a specfic parameter might be challenging:

To workaround this problem, I ve added a Filter widget in 2018 which did more or less the job, but it suffered from several bugs which made its behavior confusing. This is now fixed. The Filter widget is now working in a more consistent way. In the example below, I ve typed IdentityFile (1) in the Filter widget to show the identityFile used for various hosts (2):

Which is quite good, but some hosts use the default identity file so no value show up in the GUI. You can then click on hide empty value checkbox to show only the hosts that use a specific identity file:

I hope that this new behavior of the Filter box will make this project more useful. The improved GUI was released with Config::Model::TkUI 1.374. This new version is available on CPAN and on Debian/experimental). It will be released on Debian/unstable once the next Debian version is out. All the best

Azure Kubernetes Service provides a nice way to set up Kubernetes
cluster in the cloud. It s quite practical as AKS is setup by default
with a rich monitoring and reporting environment. By default, all
container logs are collected, CPU and disk data are gathered. I used AKS to setup a cluster for my first client as a
freelance. Everything was nice until my client asked me why logs
collection was as expensive as the computer resources. Ouch My first reflex was to reduce the amount of logs produced by all our
containers, i.e. start logging at warn level instead of info
level. This reduced the amount of logs quite a lot. But this did not reduce the cost of collecting logs, which looks like
to a be a common issue. Thanks to the documentation provided by Microsoft, I was able to find
that ContainerInventory data table was responsible of more than 60%
of our logging costs. What is ContainerInventory ? It s a facility to monitor the content
of all environment variables from all containers. Wait What ? Should we be worried about our database credentials which are, legacy
oblige, stored in environment variables ? Unfortunately, the query shown below confirmed that, yes, we should:
the logs aggregated by Azure contains the database credentials of my
client.

ContainerInventory
  where TimeGenerated > ago(1h)

Having credentials collected in logs is lackluster from a security
point of view. And we don t need it because our environment variables do not change. Well, it s now time to fix these issues. We re going to:

1. disable the collection of environment variables in Azure, which
   will reduce cost and plug the potential credential leak
2. renew all DB credentials, because the previous credentials can be
   considered as compromised (The renewal of our DB passwords is quite
   easy with the script I provided to my client)
3. pass credentials with files instead of environment variables.

In summary, the service provided by Azure is still nice, but beware of
the default configuration which may contain surprises. I m a freelance, available for hire. The https://code-straight.fr site
describes how I can help your projects. All the best

Hello Config::Model and cme read and write configuration data with a set of backend classes, like Config::Model::Backend::IniFile. These classes are managed by Config::Model::BackendMgr. Well, that s the simplified view. Actually, the backend manager can handle several different backends to read and write data: read backends are tried until one of them succeeds to read configuration data. And write backend cen be different from the read backend, thus offering the possibility to migrare from one format to another. This feature came at the beginning of the project, back in 2005. This felt like a good idea to let user migrate from one data format to another. More than 10 years later, this feature has never been used and is handled by a bunch of messy code that hampers further evolution of the backend classes. So, without further ado, I m going to deprecate the following features in order to simplify the backend manager:

• The custom backend that can be easily replaced with more standard backend based on Config::Model::Backend::Any. This feature has been deprecated with Config::Model 2.107
• The possibility to specify more that one backend. Soon, only the first read backend will be taken into account. This will simplify the declaration of backend. The read_config parameter, which is currently a list of backend specification, will become a single backend specification. The command cme meta edit will handle the migration of existing model to the new scheme.
• the write_config parameter will be removed.

Unless someone objects, actual removal of these feature will be done in the next few months, after a quite short deprecation period. All the best
Tagged: cme, config-model, Config::Model, configuration

Hello Systemd is powerful, but creating a new service is a task that require creating several files in non obvious location (like /etc/systemd/system or ~/.local/share/systemd/user/). Each file features 2 or more sections (e.g. [Unit], [Service]). And each section supports a lot of parameters. Creating such Systemd configuration files can be seen as a daunting task for beginners. cme project aims to make this task easier by providing a GUI that:

• shows all existing services in a single screen
• shows all possible sections and parameters with their documentation
• validates the content of each parameter (if possible)

For instance, on my laptop, the command cme edit systemd-user shows 2 custom services ( free-imap-tunnel@ and gmail-imap-tunnel@ ) with: The GUI above shows the units for my custom systemd files:

$ ls ~/.config/systemd/user/
free-imap-tunnel@.service
free-imap-tunnel.socket
gmail-imap-tunnel@.service
gmail-imap-tunnel.socket
sockets.target.wants

and the units installed by Debian packages:

$ find /usr/lib/systemd/user/ -maxdepth 1 \
  '(' -name '*.service' -o -name '*.socket' ')' \
  -printf '%f\n'  sort  head -15
at-spi-dbus-bus.service
colord-session.service
dbus.service
dbus.socket
dirmngr.service
dirmngr.socket
glib-pacrunner.service
gpg-agent-browser.socket
gpg-agent-extra.socket
gpg-agent.service
gpg-agent.socket
gpg-agent-ssh.socket
obex.service
pulseaudio.service
pulseaudio.socket

The screenshot above shows the content of the service defined by the following file:

$ cat ~/.config/systemd/user/free-imap-tunnel@.service
[Unit]
Description=Tunnel IMAPS connections to Free with Systemd
[Service]
StandardInput=socket
# no need to install corkscrew
ExecStart=-/usr/bin/socat - PROXY:127.0.0.1:imap.free.fr:993,proxyport=8888

Note that empty parameters are not shown because the hide empty value checkbox on top right is enabled. Likewise, cme is able to edit system files like user files with sudo cme edit systemd: For more details on how to use the GUI to edit systemd files, please see:

• Managing systemd configuration with cme
• Using cme

Using a GUI may not be your cup of tea. cme can also be used as a validation tool. Let s add a parameter with an excessive value to my service:

$ echo "CPUShares = 1000000" >> ~/.local/share/systemd/user/free-imap-tunnel@.service

And check the file with cme:

$ cme check systemd-user 
cme: using Systemd model
loading data
Configuration item 'service:"free-imap-tunnel@" Service CPUShares' has a wrong value:
        value 1000000 > max limit 262144

ok, let s fix this with cme. The wrong value can either be deleted:

$ cme modify systemd-user 'service:"free-imap-tunnel@" Service CPUShares~'
cme: using Systemd model
Changes applied to systemd-user configuration:
- service:"free-imap-tunnel@" Service CPUShares: '1000000' -> ''

Or modified:

$ cme modify systemd-user 'service:"free-imap-tunnel@" Service CPUShares=2048'
cme: using Systemd model
Changes applied to systemd-user configuration:
- service:"free-imap-tunnel@" Service CPUShares: '1000000' -> '2048'

You can also view the specification of a service using cme:

$ cme dump systemd-user 'service:"free-imap-tunnel@"'---
Service:
  CPUShares: 2048
  ExecStart:
    - '-/usr/bin/socat -  PROXY:127.0.0.1:imap.free.fr:993,proxyport=8888'
  StandardInput: socket
Unit:
  Description: Tunnel IMAPS connections to Free with Systemd

The output above matches the content of the service configuration file:

$ cat ~/.local/share/systemd/user/free-imap-tunnel@.service
## This file was written by cme command.
## You can run 'cme edit systemd-user' to modify this file.
## You may also modify the content of this file with your favorite editor.
[Unit]
Description=Tunnel IMAPS connections to Free with Systemd
[Service]
StartupCPUWeight=100
CPUShares=2048
StartupCPUShares=1024
StandardInput=socket
# no need to install corkscrew now
ExecStart=-/usr/bin/socat -  PROXY:127.0.0.1:imap.free.fr:993,proxyport=8888

Last but not least, you can use cme shell if you want an interactive ui but cannot use a graphical interface:

$ cme shell systemd-user 
cme: using Systemd model
 >:$ cd service:"free-imap-tunnel@"  Service  
 >: service:"free-imap-tunnel@" Service $ ll -nz Exec*
name        type   value                                                             
 
ExecStart   list   -/usr/bin/socat -  PROXY:127.0.0.1:imap.free.fr:993,proxyport=8888
 >: service:"free-imap-tunnel@" Service $ ll -nz
name               type      value                                                             
 
StartupCPUWeight   integer   100                                                               
CPUShares          integer   2048                                                              
StartupCPUShares   integer   1024                                                              
StandardInput      enum      socket                                                            
ExecStart          list      -/usr/bin/socat -  PROXY:127.0.0.1:imap.free.fr:993,proxyport=8888
 >: service:"free-imap-tunnel@" Service $ set CPUShares=1024
 >: service:"free-imap-tunnel@" Service $ ll -nz CPUShares 
name        type      value
 
CPUShares   integer   1024 
 >: service:"free-imap-tunnel@" Service $ quit
Changes applied to systemd-user configuration:
- service:"free-imap-tunnel@" Service CPUShares: '2048' -> '1024'
write back data before exit ? (Y/n)

Currently, only service, socket and timer units are supported. Please create a bug report on github if you need more. Installation instructions are detailed at the beginning of Managing Systemd configuration with cme wiki page. As all softwares, cme probably has bugs. Please report any issue you might have with it. For more information:

• Managing Systemd configuration with cme wiki page
• Config::Model::Systemd documentation
• Source code on GitHub. Feel free to star this project
• rate this project on Perl CPAN system

All in all, systemd is quite complex to setup. I hope I made a little bit easier to deal with. All the best
Tagged: config-model, configuration, Perl, systemd

Hello Dist::Zilla is a great tool to limit tedious tasks while working on Perl modules. For instance, dzil provides tools like dzil authordeps or dzil listdeps to list dependencies.
This list of Perl modules can then be installed with cpanm:

dzil authordeps --missing   cpanm
dzil listdeps --missing   cpanm

On a Debian system, one may prefer to install Perl modules using Debian packages. Installing build dependencies can be done with apt build-dep, but apt does not handle Dist::Zilla author dependencies. The new authordebs Dist::Zilla sub-command was wriiten to fill this gap. When run in a directory containing the source of a Perl module that uses Dist::Zilla, you can run dzil installdebs to list the Debian packages required to run the dzil command. You can also run dzil installdebs -install to install author dependencies (using sudo under the hood). See:

• authordebs doc
• An example of installation instructions using authordebs

On Debian, authordebs is provided by libdist-zilla-app-command-authordebs-perl All the best
Tagged: debian, dist-zilla, Perl

Hello Markus Raab, the author of Elektra project, has created a survey to get FLOSS developer s point of view on the configuration of application. If you are a developer, please fill this survey to help Markus work on improving application configuration management. Feeling this survey should take about 15 mns. Note that the survey will close on July 18th. The fact that this blog comes 1 month after the beginning of the survey is entirely my fault. Sorry about that All the best
Tagged: configuration, Perl

Hello While hacking on a script to update build dependencies on a Debian package, it occured to me that using Config::Model in a Perl program should be no more complicated than using cme from a shell script. That was an itch that I scratched immediately. Fast forward a few days, Config::Model now features new cme() and modify() functions that have a behavior similar to cme modify command. For instance, the following program is enough to update popcon s configuration file:

use strict; # let's not forget best practices ;-)
use warnings;
use Config::Model qw(cme); # cme function must be imported
cme('popcon')->modify("PARTICIPATE=yes");

The object returned by cme() is a Config;:Model::Instance. All its methods are available for a finer control. For instance:

my $instance = cme('popcon');
$instance->load("PARTICIPATE=yes");
$instance->apply_fixes;
$instance->say_changes; 
$instance->save;

When run as root, the script above shows:

Changes applied to popcon configuration:
- PARTICIPATE: 'no' -> 'yes'

If need be, you can also retrieve the root node of the configuration tree to use Config;:Model::Node methods:

my $root_node = cme('popcon')->config_root;
say "is popcon active ? ",$root_node->fetch_element_value('PARTICIPATE');

In summary, using cme in a Perl program is now as easy as using cme from a shell script. To provide feedback, comments, ideas, patches or to report problems, please follow the instructions from CONTRIBUTING page on github. All the best
Tagged: config-model, configuration, Perl

Hello Ever since udisk-glue was obsoleted with udisk (the first generation), I ve been struggling to find a solution to automatically mount a usb drive when such a device is connected to a kodi based home cinema PC. I wanted to avoid writing dedicated scripts or udev rules. Systemd is quite powerful and I thought that a simple solution should be possible using systemd configuration. Actually, auto-mount notion covers 2 scenario :

1. A device is mounted after being plugged in
2. An already available device is mounted when a process accesses its mount point

The first case is the one that is needed with Kodi. The second may be usefull so is also documented in this post. For the first case, add a line like the following in /etc/fstab:

/dev/sr0 /mnt/br auto defaults,noatime,auto,nofail 0 2

and reload systemd configuration:

sudo systemctl daemon-reload

The important parameters are auto and nofail : with auto , systemd mounts the filesystem as soon as the device is available. This behavior is different from sysvinit where auto is taken into account only when mount -a is run by init scripts. nofail ensures that boot does not fail when the device is not available. The second case is handled by a line like the following one (even if the line is split here to improve readability):

/dev/sr0 /mnt/br auto defaults,x-systemd.automount,\
   x-systemd.device-timeout=5,noatime,noauto 0 2

With the line above in /etc/fstab, the file system is mounted when user does (for instance) ls /mnt/br (actually, the first ls fails and triggers the mount. A second ls gives the expected result. There s probably a way to improve this behavior, but I ve not found it ) x-systemd.* parameters are documented in systemd.mount(5). Last but not least, using a plain device file (like /dev/sr0) works fine to automount optical devices. But it is difficult to predict the name of a device file created for a usb drive, so a LABEL or a UUID should be used in /etc/fstab instead of a plain device file. I.e. something like:

LABEL=my_usb_drive /mnt/my-drive auto defaults,auto,nofail 0 2

All the best
Tagged: kodi, systemd

Hello Thanks to the help of Daniel Dehennin and Paul Cochrane, The rakudo implementation of Perl 6 is now up to date on Debian/sid. Unlike previous version, Perl 6 on Debian uses moarvm backend. No other backend is provided. Please use the following command to install Perl6 on Debian:

sudo apt-get install rakudo

All the best
Tagged: debian, package, Perl6

Hello At work, I ve been bitten by the way AngularJS handles cache by default when using $https service. This post will show a simple way to improve cache handling with $http service. The service I m working on must perform the followings tasks:

• retrieve data from a remote server.
• save data to the same server.
• retrieve the saved data and some extra information generated by the server to update a UI

At first, I ve naively used $http.get cache parameter to enable or disable caching using a sequence like:

1. $http.get(url, cache: true )
2. $http.post(url)
3. $http.get(url, cache: false )
4. $http.get(url, cache: true )

Let s say the calls above use the following data:

1. $http.get(url, cache: true ) returns foo
2. $http.post(url) stores bar
3. $http.get(url, cache: false ) returns bar

I expected the next call $http.get(url, cache: false ) to return bar . But no, I got foo , i.e. the obsolete data. Turns out that cache object is completely left alone when cache: false is passed to $http.get. ok. Fair enough. But this means that the value of the cache parameter should not change for a given URL. The default cache provided by $https cannot be cleared. (Well, actually, you can clear the cache under AngularJS s hood, but that will probably not improve the readability of your code). The naive approach does not work. Let s try another solution by using a custom cache object as suggested by AngularJS doc. This cache object should be created by $cacheFactory service. This cache object can then be passed to $http.get to be used as cache. When needed, the cache can be cleared. In the example above, the cache must be cleared after saving some data to the remote service. There s 2 possibilities to clear a cache:

• Completely flush the cache using removeAll() function.
• Clear the cache for the specific URL using remove(key) function. The only hitch is that the key used by $http is not documented.

So, we have to use the first solution and create a cache object for each API entry point:

angular.module('app').factory('myService', function ($http, $cacheFactory)  
  var myFooUrl = '/foo-rest-service';
  
  // create cache object. The cache id must be unique
  var fooCache = $cacheFactory('myService.foo'); 
  function getFooData ()  
    return $http.get( myFooUrl,   cache: fooCache  );
   ;
 
  function saveFooData(data)  
    return $http.post( myFooUrl,   cache: fooCache  ).then(function()  
      myCache.removeAll() ;
     );
   
 );

The code above ensures that:

• cached data for foo service is always consistent
• http get requests are not sent more than necessary

This simple approach has the following limitations:

• cache is not refreshed if the data on the server are updated by another client
• cache is flushed when only the browser page is reloaded

If you need more a more advance cache mechanism, you may want to check jmdobry s angular cache project All the best

Hello This problem has been bugging me for a while: how to setup my Kodi based home cinema to automatically mount an optical media ? Turns out the solution is quite simple, now that Debian has switched for systemd. Just add the following line to /etc/fstab:

/dev/sr0 /media/bluray auto defaults,nofail,x-systemd.automount 0 2

Where:

• /dev/sr0 is the device file. You can also use one of the symbolic links setup by udev in /dev/disk/by-id
• /media/bluray is the mount point. You can choose another mount point
• nofail is required to avoid failure report when booting without a disc in the optical drive
• x-systemd.automount is the option to configure systemd to automatically mount the inserted disc

Do not specify noauto: this would prevent systemd to automatically mount a disc, which defeats the purpose. To test you setup:

• Run the command journalctl -x -f in a terminal to check what is going on with systemd
• Reload systemd configuration with sudo systemctl daemon-reload.
• load a disc in your optical drive

Then, journalctl should show something like:

Sept. 27 16:07:01 frodo systemd[1]: Mounted /media/bluray.

And that s it. No need to have obsolete packages like udisk-glue or autofs. Last but not least: this blog is moderated, please do not waste your time (and mine) posting rants. All the best.
Tagged: automount, debian, kodi, optical, systemd

Hello Previous version of libconfig-model-dpkg-perl had 2 bugs related to copyright update command :

• Too many directory paragraphs (like src/foo/*) were removed during update.
• Some file paragraph were not merged, leading to needless paragraphs in debian/copyright file. This bug is less severe as no information is lost

Version 2.067 of libconfig-model-dpkg-perl fixes both issues. This version is available in unstable. To use cme update dpkg-copyright command, the following packages are required:

• cme
• libconfig-model-dpkg-perl
• devscripts

All the best
Tagged: config-model, copyright, debian, DEP-5

What happened about the reproducible builds effort for this week: Toolchain fixes

• Guillem Jover uploaded dpkg/1.18.0 which now uses an approximation to compute Installed-Size, making it indpendent from the underlying filesystem. It now always sort the Dpkg::Dist::Files files list on output to make the output stable with parallel builds.
• Lunar uploaded mozilla-devscripts/0.40 which told xpi-pack to skip saving extra zip attributes when making jar.
• Dominique Dumont uploaded libmodule-build-perl/0.421100-2 which makes the output deterministic. Original patch by Lunar.

Lunar rebased our custom dpkg on the new release, removing a now unneeded patch identified by Guillem Jover. An extra sort in the buildinfo generator prevented a stable order and was quickly fixed once identified. Mattia Rizzolo also rebased our custom debhelper on the latest release. Packages fixed The following 30 packages became reproducible due to changes in their build dependencies: animal-sniffer, asciidoctor, autodock-vina, camping, cookie-monster, downthemall, flashblock, gamera, httpcomponents-core, https-finder, icedove-l10n, istack-commons, jdeb, libmodule-build-perl, libur-perl, livehttpheaders, maven-dependency-plugin, maven-ejb-plugin, mozilla-noscript, nosquint, requestpolicy, ruby-benchmark-ips, ruby-benchmark-suite, ruby-expression-parser, ruby-github-markup, ruby-http-connection, ruby-settingslogic, ruby-uuidtools, webkit2gtk, wot. The following packages became reproducible after getting fixed:

• aisleriot/1:3.16.2-1 uploaded by Andreas Henriksson, original patch by Chris Lamb.
• aws-sdk-for-php/2.8.5-1 by David Pr vot.
• bamtools/2.3.0+dfsg-3 uploaded by Andreas Tille, fix by Michael R. Crusoe.
• base-files/9.2 by Santiago Vila, some patches by Lunar.
• debian-keyring/2015.05.17 by Daniel Kahn Gillmor.
• debram/2.0.0.2 by Thaddeus H. Black.
• dianara/1.3.0-2 by M nica Ram rez Arceda.
• gazebo/5.0.1+dfsg-1~exp1 by Jose Luis Rivero.
• glassfish/1:2.1.1-b31g+dfsg1-3 uploaded by Emmanuel Bourg, original patch by Daniel Kahn Gillmor.
• lcdproc/0.5.7-3 by Dominique Dumont.
• libalien-sdl-perl/1.446-2 by Dominique Dumont.
• libvirt-python/1.2.15-1 uploaded by Guido G nther, original patch by Chris Lamb.
• libxmpcore-java/5.1.2-3 by Emmanuel Bourg.
• pdb2pqr/2.0.0+dfsg-1 uploaded by Andreas Tille, original patch by Reiner Herrmann.
• puredata/0.46.6-2 by Paul Brossier.
• qt-gstreamer/1.2.0-2 by Diane Trout.
• socat/1.7.3.0-1 uploaded by Laszlo Boszormenyi, original patch by Lunar.
• swaks/20130209.0-5 by Andreas Metzler, some patches by Chris Lamb.
• tf/1:4.0s1-19 by Jan Niehusmann.
• unzip/6.0-17 uploaded by Santiago Vila, original patch by Lunar.
• yorick/2.2.04+dfsg1-2 by by Thibaut Paumard.
• zip/3.0-10 by Santiago Vila, some patches by Chris Lamb.

Some uploads fixed some reproducibility issues but not all of them:

• bible-kjv/4.27 uploaded by Matthew Vernon, original patch by Chris Lamb.
• calendar/2.04-1 by St phane Glondu.
• cupt/2.9.0 uploaded by Eugene V. Lyubimkin, original patch by Chris Lamb.
• dactyl/1.2~hg7166-1 uploaded by Michael Schutte, original patch by Chris Lamb.
• ghc/7.10.1-5 by Joachim Breitner.
• icedove/38.0~b5-1 by Carsten Schoenert.
• jd/1:2.8.9-150226-2 by Hideki Yamane.
• libparse-debianchangelog-perl/1.2.0-2 by intrigeri.
• winswitch/0.12.21+dfsg-1 by Dmitry Smirnov.

Patches submitted which did not make their way to the archive yet:

• #775531 on console-setup by Reiner Herrmann: update and split patch written in January.
• #785535 on maradns by Reiner Herrmann: use latest entry in debian/changelog as build date.
• #785549 on dist by Reiner Herrmann: set hostname and domainname to predefined value.
• #785583 on s5 by Juan Picca: set timezone to UTC when unzipping files.
• #785617 on python-carrot by Juan Picca: use latest entry in debian/changelog as documentation build date.
• #785774 on afterstep by Juan Picca: modify documentation generator to allow a build date to be set instead of the current time, then use latest entry in debian/changelog as reference.
• #786508 on ttyload by Juan Picca: remove timestamp from documentation.
• #786568 on linux-minidisc by Lunar: use latest entry in debian/changelog as build date.
• #786615 on kfreebsd-10 by Steven Chamberlain: make order of file in source tarballs stable.
• #786633 on webkit2pdf by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.
• #786634 on libxray-scattering-perl by Reiner Herrmann: tell Storable::nstore to produce sorted output.
• #786637 on nvidia-settings by Lunar: define DATE, WHOAMI, andHOSTNAME_CMD to stable values.
• #786710 on armada-backlight by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.
• #786711 on leafpad by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.
• #786714 on equivs by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.

Also, the following bugs have been reported:

• #785536 on maradns by Reiner Herrmann: unreproducible deadwood binary.
• #785624 on doxygen by Christoph Berg: timestamps in manpages generated makes builds non-reproducible.
• #785736 on git-annex by Daniel Kahn Gillmor: documentation should be made reproducible.
• #786593 on wordwarvi by Holger Levsen: please provide a --distrobuild build switch.
• #786601 on sbcl by Holger Levsen: FTBFS when locales-all is installed instead of locales.
• #786669 on ruby-celluloid by Holger Levsen: tests sometimes fail, causing ftbfs sometimes.
• #786743 on obnam by Holger Levsen: FTBFS.

reproducible.debian.net Holger Levsen made several small bug fixes and a few more visible changes:

• For packages in testing, comparisions will be done using the sid version of debbindiff.
• The scheduler will now schedule old packages from sid twice often as the ones in testing as we care more about the former at the moment.
• More statistics are now visible and the layout has been improved.
• Variations between the first and second build are now explained on the statistics page.

strip-nondeterminism Version 0.007-1 of strip-nondeterminism the tool to post-process various file formats to normalize them has been uploaded by Holger Levsen. Version 0.006-1 was already in the reproducible repository, the new version mainly improve the detection of Maven's pom.properties files. debbindiff development At the request of Emmanuel Bourg, Reiner Herrmann added a comparator for Java .class files. Documentation update Christoph Berg created a new page for the timestamps in manpages created by Doxygen. Package reviews 93 obsolete reviews have been removed, 76 added and 43 updated this week. New identified issues: timestamps in manpages generated by Doxygen, modification time differences in files extracted by unzip, tstamp task used in Ant build.xml, timestamps in documentation generated by ASDocGen. The description for build id related issues has been clarified. Meetings Holger Levsen announced a first meeting on Wednesday, June 3rd, 2015, 19:00 UTC. The agenda is amendable on the wiki. Misc. Lunar worked on a proof-of-concept script to import the build environment found in .buildinfo files to UDD. Lucas Nussbaum has positively reviewed the proposed schema. Holger Levsen cleaned up various experimental toolchain repositories, marking merged brances as such.

Hello One of my last blog introduced the new cme update dpkg-copyright command and explained how to use this command to create a debian/copyright file from scratch. We will see in this blog how cme update dpkg-copyright command can also be used if a debian/copyright file already exists. During the lifetime of a package, creating a new debian/copyright copyright file should only happen once. When updating a package to a new upstream version, the content of the copyright file should be modified to reflect upstream changes by:

• adding or removing file entries
• updating years or owners
• updating licenses

cme update dpkg-copyright can be run with an existing debian/copyright file: the information extracted by licensecheck are merged in debian/copyright. Unfortunately, this merge may bring back the errors coming from licensecheck that you ve cleaned up manually last time. This last part is not optimal as the manual clean up must be repeated after cme update dpkg-copyright is run. Here s a way to avoid the last problem: cme update dpkg-copyright supports a way to modify the content of debian/copyright after the merge: the optional file debian/fix.scanned.copyright contains instructions to tweak the content of debian/copyright. (See Config::Model::Dpkg::Copyright man page for more details) You may remember that Config::Model handles all configuration information as a tree. The information contained in the copyright file is also stored in a tree structure. debian/fix.scanned.copyright contains instructions to navigate this tree and modify the content of the tree. Imagine that there s a robot (or a monkey) in that configuration tree. Each instruction tells the robot either to move in the tree or to perform an operation. The most useful instructions for debian/fix.scanned.copyright are:

• ! to move to the root of the tree
• = to assign a value , e.g: short_name=MIT or Copyright="2014, FooBar" (use double quotes when the value white space or other fancy characters).
• .= to append to a value, e.g Copyright.=" Appended info."
• =~ to apply a substitution with a Perl regexp, e.g. Copyright=~"/ \s*//g"
• : to move a Files element, e.g. Files:"foo/baz.c"
• :~ to remove a Files element, e.g. Files:~"bogus.c"

Otherwise:

• Comments with # or // must begin at the beginning of the line
• Instructions are separated by space(s) or new lines

Let s see a commented example:

# go to the root of the tree (with '!')
# and remove a bogus Files entry (with ":~")
! Files:~"foo/bogus.c"
// go to a Files entry and append (operator '.=') some info to   owner
! Files:"foo/bar.h"
  Copyright.=" Appended info."
# go back to tree root and assign   info
! Files:"foo/baz.c" Copyright="2014, FooBar"
# add a global license and a file entry missed by licensecheck
# global license must be set before using it in Files entry
# note: MIT text license is provided by cme
! License=MIT
! Files:"3rdparty/missed.c" Copyright="2005 FooBar" License short_name=MIT

Other possible instructions for this file are described in Config::Model::Loader doc. The number of instructions depends on the accuracy of licencecheck command. Hopefully, this number can be reduced by improving licensecheck. Last but not least, the following packages are required:

• cme
• libconfig-model-dpkg-perl
• devscripts

You may want to install also libconfig-model-tkui-perl to update the copyright file with cme GUI. In summary, the command cme updated dpkg-copyright associated with instructions stored in debian/fix.scanned.copyright enable Debian packagers to update with less effort debian/copyright file when updating a package. All the best

Here are my contribution for the #newinjessie game, i.e. what new stuff I ve contributed to the Jessie release of Debian.

• lcdproc configuration is upgraded automatically. One less question is asked during upgrade from Wheezy to Jessie. New lcdproc installation are configured automatically for some lcd hardwares. lcdproc configuration can be tweaked with a GUI.
• inotify-hookable: an easy way to trigger a command when a file is changed (based on inotify)
• libjira-client-automated-perl: An easy to use Perl library for Jira REST API
• libpithub-perl: A Perl library for github REST API
• libtkobj-editor-perl: a Tk widget to edit a Perl data structure. You can also whip up a GUI to access MLDBM db with a perl one liner.

See you in 2 years for Stretch release All the best

Hello In my opinion, creating and maintaining Debian copyright file is the most boring task required to create a Debian package. Unfortunately, this file is also one of the most important of a package: it specifies some legal aspect regarding the use of the software. Debian copyright file is scrutinized by ftp masters gatekeepers when accepting a new package in Debian project: this file must accurately describe the copyright and licenses of all files of a source package, preferably using a specific syntax. (Kudos to the ftp-masters team: reading copyright files must be even more boring than writing them). The content of the copyright file must reflect accurately the license of all files. This license is often specified in the comments of a source files. The licencecheck command is able to scan sources files and reports the copyright and licenses declared in there. But it does not summarize this information: a copyright line is generated for each file of a package. licensecheck2dep5 (provided by cdbs package as /usr/lib/cdbs/licensecheck2dep5) does better: the output of licensecheck is consolidated and translated in Debian copyright format. The result is better, but must be heavily edited to be reviewable by ftp-masters team. The new update subcommand of cme (available with libconfig-model-dpkg-perl 2.061 currently in experimental) goes further than licensecheck2deb:

• copyright are coalesced when possible (i.e. 2001,2002,2003-2005 is changed to 2001-2005)
• file entries same copyright owner and license are grouped, group of files may be represented with a wild card ( * )
• license text is filled with actual text for the most popular licenses

For instance, here s the (slightly edited) output of cme run for pan package starting without debian/copyright file:

$ cme update dpkg-copyright -quiet
Adding dummy license text for license public-domain 
for path pan/general/sorted-vector.h
Adding dummy license text for license BSD-2-clause 
for path pan/usenet-utils/MersenneTwister.h
$ cat debian/copyright
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Files: *
Copyright: 1994-2001, Frank Pilhofer. The author may
License: GPL-2+
Files: pan/*
Copyright: 2002-2007, Charles Kerr 
License: GPL-2
Files: pan/data/cert-store.cc
  pan/data/cert-store.h
Copyright: 2011, Heinrich M ller 
  2002-2006, Charles Kerr 
License: GPL-2
Files: pan/general/e-util.cc
  pan/general/e-util.h
Copyright: 2000, 2001, Ximian, Inc
License: LGPL-2
Files: pan/general/locking.h
  pan/general/worker-pool.cc
  pan/general/worker-pool.h
Copyright: 2007, Calin Culianu 
  2002-2007, Charles Kerr 
License: LGPL-2+
Files: pan/general/sorted-vector.h
Copyright: 2002, Martin Holzherr (holzherr@infobrain.com).
License: public-domain
 Please fill license public-domain from header
 of pan/general/sorted-vector.h
[ about 100 more lines including license text for Zlib and several 
  GPL licenses ]

This is a good start, but some modifications must be applied to get a correct license file:

• add missing upstream information (Upstream-Name, Upstream-Contact and Source items)
• remove irrelevant text from some copyright owner (e.g. remove The author may from Files: * entry).
• add some missing license text (e.g. include text from sorted-vector.h comments to specify upstream author s version of public-domain)

These modifications can be done:

• directly after update by running cme update dpkg-copyright --edit
• after update by running cme edit dpkg-copyright
• with your favorite editor

This post has mentioned creation of Debian copyright file, but does not address the problem of updating an existing copyright file when packaging a new version of a software. This will be the subject of a next post. I hope this new feature of cme will save hours of work for Debian packagers. As usual comments and suggestions are welcome All the best

Hello Thanks to Devel::NYTProf, I ve realized that Module::CoreList was used in a not optimal way (to say the least) in Config::Model::Dpkg::Dependency when checking the dependency between Perl packages. (Note that only Perl packages with many dependencies were affected by this lack of performance) After a rework, the performance are much better. Here s an example comparing check time before and after the modification of libconfig-model-dpkg-perl. With libconfig-model-dpkg-perl 2.059:
$ time cme check dpkg
Using Dpkg
loading data
Reading package lists... Done
Building dependency tree
Reading state information... Done
checking data
check done real 0m10.235s
user 0m10.136s
sys 0m0.088s With libconfig-model-dpkg-perl 2.060:
$ time cme check dpkg
Using Dpkg
loading data
Reading package lists... Done
Building dependency tree
Reading state information... Done
checking data
check done real 0m1.565s
user 0m1.468s
sys 0m0.092s All in all, a 8x performance improvement on the dependency check. Note that, due to the freeze, the new version of libconfig-model-dpkg-perl is available only in experimental. All the best
Tagged: Config::Model, debian, dpkg, package

Let s face reality: I cannot find the time to properly maintain Perl6 related packages for Debian. Given the recent surge of popularity of rakudo, it would be a shame to let these packages rot. Instead of throwing the towel, I d rather call for help to maintain these packages. You don t need to be a Debian Developer or Maintainer: I will gladly review and upload packages. The following packages are looking for maintainer:

• rakudo (currently RC buggy)
• moar (needs to be packaged, some work has been done by Daniel Dehennin)
• parrot (up to date)
• nqp (need to be updated. current version no longer compiles on all arch)

Next step to help Perl6 on Debian is to join:

• pkg-rakudo team to maintain moar, nqp and rakudo packages (mailing list)
• pkg-parrot team to maintain parrot package (mailing list)

All the best
Tagged: debian, package, Perl6