What happened in the reproducible builds effort between December 20th to December 26th: Toolchain fixes Mattia Rizzolo rebased our experimental versions of debhelper (twice!) and dpkg on top of the latest releases. Reiner Herrmann submited a patch for mozilla-devscripts to sort the file list in generated preferences.js files. To be able to lift the restriction that packages must be built in the same path, translation support for the __FILE__ C pre-processor macro would also be required. Joerg Sonnenberger submitted a patch back in 2010 that would still be useful today. Chris Lamb started work on providing a deterministic mode for debootstrap. Packages fixed The following packages have become reproducible due to changes in their build dependencies: bouncycastle, cairo-dock-plug-ins, darktable, gshare, libgpod, pafy, ruby-redis-namespace, ruby-rouge, sparkleshare. The following packages became reproducible after getting fixed:

• a7xpg/0.11.dfsg1-9 uploaded by Markus Koschany, original patch by Reiner Herrmann.
• at/3.1.18-1 uploaded by Laurent Bigonville, original patch by Reiner Herrmann, merged by Jose M Calhariz.
• bibtool/2.61+ds-2 by Jerome Benoit.
• bup/0.27-2 uploaded by Robert Edmonds, original patch by Chris Lamb.
• deja-dup/34.1-1 uploaded by Laurent Bigonville, original patch by Reiner Herrmann.
• gauche-gl/0.6-1 by NIIBE Yutaka.
• ifupdown/0.8 uploaded by Guus Sliepen, original patch by Lunar.
• jing-trang/20131210+dfsg+1-4 by Samuel Thibault.
• libp11/0.3.0-2 by Eric Dorland.
• pdns/4.0.0~alpha1-1 by Christian Hofstaedtler.
• pdns-recursor/4.0.0~alpha1-1 by Christian Hofstaedtler.
• qupzilla/1.8.9~dfsg1-1 uploaded by Georges Khaznadar, fixed upstream.
• ros-genpy/0.5.7-4 uploaded by Jochen Sprickerhof, original patch by Chris Lamb.
• signify/1.14-3 by Mattia Rizzolo, obsoleting patches submitted by Chris Lamb and akira.
• sleepyhead/0.9.8-2 by Sergio Durigan Junior.
• texi2html/1.82+dfsg1-5 by Mattia Rizzolo, previous patch by Juan Picca.
• titanion/0.3.dfsg1-6 by Markus Koschany, original patch by Reiner Herrmann.
• tj3/3.5.0-3 uploaded by Vincent Bernat, original patch by Vincent Bernat.
• vcsh/1.20151229-1 by Richard Hartmann.
• waitress/0.8.10-1 uploaded by Andrew Shadura, original patch by Juan Picca.
• xtel/3.3.0-19 by Samuel Thibault.

Some uploads fixed some reproducibility issues, but not all of them:

• kmod/22-1 uploaded by Marco d'Itri, original patch by Lunar.
• libgcrypt20/1.6.4-4 by Andreas Metzler.
• loadlin/1.6f-4 uploaded by Samuel Thibault, original patch by Chris Lamb.
• pathological/1.1.3-13 uploaded by Markus Koschany, original patch by Chris Lamb.
• yacas/1.3.6-1) uploaded by Muammar El Khatib, original patch by Reiner Herrmann.

Patches submitted which have not made their way to the archive yet:

• #808459 on pywavelets by Chris Lamb: add support for SOURCE_DATE_EPOCH in the documentation generator.
• #808652 on nexuiz-data by Reiner Herrmann: sorts with the locale set to C.
• #808667 on libmouse-perl by Reiner Herrmann: sorts the list of filenames to be embedded.
• #808679 on libcorelinux by Reiner Herrmann: sort the list of files in the generated Makefile.
• #808711 on ca-certificates by Reiner Herrmann: sort the list of certificates before it is embedded.

reproducible.debian.net Statistics for package sets are now visible for the armhf architecture. (h01ger) The second build now has a longer timeout (18 hours) than the first build (12 hours). This should prevent wasting resources when a machine is loaded. (h01ger) Builds of Arch Linux packages are now done using a tmpfs. (h01ger) 200 GiB have been added to jenkins.debian.net (thanks to ProfitBricks!) to make room for new jobs. The current count is at 962 and growing! diffoscope development Aside from some minor bugs that have been fixed, a one-line change made huge memory (and time) savings as the output of transformation tool is now streamed line by line instead of loaded entirely in memory at once. disorderfs development Andrew Ayer released disorderfs version 0.4.2-1 on December 22th. It fixes a memory corruption error when processing command line arguments that could cause command line options to be ignored. Documentation update Many small improvements for the documentation on reproducible-builds.org sent by Georg Koppen were merged. Package reviews 666 (!) reviews have been removed, 189 added and 162 updated in the previous week. 151 new fail to build from source reports have been made by Chris West, Chris Lamb, Mattia Rizzolo, and Niko Tyni. New issues identified: unsorted_filelist_in_xul_ext_preferences, nondeterminstic_output_generated_by_moarvm. Misc. Steven Chamberlain drew our attention to one analysis of the Juniper ScreenOS Authentication Backdoor: Whilst this may have been added in source code, it was well-disguised in the disassembly and just 7 instructions long. I thought this was a good example of the current state-of-the-art, and why we'd like our binaries and eventually, installer and VM images reproducible IMHO. Joanna Rutkowska has mentioned possible ways for Qubes to become reproducible on their development mailing-list.

Ten years ago, this very day, my first Debian package entered the Debian unstable repository. It was an addon for Mozilla Composer, Daniel Glazman s Cascades. On the same day, my second Debian package entered the Debian unstable repository as well. It was an addon for Mozilla Browser, Checky. A few days later, my third Debian package entered Debian unstable. It was an addon for Mozilla Browser, Diggler. Do you see a pattern? They are now abandoned software, although I made Checky and Diggler live a little longer (and I m actually considering reviving Diggler) but they had their importance in my journey, and are part of the reason why I am where I am now. My journey on the web started with NCSA Mosaic on VAX/VMS, then continued with Netscape Navigator, Netscape Communicator and Mozilla Suite on Linux. That s where I was ten years ago, sailing between Galeon (a browser using the Mozilla engine) and Mozilla Suite, and filing some layout bugs. Ten years ago, there was a new kid on the block. It used to be called Phoenix, it had just changed its name to Firebird. Eventually, it changed again for Firefox. You may have heard about it. Because Firebird was so much nicer than the browser in the Mozilla Suite, I started using its Debian package, and wanted my packaged addons to work with it. So I contacted Eric Dorland, Phoenix/Firebird package maintainer at the time, and got the addons working. I then ended up fixing a bunch of packaging issues. This is how I got involved in Firefox packaging for Debian, and what eventually led me to work for Mozilla.

After spotting an upload of mira, who in turn spotted an upload of abe (the package, not an upload by me aka abe@d.o), mira (mirabilos aka tg@d.o) noticed that there are Debian packages which have same name as some Debian Developers have as login name. Of course I noticed a long time ago that there is a Debian package with my login name abe . Another well-known Debian login and former package name is amaya. But since someone else came up with that thought, too, it was time for finding the definite answer to the question which are the DD login names which also exist as Debian package names. My first try was based on the list of trusted GnuPG keys:

$ apt-cache policy $(gpg --keyring /etc/apt/trusted.gpg --list-keys 2>/dev/null   \
                     grep @debian.org   \
        	     awk -F'[<@]' ' print $2 '   \
                     sort -u) 2>/dev/null   \
                   egrep -o '^[^ :]*'
alex
tor
ed
bam
ng

But this was not satisfying as my own name didn t show up and gpg also threw quite a lot of block reading errors (which is also the reason for redirecting STDERR). mira then had the idea of using the Ultimate Debian Database to answer this question more properly:

udd=> SELECT login, name FROM carnivore_login, carnivore_names
      WHERE carnivore_login.id=carnivore_names.id AND login IN
      (SELECT package AS login FROM packages, active_dds
       WHERE packages.package=active_dds.login UNION
       SELECT source AS name FROM sources, active_dds
       WHERE sources.source=active_dds.login)
      ORDER BY login;
 login                   name
-------+---------------------------------------
 abe     Axel Beckert
 alex    Alexander List
 alex    Alexander M. List  4402020774 9332554
 and     Andrea Veri
 ash     Albert Huang
 bam     Brian May
 ed      Ed Boraas
 ed      Ed G. Boraas [RSA Compatibility Key]
 ed      Ed G. Boraas [RSA]
 eric    Eric Dorland
 gq      Alexander GQ Gerasiov
 iml     Ian Maclaine-cross
 lunar   J r my Bobbio
 mako    Benjamin Hill
 mako    Benjamin Mako Hill
 mbr     Markus Braun
 mlt     Marcela Tiznado
 nas     Neil A. Schemenauer
 nas     Neil Schemenauer
 opal    Ola Lundkvist
 opal    Ola Lundqvist
 paco    Francisco Moya
 paul    Paul Slootman
 pino    Pino Toscano
 pyro    Brian Nelson
 stone   Fredrik Steen
(26 rows)

Interestingly tor (Tor Slettnes) is missing in this list, so it s not complete either At least I m quite sure that nobody maintains a package with his own login name as package name. :-) We also have no packages ending in -guest , so there s no chance that a package name matches an Alioth guest account either

SF.net now supports OpenID. Hooray! I'd like to make a comment on a thread about the RTL8187se chip I've got in my new MSI Wind. So I go to sign in with OpenID and instead of signing me in it prompts me to create an account with a name, username and password for the account. Huh? I just want to post to their forum, I don't want to create an account (at least not explicitly, if they want to do it behind the scenes fine). Isn't the point of OpenID to not have to create accounts and particularly not have to create new usernames and passwords to access websites? I'm not impressed.

Biella, I am from there and I do agree. If I was still living there I would try to form a team and make a bid. Simon even made noises about organizing a bid at DebConfs past. I wish he would :)

But a DebConf in New York would be almost as good.

Another point release for Etch has been done; now it's the time for the CD team to roll out new images after the next mirror pulse. The official announcements (prepared by Alexander Reichle-Schmehl, thanks!) will follow shortly afterwards. FTP master of the day was Joerg Jaspert, who did his first point release since Woody, as he told us on IRC. We appreciate your work and you spending your time that shortly before going to Argentina. This point release includes the etchnhalf update introducing a new kernel image (based on 2.6.24) and some driver updates. Additionally the infamous openssl hole will be fixed for good, even for new installs. Again I want to present you a list of people who contributed to this release. It cannot be complete as I got the information out of the Changed-by fields of the uploads.

• akira yamada
• Alexander Sack
• Alexander Schmehl
• A Mennucc1
• Andrea De Iacovo
• Andres Salomon
• Aurelien Jarno
• Charles Plessy
• Christian Perrier
• Christian Welzel
• Colin Watson
• dann frazier (indefatigable kernel worker, most sourceful uploads)
• Darren Salt
• Devin Carraway (3rd place of sourceful uploads, due to security work)
• Emmanuel Lacour
• Eric Dorland
• Fabio Tranchitella
• Faidon Liambotis
• Fathi Boudra
• Florian Weimer
• Francesco Paolo Lovergine
• Francois Marier
• Frank Lichtenheld
• Frans Pop (thanks for your d-i work!)
• Frederic Peters
• Gregory Colpart
• Holger Levsen
• Jan Wagner
• Jay Berkenbilt
• J r my Bobbio
• Joey Hess
• Joey Schulze
• Josselin Mouette
• Julien Cristau
• Kai Hendry
• Kurt Roeckx
• LaMont Jones
• Laszlo Boszormenyi
• Martin Pitt
• maximilian attems
• Michael Biebl
• Michael Koch
• Mike Hommey
• Moritz Muehlenhoff
• Noah Meyerhans
• Ola Lundqvist
• Otavio Salvador
• Patrick Matth i
• Petter Reinholdtsen
• Philipp Kern
• Pierre Habouzit
• Raphael Hertzog
• Rene Engelhard
• Robert Millan
• Roberto Lumbreras
• Roland Mas
• Romain Beauxis
• Russ Allbery
• Sean Finney
• Stefan Fritsch
• Steffen Joeris
• Stephen Gran
• Steve Kemp
• Sune Vuorela
• Thijs Kinkhorst (2nd place of sourceful uploads, due to security work)
• Thomas Viehmann
• Toni Mueller
• Tzafrir Cohen

From the Release Team we had dann frazier (who drove the important kernel part of etchnhalf), Luk Claes, Neil McGovern, Andreas Barth, Martin Zobel-Helas and me working on it. ;-)

So first the bad news is that I'm not coming to DebConf this year. There are a few reasons for this. It's fairly far and expensive. I thought the lineup of talks was pretty similar to the last two years. And perhaps most fundamentally, I don't want to go somewhere cold (well, cool) in the summertime. I think this may be a Canadian thing, but I love summer time and I don't want to squander any of my warm days. So have a good time folks, I'll miss you and I'm certainly going to make the effort to be there next year. And lets hope DebConf 10 is in Montr al :)

I will however be heading to OLS for the first time. Which is ironic because I used to live 2 hours from Ottawa and never went. Now I live several more hours away and now I've decided to go. Irony is fun.

I'm also thinking of attending HOPE here in New York. I'm not really sure what to expect. The talks seem really eclectic, which is cool, but makes it hard to figure out what to go to. Suggestions welcome!

When I first saw the eeePC I thought it was a great idea, but seemed a little too small (particularly the screen) and not great battery life. Now that the 901 has been released it seems like an ideal ultra portable laptop for my needs. Unfortunately there doesn't seem to be anyone selling it here except on eBay. Looks like they won't go on sale here until July 7.

I've also become a ridiculous fanboy of the Wii. Which means I have to get a Wii Fit. And of course, no one has them. I am lucky that here in New York we have the Nintendo World Store that gets a shipment every morning, but so far I haven't been desperate enough to drag my ass out of bed early to get one. We'll see how long it lasts.

I wonder if the rumblings of manufacturers purposely shipping less to the US because of the weak dollar are true.

The recent IPv6 Conference at Google and the launching of ipv6.google.com (only accessible over IPv6) inspired me to set up a 6to4 tunnel on my WRT54G running OpenWRT. I've been reading about IPv6 for years, but there didn't seem to be much point. Now I've seen the bouncing Google logo and the dancing turtle, and it really wasn't all that difficult. One issue I ran into was the 2.4 kernel that is needed to run on the WRT54G doesn't have a connection tracking for stateful firewall rules, which makes it a pretty poor IPv6 firewall. It's disabled for now, and tomorrow I'll go buy a WRTSL54GS so I can run a 2.6 kernel.

I'm looking forward to the day when IPv6 transit is normal and all these tunnels are unnecessary.

Martin's adventure makes me long for some scuba diving, which I haven't done for a couple of years now. Damn you, busy life!

Last week it was one year since I moved to New York. The city is pretty amazing, I've barely scratched the surface of what you can do here. I've spent a lot of it working and not taking advantage of it. I've done almost none of the touristy things you're supposed to do in this city, I haven't been to the Statue of Liberty, I haven't been up the Empire State Building and I haven't been in a single museum. It's a bit sad really. Not that I haven't done fun stuff, but I've definitely focused too much on work. Hopefully I can restore a little balance in the new year.

In other news, I'm going to spend Christmas in Ottawa where my parents have moved to recently. It's fairly crappy not to be going back to Montr al. Ottawa always sort of struck me as a boring town, so any suggestions on fun things to do there would be most appreciated.

I've just gotten a 256slice from Slicehost and I will deleting my UML instance with Bytemark. I was a customer of Bytemark's for a number of years, and I was happy with them. I had the smallest VM they offered and was just using it to run my DNS, postfix (and clamav and amavis) and a couple of tiny websites. The 75M of RAM the VM has just isn't up to these tasks anymore, with fairly frequent OOMing. Although they upgrading their smallest VMs to 150M six months ago, I still hadn't been upgraded to that new size, which is one of the main reasons I looked for other options.

So Slicehost seems to have a good reputation and having gotten my slice last week I can say that's it's wayyy faster than my setup with Bytemark. Even if I had stayed with Bytemark I would have 100M less RAM and it would have been more expensive (darn you weak American dollar). I really liked Bytemark, they've been supporting DebConf for at least a couple of years. I wish them success, but at this point they're offerings just competitive anymore.

The one thing I really miss from Bytemark is their DNS slave service. You could run your own BIND and have Bytemark's nameservers be slaves to it. Slicehost only has a hosted DNS service. But this is a small quibble compared to all the upsides.

My UPS died today, so I went to the store to get a new one. It came with a USB cable and when I plugged it into my desktop an icon popped into the Gnome panel to show me my new UPS, how much charge it had, etc (and I assume shut it down when . Very cool, and honestly completely unexpected. I think a couple of years ago I would be much less impressed by this, but as I find my free time dwindling I really appreciate when things just work. It's also a small, but encouraging sign that "Desktop Linux" is making good progress.

Hooray! A long weekend to catch up with all Debian work I've been neglecting!

Hooray! A long weekend to play Metroid 3 on the Wii!

Actually I have made some useful progress, converting nearly all of my packages over to git, even starting an Alioth project for the OpenSC suite of packages. Help is welcome! I should also pump out some updated packages where need be, and I should try to give Iceweasel some love, as it needs it badly.

A hot topic this past DebConf7 was git. I've bought into the hype, so I decided to take the plunge and move my Subversion repositories to it. A lot of people seem to be willing to part with their history when making the move, but I'm some what irrationally attached to it.

Most of my Debian packages are in one big SVN repo, which used to be one big CVS repo (I used cvs2svn to move). So I decided to pull apart each source package into its own git repository. I started with git svn clone like so:

$ git svn clone -A authors --trunk=trunk/libclass-makemethods-perl \
  --branches=branches/libclass-makemethods-perl/upstream \
  --tags=tags/libclass-makemethods-perl --no-metadata \
  file:///home/svn/debian libclass-makemethods-perl

And this gives a git repo that can track an SVN repo. But I want to go all the way, no turning back. So I made a little script to clean up this repo called clean-git-svn:

#!/bin/sh -e
tags= git branch -r   egrep 'tags/[^@]+$' 
echo "$tags"   perl -ne \
  'chomp($_); my $head = $_; s,\s+tags,debian,g; print "git tag $_ $head^\n"'
for i in $tags ; do echo "git branch -r -d $i"; done
upstream_tags= git branch -r   egrep ' +[0-9][^@]+$' 
echo "$upstream_tags"   perl -ne \
  'chomp($_); s,\s+,,g; print "git tag upstream/$_ $_^\n"'
for i in $upstream_tags ; do echo "git branch -r -d $i"; done
echo "git branch upstream current"
echo "git branch -r -d current"
echo "git branch -r -d trunk"

This will output a bunch of git commands that will make this a more "gitified" repo. I make no guarantees this will work, you should probably hand check your history with gitk to make sure this won't screw anything up. If your the part you're converting also came up from CVS, you'll probably have a bit of a mess on your hands that will need more manual cleanup. gitk is really an amazing visualization tool and can help a lot here. Once you're satisfied just pipe it into /bin/sh. Since git svn mostly can't track where you merged in your SVN repo, make sure you merge the upstream branch into master as soon as you can. It will save you a lot of conflicts later, trust me.

One thing I miss from svn is svn export. Does an equivalent command exist in git? You would think there would be an option you could pass to git clone to do this but I can't seem to find anything.

One thing I'm really missing is Montr al in the summer time. Particularly the Fantasia Festival, where I would usually take in twenty-odd movies over a couple of weeks and I've been going for years. It was great. New York doesn't seem to have anything that compares, except maybe The New York Asian Film Festival. But that seems quite a bit smaller and more focused. I'll still check out it out though.

It's been nearly 7 months since I've moved here and time has really flown. Work has consumed most of my life and it's been amazing, but I'm starting to feel like it's lacking in certain areas. I've barely seen most of Manhattan and it's really not that big. I need to make sure I get the balance right.

DebConf 7 was fantastic, doubly so since I got to share it. My BoF was not that popular (which is what I expected) but people were interested and audience participation was high, so I was pleased. I sort of divided my time between the conference and being a tourist, so I hope no one felt like I was ignoring them. Edinburgh was an amazing city, really very beautiful. It felt good to be connected with this place (my mother was born in Perth, not too far away). Simon, Martin and Kai, you guys rock!

Speaking of DebConf, I should have cornered Keith for some troubleshooting. I bought a spiffy new desktop recently with a 965G chipset and plugged in an SDVO card and tried to get dual monitor set up going. After much Googling I found that Xrandr is apparently the new cool way to configure this, but information is pretty scarce. I can't seem to get them to both work at the same time. There could be problems because they have different resolutions (one is a 22" wide screen and one is a regular 19"). The lack of information about this is slightly frustrating and tells me either no one is trying this or no one else is having problems. Neither is good :)

"Hey, at least we don't have Emacs' release cycle"

Dear Lazyweb,

I have a growing frustration with my current home desktop machine, so I would like to get a new one. I'm perfectly willing to build it myself, and I would like it if possible to have one of those spiffy G965 Intel chipsets so I can finally have some free 3D graphics drivers. All the motherboards I have seen have only a VGA port, but apparently you can get an SDVO card to add a DVI interface. Does anyone know if you can drive two monitors with this setup? My googling didn't really clarify if this was possible. I want to have two displays, but I don't mind if one of them has to hook up to a VGA interface.

Beyond that, I'd like it to be quiet. Any tips on quiet power supplies, CPU and case fans?

Two blog posts in one day!

Distributed revision control systems are all the rage these days and I think the time has come to adopt one. I've always thought they were a good idea, but Subversion worked well and suited my needs well enough. I was also somewhat put off by the number of choices and didn't want to switch to something that would turn out to be a dud. But now there seem to be two main contenders, Git and Mecurial. I think Linus' recent talk on git also helped rekindle my interest.

Despite Linus' protestations of greatness, I was thinking of using Mercurial since it seems to fit better with my Subversion centric view of the world and it appears that Mozilla is going to move to it from CVS. I already have a few CVS and Subversion repositories for various things and I would like to keep that history. So I fired up Tailor and started converting a mail archive I have in an svn repo. The repo is only 1.5G, but Tailor was slow. Surprisingly slow. It then failed right near the end of the conversion. I'm also not sure exactly how much history Tailor is preserving. Does it deal with things like file moves properly?

Disheartened, I took a look at git instead. It seemed to have a tool called git-svnimport that sounded very promising. I ran it against the same svn repo and it proceeded to consume all the memory on my system and cause it to thrash like mad. My machine became so unresponsive that I had to log in remotely to kill the import.

So in the end, dear lazyweb, what tools should one use to convert a Subversion repository to Mercurial and/or Git?

Just in case Ben Fowler doesn't read Planet Debian, Eric Dorland has written a much more detailed and accurate account of the Iceweasel situation than I did.