What happened in the reproducible builds effort between January 10th and January 16th:

Toolchain fixes Benjamin Drung uploaded mozilla-devscripts/0.43 which sorts the file list in preferences files. Original patch by Reiner Herrmann. Lunar submitted an updated patch series to make timestamps in packages created by dpkg deterministic. To ensure that the mtimes in data.tar are reproducible, with the patches, dpkg-deb uses the --clamp-mtime option added in tar/1.28-1 when available. An updated package has been uploaded to the experimental repository. This removed the need for a modified debhelper as all required changes for reproducibility have been merged or are now covered by dpkg.

Packages fixed The following packages have become reproducible due to changes in their build dependencies: angband-doc, bible-kjv, cgoban, gnugo, pachi, wmpuzzle, wmweather, wmwork, xfaces, xnecview, xscavenger, xtrlock, virt-top. The following packages became reproducible after getting fixed:

• dist/1:3.5-36.0001-1 uploaded by Manoj Srivastava, original patch by Reiner Herrmann.
• grib-api/1.14.4-4 by Alastair McKinstry.
• gui-apt-key/0.4-2.1 by Axel Beckert, original patch by Chris Lamb.
• kiki-the-nano-bot/1.0.2+dfsg1-6 by Peter De Wachter, original patch by Chris Lamb.
• ldapvi/1.7-10 by Rhonda D'Vine, original patches (#777490, #793702) by Chris Lamb and akira.
• libf2c2/20090411-3 by Barak A. Pearlmutter.
• liquidsoap/1.1.1-7.1 by Mattia Rizzolo.
• marsshooter/0.7.6-1 uploaded by Markus Koschany, fixed upstream.
• offlineimap/6.6.1+dfsg1-2 by Ilias Tsitsimpis.
• pgbouncer/1.7-1 by Christoph Berg.
• python-requests-toolbelt/0.5.1-4 by Petter Reinholdtsen.
• shorewall-core/5.0.3.1-1 uploaded by Roberto C. Sanchez, fixed upstream, obsolete patch by Chris Lamb.
• slrnface/2.1.1-7 by Rhonda D'Vine, original patches (#777425, #793722) by Chris Lamb and akira.
• tetradraw/2.0.3-9 by Rhonda D'Vine, original patches (#777426, #793727) by Chris Lamb and akira.
• xblast-tnt-images/20050106-3 by Rhonda D'Vine, original patch by Chris Lamb.
• xblast-tnt/2.10.4-4 by Rhonda D'Vine, original patch by Chris Lamb.
• xtrkcad/1:4.2.2-1 uploaded by Daniel E. Markle, fixed upstream, obsolete patch by Chris Lamb.

Some uploads fixed some reproducibility issues, but not all of them:

• apt/1.2 uploaded by Julian Andres Klode, original patch by Mattia Rizzolo.
• ecere-sdk/0.44.14-1 by Jerome St-Louis.
• epubcheck/4.0.1-2 by Eugene Zhukov.
• hplip/3.15.11+repack0-1 by Didier Raboud.
• irsim/9.7.93-1 uploaded by Roland Stigge, original patch by Chris Lamb.
• julia/0.4.3-1 uploaded by Peter Colberg, fix by Graham Inggs.
• magics++/2.26.2-1 by Alastair McKinstry.
• mailagent/1:3.1-81-1 by Manoj Srivastava.
• nasm/2.11.08-1 uploaded by Anibal Monsalve Salazar, original patch by Valentin Lorentz.
• ns3/3.22+dfsg-2 uploaded by Martin Quinson, original patch by Juan Picca.
• shotwell/0.22.0-3 by J rg Frings-F rst.

Untested changes:

• firmware-nonfree/20160110-1 by Ben Hutchings (non-free).
• nvidia-graphics-drivers-legacy-304xx/304.131-3 by Andreas Beckmann (non-free).
• nvidia-graphics-drivers-legacy-340xx/340.96-2 by Andreas Beckmann (non-free).
• nvidia-graphics-drivers/340.96-4 by Andreas Beckmann (non-free).

reproducible.debian.net Once again, Vagrant Cascadian is providing another armhf build system, allowing to run 6 more armhf builder jobs, right there. (h01ger) Stop requiring a modified debhelper and adapt to the latest dpkg experimental version by providing a predetermined identifier for the .buildinfo filename. (Mattia Rizzolo, h01ger) New X.509 certificates were set up for jenkins.debian.net and reproducible.debian.net using Let's Encrypt!. Thanks to GlobalSign for providing certificates for the last year free of charge. (h01ger)

Package reviews 131 reviews have been removed, 85 added and 32 updated in the previous week. FTBFS issues filled: 29. Thanks to Chris Lamb, Mattia Rizzolo, and Niko Tyni. New issue identified: timestamps_in_manpages_added_by_golang_cobra.

Misc. Most of the minutes from the meetings held in Athens in December 2015 are now available to the public.

The following contributors got their Debian Developer accounts in the last two months:

• ChangZhuo Chen (czchen)
• Eugene Zhukov (eugene)
• Hugo Lefeuvre (hle)
• Milan Kupcevic (milan)
• Timo Weing rtner (tiwe)
• Uwe Kleine-K nig (ukleinek)
• Bernhard Schmidt (berni)
• Stein Magnus Jodal (jodal)
• Prach Pongpanich (prach)
• Markus Koschany (apo)
• Andy Simpkins (rattustrattus)

The following contributors were added as Debian Maintainers in the last two months:

• Miguel A. Col n V lez
• Afif Elghraoui
• Bastien Roucari s
• Carsten Schoenert
• Tomasz Nitecki
• Christoph Ulrich Scholler
• Mechtilde Stehmann
• Alexandre Viau
• Daniele Tricoli
• Russell Sim
• Benda Xu
• Andrew Kelley
• Ivan Udovichenko
• Shih-Yuan Lee
• Edward Betts
• Punit Agrawal
• Andreas Boll
• Dave Hibberd
• Alexandre Detiste
• Marcio de Souza Oliveira
• Andrew Ayer
• Alf Gaida

Congratulations!

What happened in the reproducible builds effort this week: Toolchain fixes

• Stefano Rivera uploaded python-cffi/1.3.0-1 which makes the generated code order deterministic for anonymous unions and anonymous structs. Reported by Tristan Seligmann, and fixed uptream.

Mattia Rizzolo created a bug report to continue the discussion on storing cryptographic checksums of the installed .deb in dpkg database. This follows the discussion that happened in June and is a pre-requisite to add checksums to .buildinfo files. Niko Tyni identified why the Vala compiler would generate code in varying order. A better patch than his initial attempt still needs to be written. Packages fixed The following 15 packages became reproducible due to changes in their build dependencies: alt-ergo, approx, bin-prot, caml2html, coinst, dokujclient, libapreq2, mwparserfromhell, ocsigenserver, python-cryptography, python-watchdog, slurm-llnl, tyxml, unison2.40.102, yojson. The following packages became reproducible after getting fixed:

• 389-ds-base/1.3.3.13-1 uploaded by Timo Aaltonen, original patch by Chris Lamb.
• apache2/2.4.17-1 by Stefan Fritsch.
• ben/0.7.3 by Mehdi Dogguy.
• cdo/1.6.9+dfsg.1-3 by Alastair McKinstry.
• epubcheck/4.0.0-2 by Eugene Zhukov.
• grads/2:2.0.2-8 by Alastair McKinstry.
• litl/0.1.7+dfsg-1 uploaded by Samuel Thibault, original patch by Chris Lamb.
• mia/2.2.5-1 by Gert Wollny.
• powerline/2.2-2 by Jerome Charaoui.
• python-oslotest/1:1.11.0-2 by Thomas Goirand.
• tth/4.05+ds-2 uploaded by Jerome Benoit, original patch by Reiner Herrmann.
• xbae/4.60.4-7 uploaded by Nicholas Breen, original patch by Chris Lamb.
• xdmf/2.1.dfsg.1-13 by Alastair McKinstry.

Some uploads fixed some reproducibility issues but not all of them:

• foxeye/0.10.2-1 by Andriy Grytsenko.
• jaxe/3.5-6 by Samuel Thibault.
• ncurses/6.0+20151017-1 by Sven Joachim, original patch by Esa Peuha.
• olap4j/1.2.0-1 by Emmanuel Bourg.
• tomcat8/8.0.28-1 by Emmanuel Bourg.

reproducible.debian.net pbuilder has been updated to version 0.219~bpo8+1 on all eight build nodes. (Mattia Rizzolo, h01ger) Packages that FTBFS but for which no open bugs have been recorded are now tested again after 3 days. Likewise for depwait packages. (h01ger) Out of disk situations will not cause IRC notifications anymore. (h01ger) Documentation update Lunar continued to work on writing documentation for the future reproducible-builds.org website. Package reviews 44 reviews have been removed, 81 added and 48 updated this week. Chris West and Chris Lamb identified 70 fail to build from source issues. Misc. h01ger presented the project in Mexico City at the 3er Congreso de Seguridad de la Informaci n where it became clear that we lack academic papers related to reproducible builds. Bryan has been doing hard work to improve reproducibility for OpenWrt. He wrote a report linking to the patches and test results he published.

What happened about the reproducible builds effort for this week: Presentations On May 26th,Holger Levsen presented reproducible builds in Debian at CCC Berlin for the Datengarten 52. The presentation was in German and the slides in English. Audio and video recordings are available. Toolchain fixes

• Dmitry Shachnev uploaded pyqt5/5.4.1+dfsg-3 which makes pyuic output imports in stable order. Original patch by Reiner Herrmann.
• Lunar uploaded mozilla-devscripts/0.41 which uses the UTC timezone when calling zip or unzip.

Niels Thykier fixed the experimental support for the automatic creation of debug packages in debhelper that being tested as part of the reproducible toolchain. Lunar added to the reproducible build version of dpkg the normalization of permissions for files in control.tar. The patch has also been submitted based on the main branch. Daniel Kahn Gillmor proposed a patch to add support for externally-supplying build date to help2man. This sparkled a discussion about agreeing on a common name for an environment variable to hold the date that should be used. It seems opinions are converging on using SOURCE_DATE_UTC which would hold a ISO-8601 formatted date in UTC) (e.g. 2015-06-05T01:08:20Z). Kudos to Daniel, Brendan O'Dea, Ximin Luo for pushing this forward. Lunar proposed a patch to Tar upstream adding a --clamp-mtime option as a generic solution for timestamp variations in tarballs which might also be useful for dpkg. The option changes the behavior of --mtime to only use the time specified if the file mtime is newer than the given time. So far, upstream is not convinced that it would make a worthwhile addition to Tar, though. Daniel Kahn Gillmor reached out to the libburnia project to ask for help on how to make ISO created with xorriso reproducible. We should reward Thomas Schmitt with a model upstream trophy as he went through a thorough analysis of possible sources of variations and ways to improve the situation. Most of what is missing with the current version in Debian is available in the latest upstream version, but libisoburn in Debian needs help. Daniel backported the missing option for version 1.3.2-1.1. akira submitted a new issue to Doxygen upstream regarding the timestamps added to the generated manpages. Packages fixed The following 49 packages became reproducible due to changes in their build dependencies: activemq-protobuf, bnfc, bridge-method-injector, commons-exec, console-data, djinn, github-backup, haskell-authenticate-oauth, haskell-authenticate, haskell-blaze-builder, haskell-blaze-textual, haskell-bloomfilter, haskell-brainfuck, haskell-hspec-discover, haskell-pretty-show, haskell-unlambda, haskell-x509-util, haskelldb-hdbc-odbc, haskelldb-hdbc-postgresql, haskelldb-hdbc-sqlite3, hasktags, hedgewars, hscolour, https-everywhere, java-comment-preprocessor, jffi, jgit, jnr-ffi, jnr-netdb, jsoup, lhs2tex, libcolor-calc-perl, libfile-changenotify-perl, libpdl-io-hdf5-perl, libsvn-notify-mirror-perl, localizer, maven-enforcer, pyotherside, python-xlrd, python-xstatic-angular-bootstrap, rt-extension-calendar, ruby-builder, ruby-em-hiredis, ruby-redcloth, shellcheck, sisu-plexus, tomcat-maven-plugin, v4l2loopback, vim-latexsuite. The following packages became reproducible after getting fixed:

• afterstep/2.2.12-6 uploaded by Robert Luberda, original patch by Juan Picca.
• birdfont/2.8.0-2 by Hideki Yamane.
• bzr/2.6.0+bzr6602-1 by Jelmer Vernooij.
• cassiopee/1.0.3+dfsg-2 uploaded by Olivier Sallou, original patch by akira.
• dhcp-helper/1.1-3 by Simon Kelley.
• elog/3.1.0-2-1 by Roger Kalt.
• flashcache/3.1.3+git20150513-1 uploaded by Liang Guo, original patch by Reiner Herrmann.
• fonts-kiloji/1:2.1.0-21 by Hideki Yamane.
• inspircd/2.0.20-2 by Guillaume Delacour.
• jd/1:2.8.9-150226-3 by Hideki Yamane.
• jruby-joni/2.1.6-2 by Hideki Yamane.
• libaqbanking/5.6.0beta-1 by Micha Lenk.
• libencode-hanextra-perl/0.23-4 fixed and uploaded by Niko Tyni.
• libencode-jis2k-perl/0.02-3 by Niko Tyni.
• libjide-oss-java/3.6.9+dfsg-1 by Markus Koschany.
• librpc-xml-perl/0.78-3 upload by Niko Tyni, original patch by Reiner Herrmann.
• libterm-readkey-perl/2.32-2 by Niko Tyni.
• mkgmap-splitter/0.0.0+svn421-1 by Bas Couwenberg.
• mod-authn-webid/0~20110301-3 by Clint Adams, original patch by Chris Lamb.
• ossim/1.8.16-4 uploaded by Bas Couwenberg, original patch by Juan Picca.
• psfex/3.17.1+dfsg-2 by Ole Streicher.
• socket-wrapper/1.1.3-2 uploaded by Laszlo Boszormenyi, original patch by Jelmer Vernooij.
• stiff/2.4.0-2 by Ole Streicher.
• testng/6.9.4-2 by Eugene Zhukov.
• wcwidth/0.1.4-2 by Sebastian Ramacher.

Some uploads fixed some reproducibility issues but not all of them:

• ant/1.9.5-1 by Emmanuel Bourg.
• gcin/2.8.3+dfsg1-2 by ChangZhuo Chen.
• grcompiler/4.2-5 by Hideki Yamane.
• python2.7/2.7.10-2 uploaded by Matthias Klose, based on a patch by Lunar.
• python3.4/3.4.3-7 uploaded by Matthias Klose, based on a patch by Lunar.
• python3.5/3.5.0~b2-1 uploaded by Matthias Klose, based on a patch by Lunar.
• wml/2.0.12ds1-9 by Axel Beckert.

Patches submitted which did not make their way to the archive yet:

• #787327 on vim by Reiner Herrmann: set a constant user and set modified-by option.
• #787650 on lush by Daniel Kahn Gillmor: remove __DATE__ and __TIME__ macros from source.
• #787669 on cloc by Daniel Kahn Gillmor: use time of latest debian/changelog entry in manpage.
• #787675 on ricochet by Daniel Kahn Gillmor: patch configure to allow an external build date and set it to the time of latest debian/changelog entry.
• #787804 on clipper by akira: set HTML_TIMESTAMP to NO in Doxygen configuration.
• #787829 on colobot by akira: set HTML_TIMESTAMP to NO in Doxygen configuration.
• #787865 on fastjet by akira: call Doxygen with HTML_TIMESTAMP set to NO.
• #787916 on cal3d by akira: remove $datetime from the file api_footer.html.
• #787918 on dime by akira: remove $datetime from the file footer.html.

Daniel Kahn Gilmor also started discussions for emacs24 and the unsorted lists in generated .el files, the recording of a PID number in lush, and the reproducibility of ISO images in grub2. reproducible.debian.net Notifications are now sent when the build environment for a package has changed between two builds. This is a first step before automatically building the package once more. (Holger Levsen) jenkins.debian.net was upgraded to Debian Jessie. (Holger Levsen) A new variation is now being tested: $PATH. The second build will be done with a /i/capture/the/path added. (Holger Levsen) Holger Levsen with the help of Alexander Couzens wrote extra job to test the reproducibility of coreboot. Thanks James McCoy for helping with certificate issues. Mattia Rizollo made some more internal improvements. strip-nondeterminism development Andrew Ayer released strip-nondeterminism/0.008-1. This new version fixes the gzip handler so that it now skip adding a predetermined timestamp when there was none. Holger Levsen sponsored the upload. Documentation update The pages about timestamps in manpages generated by Doxygen, GHC .hi files, and Jar files have been updated to reflect their status in upstream. Markus Koschany documented an easy way to prevent Doxygen to write timestamps in HTML output. Package reviews 83 obsolete reviews have been removed, 71 added and 48 updated this week. Meetings A meeting was held on 2015-06-03. Minutes and full logs are available. It was agreed to hold such a meeting every two weeks for the time being. The time of the next meeting should be announced soon.