What happened in the
Reproducible
Builds effort between April 24th and 30th 2016.
Media coverage
Reproducible builds were mentioned explicitly in two talks at the
Mini-DebConf in Vienna:
- Martin Michlmayr had a talk in which he presented an overview about innovations and changes in Debian in the last years. Martin expressed his disappointment that there was no talk from us in Vienna (we'll fix this at DebConf16 in Cape Town) and described the reproducible builds work as "a real innovation". His talk is very much worth seeing, whatever your current perspective, it might change your view on Debian.
- Ben Hutchings explains how Secure Boot will use signed kernels via separate signature packages and how this was designed with reproducible builds in mind.
Aspiration together with the OTF CommunityLab released
their report about the
Reproducible Builds summit in December 2015 in Athens.
Toolchain fixes
Now that the GCC development window has been opened again, the
SOURCE_DATE_EPOCH patch by Dhole and Matthias Klose to address the issue
timestamps_from_cpp_macros (
__DATE__
/
__TIME__
) has been
applied upstream and will be released with GCC 7.
Following that Matthias Klose also has uploaded
gcc-5/5.3.1-17 and
gcc-6/6.1.1-1 to unstable with a backport of that
SOURCE_DATE_EPOCH patch.
Emmanuel Bourg uploaded
maven/3.3.9-4, which uses
SOURCE_DATE_EPOCH for the
maven.build.timestamp
.
(
SOURCE_DATE_EPOCH specification)
Other upstream changes
Alexis Bienven e
submitted a patch to Sphinx which extends
SOURCE_DATE_EPOCH support for copyright years in generated documentation.
Packages fixed
The following 12 packages have become reproducible due to changes in their
build dependencies:
hhvm
jcsp
libfann
libflexdock-java
libjcommon-java
libswingx1-java
mobile-atlas-creator
not-yet-commons-ssl
plexus-utils
squareness
svnclientadapter
The following packages have became reproducible after being fixed:
Some uploads have fixed some reproducibility issues, but not all of them:
Patches submitted that have not made their way to the archive yet:
- #822566 against stk by Alexis Bienven e: sort lists of object files for reproducible linking order.
- #822948 against shotwell by Alexis Bienven e: normalize tarball permissions and use locale/timezone-independent modification time.
- #822963 against htop by Alexis Bienven e: use SOURCE_DATE_EPOCH for embedded copyright year, which has before already been applied in git and upstream.
Package reviews
95 reviews have been added, 15 have been updated and 129 have been removed in this week.
22 FTBFS bugs have been reported by Chris Lamb and Martin Michlmayr.
diffoscope development
- diffoscope 52~bpo8+1 has been uploaded to jessie-backports by Mattia Rizzolo, where it is currently waiting for NEW-approval.
- Support for the deb(5) format (uncompressed data.tar/control.tar, control.tar.xz) (Closes: #818414) has been completed by Reiner Herrmann in git.
strip-nondeterminism development
- Support for EPUB documents has been added (to the development version in git) by Holger Levsen, to address the timestamps_in_epub issue.
tests.reproducible-builds.org
Misc.
Amongst the
29 interns who will work on Debian through GSoC and Outreachy there are four who will be contributing to Reproducible Builds for Debian and Free Software. We are very glad to welcome ceridwen, Satyam Zode, Scarlett Clark and Valerie Young and look forward to working together with them the coming months (and maybe beyond)!
This week's edition was written by Reiner Herrmann and Holger Levsen and reviewed by a bunch of Reproducible builds folks on IRC.