Contributing to Debian is part of Freexian s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

DEP-17 progress, by Helmut and Emilio We posted a proposal for modifying dpkg to better cope with directory aliasing. After an initial period of silence, the discussion took off, but was mostly diverted to a competing proposal by Luca Boccassi: Do not change dpkg at all, but still move all files affected by aliasing to their canonical location and thus removing the bad effects of aliasing. We facilitated this discussion and performed extensive analysis of this and competing proposals highlighting resulting problems and proposing solutions or workarounds. We performed a detailed analysis of how aliasing affects usage of dpkg-divert, dpkg-statoverride and update-alternatives. Details are available on the debian-dpkg mailinglist thread.

Debian Reimbursements Web App Progress, by Stefano Rivera In a project funded by Freexian s Project Funding initiative, Stefano made some more progress on the Debian Reimbursements Web App. The full workflow can now be exercised, completing the first milestone of the project, the Working Prototype.

DebConf Bursary Team, by Utkarsh Gupta Utkarsh started to prep the bursary team work, gearing up for DebConf, happening in India in September 2023. To learn more about the bursaries team, head to https://wiki.debian.org/Teams/DebConf/Bursaries. For learning how to apply for bursaries, visit https://debconf23.debconf.org/about/bursaries.

Miscellaneous contributions

• Stefano attended several DebConf planning meetings, and did some work on the DebConf 23 website.
• Stefano updated distro-info-data to include the release date of Debian bullseye, and added the next Ubuntu release, Mantic Minotour. This required a round of updates to all the stable releases, LTS, and ELTS.
• Helmut sent patches for 13 cross build failures and filed 104 RC bugs for missing Breaks and Replaces.

Welcome to the Reproducible Builds report for October 2022! In these reports we attempt to outline the most important things that we have been up to over the past month. As ever, if you are interested in contributing to the project, please visit our Contribute page on our website.

---

Our in-person summit this year was held in the past few days in Venice, Italy. Activity and news from the summit will therefore be covered in next month s report!

---

A new article related to reproducible builds was recently published in the 2023 IEEE Symposium on Security and Privacy. Titled Taxonomy of Attacks on Open-Source Software Supply Chains and authored by Piergiorgio Ladisa, Henrik Plate, Matias Martinez and Olivier Barais, their paper:

[ ] proposes a general taxonomy for attacks on opensource supply chains, independent of specific programming languages or ecosystems, and covering all supply chain stages from code contributions to package distribution.

Taking the form of an attack tree, the paper covers 107 unique vectors linked to 94 real world supply-chain incidents which is then mapped to 33 mitigating safeguards including, of course, reproducible builds:

Reproducible Builds received a very high utility rating (5) from 10 participants (58.8%), but also a high-cost rating (4 or 5) from 12 (70.6%). One expert commented that a reproducible build like used by Solarwinds now, is a good measure against tampering with a single build system and another claimed this is going to be the single, biggest barrier .

---

It was noticed this month that Solarwinds published a whitepaper back in December 2021 in order to:

[ ] illustrate a concerning new reality for the software industry and illuminates the increasingly sophisticated threats made by outside nation-states to the supply chains and infrastructure on which we all rely.

The 12-month anniversary of the 2020 Solarwinds attack (which SolarWinds Worldwide LLC itself calls the SUNBURST attack) was, of course, the likely impetus for publication.

---

Whilst collaborating on making the Cyrus IMAP server reproducible, Ellie Timoney asked why the Reproducible Builds testing framework uses two remarkably distinctive build paths when attempting to flush out builds that vary on the absolute system path in which they were built. In the case of the Cyrus IMAP server, these happened to be:

• /build/1st/cyrus-imapd-3.6.0~beta3/
• /build/2/cyrus-imapd-3.6.0~beta3/2nd/

Asked why they vary in three different ways, Chris Lamb listed in detail the motivation behind to each difference.

---

On our mailing list this month:

• Daniel Garcia from WalletScrutiny.com started a thread asking for input on buttons with the Reproducible Builds logo, requesting design suggestions or other feedback. [ ]
• Arch Linux contributor kpcyrd wrote to our list this month with the news that multiple people in Arch Linux noticed the output of our git archive command doesn t match the tarball served by GitHub anymore. In his post, kpcyrd narrows the change to a specific commit in Git. [ ]
• Akihiro Suda wrote to a share a new tool called repro-get. According to Akihiro s post, repro-get is a tool to install a specific snapshot of apt/dnf/apk/pacman packages using SHA256SUMS files . This is needed in order to install specific (or pinned ) dependencies needed to validate a build.
• Finally, Janneke Nieuwenhuizen announced the release of GNU Mes 0.24.1, which represents 23 commits over five months by four people. GNU Mes is a Scheme interpreter and C compiler for bootstrapping the GNU System. [ ]

---

The Reproducible Builds project is delighted to welcome openEuler to the Involved projects page [ ]. openEuler is Linux distribution developed by Huawei, a counterpart to it s more commercially-oriented EulerOS.

---

Debian Colin Watson wrote about his experience towards making the databases generated by the man-db UNIX manual page indexing tool:

One of the people working on [reproducible builds] noticed that man-db s database files were an obstacle to [reproducibility]: in particular, the exact contents of the database seemed to depend on the order in which files were scanned when building it. The reporter proposed solving this by processing files in sorted order, but I wasn t keen on that approach: firstly because it would mean we could no longer process files in an order that makes it more efficient to read them all from disk (still valuable on rotational disks), but mostly because the differences seemed to point to other bugs.

Colin goes on to describe his approach to solving the problem, including fixing various fits of internal caching, and he ends his post with None of this is particularly glamorous work, but it paid off .

---

Vagrant Cascadian announced on our mailing list another online sprint to help clear the huge backlog of reproducible builds patches submitted by performing NMUs (Non-Maintainer Uploads). The first such sprint took place on September 22nd, but another was held on October 6th, and another small one on October 20th. This resulted in the following progress:

• Chris Lamb:
  • ascii2binary (Fixed #1020812, #998758 & #1007421)
  • bibclean (Fixed #829754 & #929036)
  • dradio (Fixed #1020814)
  • leave (Fixed #777403, #967002 & #999259)
  • libimage-imlib2-perl (Fixed #1020665)
  • mailto (Fixed #998978 & #777413)
  • remote-tty (Fixed #829721 & #977280)
  • xcolmix (Fixed #1020748, #999219 & #988018)
  • z80asm (Fixed #939775 & #1020875)
• Holger Levsen:
  • libtheora (Fixed #990843 & #990844)
  • sgml-base (Fixed #1006646 & #929706)
• Vagrant Cascadian:
  • ario (Investigated #828876)
  • cloop (Fixed #787996)
  • elvis-tiny (Fixed #829755 & #901345)
  • hannah (Fixed #845782 & #901260)
  • mc (Investigated #828683)
  • mod-dnssd (Submitted alternate fix for #828752)
  • snake4 (Fixed #829715 & #913734)
  • the (Fixed #842550)
  • zephyr (Investigated #828867 & #1021374)
  • msp430mcu (Fixed #860275)
  • checkpw (Fixed #777299 & #1020887)
  • madlib (Fixed #778946)

---

41 reviews of Debian packages were added, 62 were updated and 12 were removed this month adding to our knowledge about identified issues. A number of issue types were updated too. [1][ ]

---

Lastly, Luca Boccassi submitted a patch to debhelper, a set of tools used in the packaging of the majority of Debian packages. The patch addressed an issue in the dh_installsysusers utility so that the postinst post-installation script that debhelper generates the same data regardless of the underlying filesystem ordering.

---

Other distributions F-Droid is a community-run app store that provides free software applications for Android phones. This month, F-Droid changed their documentation and guidance to now explicitly encourage RB for new apps [ ][ ], and FC Stegerman created an extremely in-depth issue on GitLab concerning the APK signing block. You can read more about F-Droid s approach to reproducibility in our July 2022 interview with Hans-Christoph Steiner of the F-Droid Project. In openSUSE, Bernhard M. Wiedemann published his usual openSUSE monthly report.

---

Upstream patches The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

• Bernhard M. Wiedemann:
  • asymptote (date-related issue)
  • fastjet-contrib (sort nondeterminstic filesystem ordering)
  • forge (Sphinx doctree issue)
  • gau2grid (output varies with march=native)
  • gosec (date-related issue)
  • helmfile (date-related issue)
  • libnvme (date-related issue)
  • moab (CPU)
  • tcl (fails to build in 2038)
  • vectorscan (output varies with march=native)
  • xz2/lzma (Rust-related filesystem ordering)
• Chris Lamb:
  • #891263 filed against puppet back in early 2018 was finally merged into Puppet and was released in Puppet 7.20.0.
  • #1021198 filed against puppet-agent.
  • #1022777 filed against tpm2-pytss (forwarded upstream).
• Vagrant Cascadian:
  • #1021331 filed against cclive.
  • #1021373 filed against librep.
  • #1021374 filed against zephyr.
  • #1021452 filed against libdv.
  • #1021454 filed against dbview.
  • #1021456 filed against bwbasic.
  • #1021457 filed against olpc-powerd.
  • #1021458 filed against o3dgc.
  • #1021461 filed against icon.
  • #1021463 filed against rdist.
  • #1021464 filed against stfl.
  • #1021466 filed against pacman.
  • #1021469 filed against lam.
  • #1021470 filed against xsok.
  • #1021471 filed against python-djvulibre.
  • #1021472 filed against xzoom.
  • #1021473 filed against nitpic.
  • #1021498 filed against tcm.
  • #1021509 filed against xxkb.
  • #1021512 filed against yersinia.
  • #1021513 filed against centrifuge.
  • #1021514 and #1021516 filed against ssocr.
  • #1021518 filed against jakarta-jmeter.
  • #1021520 filed against guymager.
  • #1021521 and #1021522 filed against crack.
  • #1021751 filed against dc3dd.
  • #1021789 filed against dlt-viewer.
  • #1021792 and #1021793 filed against vart.
  • #1021799 and #1021800 filed against pgrouting.
  • #1021860 filed against libsx.
  • #1021893 filed against device-tree-compiler.
  • #1022130 filed against tsdecrypt.
• John Neffenger:
  • openjdk (Fixed JDK-8292892)

diffoscope diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 224 and 225 to Debian:

• Add support for comparing the text content of HTML files using html2text. [ ]
• Add support for detecting ordering-only differences in XML files. [ ]
• Fix an issue with detecting ordering differences. [ ]
• Use the capitalised version of Ordering consistently everywhere in output. [ ]
• Add support for displaying font metadata using ttx(1) from the fonttools suite. [ ]
• Testsuite improvements:
  • Temporarily allow the stable-po pipeline to fail in the CI. [ ]
  • Rename the order1.diff test fixture to json_expected_ordering_diff. [ ]
  • Tidy the JSON tests. [ ]
  • Use assert_diff over get_data and an manual assert within the XML tests. [ ]
  • Drop the ALLOWED_TEST_FILES test; it was mostly just annoying. [ ]
  • Tidy the tests/test_source.py file. [ ]

Chris Lamb also added a link to diffoscope s OpenBSD packaging on the diffoscope.org homepage [ ] and Mattia Rizzolo fix an test failure that was occurring under with LLVM 15 [ ].

Testing framework The Reproducible Builds project operates a comprehensive testing framework at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility. In October, the following changes were made by Holger Levsen:

• Run the logparse tool to analyse results on the Debian Edu build logs. [ ]
• Install btop(1) on all nodes running Debian. [ ]
• Switch Arch Linux from using SHA1 to SHA256. [ ]
• When checking Debian debstrap jobs, correctly log the tool usage. [ ]
• Cleanup more task-related temporary directory names when testing Debian packages. [ ][ ]
• Use the cdebootstrap-static binary for the 2nd runs of the cdebootstrap tests. [ ]
• Drop a workaround when testing OpenWrt and coreboot as the issue in diffoscope has now been fixed. [ ]
• Turn on an rm(1) warning into an info -level message. [ ]
• Special case the osuosl168 node for running Debian bookworm already. [ ][ ]
• Use the new non-free-firmware suite on the o168 node. [ ]

In addition, Mattia Rizzolo made the following changes:

• Ensure that 2nd build has a merged /usr. [ ]
• Only reconfigure the usrmerge package on Debian bookworm and above. [ ]
• Fix bc(1) syntax in the computation of the percentage of unreproducible packages in the dashboard. [ ][ ][ ]
• In the index_suite_ pages, order the package status to be the same order of the menu. [ ]
• Pass the --distribution parameter to the pbuilder utility. [ ]

Finally, Roland Clobus continued his work on testing Live Debian images. In particular, he extended the maintenance script to warn when workspace directories cannot be deleted. [ ]
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.
• Twitter: @ReproBuilds
• Mailing list: rb-general@lists.reproducible-builds.org

Welcome to the May 2022 report from the Reproducible Builds project. In our reports we outline the most important things that we have been up to over the past month. As ever, if you are interested in contributing to the project, please visit our Contribute page on our website.

Repfix paper Zhilei Ren, Shiwei Sun, Jifeng Xuan, Xiaochen Li, Zhide Zhou and He Jiang have published an academic paper titled Automated Patching for Unreproducible Builds:

[..] fixing unreproducible build issues poses a set of challenges [..], among which we consider the localization granularity and the historical knowledge utilization as the most significant ones. To tackle these challenges, we propose a novel approach [called] RepFix that combines tracing-based fine-grained localization with history-based patch generation mechanisms.

The paper (PDF, 3.5MB) uses the Debian mylvmbackup package as an example to show how RepFix can automatically generate patches to make software build reproducibly. As it happens, Reiner Herrmann submitted a patch for the mylvmbackup package which has remained unapplied by the Debian package maintainer for over seven years, thus this paper inadvertently underscores that achieving reproducible builds will require both technical and social solutions.

Python variables Johannes Schauer discovered a fascinating bug where simply naming your Python variable _m led to unreproducible .pyc files. In particular, the types module in Python 3.10 requires the following patch to make it reproducible:

--- a/Lib/types.py
+++ b/Lib/types.py
@@ -37,8 +37,8 @@ _ag = _ag()
 AsyncGeneratorType = type(_ag)
 
 class _C:
-    def _m(self): pass
-MethodType = type(_C()._m)
+    def _b(self): pass
+MethodType = type(_C()._b)

Simply renaming the dummy method from _m to _b was enough to workaround the problem. Johannes bug report first led to a number of improvements in diffoscope to aid in dissecting .pyc files, but upstream identified this as caused by an issue surrounding interned strings and is being tracked in CPython bug #78274.

New SPDX team to incorporate build metadata in Software Bill of Materials SPDX, the open standard for Software Bill of Materials (SBOM), is continuously developed by a number of teams and committees. However, SPDX has welcomed a new addition; a team dedicated to enhancing metadata about software builds, complementing reproducible builds in creating a more secure software supply chain. The SPDX Builds Team has been working throughout May to define the universal primitives shared by all build systems, including the who, what, where and how of builds:

• Who: the identity of the person or organisation that controls the build infrastructure.
• What: the inputs and outputs of a given build, combining metadata about the build s configuration with an SBOM describing source code and dependencies.
• Where: the software packages making up the build system, from build orchestration tools such as Woodpecker CI and Tekton to language-specific tools.
• How: the invocation of a build, linking metadata of a build to the identity of the person or automation tool that initiated it.

The SPDX Builds Team expects to have a usable data model by September, ready for inclusion in the SPDX 3.0 standard. The team welcomes new contributors, inviting those interested in joining to introduce themselves on the SPDX-Tech mailing list.

Talks at Debian Reunion Hamburg Some of the Reproducible Builds team (Holger Levsen, Mattia Rizzolo, Roland Clobus, Philip Rinn, etc.) met in real life at the Debian Reunion Hamburg (official homepage). There were several informal discussions amongst them, as well as two talks related to reproducible builds. First, Holger Levsen gave a talk on the status of Reproducible Builds for bullseye and bookworm and beyond (WebM, 210MB): Secondly, Roland Clobus gave a talk called Reproducible builds as applied to non-compiler output (WebM, 115MB):

Supply-chain security attacks This was another bumper month for supply-chain attacks in package repositories. Early in the month, Lance R. Vick noticed that the maintainer of the NPM foreach package let their personal email domain expire, so they bought it and now controls foreach on NPM and the 36,826 projects that depend on it . Shortly afterwards, Drew DeVault published a related blog post titled When will we learn? that offers a brief timeline of major incidents in this area and, not uncontroversially, suggests that the correct way to ship packages is with your distribution s package manager .

Bootstrapping Bootstrapping is a process for building software tools progressively from a primitive compiler tool and source language up to a full Linux development environment with GCC, etc. This is important given the amount of trust we put in existing compiler binaries. This month, a bootstrappable mini-kernel was announced. Called boot2now, it comprises a series of compilers in the form of bootable machine images.

Google s new Assured Open Source Software service Google Cloud (the division responsible for the Google Compute Engine) announced a new Assured Open Source Software service. Noting the considerable 650% year-over-year increase in cyberattacks aimed at open source suppliers, the new service claims to enable enterprise and public sector users of open source software to easily incorporate the same OSS packages that Google uses into their own developer workflows . The announcement goes on to enumerate that packages curated by the new service would be:

• Regularly scanned, analyzed, and fuzz-tested for vulnerabilities.
• Have corresponding enriched metadata incorporating Container/Artifact Analysis data.
• Are built with Cloud Build including evidence of verifiable SLSA-compliance
• Are verifiably signed by Google.
• Are distributed from an Artifact Registry secured and protected by Google.

(Full announcement)

A retrospective on the Rust programming language Andrew bunnie Huang published a long blog post this month promising a critical retrospective on the Rust programming language. Amongst many acute observations about the evolution of the language s syntax (etc.), the post beings to critique the languages approach to supply chain security ( Rust Has A Limited View of Supply Chain Security ) and reproducibility ( You Can t Reproduce Someone Else s Rust Build ):

There s some bugs open with the Rust maintainers to address reproducible builds, but with the number of issues they have to deal with in the language, I am not optimistic that this problem will be resolved anytime soon. Assuming the only driver of the unreproducibility is the inclusion of OS paths in the binary, one fix to this would be to re-configure our build system to run in some sort of a chroot environment or a virtual machine that fixes the paths in a way that almost anyone else could reproduce. I say almost anyone else because this fix would be OS-dependent, so we d be able to get reproducible builds under, for example, Linux, but it would not help Windows users where chroot environments are not a thing.

(Full post)

Reproducible Builds IRC meeting The minutes and logs from our May 2022 IRC meeting have been published. In case you missed this one, our next IRC meeting will take place on Tuesday 28th June at 15:00 UTC on #reproducible-builds on the OFTC network.

A new tool to improve supply-chain security in Arch Linux kpcyrd published yet another interesting tool related to reproducibility. Writing about the tool in a recent blog post, kpcyrd mentions that although many PKGBUILDs provide authentication in the context of signed Git tags (i.e. the ability to verify the Git tag was signed by one of the two trusted keys ), they do not support pinning, ie. that upstream could create a new signed Git tag with an identical name, and arbitrarily change the source code without the [maintainer] noticing . Conversely, other PKGBUILDs support pinning but not authentication. The new tool, auth-tarball-from-git, fixes both problems, as nearly outlined in kpcyrd s original blog post.

diffoscope diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 212, 213 and 214 to Debian unstable. Chris also made the following changes:

• New features:
  • Add support for extracting vmlinuz Linux kernel images. [ ]
  • Support both python-argcomplete 1.x and 2.x. [ ]
  • Strip sticky etc. from x.deb: sticky Debian binary package [ ]. [ ]
  • Integrate test coverage with GitLab s concept of artifacts. [ ][ ][ ]
• Bug fixes:
  • Don t mask differences in .zip or .jar central directory extra fields. [ ]
  • Don t show a binary comparison of .zip or .jar files if we have observed at least one nested difference. [ ]
• Codebase improvements:
  • Substantially update comment for our calls to zipinfo and zipinfo -v. [ ]
  • Use assert_diff in test_zip over calling get_data with a separate assert. [ ]
  • Don t call re.compile and then call .sub on the result; just call re.sub directly. [ ]
  • Clarify the comment around the difference between --usage and --help. [ ]
• Testsuite improvements:
  • Test --help and --usage. [ ]
  • Test that --help includes the file formats. [ ]

Vagrant Cascadian added an external tool reference xb-tool for GNU Guix [ ] as well as updated the diffoscope package in GNU Guix itself [ ][ ][ ].

Distribution work In Debian, 41 reviews of Debian packages were added, 85 were updated and 13 were removed this month adding to our knowledge about identified issues. A number of issue types have been updated, including adding a new nondeterministic_ordering_in_deprecated_items_collected_by_doxygen toolchain issue [ ] as well as ones for mono_mastersummary_xml_files_inherit_filesystem_ordering [ ], extended_attributes_in_jar_file_created_without_manifest [ ] and apxs_captures_build_path [ ]. Vagrant Cascadian performed a rough check of the reproducibility of core package sets in GNU Guix, and in openSUSE, Bernhard M. Wiedemann posted his usual monthly reproducible builds status report.

Upstream patches The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

• Bernhard M. Wiedemann:
  • gtkmm-documentation (merged; sorting issue)
  • librespot (merged; random BuildID issue)
  • lirc (merged)
  • lsof (uname/hostname problem)
  • solanum (merged, possibly a race condition)
• Chris Lamb:
  • #1010845 filed against logapp.
  • #1010854 filed against mono.
  • #1010855 filed against longrun.
  • #1011452 filed against rust-simplelog.
  • #1011752 filed against freesas.
  • PeachPy (merged, sort entries)
• Johannes Schauer Marin Rodrigues:
  • #1010957 filed against man-db.
• Vagrant Cascadian:
  • #1010462 filed against mtink.
  • #1010463 filed against fceux.
  • #1010466 filed against glob2.
  • #1010483 filed against coinor-cgl.
  • #1010486 filed against metapixel.
  • #1010781 filed against ragel.
  • #1010785 filed against gdome2.
  • #1010787 filed against sgml-base-doc.
  • #1010789 filed against xarclock.
  • #1010790 filed against xgammon.
  • #1010825 filed against lwatch.
  • #1010828 filed against bbrun.
  • #1010830 filed against gscanbus.
  • #1010859 filed against libnss-gw-name.
  • #1010870 filed against pidgin-blinklight.
  • #1010871 filed against dvbtune.
  • #1010872 filed against efax.
  • #1010944 filed against quelcom.
  • #1010948 filed against xine-lib-1.2.
  • #1011034 filed against fusesmb.
  • #1011036 filed against mailfront.
  • #1011104 filed against convlit.
  • #1011109 filed against bitstormlite.
  • #1011257 filed against coinor-osi.
  • #1011402 filed against razor.
  • #1011405 filed against autoclass.
  • #1011428 filed against cdbackup.
  • #1011429 filed against dds2tar.
  • #1011469 filed against transcalc.
  • #1011470 filed against libapache2-mod-authz-unixgroup.
  • #1011471 filed against mgdiff.
  • #1011478 filed against scsitools.
  • #1011479 filed against fstrcmp.
  • #1011480 filed against libxsettings-client.
  • #1011481 filed against tamil-gtk2im.
  • #1011486 filed against tdfsb.
  • #1011488 filed against stymulator.
  • #1011489 filed against wiipdf.
  • #1011490 filed against gdigi.
  • #1011491 filed against getstream.
  • #1011493 filed against freecdb.
  • #1011495 filed against modglue.
  • #1011496 filed against nwall.
  • #1011498 filed against parprouted.
  • #1011499 filed against imagination.
  • #1011500 filed against tuxcmd-modules.
  • #1011501 filed against libapache2-mod-authn-yubikey.
  • #1011503 filed against libapache2-mod-auth-plain.
  • lcsync (remove build paths)

Reproducible builds website Chris Lamb updated the main Reproducible Builds website and documentation in a number of small ways, but also prepared and published an interview with Jan Nieuwenhuizen about Bootstrappable Builds, GNU Mes and GNU Guix. [ ][ ][ ][ ] In addition, Tim Jones added a link to the Talos Linux project [ ] and billchenchina fixed a dead link [ ].

Testing framework The Reproducible Builds project runs a significant testing framework at tests.reproducible-builds.org, to check packages and other artifacts for reproducibility. This month, the following changes were made:

• Holger Levsen:
  • Add support for detecting running kernels that require attention. [ ]
  • Temporarily configure a host to support performing Debian builds for packages that lack .buildinfo files. [ ]
  • Update generated webpages to clarify wishes for feedback. [ ]
  • Update copyright years on various scripts. [ ]
• Mattia Rizzolo:
  • Provide a facility so that Debian Live image generation can copy a file remotely. [ ][ ][ ][ ]
• Roland Clobus:
  • Add initial support for testing generated images with OpenQA. [ ]

And finally, as usual, node maintenance was also performed by Holger Levsen [ ][ ].

Misc news On our mailing list this month:

• John Neffenger posted that the early-access release of OpenJDK version 19 build 21 is reproducible.
• Mattia Rizzolo added a request around tentatively planning a Reproducible Builds summit in 2022.
• Bernhard M. Wiedemann posted about a Reproducible Builds meetup at the openSUSE conference in Nuremberg.
• Luca Boccassi asked for help getting arm64 binaries to build reproducibly for the Debian systemd package.
• Yaobin Wen asked a number of questions in an attempt to discover the best practices for manage Debian .dsc files using reprepro.

Contact If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.
• Twitter: @ReproBuilds
• Mailing list: rb-general@lists.reproducible-builds.org

The following contributors got their Debian Developer accounts in the last two months:

• Allison Randal (wendar)
• Carsten Schoenert (tijuca)
• Jeremy Bicha (jbicha)
• Luca Boccassi (bluca)
• Michael Hudson-Doyle (mwhudson)
• Elana Hashman (ehashman)

The following contributors were added as Debian Maintainers in the last two months:

• Ervin Heged s
• Tom Marble
• Lukas Schwaighofer
• Philippe Thierry

Congratulations!

The following contributors got their Debian Developer accounts in the last two months:

• Otto Kek l inen (otto)
• Dariusz Dwornikowski (darek)
• Daniel Stender (stender)
• Afif Elghraoui (afif)
• Victor Seva (vseva)
• James Cowgill (jcowgill)

The following contributors were added as Debian Maintainers in the last two months:

• Giovani Augusto Ferreira
• Ond ej Nov
• Jason Pleau
• Michael Robin Crusoe
• Ferenc W gner
• Enrico Rossi
• Christian Seiler
• Daniel Echeverry
• Ilias Tsitsimpis
• James Clarke
• Luca Boccassi

Congratulations!

What happened in the reproducible builds effort this week: Toolchain fixes

• Colin Watson uploaded groff/1.22.3-2 which implements support for SOURCE_DATE_EPOCH.
• Colin Watson uploaded halibut/1.1-2 which implements support for SOURCE_DATE_EPOCH.

Chris Lamb filled a bug on python-setuptools with a patch to make the generated requires.txt files reproducible. The patch has been forwarded upstream. Chris also understood why the she-bang in some Python scripts kept being undeterministic: setuptools as called by dh-python could skip re-installing the scripts if the build had been too fast (under one second). #804339 offers a patch fixing the issue by passing --force to setup.py install. #804141 reported on gettext asks for support of SOURCE_DATE_EPOCH in gettextize. Santiago Vila pointed out that it doesn't felt appropriate as gettextize is supposed to be an interactive tool. The problem reported seems to be in avahi build system instead. Packages fixed The following packages became reproducible due to changes in their build dependencies: celestia, dsdo, fonts-taml-tscu, fte, hkgerman, ifrench-gut, ispell-czech, maven-assembly-plugin, maven-project-info-reports-plugin, python-avro, ruby-compass, signond, thepeg, wagon2, xjdic. The following packages became reproducible after getting fixed:

• 4ti2/1.6.6+ds-1 uploaded by Jerome Benoit, fixed upstream.
• allegro4.4/2:4.4.2-7 uploaded by Andreas R nnquist, original patch by Reiner Herrmann.
• axel/2.5-2 by Joao Eriberto Mota Filho.
• bastet/0.43-4 by Markus Koschany.
• bbswitch/0.8-3 uploaded by Luca Boccassi, original patch by Reiner Herrmann.
• commons-math/2.2-5 by Emmanuel Bourg.
• fatresize/1.0.2-8 by Colin Watson, reported by Chris Lamb.
• giada/0.10.2~dfsg1-1 by IOhannes m zm lnig.
• groff/1.22.3-3 by Colin Watson.
• halibut/1.1-2 by Colin Watson.
• ivy/2.4.0-2 by Emmanuel Bourg.
• libfreemarker-java/2.3.23-2 by Emmanuel Bourg.
• libjna-java/4.2.1-1 by Emmanuel Bourg.
• lmemory/0.6c-8 by Markus Koschany.
• man-db/2.7.5-1 by Colin Watson.
• maven2-core/2.2.1-23 by Emmanuel Bourg.
• ncurses/6.0+20151024-2 by Sven Joachim, report by Esa Peuha.
• netmask/2.4.3-1 by Guilhem Moulin.
• ogre-1.9/1.9.0+dfsg1-7 uploaded by Manuel A. Fernandez Montecelo, original patch by Chris Lamb.
• praat/6.0.4-2 by Rafael Laboissiere.
• soundscaperenderer/0.4.2~dfsg-5 by IOhannes m zm lnig.
• usb-modeswitch-data/20151101-1 uploaded by Didier Raboud, original patch by Reiner Herrmann.

Some uploads fixed some reproducibility issues but not all of them:

• dbconfig-common/1.8.55 by Paul Gevers.
• mondrian/1:3.11.0.1-1 by Emmanuel Bourg.

Patches submitted which have not made their way to the archive yet:

• #803893 on goaccess by Guillaume Delacour: remove __DATE__ and __TIME__ macros.
• #803908 on starlink-pal by Chris Lamb: pass -info 0 to latex2html.

Chris Lamb closed a wrongly reopened bug against haskell-devscripts that was actually a problem in haddock. reproducible.debian.net FreeBSD tests are now run for three branches: master, stable/10, release/10.2.0. (h01ger) diffoscope development Support has been added for Free Pascal unit files (.ppc). (Paul Gevers) The homepage is now available using HTTPS, thanks to Let's Encrypt!. Work has been done to be able to publish diffoscope on the Python Package Index (also known as PyPI): the tlsh module is now optional, compatibility with python-magic has been added, and the fallback code to handle RPM has been fixed. Documentation update Reiner Herrmann, Paul Gevers, Niko Tyni, opi, and Dhole offered various fixes and wording improvements to the reproducible-builds.org. A mailing-list is now available to receive change notifications. NixOS, Guix, and Baserock are featured as projects working on reproducible builds. Package reviews 70 reviews have been removed, 74 added and 17 updated this week. Chris Lamb opened 22 new fail to build from source bugs. New issues this week: randomness_in_ocaml_provides, randomness_in_qdoc_page_id, randomness_in_python_setuptools_requires_txt, gettext_creates_ChangeLog_files_and_entries_with_current_date. Misc. h01ger and Chris Lamb presented Beyond reproducible builds at the MiniDebConf in Cambridge on November 8th. They gave an overview of where we stand and the changes in user tools, infrastructure, and development practices that we might want to see happening. Feedback on these thoughts are welcome. Slides are already available, and the video should be online soon. At the same event, a meeting happened with some members of the release team to discuss the best strategy regarding releases and reproducibility. Minutes have been posted on the Debian reproducible-builds mailing-list.