What happened in the reproducible builds effort between December 27th and January 2nd: Infrastructure dak now silently accepts and discards .buildinfo files (commit 1, 2), thanks to Niels Thykier and Ansgar Burchardt. This was later confirmed as working by Mattia Rizzolo. Packages fixed The following packages have become reproducible due to changes in their build dependencies: banshee-community-extensions, javamail, mono-debugger-libs, python-avro. The following packages became reproducible after getting fixed:

• avrdude/6.2-5 by Milan Kupcevic.
• blosxom/2.1.2-2 uploaded by Rhonda D'Vine, original patches (#777292, #793001) by Chris Lamb and akira.
• buzztrax/0.10.2-2 uploaded by Sebastian Dr ge, original patch by Chris Lamb, fixed upstream.
• dx/1:4.4.4-8 by Graham Inggs.
• gap-guava/3.12+ds1-3 by Jerome Benoit.
• goffice/0.10.26-1 uploaded by Dmitry Smirnov, fixed upstream.
• gunroar/0.15.dfsg1-8 uploaded by Markus Koschany, original patch by Reiner Herrmann.
• iceweasel/43.0.2-1 by Mike Hommey.
• ii-esu/1.0a.dfsg1-7 uploaded by Markus Koschany, original patch by Reiner Herrmann.
• jing-trang/20131210+dfsg+1-4 by Samuel Thibault.
• mstflint/4.1.0+1.46.gb1cdaf7-1 by Mehdi Dogguy.
• mu-cade/0.11.dfsg1-9 uploaded by Markus Koschany, original patch by Reiner Herrmann.
• mumble/1.2.12-1 by Christopher Knadle.
• netris/0.52-10 by Rhonda D'Vine, original patches (#778201, #793707) by Chris Lamb and akira.
• onboard/1.1.2-2 uploaded by Mike Gabriel, original patch by Reiner Herrmann.
• parsec47/0.2.dfsg1-7 uploaded by Markus Koschany, original patch by Reiner Herrmann.
• pathological/1.1.3-14 by Markus Koschany.
• projectl/1.001.dfsg1-8 uploaded by Markus Koschany, original patch by Reiner Herrmann.
• re2c/0.15.3-1 by JCF Ploemen.
• s3d/0.2.2-14 by Sven Eckelmann.
• tulip/4.8.0dfsg-2 by Yann Dirson.
• val-and-rick/0.1a.dfsg1-5 uploaded by Markus Koschany, original patch by Reiner Herrmann.
• xterm/321-1 by Sven Joachim.

Some uploads fixed some reproducibility issues, but not all of them:

• debian-installer/20160101 uploaded by Cyril Brulebois with several fixes from Steven Chamberlain.
• drbd-utils/8.9.5-1 by Apollon Oikonomopoulos.
• hhvm/3.11.0+dfsg-1 by Faidon Liambotis.
• rkward/0.6.4-1 uploaded by Thomas Friedrichsmeier, original patch by Philip Rinn.
• rsbackup/3.0-2 uploaded by Matthew Vernon, original patches (#777394, #793716) by Chris Lamb and akira.
• tin/1:2.3.2-1 by Marco d'Itri.
• transdecoder/2.0.1+dfsg-2 uploaded by Andreas Tille, original patch by Chris Lamb.
• tumiki-fighters/0.2.dfsg1-7 uploaded by Markus Koschany, original patch by Reiner Herrmann.

Untested changes:

• fltk1.1/1.1.10-20 by Aaron M. Ucko, currently FTBFS.
• fltk1.3/1.3.3-5 by Aaron M. Ucko, currently FTBFS.

reproducible.debian.net The testing distribution (the upcoming stretch) is now tested on armhf. (h01ger) Four new armhf build nodes provided by Vagrant Cascandian were integrated in the infrastructer. This allowed for 9 new armhf builder jobs. (h01ger) The RPM-based build system, koji, is now in unstable and testing. (Marek Marczykowski-G recki, Ximin Luo). Package reviews 131 reviews have been removed, 71 added and 53 updated in the previous week. 58 new FTBFS reports were made by Chris Lamb and Chris West. New issues identified this week: nondeterminstic_ordering_in_gsettings_glib_enums_xml, nondeterminstic_output_in_warnings_generated_by_breathe, qt_translate_noop_nondeterminstic_ordering. Misc. Steven Chamberlain explained in length why reproducible cross-building across architectures mattered, and posted results of his tests comparing a stage1 debootstrapped chroot of linux-i386 once done from official Debian packages, the others cross-built from kfreebsd-amd64.

What happened in the reproducible builds effort this week: Toolchain fixes

• Joachim Breitner uploaded haskell-devscripts/0.9.11 which ads support for UTF-8 encoded debian/control file with all locales. Original patch by Chris Lamb.
• Jonas Smedegaard uploaded ghostscript which adds support for SOURCE_DATE_EPOCH. Original patch by Dhole.

akira submitted a patch to make cdbs export SOURCE_DATE_EPOCH. She uploded a package with the enhancement to the experimental reproducible repository. Packages fixed The following 15 packages became reproducible due to changes in their build dependencies: dracut, editorconfig-core, elasticsearch, fish, libftdi1, liblouisxml, mk-configure, nanoc, octave-bim, octave-data-smoothing, octave-financial, octave-ga, octave-missing-functions, octave-secs1d, octave-splines, valgrind. The following packages became reproducible after getting fixed:

• ant-contrib/1.0~b3+svn177-7 by Emmanuel Bourg.
• authbind/2.1.1+nmu1 uploaded by Johannes Schauer, original patch by akira.
• elektra/0.8.12-1 uploaded by Pino Toscano, original patch by akira.
• glance/2015.1.0-3 by Thomas Goirand.
• gnumeric/1.12.23-1 uploaded by Dmitry Smirnov, original patch by Daniel Kahn Gillmor.
• libdevice-cdio-perl/0.3.0-5 uploaded by gregor herrmann, report by Chris Lamb.
• libxray-scattering-perl/3.0.1-1.1 uploaded by gregor herrmann, original patch by Reiner Herrmann.
• libxray-spacegroup-perl/0.1.1-2.1 uploaded by gregor herrmann, original patch by Chris Lamb.
• ryu/3.23-2 by Dariusz Dwornikowski.

Some uploads fixed some reproducibility issues but not all of them:

• apophenia/0.999e+ds-1 uploaded by Jerome Benoit, original patch by akira.
• xbs/0-10 uploaded by Matthew Vernon, original patch by Colin Watson.
• bbswitch/0.8-2 uploaded by Vincent Cheng, original patch by Chris Lamb.
• mariadb-10.0/10.0.20-3 by Otto Kek l inen.
• icedove/38.0.1-1 uploaded by Christoph Goehre, improvements by Carsten Schoenert.
• apache2/2.4.16-1 uploaded by Stefan Fritsch, improvements by Jean-Michel Vourg re.

In contrib, Dmitry Smirnov improved libdvd-pkg with 1.3.99-1-1. Patches submitted which have not made their way to the archive yet:

• #793705 on mime-support by akira: set the mtimes of all files which are modified during builds to the latest debian/changelog entry.
• #793922 on polymake by Chris Lamb: sort Perl hash keys.
• #793980 on lsof by Valentin Lorentz: removes extra informations from the build system..
• #793996 on at by Valentin Lorentz: use absolute values for chmod.
• #794005 on python-dtcwt by Chris Lamb: use a constant seed for the random number generator.
• #794011 on gzip by Valentin Lorentz: remove date from texinfo header.
• #794014 on moin by Dhole: normalizes the timezone and fixes timestamps from the files compressed with zip.
• #794106 on cryptsetup by Valentin Lorentz: use date from latest debian/changelog entry in manpage.
• #794130 on coq by Valentin Lorentz: use C locale and UTC timezone when generating the build date.
• #794225 on libsyncml by akira: export SOURCE_DATE_EPOCH.
• #794239 on zipios++ by akira: export SOURCE_DATE_EPOCH.
• #794247 on whizzytex by Dhole: remove current date from documentation.
• #794248 on cortado by Dhole: allow the build date to be set externally and use time from the latest debian/changelog entry.
• #794395 on classified-ads by Reiner Herrmann: remove timestamps from PNG images.
• #794398 on clhep by Reiner Herrmann: sort source file list.
• #794399 on parsec47 by Reiner Herrmann: use C locale when sorting source files.
• #794400 on tumiki-fighters by Reiner Herrmann: use C locale when sorting source files.

reproducible.debian.net Four armhf build hosts were provided by Vagrant Cascadian and have been configured to be used by jenkins.debian.net. Work on including armhf builds in the reproducible.debian.net webpages has begun. So far the repository comparison page just shows us which armhf binary packages are currently missing in our repo. (h01ger) The scheduler has been changed to re-schedule more packages from stretch than sid, as the gcc5 transition has started This mostly affects build log age. (h01ger) A new depwait status has been introduced for packages which can't be built because of missing build dependencies. (Mattia Rizzolo) debbindiff development Finally, on August 31st, Lunar released debbindiff 27 containing a complete overhaul of the code for the comparison stage. The new architecture is more versatile and extensible while minimizing code duplication. libarchive is now used to handle cpio archives and iso9660 images through the newly packaged python-libarchive-c. This should also help support a couple other archive formats in the future. Symlinks and devices are now properly compared. Text files are compared as Unicode after being decoded, and encoding differences are reported. Support for Sqlite3 and Mono/.NET executables has been added. Thanks to Valentin Lorentz, the test suite should now run on more systems. A small defiency in unquashfs has been identified in the process. A long standing optimization is now performed on Debian package: based on the content of the md5sums control file, we skip comparing files with matching hashes. This makes debbindiff usable on packages with many files. Fuzzy-matching is now performed for files in the same container (like a tarball) to handle renames. Also, for Debian .changes, listed files are now compared without looking the embedded version number. This makes debbindiff a lot more useful when comparing different versions of the same package. Based on the rearchitecturing work has been done to allow parallel processing. The branch now seems to work most of the time. More test needs to be done before it can be merged. The current fuzzy-matching algorithm, ssdeep, has showed disappointing results. One important use case is being able to properly compare debug symbols. Their path is made using the Build ID. As this identifier is made with a checksum of the binary content, finding things like CPP macros is much easier when a diff of the debug symbols is available. Good news is that TLSH, another fuzzy-matching algorithm, has been tested with much better results. A package is waiting in NEW and the code is ready for it to become available. A follow-up release 28 was made on August 2nd fixing content label used for gzip2, bzip2 and xz files and an error on text files only differing in their encoding. It also contains a small code improvement on how comments on Difference object are handled. This is the last release name debbindiff. A new name has been chosen to better reflect that it is not a Debian specific tool. Stay tuned! Documentation update Valentin Lorentz updated the patch submission template to suggest to write the kind of issue in the bug subject. Small progress have been made on the Reproducible Builds HOWTO while preparing the related CCCamp15 talk. Package reviews 235 obsolete reviews have been removed, 47 added and 113 updated this week. 42 reports for packages failing to build from source have been made by Chris West (Faux). New issue added this week: haskell_devscripts_locale_substvars. Misc. Valentin Lorentz wrote a script to report packages tested as unreproducible installed on a system. We encourage everyone to run it on their systems and give feedback!

Thorsten Glaser reported Debian bug #780000 on Saturday March 7th 2015, against the gcc-4.9 package. Bug #770000 was reported as of November 18th so there have been 10,000 bugs in about 3.5 months, which was significantly slower than earlier. Matthew Vernon reported Debian bug #790000 on Friday June 26th 2015, against the pcre3 package. Thus, there have been 10,000 bugs in 3.5 months again. It seems that the bug report rate stabilized again. Sorry for missing bug #780000 annoucement. I'm doing this since....November 2007 for bug #450000 and it seems that this lack of attention is somehow significant wrt my involvment in Debian. Still, this involvment is still here and I'll try to "survive" in the project until we reach bug #1000000...:-) See you for bug #800000 annoucement and the result of the bets we placed on the date it would happen.

What happened about the reproducible builds effort for this week: Toolchain fixes

• Guillem Jover uploaded dpkg/1.18.0 which now uses an approximation to compute Installed-Size, making it indpendent from the underlying filesystem. It now always sort the Dpkg::Dist::Files files list on output to make the output stable with parallel builds.
• Lunar uploaded mozilla-devscripts/0.40 which told xpi-pack to skip saving extra zip attributes when making jar.
• Dominique Dumont uploaded libmodule-build-perl/0.421100-2 which makes the output deterministic. Original patch by Lunar.

Lunar rebased our custom dpkg on the new release, removing a now unneeded patch identified by Guillem Jover. An extra sort in the buildinfo generator prevented a stable order and was quickly fixed once identified. Mattia Rizzolo also rebased our custom debhelper on the latest release. Packages fixed The following 30 packages became reproducible due to changes in their build dependencies: animal-sniffer, asciidoctor, autodock-vina, camping, cookie-monster, downthemall, flashblock, gamera, httpcomponents-core, https-finder, icedove-l10n, istack-commons, jdeb, libmodule-build-perl, libur-perl, livehttpheaders, maven-dependency-plugin, maven-ejb-plugin, mozilla-noscript, nosquint, requestpolicy, ruby-benchmark-ips, ruby-benchmark-suite, ruby-expression-parser, ruby-github-markup, ruby-http-connection, ruby-settingslogic, ruby-uuidtools, webkit2gtk, wot. The following packages became reproducible after getting fixed:

• aisleriot/1:3.16.2-1 uploaded by Andreas Henriksson, original patch by Chris Lamb.
• aws-sdk-for-php/2.8.5-1 by David Pr vot.
• bamtools/2.3.0+dfsg-3 uploaded by Andreas Tille, fix by Michael R. Crusoe.
• base-files/9.2 by Santiago Vila, some patches by Lunar.
• debian-keyring/2015.05.17 by Daniel Kahn Gillmor.
• debram/2.0.0.2 by Thaddeus H. Black.
• dianara/1.3.0-2 by M nica Ram rez Arceda.
• gazebo/5.0.1+dfsg-1~exp1 by Jose Luis Rivero.
• glassfish/1:2.1.1-b31g+dfsg1-3 uploaded by Emmanuel Bourg, original patch by Daniel Kahn Gillmor.
• lcdproc/0.5.7-3 by Dominique Dumont.
• libalien-sdl-perl/1.446-2 by Dominique Dumont.
• libvirt-python/1.2.15-1 uploaded by Guido G nther, original patch by Chris Lamb.
• libxmpcore-java/5.1.2-3 by Emmanuel Bourg.
• pdb2pqr/2.0.0+dfsg-1 uploaded by Andreas Tille, original patch by Reiner Herrmann.
• puredata/0.46.6-2 by Paul Brossier.
• qt-gstreamer/1.2.0-2 by Diane Trout.
• socat/1.7.3.0-1 uploaded by Laszlo Boszormenyi, original patch by Lunar.
• swaks/20130209.0-5 by Andreas Metzler, some patches by Chris Lamb.
• tf/1:4.0s1-19 by Jan Niehusmann.
• unzip/6.0-17 uploaded by Santiago Vila, original patch by Lunar.
• yorick/2.2.04+dfsg1-2 by by Thibaut Paumard.
• zip/3.0-10 by Santiago Vila, some patches by Chris Lamb.

Some uploads fixed some reproducibility issues but not all of them:

• bible-kjv/4.27 uploaded by Matthew Vernon, original patch by Chris Lamb.
• calendar/2.04-1 by St phane Glondu.
• cupt/2.9.0 uploaded by Eugene V. Lyubimkin, original patch by Chris Lamb.
• dactyl/1.2~hg7166-1 uploaded by Michael Schutte, original patch by Chris Lamb.
• ghc/7.10.1-5 by Joachim Breitner.
• icedove/38.0~b5-1 by Carsten Schoenert.
• jd/1:2.8.9-150226-2 by Hideki Yamane.
• libparse-debianchangelog-perl/1.2.0-2 by intrigeri.
• winswitch/0.12.21+dfsg-1 by Dmitry Smirnov.

Patches submitted which did not make their way to the archive yet:

• #775531 on console-setup by Reiner Herrmann: update and split patch written in January.
• #785535 on maradns by Reiner Herrmann: use latest entry in debian/changelog as build date.
• #785549 on dist by Reiner Herrmann: set hostname and domainname to predefined value.
• #785583 on s5 by Juan Picca: set timezone to UTC when unzipping files.
• #785617 on python-carrot by Juan Picca: use latest entry in debian/changelog as documentation build date.
• #785774 on afterstep by Juan Picca: modify documentation generator to allow a build date to be set instead of the current time, then use latest entry in debian/changelog as reference.
• #786508 on ttyload by Juan Picca: remove timestamp from documentation.
• #786568 on linux-minidisc by Lunar: use latest entry in debian/changelog as build date.
• #786615 on kfreebsd-10 by Steven Chamberlain: make order of file in source tarballs stable.
• #786633 on webkit2pdf by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.
• #786634 on libxray-scattering-perl by Reiner Herrmann: tell Storable::nstore to produce sorted output.
• #786637 on nvidia-settings by Lunar: define DATE, WHOAMI, andHOSTNAME_CMD to stable values.
• #786710 on armada-backlight by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.
• #786711 on leafpad by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.
• #786714 on equivs by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.

Also, the following bugs have been reported:

• #785536 on maradns by Reiner Herrmann: unreproducible deadwood binary.
• #785624 on doxygen by Christoph Berg: timestamps in manpages generated makes builds non-reproducible.
• #785736 on git-annex by Daniel Kahn Gillmor: documentation should be made reproducible.
• #786593 on wordwarvi by Holger Levsen: please provide a --distrobuild build switch.
• #786601 on sbcl by Holger Levsen: FTBFS when locales-all is installed instead of locales.
• #786669 on ruby-celluloid by Holger Levsen: tests sometimes fail, causing ftbfs sometimes.
• #786743 on obnam by Holger Levsen: FTBFS.

reproducible.debian.net Holger Levsen made several small bug fixes and a few more visible changes:

• For packages in testing, comparisions will be done using the sid version of debbindiff.
• The scheduler will now schedule old packages from sid twice often as the ones in testing as we care more about the former at the moment.
• More statistics are now visible and the layout has been improved.
• Variations between the first and second build are now explained on the statistics page.

strip-nondeterminism Version 0.007-1 of strip-nondeterminism the tool to post-process various file formats to normalize them has been uploaded by Holger Levsen. Version 0.006-1 was already in the reproducible repository, the new version mainly improve the detection of Maven's pom.properties files. debbindiff development At the request of Emmanuel Bourg, Reiner Herrmann added a comparator for Java .class files. Documentation update Christoph Berg created a new page for the timestamps in manpages created by Doxygen. Package reviews 93 obsolete reviews have been removed, 76 added and 43 updated this week. New identified issues: timestamps in manpages generated by Doxygen, modification time differences in files extracted by unzip, tstamp task used in Ant build.xml, timestamps in documentation generated by ASDocGen. The description for build id related issues has been clarified. Meetings Holger Levsen announced a first meeting on Wednesday, June 3rd, 2015, 19:00 UTC. The agenda is amendable on the wiki. Misc. Lunar worked on a proof-of-concept script to import the build environment found in .buildinfo files to UDD. Lucas Nussbaum has positively reviewed the proposed schema. Holger Levsen cleaned up various experimental toolchain repositories, marking merged brances as such.

Out of curiosity, and because it is Sunday morning and I have a cold and can't get my brain to do anything tricky, I counted the number of candidates in each year's DPL elections.

Year	Count	Names
1999	4	Joseph Carter, Ben Collins, Wichert Akkerman, Richard Braakman
2000	4	Ben Collins, Wichert Akkerman, Joel Klecker, Matthew Vernon
2001	4	Branden Robinson, Anand Kumria, Ben Collins, Bdale Garbee
2002	3	Branden Robinson, Rapha l Hertzog, Bdale Garbee
2003	4	Moshe Zadka, Bdale Garbee, Branden Robinson, Martin Michlmayr
2004	3	Martin Michlmayr, Gergely Nagy, Branden Robinson
2005	6	Matthew Garrett, Andreas Schuldei, Angus Lees, Anthony Towns, Jonathan Walther, Branden Robinson
2006	7	Jeroen van Wolffelaar, Ari Pollak, Steve McIntyre, Anthony Towns, Andreas Schuldei, Jonathan (Ted) Walther, Bill Allombert
2007	8	Wouter Verhelst, Aigars Mahinovs, Gustavo Franco, Sam Hocevar, Steve McIntyre, Rapha l Hertzog, Anthony Towns, Simon Richter
2008	3	Marc Brockschmidt, Rapha l Hertzog, Steve McIntyre
2009	2	Stefano Zacchiroli, Steve McIntyre
2010	4	Stefano Zacchiroli, Wouter Verhelst, Charles Plessy, Margarita Manterola
2011	1	Stefano Zacchiroli (no vote yet)

Winner indicate by boldface. I expect Zack to win over "None Of The Above", so I went ahead and boldfaced him already, even if there has not been a vote for this year. Median number of candidates is 4.

Nearly a year ago people starting worrying about the complexity of SHA-1 being reduced and the potential availability of viable attacks against things such as PGP keys that used SHA-1. Many people (myself included) generated a new key, or updated preferences on keys that were otherwise strong enough. There were worries about what this might mean for Debian. We were getting ahead of ourselves a bit though. Firstly there haven't been any public viable attacks that I'm aware of (though of course this doesn't mean we shouldn't continue to migrate away), but secondly there's a much easier method of attack. PGP v3 keys. To quote RFC4880:

V3 keys are deprecated. They contain three weaknesses. First, it is relatively easy to construct a V3 key that has the same Key ID as any other key because the Key ID is simply the low 64 bits of the public modulus. Secondly, because the fingerprint of a V3 key hashes the key material, but not its length, there is an increased opportunity for fingerprint collisions. Third, there are weaknesses in the MD5 hash algorithm that make developers prefer other algorithms. See below for a fuller discussion of Key IDs and fingerprints.

At the time of writing Debian has 21 remaining v3 keys. This is a significant improvement over a year ago, when we had 200, but it's still 21 more than I'd like. I've been chasing people since last May (starting with those who had v3 + v4 keys, all of whom now only have a v4 key) and we're down to the stragglers. So it's time to name and shame, in the hope of kicking them into action. The following keys are what's left (doesn't match the currently active keyring because we've had a few replacements since the last promote):

0x0D2156BD3D97C149 Michael Stone <mstone>
0x225FD911CD269B31 Carlos Barros <cbf>
0x31E73F14E298966D James R. Van Zandt <jrv>
0x366CD3FEEBC11B01 Chris Waters <xtifr>
0x37A73FE355E8BC4D Frederic Lepied <lepied>
0x3E973117DCC528E9 Ardo van Rangelrooij <ardo>
0x5C7A46637953F711 Rich Sahlender <rsahlen>
0x5D6560F85F30F005 Craig Brozefsky <craig>
0x6B0E322836129171 Jim Westveer <jwest>
0x723724B4A5B6DD31 Christian Meder <meder>
0x7629B22ED71DAABD Adrian Bridgett <bridgett>
0x8FFC405EFD5A67CD Adam Di Carlo <aph>
0xB0D269DE17F3D4D1 Matthew Vernon <matthew>
0xBC151FC8D2A913A1 Peter S Galbraith <psg>
0xC1A0A171C2DCD3B1 Jim Mintha <jmintha>
0xC3168EBA23F5ADDB Ian Jackson <iwj>
0xCE951B1160D74C7D Patrick Cole <ltd>
0xE82A8B0D57137FE5 Paul Seelig <pseelig>
0xF20E242CE77AC835 Brian White <bcwhite>
0xFBAA570C3087194D Alan Bain <afrb2>
0xFFD1B4AC7C19FD19 David Engel <david>

Of these keys only 2 voted in the recent DPL election. 8 have failed to make any response to my mails (3 since last August). Only 9 have uploaded a package since August 2008. And 10 were already known to the MIA database. Some of them have stated they'll sort out a new key, but not yet done so.

If you are one of these people, please either get a new key sorted and signed and reply to the mails I've sent you, or reply and say you no longer wish to be involved in Debian. And if you know any of these people, encourage them to get a new key sorted and offer to sign it for them.