My monthly report covers a large part of what I have been doing in the free software world. I write it for my donors (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it s one of the best ways to find volunteers to work with me on projects that matter to me. Debian LTS This month I was allocated 12h but I only spent 10.5h. During this time, I continued my work on exiv2. I finished reproducing all the issues and then went on doing code reviews to confirm that vulnerabilities were not present when the issue was not reproducible. I found two CVE where the vulnerability was present in the wheezy version and I posted patches in the upstream bug tracker: #57 and #55. Then another batch of 10 CVE appeared and I started the process over I m currently trying to reproduce the issues. While doing all this work on exiv2, I also uncovered a failure to build on the package in experimental (reported here). Misc Debian/Kali work Debian Live. I merged 3 live-build patches prepared by Matthijs Kooijman and added an armel fix to cope with the the rename of the orion5x image into the marvell one. I also uploaded a new live-config to fix a bug with the keyboard configuration. Finally, I also released a new live-installer udeb to cope with a recent live-build change that broke the locale selection during the installation process. Debian Installer. I prepared a few patches on pkgsel to merge a few features that had been added to Ubuntu, most notably the possibility to enable unattended-upgrades by default. More bug reports. I investigated much further my problem with non-booting qemu images when they are built by vmdebootstrap in a chroot managed by schroot (cf #872999) and while we have much more data, it s not yet clear why it doesn t work. But we have a working work-around While investigating issues seen in Kali, I opened a bunch of reports on the Debian side:

• #874657: pcmanfm: should have explicit recommends on lxpolkit polkit-1-auth-agent
• #874626: bin-nmu request to complete two transitions and bring back some packages in testing
• #875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)

Packaging. I sponsored two uploads (dirb and python-elasticsearch). Debian Handbook. My work on updating the book mostly stalled. The only thing I did was to review the patch about wireless configuration in #863496. I must really get back to work on the book! Thanks See you next month for a new summary of my activities.

No comment Liked this article? Click here. My blog is Flattr-enabled.

What happened in the Reproducible Builds effort between May 8th and May 14th 2016: Documentation updates

• Ximin Luo spent some work on improving and updating our documentation:
  • updated the SOURCE_DATE_EPOCH adoption page at wiki.debian.org/ReproducibleBuilds/TimestampsProposal with a compilation of our reasonings versus common arguments encountered with package maintainers and upstream developers.
  • updated wiki.debian.org/ReproducibleBuilds/Howto
  • and also moved resolved issues to wiki.debian.org/ReproducibleBuilds/OldIssues.
• https://anonscm.debian.org/git/reproducible/ has been cleaned up by Ximin, including the removal of the link from diffoscope.git to debbindiff.git.

Toolchain fixes

• dpkg 1.18.7 has been uploaded to unstable, after which Mattia Rizzolo took care of rebasing our patched version.
  • this prompted h01ger to restart the discussion about reproducible dpkg for sid and stretch
  • to which Guillem replied with a status update.
• gcc-5 and gcc-6 migrated to testing with the patch to honour SOURCE_DATE_EPOCH
• Ximin Luo started an upstream discussion with the Ghostscript developers.
• Norbert Preining has uploaded a new version of texlive-bin with these changes relevant to us:
  • imported Upstream version 2016.20160512.41045 support for suppressing timestamps (SOURCE_DATE_EPOCH) (Closes: #792202)
  • add support for SOURCE_DATE_EPOCH also to luatex
• cdbs 0.4.131 has been uploaded to unstable by Jonas Smedegaard, fixing these issues relevant to us:
  • #794241: export SOURCE_DATE_EPOCH. Original patch by akira
  • #764478: call dh_strip_nondeterminism if available. Original patch by Holger Levsen
• libxslt 1.1.28-3 has been uploaded to unstable by Mattia Rizzolo, fixing the following toolchain issues:
  • #823857: backport patch from upstream to provide stable IDs in the genrated documents.
  • #791815: Honour SOURCE_DATE_EPOCH when embedding timestamps in docs. Patch by Eduard Sanou.

Packages fixed The following 28 packages have become newly reproducible due to changes in their build dependencies: actor-framework ask asterisk-prompt-fr-armelle asterisk-prompt-fr-proformatique coccinelle cwebx d-itg device-tree-compiler flann fortunes-es idlastro jabref konclude latexdiff libint minlog modplugtools mummer mwrap mxallowd mysql-mmm ocaml-atd ocamlviz postbooks pycorrfit pyscanfcs python-pcs weka The following 9 packages had older versions which were reproducible, and their latest versions are now reproducible again due to changes in their build dependencies: csync2 dune-common dune-localfunctions libcommons-jxpath-java libcommons-logging-java libstax-java libyanfs-java python-daemon yacas The following packages have become newly reproducible after being fixed:

• asymptote/2.38-1 by Norbert Preining, original patch by Alexis Bienven e.
• bnd/2.4.1-4 by Emmanuel Bourg.
• cgal/4.8-4 by Joachim Reichel.
• courier/0.76.1-2 by Ond ej Sur , original patch by Alexis Bienven e.
• dict-foldoc/20160505-1 by Iustin Pop, original patch by Reiner Herrmann.
• emoslib/2:4.4.1-2 by Alastair McKinstry, original patch by boyska.
• libksba/1.3.4-3 by Andreas Metzler.
• mp4h/1.3.1-15 by Axel Beckert.
• stk/4.5.2+dfsg-2 by Felipe Sateler, original patch by Alexis Bienven e.
• sympow/1.023-7 by Jerome Benoit.
• x11proto-input/2.3.2-1 by Julien Cristau, original patch by Eduard Sanou.

The following packages had older versions which were reproducible, and their latest versions are now reproducible again after being fixed:

• klibc/2.0.4-9 by Ben Hutchings.

Some uploads have fixed some reproducibility issues, but not all of them:

• allegro4.4/2:4.4.2-8 by Andreas R nnquist, original patch by Daniel Shahaf.
• gearmand/1.0.6-7 by Alexandre Mestiashvili, original patch by Chris Lamb.
• mame/0.172-1 by Jordi Mallach.
• python-babel/1.3+dfsg.1-7 by Jean-Michel Vourg re, original patch by Val Lorentz.
• openttd/1.6.0-1 by Matthijs Kooijman.
• blender/2.77.a+dfsg0-4 by Matteo F. Vescovi, original patch by Campbell Burton.
• unburden-home-dir/0.4 by Axel Beckert.
• refpolicy/2:2.20140421-10 by Laurent Bigonville, original patch by Chris Lamb.
• kdiff3/0.9.98-3 by Eike Sauer.

Patches submitted that have not made their way to the archive yet:

• #787424 against emacs24 by Alexis Bienven e: order hashes when generating .el files
• #823764 against sen by Daniel Shahaf: render the build timestamp in a consistent timezone
• #823797 against openclonk by Alexis Bienven e: honour SOURCE_DATE_EPOCH
• #823961 against herbstluftwm by Fabian Wolff: honour SOURCE_DATE_EPOCH
• #824049 against emacs24 by Alexis Bienven e: make start value of gensym-counter reproducible
• #824050 against emacs24 by Alexis Bienven e: make autoloads files reproducible
• #824182 against codeblocks by Fabian Wolff: honour SOURCE_DATE_EPOCH
• #824263 against cmake by Reiner Herrmann: sort file lists from file(GLOB ...)

Package reviews 344 reviews have been added, 125 have been updated and 20 have been removed in this week. 14 FTBFS bugs have been reported by Chris Lamb. tests.reproducible-builds.org

• bpi0 has been reinstalled with a new ssd. (vagrant/h01ger)
• A new navigation menu for the Debian pages at https://tests.reproducible-builds.org/ has been implemented. (h01ger)

Misc. Dan Kegel sent a mail to report about his experiments with a reproducible dpkg PPA for Ubuntu. According to him sudo add-apt-repository ppa:dank/dpkg && sudo apt-get update && sudo apt-get install dpkg should be enough to get reproducible builds on Ubuntu 16.04. This week's edition was written by Ximin Luo and Holger Levsen and reviewed by a bunch of Reproducible builds folks on IRC.