Lunar: Reproducible builds: week 40 in Stretch cycle
What happened in the reproducible builds effort between January 24th and January 30th:
Media coverage
Holger Levsen was interviewed by the FOSDEM team to introduce his talk on Sunday 31st.
Toolchain fixes
Jonas Smedegaard uploaded d-shlibs/0.63 which makes the order of dependencies generated by d-devlibdeps stable across locales. Original patch by Reiner Herrmann.
Packages fixed
The following 53 packages have become reproducible due to changes in their build dependencies:
appstream-glib, aptitude, arbtt, btrfs-tools, cinnamon-settings-daemon, cppcheck, debian-security-support, easytag, gitit, gnash, gnome-control-center, gnome-keyring, gnome-shell, gnome-software, graphite2, gtk+2.0, gupnp, gvfs, gyp, hgview, htmlcxx, i3status, imms, irker, jmapviewer, katarakt, kmod, lastpass-cli, libaccounts-glib, libam7xxx, libldm, libopenobex, libsecret, linthesia, mate-session-manager, mpris-remote, network-manager, paprefs, php-opencloud, pisa, pyacidobasic, python-pymzml, python-pyscss, qtquick1-opensource-src, rdkit, ruby-rails-html-sanitizer, shellex, slony1-2, spacezero, spamprobe, sugar-toolkit-gtk3, tachyon, tgt.
The following packages became reproducible after getting fixed:
- angband-doc/3.0.3.6 by Manoj Srivastava, obsolete patch by Chris Lamb.
- atdgen/1.7.2-1 by Stéphane Glondu.
- bibtool/2.63+ds-1 by Jerome Benoit.
- cglib/3.2.0-1 by Emmanuel Bourg.
- cmst/2016.01.28-1 by Alf Gaida.
- coreutils/8.25-1 uploaded by Michael Stone, fixed upstream.
- doc-base/0.10.7 uploaded by Robert Luberda, original patch by Dhole.
- fpc/3.0.0+dfsg-1 uploaded by Paul Gevers.
- libaqbanking/5.6.4beta-1 by Micha Lenk.
- libgcrypt20/1.6.4-5 uploaded by Andreas Metzler, original patch by Lunar.
- libgwenhywfar/4.15.2beta-1 by Micha Lenk.
- libxdmcp/1:1.1.2-1.1 by Helmut Grohne (report).
- lpe/1.2.8-2 by Adam Majer, obsolete patches (#778197, #793697) by Chris Lamb and akira.
- mariadb-10.0/10.0.23-2 by Otto Kekäläinen.
- mixxx/2.0.0~dfsg-1 by Sebastian Ramacher.
- pd-lua/0.7.3-1 by IOhannes m zmölnig.
- pd-zexy/2.2.6-2 by IOhannes m zmölnig.
- polymake/3.0-1 uploaded by David Bremner, fixed upstream.
- prometheus/0.16.2+ds-1 by Martín Ferrari.
- screengrab/1.95+20160128-1 uploaded by Alf Gaida (report).
- spykeviewer/0.4.4-1 by Robert Pröpper, original patch by Reiner Herrmann.
- testdisk/7.0-1 uploaded by Roland Stigge, upstream patch reported by Mattia Rizzolo.
- xorg/1:7.7+13 uploaded by Timo Aaltonen, original patch by Dhole, merged by Andreas Boll.
Some uploads fixed some reproducibility issues, but not all of them:
- gnubg/1.05.000-4 by Russ Allbery.
- grcompiler/4.2-6 by Hideki Yamane.
- sdlgfx/2.0.25-5 fix by Felix Geyer, uploaded by Gianfranco Costamagna.
Patches submitted which have not made their way to the archive yet:
- #812876 on glib2.0 by Lunar: ensure that functions are sorted using the C locale when giotypefuncs.c is generated.
diffoscope development
diffoscope 48 was released on January 26th. It fixes several issues introduced by the retrieval of extra symbols from Debian debug packages. It also restores compatibility with older versions of binutils which do not support readelf --decompress.
strip-nondeterminism development
strip-nondeterminism 0.015-1 was uploaded on January 27th. It fixes handling of signed JAR files which are now going to be ignored to keep the signatures intact.
Package reviews
54 reviews have been removed, 36 added and 17 updated in the previous week.
30 new FTBFS bugs have been submitted by Chris Lamb, Michael Tautschnig, Mattia Rizzolo, and Tobias Frost.
Misc.
Alexander Couzens and Bryan Newbold have been busy fixing more issues in OpenWrt.
Version 1.6.3 of FreeBSD's package manager pkg(8) now supports SOURCE_DATE_EPOCH.
Ross Karchner did a lightning talk about reproducible builds at his work place and shared the slides.
Nearly a year ago people started worrying about the complexity of SHA-1 being reduced and the potential availability of viable attacks against things such as PGP keys that used SHA-1. Many people (myself included) generated a new key, or updated preferences on keys that were otherwise strong enough. There were worries about what this might mean for Debian. We were getting ahead of ourselves a bit though. Firstly, there haven't been any public viable attacks that I'm aware of (though of course this doesn't mean we shouldn't continue to migrate away), but secondly, there's a much easier method of attack: PGP v3 keys. To quote