Here's what happened in the Reproducible Builds effort between Sunday April 23 and Saturday April 29 2017: Past and upcoming events On April 26th Chris Lamb gave a talk at foss-north 2017 in Gothenburg, Sweden on Reproducible Builds. Between May 5th-7th the Reproducible Builds Hackathon 2017 will take place in Hamburg, Germany. Then on May 26th Bernhard M. Wiedemann will give a talk titled reproducible builds in openSUSE (2017) at the openSUSE Conference 2017 in N rnberg, Germany. Media coverage Already on April 19th Sylvain Beucler wrote a yet another follow-up post Practical basics of reproducible builds 3, after part 1 and part 2 of his series. Toolchain development and fixes Michael Woerister of the Rust project has implemented file maps that affect all path-related compiler information, including "error messages, metadata, debuginfo, and the file!() macro alike". Ximin Luo with support from some other Rust developers and contributors helped steer the final result into something that was compatible with reproducible builds. Many thanks to all involved, especially for the patience of discussing this over several months. Ximin wrote a first-attempt patch to fix R build-path issues. It made 460/477 R packages reproducible, but also caused 3 of these to FTBFS. See randomness_in_r_rdb_rds_databases for details. Bugs filed and patches sent upstream Chris Lamb:

• #861133 filed against tf.
• #861443 filed against ora2pg.

Bernhard M. Wiedemann filed a number of patches upstream:

• intltool
• xine-ui
• tboot
• javapackages
• mxml, which got merged already.
• calibre, also merged.
• wammu, merged as well.

Reviews of unreproducible packages 102 package reviews have been added, 64 have been updated and 24 have been removed in this week, adding to our knowledge about identified issues. 3 issue types have been updated:

• Added captures_build_path_in_beam_files, recategorise some erlang packages with captures_build_path into this issue instead.
• Removed timestamps_in_beam_files.
• Holger started reviewing blacklisted_on_jenkins and blacklisted_on_jenkins_armhf_only and found quite some packages which don't need to be blacklisted anymore.

Weekly QA work During our reproducibility testing, FTBFS bugs have been detected and reported by:

• Aaron M. Ucko (1)
• Adrian Bunk (1)
• Chris Lamb (4)
• Santiago Vila (2)

diffoscope development diffoscope 82 was uploaded to experimental by Chris Lamb. It included contributions from:

• Chris Lamb:
  • Add support for Ogg Vorbis files.
• Vagrant Cascadian:
  • Add support for .dtb (device tree blob) files. (Closes: #861109).

Changes from previous weeks that were also released with 82:

• Ximin Luo
  • Add support for R .rds and .rdb object files.
• Chris Lamb
  • Add support for comparing Pcap files.
  • Add support for .docx and .odt files via docx2txt & odt2txt.
  • Add support for PGP files via pgpdump.
  • Various documentation and test improvements.
  • Various bug fixes and code quality improvements.
• Sylvain Beucler
  • Display differences in zip platform-specific timestamps.

Misc. This week's edition was written by Ximin Luo, Chris Lamb and Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

What happened in the Reproducible Builds effort between Sunday November 27 and Saturday December 3 2016: Reproducible work in other projects

• Ducible is a new tool to make Windows builds reproducible.
• Manish Goregaokar wrote about Reflections on Rusting Trust.

Media coverage, etc.

• There was a Reproducible Builds hackathon in Boston with contributions from Dafydd, Valerie, Clint, Harlen, Anders, Robbie and Ben. (See the "Bugs filed" section below for the results).
• Distrowatch mentioned Webconverger's reproducible status.

Bugs filed Chris Lamb:

• #846588 filed against minicoredumper.
• #846647 filed against tinyeartrainer.
• #846842 filed against nethogs.

Clint Adams:

• #846892 filed against pkg-mozilla-archive-keyring.

Dafydd Harries:

• #846893 filed against flac.

Daniel Shahaf:

• #846832 filed against patat.

Reiner Herrmann:

• #845991 filed against pathogen.

Valerie R Young:

• #846878 filed against taggrepper.
• #846890 filed against ipsvd.
• #846891 filed against integrit.

Reviews of unreproducible packages 15 package reviews have been added, 4 have been updated and 26 have been removed in this week, adding to our knowledge about identified issues. 2 issue types have been added:

• nondeterminstic_ordering_in_casacore_tables
• nondeterminstic_output_from_uglifyjs

Weekly QA work During our reproducibility testing, some FTBFS bugs have been detected and reported by:

• Chris Lamb (5)
• Lucas Nussbaum (8)
• Santiago Vila (1)

diffoscope development

• diffoscope 63 was uploaded to unstable by Ximin Luo:
  • Greatly improve speed for large archives by fixing O(n^2) complexity for archive member lookup.
  • add +/- buttons to toggle visibility of parts of the diff
  • Output coloured diff using colordiff(1) via --text-color= never,auto,always

Is is available now in Debian, Archlinux and on PyPI. strip-nondeterminism development

• At the Reproducible Builds Boston hackathon Anders Kaseorg filed #846895 treat .par files as Zip archives, including a patch which was merged into master.

reprotest development

• reprotest 0.4 was uploaded to unstable by Ximin Luo:
  • disorderfs variation: don't query the testbed, put that in the script instead
  • Add a build_path_same variation to run builds from the same path
  • Fix auto-presets in the case of a file in the current directory
  • Fix d/control so reprotesting reprotest in sbuild works (6 reproductions)
  • Add util-linux to Recommends since we use it to vary some things

tests.reproducible-builds.org

• Holger made a couple of changes:
  • Group all "done" and all "open" usertagged bugs together in the bugs graphs and move the "done bugs" from the bottom of these gaps.
  • Update list of packages installed on .debian.org machines.
  • Made the maintenance jobs run every 2h instead of 3h.
  • Various bug fixes and minor improvements.
• After thorough review by Mattia, some patches by Valerie were merged in preparation of the switch from sqlite to Postgresql, most notably a conversion to the sqlalchemy expression language.
• Holger gave a talk at Profitbricks about how Debian is using 168 cores, 503 GB RAM and 5 TB storage to make jenkins.debian.net and tests.reproducible-builds.org run. Many thanks to Profitbricks for supporting jenkins.debian.net since August 2012!
• Holger created a Jenkins job to build reprotest from git master branch.
• Finally, the Jenkins Naginator plugin was installed to retry git cloning in case of Alioth/network failures, this will benefit all jobs using Git on jenkins.debian.net.

Misc. This week's edition was written by Chris Lamb, Valerie Young, Vagrant Cascadian, Holger Levsen and reviewed by a bunch of Reproducible Builds folks on IRC.

What happened in the Reproducible Builds effort between Sunday October 16 and Saturday October 22 2016: Media coverage

• Chris Lamb presented at Software Freedom Kosovo on reproducible builds on Saturday 22nd October.

Upcoming events

• J rgen Rose will be giving a talk on Enforcing reproducible builds with Eclipse Package Drone at EclipseCon Europe 2016 in Ludwigsburg, Germany on October 27th.

buildinfo.debian.net In order to build packages reproducibly, you not only need identical sources but also some external definition of the environment used for a particular build. This definition includes the inputs and the outputs and, in the Debian case, are available in a $package_$architecture_$version.buildinfo file. We anticipate the next dpkg upload to sid will create .buildinfo files by default. Whilst it's clear that we also need to teach dak to deal with them (#763822) its not actually clear how to handle .buildinfo files after dak has processed them and how to make them available to the world. To this end, Chris Lamb has started development on a proof-of-concept .buildinfo server to see what issues arise. Source Reproducible work in other projects

• Ximin Luo submitted a patch to GCC as a prerequisite for future patches to make debugging symbols reproducible.

Packages reviewed and fixed, and bugs filed

• #841274 filed against node-once by Chris Lamb.
• #841342 filed against zshdb by Chris Lamb.
• #841427 filed against unifdef by Chris Lamb.
• #841440 filed against rdp-alignment by Chris Lamb.
• #841497 filed against cf-python by Chris Lamb.
• #841694 filed against dvdauthor by Reiner Herrmann.
• #841698 filed against node-lodash by Chris Lamb.
• #841701 filed against libtext-charwidth-perl by Reiner Herrmann.
• #841702 filed against libapt-pkg-perl by Reiner Herrmann.
• #841703 filed against libio-pty-perl by Reiner Herrmann.
• #841707 filed against eximdoc4 by Chris Lamb.

Reviews of unreproducible packages 99 package reviews have been added, 3 have been updated and 6 have been removed in this week, adding to our knowledge about identified issues. 6 issue types have been added:

• bin_sh_is_bash
• captures_build_arch
• captures_build_path_via_assert
• docbook_to_man_one_byte_delta_on_i386
• graphviz_nondeterminstic_output
• randomness_in_documentation_generated_by_scilab

Weekly QA work During of reproducibility testing, some FTBFS bugs have been detected and reported by:

• Chris Lamb (23)
• Daniel Reichelt (2)
• Lucas Nussbaum (1)
• Santiago Vila (18)

diffoscope development

• Mattia Rizzolo:
  • tests/ppu: skip some PPU tests if ppudump is < 3.0.0
  • ppu: ignore decoding errors from ppudump while filtering the output
  • ppu: don't do run a full ppudump while only looking for PPU file version
  • debian: bump debhelper compat level to 10, no changes needed.
• Michel Messerschmidt:
  • Add rudimentary support for OpenDocumentFormat files

tests.reproducible-builds.org

• h01ger increased the diskspace for reproducible content on Jenkins. Thanks to ProfitBricks.
• Valerie Young supplied a patch to make Python SQL interface more SQLite/PostgresSQL agnostic.
• lynxis worked hard to make LEDE and OpenWrt builds happen on two hosts.

Misc. Our poll to find a good time for an IRC meeting is still running until Tuesday, October 25st; please reply as soon as possible. We need a logo! Some ideas and requirements for a Reproducible Builds logo have been documented in the wiki. Contributions very welcome, even if simply by forwarding this information. This week's edition was written by Chris Lamb & Holger Levsen and reviewed by a bunch of Reproducible Builds folks on IRC.

OpenStack Newton is released, and uploaded to Sid OpenStack Newton was released on the Thursday 6th of October. I was able to upload nearly all of it before the week-end, though there was a bit of hick-ups still, as I forgot to upload python-fixtures 3.0.0 to unstable, and only realized it thanks to some bug reports. As this is a build time dependency, it didn t disrupt Sid users too much, but 38 packages wouldn t build without it. Thanks to Santiago Vila for pointing at the issue here. As of writing, a lot of the Newton packages didn t migrate to Testing yet. It s been migrating in a very messy way. I d love to improve this process, but I m not sure how, if not filling RC bugs against 250 packages (which would be painful to do), so they would migrate at once. Suggestions welcome. Bye bye Jenkins For a few years, I was using Jenkins, together with a post-receive hook to build Debian Stable backports of OpenStack packages. Though nearly a year and a half ago, we had that project to build the packages within the OpenStack infrastructure, and use the CI/CD like OpenStack upstream was doing. This is done, and Jenkins is gone, as of OpenStack Newton. Current status As of August, almost all of the packages Git repositories were uploaded to OpenStack Gerrit, and the build now happens in OpenStack infrastructure. We ve been able to build all packages a release OpenStack Newton Debian packages using this system. This non-official jessie backports repository has also been validated using Tempest. Goodies from Gerrit and upstream CI/CD It is very nice to have it built this way, so we will be able to maintain a full CI/CD in upstream infrastructure using Newton for the life of Stretch, which means we will have the tools to test security patches virtually forever. Another thing is that now, anyone can propose packaging patches without the need for an Alioth account, by sending a patch for review through Gerrit. It is our hope that this will increase the likeliness of external contribution, for example from 3rd party plugins vendors (ie: networking driver vendors, for example), or upstream contributors themselves. They are already used to Gerrit, and they all expected the packaging to work this way. They are all very much welcome. The upstream infra: nodepool, zuul and friends
The OpenStack infrastructure has been described already in planet.debian.org, by Ian Wienand. So I wont describe it again, he did a better job than I ever would. How it works All source packages are stored in Gerrit with the deb- prefix. This is in order to avoid conflict with upstream code, and to easily locate packaging repositories. For example, you ll find Nova packaging under https://git.openstack.org/cgit/openstack/deb-nova. Two Debian repositories are stored in the infrastructure AFS (Andrew File System, which means a copy of that repository exist on each cloud were we have compute resources): one for the actual deb-* builds, under jessie-newton , and one for the automatic backports, maintained in the deb-auto-backports gerrit repository. We re using a git tag based workflow. Every Gerrit repository contains all of the upstream branch, plus a debian/newton branch, which contains the same content as a tag of upstream, plus the debian folder. The orig tarball is generated using git archive , then used by sbuild to produce binaries. To package a new upstream release, one simply needs to git merge -X theirs FOO (where FOO is the tag you want to merge), then edit debian/changelog so that the Debian package version matches the tag, then do git commit -a amend , and simply git review . At this point, the OpenStack CI will build the package. If it builds correctly, then a core reviewer can approve the merge commit , the patch is merged, then the package is built and the binary package published on the OpenStack Debian package repository. Maintaining backports automatically The automatic backports is maintained through a Gerrit repository called deb-auto-backports containing a packages-list file that simply lists source packages we need to backport. On each new CR (change request) in Gerrit, thanks to some madison-lite and dpkg compare-version magic, the packages-list is used to compare what s in the Debian archive and what we have in the jessie-newton-backports repository. If the version is lower in our repository, or if the package doesn t exist, then a build is triggered. There is the possibility to backport from any Debian release (using the -d flag in the packages-list file), and even we can use jessie-backports to just rebuild the package. I also had to write a hack to just download from jessie-backports without rebuilding, because rebuilding the webkit2gtk package (needed by sphinx) was taking too resources (though we ll try to never use it, and rebuild packages when possible). The nice thing with this system, is that we don t need to care much about maintaining packages up-to-date: the script does that for us. Upstream Debian repository are NOT for production The produced package repositories are there because we have interconnected build dependencies, needed to run unit test at build time. It is the only reason why such Debian repository exist. They are not for production use. If you wish to deploy OpenStack, we very much recommend using packages from distributions (like Debian or Ubuntu). Indeed, the infrastructure Debian repositories are updated multiple times daily. As a result, it is very likely that you will experience failures to download (hash or file size mismatch and such). Also, the functional tests aren t yet wired in the CI/CD in OpenStack infra, and therefore, we cannot guarantee yet that the packages are usable. Improving the build infrastructure There s a bunch of things which we could do to improve the build process. Let me give a list of things we want to do.

• Get sbuild pre-setup in the Jessie VM images, so we can win 3 minutes per build. This means writing a diskimage-builder element for sbuild.
• Have the infrastructure use a state-of-the-art Debian ftp-sync mirror, instead of the current reprepro mirroring which produces an unsigned reprository, which we can t use for sbuild-createchroot. This will improve things a lot, as currently, there s lots of build failures because of httpredir.debian.org mirror inconsistencies (and these are very frustrating loss of time).
• For each packaging change, there s 3 build: the check job, the gate job, and the POST job. This is a loss of time and resources, as we need to build a package once only. It will be hopefully possible to fix this when the OpenStack infra team will deploy Zuul 3.

Generalizing to Debian During Debconf 16, I had very interesting talks with the DSA (Debian System Administrator) about deploying such a CI/CD for the whole of the Debian archive, interfacing Gerrit with something like dgit and a build CI. I was told that I should provide a proof of concept first, which I very much agreed with. Such a PoC is there now, within OpenStack infra. I very much welcome any Debian contributor to try it, through a packaging patch. If you wish to do so, you should read how to contribute to OpenStack here: https://wiki.openstack.org/wiki/How_To_Contribute#If_you.27re_a_developer and then simply send your patch with git review . This system, however, currently only fits the git tag based packaging workflow. We d have to do a little bit more work to make it possible to use pristine-tar (basically, allow to push in the upstream and pristine-tar branches without any CI job connected to the push). Dear DSA team, as we now nice PoC that is working well, on which the OpenStack PKG team is maintaining 100s of packages, shall we try to generalize and provide such infrastructure for every packaging team and DDs?

Here is what happened in the Reproducible Builds effort between Sunday September 18 and Saturday September 24 2016: Outreachy We intend to participate in Outreachy Round 13 and look forward for new enthusiastic applications to contribute to reproducible builds. We're offering four different areas to work on:

• Improve test and debugging tools.
• Improving reproducibility of Debian packages.
• Improving Debian infrastructure.
• Help collaboration across distributions.

Reproducible Builds World summit #2 We are planning e a similar event to our Athens 2015 summit and expect to reveal more information soon. If you haven't been contacted yet but would like to attend, please contact holger. Toolchain development and fixes Mattia uploaded dpkg/1.18.10.0~reproducible1 to our experimental repository. and covered the details for the upload in a mailing list post. The most important change is the incorporation of improvements made by Guillem Jover (dpkg maintainer) to the .buildinfo generator. This is also in the hope that it will speed up the merge in the upstream. One of the other relevant changes from before is that .buildinfo files generated from binary-only builds will no longer include the hash of the .dsc file in Checksums-Sha256 as documented in the specification. Even if it was considered important to include a checksum of the source package in .buildinfo, storing it that way breaks other assumptions (eg. that Checksums-Sha256 contains only files part of that are part of a single upload, wheras the .dsc might not be part of that upload), thus we look forward for another solution to store the source checksum in .buildinfo. Bugs filed

• #838713 filed against python-xlib by Chris Lamb.
• #838754 filed against golang-google-grpc by Chris Lamb.
• #838188 filed against ocaml by Johannes Schauer.
• #838785 filed against funnelweb by Reiner Herrmann.

Reviews of unreproducible packages 250 package reviews have been added, 4 have been updated and 4 have been removed in this week, adding to our knowledge about identified issues. 4 issue types have been added:

• captures_users_gecos issue
• timestamps_in_org_mode_html_output toolchain issue.
• varnish_vmodtool_random_file_id
• gpg_keyring_magic_bytes_differ

3 issue types have been updated:

• timestamps_in_org_mode_html_output more generally.
• timestamps_in_documentation_generated_by_texi2html
• randomness_in_ocaml_preprocessed_files

Weekly QA work FTBFS bugs have been reported by:

• Chris Lamb (11)
• Santiago Vila (2)

Documentation updates h01ger created a new Jenkins job so that every commit pushed to the master branch for the website will update reproducible-builds.org. diffoscope development

• Mattia Rizzolo:
  • Skip rlib tests if the "nm" tool is missing
• Ximin Luo:
  • Give better advice about what envvar to set to make the console work
  • tests/basic-command-line: check exit code and use a more complex example
  • Add a script to check sizes of dependencies
  • Don't use unicode quotes to avoid breakage under LC_ALL=C

strip-nondeterminism development

• Chris Lamb:
  • .perltidyrc: Add from lintian.
  • .perltidyrc: We use tabs, not spaces.
  • Run perltidy

reprotest development

• Ximin Luo uploaded reprotest 0.3 and 0.3.1 to unstable with these changes:
  • Make some variations more reliable, so tests don't fail
  • Add a safety device to guard against typos
  • Address lintian warnings
  • Remove any existing artifact, in case the build script doesn't overwrite it
  • Fix the logic of some tests, and don't vary fileordering on Debian buildds
  • Use the magic of VIRTUALENV_DOWNLOAD=no, seen in tox's own autopkgtest tests
  • Flush so subprocess output is guaranteed to appear later
  • Don't error if the build command generates stderr
  • Default tests to run on "null" only since it takes effort to set up the others
  • hey dawg i herd u liek tests so i put some tests in ur tests so u can test while u test
  • Make no_clear_on_error optional; we don't want to pass it in everywhere e.g. tests
  • Output a nice big obvious summary at the end when successful
  • Don't repeat documentation in two different places, move it all to --help
  • More reliable build artifact pattern matching, and update docs
  • Use a list comprehension for slightly more idiomatic python than map/lambda
  • Make multi-component artifact patterns like '.deb .changes' work correctly
  • Add a --no-clean-on-error option so you can analyse what went wrong
  • More help text for virtual_server_args
  • Support shell patterns as the build_artifact
  • Use sys.exit inside main(), not check() as it's more idiomatic
  • Pass kind='build' to check_exec so it doesn't time out after 100s
  • adt_testbed: add stdout/stderr to the "auxverb failed" error message, if available
  • If no virtual_server is given then use "null"

tests.reproducible-builds.org

• The full rebuild of all packages in unstable (for all tested archs) with the new build path variation has been completed. This has had the result that we are down to ~75% reproducible packages in unstable now. In comparison, for testing (where we don't vary the build path) we are still at ~90%. IRC notifications for unstable have been enabled again. (Holger)
• Make the notes job robust about bad data (see #833695 and #833738). (Holger)
• Setup profitbricks-build7 running stretch as testing reproducible builds of F-Droid need to use a newer version of vagrant in order to support running vagrant VMs with kvm on kvm. (Holger)
• The misbehaving 'opi2a' armhf node has been replaced with a Jetson-TK1 board kindly donated by NVidia. This machine is using an NVIDIA tegra-k1 (cortex-a15) quad-core board. (vagrant and Holger)

Misc. This week's edition was written by Chris Lamb, Holger Levsen and Mattia Rizzolo and reviewed by a bunch of Reproducible Builds folks on IRC.

What happened in the Reproducible Builds effort between Sunday September 11 and Saturday September 17 2016: Toolchain developments Ximin Luo started a new series of tools called (for now) debrepatch, to make it easier to automate checks that our old patches to Debian packages still apply to newer versions of those packages, and still make these reproducible. Ximin Luo updated one of our few remaining patches for dpkg in #787980 to make it cleaner and more minimal. The following tools were fixed to produce reproducible output:

• naturaldocs/1.51-2 by Petter Reinholdtsen, original patch by Chris Lamb.

Packages reviewed and fixed, and bugs filed The following updated packages have become reproducible - in our current test setup - after being fixed:

• elog/3.1.2-1-1 by Roger Kalt, original patch by Reiner Herrmann.
• eyed3/0.6.18-3 by Petter Reinholdtsen, original patch by Chris Lamb.
• frog/0.13.5-1 by Maarten van Gompel, original patch by Chris Lamb.
• gtranslator/2.91.7-3 by Andreas Henriksson, original patch by Reiner Herrmann.
• sozi/12.05-1.1 by Daniel Kahn Gillmor, original patch by Chris Lamb.

The following updated packages appear to be reproducible now, for reasons we were not able to figure out. (Relevant changelogs did not mention reproducible builds.)

• evince/3.21.92-1 by Michael Biebl.
• gnome-control-center/1:3.21.92-2 by Rapha l Hertzog.
• libipathverbs/1.3-2 by Ana Beatriz Guerrero Lopez.
• pagekite/0.5.8e-2 by Petter Reinholdtsen.

The following 3 packages were not changed, but have become reproducible due to changes in their build-dependencies: jaxrs-api python-lua zope-mysqlda. Some uploads have addressed some reproducibility issues, but not all of them:

• eurephia/1.1.0-6 by Alberto Gonzalez Iniesta, original patch by Chris Lamb.
• fdroidserver/0.7.0-1 by Hans-Christoph Steiner, original patch by Chris Lamb.
• mini-buildd/1.0.18 by Stephan S rken.
• nbc/1.2.1.r4+dfsg-3 by Petter Reinholdtsen, original patch by Chris Lamb.
• ncurses/6.0+20160910-1 by Sven Joachim, #818067 by Niels Thykier.
• python-kinterbasdb/3.3.0-4 by Santiago Vila, original patch by Chris Lamb.
• snapper/0.3.3-1 Hideki Yamane, original patch by Sascha Steinbiss.

Patches submitted that have not made their way to the archive yet:

• #838188 filed against ocaml by Johannes Schauer.

Reviews of unreproducible packages 462 package reviews have been added, 524 have been updated and 166 have been removed in this week, adding to our knowledge about identified issues. 25 issue types have been updated:

• Added a new annotation for issues called "fix-deterministic" to help us update package reviews more easily. This indicates whether we expect that an issue would always happen on Jenkins; i.e. if there is a successful build, then we know the issue is fixed for that package and can update our notes.
• Added random_order_in_sisu_javax_inject_named and too_much_input_for_diff.
• Removed timestamps_in_manpages_generated_by_ronn.
• Updated timestamps_in_allegro_dat_files. Additionally, 21 issues were marked with "fix-deterministic".

Weekly QA work FTBFS bugs have been reported by:

• Chris Lamb (10)
• Filip Pytloun (1)
• Santiago Vila (1)

diffoscope development A new version of diffoscope 60 was uploaded to unstable by Mattia Rizzolo. It included contributions from:

• Mattia Rizzolo:
  • Various packaging and testing improvements.
• HW42:
  • minor wording fixes
• Reiner Herrmann:
  • minor wording fixes

It also included from changes previous weeks; see either the changes or commits linked above, or previous blog posts 72 71 70. strip-nondeterminism development New versions of strip-nondeterminism 0.027-1 and 0.028-1 were uploaded to unstable by Chris Lamb. It included contributions from:

• Chris Lamb:
  • Testing improvements, including better handling of timezones.

disorderfs development A new version of disorderfs 0.5.1 was uploaded to unstable by Chris Lamb. It included contributions from:

• Andrew Ayer and Chris Lamb:
  • Support relative paths for ROOTDIR; it no longer needs to be an absolute path.
• Chris Lamb:
  • Print the behaviour (shuffle/reverse/sort) on startup to stdout.

It also included from changes previous weeks; see either the changes or commits linked above, or previous blog posts 70. Misc. This week's edition was written by Ximin Luo and reviewed by a bunch of Reproducible Builds folks on IRC.

What happened in the Reproducible Builds effort between Sunday August 21 and Saturday August 27 2016: GSoC and Outreachy updates

• Satyam Zode's final report for GSOC 2016

Packages reviewed and fixed, and bugs filed

• #834976 filed against auto-apt-proxy by Chris Lamb.
• #835637 filed against myghty by Chris Lamb.
• #835061 filed against varnish by Chris Lamb.
• #835633 filed against pleiades by Chris Lamb.
• #835625 filed against nikwi by Chris Lamb.
• #835263 filed against binutils-m68hc1x by Chris Lamb.
• #835448 filed against eekboek by Chris Lamb.
• #835143 filed against ttf-tiresias by Chris Lamb.
• #835637 filed against myghty by Chris Lamb.
• #835495 filed against broccoli by Chris Lamb.
• #835129 filed against dateutils by Chris Lamb.
• #835051 filed against sheepdog by Chris Lamb.
• #835145 filed against udpcast by Chris Lamb.
• #834983 filed against eyed3 by Chris Lamb.
• #835617 filed against congress by Chris Lamb.
• #835376 filed against lilyterm by Chris Lamb.
• #835130 filed against ircd-ircu by Chris Lamb.
• #835262 filed against radare2 by Chris Lamb.
• #835193 filed against phpdox by Chris Lamb.
• #835265 filed against argyll by Chris Lamb.
• #835259 filed against quvi by Chris Lamb.
• #835371 filed against dispcalgui by Chris Lamb.
• #835147 filed against javatools by Chris Lamb.
• #834988 filed against twitter-bootstrap3 by Chris Lamb.
• #835463 filed against fdroidserver by Chris Lamb.
• #835646 filed against dh-lua by Chris Lamb.
• #835447 filed against libmodule-build-withxspp-perl by Chris Lamb.
• #835418 filed against libfm by Chris Lamb.
• #835143 filed against ttf-tiresias by Chris Lamb.
• #834993 filed against oss4 by Reiner Herrmann.

Reviews of unreproducible packages 10 package reviews have been added and 6 have been updated this week, adding to our knowledge about identified issues. A large number of issue types have been updated:

• Add captures_build_path issue and some packages affected by it
• Add golang_compiler_captures_build_path_in_binary and move obfs4proxy to it
• Move 7 golang packages from captures_build_path to golang_compiler_captures_build_path_in_binary
• Add new:
  • random_order_in_lua_version_substvar
  • href_links_mangled_by_node_marked
  • perl_extutils_xspp_captures_build_path
  • timestamp_added_by_java_util_properties
• Fixes for issues created:
  • perl_extutils_xspp_captures_build_path
  • random_order_in_lua_version_substvar
  • random_order_in_javahelper_substvars
• Patch for zope_random_field_order_in_dzproduct uploaded.
• Rename:
  • use_epydoc randomness_in_documentation_generated_by_epydoc so it at least matches the others
  • random_order_in_javahelper_depends issue to random_order_in_javahelper_substvars
• Fix the link for the golang issue, previous link is for random_build_path_by_golang_compiler a different issue
• Add a tip regarding how to call ./configure for rust
• Add offending source line for gcc-defaults.

Weekly QA work 29 FTBFS bugs have been reported by:

• Chris Lamb (27)
• Daniel Stender (1)
• Santiago Vila (1)

diffoscope development

• Chris Lamb:
  • Add tests for skip_unless_tool_exists helper.
  • comparators/elf.py: Specify string format arguments as logging function parameters, not using interpolation.
  • presenters/html:
    • Use html.escape over xml.sax.saxutils.escape.
    • Don't use unsafe cgi.escape method as its quote kwarg -- which enables escaping of quotation marks -- is False by default.
  • Tidy imports in Debian comparator and tests.
  • Skip Haskell tests if GHC version does not match. (Closes: #835055)
  • Use pytest.xfail over assert False.
  • Use the debian_fallback.X as the fallback for debian.DotBuildinfoFile (not debian.X).
  • Rename skip_unless_tool_exists -> skip_unless_tools_exist and fix logic.
  • Avoid ugly DRY violations in diffoscope.comparators.__init__ by dynamically importing classes via a single list.
• Satyam Zode:
  • Improve diffoscope behaviour for .changes
• Mattia Rizzolo:
  • Be even more verbose about failing tests
  • d/control: alternate build-dependency on default-jdk-headless default-jdk, to ease backporting to older debian releases
  • add default-jdk to the alternate packages for javap for Debian; default-jdk-headless is not available in older Debian releases
  • in the tests only, normalize xxd's output so that we can compare jessie's xxd with stretch's
  • tests:
    • skip test_squashfs.py.test_superblock if squashfs is too old
    • rewrite tool_older_than() into skip_unless_tool_is_older_than()
    • factor out a tools_missing() function
• J r my Bobbio:
  • Properly skip test requiring python-debian when unavailable
• Ximin Luo:
  • Add a --no-max flag to disable all limits and have max_report_size also honour 0 to mean "no limit"
  • Actually only scan whole file when filename ends in ".rom"
  • Show the timestamp when logging so I know which steps take longer

Holger also created another test job for diffoscope on jenkins.debian.net, so that now also all commits to branches other than master are being tested. strip-nondeterminism development strip-nondeterminism 0.023-1 was uploaded by Chris Lamb:

 * Support Android .apk files with the JAR normalizer.
 * handlers/png.pm: Drop unused Archive::Zip import
 * Remove hyphen from non-determinism and non-deterministic.
 * javaproperties.pm: Match more styles of .properties and loosen filename matching.
 * Improve tests:
   - Make fixture runner generic to all normalizer types.
   - Replace (single) pearregistry test with a fixture.
   - Set a canonical time for fixture tests.
   - Add gzip testcase fixture.
   - Replace t/javadoc.t with fixture
   - Replace t/ar.t with a fixture.
   - t/javaproperties: move pom.properties and version.properties tests to fixtures
   - t/fixtures.t: move to using subtests
   - t/fixtures.t: Explicitly test that we can find a normalizer
   - t/fixtures.t: Don't run normalizer if we didn't find one.

strip-nondeterminism 0.023-2 uploaded by Mattia Rizzolo to allow stderr in autopkgtest. disorderfs development

• Chris Lamb:
  • Add --sort-dirents=yes no option for forcing deterministic.
  • Testsuite:
    • Add tests for sorting and reversing directory entries.
    • shuffle: Test that --shuffle-dirents works as directed.
    • common: Factor out utility to get variations from mount target.
    • common: Factor out "Fail" utility.

tests.reproducible-builds.org Debian:

• Since we introduced build path variations for unstable and experimental last week, our IRC channel has been flooded with notifcations about packages becoming unreproducible - and you might have noticed some of your packages having become unreproducible recently too. To make our IRC more bearable again, notifications for status changes on i386 and armhf have been disabled, so that now we only get notifications for status changes in unstable. (h01ger)
• Link to jenkins documentation in every page (h01ger)
• The "pre build" check, whether a node is up, now also detects if a node has a read-only filesystem, which sometimes happens on some broken armhf nodes. (h01ger)
• To further improve monitoring of those armhf nodes Work to make them send mails (through an ISP which is blocking outgoing mails) has been started and should be finished next week. (h01ger)
• As one of the armhf nodes (opi2a) is acting strange, a workaround has been added to make it's deployment work despite that. (h01ger)
• Collapse whitespace to avoid ugly "trailing underlines" in hyperlinks for diffoscope results and pkg sets (Chris Lamb)
• Give details HTML elements "cursor: pointer" CSS property to highlight they are clickable. (Chris Lamb)
• The db connection timeout has been raised to a minute when using SQLAlchemy too. (h01ger).

Somewhat related to reproducible builds there has been a first Debian jenkins team maintainance meeting on the #debian-qa IRC channel, to discuss current issues with the setup and to start the work of migrating jenkins.debian.net to jenkins.debian.org. The next meeting will take place on September 28th 2016 at 19 UTC. Misc. This week's edition was written by Chris Lamb and Holger Levsen and reviewed by a bunch of Reproducible Builds folks on IRC.

What happened in the Reproducible Builds effort between Sunday August 14 and Saturday August 20 2016: Fasten your seatbelts Important note: we enabled build path variation for unstable now, so your package(s) might become unreproducible, while previously it was said to be reproducible given a specific build path it probably still is reproducible but read on for the details below in the tests.reproducible-builds.org section! As said many times: this is still research and we are working to make it reality. Media coverage Daniel Stender blogged about python packaging and explained some caveats regarding reproducible builds. Toolchain developments Thomas Schmitt uploaded xorriso which now obeys SOURCE_DATE_EPOCH. As stated in its man pages:

ENVIRONMENT
[...]
SOURCE_DATE_EPOCH  belongs to the specs of reproducible-builds.org.  It
is supposed to be either undefined or to contain a decimal number which
tells the seconds since january 1st 1970. If it contains a number, then
it is used as time value to set the  default  of  --modification-date=,
--gpt_disk_guid,  and  --set_all_file_dates.  Startup files and program
options can override the effect of SOURCE_DATE_EPOCH.

Packages reviewed and fixed, and bugs filed The following packages have become reproducible after being fixed:

• cadencii/3.3.9+svn20110818.r1732-5 by Ying-Chun Liu, original patch by Chris Lamb.
• cfengine3/3.7.4-3 by Antonio Radici.
• findbugs/3.1.0~preview2-1 by Emmanuel Bourg.
• gcpegg/5.1-14 by Bdale Garbee, original patch by Chris Lamb.
• gnunet-gtk/0.10.1-4 by Bertrand Marc, original patch by Chris Lamb.
• konwert/1.8-12 by Yann Dirson, original patch by Chris Lamb.
• link-grammar/5.3.8-2 by Jeremy Bicha, original patch by Chris Lamb.
• metastudent-data/2.0.1-1 by Sascha Steinbiss.
• pixmap/2.6pl4-20 by Paul Slootman, original patch by Chris Lamb Maria Valentina Marin a.k.a. Akira.
• python-afl/0.5.4-2 by Daniel Stender.
• tf5/5.0beta8-6 by Russ Allbery, original patch by Chris Lamb.
• triplane/1.0.8-2 by Markus Koschanyover, original patch by Chris Lamb.
• vips/8.3.3-1 by Laszlo Boszormenyi, original patch by Chris Lamb.
• xzgv/0.9.1-4 by Theodore Y. Ts'o, original patch by Chris Lamb.

The following updated packages appear to be reproducible now, for reasons we were not able to figure out. (Relevant changelogs did not mention reproducible builds.)

• vulkan/1.0.21.0+dfsg1-1 by Timo Aaltonen.

The following 2 packages were not changed, but have become reproducible due to changes in their build-dependencies: tagsoup tclx8.4. Some uploads have addressed some reproducibility issues, but not all of them:

• cappuccino/0.5.1-4 by Breno Leitao, original patch by Chris Lamb.
• darkice/1.3-0.1 by Nicolas Bouleng.
• flask-restful/0.3.5-1 by Ond ej Nov , original patch by Chris Lamb.
• kodi/16.1+dfsg1-2 by Balint Reczey, original patch by Lukas Rechberger.
• libaws/3.3.2-3 by Nicolas Bouleng.
• liblog4ada/1.3-1 by Nicolas Bouleng.
• libxmlezout/1.06.1-8 by Nicolas Bouleng.
• ruby-rmagick/2.15.4+dfsg-2 by Antonio Terceir, original patch from Chris Lamb.
• taggrepper/0.05-2 by Kumar Appaiah, original patch and original patch from Maria Valentina Marin.
• xotcl/1.6.8-2 by Stefan Sobernig, original patch by Chris Lamb.

Patches submitted that have not made their way to the archive yet:

• #834755 against apt-cacher-ng by Chris Lamb.
• #834976 against auto-apt-proxy by Chris Lamb.
• #834549 against botan1.10 by Chris Lamb.
• #834861 against cookiecutter by Chris Lamb.
• #834779 against dicom3tools by Chris Lamb.
• #834859 against echoping by Chris Lamb.
• #834983 against eyed3 by Chris Lamb.
• #834735 against filepp by Chris Lamb.
• #834957 against flashrom by Chris Lamb.
• #834773 against gkrellm by Chris Lamb.
• #834292 against gr-radar by Chris Lamb.
• #834956 against ircd-irc2 by Chris Lamb.
• #834897 against jpy by Chris Lamb.
• #834452 against libdc0 by Chris Lamb.
• #834324 against libnss-ldap by Reiner Herrmann.
• #834945 against libquvi by Chris Lamb.
• #834534 against librep by Chris Lamb.
• #834537 against mozvoikko by Chris Lamb.
• #834857 against nagios-nrpe by Chris Lamb.
• #834316 against openocd by Reiner Herrmann.
• #834993 against oss4 by Reiner Herrmann.
• #834302 against pd-flite by Reiner Herrmann.
• #834754 against phpab by Chris Lamb.
• #834279 against phpldapadmin by Chris Lamb.
• #834277 against pybit by Chris Lamb.
• #834553 against pyicu by Chris Lamb.
• #834541 against ruby-pg by Chris Lamb.
• #835051 against sheepdog by Chris Lamb.
• #834896 against ttf-tiresias by Chris Lamb.
• #834780 against tuxpaint-config by Chris Lamb.
• #834988 against twitter-bootstrap3 by Chris Lamb.
• #834776 against uhub by Chris Lamb.
• #835061 against varnish by Chris Lamb.

Bug tracker house keeping:

• Chris Lamb pinged 164 bugs he filed more than 90 days ago which have a patch and had no maintainer reaction.

Reviews of unreproducible packages 55 package reviews have been added, 161 have been updated and 136 have been removed in this week, adding to our knowledge about identified issues. 2 issue types have been updated:

• Added user_in_documentation_generated_by_gsdoc
• Added locale_differences_in_pom

Weekly QA work FTBFS bugs have been reported by:

• Chris Lamb (16)
• Santiago Vila (2)

diffoscope development Chris Lamb, Holger Levsen and Mattia Rizzolo worked on diffoscope this week. Improvements were made to SquashFS and JSON comparison, the https://try.diffoscope.org/ web service, documentation, packaging, and general code quality. diffoscope 57, 58, and 59 were uploaded to unstable by Chris Lamb. Versions 57 and 58 were both broken, so Holger set up a job on jenkins.debian.net to test diffoscope on each git commit. He also wrote a CONTRIBUTING document to help prevent this from happening in future. From these efforts, we were also able to learn that diffoscope is now reproducible even when built across multiple architectures:

< h01ger>   https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope.html shows these packages were built on amd64:
< h01ger>    bd21db708fe91c01ba1c9cb35b9d41a7c9b0db2b 62288 diffoscope_59_all.deb
< h01ger>    366200bf2841136a4c8f8c30bdc87057d59a4cdd 20146 trydiffoscope_59_all.deb
< h01ger>   and on i386:
< h01ger>    bd21db708fe91c01ba1c9cb35b9d41a7c9b0db2b 62288 diffoscope_59_all.deb
< h01ger>    366200bf2841136a4c8f8c30bdc87057d59a4cdd 20146 trydiffoscope_59_all.deb
< h01ger>   and on armhf:
< h01ger>    bd21db708fe91c01ba1c9cb35b9d41a7c9b0db2b 62288 diffoscope_59_all.deb
< h01ger>    366200bf2841136a4c8f8c30bdc87057d59a4cdd 20146 trydiffoscope_59_all.deb

And those also match the binaries uploaded by Chris in his diffoscope 59 binary upload to ftp.debian.org, yay! Eating our own dogfood and enjoying it! tests.reproducible-builds.org Debian related:

• show percentage of results in the last 24/48h (h01ger)
• switch python database backend to SQLAlchemy (Valerie)
• vary build path varitation for unstable and experimental for all architectures. (h01ger)

The last change probably will have an impact you will see: your package might become unreproducible in unstable and this will be shown on tracker.debian.org, while it will still be reproducible in testing. We've done this, because we think reproducible builds are possible with arbitrary build paths. But: we don't think those are a realistic goal for stretch, where we still recommend to use .buildinfo to record the build patch and then do rebuilds using that path. We are doing this, because besides doing theoretical groundwork we also have a practical goal: enable users to independently verify builds. And if they only can do this with a fixed path, so be it. For now To be clear: for Stretch we recommend that reproducible builds are done in the same build path as the "original" build. Finally, and just for our future references, when we enabled build path variation on Saturday, August 20th 2016, the numbers for unstable were:

suite	all	reproducible	unreproducible	ftbfs	depwait	not for this arch	blacklisted
unstable/amd64	24693	21794 (88.2%)	1753 (7.1%)	972 (3.9%)	65 (0.2%)	95 (0.3%)	10 (0.0%)
unstable/i386	24693	21182 (85.7%)	2349 (9.5%)	972 (3.9%)	76 (0.3%)	103 (0.4%)	10 (0.0%)
unstable/armhf	24693	20889 (84.6%)	2050 (8.3%)	1126 (4.5%)	199 (0.8%)	296 (1.1%)	129 (0.5%)

Misc. Ximin Luo updated our git setup scripts to make it easier for people to write proper descriptions for our repositories. This week's edition was written by Ximin Luo and Holger Levsen and reviewed by a bunch of Reproducible Builds folks on IRC.

What happened in the Reproducible Builds effort between June 26th and July 2nd 2016: Read on to find out why we're lagging some weeks behind ! GSoC and Outreachy updates

• Ceridwen described using autopkgtest code to communicate with containers and how to test the container handling.
• reprotest 0.1 has been accepted into Debian unstable, and any user reports, bug reports, feature requests, etc. would be appreciated. This is still an alpha release, and nothing is set in stone.

Toolchain fixes

• Matthias Klose uploaded doxygen/1.8.11-3 to Debian unstable (closing #792201) with the upstream patch improving SOURCE_DATE_EPOCH support by using UTC as timezone when parsing the value. This was the last patch we were carrying in our repository, thus this upload obsoletes the version in our experimental repository.
• cmake/3.5.2-2 was uploaded by Felix Geyer, which sorts file lists obtained with file(GLOB).
• Dmitry Shachnev uploaded sphinx/1.4.4-2, which fixes a timezone related issue when SOURCE_DATE_EPOCH is set.

With the doxygen upload we are now down to only 2 modified packages in our repository: dpkg and rdfind. Weekly reports delay and the future of statistics To catch up with our backlog of weekly reports we have decided to skip some of the statistics for this week. We might publish them in a future report, or we might switch to a format where we summarize them more (and which we can create (even) more automatically), we'll see. We are doing these weekly statistics because we believe it's appropriate and useful to credit people's work and make it more visible. What do you think? We would love to hear your thoughts on this matter! Do you read these statistics? Somewhat? Actually, thanks to the power of notmuch, Holger came up with what you can see below, so what's missing for this week are the uploads fixing irreprodubilities. Which we really would like to show for the reasons stated above and because we really really need these uploads to happen But then we also like to confirm the bugs are really gone, which (atm) requires manual checking, and to look for the words "reproducible" and "deterministic" (and spelling variations) in debian/changelogs of all uploads, to spot reproducible work not tracked via the BTS. And we still need to catch up on the backlog of weekly reports. Bugs submitted with reproducible usertags It seems DebCamp in Cape Town was hugely successful and made some people get a lot of work done: 61 bugs have been filed with reproducible builds usertags and 60 of them had patches:

• #829365 against pdl by Reiner Herrmann: please make the build reproducible.
• #829362 against ruby-ronn by Chris Lamb: please make the output reproducible.
• #829357 against ctop by Chris Lamb: please make the build reproducible.
• #829325 against txt2tags by Chris Lamb: please make the output reproducible.
• #829323 against pdl by Reiner Herrmann: please generated sorted output.
• #829322 against libpdl-netcdf-perl by Reiner Herrmann: please make the build reproducible.
• #829320 against libpdl-io-hdf5-perl by Reiner Herrmann: please make the build reproducible.
• #829297 against check-all-the-things by Chris Lamb: please make the build reproducible.
• #829296 against perl by Chris Lamb: please make the output of ParseXS.pm reproducible.
• #829295 against libextutils-parsexs-perl by Chris Lamb: please make the output reproducible.
• #829270 against tomsfastmath by Reiner Herrmann: please make the build reproducible.
• #829263 against libmemcached-libmemcached-perl by Chris Lamb: please make the build reproducible.
• #829262 against slashem by Reiner Herrmann: please make the build reproducible.
• #829261 against passwordsafe by Reiner Herrmann: please make the build reproducible.
• #829249 against ncftp by Reiner Herrmann: please make the build reproducible.
• #829133 against icon by Reiner Herrmann: please make the build reproducible.
• #829129 against ayttm by Reiner Herrmann: please make the build reproducible.
• #829011 against link-grammar by Jeremy Bicha and Chris Lamb: please make the build reproducible.
• #829000 against fracplanet by Reiner Herrmann: please make the build reproducible.
• #828994 against syncthing by Dhole: please make the build reproducible.
• #828993 against openttd by Reiner Herrmann: please make the build reproducible.
• #828989 against ntp by Reiner Herrmann: please make the build reproducible.
• #828977 against faust by Reiner Herrmann: please make the build reproducible.
• #828971 against clasp by Reiner Herrmann: please make the build reproducible.
• #828969 against dogecoin by Reiner Herrmann: please make the build reproducible.
• #828909 against qtruby by Reiner Herrmann: please make the build reproducible.
• #828906 against mailfilter by Reiner Herrmann: please make the build reproducible.
• #828898 against lordsawar by Reiner Herrmann: please make the build reproducible.
• #828891 against bbdb by Reiner Herrmann: please make the build reproducible.
• #828890 against libsdl2-gfx by Reiner Herrmann: please make the build reproducible.
• #828888 against aspell-en by Reiner Herrmann: please make the build reproducible.
• #828876 against ario by Reiner Herrmann: please make the build reproducible.
• #828867 against zephyr by Reiner Herrmann: please make the build reproducible.
• #828856 against lrzsz by Reiner Herrmann: please make the build reproducible.
• #828855 against wmweather by Reiner Herrmann: please make the build reproducible.
• #828852 against moblin-icon-theme by Reiner Herrmann: please make the build reproducible.
• #828810 against fakeroot by Juan Picca: [PATCH] Make the build reproducible.
• #828793 against minicom by Reiner Herrmann: please make the build reproducible.
• #828791 against fio by Reiner Herrmann: please make the build reproducible.
• #828790 against debiandoc-sgml-doc by Dhole: please make the build reproducible.
• #828788 against pyparted by Reiner Herrmann: please make the build reproducible.
• #828786 against tcptraceroute by Reiner Herrmann: please make the build reproducible.
• #828780 against iptraf by Reiner Herrmann: please make the build reproducible.
• #828778 against module-assistant by Reiner Herrmann: please make the build reproducible.
• #828766 against liblucy-perl by Reiner Herrmann: please make the build reproducible.
• #828762 against slang2 by Reiner Herrmann: please make the build reproducible.
• #828756 against python-reportlab by Reiner Herrmann: please make the build reproducible.
• #828752 against mod-dnssd by Reiner Herrmann: please make the build reproducible.
• #828749 against telepathy-salut by Reiner Herrmann: please make the build reproducible.
• #828748 against libphonenumber by Reiner Herrmann: please make the build reproducible.
• #828745 against directfb by Reiner Herrmann: please make the build reproducible.
• #828683 against mc by Reiner Herrmann and Yury V. Zaytsev: please make the build reproducible.
• #828681 against keyutils by Reiner Herrmann: please make the build reproducible.
• #828680 against debiandoc-sgml-doc-pt-br by Dhole: please make the build reproducible.
• #828639 against libmarpa-r2-perl by Reiner Herrmann: please make the build reproducible.
• #828636 against libembperl-perl by Axel Beckert, Reiner Herrmann and gregor herrmann: please make the build reproducible.
• #828635 against libnet-tclink-perl by Reiner Herrmann: please make the build reproducible.
• #828628 against media-player-info by Reiner Herrmann: please make the build reproducible.
• #828627 against uim by Alexis Bienven e: please make the build reproducible (locale).
• #828226 against tiger by Alexis Bienven e: please make the build reproducible (environment, locale).
• #828222 against pygoocanvas by Chris Lamb: please make the build reproducible.
• #828216 against pyinfra by Daniel Stender: assertion error with timestamps.

Package reviews 437 new reviews have been added (though most of them were just linking the bug, "only" 56 new issues in packages were found), an unknown number has been been updated and 60 have been removed in this week, adding to our knowledge about identified issues. 4 new issue types have been found:

• random_order_of_pdf_ids_generated_by_latex
• unsorted_pdl_output
• timestamps_in_output_generated_by_txt2tags
• random_order_in_documentation_generated_by_naturaldocs

Weekly QA work 98 FTBFS bugs have been reported by Chris Lamb and Santiago Vila. diffoscope development

• Reiner Herrmann clarified the help text for the input arguments.
• #829115 against diffoscope by Axel Beckert and Mattia Rizzolo:: /comparators/ps.py: TypeError: cannot use a string pattern on a bytes-like object.

strip-nondeterminism development

• Chris Lamb made sure that .zhfst files are treated as ZIP files.

tests.reproducible-builds.org

• Mattia Rizzolo uploaded pbuilder/0.225.1~bpo8+1 to jessie-backports and it has been installed on all build nodes. As a consequence all armhf and i386 builds will be done with eatmydata; this will hopefully cut down the build time by a noticable factor.

Misc. This week's edition was written by Mattia Rizzolo, Reiner Herrmann, Ceridwen and Holger Levsen and reviewed by a bunch of Reproducible builds folks on IRC.

What happened in the Reproducible Builds effort between June 19th and June 25th 2016. Media coverage

• Holger Levsen gave a talk at openSUSE Conference 2016 explaining the general idea and status of Reproducible Builds. This talk is available as video recording.
• This was followed by Bernhard Wiedemannn, detailing his work on Reproducible Builds for openSUSE which is also available as video recording:
  • openSUSE uses SOURCE_DATE_EPOCH now too
  • How to create bit-for-bit identical RPMs
  • How strip-nondeterminism is Python and thus unsuitable for the openSUSE base system
• Mozilla awarded $77k to work on reproducible builds for Tails. The goal is to enable anyone (given sufficient technical skills and hardware resources) to rebuild from source a given Tails release, in order to independently verify that it matches the ISO image that was published. A substantial part of this work will be done in Debian: for example, to make the side-effects of some packages' post-installation scripts deterministic. On the longer term, this work should benefit other projects that want to make their own builds reproducible (e.g. operating system images for the cloud and embedded systems, operating system installation media, other Live systems).

GSoC and Outreachy updates

• Valerie Young published a report detailing what she did the last week regarding improving tests.reproducible-builds.org/debian.
• Ceridwen announced reprotest's arrival in the NEW queue and discussed autopkgtest's layout.

Toolchain fixes

• Anton Gladky uploaded an NMU of python-setuptools, which sorts entries in native_libs.txt files (#825857).

Other upstream fixes Emil Velikov searched on IRC for hints on how to guarantee unique values during build to invalidate shader caches in Mesa, when also no VCS information is available. A possible solution is a timestamp, which is unique enough for local builds, but can still be reproducible by allowing it to be overwritten with SOURCE_DATE_EPOCH. Packages fixed The following 9 packages have become reproducible due to changes in their build dependencies: cclib librun-parts-perl llvm-toolchain-snapshot python-crypto python-openid r-bioc-shortread r-bioc-variantannotation ruby-hdfeos5 sqlparse The following packages have become reproducible after being fixed:

• allegro4.4/2:4.4.2-9 by Tobias Hansen, original patch by Reiner Herrmann.
• atomicparsley/0.9.6-1 by Jonas Smedegaard.
• dwarfutils/20160613-1 by Fabian Wolff, original patch by Reiner Herrmann.
• dwm/6.1-3 by Hugo Lefeuvre, original patch by Reiner Herrmann.
• funtools/1.4.6+git150811-3 by Ole Streicher, original patch by Alexis Bienven e.
• golang-github-appc-spec/0.8.4+dfsg-1 by Dmitry Smirnov.
• golang-github-appc-docker2aci/0.11.1+dfsg-1 Dmitry Smirnov.
• hdf-eos5/5.1.15.dfsg.1-7 by Alastair McKinstry.
• hmmer2/2.3.2-11 by Sascha Steinbiss, original patch by Chris Lamb.
• jpy/0.8-2 by Alastair McKinstry.
• lazarus/1.6+dfsg-4 by Paul Gevers.
• pgbackrest/1.02-2 by Adrian Vondendriesch.
• siege/4.0.2-1 by Josue Abarca.
• starlink-pal/0.5.0-4 by Ole Streicher, original patch by Chris Lamb.
• stylish-haskell/0.5.17.0-2 by Sean Whitton.
• xprobe/0.3-3 by Sophie Brun, original patch by Reiner Herrmann.

Some uploads have fixed some reproducibility issues, but not all of them:

• hdfeos4/2.19v1.00+dfsg.1-5 by Alastair McKinstry.
• icu4j/57.1-2 by Tony Mancill, original patch by Chris Lamb.
• pari/2.7.6-1 by Bill Allombert,

Patches submitted that have not made their way to the archive yet:

• #827684 against cgoban by Chris Lamb: set SHELL to static value.
• #827731 against tin by Alexis Bienven e: drop patch which overwrites __DATE__/__TIME__ macros, since gcc can handle it now
• #827863 against swedish by Alexis Bienven e: use C locale for sorting.
• #827987 against glances by Chris Lamb: Use SOURCE_DATE_EPOCH for embedded timestamp.
• #827994 against cmtk by Chris Lamb: use C locale for sorting.
• #828008 against aghermann by Chris Lamb: honour SOURCE_DATE_EPOCH for timestamps embedded into manpages.
• #828012 against bind9 by Chris Lamb: honour SOURCE_DATE_EPOCH for embedded timestamp.
• #828017 against frog by Chris Lamb: don't include pyc/pyo files in the package.
• #828021 against extra-cmake-modules by Scarlett Clark: normalize permission and file order in tarballs.
• #828060 against libffado by Chris Lamb: exclude file with test output from package.
• #828066 against gsmlib by Chris Lamb: honour SOURCE_DATE_EPOCH for timestamps embedded into manpages.
• #828067 against grib-api by Chris Lamb: exclude pyc files from package.
• #828122 against libxmlbird by Chris Lamb: sort list of globbed files.
• #828123 against magnum by Chris Lamb: use static value for embedded hostname.
• #828131 against pyjwt by Chris Lamb: exclude coverage data from package.
• #828145 against mkdocs by Chris Lamb: honour SOURCE_DATE_EPOCH for embedded timestamp.
• #828164 against zeal by Chris Lamb: use UTC for embedded timestamp.
• #828168 against x42-plugins by Daniel Shahaf: use printf instead of non-portable echo.

Package reviews 139 reviews have been added, 20 have been updated and 21 have been removed in this week. New issues found:

• timestamps_in_pdf_generated_by_reportlab
• r_base_appends_built_header_to_description_files
• timestamps_in_documentation_generated_by_mkdocs

53 FTBFS bugs have been reported by Chris Lamb, Santiago Vila and Mateusz ukasik. diffoscope development

• Satyam Zode added argument completion.
• Chris Lamb made the confusing "No differences found inside, yet data differs" message less confusing.

Quote of the week "My builds are so reproducible, they fail exactly every second time." Johannes Ziemke (@discordianfish) Misc. This week's edition was written by Chris Lamb (lamby), Reiner Herrmann and Holger Levsen and reviewed by a bunch of Reproducible builds folks on IRC.

What happened in the Reproducible Builds effort between June 12th and June 18th 2016: Media coverage

• Sune Vuorela blogged about making Qt documentation reproducible while spending good times in the Alps.

GSoC and Outreachy updates Weekly reports by our participants:

• Scarlett Clark
• Satyam Zode

Toolchain fixes

• texlive-bin/2016.20160513.41080-3 has been uploaded to unstable, featuring support for FORCE_SOURCE_DATE. See the last post for details on it.
• doxygen/1.4.4-1 has been uploaded to unstable, fixing #822197 (upstream bug), which caused some generated html file to contain unreproducible memory addresses of Python objects used at build time.
• debhelper/9.20160618 has been uploaded to unstable, fixing #824490, which instructs ant to not save the username of the build user in the generated files. Original patch by Emmanuel Bourg.
• HW42 reported a long-known (although only internally) bug in our dpkg-buildinfo. this particular bug doesn't affect our current infrastructure, but it's a blocker for having .buildinfo support merged upstream.
• epydoc/3.0.1+dfsg-13 and 3.0.1+dfsg-14 have been uploaded by Kenneth J. Pronovici which fixes nondeterministic ordering issues in generated documentation and removes memory addresses. Original patches (#825968 and #827416) by Sascha Steinbiss.

With this upload of texlive-bin we decided to stop keeping our patched fork of as most of the patches for SOURCE_DATE_EPOCH support had been integrated upstream already, and the last one (making FORCE_SOURCE_DATE default to 1) had been refused. So, we are now going to let the archive be rebuilt against unstable's texlive-bin and see how many packages will become unreproducible with this change; once enough data will be collected we will ponder whether FORCE_SOURCE_DATE should be exported by helper tools (such as debhelper) or manually exported by every package that needs it. (For those wondering: we still recommend to follow SOURCE_DATE_EPOCH always and don't recommend other projects to implement FORCE_SOURCE_DATE ) With the drop of texlive-bin we now have only three modified packages in our experimental repository. Reproducible work in other projects

• Ed Maste sent a patch to have ELF Tool Chain's elfcopy support SOURCE_DATE_EPOCH.
• Ed Maste changed FreeBSD's ar(1) to have a reproducible output by default when invoked with -s.
• Ed Maste merged changes from NetBSD's makefs to FreeBSD's to add a command line option for setting the timestamp.
• Ed Maste reported on FreeBSD package reproducibility details from the investigation for his BSDCan talk, including diffoscope results for the non-reproducible packages.
• Holger Levsen spent some time thinking and documenting how to store package notes and issues in a multi-distribution friendly manner, so that we can share these issues and notes between reproducible efforts across different projects. Thoughts we had about this topic during the Athens meeting last December are included in the updated README.

Packages fixed The following 12 packages have become reproducible due to changes in their build dependencies: django-floppyforms flask-restful hy jets3t kombu llvm-toolchain-3.8 moap python-bottle python-debtcollector python-django-debug-toolbar python-osprofiler stevedore The following packages have become reproducible after being fixed:

• adios/1.9.0-10 by Alastair McKinstry.
• airstrike/0.99+1.0pre6a-8 by Markus Koschany, original patch by Reiner Herrmann.
• apt-dater/1.0.3-1 by Patrick Matth i, original patch by Chris Lamb.
• bitlbee/3.4.2-1 by Jelmer Vernoo .
• dar/2.5.5-1 by Laszlo Boszormenyi.
• fastjet/3.0.6+dfsg-2 by Mattia Rizzolo, original patch by Maria Valentina Marin.
• libretro-beetle-pce-fast/0.9.38.7+git20160609-1 by S rgio Benjamim, original patch by Reiner Herrmann.
• libretro-beetle-psx/0.9.38.6+git20151019-2 by S rgio Benjamim, original patch by Reiner Herrmann.
• mx/1.99.4-1 by Ying-Chun Liu.
• python-coverage/4.1+dfsg.1-1 by Ben Finney.
• shiro/1.2.5-1 by Tony Mancill, original patch by Chris Lamb.
• splix/2.0.0+svn315-5 by Didier Raboud.
• u-boot/2016.07~rc1+dfsg1-3 by Vagrant Cascadian, debugging and patch by HW42, patches submitted upstream.

Some uploads have fixed some reproducibility issues, but not all of them:

• gcc-mingw-w64/18 by Stephen Kitt.
• gnuplot/5.0.3+dfsg3-6 by Anton Gladky, original patch by Alexis Bienven e.

Uploads with reproducibility fixes that currently fail to build:

• ruby2.3/2.3.1-3 by Christian Hofstaedtler, avoids unreproducible rbconfig.rb files by always using bash for building.

Patches submitted that have not made their way to the archive yet:

• #827109 against asciijump by Reiner Herrmann: sort source files for deterministic linking order.
• #827112 against boswars by Reiner Herrmann: sort source files for deterministic linking order.
• #827114 against overgod by Reiner Herrmann: use C locale for sorting source files.
• #827115 against netpbm by Alexis Bienven e: honour SOURCE_DATE_EPOCH while generating output.
• #827124 against funguloids by Reiner Herrmann: use C locale for sorting files.
• #827145 against scummvm by Reiner Herrmann: don't embed extra fields in zip archive and build with proper host architecture.
• #827150 against netpanzer by Reiner Herrmann: sort source files for deterministic linking order.
• #827172 against reaver by Alexis Bienven e: sort object files for deterministic linking order.
• #827187 against latex2html by Alexis Bienven e: iterate deterministic over Perl hashes; honour SOURCE_DATE_EPOCH for output; strip username from output; sort index keys.
• #827313 against cherrypy3 by Sascha Steinbiss: prevent memory addresses in output.
• #827361 against matplotlib by Alexis Bienven e: honour SOURCE_DATE_EPOCH in output and sort keys while iterating over dict.
• #827382 against dwarfutils by Reiner Herrmann: fix array size, which caused memory from outside a table to be embedded into output.
• #827384 against skytools3 by Sascha Steinbiss: use stable sorting order and remove timestamps from documentation.
• #827419 against ldaptor by Sascha Steinbiss: sort list of input files and prevent home directory from leaking into documentation.
• #827546 against git-buildpackage by Sascha Steinbiss: replace timestamps in documentation with changelog date; prevent temporary paths in documentation.
• #827572 against xprobe by Reiner Herrmann: sort list of object files in static library archives.

Package reviews 36 reviews have been added, 12 have been updated and 31 have been removed in this week. 17 FTBFS bugs have been reported by Chris Lamb, Santiago Vila and Dominic Hargreaves. diffoscope development Satyam worked on argument completion (#826711) for diffoscope. strip-nondeterminism development Mattia Rizzolo uploaded strip-nondeterminism 0.019-1~bpo8+1 to jessie-backports. reprotest development Ceridwen filed an Intent To Package (ITP) bug for reprotest as #827293. tests.reproducible-builds.org

• Mattia Rizzolo uploaded pbuilder 0.225 to unstable, providing built-in support for eatmydata. We're planning to use it in armhf and i386 builders where we don't build in tmpfs, to increase the build speed some more.
• Valery Young reworked the appearance of the package page, hopefully making them more intuitive and usable. In the process she changed the script generating them to use a real templating system, thus improving maintenance for the future.
• Holger adjusted the scheduler to reschedule packages in state 'depwait' after two days instead of three.
• Mattia added the bug title next to the bug numbers in the notes.

Misc. This week's edition was written by Mattia Rizzolo, Reiner Herrmann, Ed Maste and Holger Levsen and reviewed by a bunch of Reproducible builds folks on IRC.

What happened in the Reproducible Builds effort between June 5th and June 11th 2016: Media coverage Ed Maste gave a talk at BSDCan 2016 on reproducible builds (slides, video). GSoC and Outreachy updates Weekly reports by our participants:

• Scarlett Clark worked on making some packages reproducible, focusing on KDE backend and utility programs.
• Ceridwen published an initial design for the interface for reprotest, including a discussion on different types of build variations and the difficulties of specifying certain types of variations.
• Valerie Young improved documentation for building our tests website, began migrating Debian-specific pages into a new namespace, and planned future work around its navigation.

Documentation update - Ximin Luo proposed a modification to our SOURCE_DATE_EPOCH spec explaining FORCE_SOURCE_DATE. Some upstream build tools (e.g. TeX, see below) have expressed a desire to control which cases of embedded timestamps should obey SOURCE_DATE_EPOCH. They were not convinced by our arguments on why this is a bad idea, so we agreed on an environment variable FORCE_SOURCE_DATE for them to implement their desired behaviour - named generically, so that at least we can set it centrally. For more details, see the text just linked. However, we strongly urge most build tools not to use this, and instead obey SOURCE_DATE_EPOCH unconditionally in all cases. Toolchain fixes

• TeX Live 2016 released with SOURCE_DATE_EPOCH support for all engines except LuaTeX and original TeX.
• Continued discussion (alternative archive) with TeX upstream, about SOURCE_DATE_EPOCH corner cases, eventually resulting in the FORCE_SOURCE_DATE proposal from above.
• gcc-5/5.4.0-4 by Matthias Klose now avoids storing -fdebug-prefix-map in DW_AT_producer, thanks to original patch by Daniel Kahn Gillmor.
• sphinx/1.4.3-1 by Dmitry Shachnev now drops Debian-specific patches relating to SOURCE_DATE_EPOCH applied upstream, original patch by Alexis Bienven e.
• asciidoctor/1.5.4-2 by C dric Boutillier now supports SOURCE_DATE_EPOCH, thanks to original patch by Alexis Bienven e.
• dh-python/1.5.4-2 by Piotr O arowski now behaves better in some cases, thanks to original patch by Chris Lamb.

Packages fixed The following 16 packages have become reproducible due to changes in their build-dependencies: apertium-dan-nor apertium-swe-nor asterisk-prompt-fr-armelle blktrace canl-c code-saturne coinor-symphony dsc-statistics frobby libphp-jpgraph paje.app proxycheck pybit spip tircd xbs The following 5 packages are new in Debian and appear to be reproducible so far: golang-github-bowery-prompt golang-github-pkg-errors golang-gopkg-dancannon-gorethink.v2 libtask-kensho-perl sspace The following packages had older versions which were reproducible, and their latest versions are now reproducible again after being fixed:

• excellent-bifurcation/0.0.20071015-8 by Vincent Cheng, original patch by Reiner Herrmann.
• gnurobbo/0.68+dfsg-2 by Stephen Kitt, original patch by Reiner Herrmann.

The following packages have become reproducible after being fixed:

• gdbm/1.8.3-14 by Matthias Klose, original patch by J r my Bobbio.
• miceamaze/4.2.1-3 by Sarah COUDERT, original patch by Reiner Herrmann.
• netcdf/1:4.4.1~rc2-1~exp3 by Bas Couwenberg.
• osmo-bts/0.4.0-2 by Ruben Undheim.
• pd-hcs/0.1-3 by IOhannes m zm lnig.
• pd-hid/0.7-2 by IOhannes m zm lnig.
• python-certbot/0.8.0-1 by Harlan Lieberman-Berg, original patch by Chris Lamb.
• python-csb/1.2.3+dfsg-3 by Sascha Steinbiss.
• python-osprofiler/1.3.0-2 by Thomas Goirand.
• usb-modeswitch-data/20160112-3 by Didier Raboud, original patch by intrigeri.

Some uploads have fixed some reproducibility issues, but not all of them:

• bzr/2.7.0-7 by Jelmer Vernoo .
• clanlib/1.0~svn3827-5 by Stephen Kitt, original patch by Chris Lamb.
• dwarfutils/20160507+git20160523.9086738-1 by Fabian Wolff.
• fakeroot/1.20.2-2 by Clint Adams, original patch.
• fastqtl/2.184+dfsg-2 by Dylan A ssi, original patch by Chris Lamb.
• gnuplot/5.0.3+dfsg3-3 by Anton Gladky.
• lazarus/1.6+dfsg-3 by Paul Gevers.
• python-pygit2/0.24.0-3 by Ond ej Nov .

Patches submitted that have not made their way to the archive yet:

• #806331 against xz-utils by Ximin Luo: make the selected POSIX shell stable accross build environments
• #806494 against gnupg by intrigeri: Make man pages not embed a build-time dependent timestamp
• #806945 against bash by Reiner Herrmann and Ximin Luo: Use the system man2html, and set PGRP_PIPE unconditionally.
• #825857 against python-setuptools by Anton Gladky: sort libs in native_libs.txt
• #826408 against brainparty by Reiner Herrmann: Sort object files for deterministic linking order
• #826416 against blockout2 by Reiner Herrmann: Sort the list of source files
• #826418 against xgalaga++ by Reiner Herrmann: Sort source files to get a deterministic linking order
• #826423 against kraptor by Reiner Herrmann: Sort source files for deterministic linking order
• #826431 against traceroute by Reiner Herrmann: Sort lists of libraries/source/object files
• #826544 against doc-debian by intrigeri: make the created files stable regardless of the locale
• #826676 against python-openstackclient by Chris Lamb: make the build reproducible
• #826677 against cadencii by Chris Lamb: make the build reproducible
• #826760 against dctrl-tools by Reiner Herrmann: Sort object files for deterministic linking order
• #826951 against slicot by Alexis Bienven e: please make the build reproducible (fileordering)
• #826982 against hoichess by Reiner Herrmann: Sort object files for deterministic linking order

Package reviews 68 reviews have been added, 19 have been updated and 28 have been removed in this week. New and updated issues:

• cryptographic_signature
• timestamps_in_maven_version_files
• ftbfs_build-indep_not_build_on_some_archs
• timestamps_added_by_xbean_spring
• timestamps_in_maven_metadata_local_xml_files
• timestamps_in_documentation_generated_by_asciidoctor

26 FTBFS bugs have been reported by Chris Lamb, 1 by Santiago Vila and 1 by Sascha Steinbiss. diffoscope development

• Mattia Rizzolo uploaded diffoscope/54 to jessie-backports.

strip-nondeterminism development

• Mattia uploaded strip-nondeterminism/0.018-1 to jessie-backports, to support a debhelper backport.
• Andrew Ayer uploaded strip-nondeterminism/0.018-2 fixing #826700, a packaging improvement for Multi-Arch to ease cross-build situations.
• 2 days later Andrew released strip-nondeterminism/0.019; now strip-nondeterminism is able to:
  • recursively normalize JAR files embedded within JAR files (#823917)
  • clamp the timestamp, the same way tar >=1.28-2.2 can (for now available only for gzip archives)

disorderfs development

• Andrew Ayer released disorderfs/0.4.3, fixing a issue with umask handling (#826891)

tests.reproducible-builds.org

• Valerie Young namespaced the Debian-specific pages to /debian/ namespace, with redirects to for the previous URLs.
• Holger Levsen improved the reliability of build jobs: the availability of both build nodes (for a given build) is now being tested when a build job is started, to better cope when one of the 25 build nodes go down for some reason.
• Ximin Luo improved the index of identified issues to include the total popcon scores of each issue, which is now also used for sorting that page.

Misc. Steven Chamberlain submitted a patch to FreeBSD's makefs to allow reproducible builds of the kfreebsd installer. Ed Maste committed a patch to FreeBSD's binutils to enable determinstic archives by default in GNU ar. Helmut Grohne experimented with cross+native reproductions of dash with some success, using rebootstrap. This week's edition was written by Ximin Luo, Chris Lamb, Holger Levsen, Mattia Rizzolo and reviewed by a bunch of Reproducible builds folks on IRC.

What happened in the Reproducible Builds effort between May 22nd and May 28th 2016: Media coverage

• Holger Levsen was invited to RIPE72 to talk about Reproducible Builds and a hope for a more secure future (Video, 25min and slides) in the cooperative workgroup.
• Scarlett Clark blogged about her first week of Outreachy work trying to make packages build reproducible, describing her efforts with kapptemplate, choqok and kdevplatform.

Documentation update

• The wiki page TimestampsProposal has been extended to cover more usage examples and to list more softwares supporting SOURCE_DATE_EPOCH. (Axel Beckert, Dhole and Ximin Luo)
• h01ger started a reference card for tools and information about reproducible builds but hasn't progressed much yet. Help with it is much welcome, this is also a good opportunity to learn about this project The idea is simply to have one coherent place with pointers to all the stuff we have and provide, without repeating nor replacing other documentation.

Toolchain fixes

• Alexis Bienven e submitted a patch (#824050) against emacs24 for SOURCE_DATE_EPOCH support in autoloads files, but upstream already disabled timestamps by default some time before.
• proj/4.9.2-3 uploaded by Bas Couwenberg (original patch by Alexis Bienven ) properly initializes memory with zero to prevent the nad2bin tool from leaking random memory content into output artefacts.
• Reiner Herrmann submitted a patch (#825569, upstream) against Ruby to sort object files in generated Makefiles, which are used to compile C sources that are part of Ruby projects.

Packages fixed The following 18 packages have become reproducible due to changes in their build dependencies: canl-c configshell dbus-java dune-common frobby frown installation-guide jexcelapi libjsyntaxpane-java malaga octave-ocs paje.app pd-boids pfstools r-cran-rniftilib scscp-imcce snort vim-addon-manager The following packages have become reproducible after being fixed:

• apngasm/2.7-2 by Manuel A. Fernandez Montecelo, original patch by Reiner Herrmann.
• apngdis/2.5-2 by Manuel A. Fernandez Montecelo, original patch by Reiner Herrmann.
• apngopt/1.2-2 by Manuel A. Fernandez Montecelo, original patch by Reiner Herrmann.
• asio/1:1.10.6-4 by Markus Wanner.
• bowtie/1.1.2-4 by Sascha Steinbiss.
• bowtie2/2.2.9-2 by Sascha Steinbiss.
• breeze/4:5.6.4-1 by Maximiliano Curia, original patch by Eduard Sanou.
• cain/1.10+dfsg-2 by Sascha Steinbiss.
• cdist/4.0.0-2 by Dmitry Bogatov, original patch by Chris Lamb.
• crossroads/2.81-1 by Reiner Herrmann.
• elasticsearch/1.7.5-1 by Emmanuel Bourg.
• gdal/2.1.0+dfsg-3 by Bas Couwenberg, original patch by Alexis Bienven e.
• grass/7.0.4-2 by Bas Couwenberg, original patch by Alexis Bienven e.
• jaligner/1.0+dfsg-3 by Michael R. Crusoe.
• khmer/2.0+dfsg-7 by Michael R. Crusoe.
• libhdf4/4.2.11-2 by Bas Couwenberg.
• libjspeex-java/0.9.7-4 by Emmanuel Bourg.
• libmialm/1.0.9-1 by Gert Wollny.
• libtheora/1.1.1+dfsg.1-10 by Petter Reinholdtsen.
• odil/0.6.0-2 by Julien Lamy.
• pacemaker/1.1.15~rc3-1 by Ferenc W gner.
• pvm/3.4.6-1 by James Clarke.
• rna-star/2.5.2a+dfsg-2 by Sascha Steinbiss.
• smalt/0.7.6-6 by Sascha Steinbiss.
• soapdenovo2/240+dfsg-3 by Sascha Steinbiss.
• svtplay-dl/1.1-1 by Olof Johansson.
• t-coffee/11.00.8cbe486-3 by Sascha Steinbiss.
• toppred/1.10-3 by Sascha Steinbiss.
• transdecoder/3.0.0+dfsg-2 by Michael R. Crusoe.
• vpim/0.695-1.4 by Herbert Parentes Fortes Neto.
• vtk-dicom/0.7.7-2 by Gert Wollny.
• xplc/0.3.13-6 by Reiner Herrmann.

Some uploads have fixed some reproducibility issues, but not all of them:

• codeblocks/16.01+dfsg-1 by Vincent Cheng, original patch by Fabian Wolff.
• gmt/5.2.1+dfsg-6 by Bas Couwenberg, original patch by Alexis Bienven .

Patches submitted that have not made their way to the archive yet:

• #803547 against bbswitch (reopened) by Reiner Herrmann: sort members of tar archive
• #806945 against bash (follow-up) by Reiner Herrmann: use system man2html instead of embedded copy
• #825122 against kapptemplate by Scarlett Clark: set owner/group of members in tarball to root
• #825138 against console-setup by Reiner Herrmann: fix umask issue; sort entries in shell script; sort fontsets/charmaps locale-independently
• #825285 against kodi by Lukas Rechberger: replace build timestamps with version numbers
• #825322 against choqok by Scarlett Clark: force UTF-8 locale so kconfig_compiler behaves correctly
• #825544 against wavemon by Reiner Herrmann: sort list of object files
• #825545 against dwm by Reiner Herrmann: sort list of header files
• #825547 against tennix by Reiner Herrmann: sort list of data files being archived
• #825584 against ffmpeg2theora by Reiner Herrmann: sort list of source files
• #825588 against kball by Reiner Herrmann: sort list of source files
• #825634 against miceamaze by Reiner Herrmann: sort list of object files
• #825643 against dash by Reiner Herrmann: fix sorting of struct members in generated source file
• #825655 against libselinux by Reiner Herrmann: sort list of source files
• #825656 against libsepol by Reiner Herrmann: sort list of source files
• #825674 against libsemanage by Reiner Herrmann: sort list of source files

Package reviews 123 reviews have been added, 57 have been updated and 135 have been removed in this week.

• 5 new issues have been identified:
  • timestamps_in_pdf_generated_by_imagemagick
  • ruby_mkmf_makefile_unsorted_objects
  • timestamps_from_timestamp_macro
  • scons_doesnt_pass_environment_to_build_tools
  • timestamps_from_cpp_macros_in_d

21 FTBFS bugs have been reported by Chris Lamb and Santiago Vila. strip-nondeterminism development

• strip-nondeterminsim development: treat *.htb as Zip files (by Sascha Steinbiss).
• strip-nondeterminism 0.017-1 uploaded by h01ger.

tests.reproducible-builds.org

• The kde pkg set was extended, though the change ain't visible yet, as there are currently non-installable packages in it (and so the set can't be computed). (h01ger)

Misc.

• Mattia improved misc.git/reports (=the tools to help writing the weekly statistics for this blog) some more.

This week's edition was written by Reiner Herrmann and Holger Levsen and reviewed by a bunch of Reproducible builds folks on IRC.

What happened in the Reproducible Builds effort between May 15th and May 21st 2016: Media coverage Blog posts from our GSoC and Outreachy contributors:

• Val's first post describing her plans for improving tests.reproducible-builds.org.
• ceridwen's first post describing her plans for reprotest, the universal reproducibility testing tool.
• Scarlett's and Satyam's first posts were linked in previous week's report already.

Documentation update Ximin Luo clarified instructions on how to set SOURCE_DATE_EPOCH. Toolchain fixes

• Joao Eriberto Mota Filho uploaded txt2man/1.5.6-4, which honours SOURCE_DATE_EPOCH to generate reproducible manpages (original patch by Reiner Herrmann).
• Dmitry Shachnev uploaded sphinx/1.4.1-1 to experimental with improved support for SOURCE_DATE_EPOCH (original patch by Alexis Bienven e).
• Emmanuel Bourg submitted a patch against debhelper to use a fixed username while building ant packages.

Other upstream fixes

• Doxygen merged a patch by Ximin Luo, which uses UTC as timezone for embedded timestamps.
• CMake applied a patch by Reiner Herrmann in their next branch, which sorts file lists obtained with file(GLOB).
• GNU tar 1.29 with support for --clamp-mtime has been released upstream, closing #816072, which was the blocker for #759886 "dpkg-dev: please make mtimes of packaged files deterministic" which we now hope will be closed soon.

Packages fixed The following 18 packages have become reproducible due to changes in their build dependencies: abiword angband apt-listbugs asn1c bacula-doc bittornado cdbackup fenix gap-autpgrp gerbv jboss-logging-tools invokebinder modplugtools objenesis pmw r-cran-rniftilib x-loader zsnes The following packages have become reproducible after being fixed:

• ball/1.4.3~beta1-1 by Andreas Tille.
• chrony/2.3-1 by Vincent Blut, original patch by Alexis Bienven e.
• corosync/2.3.5-7 by Ferenc W gner.
• gap-ctbllib/1r2p2.dfsg.0-3 by Bill Allombert, original patch by Alexis Bienven e.
• kdiff3/0.9.98-3 by Eike Sauer.
• netcdf-cxx/4.3.0+ds-3 by Bas Couwenberg.
• netcdf-fortran/4.4.4+ds-2 by Bas Couwenberg.
• primesieve/5.6.0+ds-2 by Jerome Benoit.
• ray/2.3.1-4 by Sascha Steinbiss.
• rocksdb/4.5.1-1 by Laszlo Boszormenyi, original patch by Chris Lamb.
• shapelib/1.3.0-8 by Bas Couwenberg.
• swift/2.7.0-3 by Ond ej Nov .
• t-coffee/11.00.8cbe486-3 by Sascha Steinbiss.
• webkit2pdf/0.3-2 by Ricardo Mones, original patch by Reiner Herrmann.
• wise/2.4.1-18 by Sascha Steinbiss.

Some uploads have fixed some reproducibility issues, but not all of them:

• bzr/2.7.0-6 by Jelmer Vernoo .
• libsdl2/2.0.4+dfsg2-1 by Manuel A. Fernandez Montecelo.
• pvm/3.4.5-13 by James Clarke.
• refpolicy/2:2.20140421-11 by Laurent Bigonville.
• subvertpy/0.9.3-4 by Jelmer Vernoo .

Patches submitted that have not made their way to the archive yet:

• #824413 against binutils by Chris Lamb: filter build user and date from test log case-insensitively
• #824452 against python-certbot by Chris Lamb: prevent PID from being embedded into documentation (forwarded upstream)
• #824453 against gtk-gnutella by Chris Lamb: use SOURCE_DATE_EPOCH for deterministic timestamp (merged upstream)
• #824454 against python-latexcodec by Chris Lamb: fix for parsing the changelog date
• #824472 against torch3 by Alexis Bienven e: sort object files while linking
• #824501 against cclive by Alexis Bienven e: use SOURCE_DATE_EPOCH as embedded build date
• #824567 against tkdesk by Alexis Bienven e: sort order of files which are parsed by mkindex script
• #824592 against twitter-bootstrap by Alexis Bienven e: use shell-independent printing
• #824639 against openblas by Alexis Bienven e: sort object files while linking
• #824653 against elkcode by Alexis Bienven e: sort list of files locale-independently
• #824668 against gmt by Alexis Bienven e: use SOURCE_DATE_EPOCH for embedded timestamp (similar patch by Bas Couwenberg already applied and forwarded upstream)
• #824808 against gdal by Alexis Bienven e: sort object files while linking
• #824951 against libtomcrypt by Reiner Herrmann: use SOURCE_DATE_EPOCH for timestamp embedded into metadata

Reproducibility-related bugs filed:

• #824420 against python-phply by ceridwen: parsetab.py file is not included when building with DEB_BUILD_OPTIONS="nocheck"
• #824572 against dpkg-dev by XImin Luo: request to export SOURCE_DATE_EPOCH in /usr/share/dpkg/*.mk.

Package reviews 51 reviews have been added, 19 have been updated and 15 have been removed in this week.

• Two new issues have been found:
  • random_order_in_static_library_by_icmake
  • timestamps_in_manpages_generated_by_latex2man

22 FTBFS bugs have been reported by Chris Lamb, Santiago Vila, Niko Tyni and Daniel Schepler. tests.reproducible-builds.org

• Icons have been added to the package test history pages (h01ger).
• Test performance and variation pages have been splitted out of the dashboard view (h01ger).
• A new pkg set has been added: packages maintained by debian-med-packaging@l.a.d.o (h01ger).
• The preliminary results for testing have improved further:
  • testing/amd64 has 20944 / 90.2% reproducible packages now,
  • testing/i386 has reached 20013 / 86.3% reproducible packages,
  • testing/armhf has come close with 19951 / 86.0%.

Misc.

• During the discussion on debian-devel about PIE, an archive rebuild was suggested by B lint R czey, and Holger Levsen suggested to coordinate this with a required archive rebuild for reproducible builds.
• Ximin Luo improved misc.git/reports (=the tools to help writing the weekly statistics for this blog) quite a bit, h01ger contributed a little too.

This week's edition was written by Reiner Herrmann and Holger Levsen and reviewed by a bunch of Reproducible builds folks on IRC.

What happened in the Reproducible Builds effort between April 24th and 30th 2016. Media coverage Reproducible builds were mentioned explicitly in two talks at the Mini-DebConf in Vienna:

• Martin Michlmayr had a talk in which he presented an overview about innovations and changes in Debian in the last years. Martin expressed his disappointment that there was no talk from us in Vienna (we'll fix this at DebConf16 in Cape Town) and described the reproducible builds work as "a real innovation". His talk is very much worth seeing, whatever your current perspective, it might change your view on Debian.
• Ben Hutchings explains how Secure Boot will use signed kernels via separate signature packages and how this was designed with reproducible builds in mind.

Aspiration together with the OTF CommunityLab released their report about the Reproducible Builds summit in December 2015 in Athens. Toolchain fixes Now that the GCC development window has been opened again, the SOURCE_DATE_EPOCH patch by Dhole and Matthias Klose to address the issue timestamps_from_cpp_macros (__DATE__ / __TIME__) has been applied upstream and will be released with GCC 7. Following that Matthias Klose also has uploaded gcc-5/5.3.1-17 and gcc-6/6.1.1-1 to unstable with a backport of that SOURCE_DATE_EPOCH patch. Emmanuel Bourg uploaded maven/3.3.9-4, which uses SOURCE_DATE_EPOCH for the maven.build.timestamp. (SOURCE_DATE_EPOCH specification) Other upstream changes Alexis Bienven e submitted a patch to Sphinx which extends SOURCE_DATE_EPOCH support for copyright years in generated documentation. Packages fixed The following 12 packages have become reproducible due to changes in their build dependencies: hhvm jcsp libfann libflexdock-java libjcommon-java libswingx1-java mobile-atlas-creator not-yet-commons-ssl plexus-utils squareness svnclientadapter The following packages have became reproducible after being fixed:

• anope/2.0.3-2 by Dominic Hargreaves, original patch by Alexis Bienven e.
• apparmor-profiles-extra/1.7 by intrigeri, patch by Felix Geyer.
• basket/2.10~beta+git20160425.b77687f-1 by Luigi Toscano, original patch by Alexis Bienven e.
• bind-dyndb-ldap/8.0-2 by Timo Aaltonen.
• bliss/0.73-1 by Jerome Benoit.
• gap-alnuth/3.0.0-3 by Bill Allombert.
• gap-radiroot/2.7-2 by Bill Allombert.
• genometools/1.5.8+ds-3 by Sascha Steinbiss.
• gprbuild/2015-3 by Nicolas Boulenguez.
• gtkhash/0.7.0-3 by M nica Ram rez Arceda.
• josm/0.0.svn10161+dfsg-1 by Bas Couwenberg.
• libjgoodies-animation-java/1.4.3-1 by Markus Koschany.
• ltrsift/1.0.2-7 by Sascha Steinbiss.
• mutt/1.6.0-1 by Matteo F. Vescovi, original patch by Daniel Shahaf.
• netsniff-ng/0.6.1-1 by Kartik Mistry, original patch by Reiner Herrmann.
• netrw/1.3.2-3 by Giovanni Mascellani.
• openthesaurus/20160424-3 by Rene Engelhard, original patch by Dhole.
• php-pear/1:1.10.1+submodules+notgz-8 by Mathieu Parent.
• samba/2:4.4.2+dfsg-2 by Jelmer Vernoo .
• swift/2.7.0-3 by Ond ej Nov .
• tp-smapi/0.42-1 by Evgeni Golov, original patch by Chris Lamb.
• vifm/0.8.1a-0.1 by Ond ej Nov .
• xfonts-mplus/1:2.2.4-2 by Hideki Yamane, original patch by Chris Lamb.
• xpa/2.1.17-2 by Ole Streicher, original patch by Alexis Bienven e.

Some uploads have fixed some reproducibility issues, but not all of them:

• camitk/4.0.0~beta-1 by Emmanuel Promayon, original patch by Maria Valentina Marin.
• elastix/4.8-8 by Gert Wollny.
• freefem++/3.46+dfsg1-1 by Dimitrios Eftaxiopoulos, original patch by Alexis Bienven e.
• grib-api/1.15.0-1 by Alastair McKinstry, original patch by Santiago Vila.
• isorelax/20041111-9 by Emmanuel Bourg.
• libical/2.0.0-0.1 by Andreas Henriksson, original patch by Chris Lamb.
• sawfish/1:1.11.90-1 by Jose M Calhariz, original patch by Alexis Bienven e.
• singular/4.0.3-p1+ds-1 by Jerome Benoit.
• syslinux/3:6.03+dfsg-12 by Mattia Rizzolo, original patch by Reiner Herrmann.
• transdecoder/2.0.1+dfsg-3 by Michael R. Crusoe, original patch by Dhole.

Patches submitted that have not made their way to the archive yet:

• #822566 against stk by Alexis Bienven e: sort lists of object files for reproducible linking order.
• #822948 against shotwell by Alexis Bienven e: normalize tarball permissions and use locale/timezone-independent modification time.
• #822963 against htop by Alexis Bienven e: use SOURCE_DATE_EPOCH for embedded copyright year, which has before already been applied in git and upstream.

Package reviews 95 reviews have been added, 15 have been updated and 129 have been removed in this week. 22 FTBFS bugs have been reported by Chris Lamb and Martin Michlmayr. diffoscope development

• diffoscope 52~bpo8+1 has been uploaded to jessie-backports by Mattia Rizzolo, where it is currently waiting for NEW-approval.
• Support for the deb(5) format (uncompressed data.tar/control.tar, control.tar.xz) (Closes: #818414) has been completed by Reiner Herrmann in git.

strip-nondeterminism development

• Support for EPUB documents has been added (to the development version in git) by Holger Levsen, to address the timestamps_in_epub issue.

tests.reproducible-builds.org

• To monitor the uptodateness of diffoscope everywhere, tests checking this on FreeBSD, NetBSD & MacPorts were added. Tests on other distributions will be added once the relevant bugs in whohas are fixed in jessie. (h01ger)

Misc. Amongst the 29 interns who will work on Debian through GSoC and Outreachy there are four who will be contributing to Reproducible Builds for Debian and Free Software. We are very glad to welcome ceridwen, Satyam Zode, Scarlett Clark and Valerie Young and look forward to working together with them the coming months (and maybe beyond)! This week's edition was written by Reiner Herrmann and Holger Levsen and reviewed by a bunch of Reproducible builds folks on IRC.

What happened in the reproducible builds effort between April 10th and April 16th 2016: Toolchain fixes

• Roland Rosenfeld uploaded transfig/1:3.2.5.e-6 which honors SOURCE_DATE_EPOCH. Original patch by Alexis Bienven e.
• Bill Allombert uploaded gap/4r8p3-2 which makes convert.pl honor SOURCE_DATE_EPOCH. Original patch by Jerome Benoit, duplicate patch by Dhole.
• Emmanuel Bourg uploaded ant/1.9.7-1 which makes the Javadoc task use UTF-8 as the default encoding if none was specified and SOURCE_DATE_EPOCH is set.

Antoine Beaupr suggested that gitpkg stops recording timestamps when creating upstream archives. Antoine Beaupr also pointed out that git-buildpackage diverges from the default gzip settings which is a problem for reproducibly recreating released tarballs which were made using the defaults. Alexis Bienven e submitted a patch extending sphinx SOURCE_DATE_EPOCH support to copyright year. Packages fixed The following packages have become reproducible due to changes in their build dependencies: atinject-jsr330, avis, brailleutils, charactermanaj, classycle, commons-io, commons-javaflow, commons-jci, gap-radiroot, jebl2, jetty, libcommons-el-java, libcommons-jxpath-java, libjackson-json-java, libjogl2-java, libmicroba-java, libproxool-java, libregexp-java, mobile-atlas-creator, octave-econometrics, octave-linear-algebra, octave-odepkg, octave-optiminterp, rapidsvn, remotetea, ruby-rinku, tachyon, xhtmlrenderer. The following packages became reproducible after getting fixed:

• autopkgtest/3.20.3 uploaded by Martin Pitt, original patch by Alexis Bienven e.
• fop/1:2.1-3 uploaded by Mathieu Malaterre, original patch by Alexis Bienven e.
• fwupdate/0.5-4 by Mario Limonciello.
• gem/1:0.93.3-10 by IOhannes m zm lnig.
• imview/1.1.9c-16 by Anton Gladky.
• libappindicator/0.4.92-4 by Adam Borowski.
• libjlha-java/0.0.20050504-9 by Emmanuel Bourg.
• lwjgl/2.9.3+dfsg-1 by Markus Koschany.
• lxc/1:2.0.0~rc15-1 uploaded by Evgeni Golov, original patch by Reiner Herrmann.
• manpages-de/1.12-1 uploaded by Tobias Quathamer, original patch by Reiner Herrmann.
• pd-mrpeach/0.1~svn17615-1 by IOhannes m zm lnig.
• pyhoca-gui/0.5.0.6-1 uploaded by Mike Gabriel, original patch by Chris Lamb.
• r-cran-spatstat/1.45-0-1 by Andreas Tille.
• s5/1.1.dfsg.2-6 uploaded by Peter Pentchev, original patch by Juan Picca.
• samba/2:4.3.8+dfsg-1 by Jelmer Vernoo .
• sim4/0.0.20121010-3 uploaded by Andreas Tille, original patch by Alexis Bienven e.
• svxlink/15.11-1 uploaded by Felix Lechner, fixed upstream.
• tinc/1.0.28-1 by Guus Sliepen, fixed upstream.
• ucblogo/6.0+dfsg-1 by Reiner Herrmann.

Some uploads fixed some reproducibility issues, but not all of them:

• mm-common/0.9.10-1 by Michael Biebl.

Patches submitted which have not made their way to the archive yet:

• #820603 on viking by Alexis Bienven e: fix icon headers inclusion order.
• #820661 on nullmailer by Alexis Bienven e: fix the order in which files are included in the static archive.
• #820668 on sawfish by Alexis Bienven e: fix file ordering in theme archives, strip hostname and username from the config.h file, and honour SOURCE_DATE_EPOCH when creating the config.h file.
• #820740 on bless by Alexis Bienven e: always use /bin/sh as shell.
• #820742 on gmic by Alexis Bienven e: strip the build date from help messages.
• #820809 on wsdl4j by Alexis Bienven e: use a plain text representation of the copyright character.
• #820815 on freefem++ by Alexis Bienven e: fix the order in which files are included in the .edp files, and honour SOURCE_DATE_EPOCH when using the build date.
• #820869 on pyexiv2 by Alexis Bienven e: honour the SOURCE_DATE_EPOCH environment variable through the ustrftime function, to get a reproducible copyright year.
• #820932 on fim by Alexis Bienven e: fix the order in which files are joined in header files, strip the build date from fim binary, make the embeded vim2html script honour SOURCE_DATE_EPOCH variable when building the documentation, and force language to be English when using bison to make a grammar that is going to be parsed using English keywords.
• #820990 on grib-api by Santiago Vila: always call dh-buildinfo.

diffoscope development Zbigniew J drzejewski-Szmek noted in #820631 that diffoscope doesn't work properly when a file contains several cpio archives. Package reviews 21 reviews have been added, 14 updated and 22 removed in this week. New issue found: timestamps_in_htm_by_gap. Chris Lamb reported 10 new FTBFS issues. Misc. The video and the slides from the talk "Reproducible builds ecosystem" at LibrePlanet 2016 have been published now. This week's edition was written by Lunar and Holger Levsen. h01ger automated the maintenance and publishing of this weekly newsletter via git.

What happened in the reproducible builds effort between March 20th and March 26th: Toolchain fixes

• Sebastian Ramacher uploaded breathe/4.2.0-1 which makes its output deterministic. Original patch by Chris Lamb, merged upstream.
• Rafael Laboissiere uploaded octave/4.0.1-1 which allows packages to be built in place and avoid unreproducible builds due to temporary build directories appearing in the .oct files.

Daniel Kahn Gillmor worked on removing build path from build symbols submitting a patch adding -fdebug-prefix-map to clang to match GCC, another patch against gcc-5 to backport the removal of -fdebug-prefix-map from DW_AT_producer, and finally by proposing the addition of a normalizedebugpath to the reproducible feature set of dpkg-buildflags that would use -fdebug-prefix-map to replace the current directory with . using -fdebug-prefix-map. Sergey Poznyakoff merged the --clamp-mtime option so that it will be featured in the next Tar release. This option is likely to be used by dpkg-deb to implement deterministic mtimes for packaged files. Packages fixed The following packages have become reproducible due to changes in their build dependencies: augeas, gmtkbabel, ktikz, octave-control, octave-general, octave-image, octave-ltfat, octave-miscellaneous, octave-mpi, octave-nurbs, octave-octcdf, octave-sockets, octave-strings, openlayers, python-structlog, signond. The following packages became reproducible after getting fixed:

• atheme-services/7.0.7-1 by Antoine Beaupr .
• boa-constructor/0.6.1-16 by Reiner Herrmann.
• calculix-ccx/2.10-1 by Wolfgang F tterer, fixed upstream.
• deap/1.0.2.post2-2 by Daniel Stender.
• debian-keyring/2016.03.22 uploaded by Jonathan McDowell, fix by Niels Thykier, obsolete patch by Satyam Zode.
• firefox-kwallet5/1.0-2 by Sandro Knau .
• fox1.6/1.6.51-1 by Joachim Wiedorn.
• gdnsd/2.2.3-1 by Faidon Liambotis.
• glib2.0/2.48.0-1 uploaded by Iain Lane, original patch by Lunar, merged upstream.
• jwm/2.3.4-1 uploaded by Samuel Henrique Oltramari Pinto, fix by Reiner Herrmann.
• libasm4-java/5.0.4-2 by Emmanuel Bourg.
• libjna-java/4.2.2-1 by Emmanuel Bourg.
• libsynthesis/3.4.0.47.5+syncevolution-1.5.1-1 uploaded by Tino Mettler, patch by Reiner Herrmann.
• logback/1:1.1.6-1 by Emmanuel Bourg.
• nethack/3.6.0-2 uploaded by James Cowgill, patch by Reiner Herrmann.
• php-htmlpurifier/4.7.0-2 by David Pr vot.
• psocksxx/1.1.0-1 by Gianfranco Costamagna.
• sbmltoolbox/4.1.0-3 uploaded by Afif Elghraoui, original patch by Reiner Herrmann.
• spades/3.7.1+dfsg-2 by Sascha Steinbiss.
• sprng/2.0a-10 uploaded by Dirk Eddelbuettel, original patch by Reiner Herrmann.

Some uploads fixed some reproducibility issues, but not all of them:

• gle-graphics/4.2.5-2 by Christian T. Steigies.
• kexec-tools/1:2.0.10-2 uploaded by Khalid Aziz, original patch by Lunar.
• pdal/1.1.0-4 by Bas Couwenberg.
• tcl8.5/8.5.19-2 uploaded by Sergei Golovan, original patch.
• tcl8.6/8.6.5+dfsg-2 uploaded by Sergei Golovan, original patch.

Patches submitted which have not made their way to the archive yet:

• #818742 on milkytracker by Reiner Herrmann: sorts the list of source files.
• #818752 on tcl8.4 by Reiner Herrmann: sort source files using C locale.
• #818753 on tk8.6 by Reiner Herrmann: sort source files using C locale.
• #818754 on tk8.5 by Reiner Herrmann: sort source files using C locale.
• #818755 on tk8.4 by Reiner Herrmann: sort source files using C locale.
• #818952 on marionnet by ceridwen: dummy out build date and uname to make build reproducible.
• #819334 on avahi by Reiner Herrmann: ship upstream changelog instead of the one generated by gettextize (although duplicate of #804141 by Santiago Vila).

tests.reproducible-builds.org i386 build nodes have been setup by converting 2 of the 4 amd64 nodes to i386. (h01ger) Package reviews 92 reviews have been removed, 66 added and 31 updated in the previous week. New issues: timestamps_generated_by_xbean_spring, timestamps_generated_by_mangosdk_spiprocessor. Chris Lamb filed 7 FTBFS bugs. Misc. On March 20th, Chris Lamb gave a talk at FOSSASIA 2016 in Singapore. The very same day, but a few timezones apart, h01ger did a presentation at LibrePlanet 2016 in Cambridge, Massachusetts. Seven GSoC/Outreachy applications were made by potential interns to work on various aspects of the reproducible builds effort. On top of interacting with several applicants, prospective mentors gathered to review the applications.

What happened in the reproducible builds effort between March 20th and March 26th:

Toolchain fixes

• Sebastian Ramacher uploaded breathe/4.2.0-1 which makes its output deterministic. Original patch by Chris Lamb, merged uptream.
• Rafael Laboissiere uploaded octave/4.0.1-1 which allows packages to be built in place and avoid unreproducible builds due to temporary build directories appearing in the .oct files.

Daniel Kahn Gillmor worked on removing build path from build symbols submitting a patch adding -fdebug-prefix-map to clang to match GCC, another patch against gcc-5 to backport the removal of -fdebug-prefix-map from DW_AT_producer, and finally by proposing the addition of a normalizedebugpath to the reproducible feature set of dpkg-buildflags that would use -fdebug-prefix-map to replace the current directory with . using -fdebug-prefix-map. As succesful result of lobbying at LibrePlanet 2016, the --clamp-mtime option will be featured in the next Tar release. This option is likely to be used by dpkg-deb to implement deterministic mtimes for packaged files.

Packages fixed The following packages have become reproducible due to changes in their build dependencies: augeas, gmtkbabel, ktikz, octave-control, octave-general, octave-image, octave-ltfat, octave-miscellaneous, octave-mpi, octave-nurbs, octave-octcdf, octave-sockets, octave-strings, openlayers, python-structlog, signond. The following packages became reproducible after getting fixed:

• atheme-services/7.0.7-1 by Antoine Beaupr .
• boa-constructor/0.6.1-16 by Reiner Herrmann.
• calculix-ccx/2.10-1 by Wolfgang F tterer, fixed upstream.
• deap/1.0.2.post2-2 by Daniel Stender.
• debian-keyring/2016.03.22 uploaded by Jonathan McDowell, fix by Niels Thykier, obsolete patch by Satyam Zode.
• firefox-kwallet5/1.0-2 by Sandro Knau .
• fox1.6/1.6.51-1 by Joachim Wiedorn.
• gdnsd/2.2.3-1 by Faidon Liambotis.
• glib2.0/2.48.0-1 uploaded by Iain Lane, original patch by Lunar, merged upstream.
• jwm/2.3.4-1 uploaded by Samuel Henrique Oltramari Pinto, fix by Reiner Herrmann.
• libasm4-java/5.0.4-2 by Emmanuel Bourg.
• libjna-java/4.2.2-1 by Emmanuel Bourg.
• libsynthesis/3.4.0.47.5+syncevolution-1.5.1-1 uploaded by Tino Mettler, patch by Reiner Herrmann.
• logback/1:1.1.6-1 by Emmanuel Bourg.
• nethack/3.6.0-2 uploaded by James Cowgill, patch by Reiner Herrmann.
• php-htmlpurifier/4.7.0-2 by David Pr vot.
• psocksxx/1.1.0-1 by Gianfranco Costamagna.
• sbmltoolbox/4.1.0-3 uploaded by Afif Elghraoui, original patch by Reiner Herrmann.
• spades/3.7.1+dfsg-2 by Sascha Steinbiss.
• sprng/2.0a-10 uploaded by Dirk Eddelbuettel, original patch by Reiner Herrmann.

Some uploads fixed some reproducibility issues, but not all of them:

• gle-graphics/4.2.5-2 by Christian T. Steigies.
• kexec-tools/1:2.0.10-2 uploaded by Khalid Aziz, original patch by Lunar.
• pdal/1.1.0-4 by Bas Couwenberg.
• tcl8.5/8.5.19-2 uploaded by Sergei Golovan, original patch.
• tcl8.6/8.6.5+dfsg-2 uploaded by Sergei Golovan, original patch.

Patches submitted which have not made their way to the archive yet:

• #818742 on milkytracker by Reiner Herrmann: sorts the list of source files.
• #818752 on tcl8.4 by Reiner Herrmann: sort source files using C locale.
• #818753 on tk8.6 by Reiner Herrmann: sort source files using C locale.
• #818754 on tk8.5 by Reiner Herrmann: sort source files using C locale.
• #818755 on tk8.4 by Reiner Herrmann: sort source files using C locale.
• #818952 on marionnet by ceridwen: dummy out build date and uname to make build reproducible.
• #819334 on avahi by Reiner Herrmann: ship upstream changelog instead of the one generated by gettextize (although duplicate of #804141 by Santiago Vila).

tests.reproducible-builds.org i386 build nodes have been setup by converting 2 of the 4 amd64 nodes to i386. (h01ger)

Package reviews 92 reviews have been removed, 66 added and 31 updated in the previous week. New issues: timestamps_generated_by_xbean_spring, timestamps_generated_by_mangosdk_spiprocessor. Chris Lamb filed 7 FTBFS bugs.

Misc. On March 20th, Chris Lamb gave a talk at FOSSASIA 2016 in Singapore. The very same day, but a few timezones apart, h01ger did a presentation at LibrePlanet 2016 in Cambridge, Massachusetts. Seven GSoC/Outreachy applications were made by potential interns to work on various aspects of the reproducible builds effort. On top of interacting with several applicants, prospective mentors gathered to review the applications. Huge thanks to Linda Naeun Lee for the new hackergotchi visible on Planet Debian.

What happened in the reproducible builds effort this week: Toolchain fixes Reiner Herrmann submitted a patch against debhelper to make dh_installinit source files in a stable order. Chris Lamb found how to make cython output deterministic by ordering the keys used to traverse a dict. Reiner Herrmann proposed a patch for pyside-tools to remove the timestamps embedded by rcc in the generated Python code. Mattia Rizzolo rebased our custom version of debhelper on version 9.20151126. As no objections have been made so far, Mattia Rizzolo has filled #805872 asking -Wdate-time to be turned on by default in dpkg-buildflag. Guillem has since sent a final warning before proceeding as such in the next dpkg upload. Russ Allbery added support for SOURCE_DATE_EPOCH in podlators 4.00 which Niko Tyni intend to backport to Perl 5.22. Packages fixed The following packages have become reproducible due to changes in their build dependencies: fontforge, golang-github-tinylib-msgp, libpango-perl, libparanamer-java, libxaw, sqljet, stringtemplate4, uzbl, zope-mysqlda. The following packages became reproducible after getting fixed:

• apt/1.1~exp9 uploaded by Michael Vogt, original patch by Lunar.
• libnet-interface-perl/1.012-3 uploaded by gregor herrmann, original patch by Reiner Herrmann.
• lightdm-gtk-greeter-settings/1.2.0-2 by James Lu, reported by Christian Kastner.
• lilo/1:24.2-1 uploaded by Joachim Wiedorn, original patch by Dmitry Bogatov.
• ncl/6.3.0-4 by Alastair McKinstry.
• pbuilder/0.221 uploaded by Mattia Rizzolo, patch by Reiner Herrmann.
• phantomjs/2.0.0+dfsg-1 uploaded by TANIGUCHI Takaki, fixed upstream.
• pxz/4.999.99~beta5+gitfcfea93-1 uploaded by Holger Levsen, original patch by Reiner Herrman.

Some uploads fixed some reproducibility issues, but not all of them:

• tiger/1:3.2.3-13 uploaded by Javier Fern ndez-Sanguino Pe a, original patch by Daniel Kahn Gillmor.

Patches submitted which have not made their way to the archive yet:

• #805773 on keylaunch by Chris Lamb: removes an automatically-updated copyright date from the build system.
• #805787 on deja-dup by Reiner Herrmann: use system help2man instead of embedded copy.
• #806321 on coreutils by Lunar: use system help2man instead of embedded copy.
• #806434 on mboxcheck by Reiner Herrmann: set the embedded date to the last date from the changelog.
• #806452 on lierolibre by Reiner Herrmann: set LC_ALL instead of LANG to ensure how dd output looks like.
• #806490 on binutils by Reiner Herrmann: filter user and date from test output.
• #806517 on onboard by Reiner Herrmann: sort the list of items parsed from pkg-config.
• #806547 on netsniff-ng by Reiner Herrmann: set LC_ALL=C when enumerating files to link.
• #806551 on libosmocore by Reiner Herrmann: use C locale and UTC when formatting the changelog date.
• #806552 on remake by Reiner Herrmann: set the mtime of the texinfo source to the latest debian/changelog entry.
• #806564 on libdigidoc by Reiner Herrmann: add support for SOURCE_DATE_EPOCH in VersionInfo.cmake.

Lunar reported two issues making xz-utils unreproducible (#806328, #806331). reproducible.debian.net A seventh armhf build node has been added (resulting of two more armhf build jobs). Thanks to Vagrant Cascadian for putting this Raspberry Pi 2B to help. (h01ger) jenkins.debian.net has been made more robust against network and proxy failures. (h01ger) A new 100 GB partition has been set up on reproducible.debian.net to prevent disk space issues. Thanks to ProfitBricks for its continuous support to our continuous test system. (h01ger) New graphs showing usertagged bugs have been added on the dashboard to measure the progress without FTBFS issues. Please note that comparing the two graphs might be misleading as more than 1300 FTBFS bugs have been inventoried. (h01ger) Package reviews 78 reviews have been removed, 116 added and 49 updated this week. 25 new FTBFS have been filed by Chris West, Chris Lamb and Santiago Vila. New issues identified this week: timestamps_in_documentation_generated_with_libwibble, copyright_year_in_documentation_generated_by_sphinx, timestamps_in_documentation_generated_by_glib_genpod, random_order_of_tmpfiles_in_postinst, random_order_in_cython_output, timestamps_in_python_code_generated_by_pyside. Reiner Herrmann and Lunar improved the prebuilder script: the script can now be called through a symlink, run parallel builds, calls diffoscope by its new name and ensure to install its recommends, and save the text output aside the HTML one. Reiner also added a script to lookup the last update of notes for a given package. Misc. Santiago Villa has been recently working on making sure that Arch:all packages were properly buildable by running dpkg-buildpackage -A. This uncovered a question that is probably not currently addressed by the policy: on which architectures should architecture-independent be buildable?

What happened in the reproducible builds effort this week: Toolchain fixes

• Colin Watson uploaded groff/1.22.3-2 which implements support for SOURCE_DATE_EPOCH.
• Colin Watson uploaded halibut/1.1-2 which implements support for SOURCE_DATE_EPOCH.

Chris Lamb filled a bug on python-setuptools with a patch to make the generated requires.txt files reproducible. The patch has been forwarded upstream. Chris also understood why the she-bang in some Python scripts kept being undeterministic: setuptools as called by dh-python could skip re-installing the scripts if the build had been too fast (under one second). #804339 offers a patch fixing the issue by passing --force to setup.py install. #804141 reported on gettext asks for support of SOURCE_DATE_EPOCH in gettextize. Santiago Vila pointed out that it doesn't felt appropriate as gettextize is supposed to be an interactive tool. The problem reported seems to be in avahi build system instead. Packages fixed The following packages became reproducible due to changes in their build dependencies: celestia, dsdo, fonts-taml-tscu, fte, hkgerman, ifrench-gut, ispell-czech, maven-assembly-plugin, maven-project-info-reports-plugin, python-avro, ruby-compass, signond, thepeg, wagon2, xjdic. The following packages became reproducible after getting fixed:

• 4ti2/1.6.6+ds-1 uploaded by Jerome Benoit, fixed upstream.
• allegro4.4/2:4.4.2-7 uploaded by Andreas R nnquist, original patch by Reiner Herrmann.
• axel/2.5-2 by Joao Eriberto Mota Filho.
• bastet/0.43-4 by Markus Koschany.
• bbswitch/0.8-3 uploaded by Luca Boccassi, original patch by Reiner Herrmann.
• commons-math/2.2-5 by Emmanuel Bourg.
• fatresize/1.0.2-8 by Colin Watson, reported by Chris Lamb.
• giada/0.10.2~dfsg1-1 by IOhannes m zm lnig.
• groff/1.22.3-3 by Colin Watson.
• halibut/1.1-2 by Colin Watson.
• ivy/2.4.0-2 by Emmanuel Bourg.
• libfreemarker-java/2.3.23-2 by Emmanuel Bourg.
• libjna-java/4.2.1-1 by Emmanuel Bourg.
• lmemory/0.6c-8 by Markus Koschany.
• man-db/2.7.5-1 by Colin Watson.
• maven2-core/2.2.1-23 by Emmanuel Bourg.
• ncurses/6.0+20151024-2 by Sven Joachim, report by Esa Peuha.
• netmask/2.4.3-1 by Guilhem Moulin.
• ogre-1.9/1.9.0+dfsg1-7 uploaded by Manuel A. Fernandez Montecelo, original patch by Chris Lamb.
• praat/6.0.4-2 by Rafael Laboissiere.
• soundscaperenderer/0.4.2~dfsg-5 by IOhannes m zm lnig.
• usb-modeswitch-data/20151101-1 uploaded by Didier Raboud, original patch by Reiner Herrmann.

Some uploads fixed some reproducibility issues but not all of them:

• dbconfig-common/1.8.55 by Paul Gevers.
• mondrian/1:3.11.0.1-1 by Emmanuel Bourg.

Patches submitted which have not made their way to the archive yet:

• #803893 on goaccess by Guillaume Delacour: remove __DATE__ and __TIME__ macros.
• #803908 on starlink-pal by Chris Lamb: pass -info 0 to latex2html.

Chris Lamb closed a wrongly reopened bug against haskell-devscripts that was actually a problem in haddock. reproducible.debian.net FreeBSD tests are now run for three branches: master, stable/10, release/10.2.0. (h01ger) diffoscope development Support has been added for Free Pascal unit files (.ppc). (Paul Gevers) The homepage is now available using HTTPS, thanks to Let's Encrypt!. Work has been done to be able to publish diffoscope on the Python Package Index (also known as PyPI): the tlsh module is now optional, compatibility with python-magic has been added, and the fallback code to handle RPM has been fixed. Documentation update Reiner Herrmann, Paul Gevers, Niko Tyni, opi, and Dhole offered various fixes and wording improvements to the reproducible-builds.org. A mailing-list is now available to receive change notifications. NixOS, Guix, and Baserock are featured as projects working on reproducible builds. Package reviews 70 reviews have been removed, 74 added and 17 updated this week. Chris Lamb opened 22 new fail to build from source bugs. New issues this week: randomness_in_ocaml_provides, randomness_in_qdoc_page_id, randomness_in_python_setuptools_requires_txt, gettext_creates_ChangeLog_files_and_entries_with_current_date. Misc. h01ger and Chris Lamb presented Beyond reproducible builds at the MiniDebConf in Cambridge on November 8th. They gave an overview of where we stand and the changes in user tools, infrastructure, and development practices that we might want to see happening. Feedback on these thoughts are welcome. Slides are already available, and the video should be online soon. At the same event, a meeting happened with some members of the release team to discuss the best strategy regarding releases and reproducibility. Minutes have been posted on the Debian reproducible-builds mailing-list.