What happened in the reproducible builds effort this week:
Toolchain fixes
Eric Dorlan uploaded automake-1.15/1:1.15-2 which makes the output of mdate-sh deterministic. Original patch by Reiner Herrmann.
Kenneth J. Pronovici uploaded epydoc/3.0.1+dfsg-8 which now honors SOURCE_DATE_EPOCH. Original patch by Reiner Herrmann.
Chris Lamb submitted a patch to dh-python to make the order of the generated maintainer scripts deterministic. Chris also offered a fix for a source of non-determinism in dpkg-shlibdeps when packages have alternative dependencies.
Dhole provided a patch to add support for SOURCE_DATE_EPOCH to gettext.
Packages fixed
The following 78 packages became reproducible in our setup due to changes in their build dependencies: chemical-mime-data, clojure-contrib, cobertura-maven-plugin, cpm, davical, debian-security-support, dfc, diction, dvdwizard, galternatives, gentlyweb-utils, gifticlib, gmtkbabel, gnuplot-mode, gplanarity, gpodder, gtg-trace, gyoto, highlight.js, htp, ibus-table, impressive, jags, jansi-native, jnr-constants, jthread, jwm, khronos-api, latex-coffee-stains, latex-make, latex2rtf, latexdiff, libcrcutil, libdc0, libdc1394-22, libidn2-0, libint, libjava-jdbc-clojure, libkryo-java, libphone-ui-shr, libpicocontainer-java, libraw1394, librostlab-blast, librostlab, libshevek, libstxxl, libtools-logging-clojure, libtools-macro-clojure, litl, londonlaw, ltsp, macsyfinder, mapnik, maven-compiler-plugin, mc, microdc2, miniupnpd, monajat, navit, pdmenu, pirl, plm, scikit-learn, snp-sites, sra-sdk, sunpinyin, tilda, vdr-plugin-dvd, vdr-plugin-epgsearch, vdr-plugin-remote, vdr-plugin-spider, vdr-plugin-streamdev, vdr-plugin-sudoku, vdr-plugin-xineliboutput, veromix, voxbo, xaos, xbae.
The following packages became reproducible after getting fixed:
Some uploads fixed some reproducibility issues but not all of them:
Patches submitted which have not made their way to the archive yet:
reproducible.debian.net
The statistics on the main page of reproducible.debian.net are now updated every five minutes. A random unreviewed package is suggested in the "look at a package" form on every build. (h01ger)
A new package set based on the Core Internet Infrastructure census has been added. (h01ger)
Testing of FreeBSD has started, though no results yet. More details have been posted to the freebsd-hackers mailing list. The build is run on a new virtual machine running FreeBSD 10.1 with 3 cores and 6 GB of RAM, also sponsored by Profitbricks.
strip-nondeterminism development
Andrew Ayer released version 0.009 of strip-nondeterminism. The new version will strip locales from Javadoc, include the name of files causing errors, and ignore unhandled (but rare) zip64 archives.
debbindiff development
Lunar continued its major refactoring to enhance code reuse and pave the way to fuzzy-matching and parallel processing. Most file comparators have now been converted to the new class hierarchy.
In order to support more archive formats, work has started on packaging Python bindings for libarchive. While getting support for more archive formats with a common interface is very nice, libarchive is a stream-oriented library and might have bad performance with how debbindiff currently works. Time will tell if better solutions need to be found.
Documentation update
Lunar started a Reproducible builds HOWTO intended to explain the different aspects of making software build reproducibly to the different audiences that might have to get involved, like software authors, producers of binary packages, and distributors.
Package reviews
17 obsolete reviews have been removed, 212 added and 46 updated this week.
15 new bugs for packages failing to build from sources have been reported by Chris West (Faux) and Mattia Rizzolo.
Presentations
Lunar presented Debian efforts and some recipes on making software build reproducibly at Libre Software Meeting 2015. Slides and a video recording are available.
Misc.
h01ger, dkg, and Lunar attended a Core Infrastructure Initiative meeting. The progress and tools made for the Debian efforts were shown. Several discussions also helped in getting a better understanding of the needs of other free software projects regarding reproducible builds. The idea of a global append-only log, similar to the logs used for Certificate Transparency, came up on multiple occasions. Using such append-only logs for keeping records of sources and build results has gotten the name Binary Transparency Logs. They would at least help in identifying a compromised software signing key. Whether the benefits of using such logs justify the costs needs more research.
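The append-only log idea above, sketched as an added example (not code from the Debian project or from Certificate Transparency): a plain hash chain stands in for the Merkle tree that Certificate Transparency uses, and the record fields, class and function names and sample values are all constructed for illustration. It assumes the package builds reproducibly, so a logged binary that differs for the same source stands out.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed start value for the chain

def sha(data):
    return hashlib.sha256(data).hexdigest()

def entry_hash(prev, record):
    # Bind each record to the hash of everything logged before it.
    return sha(prev.encode() + json.dumps(record, sort_keys=True).encode())

class BuildLog:
    def __init__(self):
        self.entries = []  # (record, chained hash) pairs, append only

    def head(self):
        return self.entries[-1][1] if self.entries else GENESIS

    def append(self, package, version, source, binary, builder):
        record = {"package": package, "version": version, "source": source,
                  "binary": binary, "builder": builder}
        self.entries.append((record, entry_hash(self.head(), record)))
        return self.head()

    def verify(self, expected_head):
        # An edited, dropped or reordered entry changes the recomputed head.
        prev = GENESIS
        for record, chained in self.entries:
            prev = entry_hash(prev, record)
            if prev != chained:
                return False
        return prev == expected_head

    def conflicts(self):
        # Same package, version and source logged with different binaries.
        seen, found = {}, []
        for record, _ in self.entries:
            key = (record["package"], record["version"], record["source"])
            first = seen.setdefault(key, record)
            if first["binary"] != record["binary"]:
                found.append((first["builder"], record["builder"]))
        return found

def demo():
    # Constructed sample data: two matching builds and one that differs.
    log, src = BuildLog(), sha(b"constructed source tarball")
    log.append("hello", "1.0-1", src, sha(b"binary A"), "buildd-1")
    log.append("hello", "1.0-1", src, sha(b"binary A"), "rebuilder-1")
    head = log.append("hello", "1.0-1", src, sha(b"binary B"), "unknown-builder")
    return log, head
```

A monitor that remembers an earlier head can call `verify` to confirm the log was only appended to, and `conflicts` lists the builder pairs whose binaries disagree for identical source.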