Search Results: "Stephen Kitt"

17 April 2017

Sylvain Beucler: Practical basics of reproducible builds 3

On my quest to generate reproducible standalone binaries for GNU FreeDink, I met new friends but currently lie defeated by an unexpected enemy... Episode 1:

compiler version needs to be identical and recorded
build options and their order need to be identical and recorder
build path needs to be identical and recorded (otherwise debug symbols - and BuildIDs - change)
diffoscope helps checking for differences in build output

Episode 2:

use -Wl,--no-insert-timestamp for .exe (with old binutils 2.25 caveat)
no need to set a build path for stripped .exe (no ELF BuildID)
reprotest helps checking build variations automatically
MXE stack is apparently deterministic enough for a reproducible static build
umask needs to be identical and recorded
file timestamps needs to be set and recorded (more on this in a future episode)

First, the random build differences when using -Wl,--no-insert-timestamp were explained.
peanalysis shows random build dates:

$ reprotest 'i686-w64-mingw32.static-gcc hello.c -I /opt/mxe/usr/i686-w64-mingw32.static/include -I/opt/mxe/usr/i686-w64-mingw32.static/include/SDL2 -L/opt/mxe/usr/i686-w64-mingw32.static/lib -lmingw32 -Dmain=SDL_main -lSDL2main -lSDL2 -lSDL2main -Wl,--no-insert-timestamp -luser32 -lgdi32 -lwinmm -limm32 -lole32 -loleaut32 -lshell32 -lversion -o hello && chmod 700 hello && analysePE.py hello   tee /tmp/hello.log-$(date +%s); sleep 1' 'hello'
$ diff -au /tmp/hello.log-1*
--- /tmp/hello.log-1490950327   2017-03-31 10:52:07.788616930 +0200
+++ /tmp/hello.log-1523203509   2017-03-31 10:52:09.064633539 +0200
@@ -18,7 +18,7 @@
 found PE header (size: 20)
     machine: i386
     number of sections: 17
-    timedatestamp: -1198218512 (Tue Jan 12 05:31:28 1932)
+    timedatestamp: 632430928 (Tue Jan 16 09:15:28 1990)
     pointer to symbol table: 4593152 (0x461600)
     number of symbols: 11581 (0x2d3d)
     size of optional header: 224
@@ -47,7 +47,7 @@
     Win32VersionValue: 0
     size of image (memory): 4640768
     size of headers (offset to first section raw data): 1536
-    checksum (for drivers): 4927867
+    checksum (for drivers): 4922616
     subsystem: 3
         win32 console binary
     DllCharacteristics: 0

Stephen Kitt mentioned 2 simple patches (1 2) fixing uninitialized memory in binutils. These patches fix the variation and were submitted to MXE (pull request).

Next was playing with compiler support for SOURCE_DATE_EPOCH (which e.g. sets __DATE__ macros).
The FreeDink DFArc frontend historically displays a build date in the About box:

    "Build Date: %s\n", ..., __TDATE__

sadly support is only landing upstream in GCC 7 :/
I had to remove that date.

Now comes the challenging parts. All my tests with reprotest checked. I started writing a reproducible build environment based on Docker (git browse).
At first I could not run reprotest in the container, so I reworked it with SSH support, and reprotest validated determinism.
(I also generate a reproducible .zip archive, more on that later.) So far so good, but were the release identical when running reprotest successively on the different environments?
(reminder: this is a .exe build that is insensitive to varying path, hence consistent in a full reprotest)

$ sha256sum *.zip
189d0ca5240374896c6ecc6dfcca00905ae60797ab48abce2162fa36568e7cf1  freedink-109.0-bin-buildsh.zip
e182406b4f4d7c3a4d239eee126134ba5c0304bbaa4af3de15fd4f8bda5634a9  freedink-109.0-bin-docker.zip
e182406b4f4d7c3a4d239eee126134ba5c0304bbaa4af3de15fd4f8bda5634a9  freedink-109.0-bin-reprotest-docker.zip
37007f6ee043d9479d8c48ea0a861ae1d79fb234cd05920a25bb3db704828ece  freedink-109.0-bin-reprotest-null.zip

Ouch! Even though both the Docker and my host are running Stretch, there are differences.

For the two host builds (direct and reprotest), there is a subtle but simple difference: HOME.
HOME is invariably non-existant in reprotest, while my normal compilation environment has an existing home (duh!). This caused a subtle bug when cross-compiling with mingw and wine-binfmt:

existing home: ./configure attempts to run conftest.exe, wine can create ~/.wine, conftest.exe runs with binfmt emulation, configure assumes:

  checking whether we are cross compiling... no

non-existing home: ./configure attempts to run conftest.exe, wine can't create ~/.wine, conftest.exe fails, configure assumes:

  checking whether we are cross compiling... yes

The respective binaries were very different notably due to a different config.h.
This can be fixed by specifying --build in addition to --host when calling ./configure. I suggested reprotest have one of the tests with a valid HOME (#860428).

Now comes the big one, after the fix I still got:

$ sha256sum *.zip
3545270ef6eaa997640cb62d66dc610a328ce0e7d412f24c8f18fdc7445907fd  freedink-109.0-bin-buildsh.zip
cc50ec1a38598d143650bdff66904438f0f5c1d3e2bea0219b749be2dcd2c3eb  freedink-109.0-bin-docker.zip
3545270ef6eaa997640cb62d66dc610a328ce0e7d412f24c8f18fdc7445907fd  freedink-109.0-bin-reprotest-chroot.zip
cc50ec1a38598d143650bdff66904438f0f5c1d3e2bea0219b749be2dcd2c3eb  freedink-109.0-bin-reprotest-docker.zip
3545270ef6eaa997640cb62d66dc610a328ce0e7d412f24c8f18fdc7445907fd  freedink-109.0-bin-reprotest-null.zip

There is consistency on my host, and consistency within docker, but both are different.
Moreover, all the .o files were identical, so something must have gone wrong when compiling the libs, that is MXE. After many checks it appears that libstdc++.a is different.
Just overwriting it gets me a consistent FreeDink release on all environments.
Still, when rebuilding it (make gcc), libstdc++.a always has the same environment-dependent checksum.

45f8c5d50a68aa9919ee3602a4e3f5b2bd0333bc8d781d7852b2b6121c8ba27b  /opt/mxe/usr/lib/gcc/i686-w64-mingw32.static/5.4.0/libstdc++.a  # host
6870b84f8e17aec4b5cf23cfe9c2e87e40d9cf59772a92707152361b6ebc1eb4  /opt/mxe/usr/lib/gcc/i686-w64-mingw32.static/5.4.0/libstdc++.a  # docker

The 2 libraries are much different, there's barely any blue in hexcompare. At that time, I realized that the Docker "official" Debian are not really official, as Joey explains.
Could it be that Docker maliciously tampered with the compiler as Ken Thompson warned in 1984?? Well before jumping to conclusion let's mix & match.

First I rsync a copy of my Docker filesystem and run it in a host chroot with a reset environment.

$ sudo env -i /usr/sbin/chroot chroot-docker/
$ exec bash -l
$ cd /opt/mxe
$ touch src/gcc.mk
$ sha256sum /opt/mxe/usr/lib/gcc/i686-w64-mingw32.static/5.4.0/libstdc++.a 
6870b84f8e17aec4b5cf23cfe9c2e87e40d9cf59772a92707152361b6ebc1eb4  /opt/mxe/usr/lib/gcc/i686-w64-mingw32.static/5.4.0/libstdc++.a
$ make gcc
[build]     gcc                    i686-w64-mingw32.static
[done]      gcc                    i686-w64-mingw32.static                                 2709464 KiB    7m2.039s
$ sha256sum /opt/mxe/usr/lib/gcc/i686-w64-mingw32.static/5.4.0/libstdc++.a 
45f8c5d50a68aa9919ee3602a4e3f5b2bd0333bc8d781d7852b2b6121c8ba27b  /opt/mxe/usr/lib/gcc/i686-w64-mingw32.static/5.4.0/libstdc++.a
# consistent with host builds

Then I import my previous reprotest chroot (plain debootstrap) in Docker:

$ sudo tar -C chroot -c .   docker import - chroot-debootstrap
$ docker run -ti chroot-debootstrap /bin/bash
$ sha256sum /opt/mxe/usr/lib/gcc/i686-w64-mingw32.static/5.4.0/libstdc++.a
45f8c5d50a68aa9919ee3602a4e3f5b2bd0333bc8d781d7852b2b6121c8ba27b  /opt/mxe/usr/lib/gcc/i686-w64-mingw32.static/5.4.0/libstdc++.a
$ touch src/gcc.mk
$ make gcc
[build]     gcc                    i686-w64-mingw32.static
[done]      gcc                    i686-w64-mingw32.static                                 2709412 KiB    7m6.608s
$ sha256sum /opt/mxe/usr/lib/gcc/i686-w64-mingw32.static/5.4.0/libstdc++.a
6870b84f8e17aec4b5cf23cfe9c2e87e40d9cf59772a92707152361b6ebc1eb4  /opt/mxe/usr/lib/gcc/i686-w64-mingw32.static/5.4.0/libstdc++.a
# consistent with docker builds

So, AFAICS when building with:

exactly the same kernel
exactly the same GCC sources
exactly the same host binaries

then depending on whether running in a container or not we get a consistent but different libstdc++.a. This kind of issue is not detected with a simple reprotest build, as it only tests variations within a fixed build environment.
This is quite worrisome, I intend to use a container to control my build environment, but I can't guarantee that the container technology will be exactly the same 5 years from now. All my setup is simple and available for inspection at https://git.savannah.gnu.org/cgit/freedink.git/tree/autobuild/freedink-w32-snapshot/. I'd very much welcome enlightenment

28 March 2017

Sylvain Beucler: Practical basics of reproducible builds 2

Let's review what we learned so far:

compiler version need to be identical and recorded
build options and their order needs to be identical and recorder
build path needs to be identical and recorded
(otherwise debug symbols - and BuildIDs - change)
diffoscope helps checking for differences in build output

We stopped when compiling a PE .exe produced a varying output.
It turns out that PE carries a build date timestamp. The spec says that bound DLLs timestamps are refered to in the "Delay-Load Directory Table". Maybe that's also the date Windows displays when a system-wide DLL is about to be replaced, too.
Build timestamps looks unused in .exe files though. Anyway, Stephen Kitt pointed out (thanks!) that Debian's MinGW linker binutils-mingw-w64 has an upstream-pending patch that sets the timestamp to SOURCE_DATE_EPOCH if set. Alternatively, one can pass -Wl,--no-insert-timestamp to set it to 0 (though see caveats below):

$ i686-w64-mingw32.static-gcc -Wl,--no-insert-timestamp hello.c -o hello.exe 
$ md5sum hello.exe 
298f98d74e6e913628a8b74514eddcb2  hello.exe
$ /opt/mxe/usr/bin/i686-w64-mingw32.static-gcc -Wl,--no-insert-timestamp hello.c -o hello.exe 
$ md5sum hello.exe 
298f98d74e6e913628a8b74514eddcb2  hello.exe

If we don't care about debug symbols, unlike with ELF, stripped PE binaries look stable too!

$ cd repro/
$ i686-w64-mingw32.static-gcc hello.c -o hello.exe && i686-w64-mingw32.static-strip hello.exe
$ md5sum hello.exe 
6e07736bf8a59e5397c16e799699168d  hello.exe
$ i686-w64-mingw32.static-gcc hello.c -o hello.exe && i686-w64-mingw32.static-strip hello.exe
$ md5sum hello.exe 
6e07736bf8a59e5397c16e799699168d  hello.exe
$ cd ..
$ cp -a repro repro2/
$ cd repro2/
$ i686-w64-mingw32.static-gcc hello.c -o hello.exe && i686-w64-mingw32.static-strip hello.exe
$ md5sum hello.exe 
6e07736bf8a59e5397c16e799699168d  hello.exe

Now that we have the main executable covered, what about the dependencies?
Let's see how well MXE compiles SDL2:

$ cd /opt/mxe/
$ cp -a ./usr/i686-w64-mingw32.static/lib/libSDL2.a /tmp
$ rm -rf * && git checkout .
$ make sdl2
$ md5sum ./usr/i686-w64-mingw32.static/lib/libSDL2.a /tmp/libSDL2.a 
68909ab13181b1283bd1970a56d41482  ./usr/i686-w64-mingw32.static/lib/libSDL2.a
68909ab13181b1283bd1970a56d41482  /tmp/libSDL2.a

Neat - what about another build directory?

$ cd /usr/srx/mxe
$ make sdl2
$ md5sum usr/i686-w64-mingw32.static/lib/libSDL2.a /tmp/libSDL2.a 
c6c368323927e2ae7adab7ee2a7223e9  usr/i686-w64-mingw32.static/lib/libSDL2.a
68909ab13181b1283bd1970a56d41482  /tmp/libSDL2.a
$ ls -l ./usr/i686-w64-mingw32.static/lib/libSDL2.a /tmp/libSDL2.a 
-rw-r--r-- 1 me me 5861536 mars  23 21:04 /tmp/libSDL2.a
-rw-r--r-- 1 me me 5862488 mars  25 19:46 ./usr/i686-w64-mingw32.static/lib/libSDL2.a

Well that was expected.
But what about the filesystem order?
With such an automated build, could potential variations in the order of files go undetected?
Would the output be different on another filesystem format (ext4 vs. btrfs...)? It was a good opportunity to test the disorderfs fuse-based tool.
And while I'm at it, check if reprotest is easy enough to use (the manpage is scary).
Let's redo our basic tests with it - basic usage is actually very simple:

$ apt-get install reprotest disorderfs faketime
$ reprotest 'make hello' 'hello'
...
will vary: environment
will vary: fileordering
will vary: home
will vary: kernel
will vary: locales
will vary: exec_path
will vary: time
will vary: timezone
will vary: umask
...
--- /tmp/tmpk5uipdle/control_artifact/
+++ /tmp/tmpk5uipdle/experiment_artifact/
    --- /tmp/tmpk5uipdle/control_artifact/hello
  +++ /tmp/tmpk5uipdle/experiment_artifact/hello
  stat  
    @@ -1,8 +1,8 @@
     
       Size: 8632       Blocks: 24         IO Block: 4096   regular file
     Links: 1
    -Access: (0755/-rwxr-xr-x)  Uid: ( 1000/      me)   Gid: ( 1000/      me)
    +Access: (0775/-rwxrwxr-x)  Uid: ( 1000/      me)   Gid: ( 1000/      me)
     
     Modify: 1970-01-01 00:00:00.000000000 +0000
     
      Birth: -
# => OK except for permissions
$ reprotest 'make hello && chmod 755 hello' 'hello'
=======================
Reproduction successful
=======================
No differences in hello
c8f63b73265e69ab3b9d44dcee0ef1d2815cdf71df3c59635a2770e21cf462ec  hello
$ reprotest 'make hello CFLAGS="-g -O2"' 'hello'
# => lots of differences, as expected

Now let's apply to the MXE build.
We keep the same build path, and also avoid using linux32 (because MXE would then recompile all the host compiler tools for 32-bit):

$ reprotest --dont-vary build_path,kernel 'touch src/sdl2.mk && make sdl2 && cp -a usr/i686-w64-mingw32.static/lib/libSDL2.a .' 'libSDL2.a'
=======================
Reproduction successful
=======================
No differences in libSDL2.a
d9a39785fbeee5a3ac278be489ac7bf3b99b5f1f7f3e27ebf3f8c60fe25086b5  libSDL2.a

That checks!
What about a full MXE environment?

$ reprotest --dont-vary build_path,kernel 'make clean && make sdl2 sdl2_gfx sdl2_image sdl2_mixer sdl2_ttf libzip gettext nsis' 'usr'
# => changes in installation dates
# => timestamps in .exe files (dbus, ...)
# => libicu doesn't look reproducible (derb.exe, genbrk.exe, genccode.exe...)
# => apparently ar timestamp variations in libaclui

Most libraries look reproducible enough.
ar differences may go away at FreeDink link time since I'm aiming at a static build. Let's try! First let's see how FreeDink behaves with stable dependencies.
We can compile with -Wl,--no-insert-timestamp and strip the binaries in a first step.
There are various issues (timestamps, permissions) but first let's check the executables themselves:

$ cd freedink/
$ reprotest --dont-vary build_path 'mkdir cross-woe-32/ && cd cross-woe-32/ && export PATH=/opt/mxe/usr/bin:$PATH && LDFLAGS='-Wl,--no-insert-timestamp' ../configure --host=i686-w64-mingw32.static --enable-static && make -j$(nproc) && make install-strip DESTDIR=$(pwd)/destdir' 'cross-woe-32/destdir/usr/local/bin'
# => executables are identical!
# Same again, just to make sure
$ reprotest --dont-vary build_path 'mkdir cross-woe-32/ && cd cross-woe-32/ && export PATH=/opt/mxe/usr/bin:$PATH && LDFLAGS='-Wl,--no-insert-timestamp' ../configure --host=i686-w64-mingw32.static --enable-static && make -j$(nproc) && make install-strip DESTDIR=$(pwd)/destdir' 'cross-woe-32/destdir/usr/local/bin'
    --- /tmp/tmp2yw0sn4_/control_artifact/bin/freedink.exe
  +++ /tmp/tmp2yw0sn4_/experiment_artifact/bin/freedink.exe
    @@ -2,20 +2,20 @@
     00000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
     00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     00000030: 0000 0000 0000 0000 0000 0000 8000 0000  ................
     00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468  ........!..L.!Th
     00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f  is program canno
     00000060: 7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS 
     00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000  mode....$.......
    -00000080: 5045 0000 4c01 0a00 e534 0735 0000 0000  PE..L....4.5....
    +00000080: 5045 0000 4c01 0a00 0000 0000 0000 0000  PE..L...........
     00000090: 0000 0000 e000 0e03 0b01 0219 00f2 3400  ..............4.
     000000a0: 0022 4e00 0050 3b00 c014 0000 0010 0000  ."N..P;.........
     000000b0: 0010 3500 0000 4000 0010 0000 0002 0000  ..5...@.........
     000000c0: 0400 0000 0100 0000 0400 0000 0000 0000  ................
    -000000d0: 00e0 8900 0004 0000 7662 4e00 0200 0000  ........vbN.....
    +000000d0: 00e0 8900 0004 0000 89f8 4e00 0200 0000  ..........N.....
     000000e0: 0000 2000 0010 0000 0000 1000 0010 0000  .. .............
     000000f0: 0000 0000 1000 0000 00a0 8700 b552 0000  .............R..
     00000100: 0000 8800 d02d 0000 0050 8800 5006 0000  .....-...P..P...
     00000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     00000120: 0060 8800 4477 0100 0000 0000 0000 0000  . ..Dw..........
     00000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     00000140: 0440 8800 1800 0000 0000 0000 0000 0000  .@..............
  stat  
      @@ -1,8 +1,8 @@
       
         Size: 5121536       Blocks: 10008      IO Block: 4096   regular file
       Links: 1
       Access: (0755/-rwxr-xr-x)  Uid: ( 1000/      me)   Gid: ( 1000/      me)
       
      -Modify: 2017-03-26 01:26:35.233841833 +0000
      +Modify: 2017-03-26 01:27:01.829592505 +0000
       
        Birth: -

Gah...
AFAIU there is something random in the linking phase, and sometimes the timestamp is removed, sometimes it's not.
Not very easy to track but I believe I reproduced it with the "hello" example:

# With MXE:
$ reprotest 'i686-w64-mingw32.static-gcc hello.c -I /opt/mxe/usr/i686-w64-mingw32.static/include -I/opt/mxe/usr/i686-w64-mingw32.static/include/SDL2 -L/opt/mxe/usr/i686-w64-mingw32.static/lib -lmingw32 -Dmain=SDL_main -lSDL2main -lSDL2 -lSDL2main -Wl,--no-insert-timestamp -luser32 -lgdi32 -lwinmm -limm32 -lole32 -loleaut32 -lshell32 -lversion -o hello && chmod 700 hello' 'hello'
# => different
# => maybe because it imports the build timestamp from -lSDL2main
# With Debian's MinGW (but without SOURCE_DATE_EPOCH):
$ reprotest 'i686-w64-mingw32-gcc hello.c -I /opt/mxe/usr/i686-w64-mingw32.static/include -I/opt/mxe/usr/i686-w64-mingw32.static/include/SDL2 -L/opt/mxe/usr/i686-w64-mingw32.static/lib -lmingw32 -Dmain=SDL_main -lSDL2main -lSDL2 -lSDL2main -Wl,--no-insert-timestamp -luser32 -lgdi32 -lwinmm -limm32 -lole32 -loleaut32 -lshell32 -lversion -o hello && chmod 700 hello' 'hello'
=======================
Reproduction successful
=======================
No differences in hello
0b2d99dc51e2ad68ad040d90405ed953a006c6e58599beb304f0c2164c7b83a2  hello
# Let's remove -Dmain=SDL_main and let our main() have precedence over the one in -lSDL2main:
$ reprotest 'i686-w64-mingw32.static-gcc hello.c -I /opt/mxe/usr/i686-w64-mingw32.static/include -I/opt/mxe/usr/i686-w64-mingw32.static/include/SDL2 -L/opt/mxe/usr/i686-w64-mingw32.static/lib -lmingw32 -lSDL2main -lSDL2 -lSDL2main -Wl,--no-insert-timestamp -luser32 -lgdi32 -lwinmm -limm32 -lole32 -loleaut32 -lshell32 -lversion -o hello && chmod 700 hello' 'hello'
=======================
Reproduction successful
=======================
No differences in hello
6c05f75eec1904d58be222cc83055d078b4c3be8b7f185c7d3a08b9a83a2ef8d  hello
$ LANG=C i686-w64-mingw32.static-ld --version  # MXE
GNU ld (GNU Binutils) 2.25.1
Copyright (C) 2014 Free Software Foundation, Inc.
$ LANG=C i686-w64-mingw32-ld --version  # Debian
GNU ld (GNU Binutils) 2.27.90.20161231
Copyright (C) 2016 Free Software Foundation, Inc.

It looks like there is a random behavior in binutils 2.25, coupled with SDL2's wrapping of my main(). So FreeDink is nearly reproducible, except for this build timestamp issue that pops up in all kind of situations. In the worse case I can zero it out, or patch MXE's binutils until they upgrade. More importantly, what if I recompile FreeDink and the dependencies twice?

$ (cd /opt/mxe/ && make clean && make sdl2 sdl2_gfx sdl2_image sdl2_mixer sdl2_ttf glm libzip gettext nsis)
$ (mkdir cross-woe-32/ && cd cross-woe-32/ \
  && export PATH=/opt/mxe/usr/bin:$PATH \
  && LDFLAGS="-Wl,--no-insert-timestamp" ../configure --host=i686-w64-mingw32.static --enable-static \
  && make V=1 -j$(nproc) \
  && make install-strip DESTDIR=$(pwd)/destdir)
$ mv cross-woe-32/ cross-woe-32-1/
# Same again...
$ mv cross-woe-32/ cross-woe-32-2/
$ diff -ru cross-woe-32-1/destdir/ cross-woe-32-2/destdir/
[nothing]

Yay!
I could not reproduce the build timestamp issue in the stripped binaries, though it was still varying in the unstripped src/freedinkedit.exe.

I mentioned there was other changes noticed by diffoscope.

Changes in file timestamps.

That one is interesting.
Could be ignored, but we want to generate an identical binary package/archive too, right?
That's where archive meta-data matters.
make INSTALL="$(which install) install -p" could help for static files, but not generated ones.
The doc suggests clamping all files to SOURCE_DATE_EPOCH - i.e. all generated files will have their date set at that timestamp:

$ export SOURCE_DATE_EPOCH=$(date +%s) \
  && reprotest --dont-vary build_path \
  'make ... && find destdir/ -newermt "@$ SOURCE_DATE_EPOCH " -print0   xargs -0r touch --no-dereference --date="@$ SOURCE_DATE_EPOCH "' 'cross-woe-32/destdir/'

Changes in directory permissions

Caused by varying umask.
I attempted to mitigate the issue by playing with make install MKDIR_P="mkdir -p -m 755" (1).
However even mkdir -p -m ... does not set permissions for intermediate directories.
Maybe it's better to set and record the umask...

So, aside from minor issues such as BuildIDs and build timestamps, the toolchain is pretty stable as of now.
The issue is more about fixing and recording the build environment.
Which is probably the next challenge

21 June 2016

Reproducible builds folks: Reproducible builds: week 60 in Stretch cycle

What happened in the Reproducible Builds effort between June 12th and June 18th 2016: Media coverage

Sune Vuorela blogged about making Qt documentation reproducible while spending good times in the Alps.

GSoC and Outreachy updates Weekly reports by our participants:

Toolchain fixes

texlive-bin/2016.20160513.41080-3 has been uploaded to unstable, featuring support for FORCE_SOURCE_DATE. See the last post for details on it.
doxygen/1.4.4-1 has been uploaded to unstable, fixing #822197 (upstream bug), which caused some generated html file to contain unreproducible memory addresses of Python objects used at build time.
debhelper/9.20160618 has been uploaded to unstable, fixing #824490, which instructs ant to not save the username of the build user in the generated files. Original patch by Emmanuel Bourg.
HW42 reported a long-known (although only internally) bug in our dpkg-buildinfo. this particular bug doesn't affect our current infrastructure, but it's a blocker for having .buildinfo support merged upstream.
epydoc/3.0.1+dfsg-13 and 3.0.1+dfsg-14 have been uploaded by Kenneth J. Pronovici which fixes nondeterministic ordering issues in generated documentation and removes memory addresses. Original patches (#825968 and #827416) by Sascha Steinbiss.

With this upload of texlive-bin we decided to stop keeping our patched fork of as most of the patches for SOURCE_DATE_EPOCH support had been integrated upstream already, and the last one (making FORCE_SOURCE_DATE default to 1) had been refused. So, we are now going to let the archive be rebuilt against unstable's texlive-bin and see how many packages will become unreproducible with this change; once enough data will be collected we will ponder whether FORCE_SOURCE_DATE should be exported by helper tools (such as debhelper) or manually exported by every package that needs it. (For those wondering: we still recommend to follow SOURCE_DATE_EPOCH always and don't recommend other projects to implement FORCE_SOURCE_DATE ) With the drop of texlive-bin we now have only three modified packages in our experimental repository. Reproducible work in other projects

Ed Maste sent a patch to have ELF Tool Chain's elfcopy support SOURCE_DATE_EPOCH.
Ed Maste changed FreeBSD's ar(1) to have a reproducible output by default when invoked with -s.
Ed Maste merged changes from NetBSD's makefs to FreeBSD's to add a command line option for setting the timestamp.
Ed Maste reported on FreeBSD package reproducibility details from the investigation for his BSDCan talk, including diffoscope results for the non-reproducible packages.
Holger Levsen spent some time thinking and documenting how to store package notes and issues in a multi-distribution friendly manner, so that we can share these issues and notes between reproducible efforts across different projects. Thoughts we had about this topic during the Athens meeting last December are included in the updated README.

Packages fixed The following 12 packages have become reproducible due to changes in their build dependencies: django-floppyforms flask-restful hy jets3t kombu llvm-toolchain-3.8 moap python-bottle python-debtcollector python-django-debug-toolbar python-osprofiler stevedore The following packages have become reproducible after being fixed:

adios/1.9.0-10 by Alastair McKinstry.
airstrike/0.99+1.0pre6a-8 by Markus Koschany, original patch by Reiner Herrmann.
apt-dater/1.0.3-1 by Patrick Matth i, original patch by Chris Lamb.
bitlbee/3.4.2-1 by Jelmer Vernoo .
dar/2.5.5-1 by Laszlo Boszormenyi.
fastjet/3.0.6+dfsg-2 by Mattia Rizzolo, original patch by Maria Valentina Marin.
libretro-beetle-pce-fast/0.9.38.7+git20160609-1 by S rgio Benjamim, original patch by Reiner Herrmann.
libretro-beetle-psx/0.9.38.6+git20151019-2 by S rgio Benjamim, original patch by Reiner Herrmann.
mx/1.99.4-1 by Ying-Chun Liu.
python-coverage/4.1+dfsg.1-1 by Ben Finney.
shiro/1.2.5-1 by Tony Mancill, original patch by Chris Lamb.
splix/2.0.0+svn315-5 by Didier Raboud.
u-boot/2016.07~rc1+dfsg1-3 by Vagrant Cascadian, debugging and patch by HW42, patches submitted upstream.

Some uploads have fixed some reproducibility issues, but not all of them:

gcc-mingw-w64/18 by Stephen Kitt.
gnuplot/5.0.3+dfsg3-6 by Anton Gladky, original patch by Alexis Bienven e.

Uploads with reproducibility fixes that currently fail to build:

ruby2.3/2.3.1-3 by Christian Hofstaedtler, avoids unreproducible rbconfig.rb files by always using bash for building.

Patches submitted that have not made their way to the archive yet:

#827109 against asciijump by Reiner Herrmann: sort source files for deterministic linking order.
#827112 against boswars by Reiner Herrmann: sort source files for deterministic linking order.
#827114 against overgod by Reiner Herrmann: use C locale for sorting source files.
#827115 against netpbm by Alexis Bienven e: honour SOURCE_DATE_EPOCH while generating output.
#827124 against funguloids by Reiner Herrmann: use C locale for sorting files.
#827145 against scummvm by Reiner Herrmann: don't embed extra fields in zip archive and build with proper host architecture.
#827150 against netpanzer by Reiner Herrmann: sort source files for deterministic linking order.
#827172 against reaver by Alexis Bienven e: sort object files for deterministic linking order.
#827187 against latex2html by Alexis Bienven e: iterate deterministic over Perl hashes; honour SOURCE_DATE_EPOCH for output; strip username from output; sort index keys.
#827313 against cherrypy3 by Sascha Steinbiss: prevent memory addresses in output.
#827361 against matplotlib by Alexis Bienven e: honour SOURCE_DATE_EPOCH in output and sort keys while iterating over dict.
#827382 against dwarfutils by Reiner Herrmann: fix array size, which caused memory from outside a table to be embedded into output.
#827384 against skytools3 by Sascha Steinbiss: use stable sorting order and remove timestamps from documentation.
#827419 against ldaptor by Sascha Steinbiss: sort list of input files and prevent home directory from leaking into documentation.
#827546 against git-buildpackage by Sascha Steinbiss: replace timestamps in documentation with changelog date; prevent temporary paths in documentation.
#827572 against xprobe by Reiner Herrmann: sort list of object files in static library archives.

Package reviews 36 reviews have been added, 12 have been updated and 31 have been removed in this week. 17 FTBFS bugs have been reported by Chris Lamb, Santiago Vila and Dominic Hargreaves. diffoscope development Satyam worked on argument completion (#826711) for diffoscope. strip-nondeterminism development Mattia Rizzolo uploaded strip-nondeterminism 0.019-1~bpo8+1 to jessie-backports. reprotest development Ceridwen filed an Intent To Package (ITP) bug for reprotest as #827293. tests.reproducible-builds.org

Mattia Rizzolo uploaded pbuilder 0.225 to unstable, providing built-in support for eatmydata. We're planning to use it in armhf and i386 builders where we don't build in tmpfs, to increase the build speed some more.
Valery Young reworked the appearance of the package page, hopefully making them more intuitive and usable. In the process she changed the script generating them to use a real templating system, thus improving maintenance for the future.
Holger adjusted the scheduler to reschedule packages in state 'depwait' after two days instead of three.
Mattia added the bug title next to the bug numbers in the notes.

Misc. This week's edition was written by Mattia Rizzolo, Reiner Herrmann, Ed Maste and Holger Levsen and reviewed by a bunch of Reproducible builds folks on IRC.

15 June 2016

Reproducible builds folks: Reproducible builds: week 59 in Stretch cycle

What happened in the Reproducible Builds effort between June 5th and June 11th 2016: Media coverage Ed Maste gave a talk at BSDCan 2016 on reproducible builds (slides, video). GSoC and Outreachy updates Weekly reports by our participants:

Scarlett Clark worked on making some packages reproducible, focusing on KDE backend and utility programs.
Ceridwen published an initial design for the interface for reprotest, including a discussion on different types of build variations and the difficulties of specifying certain types of variations.
Valerie Young improved documentation for building our tests website, began migrating Debian-specific pages into a new namespace, and planned future work around its navigation.

Documentation update - Ximin Luo proposed a modification to our SOURCE_DATE_EPOCH spec explaining FORCE_SOURCE_DATE. Some upstream build tools (e.g. TeX, see below) have expressed a desire to control which cases of embedded timestamps should obey SOURCE_DATE_EPOCH. They were not convinced by our arguments on why this is a bad idea, so we agreed on an environment variable FORCE_SOURCE_DATE for them to implement their desired behaviour - named generically, so that at least we can set it centrally. For more details, see the text just linked. However, we strongly urge most build tools not to use this, and instead obey SOURCE_DATE_EPOCH unconditionally in all cases. Toolchain fixes

TeX Live 2016 released with SOURCE_DATE_EPOCH support for all engines except LuaTeX and original TeX.
Continued discussion (alternative archive) with TeX upstream, about SOURCE_DATE_EPOCH corner cases, eventually resulting in the FORCE_SOURCE_DATE proposal from above.
gcc-5/5.4.0-4 by Matthias Klose now avoids storing -fdebug-prefix-map in DW_AT_producer, thanks to original patch by Daniel Kahn Gillmor.
sphinx/1.4.3-1 by Dmitry Shachnev now drops Debian-specific patches relating to SOURCE_DATE_EPOCH applied upstream, original patch by Alexis Bienven e.
asciidoctor/1.5.4-2 by C dric Boutillier now supports SOURCE_DATE_EPOCH, thanks to original patch by Alexis Bienven e.
dh-python/1.5.4-2 by Piotr O arowski now behaves better in some cases, thanks to original patch by Chris Lamb.

Packages fixed The following 16 packages have become reproducible due to changes in their build-dependencies: apertium-dan-nor apertium-swe-nor asterisk-prompt-fr-armelle blktrace canl-c code-saturne coinor-symphony dsc-statistics frobby libphp-jpgraph paje.app proxycheck pybit spip tircd xbs The following 5 packages are new in Debian and appear to be reproducible so far: golang-github-bowery-prompt golang-github-pkg-errors golang-gopkg-dancannon-gorethink.v2 libtask-kensho-perl sspace The following packages had older versions which were reproducible, and their latest versions are now reproducible again after being fixed:

excellent-bifurcation/0.0.20071015-8 by Vincent Cheng, original patch by Reiner Herrmann.
gnurobbo/0.68+dfsg-2 by Stephen Kitt, original patch by Reiner Herrmann.

The following packages have become reproducible after being fixed:

gdbm/1.8.3-14 by Matthias Klose, original patch by J r my Bobbio.
miceamaze/4.2.1-3 by Sarah COUDERT, original patch by Reiner Herrmann.
netcdf/1:4.4.1~rc2-1~exp3 by Bas Couwenberg.
osmo-bts/0.4.0-2 by Ruben Undheim.
pd-hcs/0.1-3 by IOhannes m zm lnig.
pd-hid/0.7-2 by IOhannes m zm lnig.
python-certbot/0.8.0-1 by Harlan Lieberman-Berg, original patch by Chris Lamb.
python-csb/1.2.3+dfsg-3 by Sascha Steinbiss.
python-osprofiler/1.3.0-2 by Thomas Goirand.
usb-modeswitch-data/20160112-3 by Didier Raboud, original patch by intrigeri.

Some uploads have fixed some reproducibility issues, but not all of them:

bzr/2.7.0-7 by Jelmer Vernoo .
clanlib/1.0~svn3827-5 by Stephen Kitt, original patch by Chris Lamb.
dwarfutils/20160507+git20160523.9086738-1 by Fabian Wolff.
fakeroot/1.20.2-2 by Clint Adams, original patch.
fastqtl/2.184+dfsg-2 by Dylan A ssi, original patch by Chris Lamb.
gnuplot/5.0.3+dfsg3-3 by Anton Gladky.
lazarus/1.6+dfsg-3 by Paul Gevers.
python-pygit2/0.24.0-3 by Ond ej Nov .

Patches submitted that have not made their way to the archive yet:

#806331 against xz-utils by Ximin Luo: make the selected POSIX shell stable accross build environments
#806494 against gnupg by intrigeri: Make man pages not embed a build-time dependent timestamp
#806945 against bash by Reiner Herrmann and Ximin Luo: Use the system man2html, and set PGRP_PIPE unconditionally.
#825857 against python-setuptools by Anton Gladky: sort libs in native_libs.txt
#826408 against brainparty by Reiner Herrmann: Sort object files for deterministic linking order
#826416 against blockout2 by Reiner Herrmann: Sort the list of source files
#826418 against xgalaga++ by Reiner Herrmann: Sort source files to get a deterministic linking order
#826423 against kraptor by Reiner Herrmann: Sort source files for deterministic linking order
#826431 against traceroute by Reiner Herrmann: Sort lists of libraries/source/object files
#826544 against doc-debian by intrigeri: make the created files stable regardless of the locale
#826676 against python-openstackclient by Chris Lamb: make the build reproducible
#826677 against cadencii by Chris Lamb: make the build reproducible
#826760 against dctrl-tools by Reiner Herrmann: Sort object files for deterministic linking order
#826951 against slicot by Alexis Bienven e: please make the build reproducible (fileordering)
#826982 against hoichess by Reiner Herrmann: Sort object files for deterministic linking order

Package reviews 68 reviews have been added, 19 have been updated and 28 have been removed in this week. New and updated issues:

26 FTBFS bugs have been reported by Chris Lamb, 1 by Santiago Vila and 1 by Sascha Steinbiss. diffoscope development

Mattia Rizzolo uploaded diffoscope/54 to jessie-backports.

strip-nondeterminism development

Mattia uploaded strip-nondeterminism/0.018-1 to jessie-backports, to support a debhelper backport.
Andrew Ayer uploaded strip-nondeterminism/0.018-2 fixing #826700, a packaging improvement for Multi-Arch to ease cross-build situations.
2 days later Andrew released strip-nondeterminism/0.019; now strip-nondeterminism is able to:
- recursively normalize JAR files embedded within JAR files (#823917)
- clamp the timestamp, the same way tar >=1.28-2.2 can (for now available only for gzip archives)

disorderfs development

Andrew Ayer released disorderfs/0.4.3, fixing a issue with umask handling (#826891)

tests.reproducible-builds.org

Valerie Young namespaced the Debian-specific pages to /debian/ namespace, with redirects to for the previous URLs.
Holger Levsen improved the reliability of build jobs: the availability of both build nodes (for a given build) is now being tested when a build job is started, to better cope when one of the 25 build nodes go down for some reason.
Ximin Luo improved the index of identified issues to include the total popcon scores of each issue, which is now also used for sorting that page.

Misc. Steven Chamberlain submitted a patch to FreeBSD's makefs to allow reproducible builds of the kfreebsd installer. Ed Maste committed a patch to FreeBSD's binutils to enable determinstic archives by default in GNU ar. Helmut Grohne experimented with cross+native reproductions of dash with some success, using rebootstrap. This week's edition was written by Ximin Luo, Chris Lamb, Holger Levsen, Mattia Rizzolo and reviewed by a bunch of Reproducible builds folks on IRC.

14 March 2016

Lunar: Reproducible builds: week 46 in Stretch cycle

What happened in the reproducible builds effort between March 6th and March 12th:

Packages fixed The following packages have become reproducible due to changes in their build dependencies: dfc, gap-openmath, gnubik, gplanarity, iirish, iitalian, monajat, openimageio, plexus-digest, ruby-fssm, vdr-plugin-dvd, vdr-plugin-spider. The following packages became reproducible after getting fixed:

adduser/3.114 by Niels Thykier.

bsdmainutils/9.0.7 by Michael Meskes.

criu/2.0-1 by Salvatore Bonaccorso.

genometools/1.5.8+ds-2 by Sascha Steinbiss.

gfs2-utils/3.1.8-1 uploaded by Bastian Blank, fix by Christoph Berg.

gmerlin/1.2.0~dfsg+1-5 by IOhannes m zm lnig.

heroes/0.21-14 by Stephen Kitt.

kmc/2.3+dfsg-3 by Sascha Steinbiss.

polyml/5.6-3 by James Clarke.

sed/4.2.2-7.1 by Niels Thykier.

snpomatic/1.0-3 by Sascha Steinbiss.

tantan/13-4 by Sascha Steinbiss.

Some uploads fixed some reproducibility issues, but not all of them:

apg/2.2.3.dfsg.1-3 uploaded by Marc Haber, original patch by Chris Lamb.

elastix/4.8-4 uploaded by Gert Wollny, reported by akira.

Patches submitted which have not made their way to the archive yet:

#817979 on modernizr by Sascha Steinbiss: sort list of files included in `feature-detects.js`.

#818027 on snapper by Sascha Steinbiss: always use `/bin/sh` as shell.

tests.reproducible-builds.org Always use all cores on `armhf` builders. (h01ger) Improve the look of Debian dashboard. (h01ger)

Package reviews 118 reviews have been removed, 114 added and 15 updated in the previous week. 15 FTBFS have been filled by Chris Lamb. New issues: xmlto_txt_output_locale_specific.

Misc. Lunar seeks new maintainers for diffoscope, several mailing lists, and these very weekly reports.

18 October 2015

Lunar: Reproducible builds: week 25 in Stretch cycle

What happened in the reproducible builds effort this week: Toolchain fixes

Scott Kitterman uploaded python3-defaults/3.4.3-7 which changes py3versions to list versions in a consistent order. Issue reported by Santiago Vila with a tentative patch by Chris Lamb. Sadly, it appears the problem is not entirely solved.
Martin Pitt uploaded init-system-helpers/1.24 which makes the order of unit files in maintainer scripts stable. Original patch by Reiner Herrmann.
Niko Tyni uploaded libextutils-xsbuilder-perl/0.28-3 which makes the generated XS code reproducible.

Niko Tyni wrote a new patch adding support for SOURCE_DATE_EPOCH in Pod::Man. This would complement or replace the previously implemented POD_MAN_DATE environment variable in a more generic way. Niko Tyni proposed a fix to prevent mtime variation in directories due to debhelper usage of cp --parents -p. Packages fixed The following 119 packages became reproducible due to changes in their build dependencies: aac-tactics, aafigure, apgdiff, bin-prot, boxbackup, calendar, camlmix, cconv, cdist, cl-asdf, cli-common, cluster-glue, cppo, cvs, esdl, ess, faucc, fauhdlc, fbcat, flex-old, freetennis, ftgl, gap, ghc, git-cola, globus-authz-callout-error, globus-authz, globus-callout, globus-common, globus-ftp-client, globus-ftp-control, globus-gass-cache, globus-gass-copy, globus-gass-transfer, globus-gram-client, globus-gram-job-manager-callout-error, globus-gram-protocol, globus-gridmap-callout-error, globus-gsi-callback, globus-gsi-cert-utils, globus-gsi-credential, globus-gsi-openssl-error, globus-gsi-proxy-core, globus-gsi-proxy-ssl, globus-gsi-sysconfig, globus-gss-assist, globus-gssapi-error, globus-gssapi-gsi, globus-net-manager, globus-openssl-module, globus-rsl, globus-scheduler-event-generator, globus-xio-gridftp-driver, globus-xio-gsi-driver, globus-xio, gnome-control-center, grml2usb, grub, guilt, hgview, htmlcxx, hwloc, imms, kde-l10n, keystone, kimwitu++, kimwitu-doc, kmod, krb5, laby, ledger, libcrypto++, libopendbx, libsyncml, libwps, lprng-doc, madwimax, maria, mediawiki-math, menhir, misery, monotone-viz, morse, mpfr4, obus, ocaml-csv, ocaml-reins, ocamldsort, ocp-indent, openscenegraph, opensp, optcomp, opus, otags, pa-bench, pa-ounit, pa-test, parmap, pcaputils, perl-cross-debian, prooftree, pyfits, pywavelets, pywbem, rpy, signify, siscone, swtchart, tipa, typerep, tyxml, unison2.32.52, unison2.40.102, unison, uuidm, variantslib, zipios++, zlibc, zope-maildrophost. The following packages became reproducible after getting fixed:

autoconf2.13/2.13-67 uploaded by Ben Pfaff, original patch by Santiago Vila.
ding/1.8-3 by Roland Rosenfeld.
dropbear/2015.68-1 by Guilhem Moulin. First set of patches (#777324, #793006) by Chris Lamb and akira.
nvram-wakeup/1.1-3 by Tobias Grimm.
original-awk/2012-12-20-5 by Santiago Vila.
resiprocate/1:1.10.0-1 uploaded by Daniel Pocock, patch by Reiner Herrmann merged upstream.
sbuild/0.66.0-5 by Johannes Schauer, reported by Jakub Wilk.
scribus/1.4.5+dfsg1-4 by Mattia Rizzolo.
sgmltools-lite/3.0.3.0.cvs.20010909-19 by Santiago Vila.
unicode-data/8.0-2 uploaded by Alastair McKinstry, original patch by Esa Peuha.
xmoto/0.5.11+dfsg-3 by Stephen Kitt.

Packages which could not be tested:

mp4h/1.3.1-11 by Axel Beckert (shared memory issue on reproducible.debian.net).
nvidia-graphics-drivers-legacy-304xx/304.128-5 by Andreas Beckmann (non-free).

Some uploads fixed some reproducibility issues but not all of them:

libvirt/1.2.20-1 by Guido G nther.
libgpars-groovy-java/1.2.1-4 by Emmanuel Bourg.

Patches submitted which have not made their way to the archive yet:

#801520 on libapache2-mod-perl2 by Niko Tyni: sort the list of files used to build the documentation.
#801523 on perl by Niko Tyni: sort the list of input files in PPPort_xs.PL. Forwarded upstream.
#801864 on ncurses by Esa Peuha: use C locale when sorting the list of keys.
#802042 on libchado-perl by Niko Tyni: sort keys in installed configuration file.

Lunar reported that test strings depend on default character encoding of the build system in ongl. reproducible.debian.net The 189 packages composing the Arch Linux core repository are now being tested. No packages are currently reproducible, but most of the time the difference is limited to metadata. This has already gained some interest in the Arch Linux community. An explicit log message is now visible when a build has been killed due to the 12 hours timeout. (h01ger) Remote build setup has been made more robust and self maintenance has been further improved. (h01ger) The minimum age for rescheduling of already tested amd64 packages has been lowered from 14 to 7 days, thanks to the increase of hardware resources sponsored by ProfitBricks last week. (h01ger) diffoscope development diffoscope version 37 has been released on October 15th. It adds support for two new file formats (CBFS images and Debian .dsc files). After proposing the required changes to TLSH, fuzzy hashes are now computed incrementally. This will avoid reading entire files in memory which caused problems for large packages. New tests have been added for the command-line interface. More character encoding issues have been fixed. Malformed md5sums will now be compared as binary files instead of making diffoscope crash amongst several other minor fixes. Version 38 was released two days later to fix the versioned dependency on python3-tlsh. strip-nondeterminism development strip-nondeterminism version 0.013-1 has been uploaded to the archive. It fixes an issue with nonconformant PNG files with trailing garbage reported by Roland Rosenfeld. disorderfs development disorderfs version 0.4.1-1 is a stop-gap release that will disable lock propagation, unless --share-locks=yes is specified, as it still is affected by unidentified issues. Documentation update Lunar has been busy creating a proper website for reproducible-builds.org that would be a common location for news, documentation, and tools for all free software projects working on reproducible builds. It's not yet ready to be published, but it's surely getting there. Homepage of the future reproducible-builds.org website

Homepage of the future reproducible-builds.org website

Who's involved? page of the future reproducible-builds.org website

Package reviews 103 reviews have been removed, 394 added and 29 updated this week. 72 FTBFS issues were reported by Chris West and Niko Tyni. New issues: random_order_in_static_libraries, random_order_in_md5sums.

14 October 2015

Lunar: Reproducible builds: week 24 in Stretch cycle

What happened in the reproducible builds effort this week: Toolchain fixes

Niels Thykier uploaded debhelper/9.20151004 which exports SOURCE_DATE_EPOCH when running dh_auto_* (patch by Dhole). dh now also calls dh_strip_nondeterminism during build (patch by Andrew Ayer). The only remaining change regarding reproducibility in the custom debhelper is related to mtimes in data.tar which might be fixed directly in dpkg instead.
Niels Thykier made another upload of debhelper/9.20151005 the next day to sort Build IDs added by dh_strip in control files.

Scott Kitterman fixed an issue with non-deterministic Depends generated by dh-python identified by Santiago Vila and Chris Lamb. Lunar updated the patch against dpkg which makes the order of files in control.tar.gz deterministic using the new --sort=name option available in GNU Tar 1.28. josch released sbuild version 0.66.0-1 with several fixes and improvements. The most notable one for reproducible builds is the new --build-path option and $build_path configuration variable added by akira which allows to explicitly chose a given build path. Reiner Herrmann wrote a new patch for dh-systemd to sort the list of unit files in the generated maintainer scripts. Packages fixed The following packages became reproducible due to changes in their build dependencies: aoeui, apron, camlmix, cudf, findlib, glpk-java, hawtjni, haxe, java-atk-wrapper, llvm-py, misery, mtasc, ocamldsort, optcomp, spamoracle. The following packages became reproducible after getting fixed:

classified-ads/0.08-1 uploaded by Antti J rvinen, fix merged upstream, original patch by Reiner Herrmann.
criu/1.7-3 uploaded by Salvatore Bonaccorso, original patch by Chris Lamb.
doomsday/1.15.4-1 by Michael Gilbert.
ejabberd/15.07-1~exp1 by Philipp Huebner.
libxbean-java/4.4-1 by Emmanuel Bourg.
markdown/1.0.1-8 uploaded by Matt Kraai, original patches by Chris Lamb (#776925) and akira (#793701).
nedit/1:5.6a-3 by Paul Gevers.
nvidia-settings/340.93-1 uploaded by Andreas Beckmann, original patch by Lunar.
ocaml/4.02.3-2 by St phane Glondu.
polygen/1.0.6.ds2-14 uploaded by Mehdi Dogguy, original patch by Chris Lamb.
stsci.distutils/0.3.7-4 by Aurelien Jarno.
vdr/2.2.0-4 by Tobias Grimm.
vdr-plugin-xineliboutput/1.1.0+cvs20150907-3 by Tobias Grimm.
w3c-markup-validator/1.3+dfsg-3 by Santiago Vila.
xcolorsel/1.1a-19 by Santiago Vila.
xmoto/0.5.11+dfsg-3 by Stephen Kitt.

Some uploads fixed some reproducibility issues but not all of them:

ognl/2.7.3-6 by Emmanuel Bourg.
enblend-enfuse/4.1.4+dfsg-2 by Andreas Metzler.

Untested

nvidia-xconfig/340.93-1 by Andreas Beckmann.
nvidia-settings-legacy-304xx/304.128-1 by Andreas Beckmann.

Patches submitted which have not made their way to the archive yet:

#801212 on unicode-data by Esa Peuha: set TZ=UTC when calling unzip.

reproducible.debian.net ProfitBricks once again increased their support for reproducible builds in Debian and in other free software projects by adding 58 new cores and 138 GiB of RAM to the already existing setup. Two new amd64 build nodes and 16 new amd64 build jobs have been added which doubles the build capacity per day and allows us to spot many kind of problems earlier. The size of the tmpfs where builds are performed has also been increased from 70 to 200 GiB on all amd64 build nodes. Huge thanks! When examining a package, a link now points to a table listing all previous recorded tests for the same package. (Mattia) The menu on the package pages has also been improved. (h01ger) Packages in the depwait state are now rescheduled automatically after five days. (h01ger) Links to documentation and other projects being tested have been made more visible on the landing page. (h01ger) To reduce noise on the team IRC channel five different types of notifications have been turned into mail notifications. The remaining ones have been shortened and the status changes have been limited to unstable and experimental. (h01ger) Maintainer notifications about status changes in a package will only be sent out once per day, and not on each status change. (h01ger) diffoscope development Some more experiments of concurrent processing have been made. None were good and reliable enough to be shared, though. Package reviews 48 reviews have been removed, 189 added and 23 updated this week. 9 FTBFS bugs were reported by Chris Lamb. Misc. h01ger met with Levente Polyak to discuss testing Arch Linux on Debian continuous test system with an easily extensible framework. The idea is to also allow testing of other distributions, and provide a nice package based view like the one for Debian.

6 September 2015

Lunar: Reproducible builds: week 19 in Stretch cycle

What happened in the reproducible builds effort this week: Toolchain fixes Dmitry Shachnev uploaded sphinx/1.3.1-6 with improved patches from Val Lorentz. Chris Lamb submitted a patch for ibus-table which makes the output of ibus-table-createdb deterministic. Niko Tyni wrote a patch to make libmodule-build-perl linking order deterministic. Santiago Vila has been leading discussions on the best way to fix timestamps coming from Gettext POT files. Packages fixed The following 35 packages became reproducible due to changes in their build dependencies: apache-log4j2, dctrl-tools, dms, gitit, gnubik, isrcsubmit, mailutils, normaliz, oaklisp, octave-fpl, octave-specfun, octave-vrml, opencolorio, openvdb, pescetti, php-guzzlehttp, proofgeneral, pyblosxom, pyopencl, pyqi, python-expyriment, python-flask-httpauth, python-mzml, python-simpy, python-tidylib, reactive-streams, scmxx, shared-mime-info, sikuli, siproxd, srtp, tachyon, tcltk-defaults, urjtag, velvet. The following packages became reproducible after getting fixed:

binutils-m68hc1x/1:2.18-7 by Santiago Vila.
boa-constructor/0.6.1-15 by Santiago Vila.
brian/1.4.1-3 by Yaroslav Halchenko.
criticalmass/1:1.0.0-3 by Santiago Vila.
cvs-buildpackage/5.25 by Santiago Vila.
fcrackzip/1.0-6 uploaded by Adam Borowski, original patch by Reiner Herrmann.
filters/2.54 prepared by Joey Hess, fixed by Marius Gavrilescu.
fsvs/1.2.6-2 by Santiago Vila.
fte/0.50.2b6-6 by Santiago Vila.
gcc-mingw-w64/15.7 by Stephen Kitt.
ircd-hybrid/1:8.2.8+dfsg.1-1 by Dominic Hargreaves.
leveldb/1.18-3 uploaded by Laszlo Boszormenyi, patch by Reiner Herrmann.
libavg/1.8.1-2 uploaded by Dimitri John Ledkov, original patch by Reiner Herrmann.
lynx-cur/2.8.9dev6-4 uploaded by Axel Beckert, patch by Reiner Herrmann.
maildir-utils/0.9.12-3 by Norbert Preining
pd-iemnet/0.2-1 by IOhannes m zm lnig.
photopc/3.05-8 by Santiago Vila.
postgresql-plproxy/2.6-1 uploaded by Christoph Berg, report by Dhole.
prometheus-pushgateway/0.2.0+ds-2 uploaded by Mart n Ferrari, original patch by Chris Lamb.
shelxle/1.0.740-1 uploaded by Daniel Leidert, fixed upstream.
sigil/0.8.7+dfsg-2 by Mattia Rizzolo.
sks-ecc/0.93-5 by Santiago Vila.
smartlist/3.15-25 by Santiago Vila.
snd/11.7-4 by Santiago Vila.
solarwolf/1.5-2.1 by Graham Inggs.
sphinx/1.3.1-6 uploaded by Dmitry Shachnev, patches by Val Lorentz.
tla/1.3.5+dfsg1-2 by Santiago Vila.
zapping/0.10~cvs6-10 by Santiago Vila.

The package is not in yet in unstable, but linux/4.2-1~exp1 is now reproducible! Kudos to Ben Hutchings, and most fixes are already merged upstream. Some uploads fixed some reproducibility issues but not all of them:

bochs/2.6-3 by Santiago Vila.
oolite/1.82-1 by Nicolas Boulenguez.
openjdk-7/7u85-2.6.1-1 uploaded by Matthias Klose, original patch by Emmanuel Bourg.
python-dtcwt/0.10.1+dfsg1-2 uploaded by Ghislain Antony Vaillant, original patch by Chris Lamb.

Patches submitted which have not made their way to the archive yet:

#797432 on torus-trooper by Reiner Herrmann: set locale to C when sorting source file list.
#797437 on flow-tools by Chris Lamb: use pre-defined hostname and date of the latest debian/changelog entry in build string.
#797505 on cloudprint by Chris Lamb: remove embedded .pyc files.
#797506 on comix by Chris Lamb: remove embedded .pyc files.
#797508 on litl by Chris Lamb: remove date from documentation generated with LaTeX.
#797518 on gyoto by Chris Lamb: set date in documentation generated with LaTeX to the latest debian/changelog entry.
#797539 on cadabra by Chris Lamb: use date of the latest debian/changelog entry as build time.
#797543 on xotcl by Chris Lamb: sort source list in Makefile.
#797579 on ferret-vis by Chris Lamb: use date of the latest debian/changelog entry as build time.
#797711 on libkinosearch1-perl by Niko Tyni: sort source list in Build.PL.
#797871 on xbae by Chris Lamb: use date of the latest debian/changelog entry as build time.

reproducible.debian.net Some bugs that prevented packages to build successfully in the remote builders have been fixed. (h01ger) Two more amd64 build jobs have been removed from the Jenkins host in favor of six more on the new remote nodes. (h01ger) The munin graphs currently looks fine, so more amd64 jobs will probably be added in the next week. diffoscope development Version 32 of diffoscope has been released on September 3rd with the following new features:

A new --fuzzy-threshold option to specify the TLSH score used as cut-off for fuzzy matching. Specifying 0 will disable fuzzy-matching entirely. Suggested by Jakub Wilk.
A new --new-file option to treat absent files as empty. This make diffoscope a great tool to look at the content of an archive at once by comparing it with a non-existent file (example). Suggested by Jakub Wilk.
Comparisons of symlinks and devices given on the command line is now possible.
Default values are displayed in --help.

It also fixes many bugs. Head over to the changelog for the full list. Version 33 was released the day after to fix a bug introduced in the packaging. Documentation update Chris Lamb blessed the SOURCE_DATE_EPOCH specification with the version number 1.0 . Lunar documented how the .file assembler directive can help with random filenames in debug symbols. Package reviews 235 reviews have been removed, 84 added and 277 updated this week. 29 new FTBFS bugs were filled by Chris Lamb, Chris West (Faux), Daniel Stender, and Niko Tyni. New issues identified this week: random_order_in_ibus_table_createdb_output, random_order_in_antlr_output, nondetermistic_link_order_in_module_build, and timestamps_in_tex_documents. Misc. Thanks to Dhole and Thomas Vincent, the talk held at DebConf15 now has subtitles! Void Linux started to merge changes to make packages produced by xbps reproducible.

1 September 2015

Lunar: Reproducible builds: week 18 in Stretch cycle

What happened in the reproducible builds effort this week: Toolchain fixes

Bdale Garbee uploaded tar/1.28-1 which includes the --clamp-mtime option. Patch by Lunar.

Aur lien Jarno uploaded glibc/2.21-0experimental1 which will fix the issue were locales-all did not behave exactly like locales despite having it in the Provides field. Lunar rebased the pu/reproducible_builds branch for dpkg on top of the released 1.18.2. This made visible an issue with udebs and automatically generated debug packages. The summary from the meeting at DebConf15 between ftpmasters, dpkg mainatainers and reproducible builds folks has been posted to the revelant mailing lists. Packages fixed The following 70 packages became reproducible due to changes in their build dependencies: activemq-activeio, async-http-client, classworlds, clirr, compress-lzf, dbus-c++, felix-bundlerepository, felix-framework, felix-gogo-command, felix-gogo-runtime, felix-gogo-shell, felix-main, felix-shell-tui, felix-shell, findbugs-bcel, gco, gdebi, gecode, geronimo-ejb-3.2-spec, git-repair, gmetric4j, gs-collections, hawtbuf, hawtdispatch, jack-tools, jackson-dataformat-cbor, jackson-dataformat-yaml, jackson-module-jaxb-annotations, jmxetric, json-simple, kryo-serializers, lhapdf, libccrtp, libclaw, libcommoncpp2, libftdi1, libjboss-marshalling-java, libmimic, libphysfs, libxstream-java, limereg, maven-debian-helper, maven-filtering, maven-invoker, mochiweb, mongo-java-driver, mqtt-client, netty-3.9, openhft-chronicle-queue, openhft-compiler, openhft-lang, pavucontrol, plexus-ant-factory, plexus-archiver, plexus-bsh-factory, plexus-cdc, plexus-classworlds2, plexus-component-metadata, plexus-container-default, plexus-io, pytone, scolasync, sisu-ioc, snappy-java, spatial4j-0.4, tika, treeline, wss4j, xtalk, zshdb. The following packages became reproducible after getting fixed:

apr/1.5.2-2 by Stefan Fritsch.
binutils-m68hc1x/1:2.18-6 by Santiago Vila.
buxon/0.0.5-5 uploaded by Santiago Vila, original patch by Chris Lamb.
cdtool/2.1.8-release-3 by Santiago Vila.
check/0.10.0-1 by Tobias Frost.
ffe/0.3.4-2 by Santiago Vila.
flowscan-cuflow/1.7-9 by Santiago Vila.
gmt/5.1.2+dfsg1-2 by Bas Couwenberg.
gtkspellmm/3.0.3+dfsg-2 by Philip Rinn.
htp/1.19-2 uploaded by Santiago Vila, original patch by Chris Lamb.
igerman98/20131206-6 by Roland Rosenfeld.
intlfonts/1.2.1-9 uploaded by Santiago Vila, original patch by Chris Lamb.
irda-utils/0.9.18-14 uploaded by Santiago Vila, original patch by Chris Lamb.
jackd2/1.9.10+20150825git1ed50c92~dfsg-1 uploaded by Adrian Knoth, original patch by Chris Lamb.
jove/4.16.0.73-4 by Cord Beermann.
jquery/1.11.3+dfsg-1 uploaded by Antonio Terceiro, original patch by Reiner Herrmann.
libapache2-authcookie-perl/3.22-3 by Niko Tyni.
libaqbanking/5.6.1beta-2 fixed and uploaded by Micha Lenk.
libcitygml/1.4.3-1 by Bas Couwenberg with a fixed new upstream release.
libevhtp/1.2.10-3 by Vincent Bernat.
libgnome2-perl/1.046-2 by Niko Tyni.
libmarc-charset-perl/1.35-2 by Niko Tyni.
libtime-y2038-perl/20100403-5 by Niko Tyni.
libxray-absorption-perl/3.0.1-3 uploaded by gregor herrmann, original patch by Niko Tyno.
lpc21isp/1.97-2 by Agustin Henze.
luakit/2012.09.13-r1-6 by Santiago Vila, also with a patch from akira.
moarvm/2015.07-1 by Daniel Dehennin with a fixed new upstream release.
mosquitto/1.4.3-1 by Roger A. Light.
ngircd/22.1-2 by Christoph Biedl.
nn/6.7.3-10 uploaded by Cord Beermann, original patch by Chris Lamb.
owncloud-client/2.0.0~rc1+dfsg-1 by Sandro Knau .
postfix-gld/1.7-7 uploaded by Santiago Vila, patches for gzip by Chris Lamb and mtimes by akira.
pppconfig/2.3.22 by Santiago Vila.
prometheus/0.15.1+ds-2 by Mart n Ferrari.
python-xlrd/0.9.4-1 by Vincent Bernat.
recode/3.6-22 by Santiago Vila.
ruby-rmagick/2.15.4-1 by Antonio Terceiro.
scite/3.6.0-1 by Antonio Valentino.
smartlist/3.15-25 by Santiago Vila.
tar/1.28-1 uploaded by Bdale Garbee, original patch by Reiner Herrman.
transmissionrpc/0.11-2 uploaded by Vincent Bernat, original patch by Juan Picca.
uruk/20150810-1 uploaded by Joost van Baal-Ili , original patch by Lunar.
webassets/3:0.11-2 uploaded by Agustin Henze, original patch by Reiner Herrmann.
xfig/1:3.2.5.c-5 by Roland Rosenfeld.
xfonts-bolkhov/1.1.20001007-8 by Santiago Vila.

Some uploads fixed some reproducibility issues but not all of them:

cvs-buildpackage/5.24 uploaded by Santiago Vila, original patch by Chris Lamb.
gcc-mingw-w64/15.5 by Stephen Kitt.
vtk6/6.2.0+dfsg1-4 by Anton Gladky.

Patches submitted which have not made their way to the archive yet:

#797027 on zyne by Chris Lamb: switch to pybuild to get rid of .pyc files.
#797180 on python-doit by Chris Lamb: sort output when creating completion script for bash and zsh.
#797211 on apt-dater by Chris Lamb: fix implementation of SOURCE_DATE_EPOCH.
#797215 on getdns by Chris Lamb: fix call to dpkg-parsechangelog in debian/rules.
#797254 on splint by Chris Lamb: support SOURCE_DATE_EPOCH for version string.
#797296 on shiro by Chris Lamb: remove username from build string.
#797408 on splitpatch by Reiner Herrmann: use SOURCE_DATE_EPOCH to set manpage date.
#797410 on eigenbase-farrago by Reiner Herrmann: sets the comment style to scm-safe which tells ResourceGen that no timestamps should be included.
#797415 on apparmor by Reiner Herrmann: sorting with the locale set to C. CAPABILITIES
#797419 on resiprocate by Reiner Herrmann: set the embedded hostname to a static value.
#797427 on jam by Reiner Herrmann: sorting with the locale set to C.
#797430 on ii-esu by Reiner Herrmann: sort source list using C locale.
#797431 on tatan by Reiner Herrmann: sort source list using C locale.

Chris Lamb also noticed that binaries shipped with libsilo-bin did not work. Documentation update Chris Lamb and Ximin Luo assembled a proper specification for SOURCE_DATE_EPOCH in the hope to convince more upstreams to adopt it. Thanks to Holger it is published under a non-Debian domain name. Lunar documented easiest way to solve issues with file ordering and timestamps in tarballs that came with tar/1.28-1. Some examples on how to use SOURCE_DATE_EPOCH have been improved to support systems without GNU date. reproducible.debian.net armhf is finally being tested, which also means the remote building of Debian packages finally works! This paves the way to perform the tests on even more architectures and doing variations on CPU and date. Some packages even produce the same binary Arch:all packages on different architectures (1, 2). (h01ger) Tests for FreeBSD are finally running. (h01ger) As it seems the gcc5 transition has cooled off, we schedule sid more often than testing again on amd64. (h01ger) disorderfs has been built and installed on all build nodes (amd64 and armhf). One issue related to permissions for root and unpriviliged users needs to be solved before disorderfs can be used on reproducible.debian.net. (h01ger) strip-nondeterminism Version 0.011-1 has been released on August 29th. The new version updates dh_strip_nondeterminism to match recent changes in debhelper. (Andrew Ayer) disorderfs disorderfs, the new FUSE filesystem to ease testing of filesystem-related variations, is now almost ready to be used. Version 0.2.0 adds support for extended attributes. Since then Andrew Ayer also added support to reverse directory entries instead of shuffling them, and arbitrary padding to the number of blocks used by files. Package reviews 142 reviews have been removed, 48 added and 259 updated this week. Santiago Vila renamed the not_using_dh_builddeb issue into varying_mtimes_in_data_tar_gz_or_control_tar_gz to align better with other tag names. New issue identified this week: random_order_in_python_doit_completion. 37 FTBFS issues have been reported by Chris West (Faux) and Chris Lamb. Misc. h01ger gave a talk at FrOSCon on August 23rd. Recordings are already online. These reports are being reviewed and enhanced every week by many people hanging out on #debian-reproducible. Huge thanks!

22 June 2015

Lunar: Reproducible builds: week 8 in Stretch cycle

What happened about the reproducible builds effort this week: Toolchain fixes

Brendan O'Dea uploaded help2man/1.47.1 which adds support setting SOURCE_DATE_EPOCH for the date for the generated pages.
Emmanuel Bourg uploaded maven-debian-helper/1.6.12 which sets the locale to en_US when generating the javadoc.
Emmanuel Bourg uploaded javatools/0.51 which sets the locale to en_US when generating the javadoc.
Joachim Breitner uploaded haskell-devscripts/0.9.10 which will always run sorts in LC_ALL=C.

Andreas Henriksson has improved Johannes Schauer initial patch for pbuilder adding support for build profiles. Packages fixed The following 12 packages became reproducible due to changes in their build dependencies: collabtive, eric, file-rc, form-history-control, freehep-chartableconverter-plugin , jenkins-winstone, junit, librelaxng-datatype-java, libwildmagic, lightbeam, puppet-lint, tabble. The following packages became reproducible after getting fixed:

acorn/0.12.0-1 uploaded by Bas Couwenberg, original patch by Reiner Herrmann.
avarice/2.13+svn347-3 by Tobias Frost.
br.ispell/3.0~beta4-19 by Agustin Martin Domingo.
cpp-netlib/0.11.1+dfsg1-3 by Ximin Luo.
device3dfx/2013.08.08-3 by Guillem Jover.
dnsmasq/2.73-1 uploaded by Simon Kelley, original patch by Chris Lamb.
eigen3/3.2.5-4 by Anton Gladky.
eo-spell/3.0~beta4-19 by Agustin Martin Domingo.
espa-nol/3.0~beta4-19 by Agustin Martin Domingo.
firejail/0.9.26-1 by Reiner Herrmann.
gcc-mingw-w64/15.2 by Stephen Kitt.
geoip-database/20150616-1 uploaded by Patrick Matth i, original patch by Reiner Herrmann.
ikiwiki-hosting/0.20150614 by Simon McVittie.
inkscape/0.91-5 by Mattia Rizzolo.
jtreg/4.1-b12-1 by Emmanuel Bourg.
libfile-scan-perl/1.43-3 uploaded by gregor herrmann, original patch by Niko Tyno.
libgpiv/0.6.1-4.2 by akira.
libnet-twitter-lite-perl/0.12006-4 by Niko Tyni.
mingw-w64/4.0.2-5 by Stephen Kitt.
oslo.messaging/1.8.3-3 uploaded by Thomas Goirand, original patch by Juan Picca.
seabios/1.8.2-1 by Michael Tokarev. Suggested fix by Lunar based on recent upstream changes.
thuban/1.2.2-7 uploaded by Bas Couwenberg, original patch by Reiner Herrmann.
tiptop/2.2-3 by Tomasz Buchert.
ucl/1.03+repack-3 by Robert Luberda.

Some uploads fixed some reproducibility issues but not all of them:

amsynth/1.5.1-2 uploaded by Alessio Treglia, original patch by Dhole.
brickos/0.9.0.dfsg-12 uploaded by Michael Tautschnig, original patch by akira.
cucumber/2.0.0-1 by C dric Boutillier; currently FTBFS.
netbeans/8.0.2+dfsg1-2 by Markus Koschany.
pyopencl/2015.1-2 uploaded by Tomasz Rybak, original patch by Tomasz Rybak.

Patches submitted which have not made their way to the archive yet:

#788747 on 0xffff by Dhole: allow embedded timestamp to be set externally and set it to the time of the debian/changelog.
#788752 on analog by Dhole: allow embedded timestamp to be set externally and set it to the time of the debian/changelog.
#788757 on jacktrip by akira: remove $datetime from the documentation footer.
#788868 on apophenia by akira: remove $date from the documentation footer.
#788920 on orthanc by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
#788955 on rivet by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
#789040 on liblo by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
#789049 on mpqc by akira: remove $datetime from the documentation footer.
#789071 on libxkbcommon by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
#789073 on libxr by akira: remove $datetime from the documentation footer.
#789076 on lvtk by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
#789087 on lmdb by akira: pass HTML_TIMESTAMP=NO to Doxygen.
#789184 on openigtlink by akira: remove $datetime from the documentation footer.
#789264 on openscenegraph by akira: pass HTML_TIMESTAMP=NO to Doxygen.
#789308 on trigger-rally-data by Mattia Rizzolo: call dh_fixperms even when overriding dh_fixperms.
#789396 on libsidplayfp by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
#789399 on psocksxx by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
#789405 on qdjango by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
#789406 on qof by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
#789428 on qsapecng by akira: pass HTML_TIMESTAMP=NO to Doxygen.

reproducible.debian.net Bugs with the ftbfs usertag are now visible on the bug graphs. This explain the recent spike. (h01ger) Andreas Beckmann suggested a way to test building packages using the funny paths that one can get when they contain the full Debian package version string. debbindiff development Lunar started an important refactoring introducing abstactions for containers and files in order to make file type identification more flexible, enabling fuzzy matching, and allowing parallel processing. Documentation update Ximin Luo detailed the proposal to standardize environment variables to pass a reference source date to tools that needs one (e.g. documentation generator). Package reviews 41 obsolete reviews have been removed, 168 added and 36 updated this week. Some more issues affecting packages failing to build from source have been identified. Meetings Minutes have been posted for Tuesday June 16th meeting. The next meeting is scheduled Tuesday June 23rd at 17:00 UTC. Presentations Lunar presented the project in French during Pas Sage en Seine in Paris. Video and slides are available.

20 June 2015

Lunar: Reproducible builds: week 5 in Stretch cycle

What happened about the reproducible builds effort for this week: Toolchain fixes Uploads that should help other packages:

Stephen Kitt uploaded mingw-w64/4.0.2-2 which avoids inserting timestamps in PE binaries, and specify dlltool's temp prefix so it generates reproducible files.
Stephen Kitt uploaded binutils-mingw-w64/6.1 which fixed dlltool to initialize its output's .idata$6 section, avoiding random data ending up there.

Patch submitted for toolchain issues:

#787159 on openjdk-7 by Emmanuel Bourg: sort the annotations and enums in package-tree.html produced by javadoc.
#787250 on python-qt4 by Reiner Herrmann: sort imported modules to get reproducible output.
#787251 on pyqt5 by Reiner Herrmann: sort imported modules to get reproducible output.

Some discussions have been started in Debian and with upstream:

ocaml using random intermediate filenames (Daniel Kahn Gillmor)
Timestamps embedded in docbook called by pkg-kde-tools or kdoctools5 (Daniel Kahn Gillmor)
Should --no-insert-timestamps be the default in binutils-mingw-w64? (Stephen Kitt)
Make PDF ID field deterministic in PDFTeX (Nicolas Boulenguez)
Add --deterministic option to Tar? (Lunar)
Undeterministic output from GCC with -flto -ffat-lto-objects (Lunar)

Packages fixed The following 8 packages became reproducible due to changes in their build dependencies: access-modifier-checker, apache-log4j2, jenkins-xstream, libsdl-perl, maven-shared-incremental, ruby-pygments.rb, ruby-wikicloth, uimaj. The following packages became reproducible after getting fixed:

debianutils/4.5.1 uploaded by Clint Adams, original patch by Lunar.
exifprobe/2.0.1-5 by Joao Eriberto Mota Filho.
gdb-mingw-w64/10 by Stephen Kitt.
iceweasel/38.0.1-5 by Mike Hommey.
liblingua-en-tagger-perl/0.25-1 uploaded by Axel Beckert, original patch by Reiner Herrmann.
liboro-java/2.0.8a-10 by Emmanuel Bourg.
mingw-w64/4.0.2-3 by Stephen Kitt.
minidlna/1.1.4+dfsg-4 by Alexander GQ Gerasiov.
miredo/1.2.6-3 by Tomasz Buchert.
mpv/0.9.2-1 uploaded by Alessandro Ghedini, original patch by Lunar.
nspr/2:4.10.8-2 by Mike Hommey.
openstack-doc-tools/0.24-2 uploaded by Thomas Goirand, original patch by Reiner Herrmann.
osgearth/2.5.0+dfsg-3 uploaded by Bas Couwenberg, original patch by Reiner Herrmann.
pyexiv2/0.3.2-8 by Michal iha .
python-netaddr/0.7.14-1 by Vincent Bernat.
ruby-extlib/0.9.16-1 by C dric Boutillier.
sane-backends/1.0.24-12 by J rg Frings-F rst.
sed/4.2.2-6 uploaded by Clint Adams, original patch.
sextractor/2.19.5+dfsg-3 by Ole Streicher.
swarp/2.38.0+dfsg-2 by Ole Streicher.
tiptop/2.2-3 by Tomasz Buchert.
tomcat7/7.0.62-1 by Emmanuel Bourg.
tomcat8/8.0.23-1 by Emmanuel Bourg.
xapian-omega/1.2.21-1 by Olly Betts, also fixed upstream.
y-u-no-validate/2013052401-3 by Jakub Wilk.

Some uploads fixed some reproducibility issues but not all of them:

389-admin/1.1.38-1 uploaded by Timo Aaltonen, original patch by Chris Lamb.
alt-ergo/0.99.1+dfsg1-3 uploaded by Ralf Treinen, original patch by Juan Picca and Jakub Wilk.
deets/0.2.1-2 uploaded by Clint Adams, original patch by Chris Lamb.
fpc/2.6.4+dfsg-5 by Paul Gevers.
inspircd/2.0.20-1 by Guillaume Delacour.
libparse-debianchangelog-perl/1.2.0-3 by intrigeri.
luakit/2012.09.13-r1-4 uploaded by Clint Adams, original patch by Chris Lamb.
mod-authn-webid/0~20110301-3 uploaded by Clint Adams, original patch by Chris Lamb.
powerline/2.1.4-1 uploaded by Jerome Charaoui, reported by akira, fixed upstream.
svtplay-dl/0.10.2015.05.24-1 by Olof Johansson.

Patches submitted which did not make their way to the archive yet:

#777308 on dhcp-helper by Dhole: fix mtimes of packaged files.
#786927 on flowscan by Dhole: remove timestamps from gzip files and fix mtimes of packaged files.
#786959 on python3.5 by Lunar: set build date of binary and documentation to the time of latest debian/changelog entry, prevent gzip from storing a timestamp.
#786965 on python3.4 by Lunar: same as python3.5.
#786978 on python2.7 by Lunar: same as python3.5.
#787122 on xtrlock by Dhole: fix mtimes of packaged files.
#787123 on rsync by Dhole: remove timestamps from gzip files and fix mtimes of packaged files.
#787125 on pachi by Dhole: fix mtimes of packaged files.
#787126 on nis by Dhole: remove timestamps from gzip files and fix mtimes of packaged files.
#787206 on librpc-xml-perl by Reiner Herrmann: remove timestamps from generated code.
#787265 on libwx-perl by Reiner Herrmann: produce sorted output.
#787303 on dos2unix by Juan Picca: set manpage date to the time of latest entry in debian/changelog.
#787327 on vim by Reiner Herrmann: remove usage of __DATE__ and __TIME__ macros.

Discussions that have been started:

gst-plugins-base1.0 embeds current timestamp in .rodata of all objects (Daniel Kahn Gillmor)

reproducible.debian.net Holger Levsen added two new package sets: pkg-javascript-devel and pkg-php-pear. The list of packages with and without notes are now sorted by age of the latest build. Mattia Rizzolo added support for email notifications so that maintainers can be warned when a package becomes unreproducible. Please ask Mattia or Holger or in the #debian-reproducible IRC channel if you want to be notified for your packages! strip-nondeterminism development Andrew Ayer fixed the gzip handler so that it skip adding a predetermined timestamp when there was none. Documentation update Lunar added documentation about mtimes of file extracted using unzip being timezone dependent. He also wrote a short example on how to test reproducibility. Stephen Kitt updated the documentation about timestamps in PE binaries. Documentation and scripts to perform weekly reports were published by Lunar. Package reviews 50 obsolete reviews have been removed, 51 added and 29 updated this week. Thanks Chris West and Mathieu Bridon amongst others. New identified issues:

Misc. Lunar will be talking (in French) about reproducible builds at Pas Sage en Seine on June 19th, at 15:00 in Paris. Meeting will happen this Wednesday, 19:00 UTC.

15 June 2015

Lunar: Reproducible builds: week 7 in Stretch cycle

What happened about the reproducible builds effort for this week: Presentations On June 7th, Reiner Herrmann presented the project at the Gulaschprogrammiernacht 15 in Karlsruhe, Germany. Video and audio recordings in German are available, and so are the slides in English. Toolchain fixes

Joachim Breitner uploaded ghc/7.8.4-9 which uses a hash of the command line instead of the pid when calculating a random directory name.
Lunar uploaded mozilla-devscripts/0.42 which now properly sets the timezone. Patch by Reiner Herrmann.
Dmitry Shachnev uploaded python-qt4/4.11.4+dfsg-1 which now outputs the list of imported module in a stable order. The issue has been fixed upstream. Original patch by Reiner Herrmann.
Norbert Preining uploaded tex-common/6.00 which tries to ensure reproducible builds in files generated by dh_installtex.
Barry Warsaw uploaded wheel/0.24.0-2 which makes the output deterministic. Barry has submitted the fixes upstream based on patches by Reiner Herrman.

Daniel Kahn Gillmor's report on help2man started a discussion with Brendan O'Dea and Ximin Luo about standardizing a common environment variable that would provide a replacement for an embedded build date. After various proposals and research by Ximin about date handling in several programming languages, the best solution seems to define SOURCE_DATE_EPOCH with a value suitable for gmtime(3).

Martin Borgert wondered if Sphinx could be changed in a way that would avoid having to tweak debian/rules in packages using it to produce HTML documentation.

Daniel Kahn Gillmor opened a new report about icont producing unreproducible binaries. Packages fixed The following 32 packages became reproducible due to changes in their build dependencies: agda, alex, c2hs, clutter-1.0, colorediffs-extension, cpphs, darcs-monitor, dispmua, haskell-curl, haskell-glfw, haskell-glib, haskell-gluraw, haskell-glut, haskell-gnutls, haskell-gsasl, haskell-hfuse, haskell-hledger-interest, haskell-hslua, haskell-hsqml, haskell-hssyck, haskell-libxml-sax, haskell-openglraw, haskell-readline, haskell-terminfo, haskell-x11, jarjar-maven-plugin, kxml2, libcgi-struct-xs-perl, libobject-id-perl, maven-docck-plugin, parboiled, pegdown. The following packages became reproducible after getting fixed:

acorn/0.12.0-1 by Bas Couwenberg, original patch by Reiner Herrmann.
cabal-debian/4.17.4-3 by Joachim Breitner.
coin3/3.1.4~abc9f50-9 by Anton Gladky.
deets/0.2.1-4 by Clint Adams.
elinks/0.12~pre6-8 by Moritz Muehlenhoff.
fiona/1.5.1-1 uploaded by Johan Van de Wauw, original patch by Juan Picca.
gcc-mingw-w64/15.2 by Stephen Kitt.
glance/2015.1.0-2 uploaded by Thomas Goirand, original patch by Juan Picca.
hamlib/1.2.15.3-3 uploaded by Colin Tuckley, original patch by akira.
ikiwiki/3.20150610 by Simon McVittie, Joey Hess and Daniel Kahn Gillmor. Cheers!
lava-dispatcher/2015.06-1 by Neil Williams.
libur-perl/0.430-3 by gregor herrmann, fix suggested by Niko Tyni.
lrzsz/0.12.21-8 uploaded by Martin A. Godisch, original patch by Dhole.
makehuman/1.0.2-9 uploaded by Muammar El Khatib, original patch by Juan Picca.
murano/2015.1.0-4 uploaded by Thomas Goirand, original patch by Juan Picca.
ocl-icd/2.2.7-2 by Vincent Danjean.
oslo-config/1:1.9.3-2 uploaded by Thomas Goirand, original patch by Juan Picca.
piuparts/0.64 by Holger Levsen.
posh/0.12.5 by Clint Adams.
python-glance-store/0.4.0-3 uploaded by Thomas Goirand, original patch by Juan Picca.
python-osprofiler/0.3.0-2 uploaded by Thomas Goirand, original patch by Juan Picca.
wheel/0.24.0-2 uploaded by Barry Warsaw, original patch by Reiner Herrman.
xfonts-nexus/0.0.2-17 uploaded by Simon Horman, original patch by Chris Lamb.
zec/0.12-4 by Clint Adams.
zomg/0.8-2 by Clint Adams.

Some uploads fixed some reproducibility issues but not all of them:

brickos/0.9.0.dfsg-11 uploaded by Michael Tautschnig, original patch by akira.
colobot/0.1.5-1 uploaded by Didier Raboud, original patch by akira.
pyopencl/2015.1-1) by Tomasz Rybak.
rockdodger/1.0.0-2 uploaded by Martin A. Godisch, original patch by Chris Lamb.
salt/2014.7.2+ds-1) by Joe Healy.
wmpuzzle/0.5.2-2 uploaded by Martin A. Godisch, original patch by Chris Lamb.
wmwork/0.2.6-2 uploaded by Martin A. Godisch, original patch by Chris Lamb.

Patches submitted which did not make their way to the archive yet:

#776618 on dactyl by Reiner Herrmann: use UTC when computing the build date.
#787996 on cloop by Dhole: set --mtime when creating source tarball.
#787997 on scotch by Dhole: removes extra timestamps from gzip headers.
#787998 on perdition by Dhole: removes extra timestamps from gzip headers.
#787999 on libwebcam by Dhole: removes extra timestamps from gzip headers.
#788000 on libranlip by Dhole: strip extra timestamps from gzip headers, fix mtimes of packaged files.
#788001 on libf2c2 by Dhole: fix mtimes of packages files.
#788010 on givaro by akira: set HTML_TIMESTAMP to NO in Doxygen configuration file.
#788012 on geis by akira: set HTML_TIMESTAMP to NO in Doxygen configuration file.
#788122 on libfile-scan-perl by Niko Tyni: sort hash keys in Makefile.PL.
#788238 on kfreebsd-10 by Steven Chamberlain: fix mtimes in source tarball.
#788246 on pyepr by Juan Picca: set documentation date for Sphinx.
#788247 on grapefruit by Juan Picca: set documentation date for Sphinx.
#788249 on pastescript by Juan Picca: set documentation date for Sphinx.
#788275 on geoip-database by Reiner Herrmann: sets the embedded timestamp to the date from the latest changelog entry and normalizes the used timezone to UTC..
#788336 on irrlicht by akira: removes $datetime from the file footer.html. Now fixed upstream..
#788393 on brian by Juan Picca: set documentation date for Sphinx.
#788402 on linop by Juan Picca: set documentation date for Sphinx.
#788403 on pyevolve by Juan Picca: set documentation date for Sphinx.
#788406 on argvalidate by Juan Picca: set documentation date for Sphinx.
#788467 on astroquery by Juan Picca: set documentation date for Sphinx.
#788476 on mpi4py by Juan Picca: set documentation date for Sphinx.
#788477 on musicbrainzngs by Juan Picca: set documentation date for Sphinx.
#788480 on oslo.messaging by Juan Picca: set documentation date for Sphinx.
#788486 on pyopencl by Juan Picca: set documentation date for Sphinx.
#788487 on python-amqp by Juan Picca: set documentation date for Sphinx.
#788501 on python-fudge by Juan Picca: set documentation date for Sphinx.
#788504 on python-psutil by Juan Picca: set documentation date for Sphinx.
#788505 on python-pypump by Juan Picca: set documentation date for Sphinx.
#788507 on python-repoze.tm2 by Juan Picca: set documentation date for Sphinx.
#788592 on python-repoze.what by Juan Picca: set documentation date for Sphinx.
#788593 on python-scrapy by Juan Picca: set documentation date for Sphinx.
#788593 on python-scrapy by Juan Picca: set documentation date for Sphinx.
#788594 on pywavelets by Juan Picca: set documentation date for Sphinx.
#788595 on sahara by Juan Picca: set documentation date for Sphinx.
#788596 on simplejson by Juan Picca: set documentation date for Sphinx.
#788597 on waitress by Juan Picca: set documentation date for Sphinx.
#788598 on transmissionrpc by Juan Picca: set documentation date for Sphinx.
#788599 on wtforms by Juan Picca: set documentation date for Sphinx.
#788618 on rumor by Holger Levsen: set TZ to UTC when building the documentation.
#788722 on thuban by Reiner Herrmann: set the date embedded in man pages to the changelog date.

reproducible.debian.net A new variation to better notice when a package captures the environment has been introduced. (h01ger) The test on Debian packages works by building the package twice in a short time frame. But sometimes, a mirror push can happen between the first and the second build, resulting in a package built in a different build environment. This situation is now properly detected and will run a third build automatically. (h01ger) OpenWrt, the distribution specialized in embedded devices like small routers, is now being tested for reproducibility. The situation looks very good for their packages which seems mostly affected by timestamps in the tarball. System images will require more work on debbindiff to be better understood. (h01ger) debbindiff development Reiner Herrmann added support for decompling Java .class file and .ipk package files (used by OpenWrt). This is now available in version 22 released on 2015-06-14. Documentation update Stephen Kitt documented the new --insert-timestamp available since binutils-mingw-w64 version 6.2 available to insert a ready-made date in PE binaries built with mingw-w64. Package reviews 195 obsolete reviews have been removed, 65 added and 126 updated this week. New identified issues:

Misc. Holger Levsen reported an issue with the locales-all package that Provides: locales but is actually missing some of the files provided by locales. Coreboot upstream has been quick to react after the announcement of the tests set up the week before. Patrick Georgi has fixed all issues in a couple of days and all Coreboot images are now reproducible (without a payload). SeaBIOS is one of the most frequently used payload on PC hardware and can now be made reproducible too. Paul Kocialkowski wrote to the mailing list asking for help on getting U-Boot tested for reproducibility. Lunar had a chat with maintainers of Open Build Service to better understand the difference between their system and what we are doing for Debian.

17 May 2015

Lunar: Reproducible builds: week 3 in Stretch cycle

What happened about the reproducible builds effort for this week: Toolchain fixes

Stephen Kitt uploaded binutils-mingw-w64/6 which enabled deterministic archives.
Daniel Stender uploaded gamera/3.4.2-1 which removed timestamps from the documentation generator output.
Emmanuel Bourg uploaded maven-archiver/2.6-2 which formatted the date in pom.properties with the UTC timezone.
Dmitry Shachnev uploaded python-qt4/4.11.3+dfsg-2 which removes timestamps from generated files. Original patch by Reiner Herrmann.

Tomasz Buchert submitted a patch to fix the currently overzealous package-contains-timestamped-gzip warning. Daniel Kahn Gillmor identified #588746 as a source of unreproducibility for packages using python-support. Packages fixed The following 57 packages became reproducible due to changes in their build dependencies: antlr-maven-plugin, aspectj-maven-plugin, build-helper-maven-plugin, clirr-maven-plugin, clojure-maven-plugin, cobertura-maven-plugin, coinor-ipopt, disruptor, doxia-maven-plugin, exec-maven-plugin, gcc-arm-none-eabi, greekocr4gamera, haskell-swish, jarjar-maven-plugin, javacc-maven-plugin, jetty8, latexml, libcgi-application-perl, libnet-ssleay-perl, libtest-yaml-valid-perl, libwiki-toolkit-perl, libwww-csrf-perl, mate-menu, maven-antrun-extended-plugin, maven-antrun-plugin, maven-archiver, maven-bundle-plugin, maven-clean-plugin, maven-compiler-plugin, maven-ear-plugin, maven-install-plugin, maven-invoker-plugin, maven-jar-plugin, maven-javadoc-plugin, maven-processor-plugin, maven-project-info-reports-plugin, maven-replacer-plugin, maven-resources-plugin, maven-shade-plugin, maven-site-plugin, maven-source-plugin, maven-stapler-plugin, modello-maven-plugin1.4, modello-maven-plugin, munge-maven-plugin, ocaml-bitstring, ocr4gamera, plexus-maven-plugin, properties-maven-plugin, ruby-magic, ruby-mocha, sisu-maven-plugin, syncache, vdk2, wvstreams, xml-maven-plugin, xmlbeans-maven-plugin. The following packages became reproducible after getting fixed:

cgal/4.6-3 by Joachim Reichel.
cmake/3.2.2-1 by Felix Geyer.
dbus/1.8.16-2 by Simon McVittie.
dialog/1.2-20150513-1 by Santiago Vila.
dmaths/3.5.2.5+dfsg1-1 by Innocent De Marchi.
faad2/2.8.0~cvs20150510-1 by Fabian Greffrath.
fence-agents/4.0.18-1 by Christoph Berg.
gamera/3.4.2-1 uploaded by Daniel Stender, original patch by Reiner Herrmann.
hello-traditional/2.10-3 by Santiago Vila.
libapache2-mod-perl2/2.0.9~rc1-1 uploaded by Niko Tyni, fixed upstream.
libdbix-fulltextsearch-perl/0.73-11 uploaded by Dominic Hargreaves, original patch by Chris Lamb.
libjpeg-turbo/1:1.4.0-7 uploaded by Ond ej Sur , original patch by Reiner Herrmann.
libtime-format-perl/1.12-2 by gregor herrmann.
libx11-keyboard-perl/1.4-5 by gregor herrmann.
mailman/1:2.1.20-1 uploaded by Thijs Kinkhorst, original patch by Lunar.
miscfiles/1.4.2.dfsg.1-10 uploaded by Robert Luberda, original patch by Chris Lamb.
mkvtoolnix/7.9.0-1 uploaded by Christian Marillat, fixed upstream.
mozilla-dom-inspector/1:2.0.15-1 by David Pr vot.
nano/2.3.99pre3-1 uploaded by Jordi Mallach, original patch by Lunar.
ndiswrapper/1.59-3 uploaded by Julian Andres Klode, original patch by Chris Lamb.
original-awk/2012-12-20-3 uploaded by Santiago Vila, original patch by Chris Lamb.
procmail/3.22-25 uploaded by Santiago Vila, original patch by Lunar.
pxz/4.999.99~beta4+gitae80846-2 by Holger Levsen.
python-tuskarclient/0.1.17-2 uploaded by Thomas Goirand, original patch by Reiner Herrmann.
routino/2.7.3-2 by Bas Couwenberg.
scantailor/0.9.11.1-3 by Daniel Stender.
serverstats/0.8.2-11 prepared by Bjoern Boschman, original patch and upload by Chris Lamb.
sysstat/11.1.3-1 by Robert Luberda.
t-prot/3.4-3 by Axel Beckert.
wmsystemtray/1.4+git20150508-1 by Doug Torrance.
yafc/1.3.6-1 uploaded by Sebastian Ramacher, fixed upstream

Some uploads fixed some reproducibility issues but not all of them:

allegro4.4/2:4.4.2-6 uploaded by Andreas R nnquist, original patch by Chris Lamb.
base-files/9.1 uploaded by Santiago Vila, original patch by Lunar, follow-up patch submitted to fix umask-related variations.
castle-game-engine/5.1.1-2 by Paul Gevers.
device3dfx/2013.08.08-2 uploaded by Guillem Jover, original patch by Chris Lamb.
gettext/0.19.4-1 by Santiago Vila.
sendmail/8.14.9-1 by Andreas Beckmann.
smartlist/3.15-24 Santiago Vila Use gzip -n to stop recording current time. Closes: #777445.
uruk/20150401-1 uploaded by Joost van Baal-Ili , original patch by Chris Lamb.

Ben Hutchings also improved and merged several changes submitted by Lunar to linux. Currently untested because in contrib:

Dmitry Smirnov uploaded fheroes2-pkg/0+svn20150122r3274-2-2.

reproducible.debian.net

Thanks to the reproducible-build team for running a buildd from hell. gregor herrmann

Mattia Rizzolo modified the script added last week to reschedule a package from Alioth, a reason can now be optionally specified. Holger Levsen splitted the package sets page so each set now has its own page. He also added new sets for Java packages, Haskell packages, Ruby packages, debian-installer packages, Go packages, and OCaml packages. Reiner Herrmann added locales-all to the set of packages installed in the build environment as its needed to properly identify variations due to the current locale. Holger Levsen improved the scheduling so new uploads get tested sooner. He also changed the .json output that is used by tracker.debian.org to lists FTBFS issues again but only for issues unrelated to the toolchain or our test setup. Amongst many other small fixes and additions, the graph colors should now be more friendly to red-colorblind people. The fix for pbuilder given in #677666 by Tim Landscheidt is now used. This fixed several FTBFS for OCaml packages. Work on rebuilding with different CPU has continued, a kvm-on-kvm build host has been set been set up for this purpose. debbindiff development Version 19 of debbindiff included a fix for a regression when handling info files. Version 20 fixes a bug when diffing files with many differences toward a last line with no newlines. It also now uses the proper encoding when writing the text output to a pipe, and detects info files better. Documentation update Thanks to Santiago Vila, the unneeded -depth option used with find when fixing mtimes has been removed from the examples. Package reviews 113 obsolete reviews have been removed this week while 77 has been added.

Lunar: Reproducible builds: week 2 in Stretch cycle

What happened about the reproducible builds effort for this week: Media coverage Debian's effort on reproducible builds has been covered in the June 2015 issue of Linux Magazin in Germany.

Article about reproducible builds in Linux Magazin June 2015

Toolchain fixes

gregor herrmann uploaded libextutils-depends-perl/0.404-1 which makes its output deterministic.
Christian Hofstaedtler uploaded yard/0.8.7.4-2 which will not write timestamps in the generated documentation. Original patch by Chris Lamb, does not write timestamps in the generated documentation anymore.
Emmanuel Bourg uploaded maven-plugin-tools/3.3-2 which removes the date from the plugin descriptor. Patch by Reiner Herrmann.
Emmanuel Bourg uploaded maven-archiver/2.6-1 which now uses the date set in the DEB_CHANGELOG_DATETIME environment variable for the timestamp in the pom.properties file embedded in the jar files. Original patch by Chris West.
Nicolas Boulenguez uploaded dh-ada-library/6.4 which will warn against non deterministic ALI for sources newer than changelog.

josch rebased the experimental version of debhelper on 9.20150507. Packages fixed The following 515 packages became reproducible due to changes of their build dependencies: airport-utils, airspy-host, all-in-one-sidebar, ampache, aptfs, arpack, asciio, aspell-kk, asused, balance, batmand, binutils-avr, bioperl, bpm-tools, c2050, cakephp-instaweb, carton, cbp2make, checkbot, checksecurity, chemeq, chronicle, cube2-data, cucumber, darkstat, debci, desktop-file-utils, dh-linktree, django-pagination, dosbox, eekboek, emboss-explorer, encfs, exabgp, fbasics, fife, fonts-lexi-saebom, gdnsd, glances, gnome-clocks, gunicorn, haproxy, haskell-aws, haskell-base-unicode-symbols, haskell-base64-bytestring, haskell-basic-prelude, haskell-binary-shared, haskell-binary, haskell-bitarray, haskell-bool-extras, haskell-boolean, haskell-boomerang, haskell-bytestring-lexing, haskell-bytestring-mmap, haskell-config-value, haskell-mueval, haskell-tasty-kat, itk3, jnr-constants, jshon, kalternatives, kdepim-runtime, kdevplatform, kwalletcli, lemonldap-ng, libalgorithm-combinatorics-perl, libalgorithm-diff-xs-perl, libany-uri-escape-perl, libanyevent-http-scopedclient-perl, libanyevent-perl, libanyevent-processor-perl, libapache-session-wrapper-perl, libapache-sessionx-perl, libapp-options-perl, libarch-perl, libarchive-peek-perl, libaudio-flac-header-perl, libaudio-wav-perl, libaudio-wma-perl, libauth-yubikey-decrypter-perl, libauthen-krb5-simple-perl, libauthen-simple-perl, libautobox-dump-perl, libb-keywords-perl, libbarcode-code128-perl, libbio-das-lite-perl, libbio-mage-perl, libbrowser-open-perl, libbusiness-creditcard-perl, libbusiness-edifact-interchange-perl, libbusiness-isbn-data-perl, libbusiness-tax-vat-validation-perl, libcache-historical-perl, libcache-memcached-perl, libcairo-gobject-perl, libcarp-always-perl, libcarp-fix-1-25-perl, libcatalyst-action-serialize-data-serializer-perl, libcatalyst-controller-formbuilder-perl, libcatalyst-dispatchtype-regex-perl, libcatalyst-plugin-authentication-perl, libcatalyst-plugin-authorization-acl-perl, libcatalyst-plugin-session-store-cache-perl, libcatalyst-plugin-session-store-fastmmap-perl, libcatalyst-plugin-static-simple-perl, libcatalyst-view-gd-perl, libcgi-application-dispatch-perl, libcgi-application-plugin-authentication-perl, libcgi-application-plugin-logdispatch-perl, libcgi-application-plugin-session-perl, libcgi-application-server-perl, libcgi-compile-perl, libcgi-xmlform-perl, libclass-accessor-classy-perl, libclass-accessor-lvalue-perl, libclass-accessor-perl, libclass-c3-adopt-next-perl, libclass-dbi-plugin-type-perl, libclass-field-perl, libclass-handle-perl, libclass-load-perl, libclass-ooorno-perl, libclass-prototyped-perl, libclass-returnvalue-perl, libclass-singleton-perl, libclass-std-fast-perl, libclone-perl, libconfig-auto-perl, libconfig-jfdi-perl, libconfig-simple-perl, libconvert-basen-perl, libconvert-ber-perl, libcpan-checksums-perl, libcpanplus-dist-build-perl, libcriticism-perl, libcrypt-cracklib-perl, libcrypt-dh-gmp-perl, libcrypt-mysql-perl, libcrypt-passwdmd5-perl, libcrypt-simple-perl, libcss-packer-perl, libcss-tiny-perl, libcurses-widgets-perl, libdaemon-control-perl, libdancer-plugin-database-perl, libdancer-session-cookie-perl, libdancer2-plugin-database-perl, libdata-format-html-perl, libdata-uuid-libuuid-perl, libdata-validate-domain-perl, libdate-jd-perl, libdate-simple-perl, libdatetime-astro-sunrise-perl, libdatetime-event-cron-perl, libdatetime-format-dbi-perl, libdatetime-format-epoch-perl, libdatetime-format-mail-perl, libdatetime-tiny-perl, libdatrie, libdb-file-lock-perl, libdbd-firebird-perl, libdbix-abstract-perl, libdbix-class-datetime-epoch-perl, libdbix-class-dynamicdefault-perl, libdbix-class-introspectablem2m-perl, libdbix-class-timestamp-perl, libdbix-connector-perl, libdbix-oo-perl, libdbix-searchbuilder-perl, libdbix-xml-rdb-perl, libdevel-stacktrace-ashtml-perl, libdigest-hmac-perl, libdist-zilla-plugin-emailnotify-perl, libemail-date-format-perl, libemail-mime-perl, libemail-received-perl, libemail-sender-perl, libemail-simple-perl, libencode-detect-perl, libexporter-tidy-perl, libextutils-cchecker-perl, libextutils-installpaths-perl, libextutils-libbuilder-perl, libextutils-makemaker-cpanfile-perl, libextutils-typemap-perl, libfile-counterfile-perl, libfile-pushd-perl, libfile-read-perl, libfile-touch-perl, libfile-type-perl, libfinance-bank-ie-permanenttsb-perl, libfont-freetype-perl, libfrontier-rpc-perl, libgd-securityimage-perl, libgeo-coordinates-utm-perl, libgit-pureperl-perl, libgnome2-canvas-perl, libgnome2-wnck-perl, libgraph-readwrite-perl, libgraphics-colornames-www-perl, libgssapi-perl, libgtk2-appindicator-perl, libgtk2-gladexml-simple-perl, libgtk2-notify-perl, libhash-asobject-perl, libhash-moreutils-perl, libhtml-calendarmonthsimple-perl, libhtml-display-perl, libhtml-fillinform-perl, libhtml-form-perl, libhtml-formhandler-model-dbic-perl, libhtml-html5-entities-perl, libhtml-linkextractor-perl, libhtml-tableextract-perl, libhtml-widget-perl, libhtml-widgets-selectlayers-perl, libhtml-wikiconverter-mediawiki-perl, libhttp-async-perl, libhttp-body-perl, libhttp-date-perl, libimage-imlib2-perl, libimdb-film-perl, libimport-into-perl, libindirect-perl, libio-bufferedselect-perl, libio-compress-lzma-perl, libio-compress-perl, libio-handle-util-perl, libio-interface-perl, libio-multiplex-perl, libio-socket-inet6-perl, libipc-system-simple-perl, libiptables-chainmgr-perl, libjoda-time-java, libjsr305-java, libkiokudb-perl, liblemonldap-ng-cli-perl, liblexical-var-perl, liblingua-en-fathom-perl, liblinux-dvb-perl, liblocales-perl, liblog-dispatch-configurator-any-perl, liblog-log4perl-perl, liblog-report-lexicon-perl, liblwp-mediatypes-perl, liblwp-protocol-https-perl, liblwpx-paranoidagent-perl, libmail-sendeasy-perl, libmarc-xml-perl, libmason-plugin-routersimple-perl, libmasonx-processdir-perl, libmath-base85-perl, libmath-basecalc-perl, libmath-basecnv-perl, libmath-bigint-perl, libmath-convexhull-perl, libmath-gmp-perl, libmath-gradient-perl, libmath-random-isaac-perl, libmath-random-oo-perl, libmath-random-tt800-perl, libmath-tamuanova-perl, libmemoize-expirelru-perl, libmemoize-memcached-perl, libmime-base32-perl, libmime-lite-tt-perl, libmixin-extrafields-param-perl, libmock-quick-perl, libmodule-cpanfile-perl, libmodule-load-conditional-perl, libmodule-starter-pbp-perl, libmodule-util-perl, libmodule-versions-report-perl, libmongodbx-class-perl, libmoo-perl, libmoosex-app-cmd-perl, libmoosex-attributehelpers-perl, libmoosex-blessed-reconstruct-perl, libmoosex-insideout-perl, libmoosex-relatedclassroles-perl, libmoosex-role-timer-perl, libmoosex-role-withoverloading-perl, libmoosex-storage-perl, libmoosex-types-common-perl, libmoosex-types-uri-perl, libmoox-singleton-perl, libmoox-types-mooselike-numeric-perl, libmousex-foreign-perl, libmp3-tag-perl, libmysql-diff-perl, libnamespace-clean-perl, libnet-bonjour-perl, libnet-cli-interact-perl, libnet-daap-dmap-perl, libnet-dbus-glib-perl, libnet-dns-perl, libnet-frame-perl, libnet-google-authsub-perl, libnet-https-any-perl, libnet-https-nb-perl, libnet-idn-encode-perl, libnet-idn-nameprep-perl, libnet-imap-client-perl, libnet-irc-perl, libnet-mac-vendor-perl, libnet-openid-server-perl, libnet-smtp-ssl-perl, libnet-smtp-tls-perl, libnet-smtpauth-perl, libnet-snpp-perl, libnet-sslglue-perl, libnet-telnet-perl, libnhgri-blastall-perl, libnumber-range-perl, libobject-signature-perl, libogg-vorbis-header-pureperl-perl, libopenoffice-oodoc-perl, libparse-cpan-packages-perl, libparse-debian-packages-perl, libparse-fixedlength-perl, libparse-syslog-perl, libparse-win32registry-perl, libpdf-create-perl, libpdf-report-perl, libperl-destruct-level-perl, libperl-metrics-simple-perl, libperl-minimumversion-perl, libperl6-slurp-perl, libpgobject-simple-perl, libplack-middleware-fixmissingbodyinredirect-perl, libplack-test-externalserver-perl, libplucene-perl, libpod-tests-perl, libpoe-component-client-ping-perl, libpoe-component-jabber-perl, libpoe-component-resolver-perl, libpoe-component-server-soap-perl, libpoe-component-syndicator-perl, libposix-strftime-compiler-perl, libposix-strptime-perl, libpostscript-simple-perl, libproc-processtable-perl, libprotocol-osc-perl, librcs-perl, libreadonly-xs-perl, libreturn-multilevel-perl, librivescript-perl, librouter-simple-perl, librrd-simple-perl, libsafe-isa-perl, libscope-guard-perl, libsemver-perl, libset-tiny-perl, libsharyanto-file-util-perl, libshell-command-perl, libsnmp-info-perl, libsoap-lite-perl, libstat-lsmode-perl, libstatistics-online-perl, libstring-compare-constanttime-perl, libstring-format-perl, libstring-toidentifier-en-perl, libstring-tt-perl, libsub-recursive-perl, libsvg-tt-graph-perl, libsvn-notify-perl, libswish-api-common-perl, libtap-formatter-junit-perl, libtap-harness-archive-perl, libtemplate-plugin-number-format-perl, libtemplate-plugin-yaml-perl, libtemplate-tiny-perl, libtenjin-perl, libterm-visual-perl, libtest-block-perl, libtest-carp-perl, libtest-classapi-perl, libtest-cmd-perl, libtest-consistentversion-perl, libtest-data-perl, libtest-databaserow-perl, libtest-differences-perl, libtest-file-sharedir-perl, libtest-hasversion-perl, libtest-kwalitee-perl, libtest-lectrotest-perl, libtest-module-used-perl, libtest-object-perl, libtest-perl-critic-perl, libtest-pod-coverage-perl, libtest-script-perl, libtest-script-run-perl, libtest-spelling-perl, libtest-strict-perl, libtest-synopsis-perl, libtest-trap-perl, libtest-unit-perl, libtest-utf8-perl, libtest-without-module-perl, libtest-www-selenium-perl, libtest-xml-simple-perl, libtest-yaml-perl, libtex-encode-perl, libtext-bibtex-perl, libtext-csv-encoded-perl, libtext-csv-perl, libtext-dhcpleases-perl, libtext-diff-perl, libtext-quoted-perl, libtext-trac-perl, libtext-vfile-asdata-perl, libthai, libthread-conveyor-perl, libthread-sigmask-perl, libtie-cphash-perl, libtie-ical-perl, libtime-stopwatch-perl, libtk-dirselect-perl, libtk-pod-perl, libtorrent, libturpial, libunicode-japanese-perl, libunicode-maputf8-perl, libunicode-stringprep-perl, libuniversal-isa-perl, libuniversal-moniker-perl, liburi-encode-perl, libvi-quickfix-perl, libvideo-capture-v4l-perl, libvideo-fourcc-info-perl, libwiki-toolkit-plugin-rss-reader-perl, libwww-mechanize-formfiller-perl, libwww-mechanize-gzip-perl, libwww-mechanize-perl, libwww-opensearch-perl, libx11-freedesktop-desktopentry-perl, libxc, libxml-dtdparser-perl, libxml-easy-perl, libxml-handler-trees-perl, libxml-libxml-iterator-perl, libxml-libxslt-perl, libxml-rss-perl, libxml-validator-schema-perl, libxml-xpathengine-perl, libxml-xql-perl, llvm-py, madbomber, makefs, mdpress, media-player-info, meta-kde-telepathy, metamonger, mmm-mode, mupen64plus-audio-sdl, mupen64plus-rsp-hle, mupen64plus-ui-console, mupen64plus-video-z64, mussort, newpid, node-formidable, node-github-url-from-git, node-transformers, nsnake, odin, otcl, parsley, pax, pcsc-perl, pd-purepd, pen, prank, proj, proot, puppet-module-puppetlabs-postgresql, python-async, python-pysnmp4, qrencode, r-bioc-graph, r-bioc-hypergraph, r-bioc-iranges, r-bioc-xvector, r-cran-pscl, rbenv, rlinetd, rs, ruby-ascii85, ruby-cutest, ruby-ejs, ruby-factory-girl, ruby-hdfeos5, ruby-kpeg, ruby-libxml, ruby-password, ruby-zip-zip, sdl-sound1.2, stterm, systemd, taktuk, tcc, tryton-modules-account-invoice, ttf-summersby, tupi, tuxpuck, unknown-horizons, unsafe-mock, vcheck, versiontools, vim-addon-manager, vlfeat, vsearch, xacobeo, xen-tools, yubikey-personalization-gui, yubikey-personalization. The following packages became reproducible after getting fixed:

cwirc/2.0.0-8 uploaded by Colin Tuckley, original patch by Reiner Herrmann.
darkplaces/0~20140513+svn12208-1 by Simon McVittie.
exactimage/0.9.1-4 by Sven Eckelmann.
gnupg/1.4.19-1 by Daniel Kahn Gillmor.
httpunit/1.7+dfsg-11 by Emmanuel Bourg.
hy/0.10.1-2 uploaded by Tianon Gravi, original patch by Reiner Herrmann.
ioquake3/1.36+u20150412+dfsg1-2 by Simon McVittie, original patch by Reiner Herrmann.
kiwi/1.9.22-3 by Jelmer Vernooij.
lava-server/2015.05-1 uploaded by Neil Williams, original patch by Reiner Herrmann.
libelixirfm-perl/1.1.976-4 uploaded by gregor herrmann, original patch by Chris Lamb.
littler/0.2.3-2 by Dirk Eddelbuettel.
mednafen/0.9.38.1-1 by Stephen Kitt.
nftables/0.4-4 by Arturo Borrero Gonzalez.
ntdb/1.0-7 by Jelmer Vernooij.
onioncat/0.2.2+svn566-1 by intrigeri.
openarena/0.8.8-13 by Simon McVittie.
openarena-085-data/0.8.5split-6 by Simon McVittie.
openarena-088-data/0.8.8-3 by Simon McVittie.
openarena-data/0.8.5split-6 by Simon McVittie.
openarena-maps/0.8.5split-6 by Simon McVittie.
openarena-players/0.8.5split-6 by Simon McVittie.
openarena-players-mature/0.8.5split-6 by Simon McVittie.
openarena-textures/0.8.5split-6 by Simon McVittie.
pybik/2.0-1 by B. Clausius.
python-xmp-toolkit/2.0.1+git20140309.5437b0a-1 by Daniel Stender.
quakespasm/0.90.0-3 by Stephen Kitt.
traceroute/1:2.0.21-1 uploaded by Laszlo Boszormenyi, original patch by Lunar.
unar/1.8.1-4 uploaded by Matt Kraai, original patch by Lunar.
websvn/2.3.3-1.3 uploaded by Thijs Kinkhorst, original patch by Chris Lamb.
xd/3.23.01-2 uploaded by Frank B. Brokken, original patch by Chris Lamb.

Some uploads fixed some reproducibility issues but not all of them:

ada-reference-manual/1:2012.2-5 by Nicolas Boulenguez.
apparmor/2.9.2-2 by intrigeri.
argyll/1.7.0+repack-1 by J rg Frings-F rst.
lava-dispatcher/2015.05-1 by Neil Williams.
libaunit/3.7.1-2 by Nicolas Boulenguez.
libflorist/2014-2 by Nicolas Boulenguez.
mailcrypt/3.5.9-8 uploaded by Barak A. Pearlmutter, original patch by Chris Lamb.
openchange/1:2.2-7 by Jelmer Vernooij.
sane-backends/1.0.24-11 by J rg Frings-F rst timestamps in .dvi and .ps
tomcat6/6.0.41-4 by Emmanuel Bourg.
tomcat7/7.0.61-1 by Emmanuel Bourg; currently FTBFS.
tomcat8/8.0.22-2 by Emmanuel Bourg.

Patches submitted which did not make their way to the archive yet:

#784541 on yasm by Lunar: remove build date from version strings.
#784694 on smcroute by Micha Lenk: remove build date from version string.
#784672 on gnumeric by Daniel Kahn Gillmor: remove timestamps in embedded gzip'ed data in shared library.
#774347 on sed by Lunar: fix permissions before creating the package.
#784352 on icebreaker by Reiner Herrmann: use UTC timezone when calculating version date.
#784325 on kde-workspace by Lunar: make the output of kdm confproc.pl stable.
#784602 on monkeysign by Daniel Kahn Gillmor: use time of debian/changelog entry when generating documentation.
#784723 on alot by Juan Picca: pass time of debian/changelog entry to Sphinx.
#784538 on file-rc by Lunar: use sed instead of grep+mv to keep correct file permissions.
#784335 on libapache2-mod-perl2 by Lunar: set PERL_HASH_SEED=0 during configure to make the generated .c and .h files stable.
#784267 on mpv by Lunar: pass --disable-build-date to ./configure.
#784793 on bugs-everywhere by Daniel Kahn Gillmor: use time of debian/changelog entry as build date.
#784318 on gnome-desktop3 by Lunar: use time of debian/chanelog entry as build date.
#774504 on debianutils by Lunar: fix file permissions.

reproducible.debian.net Alioth now hosts a script that can be used to redo builds and test for a package. This was preliminary done manually through requests over the IRC channel. This should reduce the number of interruptions for jenkins' maintainers The graph of the oldest build per day has been fixed. Maintainance scripts will not error out when they are no files to remove. Holger Levsen started work on being able to test variations of CPU features and build date (as in build in another month of 1984) by using virtual machines. debbindiff development Version 18 has been released. It will uses proper comparators for pk3 and info files. Tar member names are now assumed to be UTF-8 encoded. The limit for the maximum number of different lines has been removed. Let's see on reproducible.debian.net how it goes for pathological cases. It's now possible to specify both --html and --text output. When neither of them is specified, the default will be to print a text report on the standard output (thanks to Paul Wise for the suggestion). Documentation update Nicolas Boulenguez investigated Ada libraries. Package reviews 451 obsolete reviews have been removed and 156 added this week. New identified issues: running kernel version getting captured, random filenames in GHC debug symbols, and timestamps in headers generated by qdbusxml2cpp. Misc. Holger Levsen went to re:publica and talked about reproducible builds to developers and users there. Holger also had a chance to meet FreeBSD developers and discuss the status of FreeBSD. Investigations have started on how it could be made part of our current test system. Laurent Guerby gave Lunar access to systems in the GCC Compile Farm. Hopefully access to these powerful machines will help to fix packages for GCC, Iceweasel, and similar packages requiring long build times.

4 May 2015

Lunar: Reproducible builds: first week in Stretch cycle

Debian Jessie has been released on April 25th, 2015. This has opened the Stretch development cycle. Reactions to the idea of making Debian build reproducibly have been pretty enthusiastic. As the pace is now likely to be even faster, let's see if we can keep everyone up-to-date on the developments. Before the release of Jessie The story goes back a long way but a formal announcement to the project has only been sent in February 2015. Since then, too much work has happened to make a complete report, but to give some highlights:

New variations are now tested: umask, kernel version, domain name, and timezone. We might only be missing CPU type and current date now.
Many improvements to the test system on jenkins.debian.net and the pages showing the results.
Now not only packages from unstable are tested but also those in testing and experimental.
When rescheduling packages for testing, the build products can be kept and the IRC channel gets a notification when its over.
binutils version 2.25-6 is now built with the --enable-deterministic-archives flag. Making ar, strip and others create deterministic static libraries.
Number of identified issues has grown from about 80 to 123 today.

Lunar did a pretty improvised lightning talk during the Mini-DebConf in Lyon. This past week It seems changes were pilling behind the curtains given the amount of activity that happened in just one week. Toolchain fixes

Niels Thykier uploaded debhelper/9.20150501 which includes fixes to dh_makeshlibs (#774100), dh_icons (#774102), dh_usrlocal (#775020). Patches written by Lunar.
Helmut Grohne uploaded doxygen/1.8.9.1-3 which will not generate timestamps in HTML by default. Kudos to akira for bringing the issue upstream.
Kenneth J. Pronovici uploaded epydoc/3.0.1+dfsg-6 adding a --no-include-build-time option. Patch by Jelmer Vernooij.
David Pr vot uploaded php-apigen/2.8.1+dfsg-2 which now has reproducible output.
C dric Boutillier uploaded ruby-prawn/2.0.1+dfsg-1 which now produce a deterministic output when using gradients. Patch by Lunar.
Jelmer Vernooij uploaded samba/2:4.1.17+dfsg-4 which contains a patch by Matthieu Patou making the output of pidl (from libparse-pidl-perl) reproducible.
Dmitry Shachnev uploaded sphinx/1.3.1-1 in experimental which should produce deterministic output. The original patch from Chris Lamb has inspired the upstream fix.
gregor herrmann uploaded libextutils-depends-perl/0.404-1 which makes ExtUtils::Depends output deterministic. Original patch by Reiner Herrmann.
Niko Tyni uploaded perl/5.20.2-4 which makes the output of Pod::Man reproducible. Nice team work visible on #780259.

We also rebased the experimental version of debhelper twice to merge the latest set of changes. Lunar submitted a patch to add a -creation-date to genisoimage. Reiner Herrmann opened #783938 to request making -notimestamp the default behavior for javadoc. Juan Picca submitted a patch to add a --use-date flag to texi2html. Packages fixed The following packages became reproducible due to changes of their build dependencies: apport, batctl, cil, commons-math3, devscripts, disruptor, ehcache, ftphs, gtk2hs-buildtools, haskell-abstract-deque, haskell-abstract-par, haskell-acid-state, haskell-adjunctions, haskell-aeson, haskell-aeson-pretty, haskell-alut, haskell-ansi-terminal, haskell-async, haskell-attoparsec, haskell-augeas, haskell-auto-update, haskell-binary-conduit, haskell-hscurses, jsch, ledgersmb, libapache2-mod-auth-mellon, libarchive-tar-wrapper-perl, libbusiness-onlinepayment-payflowpro-perl, libcapture-tiny-perl, libchi-perl, libcommons-codec-java, libconfig-model-itself-perl, libconfig-model-tester-perl, libcpan-perl-releases-perl, libcrypt-unixcrypt-perl, libdatetime-timezone-perl, libdbd-firebird-perl, libdbix-class-resultset-recursiveupdate-perl, libdbix-profile-perl, libdevel-cover-perl, libdevel-ptkdb-perl, libfile-tail-perl, libfinance-quote-perl, libformat-human-bytes-perl, libgtk2-perl, libhibernate-validator-java, libimage-exiftool-perl, libjson-perl, liblinux-prctl-perl, liblog-any-perl, libmail-imapclient-perl, libmocked-perl, libmodule-build-xsutil-perl, libmodule-extractuse-perl, libmodule-signature-perl, libmoosex-simpleconfig-perl, libmoox-handlesvia-perl, libnet-frame-layer-ipv6-perl, libnet-openssh-perl, libnumber-format-perl, libobject-id-perl, libpackage-pkg-perl, libpdf-fdf-simple-perl, libpod-webserver-perl, libpoe-component-pubsub-perl, libregexp-grammars-perl, libreply-perl, libscalar-defer-perl, libsereal-encoder-perl, libspreadsheet-read-perl, libspring-java, libsql-abstract-more-perl, libsvn-class-perl, libtemplate-plugin-gravatar-perl, libterm-progressbar-perl, libterm-shellui-perl, libtest-dir-perl, libtest-log4perl-perl, libtext-context-eitherside-perl, libtime-warp-perl, libtree-simple-perl, libwww-shorten-simple-perl, libwx-perl-processstream-perl, libxml-filter-xslt-perl, libxml-writer-string-perl, libyaml-tiny-perl, mupen64plus-core, nmap, openssl, pkg-perl-tools, quodlibet, r-cran-rjags, r-cran-rjson, r-cran-sn, r-cran-statmod, ruby-nokogiri, sezpoz, skksearch, slurm-llnl, stellarium. The following packages became reproducible after getting fixed:

berkeley-abc/1.01+20141105hg5b5af75+dfsg-3 uploaded by Ruben Undheim, original patch by Johann Klammer.
binutils/2.25-7 by Matthias Klose.
bitmap-mule/8.5+0.20030825.0433-16 uploaded by Tatsuya Kinoshita, original patch by Chris Lamb.
blobby/1.0-2 by Felix Geyer.
codelite/7.0+dfsg-2 by James Cowgill.
conkeror/1.0~~pre-1+git150409-1 by Axel Beckert.
convmv/1.15-1 by Christian Perrier.
cpl/6.6~b-1 by Ole Streicher.
deheader/1.1-2 by Reiner Herrmann.
dict-foldoc/20150318-1 uploaded by Iustin Pop, original patch by Chris Lamb.
ding/1.8-1 by Roland Rosenfeld.
doc-rfc/20150425-1 by Iustin Pop.
doxygen/1.8.9.1-3 by Helmut Grohne.
eureka/1.07-1 by Fabian Greffrath.
eximdoc4/4.85-2 uploaded by Andreas Metzler, original patch by Chris Lamb.
flashproxy/1.7-3 by Ximin Luo.
heimdal/1.6~rc2+dfsg-10 by Jelmer Vernooij.
init-system-helpers/1.23 by Martin Pitt original patch by Lunar.
ldb/2:1.1.20-2 by Jelmer Vernooij.
libalien-wxwidgets-perl/0.67+dfsg-1 uploaded by gregor herrmann, original patch by Chris Lamb.
libcairo-perl/1.105-1 by intrigeri.
libclass-methodmaker-perl/2.24-1 uploaded by gregor herrmann, original patch by Chris Lamb.
libcommon-sense-perl/3.73-3 uploaded by gregor herrmann, original patch by Chris Lamb.
libelixirfm-perl/1.1.976-4 uploaded by gregor herrmann, original patch by Chris Lamb.
libgnome2-perl/1.045-3 by intrigeri.
libjs-jcrop/0.9.12+dfsg-2 uploaded by David Pr vot, original patch by Chris Lamb.
liblas/1.8.0-2 by Bas Couwenberg.
libopengl-perl/0.6704+dfsg-1 uploaded by gregor herrmann, original patch by Chris Lamb.
libparse-recdescent-perl/1.967009+dfsg-2 uploaded by gregor herrmann, original patch by Reiner Herrmann.
librasterlite/1.1g-5 by Bas Couwenberg.
libterm-size-perl-perl/0.029-2 uploaded by gregor herrmann, original patch by Chris Lamb.
libvdpau/1.1-1 by Andreas Beckmann.
libxml-sax-expatxs-perl/1.33-2 uploaded by gregor herrmann, original patch by Chris Lamb.
lynx-cur/2.8.9dev4-2 by Axel Beckert.
mapcache/1.2.1-3 by Bas Couwenberg.
mdbtools/0.7.1-4 by Jean-Michel Nirgal Vourg re.
mopidy uploaded by Stein Magnus Jodal, fixed by upstream.
objenesis/2.1-1 by Markus Koschany.
opendkim/2.10.1-2 uploaded by Scott Kitterman, original patch by Reiner Herrmann.
pktools/2.6.3-1 by Bas Couwenberg.
posh/0.12.4 uploaded by Clint Adams, original patch by Chris Lamb.
prboom-plus/2:2.5.1.4~svn4425+dfsg1-1 by Fabian Greffrath.
qlandkartegt/1.8.1+ds-1 by Bas Couwenberg.
readosm/1.0.0d-1~exp2 by Bas Couwenberg.
robocode/1.9.2.4-1 by Markus Koschany.
ruby-prawn/2.0.1+dfsg-1 uploaded by C dric Boutillier, original patch by Lunar.
sane-backends/1.0.25+git20150425-1 by J rg Frings-F rst.
scoop/0.7.1-3 by Daniel Stender.
springlobby/0.218-1 by Markus Koschany.
subvertpy/0.9.2-1 by Jelmer Vernooij.
t-prot/3.4-2 by Axel Beckert.
talloc/2.1.2-3 by Jelmer Vernooij.
tdb/1.3.4-2 by Jelmer Vernooij, patch now applied by upstream.
tk-html3/3.0~fossil20110109-5 by Ole Streicher.
tox/1.9.2-2 uploaded by Barry Warsaw original patch by Reiner Herrmann.
trove3/3.0.3-2 by Erich Schubert.
txt2man/1.5.6-2 uploaded by Joao Eriberto Mota Filho, initial patch by Jonathan Wiltshire.
units/2.11-2 by Stephen Kitt.
win32-loader/0.7.10 upload by Didier Raboud, original patch by Lunar.
zec/0.12-3 uploaded by Clint Adams, original patch by Chris Lamb.
zomg/0.8-1 uploaded by Clint Adams, original patch by Chris Lamb.

Some uploads fixed some reproducibility issues but not all of them:

ada-reference-manual/1:2012.2-4 by Nicolas Boulenguez.
adacontrol/1.16r11-3 by Nicolas Boulenguez.
aspectj/1.8.5-1 by Emmanuel Bourg.
binutils-m68hc1x/1:2.18-4 uploaded by Riku Voipio, original patch by Chris Lamb.
debianutils/4.5) uploaded by Clint Adams, original patch by Lunar.
ioquake3/1.36+u20150412+dfsg1-1 by Simon McVittie.
libsdl1.2/1.2.15-11 uploaded by Manuel A. Fernandez Montecelo, original patch by Chris Lamb; currently FTBFS.
libsdl2/2.0.2+dfsg1-7 by Manuel A. Fernandez Montecelo, original patch by Chris Lamb; currently FTBFS.
nedit/1:5.6a-2 by Paul Gevers.
openarena-085-data/0.8.5split-4 by Simon McVittie.
openarena-data/0.8.5split-4 by Simon McVittie.
openarena/0.8.8-12 by Simon McVittie.
openchange/1:2.2-6 by Jelmer Vernooij.
puredata/0.46.6-1 by IOhannes m zm lnig.
pyexiv2/0.3.2-8 by Michal iha ; currently FTBFS.
quakespasm/0.90.0-2 by Stephen Kitt.
sed/4.2.2-5 by Clint Adams, patch by Lunar.
v4l2loopback/0.8.0-5 uploaded by IOhannes m zm lnig, original patch by Chris Lamb.
vim/2:7.4.712-1 uploaded by James McCoy, original patch by Reiner Herrmann.
zookeeper/3.4.6-4 by Emmanuel Bourg.

Patches submitted which did not make their way to the archive yet:

#783882 on jodconverter by Reiner Herrmann: tell javadoc to stop writing timestamps.
#783885 on bind9 by Reiner Herrmann: pass -DNO_VERSION_DATE to build system.
#783688 on serverstats by Chris Lamb: fix permissions.
#783453 on cdbackup by Chris Lamb: remove build date from version string in binary.
#783478 on texi2html by Juan Picca: pass --use-date to texi2html.
#783933 on imagemagick by Reiner Herrmann: remove timestamps from PNG and use deterministic package build date.
#783515 on memtest86+ by Lunar: fix embedded mtimes and pass -creation-date to genisoimage.
#783558 on websvn by Chris Lamb: fix permissions.

Improvements to reproducible.debian.net Mattia Rizzolo has been working on compressing logs using gzip to save disk space. The web server would uncompress them on-the-fly for clients which does not accept gzip content. Mattia Rizzolo worked on a new page listing various breakage: missing or bad debbindiff output, missing build logs, unavailable build dependencies. Holger Levsen added a new execution environment to run debbindiff using dependencies from testing. This is required for packages built with GHC as the compiler only understands interfaces built by the same version. debbindiff development Version 17 has been uploaded to unstable. It now supports comparing ISO9660 images, dictzip files and should compare identical files much faster. Documentation update Various small updates and fixes to the pages about PDF produced by LaTeX, DVI produced by LaTeX, static libraries, Javadoc, PE binaries, and Epydoc. Package reviews Known issues have been tagged when known to be deterministic as some might unfortunately not show up on every single build. For example, two new issues have been identified by building with one timezone in April and one in May. RD and help2man add current month and year to the documentation they are producing. 1162 packages have been removed and 774 have been added in the past week. Most of them are the work of proper automated investigation done by Chris West. Summer of code Finally, we learned that both akira and Dhole were accepted for this Google Summer of Code. Let's welcome them! They have until May 25th before coding officialy begins. Now is the good time to help them feel more comfortable by sharing all these little bits of knowledge on how Debian works.

9 May 2011

Evgeni Golov: playing sick games (RC-bugs 2011/18)

I ve been a little sick the last days and decided to be productive instead of just drinking tea all the time.The result are some (10) squashed bugs from pkg-games, and one long standing nmu.adonthell#624998 LP#765984
FTBFS: py_adonthell_wrap.cc:27357:44: error: taking address of temporary [-fpermissive]
Patch by Peter De Wachter, I just had to sign and upload.alex4#624884
FTBFS: stat.h:106:22: error: expected identifier or ( before [' token
Include defs.h *after* particle.h, thus not redifining __unused from glibc's bits/stat.hfenix#554286 LP#770962
FTBFS with binutils-gold
Fixed since 0.92a.dfsg1-6, bug closed. Found different FTBFS though, fix uploaded as -9.freeciv#554411
FTBFS with binutils-gold
Closed after verifying that it is fixed since at least 2.2.1 as upstream wrote.kball#624978
FTBFS: src/gamemenu.cpp:224:52: error: 'mkdir' was not declared in this scope
Include sys/stat.h in 06_homedir_game.patch and 07_homedir_editor.patch.kiki-the-nano-bot#625047 LP#770970
FTBFS: ../src/../SWIG/KikiPy_wrap.cpp:13045:63: error: taking address of temporary [-fpermissive]
Patch by Peter De Wachter, I just had to sign and upload.late#624937 LP#770857
FTBFS: ball.h:113:19: error: NULL was not declared in this scope
Include stddef.h in ball.h to define NULL.libclaw#625038 #624919 LP#770805
FTBFS: avl_base.hpp:137:15: error: ptrdiff_t does not name a type
Patch by Julien Jorge, I just had to sign and upload.liquidwar#555468
FTBFS with binutils-gold
Patch by Stephen Kitt, I just had to sign and upload.lordsawar#555564
FTBFS with binutils-gold
Closed after verifying that it is fixed since at least 0.1.8xnecview#621392
FTBFS on armel: expected identifier before numeric constant
R0 is already taken as a register name on armel, rename xnecview s constant to DEFFAULTR0. (Patch basically stolen from Ubuntu)

Search Results: "Stephen Kitt"

17 April 2017

28 March 2017

21 June 2016

15 June 2016

14 March 2016

tests.reproducible-builds.org Always use all cores on armhf builders. (h01ger) Improve the look of Debian dashboard. (h01ger)

Package reviews 118 reviews have been removed, 114 added and 15 updated in the previous week. 15 FTBFS have been filled by Chris Lamb. New issues: xmlto_txt_output_locale_specific.

Misc. Lunar seeks new maintainers for diffoscope, several mailing lists, and these very weekly reports.

18 October 2015

14 October 2015

6 September 2015

1 September 2015

22 June 2015

20 June 2015

15 June 2015

17 May 2015

4 May 2015

9 May 2011

tests.reproducible-builds.org Always use all cores on `armhf` builders. (h01ger) Improve the look of Debian dashboard. (h01ger)