What happened in the Reproducible Builds effort between Sunday July 31 and Saturday August 6 2016: Toolchain development and fixes

• dpkg/1.18.10 by Guillem Jover.
  • Generate reproducible source tarballs by using the new GNU tar --clamp-mtime option
  • Enable fixdebugpath build flag feature by default, original patch by Mattia Rizzolo.
• cython/0.24.1-1 by Yaroslav Halchenko.
  • Fix a file ordering issue, original patch by Chris Lamb.
• Chris Lamb and Thomas Schmidt worked on some patches to make reproducible ISO images.
• Johannes Schauer continued the discussion on #763822 regarding dak and buildinfo files.
• Johannes Schauer continued the discussion on #774415 regarding srebuild and debrebuild.

Packages fixed and bugs filed The following 24 packages have become reproducible - in our current test setup - due to changes in their build-dependencies: alglib aspcud boomaga fcl flute haskell-hopenpgp indigo italc kst ktexteditor libgroove libjson-rpc-cpp libqes luminance-hdr openscenegraph palabos petri-foo pgagent sisl srm-ifce vera++ visp x42-plugins zbackup The following packages have become reproducible after being fixed:

• cvs2svn/2.4.0-3 by Laszlo Boszormenyi, original patch by Chris Lamb.
• dapl/2.1.8-2 by 2.1.8-1 by Ana Beatriz Guerrero Lopez, original patch by Chris Lamb.
• fonts-noto/20160116-3 by Vasudev Kamath, original patch by Chris Lamb.
• fortunes-bg/1.3 by Anton Zinoviev, original patch by Chris Lamb.
• fsvs/1.2.7-1 by Reiner Herrmann.
• infernal/1.1.2-1 by Sascha Steinbiss.
• libitpp/4.3.1-7 by Kumar Appaiah, original patch by Eduard Sanou.
• libtar/1.2.20-6 by Magnus Holmgren.
• libterralib/4.3.0+dfsg.2-9 by Alastair McKinstry, original patch by Eduard Sanou.
• mknbi/1.4.4-12 Ralf Treinen, original patch by Chris Lamb.
• node-iscroll/5.2.0+dfsg1-1 by Balint Reczey.
• octave-communications/1.2.1-2 by Rafael Laboissiere.
• python-mkdocs/0.15.3-5 by Brian May, original patch by Chris Lamb.
• remake/4.1+dbg1.1+dfsg-1 by Yaroslav Halchenko, original patch by Reiner Herrmann.
• sa-exim/4.2.1-16 by Magnus Holmgren.
• seqan/1.4.2+dfsg-1 by Andreas Tille, original patch by Chris Lamb.
• sbuild/0.70.0-1 by Johannes Schauer, #825991 from Aurelien Jarno.
• trscripts/1.18 by Anton Zinoviev, original patch by Chris Lamb.
• ui-auto/1.2.9-1 by Stephan S rken.
• ui-utilcpp/1.8.5-1 by Stephan S rken.
• xfonts-cronyx/2.3.8-8 by Anton Zinoviev, original patch by Chris Lamb.

The following newly-uploaded packages appear to be reproducible now, for reasons we were not able to figure out. (Relevant changelogs did not mention reproducible builds.)

• libitext-java/2.1.7-1 by Emmanuel Bourg.
• lice/1:4.2.5i-2 by Kurt Roeckx.
• pgbackrest/1.04-1 by Adrian Vondendriesch.
• pxlib/0.6.7-1 by Uwe Steinmann.
• runit/2.1.2-5 by Dmitry Bogatov.
• ssvnc/1.0.29-3 by Magnus Holmgren.
• syncthing/0.14.3+dfsg1-3 by Alexandre Viau.
• tachyon/0.99~b6+dsx-5 by Jerome Benoit.
• tor/0.2.8.6-2 by Peter Palfrader.

Some uploads have addressed some reproducibility issues, but not all of them:

• apg/2.2.3.dfsg.1-4 by Marc Haber, original patch by Daniel Shahaf.
• atheme-services/7.2.6-1 by Antoine Beaupr .
• gradle-debian-helper/1.3 by Emmanuel Bourg
• hyperscan/4.2.0-2 by Robert Haist, original patch by Eduard Sanou
• kodi by Balint Reczey, original patch by Lukas Rechberger
• python-dtcwt/0.11.0-2 by Ghislain Antony Vaillant.
• sollya/5.0+ds-3 by Jerome Benoit.
• supercat/0.5.5-4.1 by Craig Sanders, original patch by Maria Valentina Marin, original patch by Chris Lamb.

Patches submitted that have not made their way to the archive yet:

• #833070 against wget by Reiner Herrmann.
• #833088 against xine-lib-1.2 by Daniel Shahaf.
• #833162 against qemu by Daniel Shahaf.
• #833176 against trafficserver by Reiner Herrmann.
• #833179 against openldap by Daniel Shahaf.
• #833340 against mini-buildd by Chris Lamb.
• #833379 against hardinfo by Chris Lamb.
• #833380 against roaraudio by Chris Lamb.
• #833395 against emacspeak by Chris Lamb.
• #833399 against wims by Chris Lamb.
• #833408 against amora-server by Chris Lamb.
• #833437 against mp4h by Chris Lamb.
• #833438 against rest2web by Chris Lamb.
• #833439 against forkstat by Chris Lamb.
• #833440 against wmweather+ by Chris Lamb.
• #833441 against rc by Chris Lamb.
• #833443 against vit by Chris Lamb.
• #833444 against openhackware by Chris Lamb.
• #833445 against pd-pdstring by Chris Lamb.
• #833472 against aghermann by Daniel Shahaf.
• #833581 against xshisen by Chris Lamb.
• #833594 against fizmo by Chris Lamb.
• #833610 against ara by Chris Lamb.
• #833611 against fntsample by Chris Lamb.
• #833612 against nsnake by Chris Lamb.

Package reviews and QA These are reviews of reproduciblity issues of Debian packages. 276 package reviews have been added, 172 have been updated and 44 have been removed in this week.

• New issues:
  • unknown_ada_issue
  • timestamps_in_documentation_generated_by_phpdox
• Updated issues:
  • randomness_in_documentation_generated_by_sphinx

7 FTBFS bugs have been reported by Chris Lamb. Reproducibility tools

• diffoscope/56~bpo8+1 uploaded to jessie-backports by Mattia Rizzolo
• strip-nondeterminism/0.022-1~bpo8+1 uploaded to jessie-backports by Mattia Rizzolo

Test infrastructure For testing the impact of allowing variations of the buildpath (which up until now we required to be identical for reproducible rebuilds), Reiner Herrmann contribed a patch which enabled build path variations on testing/i386. This is possible now since dpkg 1.18.10 enables the --fixdebugpath build flag feature by default, which should result in reproducible builds (for C code) even with varying paths. So far we haven't had many results due to disturbances in our build network in the last days, but it seems this would mean roughly between 5-15% additional unreproducible packages - compared to what we see now. We'll keep you updated on the numbers (and problems with compilers and common frameworks) as we find them. lynxis continued work to test LEDE and OpenWrt on two different hosts, to include date variation in the tests. Mattia and Holger worked on the (mass) deployment scripts, so that the - for space reasons - only jenkins.debian.net GIT clone resides in ~jenkins-adm/ and not anymore in Holger's homedir, so that soon Mattia (and possibly others!) will be able to fully maintain this setup, while Holger is doing siesta. Miscellaneous Chris, dkg, h01ger and Ximin attended a Core Infrastricture Initiative summit meeting in New York City, to discuss and promote this Reproducible Builds project. The CII was set up in the wake of the Heartbleed SSL vulnerability to support software projects that are critical to the functioning of the internet. This week's edition was written by Ximin Luo and Holger Levsen and reviewed by a bunch of Reproducible Builds folks on IRC.

This month I've worked on the following things for Debian: To begin with that, I've set up a Debhelper sequencer script for dh-buildinfo¹, this add-on now can be used with dh $@ --with buildinfo in deb/rules instead of having to explicitly call it somewhere in an override. Debops I've set up initial Debian packages of Debops², a collection of fine crafted Ansible roles and playbooks especially for Debian servers, shipped with a couple of convenience and wrapper scripts in Python³. There are two binary packages, one for the toolset (debops), and the other for the playbooks and roles of the project (debops-playbooks). The application is easy to use, just initialize a new project with debops-init foo and add your server(s) to foo/ansible/inventory/hosts belonging to groups representing services and things you want to employ on them. Like the group [debops_gitlab] automatically installs a complete running Gitlab setup on one or a multitude of servers in the same run with the debops command⁴. Use other groups like [debops_mariadb_server] accordingly in the same host inventory. Ansible runs agent less, so you don't have to prepare freshly setup servers with nothing special to use that tool randomly (like on localhost). The list of things you could deploy with Debops is quite amazing and you've got dozens of services at your hand. The new packages are currently in experimental because they need some more fine tuning, like there are a couple of minor error messages which recently occur using it, but it works well. The (early staged) documentation unfortunately couldn't be packaged because of the scattered resp. collective nature of the project (all parts have their own Github repositories)⁵, and also how to generate the upstream tarball remains a bit of a challenge (currently, it's the outcome of debops-init)⁶. I'll have this package in unstable soon. More info on Debops is coming up, then. Hashicorp's Packer I'm very glad to announce that Packer⁷ is ready being available in unstable, and the two year old RFP bug could be finally closed⁸. It's another great and much convenient devops tool which does a lot of different things in an automated fashion using only a single "one-argument" CLI tool in combination with a couple of lines in a configuration script (thanks to Yaroslav Halchenko for the tip). Packer helps creating machine images for different platforms. This is like when you use e.g. Debian installations in a Qemu box for testing or development purposes. Instead of setting up a new virtual machine manually like installing Debian on another computer this process could be automated with Packer, like I've written about in this blog entry here⁹. You just need a template containing instructions for the included Qemu-builder and a preseeding script for the Debian installer, and there you go drinking your coffee while Packer does all the work for you: downloading the installation ISO image, creating the new virtual harddrive, booting the emulator, running the whole installation process automatically like answering questions, selecting things, rebooting without ISO image to complete the installation etc. A couple of minutes and you have a new pre-baked virtual machine image like from a vendoring machine, a fresh one everytime you need it. Packer¹⁰ supports a number of builders for different target platforms (desktop virtualization solutions as much as public cloud providers and private cloud software), can build in parallel, and also the full range of common provisioners can be employed in the process to equip the newly installed OSs. Vagrant boxes could be generated by one of the included postprocessors. I'll write more on Packer here on this blog, soon. There were more then two dozens of packages missing to complete Packer¹¹, which is the achievement of combined forces within the pkg-go group. Much thanks esp. to Alexandre Viau who have worked on the most of the needed new packages. Thanks also to the FTP-masters which were always very quick in reviewing the Go packages, so that it could be proceeded to build and package the sub dependent new ones always consecutively. Squirrel3 I've didn't had the most work with it and just sponsored this for Fabian Wolff, but want to highlight here that there's a new package of Squirrel¹² now available in Debian¹³. Squirrel is a lightweight scripting language, somewhat comparable to Lua. It's fully object-oriented and highly embeddable, it's used in a lot of commerical computer games under the hood for implementing intelligence for bots next to other things¹⁴, but also for the Internet of Things (it's embedded in hardware from Electric Imp). Squirrel functions could be called from C++¹⁵. I've filed an ITP bug for Squirrel already in 2011 (#651195), but always something else got in the way, and it ended up being an RFP. I'm really glad that it got picked up and completed. misc There were a couple of uploads on updated upstream tarballs and for fixing bugs, namely afl/2.10b-1 and 2.11b-1, python-afl/0.5.3-1, pyutilib/5.3.2-1, pyomo/4.3.11327-1, libvigraimpex/1.10.0+git20160211.167be93dfsg-2 (fix of #820429, thanks for Tobias Frost), and gamera/3.4.2+svn1454-1. For the pkg-go group, I've set up a new package of github-mitchellh-ioprogress (which is needed by the official DigitalOcean CLI tool doctl, now RFP #807956 instead of ITP due to the lack of time - again facing a lot of missing packages), and provided a little patch for dh-make-golang updating some standards¹⁶. For Packer I've also updated azure-go-autorest and azure-sdk as team upload (#821938, #821832), but it came out that the project which is currently under heavy development towards a new official release broke a lot in the past weeks (and no Git branching have been used), so that Packer as a matter of fact needed a vendored snapshot, although there have been only a couple of commits in between. Docker-registry hat the same problem with the new package of azure-sdk/2.1.1~beta1, so that it needed to be fixed, too (#822146). By the way, the tool ratt¹⁷ comes very handy for automatically test building down all reverse dependencies, not only for Go packages (thanks to Tianon Gravi for the tip). Finally, I've posted the needed reverse depencies as RFP bugs for Terraform¹⁸ (again quite a lot), Vuls¹⁹, and cve-dictionary²⁰, which is needed for Vuls. I'll let them rest a while waiting to get picked up before working anything down.

This month I've worked on the these things for Debian: To begin with that, I've set up a Debhelper sequencer script for dh-buildinfo¹, this add-on now can be used with dh $@ --with buildinfo in deb/rules instead of having to explicitly call it somewhere in an override. Debops I've set up initial Debian packages of Debops², a collection of fine crafted Ansible roles and playbooks especially for Debian servers (servers which run on Debian), which are shipped with a couple of helper and wrapper scripts in Python³. There are two binary packages, one for the toolset (debops), and the other for the playbooks and roles of the project (debops-playbooks). The application is easy to use, just initialize a new project with debops-init foo and add your server(s) to foo/ansible/inventory/hosts belonging to groups representing services and things you want to employ on them. For example, the group [debops_gitlab] automatically installs a complete running Gitlab setup on one or a multitude of servers in the same run with the debops command⁴. Other groups like [debops_mariadb_server] could be used accordingly in the same host inventory. Ansible works without agent, so you don't have to prepare freshly setup servers with nothing special to use that tool randomly (like on localhost). The list of things you could deploy with Debops is quite amazing and dozens of services are at hand. The new Debian packages are currently in experimental because they need some more fine tuning, e.g. there are a couple of minor error messages which recently occur using it, but it works well. The (early staged) documentation unfortunately couldn't be packaged because of the scattered resp. collective nature of the project (all parts have their own Github repositories)⁵, and also how to generate the upstream tarball remains a bit of a challenge (currently, it's the outcome of debops-init)⁶. I'll have this package in unstable soon. More info on Debops is coming up, then. HashiCorp's Packer I'm very glad to announce that Packer⁷ is ready being available in unstable, and the RFP bug could be finally closed after I've taken it over⁸. It's another great and much convenient devops tool which does a lot of different things in an automated fashion using only a single "one-argument" CLI tool in combination with a couple of lines in a configuration script (thanks to Yaroslav Halchenko for the tip). Packer helps creating machine images for different platforms. This is like when you use e.g. Debian installations in a Qemu box for testing or development purposes. Instead of setting up a new virtual machine manually the same way as installing Debian on another computer this process can be completely automated with Packer, like I've written about in this blog entry here⁹. You just need a template which contains instructions for the included Qemu builder and a preseeding script for the Debian installer, and there you go drinking your coffee while Packer does all the work: download the ISO image for installation, create the new virtual harddrive, boot the emulator, run the whole installation process automatically like with answering questions, selecting things, reboot without ISO image to complete the installation etc. A couple of minutes and you have a new pre-baked virtual machine image like from a vendoring machine, another fresh one could be created anytime. Packer¹⁰ supports a number of builders for different target platforms (desktop virtualization solutions as much as public cloud providers and private cloud software), can build in parallel, and also the full range of common provisioners can be employed in the process to equip the newly installed OSs with services and programs. Vagrant boxes could be generated by one of the included postprocessors. I'll write more on Packer here on this blog, soon. There were more then two dozens of packages missing to complete Packer¹¹, which is the achievement of combined forces within the pkg-go group. Much thanks esp. to Alexandre Viau who have worked on the most of the needed new packages. Thanks also to the FTP masters which were always very quick in reviewing the Go packages, so that it could be proceeded to build and package the sub dependent new ones always consecutively. Squirrel3 I've didn't had the major work of that and just sponsored this for Fabian Wolff, but want to highlight here that there's a new package of Squirrel¹² now available in Debian¹³. Squirrel is a lightweight scripting language, somewhat comparable to Lua. It's fully object-oriented and highly embeddable, it's used in a lot of commerical computer games under the hood for implementing intelligence for bots next to other things¹⁴, but also for the Internet of Things (it's embedded in hardware from Electric Imp). Squirrel functions could be called from C++¹⁵. I've filed an ITP bug for Squirrel already in 2011 (#651195), but always something else had a higher priority, and it ended up being an RFP. I'm really glad that it got picked up and completed quickly afterwards. misc There were a couple of uploads on updated upstream tarballs and for fixing bugs, namely afl/2.10b-1 and 2.11b-1, python-afl/0.5.3-1, pyutilib/5.3.2-1, pyomo/4.3.11327-1, libvigraimpex/1.10.0+git20160211.167be93dfsg-2 (fix of #820429, thanks to Tobias Frost), and gamera/3.4.2+svn1454-1. For the pkg-go group, I've set up a new package of github-mitchellh-ioprogress (which is needed by the official DigitalOcean CLI tool doctl, now RFP #807956 instead of ITP due to the lack of time, again a lot of missing packages are missing for that), and provided a little patch for dh-make-golang updating some standards¹⁶. For Packer I've also updated azure-go-autorest and azure-sdk as team upload (#821938, #821832), but it came out that the project which is currently under heavy development towards a new official release broke a lot in the past weeks (no Git branching have been used), so that Packer as a matter of fact needed a vendored snapshot, although there have been only a couple of commits in between. Docker-registry has the same problem with the new package of azure-sdk/2.1.1~beta1, so that it needed to be fixed, too (#822146). By the way, the tool ratt¹⁷ comes very handy for automatically test building down all reverse dependencies, not only for Go packages (thanks to Tianon Gravi for the tip). Finally, I've posted the needed reverse depencies as RFP bugs for Terraform¹⁸ (again quite a lot), Vuls¹⁹, and cve-dictionary²⁰, which is needed for Vuls. I'll let them rest a while waiting to get picked up before working anything down.

What happened in the reproducible builds effort between February 14th and February 20th 2016:

Toolchain fixes Yaroslav Halchenko uploaded cython/0.23.4+git4-g7eed8d8-1 which makes its output deterministic. Original patch by Chris Lamb. Didier Raboud uploaded pyppd/1.0.2-3 to experimental which now serialize PPD deterministically. Lunar submitted two patches for lcms to add a way for clients to set the creation date/time in profile headers and initialize all bytes when writing named colors.

Packages fixed The following packages have become reproducible due to changes in their build dependencies: dbconfig-common, dctrl-tools, dvdwizard, ekg2, expeyes, galternatives, gpodder, icewm, latex-mk, libiio, lives, navit, po4a, tasksel, tilda, vdr-plugin-infosatepg, xaos. The following packages became reproducible after getting fixed:

• calendarserver/7.0+dfsg-1 uploaded by Rahul Amaram, issue fixed upstream, obsolete patch by Esa Peuha.
• charybdis/3.5.0-1 uploaded by Antoine Beaupr , fixed upstream.
• cpio/2.11+dfsg-5 uploaded by Anibal Monsalve Salazar, patch by Lunar.
• fdroidserver/0.6.0-1 uploaded by Hans-Christoph Steiner, original patch by Reiner Herrmann.
• filter/2.6.3+ds1-2 by Axel Beckert.
• foxyproxy/4.5.5-debian-1 uploaded by David Pr vot, patch by Dhole.
• fpga-icestorm/0~20151006git103e6fd-3 by Ruben Undheim.
• gutenprint/5.2.11~pre1-1 uploaded by Didier Raboud, fixed upstream.
• juce/4.1.0+repack-2 by IOhannes m zm lnig.
• libjxp-java/1.6.1-6 by Emmanuel Bourg.
• libpgm/5.2.122~dfsg-2 uploaded by Laszlo Boszormenyi, patch by Lunar.
• modello/1.8.3-2 by Emmanuel Bourg.
• python-hypothesis/3.0.2-1 by Tristan Seligmann, fixed upstream.
• tcsh/6.18.01-4 uploaded by Thomas Lange, original patch by Reiner Herrmann.

Some uploads fixed some reproducibility issues, but not all of them:

• astroquery/0.3.1+dfsg-1 uploaded by Vincent Prat, original patch by Juan Picca.
• vtk-dicom/0.7.4-1 by Gert Wollny.

Unknown status:

• tomcat7/7.0.68-1 by Emmanuel Bourg (test suite fails in test environment).

Patches submitted which have not made their way to the archive yet:

• #814840 on tor by Petter Reinholdtsen: use the UTC timezone when calling asciidoc.
• #815082 on arachne-pnr by Dhole: use the C locale to format the changelog date.
• #815192 on manpages-de by Reiner Herrmann: tell grep to always treat the input as text so that it works with non-UTF-8 locales.
• #815193 on razorqt by Reiner Herrmann: tell grep to always treat the input as text so that it works with non-UTF-8 locales.
• #815250 on jacal by Reiner Herrmann: use the C locale to format the build date.
• #815252 on colord by Lunar: remove extra timestamps when generating CMF and spectra and implement support for SOURCE_DATE_EPOCH.

reproducible.debian.net Two new package sets have been added: freedombox and freedombox_build-depends. (h01ger)

diffoscope development diffoscope version 49 was released on February 17th. It continues to improve handling of debug symbols for ELF files. Their content will now be compared separately to make them more readable. The search for matching debug packages is more efficient by looking only for .deb files in the same parent directory. Alongside more bug fixes, support for ICC profiles has been added, and libarchive is now also used to read metadata for ar archives.

strip-nondeterminism development Reiner Herrmann added support to normalize Gettext .mo files.

Package reviews 170 reviews have been removed, 172 added and 54 updated in the previous week. 34 new FTBFS bugs have been opened by Chris Lamb, h01ger and Reiner Herrmann. New issues added this week: lxqt_translate_desktop_binary_file_matched_under_certain_locales, timestamps_in_manpages_generated_by_autogen. Improvements to the prebuilder script: avoid ccache, skip disorderfs hook if device nodes cannot be created, compatibility with grsec trusted path execution (Reiner Herrmann), code cleanup (Esa Peuha).

Misc. Steven Chamberlain highlighted reproducibility problems due to differences in how Linux and FreeBSD handle permissions for symlinks. Some possible ways forward have been discussed on the reproducible-builds mailing list. Bernhard M. Wiedemann reported on some reproducibility tests made on OpenSuse mentioning the growing support for SOURCE_DATE_EPOCH. If you are eligible for Outreachy or Google Summer of Code, consider spending the summer working on reproducible builds!

What happened in the reproducible builds effort between February 7th and February 13th 2016:

Toolchain fixes

• James McCoy uploaded devscripts/2.16.1 which makes dcmd supports .buildinfo files. Original patch by josch.
• Lisandro Dami n Nicanor P rez Meyer uploaded qt4-x11/4:4.8.7+dfsg-6 which make files created by qch reproducible by using a fixed date instead of the current time. Original patch by Dhole.

Norbert Preining rejected the patch submitted by Reiner Herrmann to make the CreationDate not appear in comments of DVI / PS files produced by TeX. He also mentioned that some timestamps can be replaced by using the -output-comment option and that the next version of pdftex will have patches inspired by reproducible build to mitigate the effects (see SOURCE_DATE_EPOCH patches) .

Packages fixed The following packages have become reproducible due to changes in their build dependencies: abntex, apt-dpkg-ref, arduino, c++-annotations, cfi, chaksem, clif, cppreference-doc, dejagnu, derivations, ecasound, fdutils, gnash, gnu-standards, gnuift, gsequencer, gss, gstreamer0.10, gstreamer1.0, harden-doc, haskell98-report, iproute2, java-policy, libbluray, libmodbus, lizardfs, mclibs, moon-buggy, nurpawiki, php-sasl, shishi, stealth, xmltex, xsom. The following packages became reproducible after getting fixed:

• adblock-plus/2.7.1+dfsg-1 uploaded by David Pr vot, original patch by Dhole.
• gyoto/1.0.2-2 uploaded by Thibaut Paumard, original patch by Chris Lamb.
• libosmocore/0.9.0-4 by Ruben Undheim.
• libsyncml/0.5.4-2.3 uploaded by Mattia Rizzolo, original patch by akira.
• ltsp/5.5.6-2 by Vagrant Cascadian.
• mira/4.9.5-5 by Michael R. Crusoe.
• pagekite/0.5.8a-1 uploaded by Petter Reinholdtsen, original patch by Chris Lamb.
• plexus-containers/1.0~beta3.0.7-8 by Emmanuel Bourg.
• propellor/2.15.4-1 by Sean Whitton.
• salmon/0.4.2+ds1-2 uploaded by Michael R. Crusoe, original patch by Chris Lamb.
• wmii-doc/1:1-15 by Reiner Herrmann.

Some uploads fixed some reproducibility issues, but not all of them:

• dipy/0.10.1-1 uploaded by Yaroslav Halchenko, original patch by Juna Picca.
• suomi-malaga/2.0-1 uploaded by Timo Jyrinki, original patch by Chris Lamb.
• west-chamber/20100405+svn20111107.r124-7 by Ying-Chun Liu, original patch by Chris Lamb.

Patches submitted which have not made their way to the archive yet:

• #813944 on cvm by Reiner Herrmann: remove gzip headers, fix permissions of some directories and the order of the md5sums.
• #814019 on latexdiff by Reiner Herrmann: remove the current build date from documentation.
• #814214 on rocksdb by Chris Lamb: add support for SOURCE_DATE_EPOCH.

reproducible.debian.net A new armhf build node has been added (thanks to Vagrant Cascadian) and integrated into the Jenkins setup for 4 new armhf builder jobs. (h01ger) All packages for Debian testing (Stretch) have been tested on armhf in just 42 days. It took 114 days to get the same point for unstable back when the armhf test infrastructure was much smaller. Package sets have been enabled for testing on armhf. (h01ger) Packages producing architecture-independent ( Arch:all ) binary packages together with architecture dependent packages targeted for specific architectures will now only be tested on matching architectures. (Steven Chamberlain, h01ger) As the Jenkins setup is now made of 252 different jobs, the overview has been split into 11 different smalller views. (h01ger)

Package reviews 222 reviews have been removed, 110 added and 50 updated in the previous week. 35 FTBFS reports were made by Chris Lamb, Danny Edel, and Niko Tyni.

Misc. The recordings of Ludovic Court s' talk at FOSDEM 16 about reproducible builds and GNU Guix is now available. One can also have a look at slides from Fabian Keil's talk about ElecrtroBSD and Baptiste Daroussin's talk about FreeBSD packages.

What happened in the reproducible builds effort between December 6th and December 12th: Toolchain fixes

• Steven Chamberlain uploaded makefs/20100306-6 which adds a -T flag which will clamp superblock and file timestamps to a given time in epoch format.
• Emmanuel Bourg uploaded maven-debian-helper/2.0~exp3 which disable the timestamps and set the locale to en_US when generating the javadoc.

Reiner Herrmann rebased our experimental version of doxygen on version 1.8.9.1-6. Chris Lamb submitted a patch to make the manpages generated by ruby-ronn reproducible by using the locale-agnostic %Y-%m-%d for the dates. Daniel Kahn Gillmor took another shot at the issue of source path captured in DWARF symbols. A patch has been sent for review by GCC upstream to add the ability to read an environment variable with -fdebug-prefix-map. Packages fixed The following 24 packages have become reproducible due to changes in their build dependencies: gkeyfile-sharp, gprbuild, graphmonkey, gthumb, haskell-yi-language, ion, jackson-databind, jackson-dataformat-smile, jackson-dataformat-xml, jnr-ffi, libcommons-net-java, libproxy, maven-shared-utils, monodevelop-database, mydumper, ndesk-dbus, nini, notify-sharp, pixz, protozero, python-rtslib-fb, slurm-llnl, taglib-sharp, tomboy-latex. The following packages became reproducible after getting fixed:

• canl-java/2.1.1-4 by Mattias Ellert.
• codonw/1.4.4-2 by Sascha Steinbiss.
• cpl-plugin-amber/3.5.1+dfsg-4 by Ole Streicher.
• cpl-plugin-visir/3.5.1+dfsg-4 by Ole Streicher.
• flightcrew/0.7.2+dfsg-6 by Mattia Rizzolo.
• git-annex/5.20151208-1 uploaded by Richard Hartmann, fix by Joey Hess.
• gnudatalanguage/0.9.5-5 uploaded by Axel Beckert, fix by Ole Streicher.
• gramps/4.2.1~dfsg-2 by Ross Gammon.
• jglobus/2.1.0-3 by Mattias Ellert.
• kbtin/1.0.16-1 by Adam Borowski, also reported by Chris Lamb.
• lava-tool/0.14-1 by Neil Williams.
• logbook/0.12.3-1 by Agustin Henze.
• ltrsift/1.0.2-5 by Sascha Steinbiss.
• maven-war-plugin/2.2-1 by Emmanuel Bourg.
• relion/1.4+dfsg-1 by Roland Fehrenbacher.
• u-boot/2015.10+dfsg1-4 by Vagrant Cascadian.
• voms-api-java/3.0.5-3 by Mattias Ellert.
• voms-clients-java/3.0.6-3 by Mattias Ellert.
• xgalaga/2.1.1.0-5 by Markus Koschany.

Some uploads fixed some reproducibility issues, but not all of them:

• aptitude/0.7.5-1 by Manuel A. Fernandez Montecelo.
• asc/2.6.1.0-1 by Markus Koschany.
• grib-api/1.14.3-2 by Enrico Zini.
• jacal/1b9-6 uploaded by Barak A. Pearlmutter, original patch by Chris Lamb.

These uploads might have fixed reproducibility issues but could not be tested yet:

• ncbi-tools6/6.1.20120620-9 by Aaron M. Ucko; currently FTBFS.
• vowpal-wabbit/8.1.1-1 uploaded by Yaroslav Halchenko, original patch by Chris Lamb; currently FTBFS.

Patches submitted which have not made their way to the archive yet:

• #807159 on monit by Chris Lamb: add support for setting the build date using SOURCE_DATE_EPOCH (already fixed upstream).
• #807161 on suomi-malaga by Chris Lamb: add support for setting the build date using SOURCE_DATE_EPOCH.
• #807475 on glance by Chris Lamb: stop recording the number of CPUs on the build system.
• #807605 on guiqwt by Chris Lamb: add support for setting the copyright year using SOURCE_DATE_EPOCH.

reproducible.debian.net Files created with diffoscope now have diffoscope in their name instead debbindiff. (h01ger) Hostnames of first and second build node are now recorded and shown in the build history. (Mattia Rizzolo) Exchanges have started with F-Droid developers to better understand what would be required to test F-Droid applications. (h01ger) A first small set of Fedora 23 packages is now also being tested while development on a new framework for testing RPMs in general has begun. A new Jenkins job has been added to set up to mock, the build system used by Fedora. Another new job takes care of testing RPMs from Fedora 23 on x86_64. So far only 151 packages from the buildsys-build group are tested (currently all unreproducible), but the plan is to build all 17,000 source packages in Fedora 23 and rawhide. The page presenting the results should also soon be improved. (h01ger, Dhiru Kholia) For Arch Linux, all 2223 packages from the extra repository will also be tested from now on. Packages in extra" are tested every four weeks, while those from core every week. Statistics are now displayed alongside the results. (h01ger) jenkins.debian.net has been updated to jenkins-job-builder version 1.3.0. Many job configurations have been simplified and refactored using features of the new version. This was another milestone for the jenkins.debian.org migration. (Phil Hands, h01ger) diffoscope development Chris Lamb announced try.diffoscope.org: an online service that runs diffoscope on user provided files. Improvements are welcome. The application is licensed under the AGPLv3. On diffoscope itself, most pending patches have now been merged. Expect a release soon! Most of the code implementing parallel processing has been polished. Sadly, unpacking archive is CPU-bound in most cases, so the current thread-only implementation does not offer much gain on big packages. More work is still require to also add concurrent processes. Documentation update Ximin Luo has started to write a specification for buildinfo files that could become a larger platform than the limited set of features that were thought so far for Debian .buildinfo. Package reviews 113 reviews have been removed, 111 added and 56 updated in the previous week. 42 new FTBFS bugs were opened by Chris Lamb and Niko Tyni. New issues identified this week: timestamps_in_documentation_generated_by_docbook_dbtimestamp, timestamps_in_sym_l_files_generated_by_malaga, timestamps_in_edj_files_generated_by_edje_cc. Misc. Chris Lamb presented reproducible builds at skroutz.gr.

What happened in the reproducible builds effort this week: Toolchain fixes Dmitry Shachnev uploaded sphinx/1.3.1-6 with improved patches from Val Lorentz. Chris Lamb submitted a patch for ibus-table which makes the output of ibus-table-createdb deterministic. Niko Tyni wrote a patch to make libmodule-build-perl linking order deterministic. Santiago Vila has been leading discussions on the best way to fix timestamps coming from Gettext POT files. Packages fixed The following 35 packages became reproducible due to changes in their build dependencies: apache-log4j2, dctrl-tools, dms, gitit, gnubik, isrcsubmit, mailutils, normaliz, oaklisp, octave-fpl, octave-specfun, octave-vrml, opencolorio, openvdb, pescetti, php-guzzlehttp, proofgeneral, pyblosxom, pyopencl, pyqi, python-expyriment, python-flask-httpauth, python-mzml, python-simpy, python-tidylib, reactive-streams, scmxx, shared-mime-info, sikuli, siproxd, srtp, tachyon, tcltk-defaults, urjtag, velvet. The following packages became reproducible after getting fixed:

• binutils-m68hc1x/1:2.18-7 by Santiago Vila.
• boa-constructor/0.6.1-15 by Santiago Vila.
• brian/1.4.1-3 by Yaroslav Halchenko.
• criticalmass/1:1.0.0-3 by Santiago Vila.
• cvs-buildpackage/5.25 by Santiago Vila.
• fcrackzip/1.0-6 uploaded by Adam Borowski, original patch by Reiner Herrmann.
• filters/2.54 prepared by Joey Hess, fixed by Marius Gavrilescu.
• fsvs/1.2.6-2 by Santiago Vila.
• fte/0.50.2b6-6 by Santiago Vila.
• gcc-mingw-w64/15.7 by Stephen Kitt.
• ircd-hybrid/1:8.2.8+dfsg.1-1 by Dominic Hargreaves.
• leveldb/1.18-3 uploaded by Laszlo Boszormenyi, patch by Reiner Herrmann.
• libavg/1.8.1-2 uploaded by Dimitri John Ledkov, original patch by Reiner Herrmann.
• lynx-cur/2.8.9dev6-4 uploaded by Axel Beckert, patch by Reiner Herrmann.
• maildir-utils/0.9.12-3 by Norbert Preining
• pd-iemnet/0.2-1 by IOhannes m zm lnig.
• photopc/3.05-8 by Santiago Vila.
• postgresql-plproxy/2.6-1 uploaded by Christoph Berg, report by Dhole.
• prometheus-pushgateway/0.2.0+ds-2 uploaded by Mart n Ferrari, original patch by Chris Lamb.
• shelxle/1.0.740-1 uploaded by Daniel Leidert, fixed upstream.
• sigil/0.8.7+dfsg-2 by Mattia Rizzolo.
• sks-ecc/0.93-5 by Santiago Vila.
• smartlist/3.15-25 by Santiago Vila.
• snd/11.7-4 by Santiago Vila.
• solarwolf/1.5-2.1 by Graham Inggs.
• sphinx/1.3.1-6 uploaded by Dmitry Shachnev, patches by Val Lorentz.
• tla/1.3.5+dfsg1-2 by Santiago Vila.
• zapping/0.10~cvs6-10 by Santiago Vila.

The package is not in yet in unstable, but linux/4.2-1~exp1 is now reproducible! Kudos to Ben Hutchings, and most fixes are already merged upstream. Some uploads fixed some reproducibility issues but not all of them:

• bochs/2.6-3 by Santiago Vila.
• oolite/1.82-1 by Nicolas Boulenguez.
• openjdk-7/7u85-2.6.1-1 uploaded by Matthias Klose, original patch by Emmanuel Bourg.
• python-dtcwt/0.10.1+dfsg1-2 uploaded by Ghislain Antony Vaillant, original patch by Chris Lamb.

Patches submitted which have not made their way to the archive yet:

• #797432 on torus-trooper by Reiner Herrmann: set locale to C when sorting source file list.
• #797437 on flow-tools by Chris Lamb: use pre-defined hostname and date of the latest debian/changelog entry in build string.
• #797505 on cloudprint by Chris Lamb: remove embedded .pyc files.
• #797506 on comix by Chris Lamb: remove embedded .pyc files.
• #797508 on litl by Chris Lamb: remove date from documentation generated with LaTeX.
• #797518 on gyoto by Chris Lamb: set date in documentation generated with LaTeX to the latest debian/changelog entry.
• #797539 on cadabra by Chris Lamb: use date of the latest debian/changelog entry as build time.
• #797543 on xotcl by Chris Lamb: sort source list in Makefile.
• #797579 on ferret-vis by Chris Lamb: use date of the latest debian/changelog entry as build time.
• #797711 on libkinosearch1-perl by Niko Tyni: sort source list in Build.PL.
• #797871 on xbae by Chris Lamb: use date of the latest debian/changelog entry as build time.

reproducible.debian.net Some bugs that prevented packages to build successfully in the remote builders have been fixed. (h01ger) Two more amd64 build jobs have been removed from the Jenkins host in favor of six more on the new remote nodes. (h01ger) The munin graphs currently looks fine, so more amd64 jobs will probably be added in the next week. diffoscope development Version 32 of diffoscope has been released on September 3rd with the following new features:

• A new --fuzzy-threshold option to specify the TLSH score used as cut-off for fuzzy matching. Specifying 0 will disable fuzzy-matching entirely. Suggested by Jakub Wilk.
• A new --new-file option to treat absent files as empty. This make diffoscope a great tool to look at the content of an archive at once by comparing it with a non-existent file (example). Suggested by Jakub Wilk.
• Comparisons of symlinks and devices given on the command line is now possible.
• Default values are displayed in --help.

It also fixes many bugs. Head over to the changelog for the full list. Version 33 was released the day after to fix a bug introduced in the packaging. Documentation update Chris Lamb blessed the SOURCE_DATE_EPOCH specification with the version number 1.0 . Lunar documented how the .file assembler directive can help with random filenames in debug symbols. Package reviews 235 reviews have been removed, 84 added and 277 updated this week. 29 new FTBFS bugs were filled by Chris Lamb, Chris West (Faux), Daniel Stender, and Niko Tyni. New issues identified this week: random_order_in_ibus_table_createdb_output, random_order_in_antlr_output, nondetermistic_link_order_in_module_build, and timestamps_in_tex_documents. Misc. Thanks to Dhole and Thomas Vincent, the talk held at DebConf15 now has subtitles! Void Linux started to merge changes to make packages produced by xbps reproducible.

A good amount of the Debian reproducible builds team had the chance to enjoy face-to-face interactions during DebConf15.

Names in red and blue were all present at DebConf15

Hugging people with whom one has been working tirelessly for months gives a lot of warm-fuzzy feelings. Several recorded and hallway discussions paved the way to solve the remaining issues to get reproducible builds part of Debian proper. Both talks from the Debian Project Leader and the release team mentioned the effort as important for the future of Debian. A forty-five minutes talk presented the state of the reproducible builds effort. It was then followed by an hour long roundtable to discuss current blockers regarding dpkg, .buildinfo and their integration in the archive. Toolchain fixes

• Kenneth J. Pronovici uploaded epydoc/3.0.1+dfsg-12 which makes class and modules ordering predictable (#795835) and fixes __repr__ so memory addresses don't appear in docs (#795826). Patches by Val Lorentz.
• Sergei Golovan uploaded erlang/1:18.0-dfsg-2 which adds support for SOURCE_DATE_EPOCH to erlc. Patch by Chris West (Faux) and Chris Lamb.
• Dmitry Shachnev uploaded sphinx/1.3.1-5 which make grammar, inventory, and JavaScript locales generation deterministic. Original patch by Val Lorentz.
• St phane Glondu uploaded ocaml/4.02.3-2 to experimental, making startup files and native packed libraries deterministic. The patch adds deterministic .file to the assembler output.
• Enrico Tassi uploaded lua-ldoc/1.4.3-3 which now pass the -d option to txt2man and add the --date option to override the current date.

Reiner Herrmann submitted a patch to make rdfind sort the processed files before doing any operation. Chris Lamb proposed a new patch for wheel implementing support for SOURCE_DATE_EPOCH instead of the custom WHEEL_FORCE_TIMESTAMP. akira sent one making man2html SOURCE_DATE_EPOCH aware.

• #796330 on d-shlibs by Reiner Herrmann: sort with LC_ALL set to C.

St phane Glondu reported that dpkg-source would not respect tarball permissions when unpacking under a umask of 002. After hours of iterative testing during the DebConf workshop, Sandro Knau created a test case showing how pdflatex output can be non-deterministic with some PNG files. Packages fixed The following 65 packages became reproducible due to changes in their build dependencies: alacarte, arbtt, bullet, ccfits, commons-daemon, crack-attack, d-conf, ejabberd-contrib, erlang-bear, erlang-cherly, erlang-cowlib, erlang-folsom, erlang-goldrush, erlang-ibrowse, erlang-jiffy, erlang-lager, erlang-lhttpc, erlang-meck, erlang-p1-cache-tab, erlang-p1-iconv, erlang-p1-logger, erlang-p1-mysql, erlang-p1-pam, erlang-p1-pgsql, erlang-p1-sip, erlang-p1-stringprep, erlang-p1-stun, erlang-p1-tls, erlang-p1-utils, erlang-p1-xml, erlang-p1-yaml, erlang-p1-zlib, erlang-ranch, erlang-redis-client, erlang-uuid, freecontact, givaro, glade, gnome-shell, gupnp, gvfs, htseq, jags, jana, knot, libconfig, libkolab, libmatio, libvsqlitepp, mpmath, octave-zenity, openigtlink, paman, pisa, pynifti, qof, ruby-blankslate, ruby-xml-simple, timingframework, trace-cmd, tsung, wings3d, xdg-user-dirs, xz-utils, zpspell. The following packages became reproducible after getting fixed:

• apr/1.5.2-3 by Stefan Fritsch.
• aprx/2.08.svn593+dfsg-2 uploaded by Colin Tuckley, original patch by Chris Lamb.
• blkreplay/1.0-3 uploaded by Andrew Shadura, patch by Dhole.
• cal3d/0.11.0-6 uploaded by Manuel A. Fernandez Montecelo, patch by akira.
• cgsi-gsoap/1.3.8-1 by Mattias Ellert.
• eyefiserver/2.4+dfsg-1 by Jean-Michel Vourg re.
• gnujump/1.0.8-3 uploaded by Evgeni Golov, original patch by Chris Lamb.
• hkgerman/1:2-29 by Roland Rosenfeld.
• jove/4.16.0.73-4 by Cord Beermann.
• libevhtp/1.2.10-3 by Vincent Bernat.
• libmkdoc-xml-perl/0.75-4 uploaded by gregor herrmann, original patch by Niko Tyni.
• libparse-debianchangelog-perl/1.2.0-6 by Niko Tyni.
• librostlab-blast/1.0.1-5 uploaded by Andreas Tille, original patch by Chris Lamb.
• libxray-absorption-perl/3.0.1-3 uploaded by gregor herrmann, original patch by Niko Tyni.
• lua-penlight/1.3.2-2 by Enrico Tassi.
• mosquitto/1.4.3-1 by Roger A. Light.
• nagios-plugins-contrib/15.20150818 by Jan Wagner and Bernd Zeimetz.
• nn/6.7.3-10 uploaded by Cord Beermann, original patch by Chris Lamb.
• pybik/2.1-1 by B. Clausius.
• pyepr/0.9.3-1 uploaded by Antonio Valentino, original patch by Juan Picca.
• python-xlrd/0.9.4-1 by Vincent Bernat.
• transmissionrpc/0.11-2 uploaded by Vincent Bernat, original patch by Juan Picca.
• unoconv/0.7-1.1 sponsored by Vincent Bernat, fix by Dhole.
• vim-latexsuite/20141116.812-1 uploaded by Johann Felix Soden, original patch by Chris Lamb.
• volk/1.0.2-2 by A. Maitland Bottoms.
• xbmc/2:13.2+dfsg1-5 by Balint Reczey.
• xdotool/1:3.20150503.1-2 uploaded by Daniel Kahn Gillmor, initial patch by Chris Lamb.
• xfig/1:3.2.5.c-5 by Roland Rosenfeld.
• xfireworks/1.3-10 uploaded by Yukiharu YABUKI, original patch by Chris Lamb.
• xul-ext-monkeysphere/0.8-2 uploaded by Daniel Kahn Gillmor, original patch by Dhole.

Uploads that might have fixed reproducibility issues:

• brian/1.4.1-3 uploaded by Yaroslav Halchenko, original patch by Juan Picca.
• opennebula/4.12.3+dfsg-1 by Dmitry Smirnov.
• pcsx2/1.3.1-1008-g9f291a6+dfsg-1 by Miguel A. Col n V lez.
• webassets/3:0.11-1 uploaded by Agustin Henze, original patch by Reiner Herrmann.

Some uploads fixed some reproducibility issues but not all of them:

• apache2/2.4.16-3 uploaded by Stefan Fritsch, original patch by Jean-Michel Vourg re.
• gerris/20131206+dfsg-6 uploaded by Anton Gladky, original patch by Reiner Herrmann.
• kodi/15.1+dfsg1-1 by Balint Reczey.
• zshdb/0.05+git20101031-4 uploaded by Iain R. Learmonth, original patch by Chris Lamb.

Patches submitted which have not made their way to the archive yet:

• #795861 on fakeroot by Val Lorentz: set the mtime of all files to the time of the last debian/changelog entry.
• #795870 on fatresize by Chris Lamb: set build date to the time of the latest debian/changelog entry.
• #795945 on projectl by Reiner Herrmann: sort with LC_ALL set to C.
• #795977 on dahdi-tools by Dhole: set the timezone to UTC before calling asciidoc.
• #795981 on x11proto-input by Dhole: set the timezone to UTC before calling asciidoc.
• #795983 on dbusada by Dhole: set the timezone to UTC before calling asciidoc.
• #795984 on postgresql-plproxy by Dhole: set the timezone to UTC before calling asciidoc.
• #795985 on xorg by Dhole: set the timezone to UTC before calling asciidoc.
• #795987 on pngcheck by Dhole: set the date in the man pages to the latest debian/changelog entry.
• #795997 on python-babel by Val Lorentz: make build timestamp independent from the timezone and remove the name of the build system locale from the documentation.
• #796092 on a7xpg by Reiner Herrmann: sort with LC_ALL set to C.
• #796212 on bittornado by Chris Lamb: remove umask-varying permissions.
• #796251 on liblucy-perl by Niko Tyni: generate lib/Lucy.xs in a deterministic order.
• #796271 on tcsh by Reiner Herrmann: sort with LC_ALL set to C.
• #796275 on hspell by Reiner Herrmann: remove timestamp from aff files generated by mk_he_affix.
• #796324 on fftw3 by Reiner Herrmann: remove date from documentation files.
• #796335 on nasm by Val Lorentz: remove extra timestamps from the build system.
• #796360 on libical by Chris Lamb: removes randomess caused Perl in generated icalderivedvalue.c.
• #796375 on wcd by Dhole: set the date in the man pages to the latest debian/changelog entry.
• #796376 on mapivi by Dhole: set the date in the man pages to the latest debian/changelog entry.
• #796527 on vserver-debiantools by Dhole: set the date in the man pages to the latest debian/changelog entry.

St phane Glondu reported two issues regarding embedded build date in omake and cduce. Aur lien Jarno submitted a fix for the breakage of make-dfsg test suite. As binutils now creates deterministic libraries by default, Aur lien's patch makes use of a wrapper to give the U flag to ar. Reiner Herrmann reported an issue with pound which embeds random dhparams in its code during the build. Better solutions are yet to be found. reproducible.debian.net Package pages on reproducible.debian.net now have a new layout improving readability designed by Mattia Rizzolo, h01ger, and Ulrike. The navigation is now on the left as vertical space is more valuable nowadays. armhf is now enabled on all pages except the dashboard. Actual tests on armhf are expected to start shortly. (Mattia Rizzolo, h01ger) The limit on how many packages people can schedule using the reschedule script on Alioth has been bumped to 200. (h01ger) mod_rewrite is now used instead of JavaScript for the form in the dashboard. (h01ger) Following the rename of the software, debbindiff has mostly been replaced by either diffoscope or differences in generated HTML and IRC notification output. Connections to UDD have been made more robust. (Mattia Rizzolo) diffoscope development diffoscope version 31 was released on August 21^st. This version improves fuzzy-matching by using the tlsh algorithm instead of ssdeep. New command line options are available: --max-diff-input-lines and --max-diff-block-lines to override limits on diff input and output (Reiner Herrmann), --debugger to dump the user into pdb in case of crashes (Mattia Rizzolo). jar archives should now be detected properly (Reiner Herrman). Several general code cleanups were also done by Chris Lamb. strip-nondeterminism development Andrew Ayer released strip-nondeterminism version 0.010-1. Java properties file in jar should now be detected more accurately. A missing dependency spotted by St phane Glondu has been added. Testing directory ordering issues: disorderfs During the reproducible builds workshop at DebConf, participants identified that we were still short of a good way to test variations on filesystem behaviors (e.g. file ordering or disk usage). Andrew Ayer took a couple of hours to create disorderfs. Based on FUSE, disorderfs in an overlay filesystem that will mount the content of a directory at another location. For this first version, it will make the order in which files appear in a directory random. Documentation update Dhole documented how to implement support for SOURCE_DATE_EPOCH in Python, bash, Makefiles, CMake, and C. Chris Lamb started to convert the wiki page describing SOURCE_DATE_EPOCH into a Freedesktop-like specification in the hope that it will convince more upstream to adopt it. Package reviews 44 reviews have been removed, 192 added and 77 updated this week. New issues identified this week: locale_dependent_order_in_devlibs_depends, randomness_in_ocaml_startup_files, randomness_in_ocaml_packed_libraries, randomness_in_ocaml_custom_executables, undeterministic_symlinking_by_rdfind, random_build_path_by_golang_compiler, and images_in_pdf_generated_by_latex. 117 new FTBFS bugs have been reported by Chris Lamb, Chris West (Faux), and Niko Tyni. Misc. Some reproducibility issues might face us very late. Chris Lamb noticed that the test suite for python-pykmip was now failing because its test certificates have expired. Let's hope no packages are hiding a certificate valid for 10 years somewhere in their source! Pictures courtesy and copyright of Debian's own paparazzi: Aigars Mahinovs.

What happened about the reproducible builds effort this week: Toolchain fixes Norbert Preining uploaded texinfo/6.0.0.dfsg.1-2 which makes texinfo indices reproducible. Original patch by Chris Lamb. Lunar submitted recently rebased patches to make the file order of files inside .deb stable. akira filled #789843 to make tex4ht stop printing timestamps in its HTML output by default. Dhole wrote a patch for xutils-dev to prevent timestamps when creating gzip compresed files. Reiner Herrmann sent a follow-up patch for wheel to use UTC as timezone when outputing timestamps. Mattia Rizzolo started a discussion regarding the failure to build from source of subversion when -Wdate-time is added to CPPFLAGS which happens when asking dpkg-buildflags to use the reproducible profile. SWIG errors out because it doesn't recognize the aforementioned flag. Trying to get the .buildinfo specification to more definitive state, Lunar started a discussion on storing the checksums of the binary package used in dpkg status database. akira discovered while proposing a fix for simgrid that CMake internal command to create tarballs would record a timestamp in the gzip header. A way to prevent it is to use the GZIP environment variable to ask gzip not to store timestamps, but this will soon become unsupported. It's up for discussion if the best place to fix the problem would be to fix it for all CMake users at once. Infrastructure-related work Andreas Henriksson did a delayed NMU upload of pbuilder which adds minimal support for build profiles and includes several fixes from Mattia Rizzolo affecting reproducibility tests. Neils Thykier uploaded lintian which both raises the severity of package-contains-timestamped-gzip and avoids false positives for this tag (thanks to Tomasz Buchert). Petter Reinholdtsen filled #789761 suggesting that how-can-i-help should prompt its users about fixing reproducibility issues. Packages fixed The following packages became reproducible due to changes in their build dependencies: autorun4linuxcd, libwildmagic, lifelines, plexus-i18n, texlive-base, texlive-extra, texlive-lang. The following packages became reproducible after getting fixed:

• 0xffff/6.1-3 uploaded by Sebastian Reichel, original patch by Dhole.
• fusionforge/6.0-1 uploaded by Roland Mas and fixed upstream.
• geis/2.2.17-1 uploaded by Stephen M. Webb, original patch by akira.
• gramadoir/0.7-3 uploaded by Alastair McKinstry, original patch by Chris Lamb.
• ht/2.1.0-1 by Anton Gladky.
• ispell-fo/0.4.2-8 by Agustin Martin Domingo.
• ispell-gl/0.5-42 by Agustin Martin Domingo.
• libosmium by Bas Couwenberg.
• maven-dependency-analyzer/1.4-1 by Emmanuel Bourg.
• migrate/0.9.6-2 uploaded by Thomas Goirand, original patch by Juan Picca.
• mustache-java/0.8.17-3 by Miguel Landaeta.
• myspell-pt-br/20131030-6 by Agustin Martin Domingo.
• myspell.pt/20091013-9 by Agustin Martin Domingo.
• nss-wrapper/1.0.3-3 by Jakub Wilk.
• osmcoastline by Bas Couwenberg.
• osmium-tool/1.0.1-2 uploaded by Bas Couwenberg, original patch by Chris Lamb.
• python-gmpy2/2.0.5-1 by Martin Kelly.
• python-pathlib/1.0.1-2 uploaded by Frank Brehm, original patch by Reiner Herrmann
• python-pysaml2/2.4.0-2 uploaded by Thomas Goirand, original patch by Juan Picca.
• python-pysqlite2 uploaded by Joel Rosdahl, original patch by Juan Picca.
• python-scrapy/1.0.0-1 uploaded by Yaroslav Halchenko, original patch by Juan Picca.
• softcatala-spell/0.20111230b-9 by Agustin Martin Domingo.
• tempest/4-2 uploaded by Thomas Goirand, original patch by Juan Picca.
• tiptop/2.2-3 by Tomasz Buchert.
• ucl/1.03+repack-3 by Robert Luberda.
• welcome2l/3.04-26 by Robert Luberda.
• xuxen-eu-spell/0.4.20081029-11 by Agustin Martin Domingo.
• y-u-no-validate/2013052401-4 uploaded by Jakub Wilk, original patch by Chris Lamb.

Some uploads fixed some reproducibility issues but not all of them:

• camitk/3.4.0-2 by Emmanuel Promayon.
• mariadb-10.0/10.0.20-1 by Otto Kek l inen.
• mathjax-docs/2.5+20150518-1 uploaded by Dmitry Shachnev, original patch by Juan Picca.
• wxwidgets3.0/3.0.2-2 by Olly Betts.

Untested uploaded as they are not in main:

• nvidia-persistenced/352.21-1 by Andreas Beckmann.
• nvidia-modprobe/349.16-1 by Andreas Beckmann.

Patches submitted which have not made their way to the archive yet:

• #789648 on apt-dater by Dhole: allow the build date to be set externally and set it to the time of the latest debian/changelog entry.
• #789715 on simgrid by akira: fix doxygen and patch CMakeLists.txt to give GZIP=-n for tar.
• #789728 on aegisub by Juan Picca: get rid of __DATE__ and __TIME__ macros.
• #789747 on dipy by Juan Picca: set documentation date for Sphinx.
• #789748 on jansson by Juan Picca: set documentation date for Sphinx.
• #789799 on tmexpand by Chris Lamb: remove timestamps, hostname and username from the build output.
• #789804 on libevocosm by Chris Lamb: removes generated files which include extra information about the build environment.
• #789963 on qrfcview by Dhole: removes the timestamps from the the generated PNG icon.
• #789965 on xtel by Dhole: removes extra timestamps from compressed files by gzip and from the PNG icon.
• #790010 on simbody by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790023 on stx-btree by akira: pass HTML_TIMESTAMP=NO to Doxygen.
• #790034 on siscone by akira: removes $datetime from footer.html used by Doxygen.
• #790035 on thepeg by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790072 on libxray-spacegroup-perl by Chris Lamb: set $Storable::canonical = 1 to make space_groups.db.PL output deterministic.
• #790074 on visp by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790081 on wfmath by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790082 on wreport by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790088 on yudit by Chris Lamb: removes timestamps from the build system by passing a static comment.
• #790122 on clblas by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790133 on dcmtk by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790139 on glfw3 by akira: patch for Doxygen timestamps further improved by James Cowgill by removing $datetime from the footer.
• #790228 on gtkspellmm by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790232 on ucblogo by Reiner Herrmann: set LC_ALL to C before sorting.
• #790235 on basemap by Juan Picca: set documentation date for Sphinx.
• #790258 on guymager by Reiner Herrmann: use the date from the latest debian/changelog as build date
• #790309 on pelican by Chris Lamb: removes useless (and unreproducible) tests.

debbindiff development debbindiff/23 includes a few bugfixes by Helmut Grohne that result in a significant speedup (especially on larger files). It used to exhibit the quadratic time string concatenation antipattern. Version 24 was released on June 23rd in a hurry to fix an undefined variable introduced in the previous version. (Reiner Herrmann) debbindiff now has a test suite! It is written using the PyTest framework (thanks Isis Lovecruft for the suggestion). The current focus has been on the comparators, and we are now at 93% of code coverage for these modules. Several problems were identified and fixed in the process: paths appearing in output of javap, readelf, objdump, zipinfo, unsqusahfs; useless MD5 checksum and last modified date in javap output; bad handling of charsets in PO files; the destination path for gzip compressed files not ending in .gz; only metadata of cpio archives were actually compared. stat output was further trimmed to make directory comparison more useful. Having the test suite enabled a refactoring of how comparators were written, switching from a forest of differences to a single tree. This helped removing dust from the oldest parts of the code. Together with some other small changes, version 25 was released on June 27th. A follow up release was made the next day to fix a hole in the test suite and the resulting unidentified leftover from the comparator refactoring. (Lunar) Documentation update Ximin Luo improved code examples for some proposed environment variables for reference timestamps. Dhole added an example on how to fix timestamps C pre-processor macros by adding a way to set the build date externally. akira documented her fix for tex4ht timestamps. Package reviews 94 obsolete reviews have been removed, 330 added and 153 updated this week. Hats off for Chris West (Faux) who investigated many fail to build from source issues and reported the relevant bugs. Slight improvements were made to the scripts for editing the review database, edit-notes and clean-notes. (Mattia Rizzolo) Meetings A meeting was held on June 23rd. Minutes are available. The next meeting will happen on Tuesday 2015-07-07 at 17:00 UTC. Misc. The Linux Foundation announced that it was funding the work of Lunar and h01ger on reproducible builds in Debian and other distributions. This was further relayed in a Bits from Debian blog post.

I've been sadly neglecting this script, but tonight I finally found some time to catch up on all the suggestions and bug reports that Guido G nther has been letting me know about (and I greatly appreciate that!). This version merges in all the good ideas people have had. This version removes the -i and -I flags passed to dpkg-source when the package format is 3.0, since with 3.0 packages, dpkg-source both already ignores Git files by default and ignores various other things that were not included in the pattern. It also offers much better configuration methods for the ignore patterns, which git-pbuilder was overriding. So that's all skipped now for 3.0 packages. git-pbuilder still passes in the ignore flags for 1.0 packages, since they don't ignore Git files by default. The environment variable BUILDER can now be set to choose the builder, which is still cowbuilder by default. The other supported option is qemubuilder, and for it git-pbuilder selects an appropriate configuration file. Additional flags for the builder can be set in the GIT_PBUILDER_OPTIONS environment variable and will be passed along. There are also a few more minor fixes: better documentation, always printing out what we're doing at the start of a run, and preserving the exit status of pdebuild and exiting with the same status. These changes are based on work by Guido G nther, Yaroslav Halchenko, and Beno t Knecht. You can get the latest version from my scripts page.

Debian 6.0 squeeze will be the first GNU/Linux distribution release ever to offer comprehensive support for magnetic resonance imaging (MRI) based neuroimaging research. It comes with up-to-date software for structural image analysis (e.g. ants), diffusion imaging and tractography (e.g. mrtrix), stimulus delivery (e.g. psychopy), MRI sequence development (e.g. odin), as well as a number of versatile data processing and analysis suites (e.g. nipype). Moreover, this release will have built-in support for all major neuroimaging data formats.

Please see the Debian Science and Debian Med task pages for a comprehensive list of included software and the NeuroDebian webpage for further information.

NeuroDebian at the Society for Neuroscience meeting 2010

The NeuroDebian team will run a Debian booth at the Society for Neuroscience meeting (SfN2010) that will take place November 13-17 in San Diego, USA. The annual meeting of the Society for Neuroscience is one of the largest neuroscience conferences in the world, with over 30,000 attendees. Researchers, clinicians, and leading experts discuss the latest findings about the brain, nervous system, and related disorders.

If you are a Debian enthusiast (developer, contributor, evangelist) and reside near San Diego (or have time and funds for travel/lounge), or already planing to attend SfN 2010, please help us to make the Debian booth at SfN shine. Please contact the NeuroDebian team at team@neuro.debian.net

If you are going to SfN2010, come talk to us at booth #3815.

Contributed by: Michael Hanke and Yaroslav Halchenko

Science and Math Track at DebConf10 This year's DebConf10 (which is great, by the way) at Columbia University, New York will feature Tracks for the first time. We had a Community Outreach track on Debian Day (to be continued by more awesome talks over the rest of the week), a Java track on Monday and an Enterprise track yesterday. Tomorrow, Thursday afternoon, the S cience and Math track (which I am organizing) will take place in the Interschool lab on level 7 of Schapiro Center. The Track will start at 14:00 with a short welcome from me, followed by presentations of debian-science by Sylvestre Ledru and debian-math by David Bremner. At 15:00, Michael Hanke and Yaroslav Halchenko will present their talk on "Debian as the ultimate platform for neuroimaging research". This will be followed at 16:00 by three mini-talks on "New developments in Science Packaging". Adam C. Powell, IV will talk about MPI, Sylvestre Ledru will present linear algebra implementations in Debian and finally Michael Hanke and Yaroslav Halchenko will discuss the citation/reference infrastructure. At the end of track, the annual debian-science round-table will happen at 17:00, where David Bremner (mathematics), Michael Hanke (neuro-debian), Sylvestre Ledru (debian- science/pkg-scicomp), Adam C. Powell, IV (debian- science/pkg-scicomp) and myself (debichem) will discuss matters about cross-field debian-science and math related topics. If afterwards there are still outstanding matters to be discussed, we can schedule ad-hoc sessions for science or math matters on Friday or Saturday. See you at the science track tomorrow!