About a month later than I probably should have posted it, here s a recap of my Free Software activities in 2021. For previous years see 2019 + 2020. Again, this year had fewer contributions than I d like thanks to continuing fatigue about the state of the world, and trying to work on separation between work and leisure while working from home. I ve made some effort to improve that balance but it s still a work in progress.
AUTO_ZRELADDR (there keeps being efforts to add some support for this via devicetree, but unfortunately it gets shot down every time), and the final one is a hack to turn off the LCD backlight by treating it as an LED (actually supporting the LCD properly is on my TODO list).
Here is my monthly update covering what I have been doing in the free software world in September 2017 (previous month):
reproducible-check is our script to determine which packages actually installed on your system are reproducible or not.
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.
strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.
disorderfs is our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues.
Lintian is a static analysis tool for Debian packages, reporting on various errors, omissions and general quality-assurance issues to maintainers.
I've previously written about my exploits with Lintian as well as authoring a short tutorial on how to write your own Lintian check.
Anyway, I recently uploaded version 2.5.53 about two months since previous release. The biggest changes you may notice are supporting the latest version of the Debian Policy as well the addition of checks to encourage the migration to Python 3.
Thanks to all who contributed patches, code review and bug reports to this release. The full changelog is as follows:
lintian (2.5.53) unstable; urgency=medium
The "we are all Perl developers now" release.
* Summary of tag changes:
+ Added:
- alternatively-build-depends-on-python-sphinx-and-python3-sphinx
- build-depends-on-python-sphinx-only
- dependency-on-python-version-marked-for-end-of-life
- maintainer-script-interpreter
- missing-call-to-dpkg-maintscript-helper
- node-package-install-in-nodejs-rootdir
- override-file-in-wrong-package
- package-installs-java-bytecode
- python-foo-but-no-python3-foo
- script-needs-depends-on-sensible-utils
- script-uses-deprecated-nodejs-location
- transitional-package-should-be-oldlibs-optional
- unnecessary-testsuite-autopkgtest-header
- vcs-browser-links-to-empty-view
+ Removed:
- debug-package-should-be-priority-extra
- missing-classpath
- transitional-package-should-be-oldlibs-extra
* checks/apache2.pm:
+ [CL] Fix an apache2-unparsable-dependency false positive by allowing
periods (".") in dependency names. (Closes: #873701)
* checks/binaries.pm:
+ [CL] Apply patches from Guillem Jover & Boud Roukema to improve the
description of the binary-file-built-without-LFS-support tag.
(Closes: #874078)
* checks/changes. pm,desc :
+ [CL] Ignore DFSG-repacked packages when checking for upstream
source tarball signatures as they will never match by definition.
(Closes: #871957)
+ [CL] Downgrade severity of orig-tarball-missing-upstream-signature
from "E:" to "W:" as many common tools do not make including the
signatures easy enough right now. (Closes: #870722, #870069)
+ [CL] Expand the explanation of the
orig-tarball-missing-upstream-signature tag to include the location
of where dpkg-source will look. Thanks to Theodore Ts'o for the
suggestion.
* checks/copyright-file.pm:
+ [CL] Address a number of issues in copyright-year-in-future:
- Prevent false positives in port numbers, email addresses, ISO
standard numbers and matching specific and general street
addresses. (Closes: #869788)
- Match all violating years in a line, not just the first (eg.
"2000-2107").
- Ignore meta copyright statements such as "Original Author". Thanks
to Thorsten Alteholz for the bug report. (Closes: #873323)
- Expand testsuite.
* checks/cruft. pm,desc :
+ [CL] Downgrade severity of file-contains-fixme-placeholder
tag from "important" (ie. "E:") to "wishlist" (ie. "I:").
Thanks to Gregor Herrmann for the suggestion.
+ [CL] Apply patch from Alex Muntada (alexm) to use "substr" instead
of "substring" in mentions-deprecated-usr-lib-perl5-directory's
description. (Closes: #871767)
+ [CL] Don't check copyright_hints file for FIXME placeholders.
(Closes: #872843)
+ [CL] Don't match quoted "FIXME" variants as they are almost always
deliberate. Thanks to Adrian Bunk for the report. (Closes: #870199)
+ [CL] Avoid false positives in missing source checks for "CSS Browser
Selector". (Closes: #874381)
* checks/debhelper.pm:
+ [CL] Prevent a false positive of
missing-build-dependency-for-dh_-command that can be exposed by
following the advice for the recently added
useless-autoreconf-build-depends tag. (Closes: #869541)
* checks/debian-readme. pm,desc :
+ [CL] Ensure readme-debian-contains-debmake-template also checks
for templates "Automatically generated by debmake".
* checks/description. desc,pm :
+ [CL] Clarify explanation of description-starts-with-leading-spaces
tag. Thanks to Taylor Kline for the report
and patch. (Closes: #849622)
+ [NT] Skip capitalization-error-in-description-synopsis for
auto-generated packages (such as dbgsym packages).
* checks/fields. desc,pm :
+ [CL] Ensure that python3-foo packages have "Section: python", not
just python2-foo. (Closes: #870272)
+ [RG] Do no longer require debug packages to be priority extra.
+ [BR] Use Lintian::Data for name/section mapping
+ [CL] Check for packages including "?rev=0&sc=0" in Vcs-Browser.
(Closes: #681713)
+ [NT] Transitional packages should now be "oldlibs/optional" rather
than "oldlibs/extra". The related tag has been renamed accordingly.
* checks/filename-length.pm:
+ [NT] Skip the check on auto-generated binary packages (such as
dbgsym packages).
* checks/files. pm,desc :
+ [BR] Avoid privacy-breach-generic false positives for legal.xml.
+ [BR] Detect install of node package under /usr/lib/nodejs/[^/]*$
+ [CL] Check for packages shipping compiled Java class files. Thanks
Carn Draug . (Closes: #873211)
+ [BR] Privacy breach is no longer experimental.
* checks/init.d.desc:
+ [RG] Do not recommend a versioned dependency on lsb-base in
init.d-script-needs-depends-on-lsb-base. (Closes: #847144)
* checks/java.pm:
+ [CL] Additionally consider .cljc files as code to avoid false-
positive codeless-jar warnings. (Closes: #870649)
+ [CL] Drop problematic missing-classpath check. (Closes: #857123)
* checks/menu-format.desc:
+ [CL] Prevent false positives in desktop-entry-lacks-keywords-entry
for "Link" and "Directory" .desktop files. (Closes: #873702)
* checks/python. pm,desc :
+ [CL] Split out Python checks from "scripts" check to a new, source
check of type "source".
+ [CL] Check for python-foo without corresponding python3-foo packages
to assist in Python 2.x deprecation. (Closes: #870681)
+ [CL] Check for packages that Build-Depend on python-sphinx only.
(Closes: #870730)
+ [CL] Check for packages that alternatively Build-Depend on the
Python 2 and Python 3 versions of Sphinx. (Closes: #870758)
+ [CL] Check for binary packages that depend on Python 2.x.
(Closes: #870822)
* checks/scripts.pm:
+ [CL] Correct false positives in
unconditional-use-of-dpkg-statoverride by detecting "if !" as a
valid shell prefix. (Closes: #869587)
+ [CL] Check for missing calls to dpkg-maintscript-helper(1) in
maintainer scripts. (Closes: #872042)
+ [CL] Check for packages using sensible-utils without declaring a
dependency after its split from debianutils. (Closes: #872611)
+ [CL] Warn about scripts using "nodejs" as an interpreter now that
nodejs provides /usr/bin/node. (Closes: #873096)
+ [BR] Add a statistic tag giving interpreter.
* checks/testsuite. desc,pm :
+ [CL] Remove recommendations to add a "Testsuite: autopkgtest" field
to debian/control as it is added when needed by dpkg-source(1)
since dpkg 1.17.1. (Closes: #865531)
+ [CL] Warn if we see an unnecessary "Testsuite: autopkgtest" header
in debian/control.
+ [NT] Recognise "autopkgtest-pkg-go" as a valid test suite.
+ [CL] Recognise "autopkgtest-pkg-elpa" as a valid test suite.
(Closes: #873458)
+ [CL] Recognise "autopkgtest-pkg-octave" as a valid test suite.
(Closes: #875985)
+ [CL] Update the description of unknown-testsuite to reflect that
"autopkgtest" is not the only valid value; the referenced URL
is out-of-date (filed as #876008). (Closes: #876003)
* data/binaries/embedded-libs:
+ [RG] Detect embedded copies of heimdal, libgxps, libquicktime,
libsass, libytnef, and taglib.
+ [RG] Use an additional string to detect embedded copies of
openjpeg2. (Closes: #762956)
* data/fields/name_section_mappings:
+ [BR] node- package section is javascript.
+ [CL] Apply patch from Guillem Jover to add more section mappings.
(Closes: #874121)
* data/fields/obsolete-packages:
+ [MR] Add dh-systemd. (Closes: #872076)
* data/fields/perl-provides:
+ [CL] Refresh perl provides.
* data/fields/virtual-packages:
+ [CL] Update data file from archive. This fixes a false positive for
"bacula-director". (Closes: #835120)
* data/files/obsolete-paths:
+ [CL] Add note to /etc/bash_completion.d entry regarding stricter
filename requirements. (Closes: #814599)
* data/files/privacy-breaker-websites:
+ [BR] Detect custom donation logos like apache.
+ [BR] Detect generic counter website.
* data/standards-version/release-dates:
+ [CL] Add 4.0.1 and 4.1.0 as known standards versions.
(Closes: #875509)
* debian/control:
+ [CL] Mention Debian Policy v4.1.0 in the description.
+ [CL] Add myself to Uploaders.
+ [CL] Drop unnecessary "Testsuite: autopkgtest"; this is implied from
debian/tests/control existing.
* commands/info.pm:
+ [CL] Add a --list-tags option to print all tags Lintian knows about.
Thanks to Rajendra Gokhale for the suggestion. (Closes: #779675)
* commands/lintian.pm:
+ [CL] Apply patch from Maia Everett to avoid British spelling when
using en_US locale. (Closes: #868897)
* lib/Lintian/Check.pm:
+ [CL] Stop emitting maintainer,uploader -address-causes-mail-loops
for @packages.debian.org addresses. (Closes: #871575)
* lib/Lintian/Collect/Binary.pm:
+ [NT] Introduce an "auto-generated" argument for "is_pkg_class".
* lib/Lintian/Data.pm:
+ [CL] Modify Lintian::Data's "all" to always return keys in insertion
order, dropping dependency on libtie-ixhash-perl.
* helpers/coll/objdump-info-helper:
+ [CL] Apply patch from Steve Langasek to accommodate binutils 2.29
outputting symbols in a different format on ppc64el.
(Closes: #869750)
* t/tests/fields-perl-provides/tags:
+ [CL] Update expected output to match new Perl provides.
* t/tests/files-privacybreach/*:
+ [CL] Add explicit test for packages including external fonts via
the Google Font API. Thanks to Ian Jackson for the report.
(Closes: #873434)
+ [CL] Add explicit test for packages including external fonts via
the Typekit API via <script/> HTML tags.
* t/tests/*/desc:
+ [CL] Add missing entries in "Test-For" fields to make
development/testing workflow less error-prone.
* private/generate-tag-summary:
+ [CL] git-describe(1) will usually emit 7 hexadecimal digits as the
abbreviated object name, However, as this can be user-dependent,
pass --abbrev=0 to ensure it does not vary between systems. This
also means we do not need to strip it ourselves.
* private/refresh-*:
+ [CL] Use deb.debian.org as the default mirror.
+ [CL] Update locations of Contents-<arch> files; they are now
namespaced by distribution (eg. "main").
-- Chris Lamb <lamby@debian.org> Wed, 20 Sep 2017 09:25:06 +0100
This probably won't mean much to people outside the UK, I'm
guessing. Sorry! :-)
The
Crystal Maze was an awesome fun game show on TV in the UK in the
1990s. Teams would travel through differently-themed zones, taking on
challenges to earn crystals for later rewards in the Crystal Dome. I
really enojyed it, as did just about everybody my age that I know
of...
A group have started up a
new Crystal Maze attraction
in London and Manchester, giving some of us a chance of indulging our
nostalgia directly in a replica of the show's
setup! Neil NcGovern booked a
load of tickets and arranged for a large group of people to go along
this weekend.
It was amazing! (Sorry!) I ended up captaining one of the 4
teams, and our team ("Failure is always an option!") scored highest in
the final game - catching bits of gold foil flying around in the
Dome. It was really, really fun and I'd heartily recommend it to other
folks who like action games and puzzle solving.
I just missed the biting scorn of the original show
presenter, Richard
O'Brien, but our "Maze Master" Boudica was great fun and got us
all pumped up and working together.
This probably won't mean much to people outside the UK, I'm
guessing. Sorry! :-)
The
Crystal Maze was an awesome fun game show on TV in the UK in the
1990s. Teams would travel through differently-themed zones, taking on
challenges to earn crystals for later rewards in the Crystal Dome. I
really enojyed it, as did just about everybody my age that I know
of...
A group have started up a
new Crystal Maze attraction
in London and Manchester, giving some of us a chance of indulging our
nostalgia directly in a replica of the show's
setup! Neil NcGovern booked a
load of tickets and arranged for a large group of people to go along
this weekend.
It was amazing! (Sorry!) I ended up captaining one of the 4
teams, and our team ("Failure is always an option!") scored highest in
the final game - catching bits of gold foil flying around in the
Dome. It was really, really fun and I'd heartily recommend it to other
folks who like action games and puzzle solving.
I just missed the biting scorn of the original show
presenter, Richard
O'Brien, but our "Maze Master" Boudica was great fun and got us
all pumped up and working together.
DebConf16 Group Photo by Jurie Senekal.
The demo that probably drew the most attention was from my friend Georg who demoed some LulzBot Mini 3D Printers. They really seem to love Debian which is great!At #Debconf? Join the #HetznerSA #Supermariobros challenge and stand a chance to win a case of #Leagueofbeers pic.twitter.com/DpkOj6wmZb HetznerSA Careers (@HetznerCareers) July 2, 2016
LulzBot Mini #3Dprinters were on the scene at @DebConf Open Festival in South Africa. We re powered by @debian! pic.twitter.com/AOBS64ZtiJ LulzBot (@lulzbot3D) July 13, 2016DebConf (6 August to 12 August) If I try to write up all my thoughts and feeling about DC16, I ll never get this post finished. Instead, here as some tweets from DebConf that other have written:
@o0karen0o delivering today s #DebConf16 keynote pic.twitter.com/hG1wD5MBhH Michael Banck (@mbanck) July 3, 2016
Great to see Sicelo Mhlongo speaking about issues using @debian in Swaziland #debconf16 pic.twitter.com/U6z7HA8zd5 Neil McGovern (@nmcgovern) July 7, 2016
What happened at #DebConf16 yesterday? Sandstorm Principles talking about the freedom to choose #software #sandbox pic.twitter.com/ltYaw3dAmP Obsidian Systems (@obsidianza) July 5, 2016
All @DebConf end with similar feelings: we re an incredible crowd working together for a incredibly important cause. https://t.co/DYuUWT5eKt Didier Raboud (@OdyX_) July 9, 2016
My congratulations to the #DebConf video team. As usual, they are doing an amazing work at #DebConf16Day Trip We had 3 day trips:
Marcelo Santana (@mgsantana) July 8, 2016
DebConf16 Orga Team.
At DebConf 16 I was working on a systemd backport for Debian/jessie. Results are officially available via the Debian archive now.
In Debian jessie we have systemd v215 (which originally dates back to 2014-07-03 upstream-wise, plus changes + fixes from pkg-systemd folks of course). Now via Debian backports you have the option to update systemd to a very recent version: v230. If you have jessie-backports enabled it s just an apt install systemd -t jessie-backports away. For the upstream changes between v215 and v230 see upstream s NEWS file for list of changes.
(Actually the systemd backport is available since 2016-07-19 for amd64, arm64 + armhf, though for mips, mipsel, powerpc, ppc64el + s390x we had to fight against GCC ICEs when compiling on/for Debian/jessie and for i386 architecture the systemd test-suite identified broken O_TMPFILE permission handling.)
Thanks to the Alexander Wirt from the backports team for accepting my backport, thanks to intrigeri for the related apparmor backport, Guus Sliepen for the related ifupdown backport and Didier Raboud for the related usb-modeswitch/usb-modeswitch-data backports. Thanks to everyone testing my systemd backport and reporting feedback. Thanks a lot to Felipe Sateler and Martin Pitt for reviews, feedback and cooperation. And special thanks to Michael Biebl for all his feedback, reviews and help with the systemd backport from its very beginnings until the latest upload.
PS: I cannot stress this enough how fantastic Debian s pkg-systemd team is. Responsive, friendly, helpful, dedicated and skilled folks, thanks folks!
FORCE_SOURCE_DATE. See the last post
for details on it.ant to not save the username of the build user in the
generated files. Original patch by Emmanuel Bourg.texlive-bin we decided to stop keeping our patched fork of
as most of the patches for SOURCE_DATE_EPOCH support had been integrated
upstream already, and the last one (making FORCE_SOURCE_DATE default to 1)
had been refused. So, we are now going to let the archive be rebuilt against
unstable's texlive-bin and see how many packages will become unreproducible
with this change; once enough data will be collected we will ponder whether
FORCE_SOURCE_DATE should be exported by helper tools (such as debhelper) or
manually exported by every package that needs it.
(For those wondering: we still recommend to follow SOURCE_DATE_EPOCH always
and don't recommend other projects to implement FORCE_SOURCE_DATE )
With the drop of texlive-bin we now have only three modified packages in our
experimental repository.
Reproducible work in other projects
SOURCE_DATE_EPOCH.ar(1) to have a reproducible output by default when invoked with -s.SOURCE_DATE_EPOCH while generating output.SOURCE_DATE_EPOCH for output; strip username from output; sort index keys.SOURCE_DATE_EPOCH in output and sort keys while iterating over dict.reprotest, including a
discussion on different types of build variations and the difficulties of
specifying certain types of variations.SOURCE_DATE_EPOCH spec explaining FORCE_SOURCE_DATE.
Some upstream build tools (e.g. TeX, see below) have expressed a desire to
control which cases of embedded timestamps should obey SOURCE_DATE_EPOCH.
They were not convinced by our arguments on why this is a bad idea, so we
agreed on an environment variable FORCE_SOURCE_DATE for them to implement
their desired behaviour - named generically, so that at least we can set it
centrally. For more details, see the text just linked. However, we strongly
urge most build tools not to use this, and instead obey SOURCE_DATE_EPOCH
unconditionally in all cases.
Toolchain fixes
SOURCE_DATE_EPOCH support for all engines except LuaTeX and original TeX.SOURCE_DATE_EPOCH corner cases, eventually
resulting in the FORCE_SOURCE_DATE proposal from above.-fdebug-prefix-map in DW_AT_producer, thanks to original patch by
Daniel Kahn Gillmor.SOURCE_DATE_EPOCH applied upstream, original patch by Alexis
Bienven e.SOURCE_DATE_EPOCH, thanks to original patch by Alexis Bienven e.
What happened in the reproducible
builds effort between February 28th and March 5th:
debian/changelog.--clamp-mtime option to Tar on Savannah's bug tracker.
Lunar rebased our experimental dpkg on top of the current master branch. Changes in the test infrastructure are required before uploading a new version to our experimental repository.
Reiner Herrmann rebased our custom texlive-bin against the latest uploaded version.
printf instead of echo which is shell-independent.printf instead of echo which is shell-independent.GRKERNSEC_RANDSTRUCT which will prevent reproducible builds with the current packaging.
Build-Depends-Arch and Build-Conflicts-Arch. (Mattia Rizzolo, h01ger)
New package sets have been added for Subgraph OS, which is based on Debian Stretch: packages and build dependencies. (h01ger)
Two new armhf build nodes have been added (thanks Vagrant Cascadian) and integrated in our Jenkins setup with 8 new armhf builder jobs. (h01ger)
POT-Creation-Date field in GNU Gettext .mo files. (Reiner Herrmann) Several improvements to the packages metadata have also been made. (h01ger, Ben Finney)
SOURCE_DATE_EPOCH in rpm, Florian Festi opened a discussion on the rpm-ecosystem mailing list about reproducible builds.
On March 4th, Lunar gave an overview of the general reproducible builds effort at the Internet Freedom Festival in Valencia.
What happened in the reproducible
builds effort between February 21th and February 27th:
.debs.
Chris Lamb submitted another patch to improve reproducibility of files generated by cython.
/bin/sh between
bash and dash. (Reiner Herrmann)
.deb md5sums files will not be hidden anymore.
Version 51 uploaded the next day re-added test data missing from the previous tarball.
diffoscope is looking for a new primary maintainer.
What happened in the reproducible
builds effort between February
14th and February 20th 2016:
asciidoc.C locale to format the changelog date.C locale to format the build date.SOURCE_DATE_EPOCH..deb files in the same parent directory. Alongside more bug fixes, support for ICC profiles has been added, and libarchive is now also used to read metadata for ar archives.
.mo files.
ccache, skip disorderfs hook if device nodes cannot be created, compatibility with grsec trusted path execution (Reiner Herrmann), code cleanup (Esa Peuha).
What happened in the reproducible
builds effort between January 10th and January 16th:
data.tar are reproducible, with the patches, dpkg-deb uses the --clamp-mtime option added in tar/1.28-1 when available. An updated package has been uploaded to the experimental repository. This removed the need for a modified debhelper as all required changes for reproducibility have been merged or are now covered by dpkg.
armhf build system, allowing to run 6 more armhf builder jobs, right there. (h01ger)
Stop requiring a modified debhelper and adapt to the latest dpkg experimental version by providing a predetermined identifier for the .buildinfo filename. (Mattia Rizzolo, h01ger)
New X.509 certificates were set up for jenkins.debian.net and reproducible.debian.net using Let's Encrypt!. Thanks to GlobalSign for providing certificates for the last year free of charge. (h01ger)
What happened in the reproducible
builds effort this week:
Toolchain fixes
SOURCE_DATE_EPOCH.requires.txt files reproducible. The patch has been forwarded upstream.
Chris also understood why the she-bang in some Python scripts kept being undeterministic: setuptools as called by dh-python could skip re-installing the scripts if the build had been too fast (under one second). #804339 offers a patch fixing the issue by passing --force to setup.py install.
#804141 reported on gettext asks for support of SOURCE_DATE_EPOCH in gettextize. Santiago Vila pointed out that it doesn't felt appropriate as gettextize is supposed to be an interactive tool. The problem reported seems to be in avahi build system instead.
Packages fixed
The following packages became reproducible due to changes in their
build dependencies:
celestia,
dsdo,
fonts-taml-tscu,
fte,
hkgerman,
ifrench-gut,
ispell-czech,
maven-assembly-plugin,
maven-project-info-reports-plugin,
python-avro,
ruby-compass,
signond,
thepeg,
wagon2,
xjdic.
The following packages became reproducible after getting fixed:
__DATE__ and __TIME__ macros.-info 0 to latex2html..ppc). (Paul Gevers)
The homepage is now available using HTTPS, thanks to Let's Encrypt!.
Work has been done to be able to publish diffoscope on the Python Package Index (also known as PyPI): the tlsh module is now optional, compatibility with python-magic has been added, and the fallback code to handle RPM has been fixed.
Documentation update
Reiner Herrmann, Paul Gevers, Niko Tyni, opi, and Dhole offered various fixes and wording improvements to the reproducible-builds.org. A mailing-list is now available to receive change notifications.
NixOS, Guix, and Baserock are featured as projects working on reproducible builds.
Package reviews
70 reviews have been removed, 74 added and 17 updated this week.
Chris Lamb opened 22 new fail to build from source bugs.
New issues this week:
randomness_in_ocaml_provides,
randomness_in_qdoc_page_id,
randomness_in_python_setuptools_requires_txt,
gettext_creates_ChangeLog_files_and_entries_with_current_date.
Misc.
h01ger and Chris Lamb presented Beyond reproducible builds at the MiniDebConf in Cambridge on November 8th. They gave an overview of where we stand and the changes in user tools, infrastructure, and development practices that we might want to see happening. Feedback on these thoughts are welcome. Slides are already available, and the video should be online soon.
At the same event, a meeting happened with some members of the release team to discuss the best strategy regarding releases and reproducibility. Minutes have been posted on the Debian reproducible-builds mailing-list.
Time for a quick recap of the beginning of the Stretch release cycle
as far as the Debian Installer is concerned:
linux
finally managed to get into shape and fit for migration to
testing, which unblocked the way for an debian-installer
upload.block-udeb on all packages.systemd (implementation of
Proposal v2: enable stateless persistant network interface names)
found its way into testing a bit before that, so I ve had my
share of last-minute fun anyway! Indeed, that resulted in installer
system and installed system having different views on interface
naming. Thankfully I was approached by Michael Biebl right before
my final tests (and debian-installer upload) so there was little
head scratching involved. Commits were already in the master
branch so a little plan was proposed in
Fixing udev-udeb vs. net.ifnames for Stretch Alpha 1. This was implemented in two shots, given the
extra round trip
due to having dropped a binary package in the meanwhile and due to
dak s complaining about it.dak copy-installer to get installer files from unstable to
testing, and urgent to get the source into testing as well
(see
request),
I ve asked Steve McIntyre to start building images through debian-cd. As
expected, some troubles were run into, but they were swiftly fixed!debian-installer corner of the website:
news entry,
errata, and
homepage.block-udeb.
(Credit: rferran on openclipart)
What happened about the reproducible
builds effort for this week:
Presentations
On June 7th, Reiner Herrmann
presented the project at the
Gulaschprogrammiernacht 15 in Karlsruhe, Germany.
Video and audio
recordings
in German are available, and so are the slides in
English.
Toolchain fixes
dh_installtex.SOURCE_DATE_EPOCH with a value suitable for gmtime(3).
debian/rules in packages using it to produce HTML documentation.--mtime when creating source tarball.HTML_TIMESTAMP to NO in Doxygen configuration file.HTML_TIMESTAMP to NO in Doxygen configuration file.Makefile.PL.debbindiff to be better understood. (h01ger)
debbindiff development
Reiner Herrmann added support for decompling Java .class file and .ipk package files (used by OpenWrt). This is now available in version 22 released on 2015-06-14.
Documentation update
Stephen Kitt
documented
the new --insert-timestamp available since
binutils-mingw-w64 version 6.2
available to insert a ready-made date in PE binaries built with
mingw-w64.
Package reviews
195 obsolete
reviews have
been removed, 65 added and 126 updated this week.
New identified issues:
Provides: locales but is actually missing some of the files provided by locales.
Coreboot upstream has been quick to react after the
announcement
of the tests set up the week
before. Patrick Georgi has fixed all issues in a couple of days and all
Coreboot images are now reproducible (without a payload).
SeaBIOS is one of the most frequently used payload
on PC hardware and can now be made
reproducible
too.
Paul Kocialkowski wrote to the mailing
list
asking for help on getting U-Boot tested for
reproducibility.
Lunar had a chat with maintainers of Open Build
Service to better
understand the difference between their system and what we are doing for
Debian.
Debian Jessie has been released on April 25th, 2015. This has opened the
Stretch development cycle. Reactions to the idea of making Debian
build reproducibly have
been pretty enthusiastic. As the pace is now likely to be even faster,
let's see if we can keep everyone up-to-date on the developments.
Before the release of Jessie
The story goes back a long
way
but a formal announcement to the
project
has only been sent in February 2015.
Since then, too much work has happened to make a complete report, but
to give some highlights:
unstable are tested but also those in testing
and experimental.--enable-deterministic-archives flag. Making ar, strip and
others create deterministic static
libraries.dh_makeshlibs
(#774100), dh_icons
(#774102), dh_usrlocal
(#775020). Patches written
by Lunar.--no-include-build-time option.
Patch by Jelmer
Vernooij.pidl
(from libparse-pidl-perl) reproducible.-creation-date to genisoimage.
Reiner Herrmann opened #783938 to
request making -notimestamp the default behavior for javadoc.
Juan Picca submitted a patch to add a
--use-date flag to texi2html.
Packages fixed
The following packages became reproducible due to changes of their
build dependencies:
apport,
batctl,
cil,
commons-math3,
devscripts,
disruptor,
ehcache,
ftphs,
gtk2hs-buildtools,
haskell-abstract-deque,
haskell-abstract-par,
haskell-acid-state,
haskell-adjunctions,
haskell-aeson,
haskell-aeson-pretty,
haskell-alut,
haskell-ansi-terminal,
haskell-async,
haskell-attoparsec,
haskell-augeas,
haskell-auto-update,
haskell-binary-conduit,
haskell-hscurses,
jsch,
ledgersmb,
libapache2-mod-auth-mellon,
libarchive-tar-wrapper-perl,
libbusiness-onlinepayment-payflowpro-perl,
libcapture-tiny-perl,
libchi-perl,
libcommons-codec-java,
libconfig-model-itself-perl,
libconfig-model-tester-perl,
libcpan-perl-releases-perl,
libcrypt-unixcrypt-perl,
libdatetime-timezone-perl,
libdbd-firebird-perl,
libdbix-class-resultset-recursiveupdate-perl,
libdbix-profile-perl,
libdevel-cover-perl,
libdevel-ptkdb-perl,
libfile-tail-perl,
libfinance-quote-perl,
libformat-human-bytes-perl,
libgtk2-perl,
libhibernate-validator-java,
libimage-exiftool-perl,
libjson-perl,
liblinux-prctl-perl,
liblog-any-perl,
libmail-imapclient-perl,
libmocked-perl,
libmodule-build-xsutil-perl,
libmodule-extractuse-perl,
libmodule-signature-perl,
libmoosex-simpleconfig-perl,
libmoox-handlesvia-perl,
libnet-frame-layer-ipv6-perl,
libnet-openssh-perl,
libnumber-format-perl,
libobject-id-perl,
libpackage-pkg-perl,
libpdf-fdf-simple-perl,
libpod-webserver-perl,
libpoe-component-pubsub-perl,
libregexp-grammars-perl,
libreply-perl,
libscalar-defer-perl,
libsereal-encoder-perl,
libspreadsheet-read-perl,
libspring-java,
libsql-abstract-more-perl,
libsvn-class-perl,
libtemplate-plugin-gravatar-perl,
libterm-progressbar-perl,
libterm-shellui-perl,
libtest-dir-perl,
libtest-log4perl-perl,
libtext-context-eitherside-perl,
libtime-warp-perl,
libtree-simple-perl,
libwww-shorten-simple-perl,
libwx-perl-processstream-perl,
libxml-filter-xslt-perl,
libxml-writer-string-perl,
libyaml-tiny-perl,
mupen64plus-core,
nmap,
openssl,
pkg-perl-tools,
quodlibet,
r-cran-rjags,
r-cran-rjson,
r-cran-sn,
r-cran-statmod,
ruby-nokogiri,
sezpoz,
skksearch,
slurm-llnl,
stellarium.
The following packages became reproducible after getting fixed:
-DNO_VERSION_DATE to build system.--use-date to texi2html.-creation-date to
genisoimage.debbindiff output, missing build logs, unavailable build
dependencies.
Holger Levsen added a new execution environment to run debbindiff using
dependencies from testing. This is required for packages built with
GHC as the compiler only understands interfaces built by the same
version.
debbindiff development
Version 17 has been uploaded to unstable. It now supports comparing
ISO9660 images, dictzip files and should compare identical files much
faster.
Documentation update
Various small updates and fixes to the pages about
PDF produced by LaTeX,
DVI produced by
LaTeX,
static
libraries,
Javadoc,
PE
binaries,
and Epydoc.
Package reviews
Known issues have been tagged when known to be deterministic as some
might unfortunately not show up on every single build.
For example, two new issues have been identified by building with one
timezone in April and one in May. RD
and help2man add current month and
year to the documentation they are producing.
1162 packages have been removed and 774 have been added in
the past week. Most of them are the work of proper automated
investigation done by Chris West.
Summer of code
Finally, we learned that both akira and Dhole were accepted for
this Google Summer of
Code.
Let's welcome them!
They have until May 25th before coding officialy begins. Now is the good time
to help them feel more comfortable by sharing all these little bits of
knowledge on how Debian works.
When we setup Freexian s offer to bring together funding from multiple companies in order to sponsor the work of multiple developers on Debian LTS, one of the rules that I imposed is that all paid contributors must provide a public monthly report of their paid work.
While the LTS project officially started in June, the first month where contributors were actually paid has been July. Freexian sponsored Thorsten Alteholz and Holger Levsen for 10.5 hours each in July and for 16.5 hours each in August. Here are their reports:
It s worth noting that Freexian sponsored Holger s work to fix the security tracker to support squeeze-lts. It s my belief that using the money of our sponsors to make it easier for everybody to contribute to Debian LTS is money well spent.
As evidenced by the progress bar on Freexian s offer page, we have not yet reached our minimal goal of funding the equivalent of a half-time position. And it shows in the results, the dla-needed.txt still shows around 30 open issues. This is slightly better than the state two months ago but we can improve a lot on the average time to push out a security update
To have an idea of the relative importance of the contributions of the paid developers, I counted the number of uploads made by Thorsten and Holger since July: of 40 updates, they took care of 19 of them, so about the half.
I also looked at the other contributors: Rapha l Geissert stands out with 9 updates (I believe that he is contracted by lectricit de France for doing this) and most of the other contributors look like regular Debian maintainers taking care of their own packages (Paul Gevers with cacti, Christoph Berg with postgresql, Peter Palfrader with tor, Didier Raboud with cups, Kurt Roeckx with openssl, Balint Reczey with wireshark) except Matt Palmer and Luciano Bello who (likely) are benevolent members of the LTS team.
There are multiple things to learn here:
One comment Liked this article? Click here. My blog is Flattr-enabled.
Next.