Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In November, 239.25 work hours have been dispatched among 13 paid contributors. Their reports are available:

• Abhijith PA did 12.0h (out of 12h assigned).
• Adrian Bunk did 13h (out of 22.75h assigned and 19.5h from October) and gave back 6.5h, thus carrying over 22.75h to December.
• Ben Hutchings did 11.5h (out of 16h assigned and 4.5h from October), thus carrying over 9h to December.
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 18h (out of 18h assigned).
• Emilio Pozuelo Monfort did 22.75h (out of 22.75h assigned).
• Holger Levsen did 8.0h coordinating/managing the LTS team.
• Markus Koschany did 12h (out of 22.75h assigned), thus carrying over 10.75h to December.
• Ola Lundqvist did 1h (out of 12h assigned), thus carrying over 11h to December.
• Roberto C. S nchez did 20.5h (out of 22.75h assigned), thus carrying over 2.25h to December.
• Sylvain Beucler did 22.75h (out of 22.75h assigned).
• Thorsten Alteholz did 22.75h (out of 22.75h assigned).
• Utkarsh Gupta did 22.75h (out of 22.75h assigned).

Evolution of the situation In November we held the last LTS team meeting for 2020 on IRC, with the next one coming up at the end of January.
We announced a new formalized initiative for Funding Debian projects with money from Freexian s LTS service.
Finally, we would like to remark once again that we are constantly looking for new contributors. Please contact Holger if you are interested! We re also glad to welcome two new sponsors, Moxa, a device manufacturer, and a French research lab (Institut des Sciences Cognitives Marc Jeannerod). The security tracker currently lists 37 packages with a known CVE and the dla-needed.txt file has 40 packages needing an update. Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
• TOSHIBA (for 63 months)
• GitHub (for 53 months)
• Civil Infrastructure Platform (CIP) (for 31 months)
• Gold sponsors:
• Blablacar (for 78 months)
• Roche Diagnostics International AG (for 74 months)
• Linode (for 68 months)
• Babiel GmbH (for 57 months)
• Plat Home (for 56 months)
• University of Oxford (for 13 months)
• Silver sponsors:
• The Positive Internet Company (for 79 months)
• Domeneshop AS (for 78 months)
• Nantes M tropole (for 72 months)
• Univention GmbH (for 64 months)
• Universit Jean Monnet de St Etienne (for 64 months)
• Ribbon Communications, Inc. (for 58 months)
• Exonet B.V. (for 47 months)
• Leibniz Rechenzentrum (for 41 months)
• CINECA (for 31 months)
• Minist re de l Europe et des Affaires trang res (for 25 months)
• Cloudways Ltd (for 14 months)
• Dinahosting SL (for 12 months)
• Platform.sh (for 7 months)
• Bauer Xcel Media Deutschland KG (for 6 months)
• Moxa Intelligence Co., Ltd.
• Bronze sponsors:
• Seznam.cz, a.s. (for 79 months)
• Evolix (for 78 months)
• Linuxhotel GmbH (for 76 months)
• Intevation GmbH (for 75 months)
• Daevel SARL (for 74 months)
• Bitfolk LTD (for 73 months)
• Megaspace Internet Services GmbH (for 73 months)
• Greenbone Networks GmbH (for 72 months)
• NUMLOG (for 72 months)
• WinGo AG (for 71 months)
• Ecole Centrale de Nantes LHEEA (for 68 months)
• Entr ouvert (for 63 months)
• Adfinis AG (for 60 months)
• Tesorion (for 55 months)
• GNI MEDIA (for 54 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 54 months)
• Bearstech (for 46 months)
• LiHAS (for 46 months)
• People Doc (for 42 months)
• Catalyst IT Ltd (for 40 months)
• Supagro (for 36 months)
• Demarcq SAS (for 34 months)
• Universit Grenoble Alpes (for 21 months)
• TouchWeb SAS (for 12 months)
• SPiN AG (for 9 months)
• CoreFiling (for 5 months)
• Institut des sciences cognitives Marc Jeannerod

One comment Liked this article? Click here. My blog is Flattr-enabled.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In October, 221.50 work hours have been dispatched among 13 paid contributors. Their reports are available:

• Abhijith PA did 16.0h (out of 14h assigned and 2h from September).
• Adrian Bunk did 7h (out of 20.75h assigned and 5.75h from September), thus carrying over 19.5h to November.
• Ben Hutchings did 11.5h (out of 6.25h assigned and 9.75h from September), thus carrying over 4.5h to November.
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 18h (out of 18h assigned).
• Emilio Pozuelo Monfort did 20.75h (out of 20.75h assigned).
• Holger Levsen did 7.0h coordinating/managing the LTS team.
• Markus Koschany did 20.75h (out of 20.75h assigned).
• Mike Gabriel gave back the 8h he was assigned. See below
• Ola Lundqvist did 10.5h (out of 8h assigned and 2.5h from September).
• Roberto C. S nchez did 13.5h (out of 20.75h assigned) and gave back 7.25h to the pool.
• Sylvain Beucler did 20.75h (out of 20.75h assigned).
• Thorsten Alteholz did 20.75h (out of 20.75h assigned).
• Utkarsh Gupta did 20.75h (out of 20.75h assigned).

Evolution of the situation October was a regular LTS month with a LTS team meeting done via video chat thus there s no log to be shared. After more than five years of contributing to LTS (and ELTS), Mike Gabriel announced that he founded a new company called Frei(e) Software GmbH and thus would leave us to concentrate on this new endeavor. Best of luck with that, Mike! So, once again, this is a good moment to remind that we are constantly looking for new contributors. Please contact Holger if you are interested! The security tracker currently lists 42 packages with a known CVE and the dla-needed.txt file has 39 packages needing an update. Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
• TOSHIBA (for 62 months)
• GitHub (for 52 months)
• Civil Infrastructure Platform (CIP) (for 30 months)
• Gold sponsors:
• Blablacar (for 77 months)
• Roche Diagnostics International AG (for 73 months)
• Linode (for 67 months)
• Babiel GmbH (for 56 months)
• Plat Home (for 55 months)
• University of Oxford (for 12 months)
• Silver sponsors:
• The Positive Internet Company (for 78 months)
• Domeneshop AS (for 77 months)
• Nantes M tropole (for 71 months)
• Univention GmbH (for 63 months)
• Universit Jean Monnet de St Etienne (for 63 months)
• Ribbon Communications, Inc. (for 57 months)
• Exonet B.V. (for 46 months)
• Leibniz Rechenzentrum (for 40 months)
• CINECA (for 30 months)
• Minist re de l Europe et des Affaires trang res (for 24 months)
• Cloudways Ltd (for 13 months)
• Dinahosting SL (for 11 months)
• Platform.sh (for 6 months)
• Bauer Xcel Media Deutschland KG (for 5 months)
• Bronze sponsors:
• Seznam.cz, a.s. (for 78 months)
• Evolix (for 77 months)
• Linuxhotel GmbH (for 75 months)
• Intevation GmbH (for 74 months)
• Daevel SARL (for 73 months)
• Bitfolk LTD (for 72 months)
• Megaspace Internet Services GmbH (for 72 months)
• Greenbone Networks GmbH (for 71 months)
• NUMLOG (for 71 months)
• WinGo AG (for 70 months)
• Ecole Centrale de Nantes LHEEA (for 66 months)
• Entr ouvert (for 62 months)
• Adfinis AG (for 59 months)
• Tesorion (for 54 months)
• GNI MEDIA (for 53 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 53 months)
• Bearstech (for 45 months)
• LiHAS (for 45 months)
• People Doc (for 41 months)
• Catalyst IT Ltd (for 39 months)
• Supagro (for 35 months)
• Demarcq SAS (for 33 months)
• Universit Grenoble Alpes (for 19 months)
• TouchWeb SAS (for 11 months)
• SPiN AG (for 8 months)
• CoreFiling (for 4 months)

No comment Liked this article? Click here. My blog is Flattr-enabled.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In September, 208.25 work hours have been dispatched among 13 paid contributors. Their reports are available:

• Abhijith PA did 12.0h (out of 14h assigned), thus carrying over 2h to October.
• Adrian Bunk did 14h (out of 19.75h assigned), thus carrying over 5.75h to October.
• Ben Hutchings did 8.25h (out of 16h assigned and 9.75h from August), but gave back 7.75h, thus carrying over 9.75h to October.
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 18h (out of 18h assigned).
• Emilio Pozuelo Monfort did 19.75h (out of 19.75h assigned).
• Holger Levsen did 5h coordinating/managing the LTS team.
• Markus Koschany did 31.75h (out of 19.75h assigned and 12h from August).
• Ola Lundqvist did 9.5h (out of 12h from August), thus carrying 2.5h to October.
• Roberto C. S nchez did 19.75h (out of 19.75h assigned).
• Sylvain Beucler did 19.75h (out of 19.75h assigned).
• Thorsten Alteholz did 19.75h (out of 19.75h assigned).
• Utkarsh Gupta did 8.75h (out of 19.75h assigned), while he already anticipated the remaining 11h in August.

Evolution of the situation September was a regular LTS month with an IRC meeting. The security tracker currently lists 45 packages with a known CVE and the dla-needed.txt file has 48 packages needing an update. Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
• TOSHIBA (for 61 months)
• GitHub (for 51 months)
• Civil Infrastructure Platform (CIP) (for 28 months)
• Gold sponsors:
• Blablacar (for 76 months)
• Roche Diagnostics International AG (for 71 months)
• Linode (for 66 months)
• Babiel GmbH (for 55 months)
• Plat Home (for 54 months)
• University of Oxford (for 10 months)
• Silver sponsors:
• The Positive Internet Company (for 77 months)
• Domeneshop AS (for 76 months)
• Nantes M tropole (for 70 months)
• Univention GmbH (for 62 months)
• Universit Jean Monnet de St Etienne (for 62 months)
• Ribbon Communications, Inc. (for 55 months)
• Exonet B.V. (for 45 months)
• Leibniz Rechenzentrum (for 39 months)
• CINECA (for 29 months)
• Minist re de l Europe et des Affaires trang res (for 23 months)
• Cloudways Ltd (for 12 months)
• Dinahosting SL (for 10 months)
• Bauer Xcel Media Deutschland KG (for 4 months)
• Platform.sh (for 4 months)
• Bronze sponsors:
• Seznam.cz, a.s. (for 77 months)
• Evolix (for 76 months)
• Linuxhotel GmbH (for 74 months)
• Intevation GmbH (for 73 months)
• Daevel SARL (for 72 months)
• Bitfolk LTD (for 71 months)
• Megaspace Internet Services GmbH (for 71 months)
• Greenbone Networks GmbH (for 70 months)
• NUMLOG (for 70 months)
• WinGo AG (for 69 months)
• Ecole Centrale de Nantes LHEEA (for 65 months)
• Entr ouvert (for 60 months)
• Adfinis AG (for 58 months)
• GNI MEDIA (for 52 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 52 months)
• Tesorion (for 52 months)
• Bearstech (for 44 months)
• LiHAS (for 44 months)
• People Doc (for 40 months)
• Catalyst IT Ltd (for 38 months)
• Supagro (for 34 months)
• Demarcq SAS (for 32 months)
• Universit Grenoble Alpes (for 18 months)
• TouchWeb SAS (for 10 months)
• SPiN AG (for 7 months)
• CoreFiling (for 3 months)

No comment Liked this article? Click here. My blog is Flattr-enabled.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In August, 237.25 work hours have been dispatched among 14 paid contributors. Their reports are available:

• Abhijith PA did 10.0h (out of 10h assigned).
• Adrian Bunk did 31h (out of 21.75h assigned and 9.25h from July).
• Ben Hutchings did 6.25h (out of 16h assigned), thus carrying over 9.75h to September.
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 18h (out of 18h assigned).
• Emilio Pozuelo Monfort did 21.75h (out of 21.75h assigned).
• Holger Levsen did 7h coordinating/managing the LTS team.
• Markus Koschany did 20h (out of 21.75h assigned and 10.25h from July), thus carrying over 12h to September.
• Mike Gabriel did 16.0h (out of 8h assigned and 8h from July).
• Ola Lundqvist did 6.9h (out of 8h assigned and 16h from July), and gave back 5.1h, thus carrying over 12h to September.
• Roberto C. S nchez did 21.75h (out of 21.75h assigned).
• Sylvain Beucler did 21.75h (out of 21.75h assigned).
• Thorsten Alteholz did 21.75h (out of 21.75h assigned).
• Utkarsh Gupta did 32.75h (out of 21.75h assigned and anticipating 11h from September).

Evolution of the situation August was a regular LTS month once again, even though it was only our 2nd month with Stretch LTS.
At the end of August some of us participated in DebConf 20 online where we held our monthly team meeting. A video is available.
As of now this video is also the only public resource about the LTS survey we held in July, though a written summary is expected to be released soon. The security tracker currently lists 56 packages with a known CVE and the dla-needed.txt file has 55 packages needing an update. Thanks to our sponsors Sponsors that recently joined are in bold.

• Platinum sponsors:
• TOSHIBA (for 60 months)
• GitHub (for 50 months)
• Civil Infrastructure Platform (CIP) (for 27 months)
• Gold sponsors:
• Blablacar (for 75 months)
• Roche Diagnostics International AG (for 70 months)
• Linode (for 65 months)
• Babiel GmbH (for 54 months)
• Plat Home (for 53 months)
• University of Oxford (for 9 months)
• Silver sponsors:
• The Positive Internet Company (for 76 months)
• Domeneshop AS (for 75 months)
• Nantes M tropole (for 69 months)
• Univention GmbH (for 61 months)
• Universit Jean Monnet de St Etienne (for 61 months)
• Ribbon Communications, Inc. (for 54 months)
• Exonet B.V. (for 44 months)
• Leibniz Rechenzentrum (for 38 months)
• CINECA (for 28 months)
• Minist re de l Europe et des Affaires trang res (for 22 months)
• Cloudways Ltd (for 11 months)
• Dinahosting SL (for 9 months)
• Bauer Xcel Media Deutschland KG (for 3 months)
• Platform.sh (for 3 months)
• Bronze sponsors:
• Seznam.cz, a.s. (for 76 months)
• Evolix (for 75 months)
• Linuxhotel GmbH (for 73 months)
• Intevation GmbH (for 72 months)
• Daevel SARL (for 71 months)
• Bitfolk LTD (for 70 months)
• Megaspace Internet Services GmbH (for 70 months)
• Greenbone Networks GmbH (for 69 months)
• NUMLOG (for 69 months)
• WinGo AG (for 68 months)
• Ecole Centrale de Nantes LHEEA (for 64 months)
• Entr ouvert (for 59 months)
• Adfinis AG (for 57 months)
• GNI MEDIA (for 51 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 51 months)
• Tesorion (for 51 months)
• Bearstech (for 43 months)
• LiHAS (for 43 months)
• People Doc (for 39 months)
• Catalyst IT Ltd (for 37 months)
• Supagro (for 33 months)
• Demarcq SAS (for 31 months)
• Universit Grenoble Alpes (for 17 months)
• TouchWeb SAS (for 9 months)
• SPiN AG (for 6 months)
• CoreFiling

No comment Liked this article? Click here. My blog is Flattr-enabled.

Like each month, albeit a bit later due to vacation, here comes a report about the work of paid contributors to Debian LTS. Individual reports In July, 249.25 work hours have been dispatched among 14 paid contributors. Their reports are available:

• Abhijith PA did 18.0h (out of 14h assigned and 6h from June), and gave back 2h to the pool.
• Adrian Bunk did 16.0h (out of 25.25h assigned), thus carrying over 9.25h to August.
• Ben Hutchings did 5h (out of 20h assigned), and gave back the remaining 15h.
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 18h (out of 18h assigned).
• Emilio Pozuelo Monfort did 60h (out of 5.75h assigned and 54.25h from June).
• Holger Levsen spent 10h (out of 10h assigned) for managing LTS and ELTS contributors.
• Markus Koschany did 15h (out of 25.25h assigned), thus carrying over 10.25h to August.
• Mike Gabriel did nothing (out of 8h assigned), thus is carrying over 8h for August.
• Ola Lundqvist did 3h (out of 12h assigned and 7h from June), thus carrying over 16h to August.
• Roberto C. S nchez did 26.5h (out of 25.25h assigned and 1.25h from June).
• Sylvain Beucler did 25.25h (out of 25.25h assigned).
• Thorsten Alteholz did 25.25h (out of 25.25h assigned).
• Utkarsh Gupta did 25.25h (out of 25.25h assigned).

Evolution of the situation July was our first month of Stretch LTS! Given this is our fourth LTS release we anticipated a smooth transition and it seems everything indeed went very well. Many thanks to the members of the Debian ftpmaster-, security, release- and publicity- teams who helped us make this happen!
Stretch LTS begun on July 18th 2020 after the 13th and final Stretch point release. and is currently scheduled to end on June 30th 2022. Last month, we asked you to participate in a survey and we got 1764 submissions, which is pretty awesome. Thank you very much for participating!. Right now we are still busy crunching the results, but we already shared some early analysis during the Debconf LTS bof this week. The security tracker currently lists 54 packages with a known CVE and the dla-needed.txt file has 52 packages needing an update. Thanks to our sponsors New sponsors are in bold.

• Platinum sponsors:
• TOSHIBA (for 59 months)
• GitHub (for 50 months)
• Civil Infrastructure Platform (CIP) (for 27 months)
• Gold sponsors:
• Blablacar (for 74 months)
• Roche Diagnostics International AG (for 70 months)
• Linode (for 64 months)
• Babiel GmbH (for 53 months)
• Plat Home (for 53 months)
• University of Oxford (for 9 months)
• Silver sponsors:
• The Positive Internet Company (for 75 months)
• Domeneshop AS (for 74 months)
• Nantes M tropole (for 68 months)
• Univention GmbH (for 60 months)
• Universit Jean Monnet de St Etienne (for 60 months)
• Ribbon Communications, Inc. (for 54 months)
• Exonet B.V. (for 44 months)
• Leibniz Rechenzentrum (for 38 months)
• CINECA (for 27 months)
• Minist re de l Europe et des Affaires trang res (for 21 months)
• Cloudways Ltd (for 11 months)
• Dinahosting SL (for 9 months)
• Bauer Xcel Media Deutschland KG (for 3 months)
• Platform.sh (for 3 months)
• Bronze sponsors:
• Evolix (for 75 months)
• Seznam.cz, a.s. (for 75 months)
• Linuxhotel GmbH (for 72 months)
• Intevation GmbH (for 71 months)
• Daevel SARL (for 70 months)
• Bitfolk LTD (for 69 months)
• Megaspace Internet Services GmbH (for 69 months)
• Greenbone Networks GmbH (for 68 months)
• NUMLOG (for 68 months)
• WinGo AG (for 68 months)
• Ecole Centrale de Nantes LHEEA (for 64 months)
• Entr ouvert (for 59 months)
• Adfinis AG (for 56 months)
• GNI MEDIA (for 51 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 51 months)
• Tesorion (for 51 months)
• Bearstech (for 42 months)
• LiHAS (for 42 months)
• People Doc (for 39 months)
• Catalyst IT Ltd (for 37 months)
• Supagro (for 32 months)
• Demarcq SAS (for 31 months)
• Universit Grenoble Alpes (for 17 months)
• TouchWeb SAS (for 9 months)
• SPiN AG (for 6 months)
• CoreFiling

No comment Liked this article? Click here. My blog is Flattr-enabled.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In May, 198 work hours have been dispatched among 14 paid contributors. Their reports are available:

• Abhijith PA did 18.0h (out of 14h assigned and 4h from April).
• Anton Gladky gave back the assigned 10h and declared himself inactive.
• Ben Hutchings did 19.75h (out of 17.25h assigned and 2.5h from April).
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 17.25h (out of 17.25h assigned).
• Dylan A ssi gave back the assigned 6h and declared himself inactive.
• Emilio Pozuelo Monfort did not manage to work LTS in May and now reported 5h work in April (out of 17.25h assigned plus 46h from April), thus is carrying over 58.25h for June.
• Markus Koschany did 25.0h (out of 17.25h assigned and 56h from April), thus carrying over 48.25h to June.
• Mike Gabriel did 14.50h (out of 8h assigned and 6.5h from April).
• Ola Lundqvist did 11.5h (out of 12h assigned and 7h from April), thus carrying over 7.5h to June.
• Roberto C. S nchez did 17.25h (out of 17.25h assigned).
• Sylvain Beucler did 17.25h (out of 17.25h assigned).
• Thorsten Alteholz did 17.25h (out of 17.25h assigned).
• Utkarsh Gupta did 17.25h (out of 17.25h assigned).

Evolution of the situation In May 2020 we had our second (virtual) contributors meeting on IRC, Logs and minutes are available online. Then we also moved our ToDo from the Debian wiki to the issue tracker on salsa.debian.org.
Sadly three contributors went inactive in May: Adrian Bunk, Anton Gladky and Dylan A ssi. And while there are currently still enough active contributors to shoulder the existing work, we like to use this opportunity that we are always looking for new contributors. Please mail Holger if you are interested.
Finally, we like to remind you for a last time, that the end of Jessie LTS is coming in less than a month!
In case you missed it (or missed to act), please read this post about keeping Debian 8 Jessie alive for longer than 5 years. If you expect to have Debian 8 servers/devices running after June 30th 2020, and would like to have security updates for them, please get in touch with Freexian. The security tracker currently lists 6 packages with a known CVE and the dla-needed.txt file has 30 packages needing an update. Thanks to our sponsors New sponsors are in bold. With the upcoming start of Jessie ELTS, we are welcoming a few new sponsors and others should join soon.

• Platinum sponsors:
• TOSHIBA (for 57 months)
• GitHub (for 47 months)
• Civil Infrastructure Platform (CIP) (for 25 months)
• Gold sponsors:
• Blablacar (for 72 months)
• Roche Diagnostics International AG (for 68 months)
• Linode (for 62 months)
• Babiel GmbH (for 51 months)
• Plat Home (for 50 months)
• University of Oxford (for 7 months)
• Silver sponsors:
• The Positive Internet Company (for 73 months)
• Domeneshop AS (for 72 months)
• Nantes M tropole (for 66 months)
• Univention GmbH (for 58 months)
• Universit Jean Monnet de St Etienne (for 58 months)
• Ribbon Communications, Inc. (for 52 months)
• Exonet B.V. (for 41 months)
• Leibniz Rechenzentrum (for 36 months)
• CINECA (for 25 months)
• Minist re de l Europe et des Affaires trang res (for 19 months)
• Cloudways Ltd (for 8 months)
• Dinahosting SL (for 6 months)
• Platform.sh
• Bauer Xcel Media Deutschland KG
• Bronze sponsors:
• Evolix (for 73 months)
• Seznam.cz, a.s. (for 73 months)
• MyTux (for 72 months)
• Linuxhotel GmbH (for 70 months)
• Intevation GmbH (for 69 months)
• Daevel SARL (for 68 months)
• Bitfolk LTD (for 67 months)
• Megaspace Internet Services GmbH (for 67 months)
• Greenbone Networks GmbH (for 66 months)
• NUMLOG (for 66 months)
• WinGo AG (for 65 months)
• Ecole Centrale de Nantes LHEEA (for 62 months)
• Sig-I/O (for 59 months)
• Entr ouvert (for 57 months)
• Adfinis AG (for 54 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 49 months)
• Tesorion (for 49 months)
• GNI MEDIA (for 48 months)
• Bearstech (for 40 months)
• LiHAS (for 40 months)
• People Doc (for 36 months)
• Catalyst IT Ltd (for 35 months)
• Supagro (for 30 months)
• Demarcq SAS (for 29 months)
• Universit Grenoble Alpes (for 15 months)
• TouchWeb SAS (for 7 months)
• SPiN AG (for 3 months)

No comment Liked this article? Click here. My blog is Flattr-enabled.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In April, 284.5 work hours have been dispatched among 14 paid contributors. Their reports are available:

• Abhijith PA did 10.0h (out of 14h assigned), thus carrying over 4h to May.
• Adrian Bunk did nothing (out of 28.75h assigned), thus is carrying over 28.75h for May.
• Ben Hutchings did 26h (out of 20h assigned and 8.5h from March), thus carrying over 2.5h to May.
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 18h (out of 18h assigned).
• Dylan A ssi did 6h (out of 6h assigned).
• Emilio Pozuelo Monfort did not report back about their work so we assume they did nothing (out of 28.75h assigned plus 17.25h from March), thus is carrying over 46h for May.
• Markus Koschany did 11.5h (out of 28.75h assigned and 38.75h from March), thus carrying over 56h to May.
• Mike Gabriel did 1.5h (out of 8h assigned), thus carrying over 6.5h to May.
• Ola Lundqvist did 13.5h (out of 12h assigned and 8.5h from March), thus carrying over 7h to May.
• Roberto C. S nchez did 28.75h (out of 28.75h assigned).
• Sylvain Beucler did 28.75h (out of 28.75h assigned).
• Thorsten Alteholz did 28.75h (out of 28.75h assigned).
• Utkarsh Gupta did 24h (out of 24h assigned).

Evolution of the situation In April we dispatched more hours than ever and another was new too, we had our first (virtual) contributors meeting on IRC! Logs and minutes are available and we plan to continue doing IRC meetings every other month.
Sadly one contributor decided to go inactive in April, Hugo Lefeuvre.
Finally, we like to remind you, that the end of Jessie LTS is coming in less than two months!
In case you missed it (or missed to act), please read this post about keeping Debian 8 Jessie alive for longer than 5 years. If you expect to have Debian 8 servers/devices running after June 30th 2020, and would like to have security updates for them, please get in touch with Freexian. The security tracker currently lists 4 packages with a known CVE and the dla-needed.txt file has 25 packages needing an update. Thanks to our sponsors New sponsors are in bold.

• Platinum sponsors:
• TOSHIBA (for 56 months)
• GitHub (for 46 months)
• Civil Infrastructure Platform (CIP) (for 24 months)
• Gold sponsors:
• Blablacar (for 71 months)
• Roche Diagnostics International AG (for 67 months)
• Linode (for 61 months)
• Babiel GmbH (for 50 months)
• Plat Home (for 49 months)
• University of Oxford (for 6 months)
• Silver sponsors:
• The Positive Internet Company (for 72 months)
• Domeneshop AS (for 71 months)
• Nantes M tropole (for 65 months)
• Univention GmbH (for 57 months)
• Universit Jean Monnet de St Etienne (for 57 months)
• Ribbon Communications, Inc. (for 51 months)
• Exonet B.V. (for 40 months)
• Leibniz Rechenzentrum (for 34 months)
• CINECA (for 24 months)
• Minist re de l Europe et des Affaires trang res (for 18 months)
• Cloudways Ltd (for 7 months)
• Dinahosting SL (for 5 months)
• Bronze sponsors:
• Seznam.cz, a.s. (for 72 months)
• Evolix (for 71 months)
• MyTux (for 71 months)
• Linuxhotel GmbH (for 69 months)
• Intevation GmbH (for 68 months)
• Daevel SARL (for 67 months)
• Bitfolk LTD (for 66 months)
• Megaspace Internet Services GmbH (for 66 months)
• Greenbone Networks GmbH (for 65 months)
• NUMLOG (for 65 months)
• WinGo AG (for 64 months)
• Ecole Centrale de Nantes LHEEA (for 61 months)
• Sig-I/O (for 58 months)
• Entr ouvert (for 56 months)
• Adfinis SyGroup AG (for 53 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 48 months)
• Tesorion (for 48 months)
• GNI MEDIA (for 47 months)
• Bearstech (for 39 months)
• LiHAS (for 39 months)
• People Doc (for 35 months)
• Catalyst IT Ltd (for 33 months)
• Supagro (for 29 months)
• Demarcq SAS (for 27 months)
• Universit Grenoble Alpes (for 14 months)
• TouchWeb SAS (for 6 months)
• SPiN AG

No comment Liked this article? Click here. My blog is Flattr-enabled.

Here's what happened in the Reproducible Builds effort between Sunday November 5 and Saturday November 11 2017: Upcoming events On November 17th Chris Lamb will present at Open Compliance Summit, Yokohama, Japan on how reproducible builds ensures the long-term sustainability of technology infrastructure. We plan to hold an assembly at 34C3 - hope to see you there! LEDE CI tests Thanks to the work of lynxis, Mattia and h01ger, we're now testing all LEDE packages in our setup. This is our first result for the ar71xx target: "502 (100.0%) out of 502 built images and 4932 (94.8%) out of 5200 built packages were reproducible in our test setup." - see below for details how this was achieved. Bootstrapping and Diverse Double Compilation As a follow-up of a discussion on bootstrapping compilers we had on the Berlin summit, Bernhard and Ximin worked on a Proof of Concept for Diverse Double Compilation of tinycc (aka tcc). Ximin Luo did a successful diverse-double compilation of tinycc git HEAD using gcc-7.2.0, clang-4.0.1, icc-18.0.0 and pgcc-17.10-0 (pgcc needs to triple-compile it). More variations are planned for the future, with the eventual aim to reproduce the same binaries cross-distro, and extend it to test GCC itself. Packages reviewed and fixed, and bugs filed Patches filed upstream:

• Bernhard M. Wiedemann:
  • clang - ASLR affects objective-C binaries.
• Chris Lamb:
  • nbsphinx (merged) - Random UUIDs used as element selectors.
  • stardicter (merged) - SOURCE_DATE_EPOCH support.
  • stetl - Build path in documentation.

Patches filed in Debian:

• Bernhard M. Wiedemann:
  • #881231 filed against chasen - Uninitialized memory from struct padding written into data files.
• Adrian Bunk:
  • #881453 filed against primesieve - FTBFS.
• Chris Lamb:
  • #881089 filed against stardicter - (merged) SOURCE_DATE_EPOCH.
  • #881094 filed against nbsphinx - random UUIDs.
  • #881157 filed against designate - build path.
  • #881217 filed against python-stetl - build path.
  • #881258 filed against sphinx-intl - drop date.
  • #881259 filed against soundmodem - build path.
  • #881262 filed against node-module-deps - build path.
  • #881474 filed against phatch - random memory address.
• Daniel Kahn Gillmor:
  • #881152 filed against npth - build path.

Patches filed in OpenSUSE:

• Bernhard M. Wiedemann:
  • i4l-base (merged) - Uninitialized memory written to output.

Reviews of unreproducible packages 73 package reviews have been added, 88 have been updated and 40 have been removed in this week, adding to our knowledge about identified issues. 4 issue types have been updated:

• Add randomness_in_files_generated_by_pinyin_gen_binary_files.
• Add build_path_captured_in_assembly_objects.
• Add timestamps_in_ifo_files_generated_by_python_stardicter.
• Update timestamps_in_source_generated_by_rcc.

Weekly QA work During our reproducibility testing, FTBFS bugs have been detected and reported by:

• Adrian Bunk (69)
• Andreas Beckmann (3)
• Dmitry Shachnev (1)
• Graham Inggs (1)

diffoscope development Mattia Rizzolo uploaded version 88~bpo9+1 to stretch-backports. reprotest development

• Ximin Luo:
  • build: add comment that util-linux confirmed bug in nsenter, awaiting fix.
  • Make --print-sudoers work for --env-build as well.

reproducible-website development

• Holger Levsen:
  • rws3: add OTF as sponsor
  • rws3: add F-Droid, riot-os.org
• Chris Lamb:
  • Move the "contribute" page from the Debian wiki to /contribute/ on our main website.
• Eitan Adler:
  • Fix typo in FreeBSD mailing list.

theunreproduciblepackage development

• Bernhard M. Wiedemann:
  • aslr: document per-process workaround
  • aslr: add examples

tests.reproducible-builds.org in detail

• Mattia Rizzolo:
  • reproducible archlinux: enable debugging mode
  • reproducible archlinux: don't use hidden files for the package lists
  • reproducible fedora: don't use hidden files for the package lists
  • udd-query: move from public-udd-mirror.xvm.mit.edu to udd-mirror.debian.net
  • udd-query: remove the temporary file with a trap in case this script is called with the wrong argument, and in case of failures, etc, the temporary file would be left around otherwise
  • reproducible debian: schroot-create: drop the reproducible gpg keyring into /etc/apt/trusted.gpg.d/ instead of using apt-key add
  • reproducible debian: setup_pbuilder: drop the reproducible gpg keyring into /etc/apt/trusted.gpg.d/ instead of using apt-key add
  • reprodocible debian: setup_pbuilder: stop installing gnupg2 in our chroot, not needed anymore now
  • Mattia also merged and deployed some commits from others this week.
• Alexander 'lynxis' Couzens
  • reproducible_lede: use correct place/variable to save results: Results on remote nodes are expected to be under $TMPDIR, which defined by openwrt_build. RESULTSDIR is undefined on the remote node
  • reproducible_lede: enable building all packages again, after it was disabled to improve the debug speed.
  • reproducible_lede: correct given path for node_cleanup_tmpdirs & node_save_logs- reproducible_lede: enable CONFIG_BUILDBOT to reduce inodes while building.
• kpcyrd:
  • reproducible-archlinux: try porting abs to asp
  • reproducible-archlinux: explicitly sync packages
  • reproducible-archlinux: use sudo for pacman
• Hans-Christoph Steiner:
  • reproducible fdroid: point jenkins to canonical URL
  • reproducible_fdroid: separate testsuite into its own job
  • reproducible fdroid: sync upstream script names with jenkins.debian.net, make things self-documenting by reusing the same names everywhere.
  • reproducible_fdroid_test: make script executable
• Chris Lamb:
  • Move some IRC announcements to #debian-reproducible-changes.
• Holger Levsen:
  • reproducible LEDE: try to deal gracefully with problems and report
  • as usual, Holger merged many of the above commits and deployed them.

Misc. This week's edition was written by Ximin Luo, Bernhard M. Wiedemann, Chris Lamb and Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

First day of the videoteam autumn sprint! Well, I say first day, but in reality it's more day 0. Even though most of us have arrived in Cambridge already, we are still missing a few people. Last year we decided to sprint in Paris because most of our video gear is stocked there. This year, we instead chose to sprint a few days before the Cambridge Mini-Debconf to help record the conference afterwards. Since some of us arrived very late and the ones who did arrive early are still mostly jet lagged (that includes me), I'll use this post to introduce the space we'll be working from this week and our general plan for the sprint. House Party After some deliberations, we decided to rent a house for a week in Cambridge: finding a work space to accommodate us and all our gear proved difficult and we decided mixing accommodation and work would be a good idea. I've only been here for a few hours, but I have to say I'm pretty impressed by the airbnb we got. Last time I checked (it seems every time I do, some new room magically appears), I counted 5 bedrooms, 6 beds, 5 toilets and 3 shower rooms. Heck, there's even a solarium and a training room with weights and a punching bag on the first floor. Having a whole house to ourselves also means we have access to a functional kitchen. I'd really like to cook at least a few meals during the week. There's also a cat! It's not the house's cat per say, but it's been hanging out around the house for most of the day and makes cute faces trying to convince us to let it come inside. Nice try cat. Nice try. Here are some glamour professional photos of what the place looks like on a perfect summer day, just for the kick of it: Of course, reality has trouble matching all the post-processing filters. Plan for the week Now on a more serious note; apart from enjoying the beautiful city of Cambridge, here's what the team plans to do this week: tumbleweed Stefano wants to continue refactoring our ansible setup. A lot of things have been added in the last year, but some of it are hacks we should remove and implement correctly. highvoltage Jonathan won't be able to come to Cambridge, but plans to work remotely, mainly on our desktop/xfce session implementation. Another pile of hacks waiting to be cleaned! ivodd Ivo has been working a lot of the pre-ansible part of our installation and plans to continue working on that. At the moment, creating an installation USB key is pretty complicated and he wants to make that simpler. olasd Nicolas completely reimplemented our streaming setup for DC17 and wants to continue working on that. More specifically, he wants to write scripts to automatically setup and teardown - via API calls - the distributed streaming network we now use. Finding a way to push TLS certificates to those mirrors, adding a live stream viewer on video.debconf.org and adding a viewer to our archive are also things he wants to look at. pollo For my part, I plan to catch up with all the commits in our ansible repository I missed since last year's sprint and work on documentation. It would be very nice if we could have a static website describing our work so that others (at mini-debconfs for examples) could replicate it easily. If I have time, I'll also try to document all the ansible roles we have written. Stay tuned for more daily reports!

Here's what happened in the Reproducible Builds effort between Sunday October 29 and Saturday November 4 2017: Past events

• From October 31st November 2nd we held the 3rd Reproducible Builds summit in Berlin, Germany. A full, in-depth report will be posted in the next week or so.

Upcoming events

• On November 8th Jonathan Bustillos Osornio (jathan) will present at CubaConf Havana.
• On November 17th Chris Lamb will present at Open Compliance Summit, Yokohama, Japan on how reproducible builds ensures the long-term sustainability of technology infrastructure.

Reproducible work in other projects

• Alan Pope linked to the status of "asset recording" in SnapCraft, a concept related to .buildinfo files.

Packages reviewed and fixed, and bugs filed

• Chris Lamb:
  • #880714 filed against cappuccino.
  • #880803 filed against python-kafka.
  • #880804 filed against debci.
  • #880827 filed against roundcube.
• Steve Langasek:
  • #880550 filed against g2.
• Juro:
  • curl (SOURCE_DATE_EPOCH)
  • OpenSSL (SOURCE_DATE_EPOCH)
• Bernhard M. Wiedemann:
  • openSUSE/ant (use SOURCE_DATE_EPOCH)
  • openSUSE/mariadb (drop INFO_BIN)
  • openSUSE/libsmbios (drop embedded build log)

Reviews of unreproducible packages 7 package reviews have been added, 43 have been updated and 47 have been removed in this week, adding to our knowledge about identified issues. Weekly QA work During our reproducibility testing, FTBFS bugs have been detected and reported by:

• Adrian Bunk (44)
• Andreas Moog (1)
• Lucas Nussbaum (7)
• Steve Langasek (1)

Documentation updates

• Ulrike Uhlig:
  • Add documentation about system images.
• Holger Levsen:
  • List all speakers of the DebConf17
  • Add news about the Berlin event
• Chris Lamb:
  • Add recent talks to resources.html.
  • Clarify link to full definition.
  • Cachebust CSS files.
• Bernhard M. Wiedemann:
  • Fix openSUSE website link

diffoscope development Version 88 was uploaded to unstable by Mattia Rizzolo. It included contributions (already covered by posts of the previous weeks) from:

• Mattia Rizzolo
  • tests/comparators/dtb: compatibility with version 1.4.5. (Closes: #880279)
• Chris Lamb
  • comparators:
    • binwalk: improve names in output of "internal" members. #877525
    • Omit misleading "any of" prefix when only complaining about one module in ImportError messages.
  • Don't crash on malformed "md5sums" files. (Closes: #877473)
  • tests/comparators:
    • ps: ps2ascii > 9.21 now varies on timezone, so skip this test for now.
    • dtby: only parse the version number, not any "-dirty" suffix.
  • debian/watch: Use HTTPS URI.
• Ximin Luo
  • comparators:
    • utils/file: Diff container metadata centrally. This fixes a last remaining bug in fuzzy-matching across containers. (Closes: #797759)
    • Fix all the affected comparators after the above change.
• Holger Levsen
  • Bump Standards-Version to 4.1.1, no changes needed.

strip-nondeterminism development Version 0.040-1 was uploaded to unstable by Mattia Rizzolo. It included contributions already covered by posts of the previous weeks, as well as new ones from:

• Mattia Rizzolo:
  • Declare that strip-nondeterminism doesn't need root to build
  • Add my key to debian/upstream/signing-key.asc m disorderfs development

---

Version 0.5.2-2 was uploaded to unstable by Holger Levsen. It included contributions already covered by posts of the previous weeks, as well as new ones from:

• Chris Lamb:
  • Add a reproducible builds example, highlighting the non-intuitive recommendation to sort instead of shuffle.
  • Add myself to AUTHORS.
  • debian/watch: Use HTTPS URI.
• Holger Levsen:
  • debian/control: use /git/ instead of /cgit/ URL for Vcs-Browser
  • debian/compat: Bump to compat level 10 & raise build-depends to debhelper >= 10.2.5~.
  • debian/control: Bump Standards-Version to 4.1.1.

reprotest development

• Ximin Luo:
  • Mention certificate expiry errors in documentation as a potential issue with faketime

buildinfo.debian.net development

• Chris Lamb:
  • Support UID filtering
  • Add initial "by-hash" API endpoint.

tests.reproducible-builds.org

• Mattia Rizzolo:
  • archlinux: enable schroot building on pb4 as well
  • archlinux: don't install the deprecated abs tool
  • archlinux: try to re-enable one schroot creation job
• lynxis
  • lede: replace TMPDIR -> RESULTSDIR
  • lede: openwrt_get_banner(): use locals instead of globals
  • lede: add newline to $CONFIG
  • lede: show git log -1 in jenkins log
• Holger Levsen:
  • lede: add very simple landing page
• Juliana Oliveira Rodrigues
  • archlinux: adds pacman-git dependencies
• kpcyrd
  • archlinux: disable signature verification when running in the future
  • archlinux: use pacman-git until the next release
  • archlinux: make pacman fail less early
  • archlinux: use sudo to prepare chroot
  • archlinux: remove -rf for regular file
  • archlinux: avoid possible TOCTOU issue
  • archlinux: Try to fix tar extraction
  • archlinux: fix sha1sums parsing

Misc. This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Here's what happened in the Reproducible Builds effort between Sunday October 22 and Saturday October 28 2017: Past Events

• On Tuesday 24th October, Chris Lamb presented at All Things Open 2017 in Raleigh, NC, USA.
• On Wednesday 25th October, Holger Levsen presented at the Open Source Summit Europe in Prague, Czech Republic.
• On Saturday 28th October, Chris Lamb presented at freenode.live in Bristol, UK.

Upcoming/current events

• From October 31st November 2nd we will be holding the 3rd Reproducible Builds summit in Berlin, Germany.
• On November 8th Jonathan Bustillos Osornio (jathan) will present at CubaConf Havana.

Documentation updates Bernhard Wiedemann started The Unreproducible Package which "is meant as a practical way to demonstrate the various ways that software can break reproducible builds using just low level primitives without requiring external existing programs that implement these primitives themselves. It is structured so that one subdirectory demonstrates one class of issues in some variants observed in the wild." Reproducible work in other projects Hush, a fork of ZCash, opened an issue into reproducible builds. A new tag was added to lintian (lint checker for Debian packages) to ensure that changelog entry timestamps are strictly increasing. This avoids certain real-world issues with identical timestamps, documented in Debian #843773. Packages reviewed and fixed, and bugs filed Patches sent upstream:

• Bernhard M. Wiedemann:
  • gtranslator, embedded build timestamps
  • libgda, embedded build timestamps
  • mariadb, embedded build timestamps
  • nim, embedded build timestamps

Debian bug reports:

• Chris Lamb:
  • #879569 filed against argagg.
  • #879913 filed against sdlgfx.
  • #879914 filed against fmtlib.

Reviews of unreproducible packages 14 package reviews have been added, 35 have been updated and 28 have been removed in this week, adding to our knowledge about identified issues. 1 issue type has been updated:

• Add nondeterministic_ordering_in_documentation_generated_by_doxygen.

Weekly QA work During our reproducibility testing, FTBFS bugs have been detected and reported by:

• Adrian Bunk (4)

strip-nondeterminism development Version 0.040-1 was uploaded to unstable by Mattia Rizzolo. It included contributions already covered by posts of the previous weeks, as well as new ones from:

• Mattia Rizzolo:
  • png.pm: Don't open the original file in write mode

reprotest development Development continued in git:

• Ximin Luo:
  • New features:
    • Support a domain_host variation.
    • Support a --print-sudoers feature.
  • Documentation:
    • Note some caveats about the existing git versions as a self-reminder not to release it yet.
    • Updates about our assumptions and rearrange sudo into its own section.
  • Bug fixes:
    • main: When dropping privs, make sure the user can still move in theroot.
    • tests: fix, need to preserve env for su
    • build: Don't fail when the build produces a broken symlink
    • main, presets: Properly drop privs when running the build. (Closes: #877813)
  • Code quality:
    • Improve logging to try to get to the bottom of the jenkins failures
    • Tweak tests to avoid some build dependencies
    • build: Name temporary directories after reprotest not autopkgtest

buildinfo.debian.net development Development continued in git:

• Chris Lamb:
  • New features:
    • Add API endpoint to fetch specific .buildinfo files for a certain package/version/architecture, and optimise it. (Closes: #25)
  • Bug fixes:
    • Always show SHA256, regardless of viewport size. (Closes: #27)
    • Actually filter by source package

reproducible-website development

• Holger Levsen:
  • RWS3 Berlin 2017:
    • Add CoyIM, Arch Linux, LEDE, LEAP, subuser.org, Bazel, coreboot.
    • Make some sponsors visible.
    • Add short paragraph explaining that registration is mandatory.

Misc. This week's edition was written by Ximin Luo, Chris Lamb, Bernhard M. Wiedemann and Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Here's what happened in the Reproducible Builds effort between Sunday October 15 and Saturday October 21 2017:

• The Tails project published a report on how they made their ISO images reproducible.
• dpkg 1.19.0 was uploaded, including support for:
  • Ordering the "unused substitution" warnings to prevent superfluous differences between logs of package builds on the Reproducible Builds test framework. (#870221)
  • A new Build-Kernel-Version field in .buildinfo files that can be generated with a new dpkg-genbuildinfo --always-include-kernel option. (#873937)

Past events

• On Saturday 21st October, Holger Levsen presented at All Systems Go! in Berlin, Germany on reproducible builds. A video recording is available already.

Upcoming events

• On Tuesday 24th October, Chris Lamb will present at All Things Open 2017 in Raleigh, NC, USA.
• On Wednesday 25th October, Holger Levsen will present at the Open Source Summit Europe in Prague, Czech Republic.
• On Saturday 28th October, Chris Lamb will present at freenode.live in Bristol, UK.
• From October 31st November 2nd we will be holding the 3rd Reproducible Builds summit in Berlin, Germany. If you are working in the field of reproducible builds, you should definitely attend. Please see our public invitation mail and contact us if you have any questions.

New York University sessions A three week session will be held at New York University to work on reproducibilty issues in conjunction with the reproducible builds community. Students from the Application Security course will be working for two weeks to work on the reproducible builds effort.

• On Tuesday 24th Oct Ed Maste from FreeBSD will be presenting some reproducible builds work for students.
• On From Tuesday 24th of October to Monday 7th of November students will work on fixing reproducibility issues brought up by the community. A milestone presentation will be held by Santiago Torres-Arias and Preston Moore.
• On Tuesday 7th November Holger Levsen will join the NYU team to wrap up the work.

Packages reviewed and fixed, and bugs filed

• Adrian Bunk:
  • #878883 filed against stoken.
  • #878896 filed against liquidsoap.
  • #878980 filed against belenios.
  • #879042 filed against tuxpaint-config.
  • #879223 filed against websockify.
• Chris Lamb:
  • #878707 filed against python-amqp (randomness in documentation).
  • #878708 filed against geographiclib (build paths).
  • #879169 filed against live-build (timestamps).
• Gilles Filippini:
  • #878818 filed against ovito.

The following reproducible builds-related NMUs were accepted:

• Chris Lamb:
  • gerstensaft (#777414)
  • miniupnpd (#860266)
  • rest2web (#833438)

Patches sent upstream:

• Bernhard M. Wiedemann:
  • singularity (tar+gz)
  • redis (date)
  • tbb (date)
  • nested (sort)
  • nested (date)

Reviews of unreproducible packages 41 package reviews have been added, 119 have been updated and 54 have been removed in this week, adding to our knowledge about identified issues. 2 issue types were removed as they were fixed:

• too_much_input_for_diff
• docbook_to_man_one_byte_delta

Weekly QA work During our reproducibility testing, FTBFS bugs have been detected and reported by:

• Aaron M. Ucko (1)
• Adrian Bunk (49)
• Anthony DeRobertis (1)
• Daniel Schepler (1)
• Gilles Filippini (1)
• James Cowgill (1)
• Matthias Klose (1)
• Matthias Klumpp (1)
• Nobuhiro Iwamatsu (1)

diffoscope development

• Ximin Luo:
  • Tentative support for for parallel diffs

strip-nondeterminism development Version 0.039-1 was uploaded to unstable by Chris Lamb. It included contributions already covered by posts of the previous weeks, including:

• Chris Lamb:
  • Clojure considers the .class file to be stale if it shares the same timestamp of the .clj. We thus adjust the timestamps of the .clj to always be younger. (#877418)
  • dh_strip_nondeterminism: Log which handler processed a file. (#876140)
  • bin/strip-nondeterminism: Print a warning in --verbose mode if no canonical time specified.
  • Use HTTPS URI in debian/watch.

reprotest development

• Ximin Luo:
  • Hopefully fix the autopkgtest tests
• Santiago Torres-Arias:
  • An Arch Linux User Repository package for reprotest has been created.]

tests.reproducible-builds.org

• Holger Levsen:
  • Install rustc on Jenkins for the reproducible-html-build-path-prefix-map-spec job.
• Mattia Rizzolo:
  • health_check: Include the running kernel version when reporting multiple kernel installed in /boot.

Website updates

• Holger Levsen:
  • Berlin 2017:
    • add Qubes OS to participating projects
    • Add NetBSD and EdgeBSD to participating projects
    • Add repeatr.io to participating projects
    • Add disclaimer why only so few projects are listed
    • Add link to Google maps and name the 2nd next subway station on a different line
    • Add first 4 participating projects

Misc. This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Santiago Torres & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Here's what happened in the Reproducible Builds effort between Sunday October 8 and Saturday October 14 2017: Upcoming events

• On Saturday 21st October, Holger Levsen will present at All Systems Go! in Berlin, Germany on reproducible builds.
• On Tuesday 24th October, Chris Lamb will present at All Things Open 2017 in Raleigh, NC, USA on reproducible builds.
• On Wednesday 25th October, Holger Levsen will present at the Open Source Summit Europe in Prague, Czech Republic on reproducible builds.
• From October 31st - November 2nd we will be holding the 3rd Reproducible Builds summit in Berlin. If you are working in the field of reproducible builds, you should totally be there. Please contact us if you have any questions! Quoting from the public invitation mail:

  These dates are inclusive, ie. the summit will be 3 full days from "9 to 5".
  Best arrive on Monday October 30th and leave on the evening of Thursday, 3rd
  at the earliest.
  Meeting content
  ===============
  The exact content of the meeting is going to be shaped by the
  participants, but here are the main goals:
   - Update & exchange about the status of reproducible builds in various
     projects.
   - Establish spaces for more strategic and long-term thinking than is possible
     in virtual channels.
   - Improve collaboration both between and inside projects.
   - Expand the scope and reach of reproducible builds to more projects.
   - Brainstorming / Designing several things, eg:
    - designing tools enabling end-users to get the most benefits from
      reproducible builds.
    - design of back-ends needed for that.
   - Work together and hack on solutions.
  There will be a huge variety of topics to be discussed. To give a few
  examples:
  - continuing design and development work on .buildinfo infrastructure
  - build-path issues everywhere
  - future directions for diffoscope, reprotest & strip-nondeterminism
  - reproducing signed artifacts such as RPMs
  - discussing formats and tools we can share
  - sharing proposals for standards and documentation helpful to spreading the
    reproducible effort
  - and many many more.
  Please think about what you want discuss, brainstorm & learn about at this
  meeting!
  Schedule
  ========
  Preliminary schedule for the three days:
  9:00 Welcome and breakfast
  9:30 Meeting starts
  12:30 Lunch
  17:00 End of the official schedule
  Gunner and Beatrice from Aspiration will help running the meeting. We will
  collect your input in subsequent emails to make the best of everyone's time.
  Feel free to start thinking about what you want to achieve there. We will also
  adjust topics as the meeting goes.
  Please note that we are very likely to spend large parts of the meeting away
  from laptops and closer to post-it notes. So make sure you've answered any
  critical emails *before* Tuesday morning! :)
  

Reproducible work in other projects Pierre Pronchery reported that that he has built the foundations for doing more reproducibility work in NetBSD. Packages fixed Upstream bugs and patches:

• Bernhard M. Wiedemann:
  • qutim used RANDOM which is unpredictable and unreproducible.
  • dpdk used locale-dependent sort.

Reproducibility non-maintainer uploads in Debian:

• Chris Lamb:
  • mailfront for bugs #777431 & #847020.
  • plib-doc for bugs #778971 & #557676.
  • ipsvd for bugs #777417 & #846890.
• Holger Levsen
  • keyutils for bug #828681.

QA fixes in Debian:

• Adrian Bunk:
  • #878329 filed against sonic-visualiser.
  • #878333 filed against tree-puzzle.

Reviews of unreproducible packages 6 package reviews have been added, 30 have been updated and 37 have been removed in this week, adding to our knowledge about identified issues. Weekly QA work During our reproducibility testing, FTBFS bugs have been detected and reported by:

• Adrian Bunk (40)
• Eric Valette (1)
• Markus Koschany (1)

diffoscope development

• Ximin Luo:
  • Containers: diff the metadata of containers in one central location in the code, so that deep-diff works between all combinations of different container types. This lets us finally close #797759.
  • Tests: add a complete set of cases to test all pairs of container types.
• Chris Lamb:
  • Temporarily skip the test for ps2ascii(1) in ghostscript > 9.21 which now outputs text in a slightly different format.
  • UI wording improvements.

reprotest development Version 0.7.3 was uploaded to unstable by Ximin Luo. It included contributions already covered by posts of the previous weeks, as well as new ones:

• Ximin Luo:
  • Add a --env-build option for testing builds under different sets of environment variables. This is meant to help the discussion over at #876055 about how we should deal with different types of environment variables in a stricter definition of reproducibility.
  • UI and logging tweaks and improvements.
  • Simplify the _shell_ast module and merge it into shell_syn.

Misc. This week's edition was written by Ximin Luo, Chris Lamb and Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Here's what happened in the Reproducible Builds effort between Sunday October 1 and Saturday October 7 2017: Media coverage

• Bernhard sent another report about the status of Reproducible openSUSE. They currently they are at 478 unreproducible and 11,111 reproducible packages out of 11,821, so also at 93%!
• Holger attempted to get a Reproducible Builds devroom at FOSDEM 2018 but sadly this proposal was not accepted.

Documentation updates

• Christoph Berg created a wiki page about Openjade generated timestamps from DSSSL stylesheets.

Packages reviewed and fixed, and bugs filed

• Bernhard M. Wiedemann:
  • LiE uninitialized memory (need to find upstream)
  • chrony date (merged)
• Chris Lamb:
  • #877375 filed against polygen.
  • #877381 filed against plr.
  • #877384 filed against rcs.
  • #877928 filed against cadvisor.
• jathan:
  • #877470 filed against bsh.

Reviews of unreproducible packages 32 package reviews have been added, 46 have been updated and 62 have been removed in this week, adding to our knowledge about identified issues. Weekly QA work During our reproducibility testing, FTBFS bugs have been detected and reported by:

• Adrian Bunk (27)

diffoscope development

• Chris Lamb:
  • Don't crash on malformed md5sums files. (Closes: #877473)
  • Improve names in output of "internal" binwalk members. (Closes: #877525)
• Mattia Rizzolo:
  • Fix test compatibility with dtb version 1.4.5

strip-nondeterminism development Rob Browning noticed that strip-nondeterminism was causing serious performance regressions in the Clojure programming language within Debian. After some discussion, Chris Lamb also posted a query to debian-devel in case there were any other programming languages that might be suffering from the same problem.

• Chris Lamb:
  • jar.pm: Clojure considers the .class file to be stale if it shares the same timestamp of the .clj. We thus adjust the timestamps of the .clj to always be younger.. (Closes: #877418)
  • jar.pm, zip.pm: Allow $options member_normalizer callback to support specifying the timestamp.
  • zip.pm: Ensure that we don't try and write an old timestamp; Archive::Zip will do this anyway, just noisily.
  • zip.pm: Calculate the target canonical time in just one place.
  • bin/strip-nondeterminism: Print a warning in --verbose mode if no canonical time specified.
  • jar.pm: Update comment to reflect that NTFS/FAT has a 2s timestamp granularity.
  • jar.pm: s/NTFS/FAT/. Thanks to James Ross.

reprotest development Versions 0.7.1 and 0.7.2 were uploaded to unstable by Ximin Luo:

• New features:
  • Add a --auto-build option to try to determine which specific variations cause unreproducibility.
  • Add a --source-pattern option to restrict copying of source_root, and set this automatically in our presets.
• Usability improvements:
  • Improve error messages in some common scenarios.
    • Fiving a source_root or build_command that doesn't exist
    • Using reprotest with default settings after not installing Recommends
  • Output hashes after a successful --auto-build.
  • Print a warning message if we reproduced successfully but didn't vary everything.
• Fix varying both umask and user_group at the same time.
• Have dpkg-source extract to different build dir if varying the build-path.
• Pass --exclude-directory-metadata to diffoscope(1) by default as this is the majority use-case.
• Various bug fixes to get the basic dsc+schroot example working.

It included contributions already covered by posts of the previous weeks, as well as new ones from:

• Ximin Luo:
  • main: Add a --env-build option for testing different env vars
  • Don't output spurious warnings in tests
  • Add some more notes on the remaining variations
  • Fix the help text for virtual servers

tests.reproducible-builds.org

• Mattia Rizzolo:
  • Re-deploy odxu4a after being reinstalled and renamed from odxu4.
• Vagrant Cascadian:
  • Rename armhf host odxu4 to odxu4a

Misc. This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Here's what happened in the Reproducible Builds effort between Sunday September 24 and Saturday September 30 2017: Development and fixes in key packages Kai Harries did an initial packaging of the Nix package manager for Debian. You can track his progress in #877019. Uploads in Debian:

• Chris Lamb:
  • shadow/1:4.5-1 fixing #857803.
• Holger Levsen:
  • font-uralic/0.0.20040829-6 fixing #854362. (NMU)
  • mpack/1.6-8.2 fixing #777376. (NMU)

Packages reviewed and fixed, and bugs filed Patches sent upstream:

• Bernhard M. Wiedemann:
  • python-numpy build timestamp; merged
  • python-marshmallow build timestamp; merged
  • python-astropy-helpers build timestamp; merged
  • oprofile build timestamp
  • libheimdal build timestamp, hostname, username; upstream exploring alternative fixes
  • openSUSE/Qt hash table seed
  • libkolabxml/xsd ASLR memory location differences; no patch

Reproducible bugs (with patches) filed in Debian:

• Chris Lamb:
  • #877375 filed against polygen.
  • #877381 filed against plr.
  • #877384 filed against rcs.
• Daniel Schepler:
  • #876672 filed against e2fsprogs.
• Vagrant Cascadian:
  • #876657 filed against device-tree-compiler and uploaded 1.4.4-1 with the patch applied.

QA bugs filed in Debian:

• Adrian Bunk:
  • #876641 filed against pcb.
  • #876685 filed against mssh.
  • #876776 filed against fityk.
  • #876845 filed against webkit2-sharp.
  • #876870 filed against apertium-en-es.
  • #877021 filed against breathe.
  • #877031 filed against sextractor.
  • #877054 filed against hypre.
  • #877063 filed against libitpp.
  • #877065 filed against alglib.
  • #877211 filed against ipmiutil.

Reviews of unreproducible packages 103 package reviews have been added, 153 have been updated and 78 have been removed in this week, adding to our knowledge about identified issues. Weekly QA work During our reproducibility testing, FTBFS bugs have been detected and reported by:

• Adrian Bunk (177)
• Andreas Beckmann (2)
• Daniel Schepler (1)

diffoscope development Mattia Rizzolo uploaded version 87 to stretch-backports.

• Holger Levsen:
  • Bump standards version to 4.1.1, no changes needed.

strip-nondeterminism development

• Holger Levsen:
  • Bump Standards-Version to 4.1.1, no changes needed.

reprotest development

• Ximin Luo:
  • New features:
    • Add a --env-build option for testing different env vars. (In-progress, requires the python-rstr package awaiting entry into Debian.)
    • Add a --source-pattern option to restrict copying of source_root.
  • Usability improvements:
    • Improve error messages in some common scenarios.
    • Output hashes after a successful --auto-build.
    • Print a warning message if we reproduced successfully but didn't vary everything.
    • Update examples in documentation.
  • Have dpkg-source extract to different build dir iff varying the build-path.
  • Pass --debug to diffoscope if verbosity >= 2.
  • Pass --exclude-directory-metadata to diffoscope(1) by default.
  • Much refactoring to support the other work and several minor bug fixes.
• Holger Levsen:
  • Bump standards version to 4.1.1, no changes needed.

tests.reproducible-builds.org

• Holger Levsen:
  • Fix scheduler to not send empty scheduling notifications in the rare cases nothing has been scheduled.
  • Fix colors in 'amount of packages build each day on $ARCH' graphs.

reproducible-website development

• Holger Levsen:
  • Fix up HTML syntax
  • Announce that RWS3 will happen at Betahaus, Berlin

Misc. This week's edition was written by Ximin Luo, Bernhard M. Wiedemann, Holger Levsen and Chris Lamb & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Here's what happened in the Reproducible Builds effort between Sunday September 17th and Saturday September 23rd 2017: Media coverage

• Christos Zoulas gave a talk entitled Reproducible builds on NetBSD at EuroBSDCon 2017

Reproducible work in other packages

• Paul Eggert reported that TZ=UTC is not a portable setting for the TZ environment variable.

Packages reviewed and fixed, and bugs filed

• Adrian Bunk:
  • #876615 filed against librsvg.
• Bernhard M. Wiedemann:
  • varnish (random IDs)
  • make (sort)
  • nautilus-dropbox (extended date)
  • fontforge (date)
  • votca-csg (merged, date)
  • freeipmi (merged, date)
  • libmypaint (merged, sort)
  • doomsday (merged, sort)
  • asciidoc (help make release with SOURCE_DATE_EPOCH patch)

Reviews of unreproducible packages 1 package reviews was added, 49 have been updated and 54 have been removed in this week, adding to our knowledge about identified issues. One issue type was updated:

• gtk_doc_api_index_full (fixed upstream: #779090)

Weekly QA work During our reproducibility testing, FTBFS bugs have been detected and reported by:

• Adrian Bunk (56)
• Bas Couwenberg (1)
• Helmut Grohne (1)
• Nobuhiro Iwamatsu (2)

diffoscope development Version 87 was uploaded to unstable by Mattia Rizzolo. It included contributions from:

• Ximin Luo:
  • comparators/*:
    • Add a test for fallback_recognizes and improve the behaviour
    • Add a fallback_recognizes to work around file(1) #876316. (Closes: #875272)
    • If --force-details then don't skip files with identical md5sums either
    • Add a --force-details flag for debugging
  • presenters.html:
    • Restore the previous more-detailed comment
    • Don't show pointer-cursor when jQuery is disabled
    • Prune all descendants properly (Closes: #875281)
  • difference.py:
    • Also copy self._comment properly, compare self._visuals in equals()
    • In fmap/map_lines, don't forget about self._visuals
    • Use diff_split_lines everywhere
  • tests:
    • Add case for #875281
    • Make test_md5sums less brittle
    • Update test_deb for new string
  • readers: Convert bytes to str in the right place
  • config: Force-set a value if it must be < another and it was not set on purpose (Closes: #875451)
  • Bump minimum Python version to 3.5 as we use syntax introduced by PEP 448
• Chris Lamb:
  • Print a debugging message if we are reading diff from stdin.
  • Compare types with identity not equality.
  • diffoscope.presenters.html: Use logging.py's lazy argument interpolation.
  • debian/control: Bump Standards-Version to 4.1.0.
• Mattia Rizzolo:
  • debian/rules: Place "before" commands before "after" commands.

strip-nondeterminism development

• Chris Lamb:
  • Log which handler procesed a file. (Closes: #876140)
  • Bump Standards-Version to 4.1.0.

reprotest development Version 0.7 was uploaded to unstable by Ximin Luo:

• Ximin Luo:
  • Push use of UNIX return codes to the edges of the program
  • Add a --auto-build option to determine which variations cause unreproducibility
  • Allow umask and user_group to both vary at the same time
  • Generate build names in main instead of build, guard against dupes
  • Pull traceback-printing stuff out of the core code
  • More refactoring, make check() contain only logic that would be changed in an auto-detector
  • Split check() into a coroutine producer and consumer, prepares auto-detection

tests.reproducible-builds.org Vagrant Cascadian and Holger Levsen:

• Re-add and armhf build node that had been disabled due to performance issues, but works linux 4.14-rc1 now! #876212

Holger Levsen:

• Use botch from stretch to fix the jenkins job which create the package sets. (botch is currently uninstallable in sid and from pre-stretch-release times we used a sid schroot to install and use botch.)

Misc. This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Lintian is a static analysis tool for Debian packages, reporting on various errors, omissions and general quality-assurance issues to maintainers. I've previously written about my exploits with Lintian as well as authoring a short tutorial on how to write your own Lintian check. Anyway, I recently uploaded version 2.5.53 about two months since previous release. The biggest changes you may notice are supporting the latest version of the Debian Policy as well the addition of checks to encourage the migration to Python 3. Thanks to all who contributed patches, code review and bug reports to this release. The full changelog is as follows:

lintian (2.5.53) unstable; urgency=medium
  The "we are all Perl developers now" release.
  * Summary of tag changes:
    + Added:
      - alternatively-build-depends-on-python-sphinx-and-python3-sphinx
      - build-depends-on-python-sphinx-only
      - dependency-on-python-version-marked-for-end-of-life
      - maintainer-script-interpreter
      - missing-call-to-dpkg-maintscript-helper
      - node-package-install-in-nodejs-rootdir
      - override-file-in-wrong-package
      - package-installs-java-bytecode
      - python-foo-but-no-python3-foo
      - script-needs-depends-on-sensible-utils
      - script-uses-deprecated-nodejs-location
      - transitional-package-should-be-oldlibs-optional
      - unnecessary-testsuite-autopkgtest-header
      - vcs-browser-links-to-empty-view
    + Removed:
      - debug-package-should-be-priority-extra
      - missing-classpath
      - transitional-package-should-be-oldlibs-extra
  * checks/apache2.pm:
    + [CL] Fix an apache2-unparsable-dependency false positive by allowing
      periods (".") in dependency names.  (Closes: #873701)
  * checks/binaries.pm:
    + [CL] Apply patches from Guillem Jover & Boud Roukema to improve the
      description of the binary-file-built-without-LFS-support tag.
      (Closes: #874078)
  * checks/changes. pm,desc :
    + [CL] Ignore DFSG-repacked packages when checking for upstream
      source tarball signatures as they will never match by definition.
      (Closes: #871957)
    + [CL] Downgrade severity of orig-tarball-missing-upstream-signature
      from "E:" to "W:" as many common tools do not make including the
      signatures easy enough right now.  (Closes: #870722, #870069)
    + [CL] Expand the explanation of the
      orig-tarball-missing-upstream-signature tag to include the location
      of where dpkg-source will look. Thanks to Theodore Ts'o for the
      suggestion.
  * checks/copyright-file.pm:
    + [CL] Address a number of issues in copyright-year-in-future:
      - Prevent false positives in port numbers, email addresses, ISO
        standard numbers and matching specific and general street
        addresses.  (Closes: #869788)
      - Match all violating years in a line, not just the first (eg.
        "2000-2107").
      - Ignore meta copyright statements such as "Original Author". Thanks
        to Thorsten Alteholz for the bug report.  (Closes: #873323)
      - Expand testsuite.
  * checks/cruft. pm,desc :
    + [CL] Downgrade severity of file-contains-fixme-placeholder
      tag from "important" (ie. "E:") to "wishlist" (ie. "I:").
      Thanks to Gregor Herrmann for the suggestion.
    + [CL] Apply patch from Alex Muntada (alexm) to use "substr" instead
      of "substring" in mentions-deprecated-usr-lib-perl5-directory's
      description.  (Closes: #871767)
    + [CL] Don't check copyright_hints file for FIXME placeholders.
      (Closes: #872843)
    + [CL] Don't match quoted "FIXME" variants as they are almost always
      deliberate. Thanks to Adrian Bunk for the report.  (Closes: #870199)
    + [CL] Avoid false positives in missing source checks for "CSS Browser
      Selector".  (Closes: #874381)
  * checks/debhelper.pm:
    + [CL] Prevent a false positive of
      missing-build-dependency-for-dh_-command that can be exposed by
      following the advice for the recently added
      useless-autoreconf-build-depends tag.  (Closes: #869541)
  * checks/debian-readme. pm,desc :
    + [CL] Ensure readme-debian-contains-debmake-template also checks
      for templates "Automatically generated by debmake".
  * checks/description. desc,pm :
    + [CL] Clarify explanation of description-starts-with-leading-spaces
      tag. Thanks to Taylor Kline  for the report
      and patch.  (Closes: #849622)
    + [NT] Skip capitalization-error-in-description-synopsis for
      auto-generated packages (such as dbgsym packages).
  * checks/fields. desc,pm :
    + [CL] Ensure that python3-foo packages have "Section: python", not
      just python2-foo.  (Closes: #870272)
    + [RG] Do no longer require debug packages to be priority extra.
    + [BR] Use Lintian::Data for name/section mapping
    + [CL] Check for packages including "?rev=0&sc=0" in Vcs-Browser.
      (Closes: #681713)
    + [NT] Transitional packages should now be "oldlibs/optional" rather
      than "oldlibs/extra".  The related tag has been renamed accordingly.
  * checks/filename-length.pm:
    + [NT] Skip the check on auto-generated binary packages (such as
      dbgsym packages).
  * checks/files. pm,desc :
    + [BR] Avoid privacy-breach-generic false positives for legal.xml.
    + [BR] Detect install of node package under /usr/lib/nodejs/[^/]*$
    + [CL] Check for packages shipping compiled Java class files. Thanks
      Carn  Draug .  (Closes: #873211)
    + [BR] Privacy breach is no longer experimental.
  * checks/init.d.desc:
    + [RG] Do not recommend a versioned dependency on lsb-base in
      init.d-script-needs-depends-on-lsb-base.  (Closes: #847144)
  * checks/java.pm:
    + [CL] Additionally consider .cljc files as code to avoid false-
      positive codeless-jar warnings.  (Closes: #870649)
    + [CL] Drop problematic missing-classpath check.  (Closes: #857123)
  * checks/menu-format.desc:
    + [CL] Prevent false positives in desktop-entry-lacks-keywords-entry
      for "Link" and "Directory" .desktop files.  (Closes: #873702)
  * checks/python. pm,desc :
    + [CL] Split out Python checks from "scripts" check to a new, source
      check of type "source".
    + [CL] Check for python-foo without corresponding python3-foo packages
      to assist in Python 2.x deprecation.  (Closes: #870681)
    + [CL] Check for packages that Build-Depend on python-sphinx only.
      (Closes: #870730)
    + [CL] Check for packages that alternatively Build-Depend on the
      Python 2 and Python 3 versions of Sphinx.  (Closes: #870758)
    + [CL] Check for binary packages that depend on Python 2.x.
      (Closes: #870822)
  * checks/scripts.pm:
    + [CL] Correct false positives in
      unconditional-use-of-dpkg-statoverride by detecting "if !" as a
      valid shell prefix.  (Closes: #869587)
    + [CL] Check for missing calls to dpkg-maintscript-helper(1) in
      maintainer scripts.  (Closes: #872042)
    + [CL] Check for packages using sensible-utils without declaring a
      dependency after its split from debianutils.  (Closes: #872611)
    + [CL] Warn about scripts using "nodejs" as an interpreter now that
      nodejs provides /usr/bin/node.  (Closes: #873096)
    + [BR] Add a statistic tag giving interpreter.
  * checks/testsuite. desc,pm :
    + [CL] Remove recommendations to add a "Testsuite: autopkgtest" field
      to debian/control as it is added when needed by dpkg-source(1)
      since dpkg 1.17.1.  (Closes: #865531)
    + [CL] Warn if we see an unnecessary "Testsuite: autopkgtest" header
      in debian/control.
    + [NT] Recognise "autopkgtest-pkg-go" as a valid test suite.
    + [CL] Recognise "autopkgtest-pkg-elpa" as a valid test suite.
      (Closes: #873458)
    + [CL] Recognise "autopkgtest-pkg-octave" as a valid test suite.
      (Closes: #875985)
    + [CL] Update the description of unknown-testsuite to reflect that
      "autopkgtest" is not the only valid value; the referenced URL
      is out-of-date (filed as #876008).  (Closes: #876003)
  * data/binaries/embedded-libs:
    + [RG] Detect embedded copies of heimdal, libgxps, libquicktime,
      libsass, libytnef, and taglib.
    + [RG] Use an additional string to detect embedded copies of
      openjpeg2.  (Closes: #762956)
  * data/fields/name_section_mappings:
    + [BR] node- package section is javascript.
    + [CL] Apply patch from Guillem Jover to add more section mappings.
      (Closes: #874121)
  * data/fields/obsolete-packages:
    + [MR] Add dh-systemd.  (Closes: #872076)
  * data/fields/perl-provides:
    + [CL] Refresh perl provides.
  * data/fields/virtual-packages:
    + [CL] Update data file from archive. This fixes a false positive for
      "bacula-director".  (Closes: #835120)
  * data/files/obsolete-paths:
    + [CL] Add note to /etc/bash_completion.d entry regarding stricter
      filename requirements.  (Closes: #814599)
  * data/files/privacy-breaker-websites:
    + [BR] Detect custom donation logos like apache.
    + [BR] Detect generic counter website.
  * data/standards-version/release-dates:
    + [CL] Add 4.0.1 and 4.1.0 as known standards versions.
      (Closes: #875509)
  * debian/control:
    + [CL] Mention Debian Policy v4.1.0 in the description.
    + [CL] Add myself to Uploaders.
    + [CL] Drop unnecessary "Testsuite: autopkgtest"; this is implied from
      debian/tests/control existing.
  * commands/info.pm:
    + [CL] Add a --list-tags option to print all tags Lintian knows about.
      Thanks to Rajendra Gokhale for the suggestion.  (Closes: #779675)
  * commands/lintian.pm:
    + [CL] Apply patch from Maia Everett to avoid British spelling when
      using en_US locale.  (Closes: #868897)
  * lib/Lintian/Check.pm:
    + [CL] Stop emitting  maintainer,uploader -address-causes-mail-loops
      for @packages.debian.org addresses.  (Closes: #871575)
  * lib/Lintian/Collect/Binary.pm:
    + [NT] Introduce an "auto-generated" argument for "is_pkg_class".
  * lib/Lintian/Data.pm:
    + [CL] Modify Lintian::Data's "all" to always return keys in insertion
      order, dropping dependency on libtie-ixhash-perl.
  * helpers/coll/objdump-info-helper:
    + [CL] Apply patch from Steve Langasek to accommodate binutils 2.29
      outputting symbols in a different format on ppc64el.
      (Closes: #869750)
  * t/tests/fields-perl-provides/tags:
    + [CL] Update expected output to match new Perl provides.
  * t/tests/files-privacybreach/*:
    + [CL] Add explicit test for packages including external fonts via
      the Google Font API. Thanks to Ian Jackson for the report.
      (Closes: #873434)
    + [CL] Add explicit test for packages including external fonts via
      the Typekit API via <script/> HTML tags.
  * t/tests/*/desc:
    + [CL] Add missing entries in "Test-For" fields to make
      development/testing workflow less error-prone.
  * private/generate-tag-summary:
    + [CL] git-describe(1) will usually emit 7 hexadecimal digits as the
      abbreviated object name,  However, as this can be user-dependent,
      pass --abbrev=0 to ensure it does not vary between systems.  This
      also means we do not need to strip it ourselves.
  * private/refresh-*:
    + [CL] Use deb.debian.org as the default mirror.
    + [CL] Update locations of Contents-<arch> files; they are now
      namespaced by distribution (eg. "main").
 -- Chris Lamb <lamby@debian.org>  Wed, 20 Sep 2017 09:25:06 +0100

Here's what happened in the Reproducible Builds effort between Sunday September 3 and Saturday September 9 2017: Media coverage

• isdebianreproducibleyet.com was released and subsequently updated.

GSoC and Outreachy updates Debian will participate in this year's Outreachy initiative and the Reproducible Builds is soliciting mentors and students to join this round. For more background please see the following mailing list posts: 1, 2 & 3. Reproduciblity work in Debian

• Chris Lamb filed #874102 filed against texlive-bin to incorporate a proposed upstream change to fix reproducibility issues in generated PDF files.

In addition, the following NMUs were accepted:

• fastforward (#776972) (lamby)
• dtc-xen (#777322) (lamby)
• dhcpping (#777320) (lamby)
• vimoutliner (#776369) (lamby)

Reproduciblity work in other projects

• The Linux kernel announced support for the randstruct GCC plugin.
• "Please make the output of gio-querymodules deterministic" was merged upstream. (lamby)

Patches sent upstream:

• Bernhard M. Wiedemann:
  • gcin: (merged) Uninitialized stack memory
  • html5-parser (merged): Sorting
  • gromacs (merged): Date
  • crawl (merged): Date
  • GCompris-gtk: Date
  • heimdal: Date, hostname
• Chris Lamb:
  • Numpy (#872459) (PR #9652) build path (merged)

Packages reviewed and fixed, and bugs filed

• Adrian Bunk:
  • #874186 filed against svgpp.

Reviews of unreproducible packages 3 package reviews have been added, 2 have been updated and 2 have been removed in this week, adding to our knowledge about identified issues. Weekly QA work During our reproducibility testing, FTBFS bugs have been detected and reported by:

• Adrian Bunk (15)

diffoscope development Development continued in git, including the following contributions:

• Chris Lamb:
  • Add support for "binwalking" to find (eg.) concatenated CPIO archives. (Closes: #820631)
  • Loosen matching of file(1)'s output to ensure we correctly also match TTF files under file 5.32.
  • Check we identify all CPIO fixtures in tests
  • Make failing a some flake8 tests cause the testsuite to fail. (Currently just "undefined name")
  • Countless style fixups, eg. remove unused imports, removing blank lines from end of flies, etc.
  • Compare None using identity, not equality.
  • diffoscope.diff: Correct reference to self.buf.
  • comparators.utils.file: Correct reference to path_apparent_size.
• Juliana Rodrigues:
  • Sip html_visuals test if 'sng' binary is not available
• Mattia Rizzolo:
  • Numerous PEP8 fixes (eg. E122, E302, E713, etc.)

Mattia Rizzolo also uploaded the version 86 released last week to stretch-backports. reprotest development

• Santiago Torres:
  • Correct string formatting in get_all_servers
• Ximin Luo:
  • Heavy refactoring towards supporting running more than 2 builds
  • Rename append_command to append_to_build_command

tests.reproducible-builds.org

• h01ger:
  • Don't update the stretch package sets anymore
  • Update URL for Tails packages list
  • Disabled the OpenWrt at the request of lynxis as they were broken; if no-one shows up to fix them, we'll probably remove them in the future, as all current development happens within LEDE.
  • Renewed the Let's Encrypt SSL certificates.
• Mattia Rizzolo:
  • Avoid stale temporary files from reproducible_build.sh
  • Avoid removing the temporary directory twice
  • Fix IRC notifications when somebody asks for artifacts
  • Simplify 'if' conditions

Misc. This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Here's what happened in the Reproducible Builds effort between Sunday August 27 and Saturday September 2 2017: Talks and presentations Holger Levsen talked about our progress and our still-far goals at BornHack 2017 (Video). Toolchain development and fixes The Debian FTP archive will now reject changelogs where different entries have the same timestamps. UDD now uses reproducible-tracker.json (~25MB) which ignores our tests for Debian unstable, instead of our full set of results in reproducible.json. Our tests for Debian unstable uses a stricter definition of "reproducible" than what was recently added to Debian policy, and these stricter tests are currently more unreliable. Packages reviewed and fixed, and bugs filed Patches sent upstream:

• Bernhard M. Wiedemann:
  • File ordering:
    • klee-uclibc: sort
    • libdnet: sort
    • libinvm-cim: sort
    • libinvm-cli: sort
  • Embedded build-date timestamps:
    • robinhood: SOURCE_DATE_EPOCH support
    • ceph/rocksdb: SOURCE_DATE_EPOCH support
    • hylafax: use changelog modtime
    • gnucash: use changelog modtime
  • Warzone2100, merged: omit timestamps, sort file lists
• Chris Lamb:
  • glib2.0: sort file lists
  • (old) xorg, merged: SOURCE_DATE_EPOCH support

Debian bugs filed:

• Adrian Bunk:
  • #873608 filed against uhd.
  • #874186 filed against svgpp.
• Chris Lamb:
  • #873625 filed against glib2.0, filed upstream.
  • #874102 filed against texlive-bin.

Debian packages NMU-uploaded:

• Chris Lamb:
  • bittornado/0.3.18-10.3 from #796212
  • cgilib/0.6-1.1 from #776935
  • dict-gazetteer2k/1.0.0-5.4 from #776376
  • dict-moby-thesaurus/1.0-6.4 from #776375
  • dtaus/0.9-1.1 from #777321
  • wily/0.13.41-7.3 from #777360

Reviews of unreproducible packages 25 package reviews have been added, 50 have been updated and 86 have been removed in this week, adding to our knowledge about identified issues. Weekly QA work During our reproducibility testing, FTBFS bugs have been detected and reported by:

• Adrian Bunk (46)
• Mart n Ferrari (1)
• Steve Langasek (1)

diffoscope development Version 86 was uploaded to unstable by Mattia Rizzolo. It included previous weeks' contributions from:

• Mattia Rizzolo
  • tests/binary: skip a test if the 'distro' module is not available.
  • Some code quality and style improvements.
• Guangyuan Yang
  • tests/iso9660: support both cdrtools' genisoimage's versions of isoinfo.
• Chris Lamb
  • comparators/xml: Use name attribute over path to avoid leaking comparison full path in output.
  • Tidy diffoscope.progress a little.
• Ximin Luo
  • Add a --tool-prefix-binutils CLI flag. Closes: #869868
  • On non-GNU systems, prefer some tools that start with "g". Closes: #871029
  • presenters/html: Don't traverse children whose parents were already limited. Closes: #871413
• Santiago Torres-Arias
  • diffoscope.progress: Support the new fork of python-progressbar. Closes: #873157

reprotest development Development continued in git with contributions from:

• Ximin Luo:
  • Add -v/--verbose which is a bit more popular.
  • Make it possible to omit "auto" when building packages.
  • Refactor how the config file works, in preparation for new features.
  • chown -h for security.

Misc. This week's edition was written by Ximin Luo, Chris Lamb, Bernhard M. Wiedemann and Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Here's what happened in the Reproducible Builds effort between Sunday August 20 and Saturday August 26 2017: Debian development

• "Packages should build reproducibly" was released in Debian Policy 4.1.0.0. For more background please see last week's post.
• A patch by Chris Lamb to make Dpkg::Substvars warnings output deterministic was merged by Guillem Jover. This helps the Reproducible Builds effort as it removes unnecessary differences in logs of two package builds. (#870221)

Packages reviewed and fixed, and bugs filed Forwarded upstream:

• Debian bug #872728 filed against desktop-file-utils. Filed upstream. (lamby, via a reproducibility issue in Tails).
• Debian bug #872729 filed against gtk+2.0. Filed upstream. (lamby, via a reproducibility issue in Tails).
• sawfish:
  • SOURCE_DATE_EPOCH
  • .tar.gz (merged)
  • Sorting (merged)
• librep:
  • SOURCE_DATE_EPOCH (merged)
  • Sorting (merged)
• zstd (merged) sort
• lirc (solved)
• autogen (tar.gz)

Accepted repoducibility NMUs in Debian:

• Chris Lamb:
  • jsmath-fonts (for bug #792319).
  • xvier (for bug #777330).
• Mattia Rizzolo:
  • aewan (for bug #842864).

Other issues:

• Adrian Bunk:
  • #872675 filed against pdp.
  • #872678 filed against gem.
  • #872860 filed against csound.
  • #872918 filed against sketch.
• Dmitry Shachnev:
  • #872992 filed against pytest-qt.

Reviews of unreproducible packages 16 package reviews have been added, 38 have been updated and 48 have been removed in this week, adding to our knowledge about identified issues. 2 issue types have been updated:

• Add new captures_build_dir_in_qmake_prl_files toolchain issue (Chris Lamb)
• Remove ftbfs_uninvestigated_big_packages (Mattia Rizzolo)

Weekly QA work During our reproducibility testing, FTBFS bugs have been detected and reported by:

• Adrian Bunk (37)
• Dmitry Shachnev (1)
• James Cowgill (1)

diffoscope development

• Chris Lamb:
  • Tidy diffoscope.progress a little.
• Santiago Torres-Arias:
  • diffoscope.progress: Support the new fork of python-progressbar. (#873157)

disorderfs development Version 0.5.2-1 was uploaded to unstable by Ximin Luo. It included contributions from:

• Ximin Luo:
  • Add -q,--quiet CLI option
  • Update to latest Standards-Version; no changes required
  • Update debian/changelog
  • Update NEWS
  • Adopt as team maintenance
  • Add my signing key only
  • Add instructions for Debian release
• Holger Levsen:
  • Add myself to uploaders
  • Move package to 'optional' section

reprotest development

• Ximin Luo:
  • Don't vary user_group in the tests - it's not usually possible in automated builders
  • Default verbosity to 0 and silence disorderfs if set
  • Add the ability to vary the user. (#872412)
  • Add TODO

Misc. This week's edition was written in alphabetical order by Bernhard M. Wiedemann, Chris Lamb, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.