We re excited to announce the details of our upcoming 2024 Linux Display Next Hackfest in the beautiful city of A Coru a, Spain! This year s hackfest will be hosted by Igalia and will take place from May 14th to 16th. It will be a gathering of minds from a diverse range of companies and open source projects, all coming together to share, learn, and collaborate outside the traditional conference format.

Who s Joining the Fun? We re excited to welcome participants from various backgrounds, including:

GPU hardware vendors;

Linux distributions;

Linux desktop environments and compositors;

Color experts, researchers and enthusiasts;

This diverse mix of backgrounds are represented by developers from several companies working on the Linux display stack: AMD, Arm, BlueSystems, Bootlin, Collabora, Google, GravityXR, Igalia, Intel, LittleCMS, Qualcomm, Raspberry Pi, RedHat, SUSE, and System76. It ll ensure a dynamic exchange of perspectives and foster collaboration across the Linux Display community. Please take a look at the list of participants for more info.

What s on the Agenda? The beauty of the hackfest is that the agenda is driven by participants! As this is a hybrid event, we decided to improve the experience for remote participants by creating a dedicated space for them to propose topics and some introductory talks in advance. From those inputs, we defined a schedule that reflects the collective interests of the group, but is still open for amendments and new proposals. Find the schedule details in the official event webpage. Expect discussions on:

KMS Color/HDR

Proposal with new DRM object type:

Brief presentation of GPU-vendor features;

Status update of plane color management pipeline per vendor on Linux;

HDR/Color Use-cases:

HDR gainmap images and how should we think about HDR;

Google/ChromeOS GFX view about HDR/per-plane color management, VKMS and lessons learned;

Post-blending Color Pipeline.

Color/HDR testing/CI

VKMS status update;

Chamelium boards, video capture.

Wayland protocols

color-management protocol status update;

color-representation and video playback.

Display control

HDR signalling status update;

backlight status update;

EDID and DDC/CI.

Strategy for video and gaming use-cases

Multi-plane support in compositors

Underlay, overlay, or mixed strategy for video and gaming use-cases;

KMS Plane UAPI to simplify the plane arrangement problem;

Shared plane arrangement algorithm desired.

HDR video and hardware overlay

Frame timing and VRR

Frame timing:

Limitations of uAPI;

Current user space solutions;

Brainstorm better uAPI;

Cursor/overlay plane updates with VRR;

KMS commit and buffer-readiness deadlines;

Power Saving vs Color/Latency

ABM (adaptive backlight management);

PSR1 latencies;

Power optimization vs color accuracy/latency requirements.

Content-Adaptive Scaling & Sharpening

Content-Adaptive Scalers on display hardware;

New drm_colorop for content adaptive scaling;

Proprietary algorithms.

Display Mux

Laptop muxes for switching of the embedded panel between the integrated GPU and the discrete GPU;

Seamless/atomic hand-off between drivers on Linux desktops.

Real time scheduling & async KMS API

Potential benefits: lower latency input feedback, better VRR handling, buffer synchronization, etc.

Issues around async uAPI usage and async-call handling.

In-person, but also geographically-distributed event This year Linux Display Next hackfest is a hybrid event, hosted onsite at the Igalia offices and available for remote attendance. In-person participants will find an environment for networking and brainstorming in our inspiring and collaborative office space. Additionally, A Coru a itself is a gem waiting to be explored, with stunning beaches, good food, and historical sites.

Semi-structured structure: how the 2024 Linux Display Next Hackfest will work

Agenda: Participants proposed the topics and talks for discussing in sessions.

Interactive Sessions: Discussions, workshops, introductory talks and brainstorming sessions lasting around 1h30. There is always a starting point for discussions and new ideas will emerge in real time.

Immersive experience: We will have coffee-breaks between sessions and lunch time at the office for all in-person participants. Lunches and coffee-breaks are sponsored by Igalia. This will keep us sharing knowledge and in continuous interaction.

Spaces for all group sizes: In-person participants will find different room sizes that match various group sizes at Igalia HQ. Besides that, there will be some devices for showcasing and real-time demonstrations.

Sponsorship Igalia sponsors lunches and coffee-breaks on hackfest days, Tuesday s dinner, and the social event on Thursday afternoon for in-person participants. We can t wait to welcome hackfest attendees to A Coru a! Stay tuned for further details and outcomes of this unconventional and unique experience.

The eleventh release of the qlcal package arrivied at CRAN today. qlcal delivers the calendaring parts of QuantLib. It is provided (for the R package) as a set of included files, so the package is self-contained and does not depend on an external QuantLib library (which can be demanding to build). qlcal covers over sixty country / market calendars and can compute holiday lists, its complement (i.e. business day lists) and much more. Examples are in the README at the repository, the package page, and course at the CRAN package page. This releases synchronizes qlcal with the QuantLib release 1.34 and contains more updates to 2024 calendars.

Changes in version 0.0.11 (2024-04-27)

Synchronized with QuantLib 1.34

Calendar updates for Brazil, India, Singapore, South Africa, Thailand, United States

Minor continuous integration update

Courtesy of my CRANberries, there is a diffstat report for this release. See the project page and package documentation for more details, and more examples. If you like this or other open-source work I do, you can sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

I previously wrote a blog post titled Considering Convergence [1] about the possible ways of using a phone as a laptop. While I still believe what I wrote there I m now considering the possibility of ease of movement of work in progress as a way of addressing some of the same issues. Currently the expected use is that if you have web pages open on Chrome on Android it s possible to instruct Chrome on the desktop to open the same page if both instances of Chrome are signed in to the same GMail account. It s also possible to view the Chrome history with CTRL-H, select tabs from other devices and load things that were loaded on other devices some time ago. This is very minimal support for moving work between devices and I think we can do better. Firstly for web browsing the Chrome functionality is barely adequate. It requires having a heavyweight login process on all browsers that includes sharing stored passwords etc which isn t desirable. There are many cases where moving work is desired without sharing such things, one example is using a personal device to research something for work. Also the Chrome method of sending web pages is slow and unreliable and the viewing history method gets all closed tabs when the common case is get the currently open tabs from one browser window without wanting the dozens of web pages that turned out not to be interesting and were closed. This could be done with browser plugins to allow functionality similar to KDE Connect for sending tabs and also the option of emailing a list of URLs or a JSON file that could be processed by a browser plugin on the receiving end. I can send email between my home and work addresses faster than the Chrome share to another device function can send a URL. For documents we need a way of transferring files. One possibility is to go the Chromebook route and have it all stored on the web. This means that you rely on a web based document editing system and the FOSS versions are difficult to manage. Using Google Docs or Sharepoint for everything is not something I consider an acceptable option. Also for laptop use being able to run without Internet access is a good thing. There are a range of distributed filesystems that have been used for various purposes. I don t think any of them cater to the use case of having a phone/laptop and a desktop PC (or maybe multiple PCs) using the same files. For a technical user it would be an option to have a script that connects to a peer system (IE another computer with the same accounts and access control decisions) and rsync a directory of working files and the shell history, and then opens a shell with the HISTFILE variable, current directory, and optionally some user environment variables set to match. But this wouldn t be the most convenient thing even for technical users. For programs that are integrated into the desktop environment it s possible for them to be restarted on login if they were active when the user logged out. The session tracking for that has about 1/4 the functionality needed for requesting a list of open files from the application, closing the application, transferring the files, and opening it somewhere else. I think that this would be a good feature to add to the XDG setup. The model of having programs and data attached to one computer or one network server that terminals of some sort connect to worked well when computers were big and expensive. But computers continue to get smaller and cheaper so we need to think of a document based use of computers to allow things to be easily transferred as convenient. With convenience being important so the hacks of rsync scripts that can work for technical users won t work for most people.

The diffoscope maintainers are pleased to announce the release of diffoscope version 265. This version includes the following changes:

[ Chris Lamb ]
* Ensure that tests with ">=" version constraints actually print the
  corresponding tool name. (Closes: reproducible-builds/diffoscope#370)
* Prevent odt2txt tests from always being skipped due to an impossibly new
  version requirement. (Closes: reproducible-builds/diffoscope#369)
* Avoid nested parens-in-parens when printing "skipping " messages
  in the testsuite.

You find out more by visiting the project homepage.

Posted on January 9, 2024

Tags: debian, free software, life

I wanted to report this issue in chromiums issue tracker, but it gave me:

Something went wrong, please try again later.

Ok, then at least let me reply to this askubuntu question. But my attempt to signup with my launchpad account gave me:

Launchpad Login Failed. Please try logging in again.

I refrain from commenting on this to not violate some code of conduct. So this is what I wanted to write:

GTK file chooser image preview size should be configurable The file chooser that appears when uploading a file (e.g. an image to Google Fotos) learned to show a preview in issue 15500. The preview image size is hard coded to 256x512 in kPreviewWidth and kPreviewHeight in ui/gtk/select_file_dialog_linux_gtk.cc. Please make the size configurable. On high DPI screens the images are too small to be of much use.

Yes, I should not use chromium anymore.

Years ago, at what I think I remember was DebConf 15, I hacked for a while on debhelper to write build-ids to debian binary control files, so that the build-id (more specifically, the ELF note .note.gnu.build-id) wound up in the Debian apt archive metadata. I ve always thought this was super cool, and seeing as how Michael Stapelberg blogged some great pointers around the ecosystem, including the fancy new debuginfod service, and the find-dbgsym-packages helper, which uses these same headers, I don t think I m the only one. At work I ve been using a lot of rust, specifically, async rust using tokio. To try and work on my style, and to dig deeper into the how and why of the decisions made in these frameworks, I ve decided to hack up a project that I ve wanted to do ever since 2015 write a debug filesystem. Let s get to it.

Back to the Future Time to admit something. I really love Plan 9. It s just so good. So many ideas from Plan 9 are just so prescient, and everything just feels right. Not just right like, feels good like, correct. The bit that I ve always liked the most is 9p, the network protocol for serving a filesystem over a network. This leads to all sorts of fun programs, like the Plan 9 ftp client being a 9p server you mount the ftp server and access files like any other files. It s kinda like if fuse were more fully a part of how the operating system worked, but fuse is all running client-side. With 9p there s a single client, and different servers that you can connect to, which may be backed by a hard drive, remote resources over something like SFTP, FTP, HTTP or even purely synthetic. The interesting (maybe sad?) part here is that 9p wound up outliving Plan 9 in terms of adoption 9p is in all sorts of places folks don t usually expect. For instance, the Windows Subsystem for Linux uses the 9p protocol to share files between Windows and Linux. ChromeOS uses it to share files with Crostini, and qemu uses 9p (virtio-p9) to share files between guest and host. If you re noticing a pattern here, you d be right; for some reason 9p is the go-to protocol to exchange files between hypervisor and guest. Why? I have no idea, except maybe due to being designed well, simple to implement, and it s a lot easier to validate the data being shared and validate security boundaries. Simplicity has its value. As a result, there s a lot of lingering 9p support kicking around. Turns out Linux can even handle mounting 9p filesystems out of the box. This means that I can deploy a filesystem to my LAN or my localhost by running a process on top of a computer that needs nothing special, and mount it over the network on an unmodified machine unlike fuse, where you d need client-specific software to run in order to mount the directory. For instance, let s mount a 9p filesystem running on my localhost machine, serving requests on 127.0.0.1:564 (tcp) that goes by the name mountpointname to /mnt.

$ mount -t 9p \
-o trans=tcp,port=564,version=9p2000.u,aname=mountpointname \
127.0.0.1 \
/mnt

Linux will mount away, and attach to the filesystem as the root user, and by default, attach to that mountpoint again for each local user that attempts to use it. Nifty, right? I think so. The server is able to keep track of per-user access and authorization along with the host OS.

WHEREIN I STYX WITH IT
"Simple" here is intended as my highest form of praise. Writing complex things is easy. Taking your work, and simplifying it down the core is the most difficult part of our work.
Since I wanted to push myself a bit more with `rust` and `tokio` specifically, I opted to implement the whole stack myself, without third party libraries on the critical path where I could avoid it. The 9p protocol (sometimes called `Styx`, the original name for it) is incredibly simple. It s a series of client to server requests, which receive a server to client response. These are, respectively, `T` messages, which `t`ransmit a request to the server, which trigger an `R` message in response (`R`eply messages). These messages are TLV payload with a very straight forward structure so straight forward, in fact, that I was able to implement a working server off nothing more than a handful of man pages.
There's also a `9P2000.L` 9p variant which has more Linux specific extensions. There's a good chance I port this forward when I get the chance.
Later on after the basics worked, I found a more complete spec page that contains more information about the unix specific variant that I opted to use (`9P2000.u` rather than `9P2000`) due to the level of `Linux` specific support for the `9P2000.u` variant over the `9P2000` protocol.

MR ROBOTO The backend stack over at zoo is rust and tokio running i/o for an HTTP and WebRTC server. I figured I d pick something fairly similar to write my filesystem with, since 9P can be implemented on basically anything with I/O. That means tokio tcp server bits, which construct and use a 9p server, which has an idiomatic Rusty API that partially abstracts the raw R and T messages, but not so much as to cause issues with hiding implementation possibilities. At each abstraction level, there s an escape hatch allowing someone to implement any of the layers if required. I called this framework arigato which can be found over on docs.rs and crates.io.

/// Simplified version of the arigato File trait; this isn't actually
/// the same trait; there's some small cosmetic differences. The
/// actual trait can be found at:
///
/// https://docs.rs/arigato/latest/arigato/server/trait.File.html
trait File  
/// OpenFile is the type returned by this File via an Open call.
 type OpenFile: OpenFile;
/// Return the 9p Qid for this file. A file is the same if the Qid is
 /// the same. A Qid contains information about the mode of the file,
 /// version of the file, and a unique 64 bit identifier.
 fn qid(&self) -> Qid;
/// Construct the 9p Stat struct with metadata about a file.
 async fn stat(&self) -> FileResult<Stat>;
/// Attempt to update the file metadata.
 async fn wstat(&mut self, s: &Stat) -> FileResult<()>;
/// Traverse the filesystem tree.
 async fn walk(&self, path: &[&str]) -> FileResult<(Option<Self>, Vec<Self>)>;
/// Request that a file's reference be removed from the file tree.
 async fn unlink(&mut self) -> FileResult<()>;
/// Create a file at a specific location in the file tree.
 async fn create(
&mut self,
name: &str,
perm: u16,
ty: FileType,
mode: OpenMode,
extension: &str,
) -> FileResult<Self>;
/// Open the File, returning a handle to the open file, which handles
 /// file i/o. This is split into a second type since it is genuinely
 /// unrelated -- and the fact that a file is Open or Closed can be
 /// handled by the  arigato  server for us.
 async fn open(&mut self, mode: OpenMode) -> FileResult<Self::OpenFile>;
 
/// Simplified version of the arigato OpenFile trait; this isn't actually
/// the same trait; there's some small cosmetic differences. The
/// actual trait can be found at:
///
/// https://docs.rs/arigato/latest/arigato/server/trait.OpenFile.html
trait OpenFile  
/// iounit to report for this file. The iounit reported is used for Read
 /// or Write operations to signal, if non-zero, the maximum size that is
 /// guaranteed to be transferred atomically.
 fn iounit(&self) -> u32;
/// Read some number of bytes up to  buf.len()  from the provided
 ///  offset  of the underlying file. The number of bytes read is
 /// returned.
 async fn read_at(
&mut self,
buf: &mut [u8],
offset: u64,
) -> FileResult<u32>;
/// Write some number of bytes up to  buf.len()  from the provided
 ///  offset  of the underlying file. The number of bytes written
 /// is returned.
 fn write_at(
&mut self,
buf: &mut [u8],
offset: u64,
) -> FileResult<u32>;

Thanks, decade ago paultag! Let s do it! Let s use arigato to implement a 9p filesystem we ll call debugfs that will serve all the debug files shipped according to the Packages metadata from the apt archive. We ll fetch the Packages file and construct a filesystem based on the reported Build-Id entries. For those who don t know much about how an apt repo works, here s the 2-second crash course on what we re doing. The first is to fetch the Packages file, which is specific to a binary architecture (such as amd64, arm64 or riscv64). That architecture is specific to a component (such as main, contrib or non-free). That component is specific to a suite, such as stable, unstable or any of its aliases (bullseye, bookworm, etc). Let s take a look at the Packages.xz file for the unstable-debug suite, main component, for all amd64 binaries.

$ curl \
https://deb.debian.org/debian-debug/dists/unstable-debug/main/binary-amd64/Packages.xz \
  unxz

This will return the Debian-style rfc2822-like headers, which is an export of the metadata contained inside each .deb file which apt (or other tools that can use the apt repo format) use to fetch information about debs. Let s take a look at the debug headers for the netlabel-tools package in unstable which is a package named netlabel-tools-dbgsym in unstable-debug.

Package: netlabel-tools-dbgsym
Source: netlabel-tools (0.30.0-1)
Version: 0.30.0-1+b1
Installed-Size: 79
Maintainer: Paul Tagliamonte <paultag@debian.org>
Architecture: amd64
Depends: netlabel-tools (= 0.30.0-1+b1)
Description: debug symbols for netlabel-tools
Auto-Built-Package: debug-symbols
Build-Ids: e59f81f6573dadd5d95a6e4474d9388ab2777e2a
Description-md5: a0e587a0cf730c88a4010f78562e6db7
Section: debug
Priority: optional
Filename: pool/main/n/netlabel-tools/netlabel-tools-dbgsym_0.30.0-1+b1_amd64.deb
Size: 62776
SHA256: 0e9bdb087617f0350995a84fb9aa84541bc4df45c6cd717f2157aa83711d0c60

So here, we can parse the package headers in the Packages.xz file, and store, for each Build-Id, the Filename where we can fetch the .deb at. Each .deb contains a number of files but we re only really interested in the files inside the .deb located at or under /usr/lib/debug/.build-id/, which you can find in debugfs under rfc822.rs. It s crude, and very single-purpose, but I m feeling a bit lazy.

Who needs dpkg?! For folks who haven t seen it yet, a .deb file is a special type of .ar file, that contains (usually) three files inside debian-binary, control.tar.xz and data.tar.xz. The core of an .ar file is a fixed size (60 byte) entry header, followed by the specified size number of bytes.

[8 byte .ar file magic]
[60 byte entry header]
[N bytes of data]
[60 byte entry header]
[N bytes of data]
[60 byte entry header]
[N bytes of data]
...

First up was to implement a basic ar parser in ar.rs. Before we get into using it to parse a deb, as a quick diversion, let s break apart a .deb file by hand something that is a bit of a rite of passage (or at least it used to be? I m getting old) during the Debian nm (new member) process, to take a look at where exactly the .debug file lives inside the .deb file.

$ ar x netlabel-tools-dbgsym_0.30.0-1+b1_amd64.deb
$ ls
control.tar.xz debian-binary
data.tar.xz netlabel-tools-dbgsym_0.30.0-1+b1_amd64.deb
$ tar --list -f data.tar.xz   grep '.debug$'
./usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug

Since we know quite a bit about the structure of a .deb file, and I had to implement support from scratch anyway, I opted to implement a (very!) basic debfile parser using HTTP Range requests. HTTP Range requests, if supported by the server (denoted by a accept-ranges: bytes HTTP header in response to an HTTP HEAD request to that file) means that we can add a header such as range: bytes=8-68 to specifically request that the returned GET body be the byte range provided (in the above case, the bytes starting from byte offset 8 until byte offset 68). This means we can fetch just the ar file entry from the .deb file until we get to the file inside the .deb we are interested in (in our case, the data.tar.xz file) at which point we can request the body of that file with a final range request. I wound up writing a struct to handle a read_at-style API surface in hrange.rs, which we can pair with ar.rs above and start to find our data in the .deb remotely without downloading and unpacking the .deb at all. After we have the body of the data.tar.xz coming back through the HTTP response, we get to pipe it through an xz decompressor (this kinda sucked in Rust, since a tokio AsyncRead is not the same as an http Body response is not the same as std::io::Read, is not the same as an async (or sync) Iterator is not the same as what the xz2 crate expects; leading me to read blocks of data to a buffer and stuff them through the decoder by looping over the buffer for each lzma2 packet in a loop), and tarfile parser (similarly troublesome). From there we get to iterate over all entries in the tarfile, stopping when we reach our file of interest. Since we can t seek, but gdb needs to, we ll pull it out of the stream into a Cursor<Vec<u8>> in-memory and pass a handle to it back to the user. From here on out its a matter of gluing together a File traited struct in debugfs, and serving the filesystem over TCP using arigato. Done deal!

A quick diversion about compression I was originally hoping to avoid transferring the whole tar file over the network (and therefore also reading the whole debug file into ram, which objectively sucks), but quickly hit issues with figuring out a way around seeking around an `xz` file. What s interesting is `xz` has a great primitive to solve this specific problem (specifically, use a block size that allows you to seek to the block as close to your desired seek position just before it, only discarding at most `block size - 1` bytes), but `data.tar.xz` files generated by `dpkg` appear to have a single mega-huge block for the whole file. I don t know why I would have expected any different, in retrospect. That means that this now devolves into the base case of How do I seek around an `lzma2` compressed data stream ; which is a lot more complex of a question.
After going through a lot of this, I realized just how complex the xz format is -- it's a lot more than just lzma2!
Thankfully, notoriously brilliant tianon was nice enough to introduce me to Jon Johnson who did something super similar adapted a technique to seek inside a compressed `gzip` file, which lets his service oci.dag.dev seek through Docker container images super fast based on some prior work such as `soci-snapshotter`, `gztool`, and zran.c. He also pulled this party trick off for apk based distros over at apk.dag.dev, which seems apropos. Jon was nice enough to publish a lot of his work on this specifically in a central place under the name targz on his GitHub, which has been a ton of fun to read through. The gist is that, by dumping the decompressor s state (window of previous bytes, in-memory data derived from the last `N-1 bytes`) at specific checkpoints along with the compressed data stream offset in bytes and decompressed offset in bytes, one can seek to that checkpoint in the compressed stream and pick up where you left off creating a similar block mechanism against the wishes of gzip. It means you d need to do an `O(n)` run over the file, but every request after that will be sped up according to the number of checkpoints you ve taken. Given the complexity of `xz` and `lzma2`, I don t think this is possible for me at the moment especially given most of the files I ll be requesting will not be loaded from again especially when I can just cache the debug header by `Build-Id`. I want to implement this (because I m generally curious and Jon has a way of getting someone excited about compression schemes, which is not a sentence I thought I d ever say out loud), but for now I m going to move on without this optimization. Such a shame, since it kills a lot of the work that went into seeking around the `.deb` file in the first place, given the `debian-binary` and `control.tar.gz` members are so small.

The Good First, the good news right? It works! That s pretty cool. I m positive my younger self would be amused and happy to see this working; as is current day paultag. Let s take debugfs out for a spin! First, we need to mount the filesystem. It even works on an entirely unmodified, stock Debian box on my LAN, which is huge. Let s take it for a spin:

$ mount \
-t 9p \
-o trans=tcp,version=9p2000.u,aname=unstable-debug \
192.168.0.2 \
/usr/lib/debug/.build-id/

And, let s prove to ourselves that this actually mounted before we go trying to use it:

$ mount   grep build-id
192.168.0.2 on /usr/lib/debug/.build-id type 9p (rw,relatime,aname=unstable-debug,access=user,trans=tcp,version=9p2000.u,port=564)

Slick. We ve got an open connection to the server, where our host will keep a connection alive as root, attached to the filesystem provided in aname. Let s take a look at it.

$ ls /usr/lib/debug/.build-id/
00 0d 1a 27 34 41 4e 5b 68 75 82 8E 9b a8 b5 c2 CE db e7 f3
01 0e 1b 28 35 42 4f 5c 69 76 83 8f 9c a9 b6 c3 cf dc E7 f4
02 0f 1c 29 36 43 50 5d 6a 77 84 90 9d aa b7 c4 d0 dd e8 f5
03 10 1d 2a 37 44 51 5e 6b 78 85 91 9e ab b8 c5 d1 de e9 f6
04 11 1e 2b 38 45 52 5f 6c 79 86 92 9f ac b9 c6 d2 df ea f7
05 12 1f 2c 39 46 53 60 6d 7a 87 93 a0 ad ba c7 d3 e0 eb f8
06 13 20 2d 3a 47 54 61 6e 7b 88 94 a1 ae bb c8 d4 e1 ec f9
07 14 21 2e 3b 48 55 62 6f 7c 89 95 a2 af bc c9 d5 e2 ed fa
08 15 22 2f 3c 49 56 63 70 7d 8a 96 a3 b0 bd ca d6 e3 ee fb
09 16 23 30 3d 4a 57 64 71 7e 8b 97 a4 b1 be cb d7 e4 ef fc
0a 17 24 31 3e 4b 58 65 72 7f 8c 98 a5 b2 bf cc d8 E4 f0 fd
0b 18 25 32 3f 4c 59 66 73 80 8d 99 a6 b3 c0 cd d9 e5 f1 fe
0c 19 26 33 40 4d 5a 67 74 81 8e 9a a7 b4 c1 ce da e6 f2 ff

Outstanding. Let s try using gdb to debug a binary that was provided by the Debian archive, and see if it ll load the ELF by build-id from the right .deb in the unstable-debug suite:

$ gdb -q /usr/sbin/netlabelctl
Reading symbols from /usr/sbin/netlabelctl...
Reading symbols from /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug...
(gdb)

Yes! Yes it will!

$ file /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug
/usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter *empty*, BuildID[sha1]=e59f81f6573dadd5d95a6e4474d9388ab2777e2a, for GNU/Linux 3.2.0, with debug_info, not stripped

The Bad Linux s support for `9p` is mainline, which is great, but it s not robust. Network issues or server restarts will wedge the mountpoint (Linux can t reconnect when the tcp connection breaks), and things that work fine on local filesystems get translated in a way that causes a lot of network chatter for instance, just due to the way the syscalls are translated, doing an `ls`, will result in a `stat` call for each file in the directory, even though linux had just got a `stat` entry for every file while it was resolving directory names. On top of that, Linux will serialize all I/O with the server, so there s no concurrent requests for file information, writes, or reads pending at the same time to the server; and `read` and `write` throughput will degrade as latency increases due to increasing round-trip time, even though there are offsets included in the `read` and `write` calls. It works well enough, but is frustrating to run up against, since there s not a lot you can do server-side to help with this beyond implementing the `9P2000.L` variant (which, maybe is worth it).

The Ugly Unfortunately, we don t know the file size(s) until we ve actually opened the underlying tar file and found the correct member, so for most files, we don t know the real size to report when getting a stat. We can t parse the tarfiles for every stat call, since that d make ls even slower (bummer). Only hiccup is that when I report a filesize of zero, gdb throws a bit of a fit; let s try with a size of 0 to start:

$ ls -lah /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug
-r--r--r-- 1 root root 0 Dec 31 1969 /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug
$ gdb -q /usr/sbin/netlabelctl
Reading symbols from /usr/sbin/netlabelctl...
Reading symbols from /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug...
warning: Discarding section .note.gnu.build-id which has a section size (24) larger than the file size [in module /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug]
[...]

This obviously won t work since gdb will throw away all our hard work because of stat s output, and neither will loading the real size of the underlying file. That only leaves us with hardcoding a file size and hope nothing else breaks significantly as a result. Let s try it again:

$ ls -lah /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug
-r--r--r-- 1 root root 954M Dec 31 1969 /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug
$ gdb -q /usr/sbin/netlabelctl
Reading symbols from /usr/sbin/netlabelctl...
Reading symbols from /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug...
(gdb)

Much better. I mean, terrible but better. Better for now, anyway.

Kilroy was here Do I think this is a particularly good idea? I mean; kinda. I m probably going to make some fun `9p` `arigato`-based filesystems for use around my LAN, but I don t think I ll be moving to use `debugfs` until I can figure out how to ensure the connection is more resilient to changing networks, server restarts and fixes on i/o performance. I think it was a useful exercise and is a pretty great hack, but I don t think this ll be shipping anywhere anytime soon. Along with me publishing this post, I ve pushed up all my repos; so you should be able to play along at home! There s a lot more work to be done on `arigato`; but it does handshake and successfully export a working `9P2000.u` filesystem. Check it out on on my github at arigato, debugfs and also on crates.io and docs.rs. At least I can say I was here and I got it working after all these years.

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In March, 19 contributors have been paid to work on Debian LTS, their reports are available:

Abhijith PA did 0.0h (out of 10.0h assigned and 4.0h from previous period), thus carrying over 14.0h to the next month.

Adrian Bunk did 59.5h (out of 47.5h assigned and 52.5h from previous period), thus carrying over 40.5h to the next month.

Bastien Roucari s did 22.0h (out of 20.0h assigned and 2.0h from previous period).

Ben Hutchings did 9.0h (out of 2.0h assigned and 22.0h from previous period), thus carrying over 15.0h to the next month.

Chris Lamb did 18.0h (out of 18.0h assigned).

Daniel Leidert did 12.0h (out of 12.0h assigned).

Emilio Pozuelo Monfort did 0.0h (out of 3.0h assigned and 57.0h from previous period), thus carrying over 60.0h to the next month.

Guilhem Moulin did 22.5h (out of 7.25h assigned and 15.25h from previous period).

Holger Levsen did 0.0h (out of 0.5h assigned and 11.5h from previous period), thus carrying over 12.0h to the next month.

Lee Garrett did 0.0h (out of 0.0h assigned and 60.0h from previous period), thus carrying over 60.0h to the next month.

Markus Koschany did 40.0h (out of 40.0h assigned).

Ola Lundqvist did 19.5h (out of 24.0h assigned), thus carrying over 4.5h to the next month.

Roberto C. S nchez did 9.25h (out of 3.5h assigned and 8.5h from previous period), thus carrying over 2.75h to the next month.

Santiago Ruano Rinc n did 19.0h (out of 16.5h assigned and 2.5h from previous period).

Sean Whitton did 4.5h (out of 4.5h assigned and 1.5h from previous period), thus carrying over 1.5h to the next month.

Sylvain Beucler did 25.0h (out of 24.5h assigned and 35.5h from previous period), thus carrying over 35.0h to the next month.

Thorsten Alteholz did 14.0h (out of 14.0h assigned).

Tobias Frost did 12.0h (out of 12.0h assigned).

Utkarsh Gupta did 19.5h (out of 0.0h assigned and 48.75h from previous period), thus carrying over 29.25h to the next month.

Evolution of the situation In March, we have released 31 DLAs. Adrian Bunk was responsible for updating gtkwave not only in LTS, but also in unstable, stable, and old-stable as well. This update involved an upload of a new upstream release of gtkwave to each target suite to address 82 separate CVEs. Guilhem Moulin prepared an update of libvirt which was particularly notable, as it fixed multiple vulnerabilities which would lead to denial of service or information disclosure. In addition to the normal security updates, multiple LTS contributors worked at getting various packages updated in more recent Debian releases, including gross for bullseye/bookworm (by Adrian Bunk), imlib2 for bullseye, jetty9 and tomcat9/10 for bullseye/bookworm (by Markus Koschany), samba for bullseye, py7zr for bullseye (by Santiago Ruano Rinc n), cacti for bullseye/bookwork (by Sylvain Beucler), and libmicrohttpd for bullseye (by Thorsten Alteholz). Additionally, Sylvain actively coordinated with cacti upstream concerning an incomplete fix for CVE-2024-29894.

Thanks to our sponsors Sponsors that joined recently are in bold.

Platinum sponsors:

TOSHIBA (for 103 months)

Civil Infrastructure Platform (CIP) (for 71 months)

Gold sponsors:

Roche Diagnostics International AG (for 114 months)

Linode (for 108 months)

Babiel GmbH (for 97 months)

Plat Home (for 97 months)

CINECA (for 71 months)

University of Oxford (for 53 months)

Deveryware (for 40 months)

VyOS Inc (for 35 months)

EDF SA (for 24 months)

Silver sponsors:

Domeneshop AS (for 118 months)

Nantes M tropole (for 112 months)

Univention GmbH (for 104 months)

Universit Jean Monnet de St Etienne (for 104 months)

Ribbon Communications, Inc. (for 98 months)

Exonet B.V. (for 88 months)

Leibniz Rechenzentrum (for 82 months)

Minist re de l Europe et des Affaires trang res (for 65 months)

Cloudways by DigitalOcean (for 55 months)

Dinahosting SL (for 53 months)

Bauer Xcel Media Deutschland KG (for 47 months)

Platform.sh SAS (for 47 months)

Moxa Inc. (for 41 months)

sipgate GmbH (for 38 months)

OVH US LLC (for 36 months)

Tilburg University (for 36 months)

GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 28 months)

Soliton Systems K.K. (for 25 months)

THINline s.r.o.

Bronze sponsors:

Evolix (for 119 months)

Seznam.cz, a.s. (for 119 months)

Intevation GmbH (for 116 months)

Linuxhotel GmbH (for 116 months)

Daevel SARL (for 114 months)

Bitfolk LTD (for 113 months)

Megaspace Internet Services GmbH (for 113 months)

Greenbone AG (for 112 months)

NUMLOG (for 112 months)

WinGo AG (for 112 months)

Ecole Centrale de Nantes - LHEEA (for 108 months)

Entr ouvert (for 103 months)

Adfinis AG (for 100 months)

GNI MEDIA (for 95 months)

Laboratoire LEGI - UMR 5519 / CNRS (for 95 months)

Tesorion (for 95 months)

Bearstech (for 86 months)

LiHAS (for 86 months)

Catalyst IT Ltd (for 81 months)

Supagro (for 76 months)

Demarcq SAS (for 75 months)

Universit Grenoble Alpes (for 61 months)

TouchWeb SAS (for 53 months)

SPiN AG (for 50 months)

CoreFiling (for 45 months)

Institut des sciences cognitives Marc Jeannerod (for 40 months)

Observatoire des Sciences de l Univers de Grenoble (for 37 months)

Tem Innovations GmbH (for 32 months)

WordFinder.pro (for 31 months)

CNRS DT INSU R sif (for 30 months)

Alter Way (for 23 months)

Institut Camille Jordan (for 12 months)

Contributing to Debian is part of Freexian s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services. P.S. We ve completed over a year of writing these blogs. If you have any suggestions on how to make them better or what you d like us to cover, or any other opinions/reviews you might have, et al, please let us know by dropping an email to us. We d be happy to hear your thoughts. :)

SSO Authentication for jitsi.debian.social, by Stefano Rivera Debian.social s jitsi instance has been getting some abuse by (non-Debian) people sharing sexually explicit content on the service. After playing whack-a-mole with this for a month, and shutting the instance off for another month, we opened it up again and the abuse immediately re-started. Stefano sat down and wrote an SSO Implementation that hooks into Jitsi s existing JWT SSO support. This requires everyone using jitsi.debian.social to have a Salsa account. With only a little bit of effort, we could change this in future, to only require an account to open a room, and allow guests to join the call.

/usr-move, by Helmut Grohne The biggest task this month was sending mitigation patches for all of the /usr-move issues arising from package renames due to the 2038 transition. As a result, we can now say that every affected package in unstable can either be converted with `dh-sequence-movetousr` or has an open bug report. The package set relevant to `debootstrap` except for the set that has to be uploaded concurrently has been moved to /usr and is awaiting migration. The move of `coreutils` happened to affect `piuparts` which hard codes the location of `/bin/sync` and received multiple updates as a result.

Miscellaneous contributions

Stefano Rivera uploaded a stable release update to python3.11 for bookworm, fixing a use-after-free crash.

Stefano uploaded a new version of python-html2text, and updated python3-defaults to build with it.

In support of Python 3.12, Stefano dropped distutils as a Build-Dependency from a few packages, and uploaded a complex set of patches to python-mitogen.

Stefano landed some merge requests to clean up dead code in dh-python, removed the flit plugin, and uploaded it.

Stefano uploaded new upstream versions of twisted, hatchling, python-flexmock, python-authlib, python mitogen, python-pipx, and xonsh.

Stefano requested removal of a few packages supporting the Opsis HDMI2USB hardware that DebConf Video team used to use for HDMI capture, as they are not being maintained upstream. They started to FTBFS, with recent sdcc changes.

DebConf 24 is getting ready to open registration, Stefano spent some time fixing bugs in the website, caused by infrastructure updates.

Stefano reviewed all the DebConf 23 travel reimbursements, filing requests for more information from SPI where our records mismatched.

Stefano spun up a Wafer website for the Berlin 2024 mini DebConf.

Roberto C. S nchez worked on facilitating the transfer of upstream maintenance responsibility for the dormant Shorewall project to a new team led by the current maintainer of the Shorewall packages in Debian.

Colin Watson fixed build failures in celery-haystack-ng, db1-compat, jsonpickle, libsdl-perl, kali, knews, openssh-ssh1, python-json-log-formatter, python-typing-extensions, trn4, vigor, and wcwidth. Some of these were related to the 64-bit time_t transition, since that involved enabling `-Werror=implicit-function-declaration`.

Colin fixed an off-by-one error in neovim, which was already causing a build failure in Ubuntu and would eventually have caused a build failure in Debian with stricter toolchain settings.

Colin added an sshd@.service template to openssh to help newer systemd versions make containers and VMs SSH-accessible over AF_VSOCK sockets.

Following the xz-utils backdoor, Colin spent some time testing and discussing OpenSSH upstream s proposed inline systemd notification patch, since the current implementation via libsystemd was part of the attack vector used by that backdoor.

Utkarsh reviewed and sponsored some Go packages for Lena Voytek and Rajudev.

Utkarsh also helped Mitchell Dzurick with the adoption of pyparted package.

Helmut sent 10 patches for cross build failures.

Helmut partially fixed architecture cross bootstrap tooling to deal with changes in `linux-libc-dev` and the recent `gcc-for-host` changes and also fixed a 64bit-time_t FTBFS in `libtextwrap`.

Thorsten Alteholz uploaded several packages from debian-printing: cjet, lprng, rlpr and epson-inkjet-printer-escpr were affected by the newly enabled compiler switch -Werror=implicit-function-declaration. Besides fixing these serious bugs, Thorsten also worked on other bugs and could fix one or the other.

Carles updated simplemonitor and python-ring-doorbell packages with new upstream versions.

Santiago is still working on the Salsa CI MRs to adapt the build jobs so they can rely on sbuild. Current work includes adapting the images used by the build job, implementing the basic sbuild support the related jobs, and adjusting the support for experimental and *-backports releases..
Additionally, Santiago reviewed some MR such as Make timeout action explicit in the logs and the subsequent Implement conditional timeout verbosity, and the batch of MRs included in https://salsa.debian.org/salsa-ci-team/pipeline/-/merge_requests/482.

Santiago also reviewed applications for the improving Salsa CI in Debian GSoC 2024 project. We received applications from four very talented candidates. The selection process is currently ongoing. A huge thanks to all of them!

As part of the DebConf 24 organization, Santiago has taken part in the Content team discussions.

The diffoscope maintainers are pleased to announce the release of diffoscope version 264. This version includes the following changes:

[ Chris Lamb ]
* Don't crash on invalid zipfiles, even if we encounter 'badness'
  halfway through the file. (Re: #1068705)
[ FC (Fay) Stegerman ]
* Fix a crash when there are (invalid) duplicate entries in .zip files.
  (Closes: #1068705)
* Add note when there are duplicate entries in ZIP files.
  (Closes: reproducible-builds/diffoscope!140)
[ Vagrant Cascadian ]
* Add an external tool reference for GNU Guix for zipdetails.

You find out more by visiting the project homepage.

Welcome to the March 2024 report from the Reproducible Builds project! In our reports, we attempt to outline what we have been up to over the past month, as well as mentioning some of the important things happening more generally in software supply-chain security. As ever, if you are interested in contributing to the project, please visit our Contribute page on our website. Table of contents:

Arch Linux minimal container userland now 100% reproducible In remarkable news, Reproducible builds developer kpcyrd reported that that the Arch Linux minimal container userland is now 100% reproducible after work by developers dvzv and Foxboron on the one remaining package. This represents a real world , widely-used Linux distribution being reproducible. Their post, which kpcyrd suffixed with the question now what? , continues on to outline some potential next steps, including validating whether the container image itself could be reproduced bit-for-bit. The post, which was itself a followup for an Arch Linux update earlier in the month, generated a significant number of replies.

Validating Debian s build infrastructure after the XZ backdoor From our mailing list this month, Vagrant Cascadian wrote about being asked about trying to perform concrete reproducibility checks for recent Debian security updates, in an attempt to gain some confidence about Debian s build infrastructure given that they performed builds in environments running the high-profile XZ vulnerability. Vagrant reports (with some caveats):
So far, I have not found any reproducibility issues; everything I tested I was able to get to build bit-for-bit identical with what is in the Debian archive.
That is to say, reproducibility testing permitted Vagrant and Debian to claim with some confidence that builds performed when this vulnerable version of XZ was installed were not interfered with.

Making Fedora Linux (more) reproducible In March, Davide Cavalca gave a talk at the 2024 Southern California Linux Expo (aka SCALE 21x) about the ongoing effort to make the Fedora Linux distribution reproducible. Documented in more detail on Fedora s website, the talk touched on topics such as the specifics of implementing reproducible builds in Fedora, the challenges encountered, the current status and what s coming next. (YouTube video)

Increasing Trust in the Open Source Supply Chain with Reproducible Builds and Functional Package Management Julien Malka published a brief but interesting paper in the HAL open archive on Increasing Trust in the Open Source Supply Chain with Reproducible Builds and Functional Package Management:
Functional package managers (FPMs) and reproducible builds (R-B) are technologies and methodologies that are conceptually very different from the traditional software deployment model, and that have promising properties for software supply chain security. This thesis aims to evaluate the impact of FPMs and R-B on the security of the software supply chain and propose improvements to the FPM model to further improve trust in the open source supply chain. PDF
Julien s paper poses a number of research questions on how the model of distributions such as GNU Guix and NixOS can be leveraged to further improve the safety of the software supply chain , etc.

Software and source code identification with GNU Guix and reproducible builds In a long line of commendably detailed blog posts, Ludovic Court s, Maxim Cournoyer, Jan Nieuwenhuizen and Simon Tournier have together published two interesting posts on the GNU Guix blog this month. In early March, Ludovic Court s, Maxim Cournoyer, Jan Nieuwenhuizen and Simon Tournier wrote about software and source code identification and how that might be performed using Guix, rhetorically posing the questions: What does it take to identify software ? How can we tell what software is running on a machine to determine, for example, what security vulnerabilities might affect it? Later in the month, Ludovic Court s wrote a solo post describing adventures on the quest for long-term reproducible deployment. Ludovic s post touches on GNU Guix s aim to support time travel , the ability to reliably (and reproducibly) revert to an earlier point in time, employing the iconic image of Harold Lloyd hanging off the clock in Safety Last! (1925) to poetically illustrate both the slapstick nature of current modern technology and the gymnastics required to navigate hazards of our own making.

Two new Rust-based tools for post-processing determinism Zbigniew J drzejewski-Szmek announced add-determinism, a work-in-progress reimplementation of the Reproducible Builds project s own strip-nondeterminism tool in the Rust programming language, intended to be used as a post-processor in RPM-based distributions such as Fedora In addition, Yossi Kreinin published a blog post titled refix: fast, debuggable, reproducible builds that describes a tool that post-processes binaries in such a way that they are still debuggable with gdb, etc.. Yossi post details the motivation and techniques behind the (fast) performance of the tool.

Distribution work In Debian this month, since the testing framework no longer varies the build path, James Addison performed a bulk downgrade of the bug severity for issues filed with a level of `normal` to a new level of `wishlist`. In addition, 28 reviews of Debian packages were added, 38 were updated and 23 were removed this month adding to ever-growing knowledge about identified issues. As part of this effort, a number of issue types were updated, including Chris Lamb adding a new `ocaml_include_directories` toolchain issue [ ] and James Addison adding a new `filesystem_order_in_java_jar_manifest_mf_include_resource` issue [ ] and updating the `random_uuid_in_notebooks_generated_by_nbsphinx` to reference a relevant discussion thread [ ]. In addition, Roland Clobus posted his 24th status update of reproducible Debian ISO images. Roland highlights that the images for Debian unstable often cannot be generated due to changes in that distribution related to the 64-bit `time_t` transition. Lastly, Bernhard M. Wiedemann posted another monthly update for his reproducibility work in openSUSE.

Mailing list highlights Elsewhere on our mailing list this month:

Alexander Railean of Siemens asked the list to aid in understanding how one can independently verify the reproducibility of Java projects from the Maven Central repository. Having explored those repositories, Alexander could not find examples where the `buildinfo` file was present. Arnout Engelen responded with some details.

Fay Stegerman resuscitated a long-dormant thread to report that she added support in her `diff-zip-meta.py` tool to expose extra timestamps embedded in `.zip` and `.apk` metadata.

Website updates There were made a number of improvements to our website this month, including:

Pol Dellaiera noticed the frequent need to correctly cite the website itself in academic work. To facilitate easier citation across multiple formats, Pol contributed a Citation File Format (CIF) file. As a result, an export in BibTeX format is now available in the Academic Publications section. Pol encourages community contributions to further refine the `CITATION.cff` file. Pol also added an substantial new section to the buy in page documenting the role of Software Bill of Materials (SBOMs) and ephemeral development environments. [ ][ ]

Bernhard M. Wiedemann added a new commandments page to the documentation [ ][ ] and fixed some incorrect YAML elsewhere on the site [ ].

Chris Lamb add three recent academic papers to the publications page of the website. [ ]

Mattia Rizzolo and Holger Levsen collaborated to add Infomaniak as a sponsor of `amd64` virtual machines. [ ][ ][ ]

Roland Clobus updated the stable outputs page, dropping version numbers from Python documentation pages [ ] and noting that Python s `set` data structure is also affected by the `PYTHONHASHSEED` functionality. [ ]

Delta chat clients now reproducible Delta Chat, an open source messaging application that can work over email, announced this month that the Rust-based core library underlying Delta chat application is now reproducible.

diffoscope diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes such as uploading versions `259`, `260` and `261` to Debian and made the following additional changes:

New features:

Add support for the `zipdetails` tool from the Perl distribution. Thanks to Fay Stegerman and Larry Doolittle et al. for the pointer and thread about this tool. [ ]

Bug fixes:

Don t identify Redis database dumps as GNU R database files based simply on their filename. [ ]

Add a missing call to `File.recognizes` so we actually perform the filename check for GNU R data files. [ ]

Don t crash if we encounter an `.rdb` file without an equivalent `.rdx` file. (#1066991)

Correctly check for 7z being available and not lz4 when testing 7z. [ ]

Prevent a traceback when comparing a contentful `.pyc` file with an empty one. [ ]

Testsuite improvements:

Fix `.epub` tests after supporting the new `zipdetails` tool. [ ]

Don t use parenthesis within test skipping messages, as PyTest adds its own parenthesis. [ ]

Factor out Python version checking in `test_zip.py`. [ ]

Skip some Zip-related tests under Python 3.10.14, as a potential regression may have been backported to the 3.10.x series. [ ]

Actually test 7z support in the test_7z set of tests, not the lz4 functionality. (Closes: reproducible-builds/diffoscope#359). [ ]

In addition, Fay Stegerman updated diffoscope s monkey patch for supporting the unusual Mozilla ZIP file format after Python s `zipfile` module changed to detect potentially insecure overlapping entries within `.zip` files. (#362) Chris Lamb also updated the `trydiffoscope` command line client, dropping a build-dependency on the deprecated `python3-distutils` package to fix Debian bug #1065988 [ ], taking a moment to also refresh the packaging to the latest Debian standards [ ]. Finally, Vagrant Cascadian submitted an update for diffoscope version 260 in GNU Guix. [ ]

Upstream patches This month, we wrote a large number of patches, including:

Bernhard M. Wiedemann:

`helm` (SSL-related build failure)

`java-21-openjdk` (parallelism)

`libressl` (SSL-related build failure)

`nfdump` (date issue)

`python-django-q` (avoid stuck build)

`python-smart-open` (fails to build on single-CPU machines)

`python-stdnum` (fails to build in 2039)

`python-yarl` (regression)

`qemu` (build failure)

`rabbitmq-java-client` (with Fridrich Strba; Maven timestamp issue)

`rmw` (build fails in 2038)

`warewulf` (with Egbert Eich; `cpio` modification time and inode issue)

`wxWidgets` (fails to build in 2038)

Chris Lamb:

#1066042 filed against `python-quantities`.

#1066083 filed against `gnome-maps`.

#1066084 filed against `tox`.

#1066085 filed against `q2cli`.

#1067098 filed against `mpl-sphinx-theme`.

#1067099 filed against `woof-doom`.

#1067100 filed against `bochs`.

#1067101 filed against `storm-lang`.

#1067102 filed against `librsvg`.

#1067218 filed against `gretl`.

#1067483 filed against `postfix`.

#1067484 filed against `node-function-bind`.

#1067485 filed against `python-pysaml2`.

#1067947 filed against `golang-github-stvp-tempredis`.

James Addison:

#1065124 filed against `matplotlib`.

#1066014 filed against `pathos`.

#1066016 filed against `rdflib`.

#1066017 filed against `xonsh`.

#1066045 filed against `maven-bundle-plugin`. (This patch was then uploaded by Mattia Rizzollo.)

Ji Techet:

`geany` (toolchain-related issue for `glfw`)

Bernhard M. Wiedemann used reproducibility-tooling to detect and fix packages that added changes in their `%check` section, thus failing when built with the `--no-checks` option. Only half of all openSUSE packages were tested so far, but a large number of bugs were filed, including ones against `caddy`, `exiv2`, `gnome-disk-utility`, `grisbi`, `gsl`, `itinerary`, `kosmindoormap`, `libQuotient`, `med-tools`, `plasma6-disks`, `pspp`, `python-pypuppetdb`, `python-urlextract`, `rsync`, `vagrant-libvirt` and `xsimd`. Similarly, Jean-Pierre De Jesus DIAZ employed reproducible builds techniques in order to test a proposed refactor of the `ath9k-htc-firmware` package. As the change produced bit-for-bit identical binaries to the previously shipped pre-built binaries:
I don t have the hardware to test this firmware, but the build produces the same hashes for the firmware so it s safe to say that the firmware should keep working.

Reproducibility testing framework The Reproducible Builds project operates a comprehensive testing framework running primarily at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility. In March, an enormous number of changes were made by Holger Levsen:

Debian-related changes:

Sleep less after a so-called 404 package state has occurred. [ ]

Schedule package builds more often. [ ][ ]

Regenerate all our HTML indexes every hour, but only every 12h for the released suites. [ ]

Create and update unstable and experimental base systems on `armhf` again. [ ][ ]

Don t reschedule so many depwait packages due to the current size of the `i386` architecture queue. [ ]

Redefine our scheduling thresholds and amounts. [ ]

Schedule untested packages with a higher priority, otherwise slow architectures cannot keep up with the experimental distribution growing. [ ]

Only create the `stats_buildinfo.png` graph once per day. [ ][ ]

Reproducible Debian dashboard: refactoring, update several more static stats only every 12h. [ ]

Document how to use `systemctl` with new systemd-based services. [ ]

Temporarily disable `armhf` and `i386` continuous integration tests in order to get some stability back. [ ]

Use the `deb.debian.org` CDN everywhere. [ ]

Remove the rsyslog logging facility on bookworm systems. [ ]

Add `zst` to the list of packages which are false-positive diskspace issues. [ ]

Detect failures to bootstrap Debian base systems. [ ]

Arch Linux-related changes:

Temporarily disable builds because the pacman package manager is broken. [ ][ ]

Split `reproducible_html_live_status` and split the scheduling timing . [ ][ ][ ]

Improve handling when database is locked. [ ][ ]

Misc changes:

Show failed services that require manual cleanup. [ ][ ]

Integrate two new Infomaniak nodes. [ ][ ][ ][ ]

Improve IRC notifications for artifacts. [ ]

Run diffoscope in different systemd slices. [ ]

Run the node health check more often, as it can now repair some issues. [ ][ ]

Also include the string `Bot` in the `userAgent` for Git. (Re: #929013). [ ]

Document increased `tmpfs` size on our OUSL nodes. [ ]

Disable memory account for the `reproducible_build` service. [ ][ ]

Allow 10 times as many open files for the Jenkins service. [ ]

Set `OOMPolicy=continue` and `OOMScoreAdjust=-1000` for both the Jenkins and the `reproducible_build` service. [ ]

Mattia Rizzolo also made the following changes:

Debian-related changes:

Define a `systemd` slice to group all relevant services. [ ][ ]

Add a bunch of quotes in scripts to assuage the `shellcheck` tool. [ ]

Add stats on how many packages have been built today so far. [ ]

Instruct `systemd-run` to handle diffoscope s exit codes specially. [ ]

Prefer the `pgrep` tool over grepping the output of `ps`. [ ]

Re-enable a couple of `i386` and `armhf` architecture builders. [ ][ ]

Fix some stylistic issues flagged by the Python flake8 tool. [ ]

Cease scheduling Debian unstable and experimental on the `armhf` architecture due to the `time_t` transition. [ ]

Start a few more `i386` & `armhf` workers. [ ][ ][ ]

Temporarly skip `pbuilder` updates in the unstable distribution, but only on the `armhf` architecture. [ ]

Other changes:

Perform some large-scale refactoring on how the `systemd` service operates. [ ][ ]

Move the list of workers into a separate file so it s accessible to a number of scripts. [ ]

Refactor the `powercycle_x86_nodes.py` script to use the new IONOS API and its new Python bindings. [ ]

Also fix nph-logwatch after the worker changes. [ ]

Do not install the `stunnel` tool anymore, it shouldn t be needed by anything anymore. [ ]

Move temporary directories related to Arch Linux into a single directory for clarity. [ ]

Update the `arm64` architecture host keys. [ ]

Use a common Postfix configuration. [ ]

The following changes were also made by:

Jan-Benedict Glaw:

Initial work to clean up a messy NetBSD-related script. [ ][ ]

Roland Clobus:

Show the installer log if the installer fails to build. [ ]

Avoid the minus character (i.e. `-`) in a variable in order to allow for tags in openQA. [ ]

Update the schedule of Debian live image builds. [ ]

Vagrant Cascadian:

Maintenance on the `virt` nodes is completed so bring them back online. [ ]

Use the fully qualified domain name in configuration. [ ]

Node maintenance was also performed by Holger Levsen, Mattia Rizzolo [ ][ ] and Vagrant Cascadian [ ][ ][ ][ ]

If you are interested in contributing to the Reproducible Builds project, please visit our Contribute* page on our website. However, you can get in touch with us via:

IRC: `#reproducible-builds` on `irc.oftc.net`.

Twitter: @ReproBuilds

Mastodon: @reproducible_builds@fosstodon.org

Mailing list: `rb-general@lists.reproducible-builds.org`

Getting the Belgian eID to work on Linux systems should be fairly easy, although some people do struggle with it. For that reason, there is a lot of third-party documentation out there in the form of blog posts, wiki pages, and other kinds of things. Unfortunately, some of this documentation is simply wrong. Written by people who played around with things until it kind of worked, sometimes you get a situation where something that used to work in the past (but wasn't really necessary) now stopped working, but it's still added to a number of locations as though it were the gospel. And then people follow these instructions and now things don't work anymore. One of these revolves around OpenSC. OpenSC is an open source smartcard library that has support for a pretty large number of smartcards, amongst which the Belgian eID. It provides a PKCS#11 module as well as a number of supporting tools. For those not in the know, PKCS#11 is a standardized C API for offloading cryptographic operations. It is an API that can be used when talking to a hardware cryptographic module, in order to make that module perform some actions, and it is especially popular in the open source world, with support in NSS, amongst others. This library is written and maintained by mozilla, and is a low-level cryptographic library that is used by Firefox (on all platforms it supports) as well as by Google Chrome and other browsers based on that (but only on Linux, and as I understand it, only for linking with smartcards; their BoringSSL library is used for other things). The official eID software that we ship through eid.belgium.be, also known as "BeID", provides a PKCS#11 module for the Belgian eID, as well as a number of support tools to make interacting with the card easier, such as the "eID viewer", which provides the ability to read data from the card, and validate their signatures. While the very first public version of this eID PKCS#11 module was originally based on OpenSC, it has since been reimplemented as a PKCS#11 module in its own right, with no lineage to OpenSC whatsoever anymore. About five years ago, the Belgian eID card was renewed. At the time, a new physical appearance was the most obvious difference with the old card, but there were also some technical, on-chip, differences that are not so apparent. The most important one here, although it is not the only one, is the fact that newer eID cards now use a NIST P-384 elliptic curve-based private keys, rather than the RSA-based ones that were used in the past. This change required some changes to any PKCS#11 module that supports the eID; both the BeID one, as well as the OpenSC card-belpic driver that is written in support of the Belgian eID. Obviously, the required changes were implemented for the BeID module; however, the OpenSC card-belpic driver was not updated. While I did do some preliminary work on the required changes, I was unable to get it to work, and eventually other things took up my time so I never finished the implementation. If someone would like to finish the work that I started, the preliminal patch that I wrote could be a good start -- but like I said, it doesn't yet work. Also, you'll probably be interested in the official documentation of the eID card. Unfortunately, in the mean time someone added the Applet 1.8 ATR to the card-belpic.c file, without also implementing the required changes to the driver so that the PKCS#11 driver actually supports the eID card. The result of this is that if you have OpenSC installed in NSS for either Firefox or any Chromium-based browser, and it gets picked up before the BeID PKCS#11 module, then NSS will stop looking and pass all crypto operations to the OpenSC PKCS#11 module rather than to the official eID PKCS#11 module, and things will not work at all, causing a lot of confusion. I have therefore taken the following two steps:

The official eID packages now conflict with the OpenSC PKCS#11 module. Specifically only the PKCS#11 module, not the rest of OpenSC, so you can theoretically still use its tools. This means that once we release this new version of the eID software, when you do an upgrade and you have OpenSC installed, it will remove the PKCS#11 module and anything that depends on it. This is normal and expected.
I have filed a pull request against OpenSC that removes the Applet 1.8 ATR from the driver, so that OpenSC will stop claiming that it supports the 1.8 applet.

When the pull request is accepted, we will update the official eID software to make the conflict versioned, so that as soon as it works again you will again be able to install the OpenSC and BeID packages at the same time. In the mean time, if you have the OpenSC PKCS#11 module installed on your system, and your eID authentication does not work, try removing it.

The diffoscope maintainers are pleased to announce the release of diffoscope version 263. This version includes the following changes:

[ Chris Lamb ]
* Add support for the zipdetails(1) tool included in the Perl distribution.
  Thanks to Larry Doolittle et al. for the pointer to this tool.
* Don't use parenthesis within test "skipping " messages; PyTest adds its own
  parenthesis, so we were ending up with double nested parens.
* Fix the .epub tests after supporting zipdetails(1).
* Update copyright years and debian/tests/control.
[ FC (Fay) Stegerman ]
* Fix MozillaZipContainer's monkeypatch after Python's zipfile module changed
  to detect potentially insecure overlapping entries within .zip files.
  (Closes: reproducible-builds/diffoscope#362)

You find out more by visiting the project homepage.

The diffoscope maintainers are pleased to announce the release of diffoscope version 262. This version includes the following changes:

[ Chris Lamb ]
* Factor out Python version checking in test_zip.py. (Re: #362)
* Also skip some zip tests under 3.10.14 as well; a potential regression may
  have been backported to the 3.10.x series. The underlying cause is still to
  be investigated. (Re: #362)

You find out more by visiting the project homepage.

Personal: As many of you know, I lost my beloved son March 9th. This has hit me really hard, but I am staying strong and holding on to all the wonderful memories I have. He grew up to be an amazing man, devoted christian and wonderful father. He was loved by everyone who knew him and will be truly missed by us all. I have had folks ask me how they can help. He left behind his 7 year old son Mason. Mason was Billy s world and I would like to make sure Mason is taken care of. I have set up a gofundme for Mason and all proceeds will go to the future care of him. https://gofund.me/25dbff0c

Work report Kubuntu: Bug bashing! I am triaging allthebugs for Plasma which can be seen here: https://bugs.launchpad.net/plasma-5.27/+bug/2053125 I am happy to report many of the remaining bugs have been fixed in the latest bug fix release 5.27.11. I prepared https://kde.org/announcements/plasma/5/5.27.11/ and Rik uploaded to archive, thank you. Unfortunately, this and several other key fixes are stuck in transition do to the time_t64 transition, which you can read about here: https://wiki.debian.org/ReleaseGoals/64bit-time . It is the biggest transition in Debian/Ubuntu history and it couldn t come at a worst time. We are aware our ISO installer is currently broken, calamares is one of those things stuck in this transition. There is a workaround in the comments of the bug report: https://bugs.launchpad.net/ubuntu/+source/calamares/+bug/2054795 Fixed an issue with plasma-welcome. Found the fix for emojis and Aaron has kindly moved this forward with the fontconfig maintainer. Thanks! I have received an https://kfocus.org/spec/spec-ir14.html laptop and it is truly a great machine and is now my daily driver. A big thank you to the Kfocus team! I can t wait to show it off at https://linuxfestnorthwest.org/. KDE Snaps: You will see the activity in this ramp back up as the KDEneon Core project is finally a go! I will participate in the project with part time status and get everyone in the Enokia team up to speed with my snap knowledge, help prepare the qt6/kf6 transition, package plasma, and most importantly I will focus on documentation for future contributors. I have created the ( now split ) qt6 with KDE patchset support and KDE frameworks 6 SDK and runtime snaps. I have made the kde-neon-6 extension and the PR is in: https://github.com/canonical/snapcraft/pull/4698 . Future work on the extension will include multiple versions track support and core24 support.

I have successfully created our first qt6/kf6 snap ark. They will show showing up in the store once all the required bits have been merged and published. Thank you for stopping by. ~Scarlett

The diffoscope maintainers are pleased to announce the release of diffoscope version 261. This version includes the following changes:

[ Chris Lamb ]
* Don't crash if we encounter an .rdb file without an equivalent .rdx file.
  (Closes: #1066991)
* In addition, don't identify Redis database dumps (etc.) as GNU R database
  files based simply on their filename. (Re: #1066991)
* Update copyright years.

You find out more by visiting the project homepage.

Debian is running a "vcswatch" service that keeps track of the status of all packaging repositories that have a Vcs-Git (and other VCSes) header set and shows which repos might need a package upload to push pending changes out. Naturally, this is a lot of data and the scratch partition on qa.debian.org had to be expanded several times, up to 300 GB in the last iteration. Attempts to reduce that size using shallow clones (git clone --depth=50) did not result more than a few percent of space saved. Running git gc on all repos helps a bit, but is tedious and as Debian is growing, the repos are still growing both in size and number. I ended up blocking all repos with checkouts larger than a gigabyte, and still the only cure was expanding the disk, or to lower the blocking threshold. Since we only need a tiny bit of info from the repositories, namely the content of debian/changelog and a few other files from debian/, plus the number of commits since the last tag on the packaging branch, it made sense to try to get the info without fetching a full repo clone. The question if we could grab that solely using the GitLab API at salsa.debian.org was never really answered. But then, in #1032623, G bor N meth suggested the use of git clone --filter blob:none. As things go, this sat unattended in the bug report for almost a year until the next "disk full" event made me give it a try. The blob:none filter makes git clone omit all files, fetching only commit and tree information. Any blob (file content) needed at git run time is transparently fetched from the upstream repository, and stored locally. It turned out to be a game-changer. The (largish) repositories I tried it on shrank to 1/100 of the original size. Poking around I figured we could even do better by using tree:0 as filter. This additionally omits all trees from the git clone, again only fetching the information at run time when needed. Some of the larger repos I tried it on shrank to 1/1000 of their original size. I deployed the new option on qa.debian.org and scheduled all repositories to fetch a new clone on the next scan:

The initial dip from 100% to 95% is my first "what happens if we block repos > 500 MB" attempt. Over the week after that, the git filter clones reduce the overall disk consumption from almost 300 GB to 15 GB, a 1/20. Some repos shrank from GBs to below a MB. Perhaps I should make all my git clones use one of the filters.

Closing arguments in the trial between various people and Craig Wright over whether he's Satoshi Nakamoto are wrapping up today, amongst a bewildering array of presented evidence. But one utterly astonishing aspect of this lawsuit is that expert witnesses for both sides agreed that much of the digital evidence provided by Craig Wright was unreliable in one way or another, generally including indications that it wasn't produced at the point in time it claimed to be. And it's fascinating reading through the subtle (and, in some cases, not so subtle) ways that that's revealed.

One of the pieces of evidence entered is screenshots of data from Mind Your Own Business, a business management product that's been around for some time. Craig Wright relied on screenshots of various entries from this product to support his claims around having controlled meaningful number of bitcoin before he was publicly linked to being Satoshi. If these were authentic then they'd be strong evidence linking him to the mining of coins before Bitcoin's public availability. Unfortunately the screenshots themselves weren't contemporary - the metadata shows them being created in 2020. This wouldn't fundamentally be a problem (it's entirely reasonable to create new screenshots of old material), as long as it's possible to establish that the material shown in the screenshots was created at that point. Sadly, well.

One part of the disclosed information was an email that contained a zip file that contained a raw database in the format used by MYOB. Importing that into the tool allowed an audit record to be extracted - this record showed that the relevant entries had been added to the database in 2020, shortly before the screenshots were created. This was, obviously, not strong evidence that Craig had held Bitcoin in 2009. This evidence was reported, and was responded to with a couple of additional databases that had an audit trail that was consistent with the dates in the records in question. Well, partially. The audit record included session data, showing an administrator logging into the data base in 2011 and then, uh, logging out in 2023, which is rather more consistent with someone changing their system clock to 2011 to create an entry, and switching it back to present day before logging out. In addition, the audit log included fields that didn't exist in versions of the product released before 2016, strongly suggesting that the entries dated 2009-2011 were created in software released after 2016. And even worse, the order of insertions into the database didn't line up with calendar time - an entry dated before another entry may appear in the database afterwards, indicating that it was created later. But even more obvious? The database schema used for these old entries corresponded to a version of the software released in 2023.

This is all consistent with the idea that these records were created after the fact and backdated to 2009-2011, and that after this evidence was made available further evidence was created and backdated to obfuscate that. In an unusual turn of events, during the trial Craig Wright introduced further evidence in the form of a chain of emails to his former lawyers that indicated he had provided them with login details to his MYOB instance in 2019 - before the metadata associated with the screenshots. The implication isn't entirely clear, but it suggests that either they had an opportunity to examine this data before the metadata suggests it was created, or that they faked the data? So, well, the obvious thing happened, and his former lawyers were asked whether they received these emails. The chain consisted of three emails, two of which they confirmed they'd received. And they received a third email in the chain, but it was different to the one entered in evidence. And, uh, weirdly, they'd received a copy of the email that was submitted - but they'd received it a few days earlier. In 2024.

And again, the forensic evidence is helpful here! It turns out that the email client used associates a timestamp with any attachments, which in this case included an image in the email footer - and the mysterious time travelling email had a timestamp in 2024, not 2019. This was created by the client, so was consistent with the email having been sent in 2024, not being sent in 2019 and somehow getting stuck somewhere before delivery. The date header indicates 2019, as do encoded timestamps in the MIME headers - consistent with the mail being sent by a computer with the clock set to 2019.

But there's a very weird difference between the copy of the email that was submitted in evidence and the copy that was located afterwards! The first included a header inserted by gmail that included a 2019 timestamp, while the latter had a 2024 timestamp. Is there a way to determine which of these could be the truth? It turns out there is! The format of that header changed in 2022, and the version in the email is the new version. The version with the 2019 timestamp is anachronistic - the format simply doesn't match the header that gmail would have introduced in 2019, suggesting that an email sent in 2022 or later was modified to include a timestamp of 2019.

This is by no means the only indication that Craig Wright's evidence may be misleading (there's the whole argument that the Bitcoin white paper was written in LaTeX when general consensus is that it's written in OpenOffice, given that's what the metadata claims), but it's a lovely example of a more general issue.

Our technology chains are complicated. So many moving parts end up influencing the content of the data we generate, and those parts develop over time. It's fantastically difficult to generate an artifact now that precisely corresponds to how it would look in the past, even if we go to the effort of installing an old OS on an old PC and setting the clock appropriately (are you sure you're going to be able to mimic an entirely period appropriate patch level?). Even the version of the font you use in a document may indicate it's anachronistic. I'm pretty good at computers and I no longer have any belief I could fake an old document.

(References: this Dropbox, under "Expert reports", "Patrick Madden". Initial MYOB data is in "Appendix PM7", further analysis is in "Appendix PM42", email analysis is "Sixth Expert Report of Mr Patrick Madden")

comments

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In February, 18 contributors have been paid to work on Debian LTS, their reports are available:

Abhijith PA did 10.0h (out of 14.0h assigned), thus carrying over 4.0h to the next month.

Adrian Bunk did 13.5h (out of 24.25h assigned and 41.75h from previous period), thus carrying over 52.5h to the next month.

Bastien Roucari s did 20.0h (out of 20.0h assigned).

Ben Hutchings did 2.0h (out of 14.5h assigned and 9.5h from previous period), thus carrying over 22.0h to the next month.

Chris Lamb did 18.0h (out of 18.0h assigned).

Daniel Leidert did 10.0h (out of 10.0h assigned).

Emilio Pozuelo Monfort did 3.0h (out of 28.25h assigned and 31.75h from previous period), thus carrying over 57.0h to the next month.

Guilhem Moulin did 7.25h (out of 4.75h assigned and 15.25h from previous period), thus carrying over 12.75h to the next month.

Holger Levsen did 0.5h (out of 3.5h assigned and 8.5h from previous period), thus carrying over 11.5h to the next month.

Lee Garrett did 0.0h (out of 18.25h assigned and 41.75h from previous period), thus carrying over 60.0h to the next month.

Markus Koschany did 40.0h (out of 40.0h assigned).

Roberto C. S nchez did 3.5h (out of 8.75h assigned and 3.25h from previous period), thus carrying over 8.5h to the next month.

Santiago Ruano Rinc n did 13.5h (out of 13.5h assigned and 2.5h from previous period), thus carrying over 2.5h to the next month.

Sean Whitton did 4.5h (out of 0.5h assigned and 5.5h from previous period), thus carrying over 1.5h to the next month.

Sylvain Beucler did 24.5h (out of 27.75h assigned and 32.25h from previous period), thus carrying over 35.5h to the next month.

Thorsten Alteholz did 14.0h (out of 14.0h assigned).

Tobias Frost did 12.0h (out of 12.0h assigned).

Utkarsh Gupta did 11.25h (out of 26.75h assigned and 33.25h from previous period), thus carrying over 48.75 to the next month.

Evolution of the situation In February, we have released 17 DLAs. The number of DLAs published during February was a bit lower than usual, as there was much work going on in the area of triaging CVEs (a number of which turned out to not affect Debia buster, and others which ended up being duplicates, or otherwise determined to be invalid). Of the packages which did receive updates, notable were sudo (to fix a privilege management issue), and iwd and wpa (both of which suffered from authentication bypass vulnerabilities). While this has already been already announced in the Freexian blog, we would like to mention here the start of the Long Term Support project for Samba 4.17. You can find all the important details in that post, but we would like to highlight that it is thanks to our LTS sponsors that we are able to fund the work from our partner, Catalyst, towards improving the security support of Samba in Debian 12 (Bookworm).

Thanks to our sponsors Sponsors that joined recently are in bold.

Platinum sponsors:

TOSHIBA (for 102 months)

Civil Infrastructure Platform (CIP) (for 70 months)

Gold sponsors:

Roche Diagnostics International AG (for 113 months)

Linode (for 107 months)

Babiel GmbH (for 96 months)

Plat Home (for 96 months)

CINECA (for 70 months)

University of Oxford (for 52 months)

Deveryware (for 39 months)

VyOS Inc (for 34 months)

EDF SA (for 23 months)

Silver sponsors:

Domeneshop AS (for 117 months)

Nantes M tropole (for 112 months)

Univention GmbH (for 103 months)

Universit Jean Monnet de St Etienne (for 103 months)

Ribbon Communications, Inc. (for 97 months)

Exonet B.V. (for 87 months)

Leibniz Rechenzentrum (for 81 months)

Minist re de l Europe et des Affaires trang res (for 64 months)

Cloudways by DigitalOcean (for 54 months)

Dinahosting SL (for 52 months)

Bauer Xcel Media Deutschland KG (for 46 months)

Platform.sh SAS (for 46 months)

Moxa Inc. (for 40 months)

sipgate GmbH (for 37 months)

OVH US LLC (for 35 months)

Tilburg University (for 35 months)

GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 27 months)

Soliton Systems K.K. (for 24 months)

Bronze sponsors:

Evolix (for 118 months)

Seznam.cz, a.s. (for 118 months)

Intevation GmbH (for 115 months)

Linuxhotel GmbH (for 115 months)

Daevel SARL (for 113 months)

Bitfolk LTD (for 112 months)

Megaspace Internet Services GmbH (for 112 months)

NUMLOG (for 112 months)

Greenbone AG (for 111 months)

WinGo AG (for 111 months)

Ecole Centrale de Nantes - LHEEA (for 107 months)

Entr ouvert (for 102 months)

Adfinis AG (for 99 months)

GNI MEDIA (for 94 months)

Laboratoire LEGI - UMR 5519 / CNRS (for 94 months)

Tesorion (for 94 months)

Bearstech (for 85 months)

LiHAS (for 85 months)

Catalyst IT Ltd (for 80 months)

Supagro (for 75 months)

Demarcq SAS (for 74 months)

Universit Grenoble Alpes (for 60 months)

TouchWeb SAS (for 52 months)

SPiN AG (for 49 months)

CoreFiling (for 44 months)

Institut des sciences cognitives Marc Jeannerod (for 39 months)

Observatoire des Sciences de l Univers de Grenoble (for 36 months)

Tem Innovations GmbH (for 31 months)

WordFinder.pro (for 30 months)

CNRS DT INSU R sif (for 29 months)

Alter Way (for 22 months)

Institut Camille Jordan (for 11 months)

/usr-move, by Helmut Grohne Much of the work was spent on handling interaction with time time64 transition and sending patches for mitigating fallout. The set of packages relevant to `debootstrap` is mostly converted and the patches for `glibc` and `base-files` have been refined due to feedback from the upload to Ubuntu noble. Beyond this, he sent patches for all remaining packages that cannot move their files with `dh-sequence-movetousr` and packages using `dpkg-divert` in ways that `dumat` would not recognize.

Upcoming improvements to Salsa CI, by Santiago Ruano Rinc n Last month, Santiago Ruano Rinc n started the work on integrating sbuild into the Salsa CI pipeline. Initially, Santiago used sbuild with the `unshare` chroot mode. However, after discussion with josch, jochensp and helmut (thanks to them!), it turns out that the unshare mode is not the most suitable for the pipeline, since the level of isolation it provides is not needed, and some test suites would fail (eg: krb5). Additionally, one of the requirements of the build job is the use of ccache, since it is needed by some C/C++ large projects to reduce the compilation time. In the preliminary work with unshare last month, it was not possible to make ccache to work. Finally, Santiago changed the chroot mode, and now has a couple of POC (cf: 1 and 2) that rely on the `schroot` and `sudo`, respectively. And the good news is that ccache is successfully used by sbuild with schroot! The image here comes from an example of building `grep`. At the end of the build, `ccache -s` shows the statistics of the cache that it used, and so a little more than half of the calls of that job were cacheable. The most important pieces are in place to finish the integration of sbuild into the pipeline. Other than that, Santiago also reviewed the very useful merge request !346, made by IOhannes zm lnig to autodetect the release from debian/changelog. As agreed with IOhannes, Santiago is preparing a merge request to include the release autodetection use case in the very own Salsa CI s CI.

Packaging simplemonitor, by Carles Pina i Estany Carles started using simplemonitor in 2017, opened a WNPP bug in 2022 and started packaging simplemonitor dependencies in October 2023. After packaging five direct and indirect dependencies, Carles finally uploaded simplemonitor to unstable in February. During the packaging of simplemonitor, Carles reported a few issues to upstream. Some of these were to make the simplemonitor package build and run tests reproducibly. A reproducibility issue was reprotest overriding the timezone, which broke simplemonitor s tests. There have been discussions on resolving this upstream in simplemonitor and in reprotest, too. Carles also started upgrading or improving some of simplemonitor s dependencies.

Miscellaneous contributions

Stefano Rivera spent some time doing admin on debian.social infrastructure. Including dealing with a spike of abuse on the Jitsi server.

Stefano started to prepare a new release of dh-python, including cleaning out a lot of old Python 2.x related code. Thanks to Niels Thykier (outside Freexian) for spear-heading this work.

DebConf 24 planning is beginning. Stefano discussed venues and finances with the local team and remotely supported a site-visit by Nattie (outside Freexian).

Also in the DebConf 24 context, Santiago took part in discussions and preparations related to the Content Team.

A JIT bug was reported against pypy3 in Debian Bookworm. Stefano bisected the upstream history to find the patch (it was already resolved upstream) and released an update to pypy3 in bookworm.

Enrico participated in /usr-merge discussions with Helmut.

Colin Watson backported a python-channels-redis fix to bookworm, rediscovered while working on debusine.

Colin dug into a cluster of celery build failures and tracked the hardest bit down to a Python 3.12 regression, now fixed in unstable. celery should be back in testing once the 64-bit time_t migration is out of the way.

Thorsten Alteholz uploaded a new upstream version of cpdb-libs. Unfortunately upstream changed the naming of their release tags, so updating the watch file was a bit demanding. Anyway this version 2.0 is a huge step towards introduction of the new Common Print Dialog Backends.

Helmut send patches for 48 cross build failures.

Helmut changed debvm to use mkfs.ext4 instead of genext2fs.

Helmut sent a debci MR for improving collector robustness.

In preparation for DebConf 25, Santiago worked on the Brest Bid.

Welcome to the February 2024 report from the Reproducible Builds project! In our reports, we try to outline what we have been up to over the past month as well as mentioning some of the important things happening in software supply-chain security.

Reproducible Builds at FOSDEM 2024 Core Reproducible Builds developer Holger Levsen presented at the main track at FOSDEM on Saturday 3rd February this year in Brussels, Belgium. However, that wasn t the only talk related to Reproducible Builds. However, please see our comprehensive FOSDEM 2024 news post for the full details and links.

Maintainer Perspectives on Open Source Software Security Bernhard M. Wiedemann spotted that a recent report entitled Maintainer Perspectives on Open Source Software Security written by Stephen Hendrick and Ashwin Ramaswami of the Linux Foundation sports an infographic which mentions that 56% of [polled] projects support reproducible builds .

Three new reproducibility-related academic papers A total of three separate scholarly papers related to Reproducible Builds have appeared this month: Signing in Four Public Software Package Registries: Quantity, Quality, and Influencing Factors by Taylor R. Schorlemmer, Kelechi G. Kalu, Luke Chigges, Kyung Myung Ko, Eman Abdul-Muhd, Abu Ishgair, Saurabh Bagchi, Santiago Torres-Arias and James C. Davis (Purdue University, Indiana, USA) is concerned with the problem that:
Package maintainers can guarantee package authorship through software signing [but] it is unclear how common this practice is, and whether the resulting signatures are created properly. Prior work has provided raw data on signing practices, but measured single platforms, did not consider time, and did not provide insight on factors that may influence signing. We lack a comprehensive, multi-platform understanding of signing adoption and relevant factors. This study addresses this gap. (arXiv, full PDF)

Reproducibility of Build Environments through Space and Time by Julien Malka, Stefano Zacchiroli and Th o Zimmermann (Institut Polytechnique de Paris, France) addresses:
[The] principle of reusability [ ] makes it harder to reproduce projects build environments, even though reproducibility of build environments is essential for collaboration, maintenance and component lifetime. In this work, we argue that functional package managers provide the tooling to make build environments reproducible in space and time, and we produce a preliminary evaluation to justify this claim.
The abstract continues with the claim that Using historical data, we show that we are able to reproduce build environments of about 7 million Nix packages, and to rebuild 99.94% of the 14 thousand packages from a 6-year-old Nixpkgs revision. (arXiv, full PDF)
Options Matter: Documenting and Fixing Non-Reproducible Builds in Highly-Configurable Systems by Georges Aaron Randrianaina, Djamel Eddine Khelladi, Olivier Zendra and Mathieu Acher (Inria centre at Rennes University, France):
This paper thus proposes an approach to automatically identify configuration options causing non-reproducibility of builds. It begins by building a set of builds in order to detect non-reproducible ones through binary comparison. We then develop automated techniques that combine statistical learning with symbolic reasoning to analyze over 20,000 configuration options. Our methods are designed to both detect options causing non-reproducibility, and remedy non-reproducible configurations, two tasks that are challenging and costly to perform manually. (HAL Portal, full PDF)

Mailing list highlights From our mailing list this month:

User cen posted a query asking How to verify a package by rebuilding it locally on Debian which received a followup from Vagrant Cascadian.

James Addison asked Two questions about build-path reproducibility in Debian regarding the differences in the testing performed by Debian s GitLab continuous integration (CI) pipeline and the Debian-specific testing performed by the Reproducible Builds project itself, and followed this with a separate but related question regarding misconfigured reprotest configurations.

Distribution work In Debian this month, 5 reviews of Debian packages were added, 22 were updated and 8 were removed this month adding to Debian s knowledge about identified issues. A number of issue types were updated as well. [ ][ ][ ][ ] In addition, Roland Clobus posted his 23rd update of the status of reproducible ISO images on our mailing list. In particular, Roland helpfully summarised that all major desktops build reproducibly with bullseye, bookworm, trixie and sid provided they are built for a second time within the same DAK run (i.e. [within] 6 hours) and that there will likely be further work at a MiniDebCamp in Hamburg. Furthermore, Roland also responded in-depth to a query about a previous report
Fedora developer Zbigniew J drzejewski-Szmek announced a work-in-progress script called `fedora-repro-build` that attempts to reproduce an existing package within a koji build environment. Although the projects `README` file lists a number of fields will always or almost always vary and there is a non-zero list of other known issues, this is an excellent first step towards full Fedora reproducibility.
Jelle van der Waa introduced a new linter rule for Arch Linux packages in order to detect cache files leftover by the Sphinx documentation generator which are unreproducible by nature and should not be packaged. At the time of writing, 7 packages in the Arch repository are affected by this.
Elsewhere, Bernhard M. Wiedemann posted another monthly update for his work elsewhere in openSUSE.

diffoscope diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes such as uploading versions `256`, `257` and `258` to Debian and made the following additional changes:

Use a deterministic name instead of trusting `gpg` s use-embedded-filenames. Many thanks to Daniel Kahn Gillmor dkg@debian.org for reporting this issue and providing feedback. [ ][ ]

Don t error-out with a traceback if we encounter `struct.unpack`-related errors when parsing Python `.pyc` files. (#1064973). [ ]

Don t try and compare `rdb_expected_diff` on non-GNU systems as `%p` formatting can vary, especially with respect to MacOS. [ ]

Fix compatibility with `pytest` 8.0. [ ]

Temporarily fix support for Python 3.11.8. [ ]

Use the `7zip` package (over `p7zip-full`) after a Debian package transition. (#1063559). [ ]

Bump the minimum Black source code reformatter requirement to 24.1.1+. [ ]

Expand an older changelog entry with a CVE reference. [ ]

Make `test_zip` black clean. [ ]

In addition, James Addison contributed a patch to parse the headers from the `diff(1)` correctly [ ][ ] thanks! And lastly, Vagrant Cascadian pushed updates in GNU Guix for diffoscope to version 255, 256, and 258, and updated trydiffoscope to 67.0.6.

reprotest reprotest is our tool for building the same source code twice in different environments and then checking the binaries produced by each build for any differences. This month, Vagrant Cascadian made a number of changes, including:

Create a (working) proof of concept for enabling a specific number of CPUs. [ ][ ]

Consistently use 398 days for time variation rather than choosing randomly and update `README.rst` to match. [ ][ ]

Support a new `--vary=build_path.path` option. [ ][ ][ ][ ]

Website updates There were made a number of improvements to our website this month, including:

Chris Lamb:

Improve the relative sizing of headers. [ ]

Re-order and punch up the introduction and documentation on the `SOURCE_DATE_EPOCH` page. [ ]

Update `SOURCE_DATE_EPOCH` documentation re. `datetime.datetime.fromtimestamp`. Thanks, James Addison. [ ]

Add a post about Reproducible Builds at FOSDEM 2024. [ ]

Holger Levsen:

Update the GNU Guix page to include their reproducibility QA page. [ ]

Add Sune Vuorela and Jan-Benedict Glaw to our contributors list. [ ][ ]

Mattia Rizzolo:

Add Sovereign Tech Fund s logo to our sponsors. [ ]

Update our sponsors list. [ ]

Reproducibility testing framework The Reproducible Builds project operates a comprehensive testing framework (available at tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In February, a number of changes were made by Holger Levsen:

Debian-related changes:

Temporarily disable upgrading/bootstrapping Debian unstable and experimental as they are currently broken. [ ][ ]

Use the 64-bit `amd64` kernel on all `i386` nodes; no more 686 PAE kernels. [ ]

Add an Erlang package set. [ ]

Other changes:

Grant Jan-Benedict Glaw shell access to the Jenkins node. [ ]

Enable debugging for NetBSD reproducibility testing. [ ]

Use `/usr/bin/du --apparent-size` in the Jenkins shell monitor. [ ]

Revert reproducible nodes: mark osuosl2 as down . [ ]

Thanks again to Codethink, for they have doubled the RAM on our `arm64` nodes. [ ]

Only set `/proc/$pid/oom_score_adj` to -1000 if it has not already been done. [ ]

Add the `opemwrt-target-tegra` and `jtx` task to the list of zombie jobs. [ ][ ]

Vagrant Cascadian also made the following changes:

Overhaul the handling of OpenSSH configuration files after updating from Debian bookworm. [ ][ ][ ]

Add two new `armhf` architecture build nodes, `virt32z` and `virt64z`, and insert them into the Munin monitoring. [ ][ ] [ ][ ]

In addition, Alexander Couzens updated the OpenWrt configuration in order to replace the `tegra` target with `mpc85xx` [ ], Jan-Benedict Glaw updated the NetBSD build script to use a separate `$TMPDIR` to mitigate out of space issues on a tmpfs-backed `/tmp` [ ] and Zheng Junjie added a link to the GNU Guix tests [ ]. Lastly, node maintenance was performed by Holger Levsen [ ][ ][ ][ ][ ][ ] and Vagrant Cascadian [ ][ ][ ][ ].

Upstream patches The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

Philip Rinn:

`gimagereader` (date)

Bernhard M. Wiedemann:

`grass` (date-related issue)

`grub2` (filesystem ordering issue)

`latex2html` (drop a non-deterministic log)

`mhvtl` (tar)

`obs` (build-tool issue)

`ollama` (GZip embedding the modification time)

`presenterm` (filesystem-ordering issue)

`qt6-quick3d` (parallelism)

Chris Lamb:

#1064506 filed against `geophar`.

#1064891 filed against `pytest-repeat`.

#1064892 filed against `klepto`.

James Addison:

#1064519 filed against `flask-limiter`.

`python-parsl-doc` (disable dynamic argument evaluation by Sphinx `autodoc` extension)

`python3-pytest-repeat` (remove `entry_points.txt` creation that varied by shell)

`python3-selinux` (remove packaged `direct_url.json` file that embeds build path)

`python3-sepolicy` (remove packaged `direct_url.json` file that embeds build path)

#1064575 filed against `pyswarms`.

#1064638 filed against `python-x2go`.

`snapd` (fix timestamp header in packaged manual-page)

`zzzeeksphinx` (existing RB patch forwarded and merged (with modifications))

Johannes Schauer Marin Rodrigues:

#1063939 filed against `fop`.

If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

IRC: `#reproducible-builds` on `irc.oftc.net`.

Twitter: @ReproBuilds

Mastodon: @reproducible_builds@fosstodon.org

Mailing list: `rb-general@lists.reproducible-builds.org`

Search Results: "chr"

7 May 2024

Display control HDR signalling status update; backlight status update; EDID and DDC/CI.

Strategy for video and gaming use-cases Multi-plane support in compositors Underlay, overlay, or mixed strategy for video and gaming use-cases; KMS Plane UAPI to simplify the plane arrangement problem; Shared plane arrangement algorithm desired. HDR video and hardware overlay

Frame timing and VRR Frame timing: Limitations of uAPI; Current user space solutions; Brainstorm better uAPI; Cursor/overlay plane updates with VRR; KMS commit and buffer-readiness deadlines;

Power Saving vs Color/Latency ABM (adaptive backlight management); PSR1 latencies; Power optimization vs color accuracy/latency requirements.

Content-Adaptive Scaling & Sharpening Content-Adaptive Scalers on display hardware; New drm_colorop for content adaptive scaling; Proprietary algorithms.

Display Mux Laptop muxes for switching of the embedded panel between the integrated GPU and the discrete GPU; Seamless/atomic hand-off between drivers on Linux desktops.

Real time scheduling & async KMS API Potential benefits: lower latency input feedback, better VRR handling, buffer synchronization, etc. Issues around async uAPI usage and async-call handling.

27 April 2024

Changes in version 0.0.11 (2024-04-27) Synchronized with QuantLib 1.34 Calendar updates for Brazil, India, Singapore, South Africa, Thailand, United States Minor continuous integration update

26 April 2024

19 April 2024

18 April 2024

13 April 2024

12 April 2024

11 April 2024

Delta chat clients now reproducible Delta Chat, an open source messaging application that can work over email, announced this month that the Rust-based core library underlying Delta chat application is now reproducible.

5 April 2024

29 March 2024

28 March 2024

22 March 2024

18 March 2024

14 March 2024

13 March 2024

9 March 2024

Display control

HDR signalling status update;

backlight status update;

EDID and DDC/CI.

Strategy for video and gaming use-cases

Multi-plane support in compositors

Underlay, overlay, or mixed strategy for video and gaming use-cases;

KMS Plane UAPI to simplify the plane arrangement problem;

Shared plane arrangement algorithm desired.

HDR video and hardware overlay

Frame timing and VRR

Frame timing:

Limitations of uAPI;

Current user space solutions;

Brainstorm better uAPI;

Cursor/overlay plane updates with VRR;

KMS commit and buffer-readiness deadlines;

Power Saving vs Color/Latency

ABM (adaptive backlight management);

PSR1 latencies;

Power optimization vs color accuracy/latency requirements.

Content-Adaptive Scaling & Sharpening

Content-Adaptive Scalers on display hardware;

New drm_colorop for content adaptive scaling;

Proprietary algorithms.

Display Mux

Laptop muxes for switching of the embedded panel between the integrated GPU and the discrete GPU;

Seamless/atomic hand-off between drivers on Linux desktops.

Real time scheduling & async KMS API

Potential benefits: lower latency input feedback, better VRR handling, buffer synchronization, etc.

Issues around async uAPI usage and async-call handling.

Changes in version 0.0.11 (2024-04-27)

Synchronized with QuantLib 1.34

Calendar updates for Brazil, India, Singapore, South Africa, Thailand, United States

Minor continuous integration update