Courtesy of my CRANberries, there is a diffstat report relative to previous release. More detailed information is on the RcppArmadillo page. Questions, comments etc should go to the rcpp-devel mailing list off the Rcpp R-Forge page. If you like this or other open-source work I do, you can sponsor me at GitHub.Changes in RcppArmadillo version 0.12.8.2.1 (2024-04-15)
- One-char bug fix release commenting out one test that upsets reticulate when accessing a scipy sparse matrix
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
So far, I have not found any reproducibility issues; everything I tested I was able to get to build bit-for-bit identical with what is in the Debian archive.That is to say, reproducibility testing permitted Vagrant and Debian to claim with some confidence that builds performed when this vulnerable version of XZ was installed were not interfered with.
Functional package managers (FPMs) and reproducible builds (R-B) are technologies and methodologies that are conceptually very different from the traditional software deployment model, and that have promising properties for software supply chain security. This thesis aims to evaluate the impact of FPMs and R-B on the security of the software supply chain and propose improvements to the FPM model to further improve trust in the open source supply chain. PDFJulien s paper poses a number of research questions on how the model of distributions such as GNU Guix and NixOS can be leveraged to further improve the safety of the software supply chain , etc.
normal
to a new level of wishlist
. In addition, 28 reviews of Debian packages were added, 38 were updated and 23 were removed this month adding to ever-growing knowledge about identified issues. As part of this effort, a number of issue types were updated, including Chris Lamb adding a new ocaml_include_directories
toolchain issue [ ] and James Addison adding a new filesystem_order_in_java_jar_manifest_mf_include_resource
issue [ ] and updating the random_uuid_in_notebooks_generated_by_nbsphinx
to reference a relevant discussion thread [ ].
In addition, Roland Clobus posted his 24th status update of reproducible Debian ISO images. Roland highlights that the images for Debian unstable often cannot be generated due to changes in that distribution related to the 64-bit time_t
transition.
Lastly, Bernhard M. Wiedemann posted another monthly update for his reproducibility work in openSUSE.
buildinfo
file was present. Arnout Engelen responded with some details.
diff-zip-meta.py
tool to expose extra timestamps embedded in .zip
and .apk
metadata.
CITATION.cff
file. Pol also added an substantial new section to the buy in page documenting the role of Software Bill of Materials (SBOMs) and ephemeral development environments. [ ][ ]
amd64
virtual machines. [ ][ ][ ]
set
data structure is also affected by the PYTHONHASHSEED
functionality. [ ]
259
, 260
and 261
to Debian and made the following additional changes:
zipdetails
tool from the Perl distribution. Thanks to Fay Stegerman and Larry Doolittle et al. for the pointer and thread about this tool. [ ]File.recognizes
so we actually perform the filename check for GNU R data files. [ ].rdb
file without an equivalent .rdx
file. (#1066991).pyc
file with an empty one. [ ].epub
tests after supporting the new zipdetails
tool. [ ]test_zip.py
. [ ]zipfile
module changed to detect potentially insecure overlapping entries within .zip
files. (#362)
Chris Lamb also updated the trydiffoscope
command line client, dropping a build-dependency on the deprecated python3-distutils
package to fix Debian bug #1065988 [ ], taking a moment to also refresh the packaging to the latest Debian standards [ ]. Finally, Vagrant Cascadian submitted an update for diffoscope version 260 in GNU Guix. [ ]
helm
(SSL-related build failure)java-21-openjdk
(parallelism)libressl
(SSL-related build failure)nfdump
(date issue)python-django-q
(avoid stuck build)python-smart-open
(fails to build on single-CPU machines)python-stdnum
(fails to build in 2039)python-yarl
(regression)qemu
(build failure)rabbitmq-java-client
(with Fridrich Strba; Maven timestamp issue)rmw
(build fails in 2038)warewulf
(with Egbert Eich; cpio
modification time and inode issue)wxWidgets
(fails to build in 2038)python-quantities
.gnome-maps
.tox
.q2cli
.mpl-sphinx-theme
.woof-doom
.bochs
.storm-lang
.librsvg
.gretl
.postfix
.node-function-bind
.python-pysaml2
.golang-github-stvp-tempredis
.matplotlib
.pathos
.rdflib
.xonsh
.maven-bundle-plugin
. (This patch was then uploaded by Mattia Rizzollo.)geany
(toolchain-related issue for glfw
)%check
section, thus failing when built with the --no-checks
option. Only half of all openSUSE packages were tested so far, but a large number of bugs were filed, including ones against caddy
, exiv2
, gnome-disk-utility
, grisbi
, gsl
, itinerary
, kosmindoormap
, libQuotient
, med-tools
, plasma6-disks
, pspp
, python-pypuppetdb
, python-urlextract
, rsync
, vagrant-libvirt
and xsimd
.
Similarly, Jean-Pierre De Jesus DIAZ employed reproducible builds techniques in order to test a proposed refactor of the ath9k-htc-firmware
package. As the change produced bit-for-bit identical binaries to the previously shipped pre-built binaries:
I don t have the hardware to test this firmware, but the build produces the same hashes for the firmware so it s safe to say that the firmware should keep working.
armhf
again. [ ][ ]i386
architecture queue. [ ]stats_buildinfo.png
graph once per day. [ ][ ]systemctl
with new systemd-based services. [ ]armhf
and i386
continuous integration tests in order to get some stability back. [ ]deb.debian.org
CDN everywhere. [ ]zst
to the list of packages which are false-positive diskspace issues. [ ]Bot
in the userAgent
for Git. (Re: #929013). [ ]tmpfs
size on our OUSL nodes. [ ]reproducible_build
service. [ ][ ]OOMPolicy=continue
and OOMScoreAdjust=-1000
for both the Jenkins and the reproducible_build
service. [ ]systemd
slice to group all relevant services. [ ][ ]shellcheck
tool. [ ]systemd-run
to handle diffoscope s exit codes specially. [ ]pgrep
tool over grepping the output of ps
. [ ]i386
and armhf
architecture builders. [ ][ ]armhf
architecture due to the time_t
transition. [ ]i386
& armhf
workers. [ ][ ][ ]pbuilder
updates in the unstable distribution, but only on the armhf
architecture. [ ]systemd
service operates. [ ][ ]powercycle_x86_nodes.py
script to use the new IONOS API and its new Python bindings. [ ]stunnel
tool anymore, it shouldn t be needed by anything anymore. [ ]arm64
architecture host keys. [ ]-
) in a variable in order to allow for tags in openQA. [ ]#reproducible-builds
on irc.oftc.net
.
rb-general@lists.reproducible-builds.org
__init__
and __repr__
, but on request also more.
But given that those type definitions are available to other code, a lot more can be done.
There exists several separate packages to work on data classes.
For example you can have data validation from JSON with dacite.
But Debian likes a pretty strange format usually called Deb822, which is in fact derived from the RFC 822 format of e-mail messages.
Those files includes single messages with a well known format.
So I'd like to introduce some Deb822 format support for Python Data Classes.
For now the code resides in the Debian Cloud tool.
Usage
Setup
It uses the standard data classes support and several helper functions.
Also you need to enable support for postponed evaluation of annotations.
from __future__ import annotations
from dataclasses import dataclass
from dataclasses_deb822 import read_deb822, field_deb822
@dataclass
class Package:
package: str = field_deb822('Package')
version: str = field_deb822('Version')
arch: str = field_deb822('Architecture')
multi_arch: Optional[str] = field_deb822(
'Multi-Arch',
default=None,
)
for p in read_deb822(Package, sys.stdin, ignore_unknown=True):
print(p)
from __future__ import annotations
from dataclasses import dataclass
from debian_cloud_images.utils.dataclasses_deb822 import read_deb822, field_deb822
from typing import Optional
import sys
@dataclass
class Package:
package: str = field_deb822('Package')
version: str = field_deb822('Version')
arch: str = field_deb822('Architecture')
multi_arch: Optional[str] = field_deb822(
'Multi-Arch',
default=None,
)
for p in read_deb822(Package, sys.stdin, ignore_unknown=True):
print(p)
Courtesy of my CRANberries, there is a diffstat report relative to previous release. More detailed information is on the RcppArmadillo page. Questions, comments etc should go to the rcpp-devel mailing list off the Rcpp R-Forge page. If you like this or other open-source work I do, you can sponsor me at GitHub.Changes in RcppArmadillo version 0.12.8.2.0 (2024-04-02)
- Upgraded to Armadillo release 12.8.2 (Cortisol Injector)
- Workaround for FFTW3 header clash
- Workaround in testing framework for issue under macOS
- Minor cleanups to reduce code bloat
- Improved documentation
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
How am I? Well, I'm, as I wrote in my platform, I'm a proud grandfather doing a lot of free software stuff, doing a lot of sports, have some goals in mind which I like to do and hopefully for the best of Debian.And How are you today? [Andreas]:
How I'm doing today? Well, actually I have some headaches but it's fine for the interview. So, usually I feel very good. Spring was coming here and today it's raining and I plan to do a bicycle tour tomorrow and hope that I do not get really sick but yeah, for the interview it's fine.What do you do in Debian? Could you mention your story here? [Andreas]:
Yeah, well, I started with Debian kind of an accident because I wanted to have some package salvaged which is called WordNet. It's a monolingual dictionary and I did not really plan to do more than maybe 10 packages or so. I had some kind of training with xTeddy which is totally unimportant, a cute teddy you can put on your desktop. So, and then well, more or less I thought how can I make Debian attractive for my employer which is a medical institute and so on. It could make sense to package bioinformatics and medicine software and it somehow evolved in a direction I did neither expect it nor wanted to do, that I'm currently the most busy uploader in Debian, created several teams around it. DebianMate is very well known from me. I created the Blends team to create teams and techniques around what we are doing which was Debian TIS, Debian Edu, Debian Science and so on and I also created the packaging team for R, for the statistics package R which is technically based and not topic based. All these blends are covering a certain topic and R is just needed by lots of these blends. So, yeah, and to cope with all this I have written a script which is routing an update to manage all these uploads more or less automatically. So, I think I had one day where I uploaded 21 new packages but it's just automatically generated, right? So, it's on one day more than I ever planned to do.What is the first thing you think of when you think of Debian? Editors' note: The question was misunderstood as the worst thing you think of when you think of Debian [Andreas]:
The worst thing I think about Debian, it's complicated. I think today on Debian board I was asked about the technical progress I want to make and in my opinion we need to standardize things inside Debian. For instance, bringing all the packages to salsa, follow some common standards, some common workflow which is extremely helpful. As I said, if I'm that productive with my own packages we can adopt this in general, at least in most cases I think. I made a lot of good experience by the support of well-formed teams. Well-formed teams are those teams where people support each other, help each other. For instance, how to say, I'm a physicist by profession so I'm not an IT expert. I can tell apart what works and what not but I'm not an expert in those packages. I do and the amount of packages is so high that I do not even understand all the techniques they are covering like Go, Rust and something like this. And I also don't speak Java and I had a problem once in the middle of the night and I've sent the email to the list and was a Java problem and I woke up in the morning and it was solved. This is what I call a team. I don't call a team some common repository that is used by random people for different packages also but it's working together, don't hesitate to solve other people's problems and permit people to get active. This is what I call a team and this is also something I observed in, it's hard to give a percentage, in a lot of other teams but we have other people who do not even understand the concept of the team. Why is working together make some advantage and this is also a tough thing. I [would] like to tackle in my term if I get elected to form solid teams using the common workflow. This is one thing. The other thing is that we have a lot of good people in our infrastructure like FTP masters, DSA and so on. I have the feeling they have a lot of work and are working more or less on their limits, and I like to talk to them [to ask] what kind of change we could do to move that limits or move their personal health to the better side.The DPL term lasts for a year, What would you do during that you couldn't do now? [Andreas]:
Yeah, well this is basically what I said are my main issues. I need to admit I have no really clear imagination what kind of tasks will come to me as a DPL because all these financial issues and law issues possible and issues [that] people who are not really friendly to Debian might create. I'm afraid these things might occupy a lot of time and I can't say much about this because I simply don't know.What are three key terms about you and your candidacy? [Andreas]:
As I said, I like to work on standards, I d like to make Debian try [to get it right so] that people don't get overworked, this third key point is be inviting to newcomers, to everybody who wants to come. Yeah, I also mentioned in my term this diversity issue, geographical and from gender point of view. This may be the three points I consider most important.Preferred text editor? [Andreas]:
Yeah, my preferred one? Ah, well, I have no preferred text editor. I'm using the Midnight Commander very frequently which has an internal editor which is convenient for small text. For other things, I usually use VI but I also use Emacs from time to time. So, no, I have not preferred text editor. Whatever works nicely for me.What is the importance of the community in the Debian Project? How would like to see it evolving over the next few years? [Andreas]:
Yeah, I think the community is extremely important. So, I was on a lot of DebConfs. I think it's not really 20 but 17 or 18 DebCons and I really enjoyed these events every year because I met so many friends and met so many interesting people that it's really enriching my life and those who I never met in person but have read interesting things and yeah, Debian community makes really a part of my life.And how do you think it should evolve specifically? [Andreas]:
Yeah, for instance, last year in Kochi, it became even clearer to me that the geographical diversity is a really strong point. Just discussing with some women from India who is afraid about not coming next year to Busan because there's a problem with Shanghai and so on. I'm not really sure how we can solve this but I think this is a problem at least I wish to tackle and yeah, this is an interesting point, the geographical diversity and I'm running the so-called mentoring of the month. This is a small project to attract newcomers for the Debian Med team which has the focus on medical packages and I learned that we had always men applying for this and so I said, okay, I dropped the constraint of medical packages. Any topic is fine, I teach you packaging but it must be someone who does not consider himself a man. I got only two applicants, no, actually, I got one applicant and one response which was kind of strange if I'm hunting for women or so. I did not understand but I got one response and interestingly, it was for me one of the least expected counters. It was from Iran and I met a very nice woman, very open, very skilled and gifted and did a good job or have even lose contact today and maybe we need more actively approach groups that are underrepresented. I don't know if what's a good means which I did but at least I tried and so I try to think about these kind of things.What part of Debian has made you smile? What part of the project has kept you going all through the years? [Andreas]:
Well, the card game which is called Mao on the DebConf made me smile all the time. I admit I joined only two or three times even if I really love this kind of games but I was occupied by other stuff so this made me really smile. I also think the first online DebConf in 2020 made me smile because we had this kind of short video sequences and I tried to make a funny video sequence about every DebConf I attended before. This is really funny moments but yeah, it's not only smile but yeah. One thing maybe it's totally unconnected to Debian but I learned personally something in Debian that we have a do-ocracy and you can do things which you think that are right if not going in between someone else, right? So respect everybody else but otherwise you can do so. And in 2020 I also started to take trees which are growing widely in my garden and plant them into the woods because in our woods a lot of trees are dying and so I just do something because I can. I have the resource to do something, take the small tree and bring it into the woods because it does not harm anybody. I asked the forester if it is okay, yes, yes, okay. So everybody can do so but I think the idea to do something like this came also because of the free software idea. You have the resources, you have the computer, you can do something and you do something productive, right? And when thinking about this I think it was also my Debian work. Meanwhile I have planted more than 3,000 trees so it's not a small number but yeah, I enjoy this.What part of Debian would you have some criticisms for? [Andreas]:
Yeah, it's basically the same as I said before. We need more standards to work together. I do not want to repeat this but this is what I think, yeah.What field in Free Software generally do you think requires the most work to be put into it? What do you think is Debian's part in the field? [Andreas]:
It's also in general, the thing is the fact that I'm maintaining packages which are usually as modern software is maintained in Git, which is fine but we have some software which is at Sourceport, we have software laying around somewhere, we have software where Debian somehow became Upstream because nobody is caring anymore and free software is very different in several things, ways and well, I in principle like freedom of choice which is the basic of all our work. Sometimes this freedom goes in the way of productivity because everybody is free to re-implement. You asked me for the most favorite editor. In principle one really good working editor would be great to have and would work and we have maybe 500 in Debian or so, I don't know. I could imagine if people would concentrate and say five instead of 500 editors, we could get more productive, right? But I know this will not happen, right? But I think this is one thing which goes in the way of making things smooth and productive and we could have more manpower to replace one person who's [having] children, doing some other stuff and can't continue working on something and maybe this is a problem I will not solve, definitely not, but which I see.What do you think is Debian's part in the field? [Andreas]:
Yeah, well, okay, we can bring together different Upstreams, so we are building some packages and have some general overview about similar things and can say, oh, you are doing this and some other person is doing more or less the same, do you want to join each other or so, but this is kind of a channel we have to our Upstreams which is probably not very successful. It starts with code copies of some libraries which are changed a little bit, which is fine license-wise, but not so helpful for different things and so I've tried to convince those Upstreams to forward their patches to the original one, but for this and I think we could do some kind of, yeah, [find] someone who brings Upstream together or to make them stop their forking stuff, but it costs a lot of energy and we probably don't have this and it's also not realistic that we can really help with this problem.Do you have any questions for me? [Andreas]:
I enjoyed the interview, I enjoyed seeing you again after half a year or so. Yeah, actually I've seen you in the eating room or cheese and wine party or so, I do not remember we had to really talk together, but yeah, people around, yeah, for sure. Yeah.
If you like this or other open-source work I do, you can sponsor me at GitHub.Changes in version 0.3.1 (2024-04-02)
- New Maintainer
- Deleted several repository files no longer used or needed
- Added
.editorconfig
,ChangeLog
andcleanup
- Converted NEWS.md to NEWS.Rd
- Simplified
R
/ directory to one source file- Simplified
src/
removing redundantMakevars
- Added
ulid()
alias- Updated / edited roxygen and README.md documention
- Removed vignette which was identical to README.md
- Switched continuous integration to GitHub Actions
- Placed upstream (header-only) library into
src/ulid/
- Renamed single interface file to
src/wrapper
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
Rscript
. It allows for piping as well for shebang
scripting via #!
, uses command-line arguments more
consistently and still starts
faster. It also always loaded the methods
package which
Rscript
only began to do in recent years.
littler
lives on Linux and Unix, has its difficulties on macOS due to
yet-another-braindeadedness there (who ever thought case-insensitive
filesystems as a default were a good idea?) and simply does not exist on
Windows (yet the build system could be extended see RInside for
an existence proof, and volunteers are welcome!). See the FAQ
vignette on how to add it to your PATH
. A few examples
are highlighted at the Github repo:, as well
as in the examples
vignette.
This release contains another fair number of small changes and
improvements to some of the scripts I use daily to build or test
packages, adds a new front-end ciw.r
for the
recently-released ciw package
offering a CRAN Incoming Watcher , a new helper
installDeps2.r
(extending installDeps.r
), a
new doi-to-bib converter, allows a different temporary directory setup I
find helpful, deals with one corner deployment use, and more.
The full change description follows.
My CRANberries service provides a comparison to the previous release. Full details for the littler release are provided as usual at the ChangeLog page, and also on the package docs website. The code is available via the GitHub repo, from tarballs and now of course also from its CRAN page and viaChanges in littler version 0.3.20 (2024-03-23)
- Changes in examples scripts
- New (dependency-free) helper
installDeps2.r
to install dependencies- Scripts
rcc.r
,tt.r
,tttf.r
,tttlr.r
useenv
argument-S
to set-t
tor
tt.r
can now fill ininst/tinytest
if it is present- New script
ciw.r
wrapping new package ciwtttf.t
can now use devtools and itsloadall
- New script
doi2bib.r
to call the DOI converter REST service (following a skeet by Richard McElreath)- Changes in package
- The CI setup uses checkout@v4 and the r-ci-setup action
- The Suggests: is a little tighter as we do not list all packages optionally used in the the examples (as R does not check for it either)
- The package load messag can account for the rare build of R under different architecture (Berwin Turlach in #117 closing #116)
- In non-vanilla mode, the temporary directory initialization in re-run allowing for a non-standard temp dir via config settings
install.packages("littler")
. Binary packages are
available directly in Debian as
well as (in a day or two) Ubuntu binaries at
CRAN thanks to the tireless Michael Rutter.
Comments and suggestions are welcome at the GitHub repo.
If you like this or other open-source work I do, you can sponsor me at
GitHub.
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
incoming()
(now along with
an alias ciw()
) which summarises the state of the incoming
directories at CRAN. I happen
to like having these things at my (shell) fingertips, so it goes along
with (still draft) wrapper
ciw.r that will be part of the next littler release.
For example, when I do this right now as I type this, I see
(typically less than one second later)
edd@rob:~$ ciw.r
Folder Name Time Size Age
<char> <char> <POSc> <char> <difftime>
1: pretest instantiate_0.2.2.tar.gz 2024-03-20 13:29:00 17K 0.07 hours
2: recheck tinytable_0.2.0.tar.gz 2024-03-20 12:50:00 565K 0.72 hours
3: pending Matrix_1.7-0.tar.gz 2024-03-20 12:05:00 2.3M 1.47 hours
4: recheck survey_4.4-2.tar.gz 2024-03-20 02:02:00 2.2M 11.52 hours
5: waiting equateIRT_2.4.0.tar.gz 2024-03-19 17:00:00 895K 20.55 hours
6: pending ravetools_0.1.5.tar.gz 2024-03-19 12:06:00 1.0M 25.45 hours
7: waiting glmmTMB_1.1.9.tar.gz 2024-03-18 16:04:00 4.2M 45.48 hours
edd@rob:~$
ciw.r --help
or ciw.r --usage
for more.
Alternatively, in your R session, you can call
ciw::incoming()
(or now ciw::ciw()
) for the
same result (and/or load the package first).
This release adds some packaging touches, brings the new alias
ciw()
as well as a state variable with all (known) folder
names and some internal improvements for dealing with error conditions.
The NEWS entry follows.
Courtesy of my CRANberries, there is also a diffstat report for this release. If you like this or other open-source work I do, you can sponsor me at GitHub.Changes in version 0.0.2 (2024-03-20)
- The package README and DESCRIPTION have been expanded
- An alias
ciw
can now be used forincoming
- Network error handling is now more robist
- A state variable
known_folders
lists all CRAN folders belowincoming
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
incoming()
which summarises the state of the incoming
directories at CRAN. I happen
to like having these things at my (shell) fingertips, so it goes along
with (still draft) wrapper
ciw.r that will be part of the next littler release.
For example, when I do this right now as I type this, I see
edd@rob:~$ ciw.r
Folder Name Time Size Age
<char> <char> <POSc> <char> <difftime>
1: waiting maximin_1.0-5.tar.gz 2024-03-13 22:22:00 20K 2.48 hours
2: inspect GofCens_0.97.tar.gz 2024-03-13 21:12:00 29K 3.65 hours
3: inspect verbalisr_0.5.2.tar.gz 2024-03-13 20:09:00 79K 4.70 hours
4: waiting rnames_1.0.1.tar.gz 2024-03-12 15:04:00 2.7K 33.78 hours
5: waiting PCMBase_1.2.14.tar.gz 2024-03-10 12:32:00 406K 84.32 hours
6: pending MPCR_1.1.tar.gz 2024-02-22 11:07:00 903K 493.73 hours
edd@rob:~$
r
. Good enough for me. From a well-connected EC2 instance
it is about 800ms on the command-line. When I do I from here inside an R
session it is maybe 700ms. And doing it over in Europe is faster still.
(I am using ping=FALSE
for these to omit the default sanity
check of can I haz networking? to speed things up. The check adds
another 200ms or so.)
The function (and the wrapper) offer a ton of options too this is
ridiculously easy to do thanks to the docopt
package:
edd@rob:~$ ciw.r -x
Usage: ciw.r [-h] [-x] [-a] [-m] [-i] [-t] [-p] [-w] [-r] [-s] [-n] [-u] [-l rows] [-z] [ARG...]
-m --mega use 'mega' mode of all folders (see --usage)
-i --inspect visit 'inspect' folder
-t --pretest visit 'pretest' folder
-p --pending visit 'pending' folder
-w --waiting visit 'waiting' folder
-r --recheck visit 'waiting' folder
-a --archive visit 'archive' folder
-n --newbies visit 'newbies' folder
-u --publish visit 'publish' folder
-s --skipsort skip sorting of aggregate results by age
-l --lines rows print top 'rows' of the result object [default: 50]
-z --ping run the connectivity check first
-h --help show this help text
-x --usage show help and short example usage
where ARG... can be one or more file name, or directories or package names.
Examples:
ciw.r -ip # run in 'inspect' and 'pending' mode
ciw.r -a # run with mode 'auto' resolved in incoming()
ciw.r # run with defaults, same as '-itpwr'
When no argument is given, 'auto' is selected which corresponds to 'inspect', 'waiting',
'pending', 'pretest', and 'recheck'. Selecting '-m' or '--mega' are select as default.
Folder selecting arguments are cumulative; but 'mega' is a single selections of all folders
(i.e. 'inspect', 'waiting', 'pending', 'pretest', 'recheck', 'archive', 'newbies', 'publish').
ciw.r is part of littler which brings 'r' to the command-line.
See https://dirk.eddelbuettel.com/code/littler.html for more information.
edd@rob:~$
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
md5
, sha-1
,
sha-256
, sha-512
, crc32
,
xxhash32
, xxhash64
, murmur32
,
spookyhash
, blake3
,crc32c
and
now also xxh3_64
and xxh3_128
), and enables
easy comparison of (potentially large and nested) R language objects as
it relies on the native serialization in R. It is a mature and
widely-used package (with 65.8 million downloads just on the partial
cloud mirrors of CRAN which keep logs) as many tasks may involve
caching of objects for which it provides convenient
general-purpose hash key generation to quickly identify the various
objects.
This release updates the included xxHash version to the
current verion 0.8.2 updating the existing xxhash32
and
xxhash64
hash functions and also adding the newer
xxh3_64
and xxh3_128
ones. We have a project
at work using xxh3_128
from Python which made me realize
having it from R would be nice too, and given the existing
infrastructure in the package actually doing so was fairly quick and
straightforward.
My CRANberries
provides a summary of changes to the previous
version. For questions or comments use the issue tracker
off the GitHub
repo. For documentation (including the changelog)
see the documentation
site.
If you like this or other open-source work I do, you can now sponsor me at
GitHub.
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
Package maintainers can guarantee package authorship through software signing [but] it is unclear how common this practice is, and whether the resulting signatures are created properly. Prior work has provided raw data on signing practices, but measured single platforms, did not consider time, and did not provide insight on factors that may influence signing. We lack a comprehensive, multi-platform understanding of signing adoption and relevant factors. This study addresses this gap. (arXiv, full PDF)
[The] principle of reusability [ ] makes it harder to reproduce projects build environments, even though reproducibility of build environments is essential for collaboration, maintenance and component lifetime. In this work, we argue that functional package managers provide the tooling to make build environments reproducible in space and time, and we produce a preliminary evaluation to justify this claim.The abstract continues with the claim that Using historical data, we show that we are able to reproduce build environments of about 7 million Nix packages, and to rebuild 99.94% of the 14 thousand packages from a 6-year-old Nixpkgs revision. (arXiv, full PDF)
This paper thus proposes an approach to automatically identify configuration options causing non-reproducibility of builds. It begins by building a set of builds in order to detect non-reproducible ones through binary comparison. We then develop automated techniques that combine statistical learning with symbolic reasoning to analyze over 20,000 configuration options. Our methods are designed to both detect options causing non-reproducibility, and remedy non-reproducible configurations, two tasks that are challenging and costly to perform manually. (HAL Portal, full PDF)
fedora-repro-build
that attempts to reproduce an existing package within a koji build environment. Although the projects README
file lists a number of fields will always or almost always vary and there is a non-zero list of other known issues, this is an excellent first step towards full Fedora reproducibility.
256
, 257
and 258
to Debian and made the following additional changes:
gpg
s use-embedded-filenames. Many thanks to Daniel Kahn Gillmor dkg@debian.org for reporting this issue and providing feedback. [ ][ ]struct.unpack
-related errors when parsing Python .pyc
files. (#1064973). [ ]rdb_expected_diff
on non-GNU systems as %p
formatting can vary, especially with respect to MacOS. [ ]pytest
8.0. [ ]7zip
package (over p7zip-full
) after a Debian package transition. (#1063559). [ ]test_zip
black clean. [ ]diff(1)
correctly [ ][ ] thanks! And lastly, Vagrant Cascadian pushed updates in GNU Guix for diffoscope to version 255, 256, and 258, and updated trydiffoscope to 67.0.6.
README.rst
to match. [ ][ ]--vary=build_path.path
option. [ ][ ][ ][ ]SOURCE_DATE_EPOCH
page. [ ]SOURCE_DATE_EPOCH
documentation re. datetime.datetime.fromtimestamp
. Thanks, James Addison. [ ]/usr/bin/du --apparent-size
in the Jenkins shell monitor. [ ]arm64
nodes. [ ]/proc/$pid/oom_score_adj
to -1000 if it has not already been done. [ ]opemwrt-target-tegra
and jtx
task to the list of zombie jobs. [ ][ ]armhf
architecture build nodes, virt32z
and virt64z
, and insert them into the Munin monitoring. [ ][ ] [ ][ ]tegra
target with mpc85xx
[ ], Jan-Benedict Glaw updated the NetBSD build script to use a separate $TMPDIR
to mitigate out of space issues on a tmpfs-backed /tmp
[ ] and Zheng Junjie added a link to the GNU Guix tests [ ].
Lastly, node maintenance was performed by Holger Levsen [ ][ ][ ][ ][ ][ ] and Vagrant Cascadian [ ][ ][ ][ ].
gimagereader
(date)grass
(date-related issue)grub2
(filesystem ordering issue)latex2html
(drop a non-deterministic log)mhvtl
(tar)obs
(build-tool issue)ollama
(GZip embedding the modification time)presenterm
(filesystem-ordering issue)qt6-quick3d
(parallelism)flask-limiter
.python-parsl-doc
(disable dynamic argument evaluation by Sphinx autodoc
extension)python3-pytest-repeat
(remove entry_points.txt
creation that varied by shell)python3-selinux
(remove packaged direct_url.json
file that embeds build path)python3-sepolicy
(remove packaged direct_url.json
file that embeds build path)pyswarms
.python-x2go
.snapd
(fix timestamp header in packaged manual-page)zzzeeksphinx
(existing RB patch forwarded and merged (with modifications))#reproducible-builds
on irc.oftc.net
.
rb-general@lists.reproducible-builds.org
Courtesy of my CRANberries, there is also a diffstat report for this release. If you like this or other open-source work I do, you can sponsor me at GitHub.Changes in prrd version 0.0.6 (2024-03-06)
- The summary function has received several enhancements:
- Extended summary is only running when failures are seen.
- The
summariseQueue
function now displays an anticipated completion time and remaining duration.- The use of optional package foghorn has been refined, and refactored, when running summaries.
- The
dequeueJobs.r
scripts can receive a date argument, the date can be parse viaanydate
if anytime ins present.- The
enqueeJobs.r
now considers skipped package when running 'addfailed' while ensuring selecting packages are still on CRAN.- The CI setup has been updated (twice),
- Enqueing and dequing functions and scripts now support relative directories, updated documentation (#18 by Joshua Ulrich).
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
theme_ipsum_rc()
function from hrbrthemes by Bob Rudis in a zero (added) dependency way. A
simple example is (also available as a demo inside the package)
contrasts the default style (on left) with the one added by this package
(on the right):
This version mostly just updates to the newest releases of ggplot2 as one
must, and takes advantage of Bob s update to hrbrthemes
yesterday.
The full set of changes since the initial CRAN release follows.
Courtesy of my CRANberries, there is a diffstat report relative to previous release. More detailed information is on the repo where comments and suggestions are welcome. If you like this or other open-source work I do, you can sponsor me at GitHub.Changes in spdl version 0.0.2 (2024-03-04)
- Added continuous integrations action based on r2u
- Added
demo/
directory and a READNE.md- Minor edits to help page content
- Synchronised with ggplot2 3.5.0 via hrbrthemes
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
Courtesy of my CRANberries, there is a diffstat report relative to previous release. More detailed information is on the RcppArmadillo page. Questions, comments etc should go to the rcpp-devel mailing list off the Rcpp R-Forge page. If you like this or other open-source work I do, you can sponsor me at GitHub.Changes in RcppArmadillo version 0.12.8.1.0 (2024-03-02)
- Upgraded to Armadillo release 12.8.1 (Cortisol Injector)
- Workaround in
norm()
for yet another bug in macOS accelerate framework- Update README for RcppArmadillo usage counts
- Update examples to use '#include <RcppArmadillo/Lighter>' for faster compilation excluding unused Rcpp features
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
NEWS
file entry follows.
Courtesy of CRANberries, there is also a diffstat report for the most recent release. If you like this or other open-source work I do, you can sponsor me at GitHub.Changes in RcppEigen version 0.3.4.0.0 (2024-02-28)
- The Eigen version has been upgrade to release 3.4.0 (Yixuan)
- Extensive reverse-dependency checks ensure only three out of over 400 packages at CRAN are affected; PRs and patches helped other packages
- The long-running branch also contains substantial contributions from Mikael Jagan (for the lme4 interface) and Andrew Johnson (revdep PRs)
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
256
. This version includes the following changes:
* CVE-2024-25711: Use a determistic name when extracting content from GPG
artifacts instead of trusting the value of gpg's --use-embedded-filenames.
This prevents a potential information disclosure vulnerability that could
have been exploited by providing a specially-crafted GPG file with an
embedded filename of, say, "../../.ssh/id_rsa".
Many thanks to Daniel Kahn Gillmor <dkg@debian.org> for reporting this
issue and providing feedback.
(Closes: reproducible-builds/diffoscope#361)
* Temporarily fix support for Python 3.11.8 re. a potential regression
with the handling of ZIP files. (See reproducible-builds/diffoscope#362)
Courtesy of my CRANberries, there is a diffstat report relative to previous release. More detailed information is on the RcppArmadillo page. Questions, comments etc should go to the rcpp-devel mailing list off the Rcpp R-Forge page. If you like this or other open-source work I do, you can sponsor me at GitHub.Changes in RcppArmadillo version 0.12.8.0.0 (2024-02-06)
- Upgraded to Armadillo release 12.8.0 (Cortisol Injector)
- Faster detection of symmetric expressions by
pinv()
andrank()
- Expanded
shift()
to handle sparse matrices- Expanded
conv_to
for more flexible conversions between sparse and dense matrices- Added
cbrt()
- More compact representation of integers when saving matrices in CSV format
- Five non-user facing top-level include files have been removed (#432 closing #400 and building on #395 and #396)
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
Our exploit path resulted in the ability to upload malicious PyTorch releases to GitHub, upload releases to [Amazon Web Services], potentially add code to the main repository branch, backdoor PyTorch dependencies the list goes on. In short, it was bad. Quite bad.The attack pivoted on PyTorch s use of self-hosted runners as well as submitting a pull request to address a trivial typo in the project s
README
file to gain access to repository secrets and API keys that could subsequently be used for malicious purposes.
archlinux-userland-fs-cmp
, the tool is supposed to be used from a rescue image (any Linux) with an Arch install mounted to, [for example], /mnt
. Crucially, however, at no point is any file from the mounted filesystem eval d or otherwise executed. Parsers are written in a memory safe language.
More information about the tool can be found on their announcement message, as well as on the tool s homepage. A GIF of the tool in action is also available.
SOURCE_DATE_EPOCH
code?
Chris Lamb started a thread on our mailing list summarising some potential problems with the source code snippet the Reproducible Builds project has been using to parse the SOURCE_DATE_EPOCH
environment variable:
I m not 100% sure who originally wrote this code, but it was probably sometime in the ~2015 era, and it must be in a huge number of codebases by now. Anyway, Alejandro Colomar was working on the shadow security tool and pinged me regarding some potential issues with the code. You can see this conversation here.Chris ends his message with a request that those with intimate or low-level knowledge of
time_t
, C types, overflows and the various parsing libraries in the C standard library (etc.) contribute with further info.
SOURCE_DATE_EPOCH
to document its interaction with distribution rebuilds. [ ].
254
and 255
to Debian but focusing on triaging and/or merging code from other contributors. This included adding support for comparing eXtensible ARchive (.XAR/.PKG) files courtesy of Seth Michael Larson [ ][ ], as well considerable work from Vekhir in order to fix compatibility between various and subtle incompatible versions of the progressbar libraries in Python [ ][ ][ ][ ]. Thanks!
arm64
architecture workers from 24 to 16. [ ]arm64
nodes when they hit an OOM (out of memory) state. [ ]real_year
variable to 2024 [ ] and bump various copyright years as well [ ].iptables
tool everywhere, else our custom rc.local
script fails. [ ]/srv/workspace/pbuilder
directory on boot. [ ]chroot-installation
jobs to a maximum of 4 concurrent runs. [ ][ ]armhf
architecture test infrastructure. This provided the incentive to replace the UPS batteries and consolidate infrastructure to reduce future UPS load. [ ]
Elsewhere in our infrastructure, however, Holger Levsen also adjusted the email configuration for @reproducible-builds.org
to deal with a new SMTP email attack. [ ]
cython
(nondeterminstic path issue)deluge
(issue with modification time of .egg
file)gap-ferret
, gap-semigroups
& gap-simpcomp
(nondeterministic config.log
file)grpc
(filesystem ordering issue )hub
(random)kubernetes1.22
& kubernetes1.23
(sort-related issue)kubernetes1.24
& kubernetes1.25
(go -trimpath
vs random issue)libjcat
(drop test files with random bytes)luajit
(Use new d
option for deterministic bytecode output)meson
[ ][ ] (sort the results from Python filesystem call)python-rjsmin
(drop GCC instrumentation artifacts)qt6-virtualkeyboard+others
(bug parallelism/race)SoapySDR
(parallelism-related issue)systemd
(sorting problem)warewulf
(CPIO modification time issue, etc.)guake
( Schroedinger file due to race condition)qhelpgenerator-qt5
(timezone localization; fix also merged upstream for QT6)sphinx
(search index doctitle
sorting)mm-common
package in Debian this was quickly fixed, however. [ ]
#reproducible-builds
on irc.oftc.net
.
rb-general@lists.reproducible-builds.org
Next.