What happened in the Reproducible Builds effort between June 19th and June 25th 2016.
Media coverage
- Holger Levsen gave a talk at openSUSE Conference 2016 explaining the general idea and status of Reproducible Builds. This talk is available as a video recording.
- This was followed by Bernhard Wiedemann detailing his work on Reproducible Builds for openSUSE, which is also available as a video recording:
  - openSUSE uses SOURCE_DATE_EPOCH now too
  - How to create bit-for-bit identical RPMs
  - How strip-nondeterminism is Python and thus unsuitable for the openSUSE base system
- Mozilla awarded $77k to work on reproducible builds for Tails.
The goal is to enable anyone (given sufficient technical skills and
hardware resources) to rebuild from source a given Tails release, in
order to independently verify that it matches the ISO image that
was published. A substantial part of this work will be done in Debian:
for example, to make the side-effects of some packages'
post-installation scripts deterministic. On the longer term, this
work should benefit other projects that want to make their own
builds reproducible (e.g. operating system images for the cloud and
embedded systems, operating system installation media, other Live
systems).
GSoC and Outreachy updates
Toolchain fixes
Other upstream fixes
Emil Velikov searched on IRC for hints on how to guarantee unique values during the build in order to invalidate shader caches in Mesa when no VCS information is available either. A possible solution is a timestamp, which is unique enough for local builds but can still be made reproducible by allowing it to be overridden with SOURCE_DATE_EPOCH.
Packages fixed
The following 9 packages have become reproducible due to changes in their
build dependencies:
cclib
librun-parts-perl
llvm-toolchain-snapshot
python-crypto
python-openid
r-bioc-shortread
r-bioc-variantannotation
ruby-hdfeos5
sqlparse
The following packages have become reproducible after being fixed:
Some uploads have fixed some reproducibility issues, but not all of them:
Patches submitted that have not made their way to the archive yet:
- #827684 against cgoban by Chris Lamb: set SHELL to static value.
- #827731 against tin by Alexis Bienvenüe: drop patch which overwrites __DATE__/__TIME__ macros, since gcc can handle it now.
- #827863 against swedish by Alexis Bienvenüe: use C locale for sorting.
- #827987 against glances by Chris Lamb: use SOURCE_DATE_EPOCH for embedded timestamp.
- #827994 against cmtk by Chris Lamb: use C locale for sorting.
- #828008 against aghermann by Chris Lamb: honour SOURCE_DATE_EPOCH for timestamps embedded into manpages.
- #828012 against bind9 by Chris Lamb: honour SOURCE_DATE_EPOCH for embedded timestamp.
- #828017 against frog by Chris Lamb: don't include pyc/pyo files in the package.
- #828021 against extra-cmake-modules by Scarlett Clark: normalize permission and file order in tarballs.
- #828060 against libffado by Chris Lamb: exclude file with test output from package.
- #828066 against gsmlib by Chris Lamb: honour SOURCE_DATE_EPOCH for timestamps embedded into manpages.
- #828067 against grib-api by Chris Lamb: exclude pyc files from package.
- #828122 against libxmlbird by Chris Lamb: sort list of globbed files.
- #828123 against magnum by Chris Lamb: use static value for embedded hostname.
- #828131 against pyjwt by Chris Lamb: exclude coverage data from package.
- #828145 against mkdocs by Chris Lamb: honour SOURCE_DATE_EPOCH for embedded timestamp.
- #828164 against zeal by Chris Lamb: use UTC for embedded timestamp.
- #828168 against x42-plugins by Daniel Shahaf: use printf instead of non-portable echo.
Package reviews
139 reviews have been added, 20 have been updated and 21 have been removed this week.
New issues found:
53 FTBFS bugs have been reported by Chris Lamb, Santiago Vila and Mateusz Łukasik.
diffoscope development
Quote of the week
"My builds are so reproducible, they fail exactly every second time."
Johannes Ziemke (@discordianfish)
Misc.
This week's edition was written by Chris Lamb (lamby), Reiner Herrmann and Holger Levsen and reviewed by a bunch of Reproducible Builds folks on IRC.