What happened in the reproducible builds effort this week:
Media coverage
Nathan Willis covered our DebConf15 status update in Linux Weekly News. Access for non-LWN subscribers will be given on Thursday 24th.
Linux Journal published a more general piece last Tuesday.
Unexpected praise for reproducible builds appeared this week in the form of several iOS applications identified as including spyware. The malware went undetected by Apple's screening. This happened because application developers had simply downloaded a trojaned version of Xcode through an unofficial source. While reproducible builds can't really help users of non-free software, this is exactly the kind of attack that we are trying to prevent in our systems.
Toolchain fixes
Niko Tyni wrote and uploaded a better patch for the source order problem in libmodule-build-perl.
Tristan Seligmann identified how the code generated by python-cffi could be emitted in random order in some cases. Upstream has already fixed the problem.
Packages fixed
The following 24 packages became reproducible due to changes in their build dependencies: apache-curator, checkbox-ng, gant, gnome-clocks, hawtjni, jackrabbit, jersey1, libjsr305-java, mathjax-docs, mlpy, moap, octave-geometry, paste, pdf.js, pyinotify, pytango, python-asyncssh, python-mock, python-openid, python-repoze.who, shadow, swift, tcpwatch-httpproxy, transfig.
The following packages became reproducible after getting fixed:
Some uploads fixed some reproducibility issues but not all of them:
Patches submitted which have not made their way to the archive yet:
reproducible.debian.net
Tests for Coreboot, OpenWrt, NetBSD, and FreeBSD now run weekly (instead of monthly).
diffoscope development
Python 3 offers new features (namely yield from and concurrent.futures) that could help implement parallel processing. The clear separation of bytes and unicode strings is also likely to reduce encoding-related issues.
Mattia Rizzolo thus kicked off the effort of porting diffoscope to Python 3.
tlsh was the only dependency missing a Python 3 module. This got quickly fixed by a new upload.
The rest of the code has been moved to the point where only incompatibilities between Python 2.7 and Python 3.4 had to be changed. The commit stream still requires some cleanups but all tests are now passing under Python 3.
Documentation update
The documentation on how to assemble the weekly reports has been updated. (Lunar)
The example on how to use SOURCE_DATE_EPOCH with CMake has been improved. (Ben Boeckel, Daniel Kahn Gillmor)
The solution for timestamps in man pages generated by Sphinx now uses SOURCE_DATE_EPOCH. (Mattia Rizzolo)
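The two kinds of fix reported in this issue, pinning the order of generated output (as in the python-cffi and libmodule-build-perl items) and taking embedded timestamps from SOURCE_DATE_EPOCH, are shown together in the following added example. It is not code from python-cffi, Sphinx or any other project mentioned here; the function names, the generated header format and the sample epoch value are assumptions made for the illustration.

```python
import hashlib
import os
import time


def build_timestamp(environ=os.environ):
    """Return SOURCE_DATE_EPOCH if it is set, otherwise the current clock."""
    value = environ.get("SOURCE_DATE_EPOCH")
    if value is None:
        return int(time.time())  # non-reproducible fallback
    epoch = int(value)  # raises ValueError on a malformed value
    if epoch < 0:
        raise ValueError("SOURCE_DATE_EPOCH must be non-negative")
    return epoch


def generate_header(symbols, environ=os.environ):
    """Emit a generated file whose bytes depend only on its inputs."""
    # Always format in UTC so the builder's time zone cannot leak in.
    stamp = time.strftime("%Y-%m-%d", time.gmtime(build_timestamp(environ)))
    lines = ["/* generated on %s */" % stamp]
    # A set of strings iterates in hash order, which changes between
    # interpreter runs under hash randomization; sorting pins the order.
    for name in sorted(symbols):
        lines.append("extern int %s(void);" % name)
    return ("\n".join(lines) + "\n").encode("utf-8")


def digest(data):
    """SHA-256 of a build artifact, for comparing independent builds."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed sample input: 1442793600 is 2015-09-21 00:00:00 UTC.
    env = {"SOURCE_DATE_EPOCH": "1442793600"}
    first = generate_header({"foo", "bar", "baz"}, env)
    second = generate_header(["baz", "foo", "bar"], env)
    print(first.decode("utf-8"), end="")
    print("identical:", digest(first) == digest(second))
```
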
Package reviews
45 reviews have been removed, 141 added and 62 updated this week.
67 new FTBFS reports have been filed by Chris Lamb, Niko Tyni, and Lisandro Damián Nicanor Pérez Meyer.
New issues added this week: randomness_in_r_rdb_rds_databases, python-ply_compiled_parse_tables.
Misc.
The prebuilder script is now properly testing umask variations again.
Santiago Vila started a discussion on debian-devel on how binNMUs would work for reproducible builds.