Powerlevel10k is a theme for Zsh. It contains some powerful
features, is astoundingly fast, and easy to customize. I am quite
amazed at the skills of its main author. Be sure to also have a
look at Zsh for Humans, a complete Zsh configuration including
this theme.
One of the nice features of Powerlevel10k is transient prompts:
past prompts are reduced to a more minimal configuration to save space
by removing unneeded information.
My implementation of a transient prompt with Zsh. Past prompts are compact and include the time of the command execution, the hostname, and the status of the previous command while the complete prompt contains more information like the current directory and the Git branch.
When it comes to configuring my shell, I still prefer writing and
understanding each line going into it. Therefore, I am still building
my Zsh configuration from scratch. Here is how I have integrated
the above transient feature into my prompt.
The first step is to configure the appearance of the prompt in its
compact form. Let s assume we have a variable, $_vbe_prompt_compact
set to 1 when we want a compact prompt. We use the
following function to define the prompt appearance:
_vbe_prompt ()localretval=$?# When compact, just time + prompt signif(($_vbe_prompt_compact));then# Current time (with timezone for remote hosts)
_vbe_prompt_segment cyan default "%D %H:%M$ SSH_TTY+ %Z "# Hostname for remote hosts[[$SSH_TTY]]&&\
_vbe_prompt_segment black magenta "%B%M%b"# Status of the last commandif(($retval));then
_vbe_prompt_segment red default $ PRCH[reta]else
_vbe_prompt_segment green cyan $ PRCH[ok]fi# End of prompt
_vbe_prompt_end
returnfi# Regular prompt with many information# [ ]
setopt prompt_subst
PS1='$(_vbe_prompt) '
Update (2021.05)
The following part has been rewritten to be
more robust. The code is stolen from Powerlevel10k s issue #888.
See the comments for more details.
Our next step is to redraw the prompt after accepting a command. We
wrap Zsh line editor into a function:1
_vbe-zle-line-init()[[$CONTEXT== start ]]return0# Start regular line editor(( $+zle_bracketed_paste ))&& print -r -n - $zle_bracketed_paste[1]
zle .recursive-edit
local -i ret=$?(( $+zle_bracketed_paste ))&& print -r -n - $zle_bracketed_paste[2]# If we received EOT, we exit the shellif[[$ret==0&&$KEYS==$'\4']];then_vbe_prompt_compact=1
zle .reset-prompt
exitfi# Line edition is over. Shorten the current prompt._vbe_prompt_compact=1
zle .reset-prompt
unset _vbe_prompt_compact
if(( ret ));then# Ctrl-C
zle .send-break
else# Enter
zle .accept-line
fireturn ret
zle -N zle-line-init _vbe-zle-line-init
That s all!
One downside of using the powerline fonts is that it messes with
copy/paste. As I am using tmux, I use the following snippet to work
around this issue and use only standard Unicode characters when
copying from the terminal:
Copying and pasting the text from the screenshot above yields the
following text:
14:21 % ssh eizo.luffy.cx
Linux eizo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64Last login: Fri Apr 23 14:20:39 2021 from 2a01:cb00:3f:b02:9db6:efa4:d85:7f9f14:21 CEST % uname -a
Linux eizo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux14:21 CEST %Connection to eizo.luffy.cx closed.14:22 % git status
On branch article/zsh-transientUntracked files: (use "git add <file>..." to include in what will be committed) ../../media/images/zsh-compact-prompt@2x.jpgnothing added to commit but untracked files present (use "git add" to track)
We have to manually enable bracketed paste because
Zsh does it after zle-line-init.
Armadillo is a powerful and expressive C++ template library for linear algebra aiming towards a good balance between speed and ease of use with a syntax deliberately close to a Matlab. RcppArmadillo integrates this library with the R environment and language and is widely used by (currently) 865 other packages on CRAN.
This new release brings Armadillo 10.5.0 which was released early on Friday. We had done one full test in the 10.5 rc1 prerelease one week earlier, and did another test on 10.5.0 and this 0.10.5.0.0 RcppArmadillo release just for added rigour. The package was then uploaded to CRAN late Friday (my timezone). The automated process flagged one NOTE as a false positive (yet another instance of the well-known (yet dreaded) issue of Suggests != Depends by one these 865 packages). This lead to a need of an inspection by one of the CRAN maintainers, and the weekend being the weekend it was only processed just now.
Upstream moves at a speed that is a little faster than the cadence CRAN likes. As we had released RcppArmadillo 0.10.4.0.0 on April 13 we did not want to follow-up too soon thereafter with 0.10.4.1.0 which was thusly only a GitHub and drat release (which can always be had easily too via install.packages("RcppArmadillo", repos="https://RcppCore.github.io/drat").)
The full set of changes follows. We include the aforementioned interim release as well.
Changes in RcppArmadillo version 0.10.5.0 (2021-05-21)
Upgraded to Armadillo release 10.5 (Antipodean Fortress)
added .clamp() member function
expanded the standalone clamp() function to handle complex values
more efficient use of OpenMP
vector, matrix and cube constructors now initialise elements to zero by default; use the fill::none specifier, eg. mat X(4,5,fill::none), to disable element initialisation
Added codecov.yml to exclude Armadillo from coverage analysis
Changes in RcppArmadillo version 0.10.4.1.0 (2021-04-23)
Upgraded to Armadillo release 10.4.1 (Pressure Cooker)
I wrote for LWN for about two years. During that
time, I wrote (what seems to me an impressive) 34
articles, but I always had a pile of ideas in the back of my
mind. Those are ideas, notes, and scribbles lying around. Some were
just completely abandoned because they didn't seem a good fit for LWN.
Concretely, I stored those in branches in a git repository, and used
the branch name (and, naively, the last commit log) as indicators of
the topic.
This was the state of affairs when I left:
remotes/private/attic/novena 822ca2bb add letter i sent to novena, never published
remotes/private/attic/secureboot de09d82b quick review, add note and graph
remotes/private/attic/wireguard 5c5340d1 wireguard review, tutorial and comparison with alternatives
remotes/private/backlog/dat 914c5edf Merge branch 'master' into backlog/dat
remotes/private/backlog/packet 9b2c6d1a ham radio packet innovations and primer
remotes/private/backlog/performance-tweaks dcf02676 config notes for http2
remotes/private/backlog/serverless 9fce6484 postponed until kubecon europe
remotes/private/fin/cost-of-hosting 00d8e499 cost-of-hosting article online
remotes/private/fin/kubecon f4fd7df2 remove published or spun off articles
remotes/private/fin/kubecon-overview 21fae984 publish kubecon overview article
remotes/private/fin/kubecon2018 1edc5ec8 add series
remotes/private/fin/netconf 3f4b7ece publish the netconf articles
remotes/private/fin/netdev 6ee66559 publish articles from netdev 2.2
remotes/private/fin/pgp-offline f841deed pgp offline branch ready for publication
remotes/private/fin/primes c7e5b912 publish the ROCA paper
remotes/private/fin/runtimes 4bee1d70 prepare publication of runtimes articles
remotes/private/fin/token-benchmarks 5a363992 regenerate timestamp automatically
remotes/private/ideas/astropy 95d53152 astropy or python in astronomy
remotes/private/ideas/avaneya 20a6d149 crowdfunded blade-runner-themed GPLv3 simcity-like simulator
remotes/private/ideas/backups-benchmarks fe2f1f13 review of backup software through performance and features
remotes/private/ideas/cumin 7bed3945 review of the cumin automation tool from WM foundation
remotes/private/ideas/future-of-distros d086ca0d modern packaging problems and complex apps
remotes/private/ideas/on-dying a92ad23f another dying thing
remotes/private/ideas/openpgp-discovery 8f2782f0 openpgp discovery mechanisms (WKD, etc), thanks to jonas meurer
remotes/private/ideas/password-bench 451602c0 bruteforce estimates for various password patterns compared with RSA key sizes
remotes/private/ideas/prometheus-openmetrics 2568dbd6 openmetrics standardizing prom metrics enpoints
remotes/private/ideas/telling-time f3c24a53 another way of telling time
remotes/private/ideas/wallabako 4f44c5da talk about wallabako, read-it-later + kobo hacking
remotes/private/stalled/bench-bench-bench 8cef0504 benchmarking http benchmarking tools
remotes/private/stalled/debian-survey-democracy 909bdc98 free software surveys and debian democracy, volunteer vs paid work
Wow, what a mess! Let's see if I can make sense of this:
Attic
Those are articles that I thought about, then finally rejected, either
because it didn't seem worth it, or my editors rejected it, or I just
moved on:
novena: the project is ooold now, didn't seem to fit a LWN
article. it was basically "how can i build my novena now" and "you
guys rock!" it seems like the MNT Reform is the brain child of
the Novena now, and I dare say it's even cooler!
secureboot: my LWN editors were critical of my approach, and
probably rightly so - it's a really complex subject and I was
probably out of my depth... it's also out of date now, we did
manage secureboot in Debian
wireguard: LWN ended up writingextensive coverage, and
I was biased against Donenfeld because of conflicts in a previous
project
Backlog
Those were articles I was planning to write about next.
dat: I already had written Sharing and archiving data sets with
Dat, but
it seems I had more to say... mostly performance issues, beaker, no
streaming, limited adoption... to be investigated, I guess?
packet: a primer on data communications over ham radio, and the
cool new tech that has emerged in the free software world. those
are mainly notes about Pat, Direwolf, APRS and so
on... just never got around to making sense of it or really using
the tech...
performance-tweaks: "optimizing websites at the age of http2",
the unwritten story of the optimization of this website with HTTP/2
and friends
serverless: god. one of the leftover topics at Kubecon, my notes
on this were thin, and the actual subject, possibly even
thinner... the only lie worse than the cloud is that there's no
server at all! concretely, that's a pile of notes about
Kubecon which I wanted to sort
through. Probably belongs in the attic now.
Fin
Those are finished articles, they were published on my website and
LWN, but the branches were kept because previous drafts had private
notes that should not be published.
backups-benchmarks: review of backup software through performance
and features, possibly based on those benchmarks, maybe based
on this list from restic although they refused
casync. benchmark articles are hard though, especially when
you want to "cover them all"... I did write a silly Attic vs
Bup back when those programs existed (2014), in a related
note...
ideas/on-dying: "what happens when a hacker dies?" rather grim
subject, but a more and more important one... joeyh has ideas
again, phk as well, then there's a protocol for dying
(really grim)... then there are site policies like GitHub,
Facebook, etc... more in the branch, but that one I can't help but
think about now that family has taken a bigger place in my life...
ideas/openpgp-discovery: OpenPGP discovery mechanisms (WKD, etc),
suggested by Jonas Meurer (somewhere?), only links to
Mailveloppe, LEAP, WKD (or is it WKS?), another
standard, probably would need to talk about OpenPGP CA now
and how Debian and Tor manage their keyrings... pain in the back.
ideas/password-bench: bruteforce estimates for various password
patterns compared with RSA key sizes, spinoff of my smartcard
article, in
the crypto-bench, look at this shiny graph, surely that
must mean an article, right?
ideas/prometheus-openmetrics: "Evolving the Prometheus exposition
format into a standard", seems like this happened
ideas/telling-time: telling time to users is hard. xclock vs
ttyclock, etc. maybe gameclock and undertime as well? syncing time
is hard, but it turns out showing it is non trivial as
well... basically turning this bug report into an article. for
some reason I linked to this meme, derived from this
meme, presumably a premonition of my stupid idea of writing
undertime TIMEZONES!
ideas/wallabako: "talk about wallabako, read-it-later + kobo
hacking", that's it, not even a link to the project!
A lot of those branches were actually just an empty commit, with the
commitlog being the "pitch", more or less. I'd send that list to my
editors, sometimes with a few more links (basically the above), and
they would nudge me one way or the other.
Sometimes they would actively discourage me to write about something,
and I would do it anyways, send them a draft, and they would patiently
make me rewrite it until it was a decent article. This was especially
hard with the terminal emulatorseries, which took forever to
write and even got my editors upset when they realized I had never
installed Fedora (I ended up installing it, and I was proven wrong!)
Stalled
Oh, and then there's those: those are either "ideas" or "backlog" that
got so far behind that I just moved them out of the way because I was
tired of seeing them in my list.
stalled/bench-bench-bench benchmarking http benchmarking tools, a
horrible mess of links, copy-paste from terminals, and ideas about
benchmarking... some of this trickled out into this benchmarking
guide at Tor, but not much more than the list of tools
stalled/debian-survey-democracy: "free software surveys and
Debian democracy, volunteer vs paid work"... A long standing
concern of mine is that all Debian work is supposed to be
volunteer, and paying explicitly for work inside Debian has
traditionally been frowned upon, even leading to serious drama and
dissent (remember Dunc-Tank)? back when I was writing for LWN,
I was also doing paid work for Debian LTS. I also learned
that a lot (most?) Debian Developers were actually being paid by
their job to work on Debian. So I was confused by this apparent
contradiction, especially given how the LTS project has been mostly
accepted, while Dunc-Tank was not... See also this talk at Debconf
16. I had hopes that this study would show the "hunch"
people have offered (that most DDs are paid to work on Debian) but
it seems to show the reverse (only 36% of DDs, and 18% of all
respondents paid). So I am still confused and worried about the
sustainability of Debian.
What do you think?
So that's all I got. As people might have noticed here, I have much
less time to write these days, but if there's any subject in there I
should pick, what is the one that you would find most interesting?
Oh! and I should mention that you can write to LWN! If you think
people should know more about some Linux thing, you can get paid to
write for it! Pitch it to the editors, they won't bite. The worst
that can happen is that they say "yes" and there goes two years of
your life learning to write. Because no, you don't know how to write,
no one does. You need an editor to write.
That's why this article looks like crap and has a smiley.
So we're a fair way through the release, then. Testing of almost all the standard images has finished. Pretty much all of the disk images are now complete and in place.People are working their way through the tests of the debian-live images in the various desktop flavours. These have to be done on real hardware - so it does take time. A new tester - peylight - has dropped in to help for the first time. Sqrt not has also joined us from the other end of the timezone scale - we have somebody at UTC-0700 and somebody at UTC+0430 today. [I can't remember where Linux-fan is timezone wise] All of the help from all the testers is very welcome, as ever. A slight pause - a couple of us have a meal to eat - but it looks as if we've done well on timings. The original estimate was for 2000UTC - maybe a little after that and we'll be finished and the images release can be published - there were a couple of minor hiccups but we've done well so far. Thanks, as always, to the people behind the scenes doing all the work, to DSA and admins providing large machines for us to do the builds on and to the people who drop in and spend a few hours of their time on a working day/weekend to help out.
You'll probably want to add a remote
control to that setup. I used an
old Streamzap I had
lying around.
Installing the OS on the SD-card
Plug the SD card into a computer using a USB adapter.
Download the imager and use it to
install Raspbian on the SDcard.
Then you can simply plug the SD card into the Pi and boot.
System configuration
Using sudo raspi-config, I changed the following:
Set hostname (System Options)
Wait for network at boot (System Options): needed for NFS
Disable screen blanking (Display Options)
Enable ssh (Interface Options)
Configure locale, timezone and keyboard (Localisation Options)
apt install unattended-upgrades anacron
echo 'Unattended-Upgrade::Origins-Pattern
"origin=Debian,codename=$ distro_codename ,label=Debian";
"origin=Debian,codename=$ distro_codename ,label=Debian-Security";
"origin=Raspbian,codename=$ distro_codename ,label=Raspbian";
"origin=Raspberry Pi Foundation,codename=$ distro_codename ,label=Raspberry Pi Foundation";
;' sudo tee /etc/apt/apt.conf.d/51unattended-upgrades-raspbian
Headless setup
Should you need to do the setup without a monitor, you can enable ssh by
inserting the SD card into a computer and then creating an empty file called
ssh in the boot partition.
Plug it into your router and boot it up. Check the IP that it received by
looking at the active DHCP leases in your router's admin panel.
Then login:
and only allowing ssh connections.
After starting ufw using systemctl start ufw.service, you can check that
it's configured as expected using ufw status. It should display the
following:
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
Installing Kodi
Kodi is very straightforward to install since it's now part of the Raspbian repositories:
apt install kodi
To make it start at boot/login, while still being able to exit and use other
apps if needed:
Network File System
In order to avoid having to have all media storage connected directly to the
Pi via USB, I setup an
NFS share over my local
network.
First, give static IP allocations to the server and the Pi in your DHCP
server, then add it to the /etc/hosts file on your NFS server:
Here s my (sixteenth) monthly update about the activities I ve done in the F/L/OSS world.
Debian
This was my 25th month of contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas 19! \o/
This month was bat-shit crazy. Why? We ll come to it later, probably 15th of this month?
Anyway, besides being crazy, hectic, adventerous, and the first of 2021, this month I was super-insanely busy. With what? Hm, more about this later this month! ^_^
However, I still did some Debian stuff here and there. Here are the following things I worked on:
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my sixteenth month as a Debian LTS and seventh month as a Debian ELTS paid contributor.
I was assigned 26.00 hours for LTS and 36.75 hours for ELTS and worked on the following things:
(however, I worked extra for 9 hours for LTS and 9 hours for ELTS this month, which I intend to balance from the next month!)
LTS CVE Fixes and Announcements:
Issued DLA 2518-1, fixing CVE-2020-35492, for cairo.
For Debian 9 Stretch, these problems have been fixed in version 1.14.8-1+deb9u1.
Prepared DSA 4831-1, fixing CVE-2020-26298, for ruby-redcarpet.
For Debian 10 Buster, these problems have been fixed in version 3.4.0-4+deb10u1. The announcement was released by the Security Team.
This January, on 23rd and 24th, we had Mini DebConf India 2021 online.
I had a talk as well, titled, Why Point Releases are important and how you can help
prepare them?".
It was a fun and a very short talk, where I just list out the reasons and ways to help in
the preparation of point releases . I did some experimentation with this talk, figuring
out what works for the audience and what doesn t and where can I improve for the next time
I talk about this topic! \o/
You can listen to the talk here
and let me know if you have any feedback!
Anyway, the conference lasted for 2 days and I also did some volunteering (talk director,
talk miester) in Hindi and English, both! It was all so fun and new. Anyway, here s the picture we took:
In another exciting news, I got my first CVE assigned!!! \o/
No, it is not something that I found, it was discovered by Tavis Ormandy. I just assigned
this a CVE ID, CVE-2021-3181.
This is my first, so I am very excited about this! ^_^
Besides, there s something more that is in the pipelines. Can t talk about it now, shh. But
hopefully very sooooooon!
Other $things! \o/
This month was tiresome, with most of the time being spent on the Debian stuff, I did
very little work outside it, really. The issues and patches that I sent are:
Issue #700 for redcarpet, asking for a reproducer for CVE-2020-26298 and some additional patch related queries.
Issue #7 for in-parallel, asking them to not use relative paths for tests.
Issue #8 for in-parallel, reporting a test failure for the library.
Issue #2 for rake-ant, asking them to bump their dependencies to a newer version.
PR #3 for rake-ant, bumping the dependencies to a newer version, fixing the above issue, heh.
Issue #4 for rake-ant, requesting to drop git from their gemspec.
PR #5 for rake-ant, dropping git from gemspec, fixing the above issue, heh.
Issue #95 for WavPack, asking for a review of past security vulnerabilites wrt v4.70.0.
Reviewed PR #128 for ruby-openid, addressing the past regression with CVE fix merge.
Reviewed PR #63 for cocoapods-acknowledgements, updating redcarpet to v3.5.1, as a safety measure due to recently discovered vulnerability.
Issue #1331 for bottle, asking for relevant commits for CVE-2020-28473 and clarifying other things.
Issue #5 for em-redis, reporting test failures on IPv6-only build machines.
Issue #939 for eventmachine, reporting test failures for em-redis on IPv6-only build machines.
Welcome to the October 2020 report from the Reproducible Builds project.
In our monthly reports, we outline the major things that we have been up to over the past month. As a brief reminder, the motivation behind the Reproducible Builds effort is to ensure flaws have not been introduced in the binaries we install on our systems. If you are interested in contributing to the project, please visit our main website.
The previous year has seen great progress in Arch Linux to get reproducible builds in the hands of the users and developers. In this talk we will explore the current tooling that allows users to reproduce packages, the rebuilder software that has been written to check packages and the current issues in this space.
GNU Mes rebuild is definitely an application of [Diverse Double-Compiling]. [..] This is an awesome application of DDC, and I believe it s the first publicly acknowledged use of DDC on a binary
Debian-related work
In August, Lucas Nussbaum performed an archive-wide rebuild of packages to test enabling the reproducible=+fixfilepath Debian build flag by default. Enabling this fixfilepath feature will likely fix reproducibility issues in an estimated 500-700 packages. However, this month Vagrant Cascadian posted to the debian-devel mailing list:
It would be great to see the reproducible=+fixfilepath feature enabled by default in dpkg-buildflags, and we would like to proceed forward with this soon unless we hear any major concerns or other outstanding issues. [ ] We would like to move forward with this change soon, so please raise any concerns or issues not covered already.
Debian Developer Stuart Prescott has been improving python-debian, a Python library that is used to parse Debian-specific files such as changelogs, .dscs, etc. In particular, Stuart is working on adding support for .buildinfo files used for recording reproducibility-related build metadata:
This can mostly be a very thin layer around the existing Deb822 types, using the existing Changes code for the file listings, the existing PkgRelations code for the package listing and gpg_* functions for signature handling.
Bernhard M. Wiedemann also reported three issues against bison, ibus and postgresql12.
Tools
diffoscope is our in-depth and content-aware diff utility. Not only could you locate and diagnose reproducibility issues, it provides human-readable diffs of all kinds too. This month, Chris Lamb uploaded version 161 to Debian (later backported by Mattia Rizzolo), as well as made the following changes:
Move test_ocaml to the assert_diff helper. []
Update tests to support OCaml version 4.11.1. Thanks to Sebastian Ramacher for the report. (#972518)
Bump minimum version of the Black source code formatter to 20.8b1. (#972518)
In addition, Jean-Romain Garnier temporarily updated the dependency on radare2 to ensure our test pipelines continue to work [], and for the GNU Guix distribution Vagrant Cascadian diffoscope to version 161 [].
In related development, trydiffoscope is the web-based version of diffoscope. This month, Chris Lamb made the following changes:
Mark a --help-only test as being a superficial test. (#971506)
Add a real, albeit flaky, test that interacts with the try.diffoscope.org service. []
Bump debhelper compatibility level to 13 [] and bump Standards-Version to 4.5.0 [].
Lastly, disorderfs version 0.5.10-2 was uploaded to Debian unstable by Holger Levsen, which enabled security hardening via DEB_BUILD_MAINT_OPTIONS [] and dropped debian/disorderfs.lintian-overrides [].
Add a citation link to the academic article regarding dettrace [], and added yet another supply-chain security attack publication [].
Reformatted the Jekyll s Liquid templating language and CSS formatting to be consistent [] as well as expand a number of tab characters [].
Used relative_url to fix missing translation icon on various pages. []
Published two announcement blog posts regarding the restarting of our IRC meetings. [][]
Added an explicit note regarding the lack of an in-person summit in 2020 to our events page. []
Testing framework
The Reproducible Builds project operates a Jenkins-based testing framework that powers tests.reproducible-builds.org. This month, Holger Levsen made the following changes:
Make a number of updates to reflect that our sponsor Profitbricks has renamed itself to IONOS. [][][][]
Run a F-Droid maintenance routine twice a month to utilise its cleanup features. []
Fix the target name in OpenWrt builds to ath79 from ath97. []
Add a missing Postfix configuration for a node. []
Temporarily disable Arch Linux builds until a core node is back. []
Make a number of changes to our thanks page. [][][]
Build node maintenance was performed by both Holger Levsen [][] and Vagrant Cascadian [][][], Vagrant Cascadian also updated the page listing the variations made when testing to reflect changes for in build paths [] and Hans-Christoph Steiner made a number of changes for F-Droid, the free software app repository for Android devices, including:
Do not fail reproducibility jobs when their cleanup tasks fail. []
Skip libvirt-related sudo command if we are not actually running libvirt. []
Use direct URLs in order to eliminate a useless HTTP redirect. []
If you are interested in contributing to the Reproducible Builds project, please visit the Contribute page on our website. However, you can also get in touch with us via:
Welcome to the August 2020 report from the Reproducible Builds project.
In our monthly reports, we summarise the things that we have been up to over the past month. The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced from the original free software source code to the pre-compiled binaries we install on our systems. If you re interested in contributing to the project, please visit our main website.
This month, Jennifer Helsby launched a new reproduciblewheels.com website to address the lack of reproducibility of Python wheels.
To quote Jennifer s accompanying explanatory blog post:
One hiccup we ve encountered in SecureDrop development is that not all Python wheels can be built reproducibly. We ship multiple (Python) projects in Debian packages, with Python dependencies included in those packages as wheels. In order for our Debian packages to be reproducible, we need that wheel build process to also be reproducible
Reproducible builds at DebConf20
There were a number of talks at the recent online-only DebConf20 conference on the topic of reproducible builds.
Holger gave a talk titled Reproducing Bullseye in practice , focusing on independently verifying that the binaries distributed from ftp.debian.org are made from their claimed sources. It also served as a general update on the status of reproducible builds within Debian. The video (145 MB) and slides are available.
There were also a number of other talks that involved Reproducible Builds too. For example, the Malayalam language mini-conference had a talk titled , ? ( I want to join Debian, what should I do? ) presented by Praveen Arimbrathodiyil, the Clojure Packaging Team BoF session led by Elana Hashman, as well as Where is Salsa CI right now? that was on the topic of Salsa, the collaborative development server that Debian uses to provide the necessary tools for package maintainers, packaging teams and so on.
Jonathan Bustillos (Jathan) also gave a talk in Spanish titled Un camino verificable desde el origen hasta el binario ( A verifiable path from source to binary ). (Video, 88MB)
Development work
After many years of development work, the compiler for the Rust programming language now generates reproducible binary code. This generated some general discussion on Reddit on the topic of reproducibility in general.
Paul Spooren posted a request for comments to OpenWrt s openwrt-devel mailing list asking for clarification on when to raise the PKG_RELEASE identifier of a package. This is needed in order to successfully perform rebuilds in a reproducible builds context.
In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update.
Chris Lamb provided some comments and pointers on an upstream issue regarding the reproducibility of a Snap / SquashFS archive file. []
Debian
Holger Levsen identified that a large number of Debian .buildinfo build certificates have been tainted on the official Debian build servers, as these environments have files underneath the /usr/local/sbin directory []. He also filed against bug for debrebuild after spotting that it can fail to download packages from snapshot.debian.org [].
This month, several issues were uncovered (or assisted) due to the efforts of reproducible builds.
For instance, Debian bug #968710 was filed by Simon McVittie, which describes a problem with detached debug symbol files (required to generate a traceback) that is unlikely to have been discovered without reproducible builds. In addition, Jelmer Vernooij called attention that the new Debian Janitor tool is using the property of reproducibility (as well as diffoscope when applying archive-wide changes to Debian:
New merge proposals also include a link to the diffoscope diff between a vanilla build and the build with changes. Unfortunately these can be a bit noisy for packages that are not reproducible yet, due to the difference in build environment between the two builds. []
56 reviews of Debian packages were added, 38 were updated and 24 were removed this month adding to our knowledge about identified issues. Specifically, Chris Lamb added and categorised the nondeterministic_version_generated_by_python_param and the lessc_nondeterministic_keys toolchain issues. [][]
Holger Levsen sponsored Lukas Puehringer s upload of the python-securesystemslib pacage, which is a dependency of in-toto, a framework to secure the integrity of software supply chains. []
Lastly, Chris Lamb further refined his merge request against the debian-installer component to allow all arguments from sources.list files (such as [check-valid-until=no]) in order that we can test the reproducibility of the installer images on the Reproducible Builds own testing infrastructure and sent a ping to the team that maintains that code.
Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of these patches, including:
diffoscopediffoscope is our in-depth and content-aware diff utility that can not only locate and diagnose reproducibility issues, it provides human-readable diffs of all kinds. In August, Chris Lamb made the following changes to diffoscope, including preparing and uploading versions 155, 156, 157 and 158 to Debian:
New features:
Support extracting data of PGP signed data. (#214)
Try files named .pgp against pgpdump(1) to determine whether they are Pretty Good Privacy (PGP) files. (#211)
Support multiple options for all file extension matching. []
Bug fixes:
Don t raise an exception when we encounter XML files with <!ENTITY> declarations inside the Document Type Definition (DTD), or when a DTD or entity references an external resource. (#212)
pgpdump(1) can successfully parse some binary files, so check that the parsed output contains something sensible before accepting it. []
Temporarily drop gnumeric from the Debian build-dependencies as it has been removed from the testing distribution. (#968742)
Correctly use fallback_recognises to prevent matching .xsb binary XML files.
Correct identify signed PGP files as file(1) returns data . (#211)
Logging improvements:
Emit a message when ppudump version does not match our file header. []
Don t use Python s repr(object) output in Calling external command messages. []
Include the filename in the not identified by any comparator message. []
Codebase improvements:
Bump Python requirement from 3.6 to 3.7. Most distributions are either shipping with Python 3.5 or 3.7, so supporting 3.6 is not only somewhat unnecessary but also cumbersome to test locally. []
Drop some unused imports [], drop an unnecessary dictionary comprehensions [] and some unnecessary control flow [].
Correct typo of output in a comment. []
Release process:
Move generation of debian/tests/control to an external script. []
Add some URLs for the site that will appear on PyPI.org. []
Update author and author email in setup.py for PyPI.org and similar. []
Testsuite improvements:
Update PPU tests for compatibility with Free Pascal versions 3.2.0 or greater. (#968124)
Mark that our identification test for .ppu files requires ppudump version 3.2.0 or higher. []
Add an assert_diff helper that loads and compares a fixture output. [][][][]
Misc:
Duplicate docker instructions in the Get diffoscope section of the diffoscope website. []
In addition, Mattia Rizzolo documented in setup.py that diffoscope works with Python version 3.8 [] and Frazer Clews applied some Pylint suggestions [] and removed some deprecated methods [].
Clarify & fix a few entries on the who page [][] and ensure that images do not get to large on some viewports [].
Clarify use of a pronoun re. Conservancy. []
Use View all our monthly reports over View all monthly reports . []
Move a is a suffix out of the link target on the SOURCE_DATE_EPOCH age. []
In addition, Javier Jard n added the freedesktop-sdk project [] and Kushal Das added SecureDrop project [] to our projects page. Lastly, Michael P hn added internationalisation and translation support with help from Hans-Christoph Steiner [].
Testing framework
The Reproducible Builds project operate a Jenkins-based testing framework to power tests.reproducible-builds.org. This month, Holger Levsen made the following changes:
System health checks:
Improve explanation how the status and scores are calculated. [][]
Update and condense view of detected issues. [][]
Query the canonical configuration file to determine whether a job is disabled instead of duplicating/hardcoding this. []
Detect several problems when updating the status of reporting-oriented metapackage sets. []
Detect when diffoscope is not installable [] and failures in DNS resolution [].
Mark that the u-boot Universal Boot Loader should not build architecture independent packages on the arm64 architecture anymore. []
Finally, build node maintenance was performed by Holger Levsen [], Mattia Rizzolo [][] and Vagrant Cascadian [][][][]
Mailing list
On our mailing list this month, Leo Wandersleb sent a message to the list after he was wondering how to expand his WalletScrutiny.com project (which aims to improve the security of Bitcoin wallets) from Android wallets to also monitor Linux wallets as well:
If you think you know how to spread the word about reproducibility in the context of Bitcoin wallets through WalletScrutiny, your contributions are highly welcome on this PR []
Julien Lepiller posted to the list linking to a blog post by Tavis Ormandy titled You don t need reproducible builds. Morten Linderud (foxboron) responded with a clear rebuttal that Tavis was only considering the narrow use-case of proprietary vendors and closed-source software. He additionally noted that the criticism that reproducible builds cannot prevent against backdoors being deliberately introduced into the upstream source ( bugdoors ) are decidedly (and deliberately) outside the scope of reproducible builds to begin with.
Chris Lamb included the Reproducible Builds mailing list in a wider discussion regarding a tentative proposal to include .buildinfo files in .deb packages, adding his remarks regarding requiring a custom tool in order to determine whether generated build artifacts are identical in a reproducible context. []
Jonathan Bustillos (Jathan) posted a quick email to the list requesting whether there was a list of To do tasks in Reproducible Builds.
Lastly, Chris Lamb responded at length to a query regarding the status of reproducible builds for Debian ISO or installation images. He noted that most of the technical work has been performed but there are at least four issues until they can be generally advertised as such . He pointed that the privacy-oriented Tails operation system, which is based directly on Debian, has had reproducible builds for a number of years now. []
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
Dealing with the void during MiniDebConf Online #1
Between 28 and 31 May this year, we set out to create our first ever online MiniDebConf for Debian. Many people have been meaning to do something similar for a long time, but it just didn t work out yet. With many of us being in lock down due to COVID-19, and with the strong possibility looming that DebConf20 might have had to become an online event, we rushed towards organising the first ever Online MiniDebConf and put together some form of usable video stack for it.
I could go into all kinds of details on the above, but this post is about a bug that lead to a pretty nifty feature for DebConf20. The tool that we use to capture Jitsi calls is called Jibri (Jitsi Broadcasting Infrustructure). It had a bug (well, bug for us, but it s an upstream feature) where Jibri would hang up after 30s of complete silence, because it would assume that the call has ended and that the worker can be freed up again. This would result in the stream being ended at the end of every talk, so before the next talk, someone would have to remember to press play again in their media player or on the video player on the stream page. Hrmph.
Easy solution on the morning that the conference starts? I was testing a Debian Live image the night before in a KVM and thought that I might as well just start a Jitsi call from there and keep a steady stream of silence so that Jibri doesn t hang up.
It worked! But the black screen and silence on stream was a bit eery. Because this event was so experimental in nature, and because we were on such an incredibly tight timeline, we opted not to seek sponsors for this event, so there was no sponsors loop that we d usually stream during a DebConf event. Then I thought Ah! I could just show the schedule! .
The stream looked bright and colourful (and was even useful!) and Jitsi/Jibri didn t die. I thought my work was done. As usual, little did I know how untrue that was.
The silence was slightly disturbing after the talks, and people asked for some music. Playing music on my VM and capturing the desktop audio in to Jitsi was just a few pulseaudio settings away, so I spent two minutes finding some freely licensed tracks that sounded ok enough to just start playing on the stream. I came across mini-albums by Captive Portal and Cinema Noir, During the course of the MiniDebConf Online I even started enjoying those. Someone also pointed out that it would be really nice to have a UTC clock on the stream. I couldn t find a nice clock in a hurry so I just added a tmux clock in the meantime while we deal with the real-time torrent of issues that usually happens when organising events like this.
Speaking of issues, during our very first talk of the last day, our speaker had a power cut during the talk and abruptly dropped off. Oops! So, since I had a screenshare open from the VM to the stream, I thought I d just pop in a quick message in a text editor to let people know that we re aware of it and trying to figure out what s going on.
In the end, MiniDebConf Online worked out all right. Besides the power cut for our one speaker, and another who had a laptop that was way too under-powered to deal with video, everything worked out very well. Even the issues we had weren t show-stoppers and we managed to work around them.
DebConf20 Moves Online
For DebConf, we usually show a sponsors loop in between sessions. It s great that we give our sponsors visibility here, but in reality people see the sponsors loop and think Talk over! and then they look away. It s also completely silent and doesn t provide any additional useful information. I was wondering how I could take our lessons from MDCO#1 and integrate our new tricks with the sponsors loop. That is, add the schedule, time, some space to type announcements on the screen and also add some loopable music to it.
I used OBS before in making my videos, and like the flexibility it provides when working with scenes and sources. A scene is what you would think of as a screen or a document with its own collection of sources or elements. For example, a scene might contain sources such as a logo, clock, video, image, etc. A scene can also contain another scene. This is useful if you want to contain a banner or play some background music that is shared between scenes.
The above screenshots illustrate some basics of scenes and sources. First with just the DC20 banner, and then that used embedded in another scene.
For MDCO#1, I copied and pasted the schedule into a LibreOffice Impress slide that was displayed on the stream. Having to do this for all 7 days of DebConf, plus dealing with scheduling changes would be daunting. So, I started to look in to generating some schedule slides programmatically. Stefano then pointed me to the Happening Now page on the DebConf website, where the current schedule block is displayed. So all I would need to do in OBS was to display a web page. Nice!
Unfortunately the OBS in Debian doesn t have the ability to display web pages out of the box (we need to figure out CEF in Debian), but fortunately someone provides a pre-compiled version of the plugin called Linux Browser that works just fine. This allowed me to easily add the schedule page in its own scene.
Being able to display a web page solved another problem. I wasn t fond of having to type / manage the announcements in OBS. It would either be a bit prone to user error, and if you want to edit the text while the loop is running, you d have to disrupt the loop, go to the foreground scene, and edit the text before resuming the loop. That s a bit icky. Then I thought that we could probably just get that from a web page instead. We could host some nice html snippet in a repository in salsa, and then anyone could easily commit an MR to update the announcement.
But then I went a step further, use an etherpad! Then anyone in the orga team can quickly update the announcement and it would be instantly changed on the stream. Nice! So that small section of announcement text on the screen is actually a whole web browser with an added OBS filter to crop away all the pieces we don t want. Overkill? Sure, but it gave us a decent enough solution that worked in time for the start of DebConf. Also, being able to type directly on to the loop screen works out great especially in an emergency. Oh, and uhm the clock is also a website rendered in its own web browser :-P
So, I had the ability to make scenes, add elements and add all the minimal elements I wanted in there. Great! But now I had to figure out how to switch scenes automatically. It s probably worth mentioning that I only found some time to really dig into this right before DebConf started, so with all of this I was scrambling to find things that would work without too many bugs while also still being practical.
Now I needed the ability to switch between the scenes automatically / programmatically. I had never done this in OBS before. I know it has some API because there are Android apps that you can use to control OBS with from your phone. I discovered that it had an automatic scene switcher, but it s very basic. It can only switch based on active window, which can be useful in some cases, but since we won t have any windows open other than OBS, this tool was basically pointless.
After some quick searches, I found a plugin called Advanced Scene Switcher. This plugin can do a lot more, but has some weird UI choices, and is really meant for gamers and other types of professional streamers to help them automate their work flow and doesn t seem at all meant to be used for a continuous loop, but, it worked, and I could make it do something that will work for us during the DebConf.
I had a chicken and egg problem because I had to figure out a programming flow, but didn t really have any content to work with, or an idea of all the content that we would eventually have. I ve been toying with the idea in my mind and had some idea that we could add fun facts, postcards (an image with some text), time now in different timezones, Debian news (maybe procured by the press team), cards that contain the longer announcements that was sent to debconf-announce, perhaps a shout out or two and some photos from previous DebConfs like the group photos. I knew that I wouldn t be able to build anything substantial by the time DebConf starts, but adding content to OBS in between talks is relatively easy, so we could keep on building on it during DebConf.
Nattie provided the first shout out, and I made 2 video loops with the DC18/19 pictures and also two Did you know cards. So the flow I ended up with was: Sponsors -> Happening Now -> Random video (which would be any of those clips) -> Back to sponsors. This ended up working pretty well for quite a while. With the first batch of videos the sponsor loop would come up on average about every 2 minutes, but as much shorter clips like shout outs started to come in faster and faster, it made sense to play a few 2-3 shout-outs before going back to sponsors.
So here is a very brief guide on how I set up the sequencing in Advanced Scene Switcher.
If no condition was met, a video would play from the Random tab.
Then in the Random tab, I added the scenes that were part of the random mix. Annoyingly, you have to specify how long it should play for. If you don t, the no condition thingy is triggered and another video is selected. The time is also the length of the video minus one second, because
You can t just say that a random video should return back to a certain scene, you have to specify that in the sequence tab for each video. Why after 1 second? Because, at least in my early tests, and I didn t circle back to this, it seems like 0s can randomly either mean instantly, or never. Yes, this ended up being a bit confusing and tedious, and considering the late hours I worked on this, I m surprised that I didn t manage to screw it up completely at any point.
I also suspected that threads would eventually happen. That is, when people create video replies to other videos. We had 3 threads in total. There was a backups thread, beverage thread and an impersonation thread. The arrow in the screenshot above points to the backups thread. I know it doesn t look that complicated, but it was initially somewhat confusing to set up and make sense out of it.
For the next event, the Advanced Scene Switcher might just get some more taming, or even be replaced entirely. There are ways to drive OBS by API, and even the Advanced Scene Switcher tool can be driven externally to some degree, but I think we definitely want to replace it by the next full DebConf. We had the problem that when a talk ended, we would return to the loop in the middle of a clip, which felt very unnatural and sometimes even confusing. So Stefano helped me with a helper script that could read the socket from Vocto, which I used to write either Loop or Standby to a file, and then the scene switcher would watch that file and keep the sponsors loop ready for start while the talks play. Why not just switch to sponsors when the talk ends? Well, the little bit of delay in switching would mean that you would see a tiny bit of loop every time before switching to sponsors. This is also why we didn t have any loop for the ad-hoc track (that would have probably needed another OBS instance, we ll look more into solutions for this for the future).
Then for all the clips. There were over 50 of them. All of them edited by hand in kdenlive. I removed any hard clicks, tried to improve audibility, remove some sections at the beginning and the end that seemed extra and added some music that would reduce in volume when someone speaks. In the beginning, I had lots of fun with choosing music for the clips. Towards the end, I had to rush them through and just chose the same tune whether it made sense or not. For comparison of what a difference the music can make, compare the original and adapted version for Valhalla s clip above, or this original and adapted video from urbec. This part was a lot more fun than dealing with the video sequencer, but I also want to automate it a bit. When I can fully drive OBS from Python I ll likely instead want to show those cards and control music volume from Python (what could possibly go wrong ).
The loopy name happened when I requested an @debconf.org alias for this. I was initially just thinking about loop@debconf.org but since I wanted to make it clear that the purpose of this loop is also to have some fun, I opted for loopy instead:
I was really surprised by how people took to loopy. I hoped it would be good and that it would have somewhat positive feedback, but the positive feedback was just immense. The idea was that people typically saw it in between talks. But a few people told me they kept it playing after the last talk of the day to watch it in the background. Some asked for the music because they want to keep listening to it while working (and even for jogging!?). Some people also asked for recordings of the loop because they want to keep it for after DebConf. The shoutouts idea proved to be very popular. Overall, I m very glad that people enjoyed it and I think it s safe to say that loopy will be back for the next event.
Also throughout this experiment Loopy Loop turned into yet another DebConf mascot. We gain one about every DebConf, some by accident and some on purpose. This one was not quite on purpose. I meant to make an image for it for salsa, and started with an infinite loop symbol. That s a loop, but by just adding two more solid circles to it, it looks like googly eyes, now it s a proper loopy loop!
I like the progress we ve made on this, but there s still a long way to go, and the ideas keep heaping up. The next event is quite soon (MDCO#2 at the end of November, and it seems that 3 other MiniDebConf events may also be planned), but over the next few events there will likely be significantly better graphics/artwork, better sequencing, better flow and more layout options. I hope to gain some additional members in the team to deal with incoming requests during DebConf. It was quite hectic this time! The new OBS also has a scripting host that supports Python, so I should be able to do some nice things even within OBS without having to drive it externally (like, display a clock without starting a web browser).
The Loopy Loop Music
The two mini albums that mostly played during the first few days were just a copy and paste from the MDCO#1 music, which was:
I have much more things to say about DebConf20, but I ll keep that for another post, and hopefully we can get all the other video stuff in a post from the video team, because I think there s been some real good work done for this DebConf. Also thanks to Infomaniak who was not only a platinum sponsor for this DebConf, but they also provided us with plenty of computing power to run all the video stuff on. Thanks again!
The DebConf 20 song - a sea shanty - to the tune of "Fathom the bowl"
Here's to DebConf 20, the brightest and best Now it's this year's orga team getting no rest We're not met in Haifa - it's all doom and gloom And I'm sat like a lifer here trapped in my room
I'm sat in my room, it's all doom and gloom And I'm sat at my keyboard here trapped in my room
Now there's IRC rooms and there's jitsi and all But no fun conversations as we meet in the hall No hugs for old friends, no shared wine and cheese Just shared indigestion as we take our ease
I'm sat in my room, it's all doom and gloom And I'm sat with three screens around me in my room
But there's people to chat to, and faces we know And new things to learn and we're all on the go Algo en espanol - there's no cause for alarm An Indic track showcasing Malayalam
I'm sat in my room, it's all doom and gloom And I'm sat with my Thinkpads and cats in my room
With webcams and buffering, with lag and delay It's as well that there's Debconf time all through the day The effects of tiredness are hard to foresee For the Debian clocks all are timezone UTC
I'm sat in my room, it's all doom and gloom And I'll sing out of tune as I'm sat in my room
There's no social drinking, there's no games of Mao Keeping social distance, we can't think quite how This year is still friendly though minus some fun We'll catch up next year when we'll all get some sun
I'm sat in my room, it's all doom and gloom I'm sat with my friends around here in my room
There's loopy@debconf and snippets and such To cheer us all up, sure, it doesn't take much For we're all one big family, though we each code alone And we sometimes switch off or just complain and moan
I'm sat in my room, it's all doom and gloom And there's space for us all in the debconf chat room
This is my first DebConf - hope it won't be my last And we'll meet up somewhere when this COVID is past To all who have done this - we deserve the credit Now if you'll excuse me - I've web pages to edit
I'm sat in my room, it's not all doom and gloom And we're met as one Debian here in my room
The nanotime 0.3.0 release four days ago was so exciting that we decided to do it again! Kidding aside, and fairly extensive tests notwithstanding we were bitten by a few build errors: who knew clang on macOS needed extra curlies to be happy, another manifestation of Solaris having no idea what a timezone setting America/New_York is, plus some extra pickyness from the SAN tests and whatnot. So Leonardo and I gave it some extra care over the weekend, uploaded it late yesterday and here we are with 0.3.1. Thanks again to CRAN for prompt processing even though they are clearly deluged shortly before their (brief) summer break.
nanotime relies on the RcppCCTZ package for (efficient) high(er) resolution time parsing and formatting up to nanosecond resolution, and the bit64 package for the actual integer64 arithmetic. Initially implemented using the S3 system, it has benefitted greatly from work by Leonardo Silvestri who rejigged internals in S4 and now added new types for periods, intervals and durations.
The NEWS snippet adds full details.
Changes in version 0.3.1 (2020-08-09)
Several small cleanups to ensure a more robust compilation (Leonardo and Dirk in #75 fixing #74).
Show Solaris some extra love by skipping tests and examples with a timezone (Dirk in #76).
Welcome to the July 2020 report from the Reproducible Builds project.
In these monthly reports, we round-up the things that we have been up to over the past month. As a brief refresher, the motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced from the original free software source code to the pre-compiled binaries we install on our systems. (If you re interested in contributing to the project, please visit our main website.)
I ve accidentally shipped broken updates to users in the past because the build system was feature-tested and the final binary assumed the instructions would be present without further runtime checks
Website
On our website this month, Chris Lamb updated the main Reproducible Builds website and documentation to drop a number of unused Javascript files [][][] and added unminified versions of Bootstrap and jQuery []. He also fixed a number of broken URLs [][].
Gonzalo Bulnes Guilpain made a large number of grammatical improvements [][][][][] as well as some misspellings, case and whitespace changes too [][][].
Lastly, Holger Levsen updated the README file [], marked the Alpine Linux continuous integration tests as currently disabled [] and linked the Arch Linux Reproducible Status page from our projects page [].
diffoscopediffoscope is our in-depth and content-aware diff utility that can not only locate and diagnose reproducibility issues, it provides human-readable diffs of all kinds. In July, Chris Lamb made the following changes to diffoscope, including releasing versions 150, 151, 152, 153 & 154:
New features:
Add support for flash-optimised F2FS filesystems. (#207)
Don t require zipnote(1) to determine differences in a .zip file as we can use libarchive. []
Allow --profile as a synonym for --profile=-, ie. write profiling data to standard output. []
Increase the minimum length of the output of strings(1) to eight characters to avoid unnecessary diff noise. []
Drop some legacy argument styles: --exclude-directory-metadata and --no-exclude-directory-metadata have been replaced with --exclude-directory-metadata= yes,no . []
Bug fixes:
Pass the absolute path when extracting members from SquashFS images as we run the command with working directory in a temporary directory. (#189)
Correct adding a comment when we cannot extract a filesystem due to missing libguestfs module. []
Don t crash when listing entries in archives if they don t have a listed size such as hardlinks in ISO images. (#188)
Output improvements:
Strip off the file offset prefix from xxd(1) and show bytes in groups of 4. []
Don t emit javap not found in path if it is available in the path but it did not result in an actual difference. []
Fix ... not available in path messages when looking for Java decompilers that used the Python class name instead of the command. []
Logging improvements:
Add a bit more debugging info when launching libguestfs. []
Reduce the --debug log noise by truncating the has_some_content messages. []
Fix the compare_files log message when the file does not have a literal name. []
Codebase improvements:
Rewrite and rename exit_if_paths_do_not_exist to not check files multiple times. [][]
Add an add_comment helper method; don t mess with our internal list directly. []
Replace some simple usages of str.format with Python f-strings [] and make it easier to navigate to the main.py entry point [].
In the RData comparator, always explicitly return None in the failure case as we return a non-None value in the success one. []
Tidy some imports [][][] and don t alias a variable when we do not use it. []
Clarify the use of a separate NullChanges quasi-file to represent missing data in the Debian package comparator [] and clarify use of a null diff in order to remember an exit code. []
Clarify and correct our contributing info. [][][][][][]
Jean-Romain Garnier also made the following changes:
Allow passing a file with a list of arguments via diffoscope @args.txt. (!62)
Improve the output of side-by-side diffs by detecting added lines better. (!64)
Remove offsets before instructions in objdump [][] and remove raw instructions from ELF tests [].
Other tools
strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build. It is used automatically in most Debian package builds. In July, Chris Lamb ensured that we did not install the internal handler documentation generated from Perl POD documents [] and fixed a trivial typo []. Marc Herbert added a --verbose-level warning when the Archive::Cpio Perl module is missing. (!6)
reprotest is our end-user tool to build same source code twice in widely differing environments and then checks the binaries produced by each build for any differences. This month, Vagrant Cascadian made a number of changes to support diffoscope version 153 which had removed the (deprecated) --exclude-directory-metadata and --no-exclude-directory-metadata command-line arguments, and updated the testing configuration to also test under Python version 3.8 [].
Distributions
Debian
In June 2020, Timo R hling filed a wishlist bug against the debhelper build tool impacting the reproducibility status of hundreds of packages that use the CMake build system. This month however, Niels Thykier uploaded debhelper version 13.2 that passes the -DCMAKE_SKIP_RPATH=ON and -DBUILD_RPATH_USE_ORIGIN=ON arguments to CMake when using the (currently-experimental) Debhelper compatibility level 14.
According to Niels, this change:
should fix some reproducibility issues, but may cause breakage if packages run binaries directly from the build directory.
34 reviews of Debian packages were added, 14 were updated and 20 were removed this month adding to our knowledge about identified issues. Chris Lamb added and categorised the nondeterministic_order_of_debhelper_snippets_added_by_dh_fortran_mod [] and gem2deb_install_mkmf_log [] toolchain issues.
Lastly, Holger Levsen filed two more wishlist bugs against the debrebuild Debian package rebuilder tool [][].
Other distributions
In Arch Linux, there was a mass rebuild of old packages in an attempt to make them reproducible. This was performed because building with a previous release of the pacman package manager caused file ordering and size calculation issues when using the btrfs filesystem.
A system was also implemented for Arch Linux packagers to receive notifications if/when their package becomes unreproducible, and packagers now have access to a dashboard where they can all see all their unreproducible packages (more info).
Paul Spooren sent two versions of a patch for the OpenWrt embedded distribution for adding a build system revision to the packages manifest so that all external feeds can be rebuilt and verified. [][]
Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of these patches, including:
Bernhard M. Wiedemann:
afl (fix an incorrectly built manual page varied from kernel boot options)
Vagrant Cascadian also reported two issues, the first regarding a regression in u-boot boot loader reproducibility for a particular target [] and a non-deterministic segmentation fault in the guile-ssh test suite []. Lastly, Jelle van der Waa filed a bug against the MeiliSearch search API to report that it embeds the current build date.
Testing framework
We operate a large and many-featured Jenkins-based testing framework that powers tests.reproducible-builds.org.
This month, Holger Levsen made the following changes:
Add notes explaining all the issues that hosts are experiencing [] and handle zipped job log files correctly [].
Separate nodes which have been automatically marked as down [] and show status icons for jobs with issues [].
Misc:
Disable all Alpine Linux jobs until they are or Alpine is fixed. []
Perform some general upkeep of build nodes hosted by OSUOSL. [][][][]
In addition, Mattia Rizzolo updated the init_node script to suggest using sudo instead of explicit logout and logins [][] and the usual build node maintenance was performed by Holger Levsen [][][][][][], Mattia Rizzolo [][] and Vagrant Cascadian [][][][].
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.
In July, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 25.25h for LTS (out of 30 max; all done) and 13.25h for ELTS (out of 20 max; all done).
We shifted suites: welcome Stretch LTS and Jessie ELTS. The LTS->ELTS switch happened at the start of the month, but the oldstable->LTS switch happened later (after finalizing and flushing proposed-updates to a last point release), causing some confusion but nothing major.
ELTS - Jessie
New local build setup
ELTS buildds: request timezone harmonization
Reclassify in-progress updates from jessie-LTS to jessie-ELTS
python3.4: finish preparing update, security upload ELA 239-1
net-snmp: global triage: bisect CVE-2019-20892 to identify affected version, jessie/stretch not-affected
nginx: global triage: clarify CVE-2013-0337 status; locate CVE-2020-11724 original patch and regression tests, update MITRE
Reclassify in-progress/needed updates from stretch/oldstable to stretch-LTS
rails: upstream security: follow-up on CVE-2020-8163 (RCE) on upstream bug tracker and create pull request for 4.x (merged), hence getting some upstream review
rails: global security: continue coordinating upload in multiple Debian versions, prepare fixes for common stretch/buster vulnerabilities in buster
Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.
In June, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 30h for LTS (out of 30 max; all done) and 5.25h for ELTS (out of 20 max; all done).
While LTS is part of the Debian project, fellow contributors sometimes surprise me: suggestion to vote for sponsors-funded projects with concorcet was only met with overhead concerns, and there were requests for executive / business owner decisions (we're currently heading towards consultative vote); I heard concerns about discussing non-technical issues publicly (IRC team meetings are public though); the private mail infrastructure was moved from self-hosting straight to Google; when some got an issue with Debian Social for our first video conference, there were immediate suggestions to move to Zoom...
Well, we do need some people to make those LTS firmware updates in non-free
Also this was the last month before shifting suites: goodbye to Jessie LTS and Wheezy ELTS, welcome Stretch LTS and Jessie ELTS.
ELTS - Wheezy
mysql-connector-java: improve testsuite setup; prepare wheezy/jessie/stretch triple builds; coordinate versioning scheme with security-team; security upload ELA 234-1
ntp: wheezy+jessie triage: 1 ignored (too intrusive to backport); 1 postponed (hard to exploit, no patch)
Clean-up (ditch) wheezy VMs
LTS - Jessie
mysql-connector-java: see common work in ELTS
mysql-connector-java: security uploads DLA 2245-1 (LTS) and DSA 4703 (oldstable)
ntp: wheezy+jessie triage (see ELTS)
rails: global triage, backport 2 patches, security upload DLA 2251-1
rails: global security: prepare stretch/oldstable update
rails: new important CVE on unmaintained 4.x, fixes introduce several regressions, propose new fix to upstream, update stretch proposed update [and jessie, but rails will turn out unsupported in ELTS]
python3.4: prepare update to fix all pending non-criticial issues, 5/6 ready
This comic was based on this essay from Augusten Burroughs: How to live
unhappily ever after. In addition to the essay, I highly recommend
reading his books. It's also been described in psychology as flow.
Distributed teams are where people you work with aren t physically co-located, ie. they re at another office building, home or an outsourced company abroad. They re becoming increasingly popular, for DevOps and other teams, due to recruitment, diversity, flexibility and cost savings. Challenges arise due to timezones, language barriers, cultures and ways of working. People actively participating in Open Source communities tend to be effective in distributed teams. This session looks at how to apply core Open Source principles to distributed teams in Enterprise organisations, and the importance of shared purposes/goals, (mis)communication, leading vs managing teams, sharing and learning. We'll also look at practical aspects of what's worked well for others, such as alternatives to daily standups, promoting video conferencing, time management and virtual coffee breaks. This session is relevant for those leading or working in distributed teams, wanting to know how to cultivate an inclusive culture of increased trust and collaboration that leads to increased productivity and performance.
I know most Debian people know about this already But in case you
don t follow the usual Debian communications channels, this might
interest you!
Given most of the world is still under COVID-19 restrictions, and that
we want to work on Debian, given there is no certainty as to what the
future holds in store for us Our DPL fearless as they always are
had the bold initiative to make this weekend into the first-ever
miniDebConf
Online
(MDCO)!
So, we are already halfway through DebCamp (which means, you can come
and hang out with us in the debian.social DebCamp Jitsi
lounge, where some
impromptu presentations might happen (or not).
Starting tomorrow morning (11AM UTC),
we will have a quite interesting set of talks. I am reproducing the
schedule here:
Saturday 2020.05.30
Time (UTC)
Speaker
Talk
11:00 - 11:10
MDCO team members
Hello + Welcome
11:30 - 11:50
Wouter Verhelst
Extrepo
12:00 - 12:45
JP Mengual
Debian France, trust european organization
13:00 - 13:20
Arnaud Ferraris
Bringing Debian to mobile phones, one package at a time
13:30 - 15:00
Lunch Break
A chance for the teams to catch some air
15:00 - 15:45
JP Mengual
The community team, United Nations Organizations of Debian?
16:00 - 16:45
Christoph Biedl
Clevis and tang - overcoming the disk unlocking problem
17:00 - 17:45
Antonio Terceiro
I m a programmer, how can I help Debian
Sunday 2020.05.31
Time (UTC)
Speaker
Talk
11:00 - 11:45
Andreas Tille
The effect of Covid-19 on the Debian Med project
12:00 - 12:45
Paul Gevers
BoF: running autopkgtest for your package
13:00 - 13:20
Ben Hutchings
debplate: Build many binary packages with templates
13:30 - 15:00
Lunch break
A chance for the teams to catch some air
15:00 - 15:45
Holger Levsen
Reproducing bullseye in practice
16:00 - 16:45
Jonathan Carter
Striving towards excellence
17:00 - 17:45
Delib*
Organizing Peer-to-Peer Debian Facilitation Training
18:00 - 18:15
MDCO team members
Closing
subject to confirmation
Timezone
Remember this is an online event, meant for all of the world! Yes, the
chosen times seem quite Europe-centric (but they are mostly a function
of the times the talk submitters requested).
Talks are 11:00 18:00UTC, which means, 06:00 13:00 Mexico (GMT-5),
20:00 03:00 Japan (GMT+9), 04:00 11:00 Western
Canada/USA/Mexico (GMT-7) and the rest of the world, somewhere in
between.
(No, this was clearly not optimized for our dear usual beer
team. Sorry! I
guess we need you to be fully awake at beertime!)
[update] Connecting!
Of course, I didn t make it clear at first how to connect to the
Online miniDebConf, silly me!
The video streams are available at: https://video.debconf.org/
Suggested: tune in to the #minidebconf-online IRC channel in OFTC.
That should be it. Hope to see you there!
(Stay home, stay safe )
I know most Debian people know about this already But in case you
don t follow the usual Debian communications channels, this might
interest you!
Given most of the world is still under COVID-19 restrictions, and that
we want to work on Debian, given there is no certainty as to what the
future holds in store for us Our DPL fearless as they always are
had the bold initiative to make this weekend into the first-ever
miniDebConf
Online
(MDCO)!
So, we are already halfway through DebCamp (which means, you can come
and hang out with us in the debian.social DebCamp Jitsi
lounge, where some
impromptu presentations might happen (or not).
Starting tomorrow morning (11AM UTC),
we will have a quite interesting set of talks. I am reproducing the
schedule here:
Saturday 2020.05.30
Time (UTC)
Speaker
Talk
11:00 - 11:10
MDCO team members
Hello + Welcome
11:30 - 11:50
Wouter Verhelst
Extrepo
12:00 - 12:45
JP Mengual
Debian France, trust european organization
13:00 - 13:20
Arnaud Ferraris
Bringing Debian to mobile phones, one package at a time
13:30 - 15:00
Lunch Break
A chance for the teams to catch some air
15:00 - 15:45
JP Mengual
The community team, United Nations Organizations of Debian?
16:00 - 16:45
Christoph Biedl
Clevis and tang - overcoming the disk unlocking problem
17:00 - 17:45
Antonio Terceiro
I m a programmer, how can I help Debian
Sunday 2020.05.31
Time (UTC)
Speaker
Talk
11:00 - 11:45
Andreas Tille
The effect of Covid-19 on the Debian Med project
12:00 - 12:45
Paul Gevers
BoF: running autopkgtest for your package
13:00 - 13:20
Ben Hutchings
debplate: Build many binary packages with templates
13:30 - 15:00
Lunch break
A chance for the teams to catch some air
15:00 - 15:45
Holger Levsen
Reproducing bullseye in practice
16:00 - 16:45
Jonathan Carter
Striving towards excellence
17:00 - 17:45
Delib*
Organizing Peer-to-Peer Debian Facilitation Training
18:00 - 18:15
MDCO team members
Closing
subject to confirmation
Timezone
Remember this is an online event, meant for all of the world! Yes, the
chosen times seem quite Europe-centric (but they are mostly a function
of the times the talk submitters requested).
Talks are 11:00 18:00UTC, which means, 06:00 13:00 Mexico (GMT-5),
20:00 03:00 Japan (GMT+9), 04:00 11:00 Western
Canada/USA/Mexico (GMT-7) and the rest of the world, somewhere in
between.
(No, this was clearly not optimized for our dear usual beer
team. Sorry! I
guess we need you to be fully awake at beertime!)
[update] Connecting!
Of course, I didn t make it clear at first how to connect to the
Online miniDebConf, silly me!
The video streams are available at: https://video.debconf.org/
Suggested: tune in to the #minidebconf-online IRC channel in OFTC.
That should be it. Hope to see you there!
(Stay home, stay safe )
A minor routine update 0.0.4 of gettz arrived on CRAN overnight.
gettz provides a possible fallback in situations where Sys.timezone() fails to determine the system timezone. That happened when e.g. the file /etc/localtime somehow is not a link into the corresponding file with zoneinfo data in, say, /usr/share/zoneinfo. Since the package was written (in the fall of 2016), R added a similar extended heuristic approach itself.
This release adds registration of the compiled routine via R_registerRoutines() and R_useDynamicSymbols(), adds .registration=TRUE to useDynLib() in NAMESPACE, and uses an unquoted symbol in .Call(). Two new badges were added to the README.md as well. And as in the previous release in 2016: No new code, or new features.
Courtesy of CRANberries, there is a comparison to the previous release.
More information is on the gettz page. For questions or comments use the issue tracker off the GitHub repo.
If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.
A new release 0.2.7 of RcppCCTZ is now at CRAN.
RcppCCTZ uses Rcpp to bring CCTZ to R. CCTZ is a C++ library for translating between absolute and civil times using the rules of a time zone. In fact, it is two libraries. One for dealing with civil time: human-readable dates and times, and one for converting between between absolute and civil times via time zones. And while CCTZ is made by Google(rs), it is not an official Google product. The RcppCCTZ page has a few usage examples and details. This package was the first CRAN package to use CCTZ; by now at least three others do using copies in their packages which remains less than ideal.
This version adds internal extensions, contributed by Leonardo, which support upcoming changes to the nanotime package we are working on.
Changes in version 0.2.7 (2020-03-18)
Added functions _RcppCCTZ_convertToCivilSecond that converts a time point to the number of seconds since epoch, and _RcppCCTZ_convertToTimePoint that converts a number of seconds since epoch into a time point; these functions are only callable from C level (Leonardo in #34 and #35).
Added function _RcppCCTZ_getOffset that returns the offset at a speficied time-point for a specified timezone; this function is only callable from C level (Leonardo in #32).
My implementation of a transient prompt with Zsh. Past prompts are compact and include the time of the command execution, the hostname, and the status of the previous command while the complete prompt contains more information like the current directory and the Git branch.
Wrote a timezone checker page.
This month, the Reproducible Builds project restarted our IRC meetings, managing to convene twice: the first time on October 12th (
Also this was the last month before shifting suites: goodbye to Jessie LTS and Wheezy ELTS, welcome Stretch LTS and Jessie ELTS.
ELTS - Wheezy
I know most Debian people know about this already But in case you
don t follow the usual Debian communications channels, this might
interest you!
Given most of the world is still under COVID-19 restrictions, and that
we want to work on Debian, given there is no certainty as to what the
future holds in store for us Our DPL fearless as they always are
had the bold initiative to make this weekend into the first-ever
So, we are already halfway through DebCamp (which means, you can come
and hang out with us in the 
