Dirk Eddelbuettel: RcppArmadillo used by 1001 CRAN Packages
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
Software signing is not a new problem, so there must be some solution already, right? Yes, but signing software and maintaining keys is very difficult especially for non-security folks and UX of existing tools such as PGP leave much to be desired. That s why we need something like sigstore - an easy to use software/toolset for signing software artifacts.The second post (titled Signing Software The Easy Way with Sigstore and Cosign) goes into some technical details of getting started.
Some time ago I checked Signal s reproducibility and it failed. I asked others to test in case I did something wrong, but nobody made any reports. Since then I tried to test the Google Play Store version of the apk against one I compiled myself, and that doesn t match either.
Most users are not capable of building from source code themselves, but we can at least get them able enough to check signatures and shasums. When reputable people who can tell everyone they were able to reproduce the project s build, others at least have a secondary source of validation.
Related to this, there was continuing discussion on how to embed/encode the build metadata for the Debian live images which were being worked on by Roland Clobus.
- All major configurations are still built regularly using live-build and bullseye.
- All major configurations are reproducible now; Jenkins is green.
- I ve worked around the issue for the Cinnamon image.
- The patch was accepted and released within a few hours.
- My main focus for the last month was on the live-build tool itself.
- It will properly use the proxy for all HTTP traffic.
I m working for Oracle in the Build Group for OpenJDK which is primary responsible for creating a built artifact of the OpenJDK source code. [ ] For the last few years, we have worked on a low-effort, background-style project to make the build of OpenJDK itself building reproducible. We ve come far, but there are still issues I d like to address. [ ]
183
, 184
and 185
as well as performed significant triaging of merge requests and other issues in addition to making the following changes:
.rds
files. [ ]format_class
import. [ ]close_archive
when garbage collecting Archive
instances, unless open_archive
definitely returned successfully. This prevents, for example, an AttributeError
where PGPContainer
s cleanup routines were rightfully assuming that its temporary directory had actually been created. [ ].rdb
files after refactoring temporary directory handling. [ ]python3-rpm
is installed or not at build time. [ ]androguard
module not being in the (expected) python3-androguard
Debian package. [ ]shellcheck
warning in debian/tests/control.sh
. [ ]h5py
in our tests that doesn t concern us. [ ].1
from the Standards-Version
field as it s required. [ ]--diff-context
option to control unified diff context size [ ] and Jean-Romain Garnier fixed the Macho comparator for architectures other than x86-64
[ ].
gtk4
(date-related issue)build-compare
(random tempfile problem)itinerary
(time-related build failure)lcalc
.htscodecs
.osdlyrics
.xtermcontrol
.rust-insta
.python-tomli
.python-pairix
.python-pybedtools
(forwarded upstream).#reproducible-builds
on irc.oftc.net
.
rb-general@lists.reproducible-builds.org
186
. This version includes the following changes:
[ Chris Lamb ]
* Don't call close_archive when garbage-collecting Archive instances unless
open_archive returned successfully. This prevents, amongst others, an
AttributeError traceback due to PGPContainer's cleanup routines assuming
that its temporary directory had been created.
(Closes: reproducible-builds/diffoscope#276)
* Ensure that the string "RPM archives" exists in the package description,
regardless of whether python3-rpm is installed or not at build time.
[ Jean-Romain Garnier ]
* Fix the LVM Macho comparator for non-x86-64 architectures.
178
. This version includes the following changes:
[ Chris Lamb ]
* Don't traceback on an broken symlink in a directory.
(Closes: reproducible-builds/diffoscope#269)
* Rewrite the calculation of a file's "fuzzy hash" to make the control
flow cleaner.
[ Balint Reczey ]
* Support .deb package members compressed with the Zstandard algorithm.
(LP: #1923845)
[ Jean-Romain Garnier ]
* Overhaul the Mach-O executable file comparator.
* Implement tests for the Mach-O comparator.
* Switch to new argument format for the LLVM compiler.
* Fix test_libmix_differences in testsuite for the ELF format.
* Improve macOS compatibility for the Mach-O comparator.
* Add llvm-readobj and llvm-objdump to the internal EXTERNAL_TOOLS data
structure.
[ Mattia Rizzolo ]
* Invoke gzip(1) with the short option variants to support Busybox's gzip.
(Closes: reproducible-builds/diffoscope#268)
SECCOMP_RET_USER_NOTIF
filters to inject file descriptors into the target process using SECCOMP_IOCTL_NOTIF_ADDFD
. This lets container managers fully emulate syscalls like open()
and connect()
, where an actual file descriptor is expected to be available after a successful syscall. In the process I fixed a couple bugs and refactored the file descriptor receiving code.
zero-initialize stack variables with ClangCONFIG_INIT_STACK_ALL_ZERO
, which besides actually being faster, has a few behavior benefits as well. Unlike pattern initialization, which has a higher chance of triggering existing bugs, zero initialization provides safe defaults for strings, pointers, indexes, and sizes. Like the pattern initialization, this feature stops entire classes of uninitialized stack variable flaws.
common syscall entry/exit routineskfree()
hardeningCONFIG_SLAB_FREELIST_HARDENED
feature-parity with the SLUB heap allocator, I added naive double-free detection and the ability to detect cross-cache freeing in the SLAB allocator. This should keep a class of type-confusion bugs from biting kernels using SLAB. (Most distro kernels use SLUB, but some smaller devices prefer the slightly more compact SLAB, so this hardening is mostly aimed at those systems.)
new CAP_CHECKPOINT_RESTORE
capabilityCAP_CHECKPOINT_RESTORE
capability, splitting this functionality off of CAP_SYS_ADMIN
. The needs for the kernel to correctly checkpoint and restore a process (e.g. used to move processes between containers) continues to grow, and it became clear that the security implications were lower than those of CAP_SYS_ADMIN
yet distinct from other capabilities. Using this capability is now the preferred method for doing things like changing /proc/self/exe
.
debugfs
boot-time visibility restrictiondebugfs
boot parameter to control the visibility of the kernel s debug filesystem. The contents of debugfs continue to be a common area of sensitive information being exposed to attackers. While this was effectively possible by unsetting CONFIG_DEBUG_FS
, that wasn t a great approach for system builders needing a single set of kernel configs (e.g. a distro kernel), so now it can be disabled at boot time.
more seccomp architecture support-fstack-protector
(and -fstack-protector-strong
) support for RISC-V. This is the initial global-canary support while the patches to GCC to support per-task canaries is getting finished (similar to the per-task canaries done for arm64). This will mean nearly all stack frame write overflows are no longer useful to attackers on this architecture. It s nice to see this finally land for RISC-V, which is quickly approaching architecture feature parity with the other major architectures in the kernel.
new tasklet
APItasklet
API to make their use safer. Much like the timer_list
refactoring work done earlier, the tasklet
API is also a potential source of simple function-pointer-and-first-argument controlled exploits via linear heap overwrites. It s a smaller attack surface since it s used much less in the kernel, but it is the same weak design, making it a sensible thing to replace. While the use of the tasklet
API is considered deprecated (replaced by threaded IRQs), it s not always a simple mechanical refactoring, so the old API still needs refactoring (since that CAN be done mechanically is most cases).
x86 FSGSBASE
implementationFSGSBASE
series. This provides task switching performance improvements while keeping the kernel safe from modules accidentally (or maliciously) trying to use the features directly (which exposed an unprivileged direct kernel access hole).
filter x86 MSR writesMSR_IA32_ENERGY_PERF_BIAS
. Boris Petkov has decided enough is enough and has now enabled logging and kernel tainting (TAINT_CPU_OUT_OF_SPEC
) by default and a way to disable MSR writes at runtime. (However, since this is controlled by a normal module parameter and the root user can just turn writes back on, I continue to recommend that people build with CONFIG_X86_MSR=n
.) The expectation is that userspace MSR writes will be entirely removed in future kernels.
uninitialized_var()
macro removeduninitialized_var()
macro, which had been used to silence compiler warnings. The rationale for this macro was weak to begin with ( the compiler is reporting an uninitialized variable that is clearly initialized ) since it was mainly papering over compiler bugs. However, it creates a much more fragile situation in the kernel since now such uses can actually disable automatic stack variable initialization, as well as mask legitimate unused variable warnings. The proper solution is to just initialize variables the compiler warns about.
function pointer cast removals-Wcast-function-type
. The future use of Control Flow Integrity checking (which does validation of function prototypes matching between the caller and the target) tends not to work well with function casts, so it d be nice to get rid of these before CFI lands.
flexible array conversions-Warray-bounds
, which catches a lot of potential buffer overflows at compile time.
That s it for now! Please let me know if you think anything else needs some attention. Next up is Linux v5.10.
2021, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
163
. This version includes the following changes:
[ Chris Lamb ]
* Bug fixes & new features:
- Normalise "ret" to "retq" in objdump output to support multiple versions
of obdump(1). (Closes: #976760, reproducible-builds/diffoscope#227)
- Don't show progress indicators when running zstd(1).
(Closes: reproducible-builds/diffoscope#226)
- Move the slightly-confusing behaviour of loading an "existing diff" if a
single file is passed to diffoscope to the new --load-existing-diff
command.
* Output improvements:
- Use pprint.pformat in the JSON comparator to serialise the differences
from jsondiff to make the output render better.
- Correct tense in --debug log output.
* Code quality:
* Don't use an old-style "super" call.
- Rewrite the filter routine for post-processing output from readelf(1).
- Update my copyright years.
- Remove unncessary PEP 263 encoding lines (replaced via PEP 3120).
- Use "minimal" instead of "basic" as a variable name to match the
underlying package name.
- Add comment regarding Java tests for diffoscope contributors who are not
using Debian. (Re: reproducible-builds/diffoscope!58)
* Debian packaging:
- Update debian/copyright to match copyright notices in source-tree.
(Closes: reproducible-builds/diffoscope#224)
- Ensure the new "diffoscope-minimal" package has a different short
description from the main "diffoscope" one.
[ Jean-Romain Garnier ]
* Add tests for OpenJDK 14.
[ Conrad Ratschan ]
* Add comparator for "legacy" uboot uImage files.
(MR: reproducible-builds/diffoscope!69)
Welcome to the October 2020 report from the Reproducible Builds project. In our monthly reports, we outline the major things that we have been up to over the past month. As a brief reminder, the motivation behind the Reproducible Builds effort is to ensure flaws have not been introduced in the binaries we install on our systems. If you are interested in contributing to the project, please visit our main website.
The previous year has seen great progress in Arch Linux to get reproducible builds in the hands of the users and developers. In this talk we will explore the current tooling that allows users to reproduce packages, the rebuilder software that has been written to check packages and the current issues in this space.During the Reproducible Builds summit in Marrakesh in 2019, developers from the GNU Guix, NixOS and Debian distributions were able to produce a bit-for-bit identical GNU Mes binary despite using three different versions of GCC. Since this summit, additional work resulted in a bit-for-bit identical Mes binary using
tcc
, and last month a fuller update was posted to this effect by the individuals involved. This month, however, David Wheeler updated his extensive page on Fully Countering Trusting Trust through Diverse Double-Compiling, remarking that:
GNU Mes rebuild is definitely an application of [Diverse Double-Compiling]. [..] This is an awesome application of DDC, and I believe it s the first publicly acknowledged use of DDC on a binaryThere was a small, followup discussion on our mailing list. In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update. This month, the Reproducible Builds project restarted our IRC meetings, managing to convene twice: the first time on October 12th (summary & logs), and later on the 26th (logs). As mentioned in previous reports, due to the unprecedented events throughout 2020, there will be no in-person summit event this year. On our mailing list this month El as Alejandro posted a request for help with a local configuration
reproducible=+fixfilepath
Debian build flag by default. Enabling this fixfilepath
feature will likely fix reproducibility issues in an estimated 500-700 packages. However, this month Vagrant Cascadian posted to the debian-devel mailing list:
It would be great to see theDebian Developer Stuart Prescott has been improvingreproducible=+fixfilepath
feature enabled by default indpkg-buildflags
, and we would like to proceed forward with this soon unless we hear any major concerns or other outstanding issues. [ ] We would like to move forward with this change soon, so please raise any concerns or issues not covered already.
python-debian
, a Python library that is used to parse Debian-specific files such as changelogs, .dscs
, etc. In particular, Stuart is working on adding support for .buildinfo
files used for recording reproducibility-related build metadata:
This can mostly be a very thin layer around the existingA total of 159 Debian packages were categorised, 69 had their categorisation updated, and 33 had their classification removed this month, adding to our knowledge about identified issues. As part of this, Chris Lamb identified and classified two new issues:Deb822
types, using the existingChanges
code for the file listings, the existingPkgRelations
code for the package listing andgpg_*
functions for signature handling.
build_path_captured_in_emacs_el_file
and rollup_embeds_build_path
.
go
(version 1.15.3 has improved reproducibility over 1.14)goxel
(sort SCons-related filesystem ordering issue)lal
(rework an old date-related patch)lalmetaio
(date)libsemigroups
(build failure in single-CPU mode)memcached
(build failure in 2025 due to expired SSL certificate)octant
(SUSE-specific date issue)openmpi4
(date-related problem, revive old patch)sbcl
(datetime and hostname issue)selinux-policy/policycoreutils
(date-related issue in timezone)evince
(forwarded upstream).libsass-python
(forwarded upstream).pitivi
.sound-juicer
.pcbasic
.ora2pg
(forwarded upstream).fckit
.gita
.libgrokj2k
.softether-vpn
.perl
.ruby-appraiser
.gmerlin-avdecoder
.node-proxy
.yard
.emacs
.netcdf-parallel
.dh-fortran-mod
.bison
, ibus
and postgresql12
.
161
to Debian (later backported by Mattia Rizzolo), as well as made the following changes:
test_ocaml
to the assert_diff
helper. [ ]20.8b1
. (#972518)radare2
to ensure our test pipelines continue to work [ ], and for the GNU Guix distribution Vagrant Cascadian diffoscope to version 161 [ ].
In related development, trydiffoscope is the web-based version of diffoscope. This month, Chris Lamb made the following changes:
--help
-only test as being a superficial test. (#971506)try.diffoscope.org
service. [ ]debhelper
compatibility level to 13 [ ] and bump Standards-Version
to 4.5.0 [ ].0.5.10-2
was uploaded to Debian unstable by Holger Levsen, which enabled security hardening via DEB_BUILD_MAINT_OPTIONS
[ ] and dropped debian/disorderfs.lintian-overrides
[ ].
dettrace
[ ], and added yet another supply-chain security attack publication [ ].relative_url
to fix missing translation icon on various pages. [ ]tests.reproducible-builds.org
. This month, Holger Levsen made the following changes:
dpkg-buildpackage
. [ ]ath79
from ath97
. [ ]sudo
command if we are not actually running libvirt
. [ ]#reproducible-builds
on irc.oftc.net
.
rb-general@lists.reproducible-builds.org
ora2pg
is a tool used to migrate an Oracle database to PostgreSQL. This month, I submitted a patch to make it build reproducibly. [...]
declares-possibly-conflicting-debhelper-compat-versions
tag as we may specify the Debhelper compatibility level in debian/rules
or debian/control
(#972464) and dropped a reference to missing manual page [...].
perl
: Please make the build mostly reproducible. (#972559)
fckit
: Please make the build (mostly) reproducible. (#972378)
libgrokj2k
: Please make the documentation reproducible. (#972494)
netcdf-parallel
: Please make the settings file reproducible. (#972930)
dh-fortran-mod
: Please make the output reproducible
version graph. (#965255)
emacs
package to make the generated .el
files reproducible, a regression that is causing many packages to become unreproducible. (#972861)
dpkg-buildflags
to enable reproducible=+fixfilepath
by default.
dettrace
[...], and added yet another supply-chain security attack publication [...].relative_url
to fix missing translation icon on various pages. [...]161
to Debian:
test_ocaml
to the assert_diff
helper. [...]20.8b1
. (#972518)--help
-only test as being a 'superficial' test. (#971506)try.diffoscope.org
service. [...]debhelper
compatibility level to 13 [...] and bump Standards-Version
to 4.5.0 [...].jackson-databind
, a Java library for processing JSON, to address an external entity expansion vulnerability.
tomcat8
, the Java application server. This was to fix an issue where an excessive number of concurrent streams could have resulted in users seeing responses for unexpected resources.
3.1.2-1
) New upstream bugfix release.
6.0.8-2
Apply a patch from Yossi Gottlieb to fix a crash when reporting RDB/AOF file errors. (#972683)6.0.9-1
New upstream release.1.6.8+dfsg-1
) New upstream release)
4.0.25-1
) New upstream release, where parsing configuration file now works correctly with Turkish locale. (#972387)
2.0-1
) New upstream release.
20.8b1-2
) Non-maintainer upload to correct version handling to avoid a ModuleNotFoundError
error which was affecting a number of related packages. (#970901)
161
. This version includes the following changes:
[ Chris Lamb ]
* Fix failing testsuite: (Closes: #972518)
- Update testsuite to support OCaml 4.11.1. (Closes: #972518)
- Reapply Black and bump minimum version to 20.8b1.
* Move the OCaml tests to the assert_diff helper.
[ Jean-Romain Garnier ]
* Add support for radare2 as a disassembler.
[ Paul Spooren ]
* Automatically deploy Docker images in the continuous integration pipeline.
159
. This version includes the following changes:
[ Chris Lamb ]
* Show "ordering differences only" in strings(1) output.
(Closes: reproducible-builds/diffoscope#216)
* Don't alias output from "os.path.splitext" to variables that we do not end
up using.
* Don't raise exceptions when cleaning up after a guestfs cleanup failure.
[ Jean-Romain Garnier ]
* Make "Command" subclass a new generic Operation class.
Welcome to the July 2020 report from the Reproducible Builds project. In these monthly reports, we round-up the things that we have been up to over the past month. As a brief refresher, the motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced from the original free software source code to the pre-compiled binaries we install on our systems. (If you re interested in contributing to the project, please visit our main website.)
ftp.debian.org
were made from their claimed sources.
Tavis Ormandy published a blog post making the provocative claim that You don t need reproducible builds , asserting elsewhere that the many attacks that have been extensively reported in our previous reports are fantasy threat models . A number of rebuttals have been made, including one from long-time contributor Reproducible Builds contributor Bernhard Wiedemann.
On our mailing list this month, Debian Developer Graham Inggs posted to our list asking for ideas why the openorienteering-mapper
Debian package was failing to build on the Reproducible Builds testing framework. Chris Lamb remarked from the build logs that the package may be missing a build dependency, although Graham then used our own diffoscope tool to show that the resulting package remains unchanged with or without it. Later, Nico Tyni noticed that the build failure may be due to the relationship between the FILE
C preprocessor macro and the -ffile-prefix-map
GCC flag.
An issue in Zephyr, a small-footprint kernel designed for use on resource-constrained systems, around .a
library files not being reproducible was closed after it was noticed that a key part of their toolchain was updated that now calls --enable-deterministic-archives
by default.
Reproducible Builds developer kpcyrd commented on a pull request against the libsodium cryptographic library wrapper for Rust, arguing against the testing of CPU features at compile-time. He noted that:
I ve accidentally shipped broken updates to users in the past because the build system was feature-tested and the final binary assumed the instructions would be present without further runtime checksDavid Kleuker also asked a question on our mailing list about using
SOURCE_DATE_EPOCH
with the install(1)
tool from GNU coreutils. When comparing two installed packages he noticed that the filesystem birth times differed between them. Chris Lamb replied, realising that this was actually a consequence of using an outdated version of diffoscope and that a fix was in diffoscope version 146 released in May 2020.
Later in July, John Scott posted asking for clarification regarding on the Javascript files on our website to add metadata for LibreJS, the browser extension that blocks non-free Javascript scripts from executing. Chris Lamb investigated the issue and realised that we could drop a number of unused Javascript files [ ][ ][ ] and added unminified versions of Bootstrap and jQuery [ ].
README
file [ ], marked the Alpine Linux continuous integration tests as currently disabled [ ] and linked the Arch Linux Reproducible Status page from our projects page [ ].
150
, 151
, 152
, 153
& 154
:
zipnote(1)
to determine differences in a .zip
file as we can use libarchive
. [ ]--profile
as a synonym for --profile=-
, ie. write profiling data to standard output. [ ]strings(1)
to eight characters to avoid unnecessary diff noise. [ ]--exclude-directory-metadata
and --no-exclude-directory-metadata
have been replaced with --exclude-directory-metadata= yes,no
. [ ]xxd(1)
and show bytes in groups of 4. [ ]javap not found in path
if it is available in the path but it did not result in an actual difference. [ ]... not available in path
messages when looking for Java decompilers that used the Python class name instead of the command. [ ]--debug
log noise by truncating the has_some_content
messages. [ ]compare_files
log message when the file does not have a literal name. [ ]exit_if_paths_do_not_exist
to not check files multiple times. [ ][ ]add_comment
helper method; don t mess with our internal list directly. [ ]str.format
with Python f-strings [ ] and make it easier to navigate to the main.py
entry point [ ].None
in the failure case as we return a non-None
value in the success one. [ ]NullChanges
quasi-file to represent missing data in the Debian package comparator [ ] and clarify use of a null diff in order to remember an exit code. [ ]diffoscope @args.txt
. (!62)objdump
[ ][ ] and remove raw instructions from ELF tests [ ].--verbose
-level warning when the Archive::Cpio Perl module is missing. (!6)
reprotest is our end-user tool to build same source code twice in widely differing environments and then checks the binaries produced by each build for any differences. This month, Vagrant Cascadian made a number of changes to support diffoscope version 153 which had removed the (deprecated) --exclude-directory-metadata
and --no-exclude-directory-metadata
command-line arguments, and updated the testing configuration to also test under Python version 3.8 [ ].
debhelper
build tool impacting the reproducibility status of hundreds of packages that use the CMake build system. This month however, Niels Thykier uploaded debhelper
version 13.2 that passes the -DCMAKE_SKIP_RPATH=ON
and -DBUILD_RPATH_USE_ORIGIN=ON
arguments to CMake when using the (currently-experimental) Debhelper compatibility level 14.
According to Niels, this change:
should fix some reproducibility issues, but may cause breakage if packages run binaries directly from the build directory.34 reviews of Debian packages were added, 14 were updated and 20 were removed this month adding to our knowledge about identified issues. Chris Lamb added and categorised the
nondeterministic_order_of_debhelper_snippets_added_by_dh_fortran_mod
[ ] and gem2deb_install_mkmf_log
[ ] toolchain issues.
Lastly, Holger Levsen filed two more wishlist bugs against the debrebuild
Debian package rebuilder tool [ ][ ].
afl
(fix an incorrectly built manual page varied from kernel boot options)brp-check-suse
(sorting issue)dnscrypt-proxy
(sort the output of find(1)
)graphviz
(timezone issue, forwarded from Debian)guile-gcrypt
(parallelism)insighttoolkit
(prevent CPU detection, forwarded upstreamipopt
(parallelism issue and use https://tracker.debian.org/pkg/strip-nondeterminism)jboss-logging-tools
(date, forwarded upstream)kismet
(date)lcov
(date issue, already upstream)multus
(date issue, already upstream)multus
(date)paperjam
(date issue, forwarded upstream)pspp
(scrub testsuite.log
)python-PyNaCl
(sort Python glob/readdir)python-enaml
(workaround an open upstream Python issue)sac
(omit creation time from .zip
files)sql-parser
(sort, already upstream)ugrep
(CPU-related issue, already upstream)ugrep
(CPU-related issue)unknown-horizons
(filesystem ordering issue, already upstream)unknown-horizons
(filesystem ordering issue)xfce4-panel-profiles
(POSIX.1-2001/pax headers)yast2-sound
(uses uname -r
)apache-sshd
(date)tests.reproducible-builds.org
.
This month, Holger Levsen made the following changes:
sbuild
exit code. [ ][ ]php-horde
packages back to the pkg-php-pear
package set for the bullseye distribution. [ ]debrebuild
. [ ]logrotate
[ ], pbuilder
[ ], NetBSD [ ], unkillable processes [ ], unresponsive nodes [ ][ ][ ][ ], proxy connection failures [ ], too many installed kernels [ ], etc.systemd
units. [ ]init_node
script to suggest using sudo instead of explicit logout and logins [ ][ ] and the usual build node maintenance was performed by Holger Levsen [ ][ ][ ][ ][ ][ ], Mattia Rizzolo [ ][ ] and Vagrant Cascadian [ ][ ][ ][ ].
#reproducible-builds
on irc.oftc.net
.
rb-general@lists.reproducible-builds.org
152
. This version includes the following changes:
[ Chris Lamb ]
* Bug fixes:
- Don't require zipnote(1) to determine differences in a .zip file as we
can use libarchive directly.
* Reporting improvements:
- Don't emit "javap not found in path" if it is available in the path but
it did not result in any actual difference.
- Fix "... not available in path" messages when looking for Java
decompilers; we were using the Python class name (eg. "<class
'diffoscope.comparators.java.Javap'>") over the actual command we looked
for (eg. "javap").
* Code improvements:
- Replace some simple usages of str.format with f-strings.
- Tidy inline imports in diffoscope.logging.
- In the RData comparator, always explicitly return a None value in the
failure cases as we return a non-None value in the "success" one.
[ Jean-Romain Garnier ]
* Improve output of side-by-side diffs, detecting added lines better.
(MR: reproducible-builds/diffoscope!64)
* Allow passing file with list of arguments to ArgumentParser (eg.
"diffoscope @args.txt"). (MR: reproducible-builds/diffoscope!62)
.doctrees
from installed files was created via Arch s TODO list mechanism. These .doctree
files are caches generated by the Sphinx documentation generator when developing documentation so that Sphinx does not have to reparse all input files across runs. They should not be packaged, especially as they lead to the package being unreproducible as their pickled format contains unreproducible data. Jelle van der Waa and Eli Schwartz submitted various upstream patches to fix projects that install these by default.
Dimitry Andric was able to determine why the reproducibility status of FreeBSD s base.txz
depended on the number of CPU cores, attributing it to an optimisation made to the Clang C compiler [ ]. After further detailed discussion on the FreeBSD bug it was possible to get the binaries reproducible again [ ].
For the GNU Guix operating system, Vagrant Cascadian started a thread about collecting reproducibility metrics and Jan janneke Nieuwenhuizen posted that they had further reduced their bootstrap seed to 25% which is intended to reduce the amount of code to be audited to avoid potential compiler backdoors.
In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update as well as made the following changes within the distribution itself:
autogen
(Date issue)carla
(Timestamp in Windows Portable Executable executables)fonttosfnt/xorg-x11-fonts
(Address space layout randomization issue)fossil
(Date issue)gcc10 C++
(Link-time optimisation issue)grep
(Profile-guided optimisation issue)kubernetes1.18
(Remove Go build identifier)libjcat
(Remove certificate)lifelines
(Date issue)miredo
(Drop hostname)stressapptest
(Override date, user & host)reproducible-check
tool that reports on the reproducible status of installed packages on a running Debian system. They were subsequently all fixed by Chris Lamb [ ][ ][ ].
Timo R hling filed a wishlist bug against the debhelper
build tool impacting the reproducibility status of 100s of packages that use the CMake build system which led to a number of tests and next steps. [ ]
Chris Lamb contributed to a conversation regarding the nondeterministic execution of order of Debian maintainer scripts that results in the arbitrary allocation of UNIX group IDs, referencing the Tails operating system s approach this [ ]. Vagrant Cascadian also added to a discussion regarding verification formats for reproducible builds.
47 reviews of Debian packages were added, 37 were updated and 69 were removed this month adding to our knowledge about identified issues. Chris Lamb identified and classified a new uids_gids_in_tarballs_generated_by_cmake_kde_package_app_templates
issue [ ] and updated the paths_vary_due_to_usrmerge as deterministic
issue, and Vagrant Cascadian updated the cmake_rpath_contains_build_path
and gcc_captures_build_path
issues. [ ][ ][ ].
Lastly, Debian Developer Bill Allombert started a mailing list thread regarding setting the -fdebug-prefix-map
command-line argument via an environment variable and Holger Levsen also filed three bugs against the debrebuild
Debian package rebuilder tool (#961861, #961862 & #961864).
SOURCE_DATE_EPOCH
git log
example to another section [ ]. Chris Lamb also limited the number of news posts to avoid showing items from (for example) 2017 [ ].
strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build. It is used automatically in most Debian package builds. This month, Mattia Rizzolo bumped the debhelper
compatibility level to 13 [ ] and adjusted a related dependency to avoid potential circular dependency [ ].
autogen
(race condition)cockpit
(date)fossil
(date)libnvidia-container
(date)libv3270
( date)netcdf-fortran
.seqtools
.python-pauvre
.petitboot
.fonts-anonymous-pro
.python-pyqtgraph
(forwarded upstream)libqmi
.tkabber-plugins
.python-stem
.golang-v2ray-core
.critcl
.gftl
.libmbim
.neovim-qt
.golang-github-viant-toolbox
.libxml2
(random data corruption)frr
(build fails on single-processor machines), ghc-yesod-static/git-annex
(a filesystem ordering issue) and ooRexx
(ASLR-related issue).
147
, 148
and 149
to Debian and made the following changes:
/Info
stanza). (#150)jsondiff
version 1.2.0. (#159)File.recognizes
that checks candidates against file(1)
. [ ]subprocess.check_output
by using a wrapper. (#151)AbstractMissingType
type instead of remembering to check for both types of missing files. [ ].changes
, .dsc
and .buildinfo
comparators. [ ]f-strings
to tidy up code [ ][ ] and remove explicit u"unicode"
strings [ ].--new-file
option when comparing directories by merging DirectoryContainer.compare
and Container.compare
. (#180)--diff-mask=REGEX
. (!51)--html-dir
presenter format. [ ]--html-dir
format. [ ][ ]tlsh
fuzzy-matching library during tests [ ] and tweaked the build system to remove an unwanted .build
directory [ ]. For the GNU Guix distribution Vagrant Cascadian updated the version of diffoscope to version 147 [ ] and later 148 [ ].
tests.reproducible-builds.org
. Amongst many other tasks, this tracks the status of our reproducibility efforts across many distributions as well as identifies any regressions that have been introduced. This month, Holger Levsen made the following changes:
rsync2buildinfos.debian.net
every night. [ ].buildinfo
files to include a fix regarding comparing source vs. binary package versions. [ ]archlinux_html_pages
, openwrt_rebuilder_today
and openwrt_rebuilder_future
to known broken jobs. [ ]<meta>
header to refresh the page every 5 minutes. [ ]fixfilepath
on bullseye, to get better data about the ftbfs_due_to_f-file-prefix-map
categorised issue.
Lastly, the usual build node maintenance was performed by Holger Levsen [ ][ ], Mattia Rizzolo [ ] and Vagrant Cascadian [ ][ ][ ][ ][ ].
#reproducible-builds
on irc.oftc.net
.
rb-general@lists.reproducible-builds.org
This month s report was written by Bernhard M. Wiedemann, Chris Lamb, Eli Schwartz, Holger Levsen, Jelle van der Waa and Vagrant Cascadian. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.
150
. This version includes the following changes:
[ Chris Lamb ]
* Don't crash when listing entries in archives if they don't have a listed
size (such as hardlinks in .ISO files).
(Closes: reproducible-builds/diffoscope#188)
* Dump PE32+ executables (including EFI applications) using objdump.
(Closes: reproducible-builds/diffoscope#181)
* Tidy detection of JSON files due to missing call to File.recognizes that
checks against the output of file(1) which was also causing us to attempt
to parse almost every file using json.loads. (Whoops.)
* Drop accidentally-duplicated copy of the new --diff-mask tests.
* Logging improvements:
- Split out formatting of class names into a common method.
- Clarify that we are generating presenter formats in the opening logs.
[ Jean-Romain Garnier ]
* Remove objdjump(1) offsets before instructions to reduce diff noise.
(Closes: reproducible-builds/diffoscope!57)
149
. This version includes the following changes:
[ Chris Lamb ]
* Update tests for file 5.39. (Closes: reproducible-builds/diffoscope#179)
* Downgrade the tlsh warning message to an "info" level warning.
(Closes: #888237, reproducible-builds/diffoscope#29)
* Use the CSS "word-break" property over manually adding U+200B zero-width
spaces that make copy-pasting cumbersome.
(Closes: reproducible-builds/diffoscope!53)
* Codebase improvements:
- Drop some unused imports from the previous commit.
- Prevent an unnecessary .format() when rendering difference comments.
- Use a semantic "AbstractMissingType" type instead of remembering to check
for both "missing" files and missing containers.
[ Jean-Romain Garnier ]
* Allow user to mask/filter reader output via --diff-mask=REGEX.
(MR: reproducible-builds/diffoscope!51)
* Make --html-dir child pages open in new window to accommodate new web
browser content security policies.
* Fix the --new-file option when comparing directories by merging
DirectoryContainer.compare and Container.compare.
(Closes: reproducible-builds/diffoscope#180)
* Fix zsh completion for --max-page-diff-block-lines.
[ Mattia Rizzolo ]
* Do not warn about missing tlsh during tests.
Welcome to the May 2020 report from the Reproducible Builds project. One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. Nonetheless, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into seemingly secure software during the various compilation and distribution processes. In these reports we outline the most important things that we and the rest of the community have been up to over the past month.
Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle.In related news, the LineageOS Android distribution announced that a hacker had access to the infrastructure of their servers after exploiting an unpatched vulnerability. Marcin Jachymiak of the Sia decentralised cloud storage platform posted on their blog that their
siac
and siad
utilities can now be built reproducibly:
This means that anyone can recreate the same binaries produced from our official release process. Now anyone can verify that the release binaries were created using the source code we say they were created from. No single person or computer needs to be trusted when producing the binaries now, which greatly reduces the attack surface for Sia users.Synchronicity is a distributed build system for Rust build artifacts which have been published to crates.io. The goal of Synchronicity is to provide a distributed binary transparency system which is independent of any central operator. The Comparison of Linux distributions article on Wikipedia now features a Reproducible Builds column indicating whether distributions approach and progress towards achieving reproducible builds.
binutils
package ships its own, unreproducible, log files in its binary packages. It was followed-up by replies from Chris Lamb and Matthias Klose.
ocaml_cmti_files
toolchain issue.
.apk
packages.
Allan McRae of the ArchLinux project posted their third Reproducible builds progress report to the arch-dev-public
mailing list which includes the following call for help:
We also need help to investigate and fix the packages that fail to reproduce that we have not investigated as of yet.In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update.
142
, 143
, 144
, 145
and 146
to Debian, PyPI, etc.
file
now supports recognising JSON data. (#106).changes
and .buildinfo
handling to show all details (including the GnuPG header and footer components) even when referenced files are not present. (#122)BuildinfoFile
comparator (etc.) regardless of whether the associated files (such as the orig.tar.gz
and the .deb
) are present. [ ].buildinfo
, .changes
, etc. [ ]apksigner(1)
. (#121).zip
files. (#116).mobilepovision
files. (#113)differences
typo in the ApkFile
handler. (#127)id="foo"
anchor reference twice in the HTML output, otherwise identically-named parts will not be able to linked to via a #foo
anchor. (#120)#
. [ ]--json
presenter; it will usually be too complicated to be readable by the human anyway. [ ]Command [ ] failed with exit code
messages to remove duplicate exited with exit
but also to note that diffoscope
is interpreting this as an error. [ ]Command [ ] exited with 1
messages. (#126)debian
Python module. [ ]stderr from
if both commands emit the same output. [ ]apksigner
test failures due to lack of binfmt_misc
, eg. on Salsa CI and elsewhere. [ ].travis.yml
as we use Salsa instead. [ ]Dockerfile
improvements:
.dockerignore
file to whitelist files we actually need in our container. (#105)ARG
instead of ENV
when setting up the DEBIAN_FRONTEND
environment variable at runtime. (#103)build-essential
during build so we can install the recommended packages from Git. [ ]shell=False
keyword argument to subprocess.Popen
so that the potentially-unsafe shell=True
is more obvious. [ ]MissingFile
s special handling of deb822
to prevent leaking through abstract layers. [ ][ ]try
/except
block when cleaning up temporary files with respect to the flake8
quality assurance tool. [ ]in_dsc_path
to dsc_in_same_dir
to clarify the use of this variable. [ ]debian_fallback
class [ ] and add descriptions for the file types. [ ]Openssl
command class to OpenSSLPKCS7
to accommodate other command names with this prefix. [ ]--debugger
command-line argument to --pdb
. [ ]stat(2)
birth times (ie. st_birthtime
) in the same way we do with the stat(1)
command s Access:
and Change:
times to fix a nondeterministic build failure in GNU Guix. (#74)LibarchiveMember
s has_same_content
method was called regardless of the underlying type of file. [ ]
debian/py3dist-overrides
to ensure the rpm-python
module is used in package dependencies (#89) and moved to using the new execute_after_*
and execute_before_*
Debhelper rules [ ].
absolute_url
and relative_url
where possible [ ][ ] and move a number of configuration variables to _config.yml
[ ][ ].golang-packaging
(toolchain issue, affecting times in minikube
)jboss-logging-tools
(toolchain issue, affecting date for resteasy
)linux_logo
(sort find
output to avoid inheriting filesystem order)moonjit
(generate reproducible output by default if SOURCE_DATE_EPOCH
is set)vala
(report ASLR nondeterminism)earlyoom
(timestamps in Gzip files)fmt
(Don t install sphinx-build
cached files as they are unneeded & unreproducible)nvidia-settings
(timestamp in Gzip files)ataqv
.elinks
.briquolo
.cryptominisat
.wolfssl
.mistral
.python-watcherclient
.tree-puzzle
.nulib2
.process-cpp
.bowtie2
.properties-cpp
.wand
(forwarded upstream)vows
.libstatgrab
.texi2html
.grub
.systemtap
.mono
.mescc-tools
: Inherit CFLAGS
in a Makefile
, allowing -ffile-prefix-map
/-fdebug-prefix-map
to sanitise build paths (merged upstream).1.8.1-1
to Debian unstable and Bernhard M. Wiedemann fixed an off-by-one error when parsing PNG image modification times. (#16)
In disorderfs, our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues, Chris Lamb replaced the term dirents in place of directory entries in human-readable output/log messages [ ] and used the astyle source code formatter with the default settings to the main disorderfs.cpp
source file [ ].
Holger Levsen bumped the debhelper-compat level
to 13 in disorderfs [ ] and reprotest [ ], and for the GNU Guix distribution Vagrant Cascadian updated the versions of disorderfs to version 0.5.10 [ ] and diffoscope to version 145 [ ].
libtool
. [ ]_docs
subdirectory to find the _docs/index.md
file after an internal move. (#27)ltmain.sh
etc. in preformatted quotes. [ ]SOURCE_DATE_EPOCH
Python examples onto more lines to prevent visual overflow on the page. [ ]faketime
to the project s Github page. (!57)tests.reproducible-builds.org
that, amongst many other tasks, tracks the status of our reproducibility efforts as well as identifies any regressions that have been introduced. Holger Levsen made the following changes:
let VARIABLE=0
exits with an error. [ ].buildinfo
files with the same name. [ ]/usr
merge variation on Debian unstable. [ ]molly-guard
. [ ]debrebuild
script. [ ][ ][ ][ ].buildinfo
files. [ ][ ]alpine_schroot.sh
script now that a patch for abuild
had been released upstream. [ ]
brcm47xx
target to bcm47xx
. [ ]
jenkins
to run the blacklist
command [ ] and the usual build node maintenance was performed was performed by Holger Levsen [ ][ ][ ], Mattia Rizzolo [ ][ ] and Vagrant Cascadian [ ][ ][ ].
To make the results accessible, storable and create tools around them, they should all follow the same schema, a reproducible builds verification format. The format tries to be as generic as possible to cover all open source projects offering precompiled source code. It stores the rebuilder results of what is reproducible and what not.Hans-Christoph Steiner of the Guardian Project also continued his previous discussion regarding making our website translatable. Lastly, Leo Wandersleb posted a detailed request for feedback on a question of supply chain security and other issues of software review; Leo is the founder of the Wallet Scrutiny project which aims to prove the security of Android Bitcoin Wallets:
Do you own your Bitcoins or do you trust that your app allows you to use your coins while they are actually controlled by them ? Do you have a backup? Do they have a copy they didn t tell you about? Did anybody check the wallet for deliberate backdoors or vulnerabilities? Could anybody check the wallet for those?Elsewhere, Leo had posted instructions on his attempts to reproduce the binaries for the BlueWallet Bitcoin wallet for iOS and Android platforms.
#reproducible-builds
on irc.oftc.net
.
rb-general@lists.reproducible-builds.org
This month s report was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Jelle van der Waa and Vagrant Cascadian. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.
146
. This version includes the following changes:
[ Chris Lamb ]
* Refactor .changes and .buildinfo handling to show all details (including
the GPG header and footer components), even when referenced files are not
present. (Closes: reproducible-builds/diffoscope#122)
* Normalise filesystem stat(2) "birth times" (ie. st_birthtime) in the same
way we do with stat(1)'s "Access:" and "Change:" times to fix a
nondetermistic build failure on GNU Guix.
(Closes: reproducible-builds/diffoscope#74)
* Drop the (default) subprocess.Popen(shell=False) keyword argument so that
the more unsafe shell=True is more obvious.
* Ignore lower vs. upper-case when ordering our file format descriptions.
* Don't skip string normalisation in Black.
[ Mattia Rizzolo ]
* Add a "py3dist" override for the rpm-python module (Closes: #949598)
* Bump the debhelper compat level to 13 and use the new
execute_after_*/execture_before_* style rules.
* Fix a spelling error in changelog.
[ Daniel Fullmer ]
* Mount GuestFS filesystem images readonly.
[ Jean-Romain Garnier ]
* Prevent an issue where (for example) LibarchiveMember's has_same_content
method is called regardless of the actual type of file.
Please note that the change to execptions andChanges in Rcpp version 1.0.4 (2020-03-13)
- Changes in Rcpp API:
- Safer
Rcpp_list*
,Rcpp_lang*
andFunction.operator()
(Romain in #1014, #1015).- A number of
#nocov
markers were added (Dirk in #1036, #1042 and #1044).- Finalizer calls clear external pointer first (Kirill M ller and Dirk in #1038).
- Scalar operations with a rhs matrix no longer change the matrix value (Qiang in #1040 fixing (again) #365).
Rcpp::exception
andRcpp::stop
are now more thread-safe (Joshua Pritikin in #1043).- Changes in Rcpp Attributes:
- The
cppFunction
helper now deals correctly with mulitpledepends
arguments (TJ McKinley in #1016 fixing #1017).- Invisible return objects are now supported via new option (Kun Ren in #1025 fixing #1024).
- Unavailable packages referred to in
LinkingTo
are now reported (Dirk in #1027 fixing #1026).- The
sourceCpp
function can now create a debug DLL on Windows (Dirk in #1037 fixing #1035).- Changes in Rcpp Documentation:
- The
.github/
directory now has more explicit guidance on contributing, issues, and pull requests (Dirk).- The Rcpp Attributes vignette describe the new invisible return object option (Kun Ren in #1025).
- Vignettes are now included as pre-made pdf files (Dirk in #1029)
- The Rcpp FAQ has a new entry on the recommended
importFrom
directive (Dirk in #1031 fixing #1030).- The bib file for the vignette was once again updated to current package versions (Dirk).
- Changes in Rcpp Deployment:
Rcpp::stop()
in pr #1043 has been seen to have a minor side effect on macOS issue #1046 which has already been fixed by Kevin in pr #1047 for which I may prepare a 1.0.4.1 release for the Rcpp drat repo in a day or two.
Thanks to CRANberries, you can also look at a diff to the previous release. Questions, comments etc should go to the rcpp-devel mailing list off the R-Forge page. Bugs reports are welcome at the GitHub issue tracker as well (where one can also search among open or closed issues); questions are also welcome under rcpp
tag at StackOverflow which also allows searching among the (currently) 2356 previous questions.
If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
NEWS
file.
Changes in Rcpp version 0.12.1 (2015-09-10)Thanks to CRANberries, you can also look at a diff to the previous release As always, even fuller details are on the Rcpp Changelog page and the Rcpp page which also leads to the downloads page, the browseable doxygen docs and zip files of doxygen output for the standard formats. A local directory has source and documentation too. Questions, comments etc should go to the rcpp-devel mailing list off the R-Forge page.
- Changes in Rcpp API:
- Correct use of WIN32 instead of _WIN32 to please Windows 10
- Add an assignment operator to
DimNameProxy
(PR #339 by Florian)- Add vector and matrix accessors
.at()
with bounds checking (PR #342 by Florian)- Correct character vector conversion from single char (PR #344 by Florian fixing issue #343)
- Correct on use of
R_xlen_t
back tosize_t
(PR #348 by Romain)- Correct subsetting code to allow for single assignment (PR #349 by Florian)
- Enable subset assignment on left and righ-hand side (PR #353 by Qiang, fixing issue #345)
- Refreshed to included
tinyformat
template library (PR #357 by Dirk, issue #356)- Add
operator<<()
for vectors and matrices (PR #361 by Dan fixing issue #239)- Make
String
andString_Proxy
objects comparable (PR #366 and PR #372 by Dan, fixing issue #191)- Add a new class
Nullable
for objects which may beNULL
(PR #368 by Dirk and Dan, fixing issue #363)- Correct creation and access of large matrices (PR #370 by Florian, fixing issue #369)
- Changes in Rcpp Attributes:
- Correctly reset directory in case of no-rebuilding but Windows code (PR #335 by Dirk)
- Changes in Rcpp Modules:
- We no longer define multiple Modules objects named
World
in the unit tests with was seen to have a bad effect with R 3.2.2 or later (PR #351 by Dirk fixing issue #350).- Applied patch by Kurt Hornik which improves how Rcpp loads Modules (PR #353 by Dirk)
- Changes in Rcpp Documentation:
- The
Rcpp.bib
file with bibliographic references was updated.
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
R_xlen_t
has been added.
That means we can now do stunts like
R> library(Rcpp)
R> big <- 2^31-1
R> bigM <- rep(NA, big)
R> bigM2 <- c(bigM, bigM)
R> cppFunction("double getSz(LogicalVector x) return x.length(); ")
R> getSz(bigM)
[1] 2147483647
R> getSz(bigM2)
[1] 4294967294
R>
where prior versions of Rcpp would just have said
> getSz(bigM2)
Error in getSz(bigM2) :
long vectors not supported yet: ../../src/include/Rinlinedfuns.h:137
>
which is clearly not Texas-style. Another wellcome change, also thanks to Qiang Kou, adds encoding support for strings.
A lot of other things got polished. We are still improving exception handling as we still get the odd curveballs in a corner cases. Matt Dziubinski corrected the var()
computation to use the proper two-pass method and added better support for lambda functions in Sugar expression using sapply()
, Qiang Kou added more pull requests mostly for string initialization, and Romain added a pull request which made data frame creation a little more robust, and JJ was his usual self in tirelessly looking after all aspects of Rcpp Attributes.
As always, you can follow the development via the GitHub repo and particularly the Issue tickets and Pull Requests. And any discussions, questions, ... regarding Rcpp are always welcome at the rcpp-devel mailing list.
Last but not least, we are also extremely pleased to annouce that Qiang Kou has joined us in the Rcpp-Core team. We are looking forward to a lot more awesome!
See below for a detailed list of changes extracted from the NEWS
file.
Changes in Rcpp version 0.12.0 (2015-07-24)Thanks to CRANberries, you can also look at a diff to the previous release As always, even fuller details are on the Rcpp Changelog page and the Rcpp page which also leads to the downloads page, the browseable doxygen docs and zip files of doxygen output for the standard formats. A local directory has source and documentation too. Questions, comments etc should go to the rcpp-devel mailing list off the R-Forge page.
- Changes in Rcpp API:
Rcpp_eval()
no longer usesR_ToplevelExec
when evaluating R expressions; this should resolve errors where calling handlers (e.g. throughsuppressMessages()
) were not properly respected.- All internal length variables have been changed from
R_len_t
toR_xlen_t
to support vectors longer than 2^31-1 elements (via pull request 303 by Qiang Kou).- The sugar function
sapply
now supports lambda functions (addressing issue 213 thanks to Matt Dziubinski)- The
var
sugar function now uses a more robust two-pass method, supports complex numbers, with new unit tests added (via pull request 320 by Matt Dziubinski)String
constructors now allow encodings (via pull request 310 by Qiang Kou)String
objects are preserving the underlyingSEXP
objects better, and are more careful about initializations (via pull requests 322 and 329 by Qiang Kou)- DataFrame constructors are now a little more careful (via pull request 301 by Romain Francois)
- For R 3.2.0 or newer,
Rf_installChar()
is used instead ofRf_install(CHAR())
(via pull request 332).- Changes in Rcpp Attributes:
- Use more robust method of ensuring unique paths for generated shared libraries.
- The
evalCpp
function now also supports theplugins
argument.- Correctly handle signature termination characters (' ' or ';') contained in quotes.
- Changes in Rcpp Documentation:
- The
Rcpp-FAQ
vignette was once again updated with respect to OS X issues and Fortran libraries needed for e.g. RcppArmadillo.- The included
Rcpp.bib
bibtex file (which is also used by other Rcpp* packages) was updated with respect to its CRAN references.
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.
Next.