107.md 11.4 KB
Newer Older
1
---
2
layout: new/blog
3
week: 107
4
published: 2017-05-17 16:05:59
5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
---

Here's what happened in the [Reproducible
Builds](https://reproducible-builds.org) effort between Sunday May 7 and
Saturday May 13 2017:


Report from Reproducible Builds Hamburg Hackathon
-------------------------------------------------

We were 16 participants from 12 projects: 7 Debian, 2 repeatr.io, 1 ArchLinux, 1 coreboot + LEDE, 1 F-Droid, 1 ElectroBSD + privoxy, 1 GNU R, 1 in-toto.io, 1 Meson and 1 openSUSE. Three people came from the USA, 3 from the UK, 2 Finland, 1 Austria, 1 Denmark and 6 from Germany, plus we several guests from our gracious hosts at the CCCHH hackerspace as well as a guest from Australia…

We had four presentations:

- "Reproducible Builds everywhere" by h01ger
- [https://in-toto.io](in-toto.io) by Justin Cappos
- [http://repeatr.io](repeatr.io) by Eric Myhre
- [http://mesonbuild.com](Meson) by Jussi Pakkanen

Some of the things we worked on:

- h01ger did orga stuff for this very hackathon, discussed [tests.r-b.o](https://tests.reproducible-builds.org) with various non-Debian contributors, filed some bugs and restarted the [policy discussion in #844431](https://bugs.debian.org/844431). He also did some polishing work on tests.r-b.o which shall be covered in next issue of our weekly blog.
- Justin Cappos involved many of us in interesting discussions and started to write an academic paper about Reproducible Builds of which he shared an early beta on our mailinglist.
28
- Chris Lamb (lamby) filed a number of patches for individual packages, worked on diffoscope, merged many changes to `strip-nondeterminism` and also filed [#862073](https://bugs.debian.org/862073) against dak to upload buildinfo files to external services.
29 30 31 32 33 34 35 36 37 38
- Maria Glukhova (siamezzze) fixed a bug with plots on tests.reproducible-builds.org and worked on diffoscope test coverage.
- Lynxis worked on a new squashfs upstream release improving support for reproducible squashfs filesystems and also had some time to hack on coreboot and show others how to install coreboot on real hardware.
- Michael Poehn worked on integrating F-Droid builds into tests.reproducible-builds.org, on the F-Droid verification utility and also ran some app reproducibility tests.
- Bernhard worked on various unreproducible issues upstream and submitted fixes for [curl](https://github.com/curl/curl/pull/1490), [bzr](https://bugs.launchpad.net/bzr/+bug/1691419), [ant](https://bz.apache.org/bugzilla/show_bug.cgi?id=61079).
- Erin Myhre worked on bootstrapping cleanroom builds of compiler components in Repeatr sandboxes.
- Calvin Behling merged improvements to [reppl](https://github.com/polydawn/reppl) for a cleaner storage format and better error handling and did design work for next version of repeatr pipeline execution. Calvin also lead the reproducibility testing of restaurant mood lighting.
- Eric and Calvin also claim to have had all sorts of useful exchanges about the state of other projects, and learned a lot about where to look for more info about debian bootstrap and archive mirroring from steven and lamby :)
- Phil Hands came by to say hi and worked on testing [d-i on jenkins.debian.net](https://jenkins.debian.net/view/lvc).
- Chris West (Faux) worked on extending `misc.git:has-only.py`, and started looking at Britney.

Georg Faerber's avatar
Georg Faerber committed
39
We had a Debian focused meeting where we discussed a number of topics:
40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90

- IRC meetings: yes, we want to try again to have them, monthly, a poll for a good date is being held.
- Debian tests post Stretch: we'll add tests for stable/Stretch.
- .buildinfo files, how forward: we need sourceful uploads for any arch:all packages. dak should send .buildinfo files to buildinfo.debian.net.
- (pre?) Stretch release press release: we should do that, esp. as our achievements are largely unrelated to Stretch.
- Reproducible Builds Summit 3: yes, we want that.
- what to do (in notes.git) with resolved issues: keep the issues.
- strip-nondeterminism quo vadis: Justin reminded us that strip-nondeterminism is a workaround we want to get rid off.

And then we also had a lot of fun in the hackerspace, enjoying some of their gimmicks,
such as being able to open physical doors with `ssh` or controlling light and music with an webbrowser without authentication (besides being in the right network).

[<img width="360" alt="Not quite the hackathon"
src="/blog/images/hamburg-hackathon-2017.jpg"
/>](/blog/images/hamburg-hackathon-2017.jpg)

(This wasn't the hackathon per-se, but some of us appreciated these sights and so we thought you would too.)

Many thanks to:

- [Debian](https://wiki.debian.org/Sprints) for sponsoring food and accommodation!
- [Dock Europe](http://dock-europe.net) for providing us with really nice accommodation in the house!
- [CCC Hamburg](http://hamburg.ccc.de) for letting us use their hackerspace for >3 days non-stop!


News and media coverage
-----------------------

openSUSE has had a [security breach in their
infrastructure](https://lists.opensuse.org/opensuse-announce/2017-05/msg00000.html),
including their build services. As of this writing, the scope and impact are
still unclear, however the incident illustrates that no one should rely on
being able to secure their infrastructure at all times. Reproducible Builds
help mitigate this by allowing independent verification of build results, by
parties that are unaffected by the compromise.

(Whilst this can happen to *anyone*. Kudos to openSUSE for being open about it.
Now let's continue working on Reproducible Builds everywhere!)

On May 13th Chris Lamb gave a talk on Reproducible Builds at [OSCAL
2017](https://oscal.openlabs.cc/) in Tirana, Albania.

[<img width="240" alt="OSCAL 2017"
src="/blog/images/oscal2017.jpg"
/>](/blog/images/oscal2017.jpg)


Toolchain bug reports and fixes
-------------------------------

- Chris Lamb:
91
  * Fixed a long-standing toolchain issue ([#842635](https://bugs.debian.org/842635), [#858389](https://bugs.debian.org/858389)) in [docbook-to-man](https://tracker.debian.org/pkg/docbook-to-man) by
92
    adopting the package.
93 94
  * [#862003](https://bugs.debian.org/862003) filed against [debhelper](https://tracker.debian.org/pkg/debhelper).
  * [#862073](https://bugs.debian.org/862073) filed against ftp.debian.org, to upload buildinfo files to
95 96
    buildinfo.debian.net.
- Steven Chamberlain:
97
  * [#862059](https://bugs.debian.org/862059) filed against [sbuild](https://tracker.debian.org/pkg/sbuild), for signing buildinfo files.
98
- Ximin Luo:
99 100 101
  * [#862112](https://bugs.debian.org/862112) filed against [r-base](https://tracker.debian.org/pkg/r-base).
  * [#862113](https://bugs.debian.org/862113) filed against [gcc-6](https://tracker.debian.org/pkg/gcc-6).
  * [#862116](https://bugs.debian.org/862116) filed against [dpkg](https://tracker.debian.org/pkg/dpkg).
102 103 104 105 106 107


Packages' bug reports
----------------------

- Chris Lamb:
108 109 110 111 112 113 114 115 116 117
  * [#862088](https://bugs.debian.org/862088) filed against [compass-h5bp-plugin](https://tracker.debian.org/pkg/compass-h5bp-plugin).
  * [#862140](https://bugs.debian.org/862140) filed against [ofxstatement-plugins](https://tracker.debian.org/pkg/ofxstatement-plugins).
  * [#862179](https://bugs.debian.org/862179) filed against [acct](https://tracker.debian.org/pkg/acct).
  * [#862183](https://bugs.debian.org/862183) filed against [libjgroups-java](https://tracker.debian.org/pkg/libjgroups-java).
  * [#862195](https://bugs.debian.org/862195) filed against [sendip](https://tracker.debian.org/pkg/sendip).
  * [#862451](https://bugs.debian.org/862451) filed against [wammu](https://tracker.debian.org/pkg/wammu), forwarded [upstream](https://github.com/gammu/wammu/pull/49).
  * [#862484](https://bugs.debian.org/862484) filed against [seqan2](https://tracker.debian.org/pkg/seqan2).
  * [#862553](https://bugs.debian.org/862553) filed against [vim-command-t](https://tracker.debian.org/pkg/vim-command-t).
  * [#862588](https://bugs.debian.org/862588) filed against [tkhtml1](https://tracker.debian.org/pkg/tkhtml1).
  * [#862592](https://bugs.debian.org/862592) filed against [taskcoach](https://tracker.debian.org/pkg/taskcoach).
118
- Chris West:
119
  * [#862252](https://bugs.debian.org/862252) filed against [dns-root-data](https://tracker.debian.org/pkg/dns-root-data).
120 121 122 123 124 125 126 127 128


Reviews of unreproducible packages
----------------------------------

11 package reviews have been added, 2562 have been updated and 278 have been
removed in this week, adding to our knowledge about [identified
issues](https://tests.reproducible-builds.org/debian/index_issues.html). Most
of the updates were to move ~1800 packages affected by the generic catch-all
129 130
[captures_build_path](https://tests.reproducible-builds.org/issues/unstable/captures_build_path_issue.html) (out of ~2600 total) to the more specific
[gcc_captures_build_path](https://tests.reproducible-builds.org/issues/unstable/gcc_captures_build_path_issue.html), fixed by our [proposed patches to GCC](https://bugs.debian.org/862113).
131 132 133

5 issue types have been updated:

134 135 136 137 138
- Updated [docbook_to_man_one_byte_delta](https://tests.reproducible-builds.org/issues/unstable/docbook_to_man_one_byte_delta_issue.html)
- Added [ocaml_captures_build_path](https://tests.reproducible-builds.org/issues/unstable/ocaml_captures_build_path_issue.html)
- Added [gcj_captures_build_path](https://tests.reproducible-builds.org/issues/unstable/gcj_captures_build_path_issue.html)
- Added [gcc_captures_build_path](https://tests.reproducible-builds.org/issues/unstable/gcc_captures_build_path_issue.html)
- Re-added [docbook_to_man_one_byte_delta](https://tests.reproducible-builds.org/issues/unstable/docbook_to_man_one_byte_delta_issue.html)
139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154


Weekly QA work
--------------

During our reproducibility testing, FTBFS bugs have been detected and reported by:

 - Adrian Bunk (1)
 - Chris Lamb (2)
 - Chris West (1)


diffoscope development
----------------------

diffoscope development continued [on the experimental
155
branch](https://salsa.debian.org/reproducible-builds/diffoscope/commits/experimental):
156 157 158 159 160

- Maria Glukhova:
  - Code refactoring and more tests.
- Chris Lamb:
  - Add safeguards against unpacking recursive or deeply-nested archives.
161
    (Closes: [#780761](https://bugs.debian.org/780761))
162 163 164 165 166


strip-nondeterminism development
--------------------------------

167
- strip-nondeterminism `0.033-1` and `-2` were uploaded to unstable by Chris Lamb. It included [contributions](https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commits/debian/0.033-2) from:
168 169 170 171 172 173 174 175 176 177 178 179

- Bernhard M. Wiedemann:
  - Add cpio handler.
  - Code quality improvements.
- Chris Lamb:
  - Add documentation and increase verbosity, in support of the long-term aim
    of removing the need for this tool.


reprotest development
---------------------

180
- reprotest `0.6.1` and `0.6.2` were uploaded to unstable by Ximin Luo. It included [contributions](https://salsa.debian.org/reproducible-builds/reprotest/commits/debian/0.6.2) from:
181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205

- Ximin Luo:
  * Add a documentation section on "Known bugs".
  * Move developer documentation away from the man page.
  * Mention release instructions in the previous changelog.
  * Preserve directory structure when copying artifacts. Otherwise hash output
    on a successful reproduction sometimes fails, because find(1) can't find
    the artifacts using the original artifact_pattern.
- Chris Lamb
  * Add proper release instructions and a keyring.


trydiffoscope development
-------------------------

- Chris Lamb:
  * Uses the diffoscope from Debian experimental if possible.



Misc.
-----

This week's edition was written by Ximin Luo, Holger Levsen and Chris Lamb &
reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.