202.md 7.31 KB
Newer Older
1 2 3
---
layout: new/blog
week: 202
4
published: 2019-03-13 14:24:20
5 6
---

Chris Lamb's avatar
Chris Lamb committed
7
Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday March 3 and Saturday March 9 2019:
8

Chris Lamb's avatar
Chris Lamb committed
9
* On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this week Holger Levsen explained why [Debian Buster will only be 54% reproducible](https://lists.reproducible-builds.org/pipermail/rb-general/2019-March/001492.html) (in short: due to Debian bugs [#894441](https://bugs.debian.org/894441) and [#900837](https://bugs.debian.org/900837)). There was some follow-up discussion on [Reddit](https://www.reddit.com/r/linux/comments/axxkov/debian_buster_will_only_be_54_reproducible_while/) and [Hacker News](https://news.ycombinator.com/item?id=19310638).
10

Chris Lamb's avatar
Chris Lamb committed
11
* Russ Cox and Filippo Vasorda submitted a [formal change proposal](https://go.googlesource.com/proposal/) to the [Go programming language](https://golang.org/) entitled [*Secure the Public Go Module Ecosystem with the Go Notary*](https://go.googlesource.com/proposal/+/master/design/25530-notary.md) which speaks to reproducible builds and their impact on code provenance.
12

Chris Lamb's avatar
Chris Lamb committed
13
* [Wireshark](https://www.wireshark.org/) (the popular network protocol analyser) [revealed in their 3.0.0 release notes](https://www.wireshark.org/docs/relnotes/wireshark-3.0.0.html) that their build system now produces reproducible builds. ([#15163](https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15163)).
14

Chris Lamb's avatar
Chris Lamb committed
15
* 5 Debian package reviews were added, 6 were updated and 13 were removed in this week adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Two issue types were identified by Chris Lamb: [`timestamps_in_pdf_generated_by_daps`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/f4953e97) and [`randomness_in_postgres_opcodes`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/dd1186d4).
16

Chris Lamb's avatar
Chris Lamb committed
17
* Holger Levsen updated the top-level navigation on the [reproducible-builds.org project website](https://reproducible-builds.org) to link [tests.reproducible-builds.org](https://tests.reproducible-builds.org) more prominently. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/58291d3)]
Bernhard M. Wiedemann's avatar
Bernhard M. Wiedemann committed
18

Chris Lamb's avatar
Chris Lamb committed
19 20 21 22 23 24 25 26 27 28 29 30
## diffoscope development

[![]({{ "/images/blog/202/diffoscope.svg" | prepend: site.baseurl }})](https://diffoscope.org)

[diffoscope](https://diffoscope.org/) is our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages. This week:

Chris Lamb [uploaded version `113` to Debian unstable](https://tracker.debian.org/news/1033884/accepted-diffoscope-113-source-all-into-unstable/) fixing a long list of issues. It [included contributions already covered in previous weeks](https://salsa.debian.org/reproducible-builds/diffoscope/commits/113) as well as new ones by Chris, including:

* Provide explicit help when the libarchive system package is missing or "incomplete". ([#50](https://salsa.debian.org/reproducible-builds/issues/50))
* Explicitly mention when the guestfs module is missing at runtime and we are falling back to a binary diff. ([#45](https://salsa.debian.org/reproducible-builds/diffoscope/issues/45))

Vagrant Cascadian made the corresponding update to [GNU Guix](https://www.gnu.org/software/guix/). [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=11599cff1e0335797deab8f48d1fe8741d7eeb11)]
31

Bernhard M. Wiedemann's avatar
Bernhard M. Wiedemann committed
32 33 34
## Packages reviewed and fixed, and bugs filed

* Bernhard M. Wiedemann:
Chris Lamb's avatar
Chris Lamb committed
35 36
    * [python-django-filter](https://github.com/carltongibson/django-filter/issues/1050) (report `FTBFS-2019-03-10`)
    * [python-apache-libcloud](https://github.com/apache/libcloud) ([fix `FTBFS-2031`](https://github.com/apache/libcloud/pull/1279) & [report `FTBFS-2038`](https://issues.apache.org/jira/browse/LIBCLOUD-1038))
Bernhard M. Wiedemann's avatar
Bernhard M. Wiedemann committed
37 38
    * [utox](https://github.com/uTox/uTox/pull/1334) (merged, date)
    * [vimb](https://github.com/fanglingsu/vimb/pull/542) (merged, date)
Chris Lamb's avatar
Chris Lamb committed
39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70
    * [pcp](https://build.opensuse.org/request/show/682435) (fix date and [PGO](https://en.wikipedia.org/wiki/Profile-guided_optimization)-like effects from `gcc --coverage`)

* Chris Lamb
    * [#924003](https://bugs.debian.org/924003) filed against [splint](https://tracker.debian.org/pkg/splint).

## Test framework development

We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org). This week, Holger Levsen made the following improvements:

* Analyse node maintenance job runs to determine whether to mark nodes offline. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0276c1f9)]
* Detect hanging health check runs, not just failed ones. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b9941d09)]
* Allow members of the `jenkins` UNIX group to [`sudo(8)`](https://en.wikipedia.org/wiki/Sudo) to the `jenkins` user [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/71d44a9f)] and simplify adding users to said group [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b7131499)].
* Improve the "SHA1 checker" script to deal with packages with more than one version [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/05db9170)] and to re-download [buildinfo.debian.net](https://buildinfo.debian.net/)'s files if they are older than two weeks. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5740acdc)]
* Node maintenance. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/db541e4e)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/28cb883b)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/37544eb9)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/23ae81fb)]
* In the version checker, correctly deal with a rare situation when several, say, [diffoscope](https://diffoscope.org) versions are available in one Debian suite at the same time. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f9a5c2c8)]

In addition, Alexander "*lynxis*" Couzens, made a number of changes to our [OpenWrt](https://en.wikipedia.org/wiki/OpenWrt) support, including:

* Add OpenWrt support to our database. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b556fbf7)]
* Adding a `reproducible_openwrt_package_parser.py` script. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/02dd59fd)]
* Strip unreproducible certificates from images. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/74fc1f1d)]

## Outreachy

Don't forget that Reproducible Builds is part of May/August 2019 round of [Outreachy](https://www.outreachy.org/). Outreachy provides internships to work free software. Internships are open to applicants around the world, working remotely and are not required to move. Interns are paid a stipend of $5,500 for the three month internship and have an additional $500 travel stipend to attend conferences/events.

So far, we received more than ten initial requests from candidates. The closing date for applicants is April 2nd. More information is available [on the application page](https://www.outreachy.org/may-2019-august-2019-outreachy-internships/communities/debian/).


---

This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.