Hervé Boutemy · Bernhard M. Wiedemann · Chris Lamb · Chris Lamb · Chris Lamb · Holger Levsen
--- a/.gitignore
+++ b/.gitignore
 *.sw[p-z]
 *~
 #*
-
+.sass-cache
 /_site
--- a/_blog/posts/194.md
+++ b/_blog/posts/194.md
 ---
 layout: new/blog
 week: 194
+published: 2019-01-16 16:39:41
 ---

 Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday January 6 and Saturday January 12 2019:
@@ -9,7 +10,7 @@ Here's what happened in the [Reproducible Builds](https://reproducible-builds.or

 * This week has seen lots of progress on [an initial implementation of `-fmacro-prefix-map` and `-ffile-prefix-map`](https://reviews.llvm.org/D49466) in the [LLVM](https://llvm.org/) compiler toolkit. This may make it into [Clang](https://clang.llvm.org/)'s 8.0 branch, to be created next week.

-* Chris Lamb opened Debian bug [#918480](https://bugs.debian.org/918480), requesting that the [`squashfs-tools`](https://tracker.debian.org/pkg/squashfs-tools) package (which creates and maniupulates read-only compressed file systems) moves to the [`squashfskit`](https://github.com/squashfskit/squashfskit) fork maintained by Alexander "*lynxis*" Couzens. However, it transpired that most of the changes required for the generation of reproducible `squashfs` filesystem images have been merged upstream modulo two patches that Chris rebased & backported and [were subsequently uploaded](https://tracker.debian.org/news/1018142/accepted-squashfs-tools-143-8-source-into-unstable/) in `squashfs-tools 1:4.3-8` by the Debian maintainer, Laszlo Boszormenyi.
+* Chris Lamb opened Debian bug [#918480](https://bugs.debian.org/918480), requesting that the [`squashfs-tools`](https://tracker.debian.org/pkg/squashfs-tools) package (which creates and manipulates read-only compressed file systems) moves to the [`squashfskit`](https://github.com/squashfskit/squashfskit) fork maintained by Alexander "*lynxis*" Couzens. However, it transpired that most of the changes required for the generation of reproducible `squashfs` filesystem images have been merged upstream modulo two patches that Chris rebased & backported and [were subsequently uploaded](https://tracker.debian.org/news/1018142/accepted-squashfs-tools-143-8-source-into-unstable/) in `squashfs-tools 1:4.3-8` by the Debian maintainer, Laszlo Boszormenyi.

 * Arnout Engelen's thread on our [mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) regarding [how to share rebuilder "attestations"](https://lists.reproducible-builds.org/pipermail/rb-general/2019-January/001378.html) in the Java ecosystem is ongoing.

@@ -59,7 +60,7 @@ There were a number of updates to our [Jenkins](https://jenkins.io/)-based testi

 * Holger Levsen:
    * [Arch Linux](https://www.archlinux.org/)-specific changes:
-        * Use Debian's `sed`, `untar` and others with `sudo` as they is not available in the `bootstrap.tar.gz` file ([[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8db9c2da)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7d26da99)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/05eae000)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d925daa0)], etc.).
+        * Use Debian's `sed`, `untar` and others with `sudo` as they are not available in the `bootstrap.tar.gz` file ([[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8db9c2da)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7d26da99)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/05eae000)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d925daa0)], etc.).
        * Fix incorrect `sudoers(5)` regex. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/fe7da4e6)]
        * Only move old `schroot` away if it exists. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b0af8956)]
        * Add and drop debug code, cleanup cruft, exit on `cleanup()`, etc. ([[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d0fd4d07)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b24eb8f5)])
@@ -73,8 +74,8 @@ There were a number of updates to our [Jenkins](https://jenkins.io/)-based testi
    * Fix the `NODE_NAME` value in case it's not a full-qualified domain name. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e03630ea)]
    * Node maintenance. ([[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6db573c1)], etc.)
 * Vagrant Cascadian:
-	* [Reinstall failed disk in armhf node](https://bugs.debian.org/918651)
-	* Node maintenance (disk issues, kernel issues/upgrades/downgrades, firmware upgrades, etc.)
+    * [Reinstall failed disk in armhf node](https://bugs.debian.org/918651)
+    * Node maintenance (disk issues, kernel issues/upgrades/downgrades, firmware upgrades, etc.)

 ---


--- a/_blog/posts/195.md
+++ b/_blog/posts/195.md
@@ -3,10 +3,103 @@ layout: new/blog
 week: 195
 ---

-* [FIXME](https://bugs.debian.org/919207)
+Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday January 13th and Saturday January 19th 2019:

-* [FIXME](https://lists.reproducible-builds.org/pipermail/rb-general/2019-January/001402.html)
+* In the [Rust](https://www.rust-lang.org/) programming language community there was an interesting discussion on the [/r/rust](https://www.reddit.com/r/rust) subreddit around [the ripgrep utility becoming reproducible in Debian](https://www.reddit.com/r/rust/comments/afscgo/ripgrep_0100_is_reproducible_in_debian/). In addition, [Tony Arcieri](https://tonyarcieri.com/) opened a issue in the Rust's [Secure Code Working Group](https://twitter.com/rustsecurecode) enquiring about [reproducible builds tooling](https://github.com/rust-secure-code/wg/issues/28).

-* [FIXME](https://www.reddit.com/r/rust/comments/afscgo/ripgrep_0100_is_reproducible_in_debian/)
+* Last week, Chris Lamb opened Debian bug [#919207](https://bugs.debian.org/919207) requesting that the [`squashfs-tools`](https://tracker.debian.org/pkg/squashfs-tools) package (which creates and manipulates read-only compressed file systems) applies a patch to remove non-deterministic data introduced by a "fragmentation deflator" thread. This was the final patch required for reproducible images for (at least) [Tails](https://tails.boum.org).

-* [Time-based FTBFS in Debian](https://lists.debian.org/debian-lts/2019/01/msg00033.html)
+    Whilst Laszlo Boszormenyi applied the patch, he [subsequently reverted the change](https://bugs.debian.org/919207#15) as it was breaking [LZO](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Oberhumer) compression. However, Chris subsequently [updated and fixed the issue](https://bugs.debian.org/919207#24) which was then uploaded in version [`1:4.3-11`](https://tracker.debian.org/news/1022501/accepted-squashfs-tools-143-11-source-into-unstable/).
+
+* As part of the [Debian Long Term Support (LTS)](https://wiki.debian.org/LTS) effort it was [noticed that an old package was failing to build beyond ~2015](https://lists.debian.org/debian-lts/2019/01/msg00033.html).
+
+* Holger Levsen released and uploaded `disorderfs` (our [FUSE](https://github.com/libfuse/libfuse)-based filesystem that deliberately introduces non-determinism into filesystems) version `0.5.6-1` to Debian unstable [[...](https://tracker.debian.org/news/1021833/accepted-disorderfs-056-1-source-into-unstable/)] and Chris Lamb released/uploaded `strip-nondeterminism` (our tool that post-processes files to remove known non-deterministic output) version `1.1.0-1` to Debian unstable [[...](https://tracker.debian.org/news/1020523/accepted-strip-nondeterminism-110-1-source-all-into-unstable/)] too.
+
+* Chris Lamb added 8 Debian package reviews but 12 were also updated and 14 were removed in this week, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
+
+* There were a number of interesting discussions on [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this week including:
+    * Hervé Boutemy posted [a brief introduction to "reproducible-central"](https://lists.reproducible-builds.org/pipermail/rb-general/2019-January/001408.html) after a number of discussions and documentation regarding [Java Virtual Machine rebuilder attestations](https://reproducible-builds.org/docs/jvm/) and the [Apache Maven](https://maven.apache.org/) build tool.
+    * Elio Qoshi from [Ura Design](https://ura.design/) asking [whether we would be interested](https://lists.reproducible-builds.org/pipermail/rb-general/2019-January/001412.html) in updating [our style guide]({{ "/style-epoch/" | prepend: site.baseurl }}).
+    * Lastly, Eli Schwartz posted an update regarding [reproducible package archives](https://lists.reproducible-builds.org/pipermail/rb-general/2019-January/001402.html) in [Arch Linux](https://www.archlinux.org/).
+
+## Packages reviewed and fixed, and bugs filed
+
+* Bernhard M. Wiedemann:
+    * [python-cmarkgfm](https://github.com/theacodes/cmarkgfm/pull/17) (merged, sort python glob)
+* Chris Lamb:
+    * [#919566](https://bugs.debian.org/919566) filed against [satpy](https://tracker.debian.org/pkg/satpy) ([forwarded upstream](https://github.com/pytroll/satpy/pull/579)).
+
+## [diffoscope](https://diffoscope.org/) development
+
+[diffoscope](https://diffoscope.org/) is our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages. There was a few updates this week including contributions from:
+
+* Chris Lamb:
+    * Fix inverted logic and invalid reference to `file` in the [FreePascal](https://www.freepascal.org/) comparator. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/248e9ba)]
+    * Use [`str.format`](https://docs.python.org/3.4/library/stdtypes.html#str.format) over `+` for string concatenation. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/7bf992b)]
+    * Re-enable [Gnumeric](http://www.gnumeric.org/) `Build-Depends`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/b696748)] [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/12882be)]
+
+* Jelle van der Waa:
+    * Remove an unused `re` import in the [WebAssembly](https://webassembly.org/) comparator. ([MR: !18](https://salsa.debian.org/reproducible-builds/diffoscope/merge_requests/18))
+
+Version `108` was then [uploaded to Debian unstable](https://tracker.debian.org/news/1020530/accepted-diffoscope-108-source-all-into-unstable/) by Chris Lamb and was subsequently [backported to the `stretch-backports` distribution](https://tracker.debian.org/news/1021754/accepted-diffoscope-108bpo91-source-all-into-stretch-backports/) by Mattia Rizzolo.
+
+## Website development
+
+There were a number of updates to the [reproducible-builds.org](https://reproducible-builds.org) project website this week, including:
+
+* Hervé Boutemy:
+    * Large number of changes to the [Java Virtual Machine]({{ "/docs/jvm/" | prepend: site.baseurl }}) page including adding the `build-root` property for multi-module builds [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/bfd1421)], adding instructions on [Apache Maven](https://maven.apache.org/) rebuild arguments [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/190ca8b)], amongst many others [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/4a7e0fe)] [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/928c71f)] [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/12a8023)].
+* Holger Levsen:
+    * Drop [LEDE](https://en.wikipedia.org/wiki/LEDE) as the project has re-merged with [OpenWrt](https://openwrt.org/). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/4257259)]
+* Peter Wu:
+    * Mention `QT_RCC_SOURCE_DATE_OVERRIDE` and add some more CMake, RPATH and Qt notes on the [deterministic build systems]({{ "/docs/deterministic-build-systems/" | prepend: site.baseurl }}) page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/36bca83)] [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/83d4700)] [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/77d689d)].
+    * Document the use of `-fmacro-prefix-map` and `-ffile-prefix-map` on the [build path]({{ "/docs/build-path/" | prepend: site.baseurl }}) page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/edca632)]
+    * Fix some links and typos on the [contribute]({{ "/contribute/" | prepend: site.baseurl }}) page, some dead links to [Salsa](https://salsa.debian.org) and correct some link formatting issues. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/61fd247)] [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/56d3c75)] [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/821d532)]
+
+## Test framework development
+
+We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org). This week:
+
+* [Arch Linux](https://www.archlinux.org/) is the first project being built on nodes dedicated from [OSUOSL](https://osuosl.org/).
+
+   Interestingly, these new nodes are running `4.19` Linux kernels from the `stretch-backports` distribution as [Qt](https://www.qt.io/) in Arch needs a newer kernel than the kernel in Debian stretch to build. As a result of this we are now seeing 1,736 builds of Arch packages in the last 24h, meaning our subset of packages are being fully rebuilt every 5 or 6 days.
+
+* [F-Droid](https://f-droid.org/) becomes the second project to be tested on these new nodes after Holger Levsen increased the size of various partitions to accommodate the builds, as well as to provide a [Squid](http://www.squid-cache.org/) proxy for all our OSUOSL nodes.
+
+The following more-specific changes were made:
+
+* Eli Schwartz:
+    * Import Arch Linux [GnuPG](https://www.gnupg.org/) keys before running [`makepkg`](https://wiki.archlinux.org/index.php/makepkg). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1b36569b)]
+    * Perform a giant cleanup of trailing whitespaces. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1fa9f22b)]
+
+* Holger Levsen:
+    * [Arch Linux](https://www.archlinux.org/)-specific changes:
+        * Adjust the rescheduling of packages which have been tested *X* days ago. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/14ddcf02)] [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/18a33594)] [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/90da004f)]
+        * Adopt maintenance job to work with the new OSUOSL nodes. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c8702012)]
+        * Support [OpenSSH](https://www.openssh.com/) running on ports other than `22`. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/71879c41)]
+        * Fix the path to the Arch Linux `mirrorlist`. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a6675634)]
+    * [Debian](https://www.debian.org/)-specific changes:
+        * Fix warning message to include the name of broken package sets [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f281ec75)] and also show the total number of packages in a package set [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/47654780)].
+        * Don't update [`pbuilder`](https://wiki.debian.org/PbuilderTricks) and Debian [`schroots`](https://wiki.debian.org/Schroot) on OSUOSL nodes. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/38ed2e99)]
+        * Clarify "stalled" status of the [LeMaker HiKey960](http://www.lemaker.org/product-hikeysecond-specification.html) boards. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/82b6130d)]
+        * Document how to access [Codethink](https://www.codethink.co.uk/)'s `arm64` nodes. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/71b4ea09)]
+    * [F-Droid](https://f-droid.org/)-specific changes:
+        * Remove duplicate job definitions. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c2718ea4)]
+    * Misc/generic changes:
+        * Update the "job health page", adding a helpful footer. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0b414680)] [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d56945e4)]
+        * Use `time.osuosl.org` as the [NTP](https://en.wikipedia.org/wiki/Network_Time_Protocol) server for OSUOSL nodes, de.pool.ntp.org for the rest. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/060817f9)]
+        * Warn if we detect the wrong [Maximum Transmission Unit (MTU))[https://en.wikipedia.org/wiki/Maximum_transmission_unit). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2def2676)]
+        * Drop another mention of [LEDE](https://en.wikipedia.org/wiki/LEDE). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5f457969)]
+    * Node maintenance. ([[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a5b35523)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e86711cc)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/34a9e2bb)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0133292e)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/dce5c729)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6f3a20a9)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/20e2b9f6)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/99b5ae65)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/193fb3a3)], etc.)
+
+* Mattia Rizzolo:
+    * Fix a variable name in the "deploy Jenkins" script. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/20e39567)]
+    * Fix a non-fatal syntax error in the "health check" script. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4bf29894)]
+    * Node maintenance. ([[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b1ab00ca)], etc.)
+
+* Vagrant Cascadian:
+    * Node maintenance. ([[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/49de7ae8)], [[...](https://bugs.debian.org/919851)], etc.)
+
+---
+
+This week's edition was written by [Bernhard M. Wiedemann](https://lizards.opensuse.org/author/bmwiedemann/), [Chris Lamb](https://chris-lamb.co.uk/), [Holger Levsen](http://layer-acht.org/thinking/) & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.
--- a/_blog/posts/196.md
+++ b/_blog/posts/196.md
+
+* FIXME: tracker.debian.org/nix is finally available in Debian
+
+* [FIXME](https://github.com/pytroll/satpy/pull/579#issuecomment-455991066)
+
+* [FIXME](https://linux.conf.au/schedule/presentation/185/)
+
+* [etc.](https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20190114/011054.html)
--- a/_data/projects.yml
+++ b/_data/projects.yml
@@ -86,12 +86,6 @@
    url: https://www.gnu.org/software/guix/news/reproducible-builds-a-means-to-an-end.html
  - name: Package submission guidelines
    url: https://gnu.org/software/guix/manual/html_node/Submitting-Patches.html
- name: LEDE
-  url: https://lede-project.org/
-  logo: lede.png
-  resources:
-  - name: Continuous tests
-    url: https://tests.reproducible-builds.org/lede/
 - name: Monero
  url: https://getmonero.org/
  logo: monero.png

--- a/_docs/build_path.md
+++ b/_docs/build_path.md
@@ -22,10 +22,20 @@ post-processing tool to
 change them to a pre-determined value[^debugedit]. A work-around is to
 [define the build path as part of the build environment]({{ "/docs/perimeter/" | prepend: site.baseurl }}),
 however `reprotest` changes it so this makes it harder to assess reproducibility.
-Another work-around is GCC's `-fdebug-prefix-map`, though it does not
-fix other sources of irreproducibility such as `__FILE__`, and in some
-packages the option itself is saved into other parts of the build
-output by another tool.
+Certain compiler flags can work around the issue:
+
+ * [`-fdebug-prefix-map=OLD=NEW`](https://gcc.gnu.org/onlinedocs/gcc/Debugging-Options.html#index-fdebug-prefix-map)
+   can strip directory prefixes from debug info.
+   (available in all GCC versions, Clang 3.8)
+ * [`-fmacro-prefix-map=OLD=NEW`](https://gcc.gnu.org/onlinedocs/gcc/Preprocessor-Options.html#index-fmacro-prefix-map)
+   is similar to `-fdebug-prefix-map`, but addresses irreproducibility due to
+   the use of `__FILE__` macros and alike.
+   (available since GCC 8, Clang support is [pending](https://bugs.llvm.org/show_bug.cgi?id=38135))
+ * `-ffile-prefix-map=OLD=NEW` is an alias for both `-fdebug-prefix-map` and
+   `-fmacro-prefix-map`.
+   (available since GCC 8, Clang support is [pending](https://bugs.llvm.org/show_bug.cgi?id=38135))
+
+Note that some packages save the compile options in the build output.

 [^debugedit]: [debugedit](https://fedoraproject.org/wiki/Releases/FeatureBuildId) can replace the path used at build time by a predefined one but it does that by rewriting bytes in place. As this does not reorder the hash table of strings, the resulting bytes are still depending on the original build path.


--- a/_docs/deterministic_build_systems.md
+++ b/_docs/deterministic_build_systems.md
@@ -46,6 +46,58 @@ What follows are some advices on common issues that can affect source
 code or build systems that make multiple builds from the exact same
 source different.

+CMake notes
+-----------
+The default configuration of CMake makes the build directory part of the
+build environment. Here are some known issues and recommendations:
+
+ * CMake sets a `RPATH` for binaries that link to a library in the the
+   same project. Even when this is stripped at installation time, the
+   build-id section will be different. Possible workarounds:
+   * Set `CMAKE_BUILD_WITH_INSTALL_RPATH=ON` or `CMAKE_SKIP_RPATH=ON` to
+     ensure a deterministic RPATH. Disadvantage: programs from the build
+     directory cannot be run without setting `LD_LIBRARY_PATH`.
+   * Set
+     [`CMAKE_BUILD_RPATH_USE_ORIGIN=ON`](https://cmake.org/cmake/help/git-master/prop_tgt/BUILD_RPATH_USE_ORIGIN.html)
+     to enable the use of relative directories in RPATH (requires CMake
+     3.14). This is an appropriate option for both upstream projects
+     and downstream distributions.
+ * Qt projects can use [rcc](https://doc.qt.io/qt-5/rcc.html) to embed
+   resources such as translations and images. Since Qt 5.8, rcc includes
+   the file modification time of source files in the build output.
+   This is especially problematic for translation files that are
+   generated at build time. Possible workarounds:
+   * (Since Qt 5.9) If a project does not rely on an accurate
+     [QFileInfo::lastModified](https://doc.qt.io/qt-5/qfileinfo.html#lastModified),
+     pass `--format-version 1` to `rcc`. If
+     [`AUTORCC`](https://cmake.org/cmake/help/latest/prop_tgt/AUTORCC.html)
+     is enabled, this can be done by setting
+     [`CMAKE_AUTORCC_OPTIONS`](https://cmake.org/cmake/help/latest/variable/CMAKE_AUTORCC_OPTIONS.html)
+     to `--format-version;1`. Upstream projects are encouraged to do
+     this after checking that Qt 5.9 or newer is in use.
+   * (Since Qt 5.11) Set the `QT_RCC_SOURCE_DATE_OVERRIDE` environment
+     variable which behaves similar to
+     [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/specs/source-date-epoch/).
+   * Ensure that generated source files are touched with a fixed
+     timestamp before rcc is called. See also <https://bugs.debian.org/894476>.
+ * Qt projects that use `Q_OBJECT` macros require
+   [moc](https://doc.qt.io/qt-5/moc.html) to generate additional C++
+   files. CMake will automatically do this when
+   [`AUTOMOC`](https://cmake.org/cmake/help/latest/prop_tgt/AUTOMOC.html)
+   is enabled, but then the relative path from the build directory to
+   the source directory will become part of the build environment.
+   For example, if the build directory is `/tmp/build` and the source
+   file is at `/tmp/foo/widget.h`, then the generated file will include
+   `../[...]/../foo/widget.h`. Possible workarounds:
+   * Use the `-p` option to override the include prefix. This requires
+     the prefix plus the header filename to be available from the
+     include path.
+     See also <https://gitlab.kitware.com/cmake/cmake/issues/18815>.
+   * Ensure that the build directory and source directory remains fixed
+     across builds. For example, if users always create a `build`
+     directory in the source tree, then reproducibility won't be
+     affected.
+
 Disclaimer
 ----------


--- a/_docs/jvm.md
+++ b/_docs/jvm.md
@@ -44,17 +44,23 @@ source.url=<url where to download official source tarball>
 source.scm.uri=<source control management url as in pom.xml>
 source.scm.tag=<source control management tag as in pom.xml>

-# build environment information
+# build instructions
+build-tool=<mvn|sbt|...>
+build.setup=<optional url of documentation explaining specific additional setup when necessary: will be enhanced in a future buildinfo format version>
+
+# effective build environment information
 java.version=<full Java version>
 os.name=<Operating system name>
-build-tool=<mvn|sbt|...>
+source.used=<artifact|url|scm, depending on which has been used for the build>

-# Each build tool or plugin is free to add additional entries to the buildinfo.
+# Each build tool or plugin is free to add additional entries to the buildinfo,
+# both for build instructions and effective build environment.
 # For example, the sbt plugin may add the following for Scala:
 sbt.version=1.2.3
 scala.version=2.12.6

-# and Maven could add:
+# and Maven could add data on rebuild instructions and effective environment:
+mvn.rebuild-args=-Dmaven.test.skip package
 mvn.version=3.5.4

 # A buildinfo file can contain checksums for multiple output files, for
@@ -79,9 +85,19 @@ Reproducible Builds for Maven
 Getting reproducible builds with Maven requires configuration: see [https://reproducible-maven-builds.github.io/](https://reproducible-maven-builds.github.io/)
 for more details.

-To create a source release zip, see [Apache Source Release Assembly Descriptor](https://maven.apache.org/apache-resource-bundles/#Source_Release_Assembly_Descriptor)
+### source release archive
+To create a source release archive, see [Apache Source Release Assembly Descriptor](https://maven.apache.org/apache-resource-bundles/#Source_Release_Assembly_Descriptor)
 that is commonly used. Nothing prevents you to create your own assembly descriptor or even use another plugin: don't hesitate to share recipes.

+### rebuild arguments
+A rebuilder does not need to execute integration tests or even unit tests, may even skip compiling unit tests.
+Classical arguments contain following patterns:
+- `package` phase: no need to `deploy` or even `install`
+- `-Dmaven.test.skip`: avoid running tests and even compiling tests
+- `-DskipTests`: avoid running tests, but still builds (necessary for some projects)
+- `-Dgpg.skip`: avoid pgp signing
+- `-Papache-release` or any release profile: activate release-specific tasks used by `maven-release-plugin`
+
 Reproducible Builds for sbt
 ---------------------------


--- a/contribute/index.md
+++ b/contribute/index.md
@@ -14,7 +14,7 @@ First, please join the [rb-general general mailing-list](https://lists.reproduci

 IRC discussions happen in the `#reproducible-builds` channel on [irc.oftc.net](https://www.oftc.net/).

-* [Join the Reproducible Builds group]({{ "/contribute/salsa/" | prepend: site.baseurl }}")
+* [Join the Reproducible Builds group]({{ "/contribute/salsa/" | prepend: site.baseurl }})
  on [Salsa](https://salsa.debian.org/) to contribute directly on our Git
  repositories.

@@ -38,10 +38,10 @@ IRC discussions happen in the `#reproducible-builds` channel on [irc.oftc.net](h
   packages that use debhelper will be much easier to make reproducible with
   just an upgrade of the toolchain.

-1. [Inventory issues](#Inventorying_issues) found by the continuous integration
+1. [Inventory issues](#inventorying-issues) found by the continuous integration
   platform.

-1. [Fix known reproducibility issues](#Fixing_issues). See the
+1. [Fix known reproducibility issues](#fixing-issues). See the
   [inventory of identified issues](https://reproducible.debian.net/index_issues.html).

 1. Improve our common [tools]({{ "/tools/" | prepend: site.baseurl }}):
@@ -68,7 +68,7 @@ to be friendly, supportive, and have fun experimenting together.

 ## How to report bugs in Debian

-[Overview of all bug reports concerning reproducible builds](http://bugs.debian.org/cgi-bin/pkgreport.cgi?usertag=reproducible-builds@lists.alioth.debian.org)
+[Overview of all bug reports concerning reproducible builds](https://bugs.debian.org/cgi-bin/pkgreport.cgi?usertag=reproducible-builds@lists.alioth.debian.org)

 All bugs relevant to the reproducible builds project should use
 [usertags](https://bugs.debian.org/usertags) with user
@@ -150,7 +150,7 @@ as found by continuous integration. The first packages in the list are the one
 who have been tried most recently.

 Notes about packages are kept in the
-[notes](https://salsa.debian.org/reproducible-builds/notes.git). Git repository
+[notes](https://salsa.debian.org/reproducible-builds/reproducible-notes). Git repository
 in `packages.yml`. The list of [known common issues](https://reproducible.debian.net/index_issues.html)
 is kept in the `issues.yml` file.

@@ -168,11 +168,11 @@ known issues to get an idea of what you may found. Here is some more advice:
  happens during the compilation. Investigation can be done using
  [sources.debian.org](https://sources.debian.org/) (see link at the top).

-* First step should be a search for the [`__DATE__`, `__TIME__` or `__TIMESTAMP__](https://reproducible.debian.net/issues/timestamps_from_cpp_macros_issue.html)
+* First step should be a search for the [`__DATE__`, `__TIME__` or `__TIMESTAMP__`](https://reproducible.debian.net/issues/timestamps_from_cpp_macros_issue.html)
  using [codesearch](https://codesearch.debian.net/).  Otherwise, try to locate
  calls to `date` in `configure.ac`, `Makefile.am`, etc.

-The [clean-notes](https://salsa.debian.org/reproducible-builds/misc.git/tree/clean-notes)
+The [clean-notes](https://salsa.debian.org/reproducible-builds/reproducible-misc/blob/master/clean-notes)
 script in the `misc` repository will detect outdated notes and re-order
 packages by alphabetical order. It should be run before committing changes to
 the `notes` repository.
@@ -209,7 +209,8 @@ The usual steps are:
 1. [Create a new bug report](https://wiki.debian.org/ReproducibleBuilds/Contribute#How_to_report_bugs),
   and don't forget to attach the patch!

-1. Add an entry or reference the bug in `packages.yml` in `notes.git`.
+1. Add an entry or reference the bug in `packages.yml` in
+   [reproducible-notes](https://salsa.debian.org/reproducible-builds/reproducible-notes).

 ### Fixing a toolchain package

@@ -249,13 +250,14 @@ requires some more steps, but the general process is the same:
 1. Document the changes on the
   [wiki](https://wiki.debian.org/ReproducibleBuilds/ExperimentalToolchain#Modified_packages).

-1. Reference the bug in `issues.yml` in `notes.git` and on the wiki page about
-   the issue if there's one.
+1. Reference the bug in `issues.yml` in
+   [reproducible-notes](https://salsa.debian.org/reproducible-builds/reproducible-notes)
+   and on the wiki page about the issue if there is one.

 1. Everybody with a [Debian SSO](https://sso.debian.org) client certificate
   (both DDs and guests) can schedule source packages to be rebuilt by using
   the authenticated endpoint at
-   https://tests.reproducible-builds.org/cgi-bin/schedule. There are handy
+   <https://tests.reproducible-builds.org/cgi-bin/schedule>. There are handy
   icons (`♻`)in every package page that links to that cgi-bin script with the
   correct parameters.  If you don't have a valid client certificate or have
   any other trouble you can find somebody in the #debian-reproducible IRC
@@ -275,10 +277,10 @@ Several jobs have been created to regularly test packages (from `main/sid`) on
 [reproducible build overview of packages](https://reproducible.debian.net).

 The setup is explained [in this blog post](http://layer-acht.org/thinking/blog/20140925-reproducible-builds/)
-onlya and this post is somewhat outdated by now and needs to be amended.
+only, but this post is somewhat outdated by now and needs to be amended.

 See the various `reproducible_*` scripts in the
-[Jenkins Git repository](http://salsa.debian.org/qa/jenkins.debian.net/tree/master/bin/)
+[Jenkins Git repository](https://salsa.debian.org/qa/jenkins.debian.net/tree/master/bin/)

 ## Working on installation media or live systems

@@ -287,7 +289,7 @@ be great.

 In Debian, [#900918](https://bugs.debian.org/900918) is being used to track the
 progress of reproducible installation images. There is an
-`[analyze_image](https://github.com/adrelanos/Whonix/blob/master/help-steps/analyze_image)`
+[analyze_image](https://github.com/adrelanos/Whonix/blob/master/help-steps/analyze_image)
 Bash script that creates sha512 hashes of all files included within an image,
 access rights, symlinks, partition table, bootloader and more. Doing this with
 two images that should match and comparing the reports the script creates can
@@ -298,7 +300,7 @@ script for more generic, Debian use cases
 ## External links

 * [Reproducible installs](https://wiki.debian.org/ReproducibleBuilds/ReproducibleInstalls)
-* [Announcing Whonix's First Implementation of Verifiable Builds](http://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20131209/000009.html)
+* [Announcing Whonix's First Implementation of Verifiable Builds](https://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20131209/000009.html)
 * [Whonix Verifiable Builds](https://www.whonix.org/wiki/Verifiable_Builds)
 * [Tails reproducible builds blueprint](https://tails.boum.org/blueprint/reproducible_builds/)
 * [reproducible debootstrap](https://github.com/lamby/debootstrap/commits/pu/source-date-epoch)

--- a/images/logos/lede.png
+++ b/images/logos/lede.png