* Holger has renewed and sponsored the reproducible-builds.org domain for the fourth year.
* New sources of indeterminism about using inode numbers, ctime and certain filesystem-dependent sizes have been documented in [theunreproduciblepackage](https://github.com/bmwiedemann/theunreproduciblepackage/tree/master/filesystem)
Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday August 5 and Saturday August 11 2018:
*The briar project wrote about its [effort to make its android app build reproducible](https://blog.grobox.de/2018/building-briar-reproducible-and-why-it-matters/). Apparently, one last issue is around readdir order influencing an .arsc file.
*Don't forget that a number of Reproducible Builds team were presenting at [DebConf18](https://debconf18.debconf.org/) the annual Debian Developers conference: Benjamin Hof gave a talk titled [Software transparency: package security beyond signatures and reproducible builds](https://debconf18.debconf.org/talks/104-software-transparency-package-security-beyond-signatures-and-reproducible-builds/)" and there was also a status update from the team entitled "[Reproducible Buster and beyond](https://debconf18.debconf.org/talks/80-reproducible-buster-and-beyond/)". These, and many more talks, are available [Resources](https://reproducible-builds.org/resources/) section of our website.
* The prototype fund [noted in a tweet how two of its supported projects overlap](https://twitter.com/prototypefund/status/1027088342071029761)
* The [Prototype Fund](https://prototypefund.de/)noted in a Tweet how [two of its newly-supported projects complement each other](https://twitter.com/prototypefund/status/1027088342071029761), one of them being the Reproducible Builds and the other being the [Briar Project](https://briarproject.org/), a secure messaging platform intended to "create safe spaces to debate any topic, plan events, and organise social movements."
Upstream work
-------------
* Levente Polyak's proposal to [make rubygems set `SOURCE_DATE_EPOCH` by default to make all gems reproducible](https://github.com/rubygems/rubygems/issues/2290) was re-opened after it was previously closed as "wontfix".
*[Mes](https://gitlab.com/janneke/mes), a Scheme-based compiler for our "sister" [bootstrappable builds](http://bootstrappable.org) effort, [announced their 0.17 release](https://lists.reproducible-builds.org/pipermail/rb-general/2018-August/001106.html).
* The [Briar Project](https://briarproject.org/) wrote about their [effort to make their Android app build reproducibly](https://blog.grobox.de/2018/building-briar-reproducible-and-why-it-matters/); their one remaining issue regards `readdir` order influencing an `.arsc` file.
* Ryan Scott [fixed the `--extra-build` flag](https://salsa.debian.org/reproducible-builds/reprotest/commit/65960de) in `reprotest`, our "end-user" tool to build arbitrary software and check it for reproducibility.
* Vagrant Cascadian [opened a wishlist request](https://github.com/lamby/buildinfo.debian.net/issues/49) against [buildinfo.debian.net](https://buildinfo.debian.net/)(our experiment into how to process, store and distribute `.buildinfo` files after the Debian package management tools have generated them) to try and find a solution to checking matches against the actual Debian archive.
* There were a number of changes to our [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org/), including Chris Lamb submitting a merge request to [ensure that we print "0" (and not an empty) string when a division denominator is zero](https://salsa.debian.org/qa/jenkins.debian.net/merge_requests/9) and Mattia Rizzolo [modifying Jekyll to run in incremental mode](https://salsa.debian.org/qa/jenkins.debian.net/commit/5b2360df) to improve the caching of [our website](https://reproducible-builds.org/).
* On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general), Arnout Engelen started two discussions around [comparing the Debian and Archlinux approaches to `.buildinfo` files](https://lists.reproducible-builds.org/pipermail/rb-general/2018-August/001105.html) which came from a [previous discussion about filename conventions](https://lists.reproducible-builds.org/pipermail/rb-general/2018-August/001103.html).
* New sources of non-determinism regarding [inode numbers](https://en.wikipedia.org/wiki/Inode), `ctime` and certain filesystem-dependent sizes have been added to Bernhard Wiedemann's [theunreproduciblepackage](https://github.com/bmwiedemann/theunreproduciblepackage).
* 14 package reviews were added, 10 were updated and 16 were removed in this week, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
* Holger renewed the [reproducible-builds.org](https://reproducible-builds.org) domain name for the fourth year and Chris Lamb added the recent [DebConf18](https://debconf18.debconf.org/) presentations with metadata to our website's [Resources](https://reproducible-builds.org/resources/) page [(commit)](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/608b904).
Packages reviewed and fixed, and bugs filed
-------------------------------------------
* Toolchain patches:
* GNU makemerged [a patch to have sorted globs again](https://savannah.gnu.org/bugs/?52076) which helps to make many packages more reproducible
* util-linux [now makes it easier to disable ASLR](https://github.com/karelzak/util-linux/issues/668) with `setarch -R $PROGRAM`
* The [GNU make](https://www.gnu.org/software/make/) project [merged a patch to have sorted globs again](https://savannah.gnu.org/bugs/?52076), helping to make many packages more reproducible.
* util-linux [made it easier to disable ASLR](https://github.com/karelzak/util-linux/issues/668) with `setarch -R $PROGRAM`.
* [syncthing](https://build.opensuse.org/request/show/628525) ([date](https://github.com/syncthing/syncthing/commit/c51365c634c9687009778caf097ba059b88f8805) via version update to 0.14.49)
* [syncthing](https://build.opensuse.org/request/show/628525) ([date](https://github.com/syncthing/syncthing/commit/c51365c634c9687009778caf097ba059b88f8805) via a version update to `0.14.49`)
* [systemtap](https://build.opensuse.org/request/show/627384) ([drop date](https://sourceware.org/ml/systemtap/2017-q4/msg00166.html) via version update)
* cleaned up [reproducibleopensuse scripts](https://github.com/bmwiedemann/reproducibleopensuse/pull/1)
* fixed a bashism in [theunreproduciblepackage](https://github.com/bmwiedemann/theunreproduciblepackage/pull/5)
* fixed a Bashism in [theunreproduciblepackage](https://github.com/bmwiedemann/theunreproduciblepackage/pull/5)
diffoscope development
----------------------
There were a handful of updates to [diffoscope](https://diffoscope.org), our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages:
* Chris Lamb:
*[Don't include the filename in the `llvm-bcanalyzer` output](https://salsa.debian.org/reproducible-builds/diffoscope/commit/1599b01). ([#905598](https://bugs.debian.org/905598))
* Mattia Rizzolo:
*[Explicitly add `file` to the dependencies of the autopkgtests to have the tests triggered whenever the `file` package changes](https://salsa.debian.org/reproducible-builds/diffoscope/commit/fc0ae56).
* Ricardo Gaviria:
*[Handle error when encrypted archive file is exctracted.](https://salsa.debian.org/reproducible-builds/diffoscope/commit/a6beb04). ([#904685](https://bugs.debian.org/904685))
jenkins.debian.net development
------------------------------
*[reopened reproducible builds proposal: make gem define SOURCE_DATE_EPOCH itself (#2290)](https://github.com/rubygems/rubygems/issues/2290)
This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.
Chris Lamb authored