Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday March 3 and Saturday March 9 2019:
*[FIXME](https://www.wireshark.org/docs/relnotes/wireshark-3.0.0.html) - The build system now produces reproduciblebuilds ([Bug 15163](https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15163)).
*On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this week Holger Levsen explained why [Debian Buster will only be 54% reproducible](https://lists.reproducible-builds.org/pipermail/rb-general/2019-March/001492.html)(in short: due to Debian bugs [#894441](https://bugs.debian.org/894441) and [#900837](https://bugs.debian.org/900837)). There was some follow-up discussion on [Reddit](https://www.reddit.com/r/linux/comments/axxkov/debian_buster_will_only_be_54_reproducible_while/) and [Hacker News](https://news.ycombinator.com/item?id=19310638).
*FIXME [Proposal: Secure the Public Go Module Ecosystem with the Go Notary](https://go.googlesource.com/proposal/+/master/design/25530-notary.md)
*Russ Cox and Filippo Vasorda submitted a [formal change proposal](https://go.googlesource.com/proposal/) to the [Go programming language](https://golang.org/) entitled [*Secure the Public Go Module Ecosystem with the Go Notary*](https://go.googlesource.com/proposal/+/master/design/25530-notary.md)which speaks to reproducible builds and their impact on code provenance.
* Holger explained why [Debian Buster will only be 54% reproducible (while we could be at >90%)](https://lists.reproducible-builds.org/pipermail/rb-general/2019-March/001492.html), in short: due to #894441 and #900837, which in turn is blocked by #894441.
* that email was #2 on hackernews on march 5th: https://news.ycombinator.com/item?id=19310638 and also [discussed on reddit](https://www.reddit.com/r/linux/comments/axxkov/debian_buster_will_only_be_54_reproducible_while/)
*[Wireshark](https://www.wireshark.org/)(the popular network protocol analyser) [revealed in their 3.0.0 release notes](https://www.wireshark.org/docs/relnotes/wireshark-3.0.0.html) that their build system now produces reproducible builds. ([#15163](https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15163)).
*5 Debian package reviews were added, 6 were updated and 13 were removed in this week, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Two issue types were noticed by Chris Lamb: [`timestamps_in_pdf_generated_by_daps`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/f4953e97) and [`randomness_in_postgres_opcodes`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/dd1186d4).
*Vagrant Cascadian updated diffoscope to 113 in [GNU Guix](https://www.gnu.org/software/guix/). [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=11599cff1e0335797deab8f48d1fe8741d7eeb11)]
*Holger Levsen updated the top-level navigation on the [reproducible-builds.org project website](https://reproducible-builds.org) to link [tests.reproducible-builds.org](https://tests.reproducible-builds.org) more prominently. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/58291d3)]
* "FIXME: lynxis did: INFO: INSERT INTO distributions (name) VALUES ('openwrt')" -- *I don't feel I understand this entry enough to expand on it; sorry. Can someone elaborate here? --lamby*
[diffoscope](https://diffoscope.org/) is our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages. This week:
Chris Lamb [uploaded version `113` to Debian unstable](https://tracker.debian.org/news/1033884/accepted-diffoscope-113-source-all-into-unstable/) fixing a long list of issues. It [included contributions already covered in previous weeks](https://salsa.debian.org/reproducible-builds/diffoscope/commits/113) as well as new ones by Chris, including:
* Provide explicit help when the libarchive system package is missing or "incomplete". ([#50](https://salsa.debian.org/reproducible-builds/issues/50))
* Explicitly mention when the guestfs module is missing at runtime and we are falling back to a binary diff. ([#45](https://salsa.debian.org/reproducible-builds/diffoscope/issues/45))
Vagrant Cascadian made the corresponding update to [GNU Guix](https://www.gnu.org/software/guix/). [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=11599cff1e0335797deab8f48d1fe8741d7eeb11)]
*[pcp](https://build.opensuse.org/request/show/682435)(fix date and PGO-like effects from gcc --coverage)
*[pcp](https://build.opensuse.org/request/show/682435)(fix date and [PGO](https://en.wikipedia.org/wiki/Profile-guided_optimization)-like effects from `gcc --coverage`)
* Chris Lamb
*[#924003](https://bugs.debian.org/924003) filed against [splint](https://tracker.debian.org/pkg/splint).
## Test framework development
We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org). This week, Holger Levsen made the following improvements:
* Analyse node maintenance job runs to determine whether to mark nodes offline. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0276c1f9)]
* Detect hanging health check runs, not just failed ones. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b9941d09)]
* Allow members of the `jenkins` UNIX group to [`sudo(8)`](https://en.wikipedia.org/wiki/Sudo) to the `jenkins` user [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/71d44a9f)] and simplify adding users to said group [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b7131499)].
* Improve the "SHA1 checker" script to deal with packages with more than one version [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/05db9170)] and to re-download [buildinfo.debian.net](https://buildinfo.debian.net/)'s files if they are older than two weeks. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5740acdc)]
* In the version checker, correctly deal with a rare situation when several, say, [diffoscope](https://diffoscope.org) versions are available in one Debian suite at the same time. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f9a5c2c8)]
In addition, Alexander "*lynxis*" Couzens, made a number of changes to our [OpenWrt](https://en.wikipedia.org/wiki/OpenWrt) support, including:
* Add OpenWrt support to our database. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b556fbf7)]
* Adding a `reproducible_openwrt_package_parser.py` script. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/02dd59fd)]
* Strip unreproducible certificates from images. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/74fc1f1d)]
## Outreachy
Don't forget that Reproducible Builds is part of May/August 2019 round of [Outreachy](https://www.outreachy.org/). Outreachy provides internships to work free software. Internships are open to applicants around the world, working remotely and are not required to move. Interns are paid a stipend of $5,500 for the three month internship and have an additional $500 travel stipend to attend conferences/events.
So far, we received more than ten initial requests from candidates. The closing date for applicants is April 2nd. More information is available [on the application page](https://www.outreachy.org/may-2019-august-2019-outreachy-internships/communities/debian/).
---
This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.
Chris Lamb authored3481efa1