@@ -16,7 +16,7 @@ Here's what happened in the [Reproducible Builds](https://reproducible-builds.or
* 17 reviews of Debian packages were added, 2 were updated and 10 were removed in this week, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
* There were a number of updates to to the [reproducible-builds.org project website](https://reproducible-builds.org), including Stefano Zacchiroli adding the Reproducible Builds Steering Committee to the [*Who is involved?*](https://reproducible-builds.org/who/) page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ade9a01)] and `jajajasalu2` dropping invalid links to the `trydiffoscope` and `reprotest` issue trackers [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2a25dde)].
* There were a number of updates to the [reproducible-builds.org project website](https://reproducible-builds.org), including Stefano Zacchiroli adding the Reproducible Builds Steering Committee to the [*Who is involved?*](https://reproducible-builds.org/who/) page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ade9a01)] and `jajajasalu2` dropping invalid links to the `trydiffoscope` and `reprotest` issue trackers [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2a25dde)].
**Don't forget that Reproducible Builds is part of May/August 2019 round of [Outreachy](https://www.outreachy.org/) which offers paid internships to work on free software.** Internships are open to applicants around the world and are paid a stipend for the three month internship with an additional travel stipend to attend conferences. So far, we received more than ten initial requests from candidates and the closing date for applicants is **April 2nd**. More information is available [on the application page](https://www.outreachy.org/may-2019-august-2019-outreachy-internships/communities/debian/).
Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday March 31 and Saturday April 6 2019:
*On Monday the first we announced a double news item: a crowd-funded audit of Intel's 8086 CPU and an intention to propose a patch to the [Berne Convention](https://en.wikipedia.org/wiki/Berne_Convention) on copyright law. See https://www.reproducible-builds.org/news/2019/04/01/reproducible-builds-twain-Intel-8086-audit-and-Berne-Convention-patches/ and https://lists.reproducible-builds.org/pipermail/rb-general/2019-April/001517.html
*Bernhard M. Wiedemann wrote blog post about his [import of openSUSE Tumbleweed into IPFS](https://lizards.opensuse.org/2019/04/03/experimental-opensuse-mirror-via-ipfs/) to aid verification of older binaries.
*[Chris Lamb](https://chris-lamb.co.uk/) filed a wishlist bug against the Debian [`jenkins.debian.org`](http://bugs.debian.org/jenkins.debian.org) "[psuedo-package](https://www.debian.org/Bugs/pseudo-packages)" to request that we test and ensure the reproducibility status of [Debian Installer](https://www.debian.org/devel/debian-installer/) images.
*[FIXME](#926242)
*[Holger Levsen](http://layer-acht.org/thinking/) requested permission for [Diffoscope](https://diffoscope.org/) version 113 to enter the upcoming Debian *buster* release via bug [#926065](https://bugs.debian.org/926065). This was subsequently processed by Jonathan Wiltshire.
*[diffoscope](https://diffoscope.org/) is our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages. This week Chris Lamb changed the behaviour such that specifying "`-`" (a hyphen) is explicitly required on the command-line to read a single diff from standard input to avoid somewhat non-intuitive behaviour when *diffoscope* is called without any arguments. [[#54](https://salsa.debian.org/reproducible-builds/diffoscope/issues/54)]
* 33 reviews of Debian packages were added, 2 were updated and 8 were removed in this week adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Chris Lamb identifier and triaged a fresh toolchain issue, [`randomness_in_perl6_precompiled_libraries`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/b718ab29).
* There were a number of updates to the [reproducible-builds.org project website](https://reproducible-builds.org), including Chris Lamb adding an explicit link to the "[who]({{"/who/" | prepend: site.baseurl }})" and "[donate]({{"/donate/" | prepend: site.baseurl }})" pages in the new footer template [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2d14946)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7a95a81)] as well as tidying thelanguage a little[[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7a222f0)]. In addition, Daniel Shahaf adding an April's Fools joke [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/68f4b00)].
* On our [mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/), David Wheeler started a thread regarding the [definition of reproducibility](https://lists.reproducible-builds.org/pipermail/rb-general/2019-April/001523.html) and how it appears on the [reproducible-builds.org project website](https://reproducible-builds.org).
* Chris Lamb updated the [LetsEncrypt](https://letsencrypt.org/) SSL certificate for [buildinfo.debian.net](https://buildinfo.debian.net).
* On the [Software Freedom Conservancy](https://sfconservancy.org/) blog, [Pamela Chestek](https://chesteklegal.com/) wrote a post titled "[Do You Know Where Your Code Came From?](https://sfconservancy.org/blog/2019/apr/04/nosource-nosecurity/) which references the Reproducible Builds project. In addition,Reproducible Builds (and supply chain security in general) were mentioned on [episode 15 of the LibreLounge podcast](https://librelounge.org/episodes/episode-15-at-libre-planet-with-sean-obrien.html).
* Bernhard M. Wiedemann wrote [a blogpost](https://lizards.opensuse.org/2019/04/03/experimental-opensuse-mirror-via-ipfs/) about his import of openSUSE Tumbleweed into IPFS to aid the verification of older binaries.
* A number of fixes for the [pesign-obs-integration](https://github.com/openSUSE/pesign-obs-integration) to [pass through rpm %licence filetype tag](https://github.com/openSUSE/pesign-obs-integration/pull/13) and [better keep rpm bits](https://github.com/openSUSE/pesign-obs-integration/pull/14) and a related [fix of a rpm bug](https://github.com/rpm-software-management/rpm/pull/656)
* A number of fixes for the [pesign-obs-integration](https://github.com/openSUSE/pesign-obs-integration) to [pass through RPM `%licence` filetype tag](https://github.com/openSUSE/pesign-obs-integration/pull/13) and [better keep RPM bits](https://github.com/openSUSE/pesign-obs-integration/pull/14) and a related [fix of an RPM bug](https://github.com/rpm-software-management/rpm/pull/656)
*[warzone2100](https://build.opensuse.org/request/show/691438)(sort zip -X [already upstream](https://github.com/Warzone2100/warzone2100/pull/98))
* [warzone2100](https://build.opensuse.org/request/show/691438) (`sort zip -X` [already upstream](https://github.com/Warzone2100/warzone2100/pull/98))
* [diffoscope](https://build.opensuse.org/request/show/691762) (update to version 113)
*[Chris Lamb updated the SSL certificate for buildinfo.debian.net](https://buildinfo.debian.net)
* Chris Lamb:
* [#926298](https://bugs.debian.org/926298) filed against [adms](https://tracker.debian.org/pkg/adms).
* [#926300](https://bugs.debian.org/926300) filed against [qpid-proton](https://tracker.debian.org/pkg/qpid-proton).
* [#926301](https://bugs.debian.org/926301) filed against [coda](https://tracker.debian.org/pkg/coda).
* [#926421](https://bugs.debian.org/926421) filed against [netcdf-parallel](https://tracker.debian.org/pkg/netcdf-parallel).
## Test framework development
* We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org). The following changes were done this week:
* Chris Lamb:
* Avoid double spaces in IRC output, eg. "`Failed http://example.com/`". [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f4b80011)]
* Holger Levsen:
* Don't turn nodes offline too quickly. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0e33802d)]
* Add new experimental [buildinfos.debian.net](https://buildinfos.debian.net) service. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4bcef9ec)]
* Apply [`flake8`](http://flake8.pycqa.org/en/latest/) to the `email2irc.py` script. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/31f0e955)]
* Use "`[check-valid-until=no]`" over "`Acquire::Check-Valid-Until`" in our [APT](https://en.wikipedia.org/wiki/APT_(Debian)) serup. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/bbe0f1b2)]
* Install the `python3-yaml` library everywhere as it is needed by the deploy script. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/46d33b21)]
* Special-case the `src:debian-installer` package as it has "special" download requirements. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e3117ca2)] (see [#926242](https://bugs.debian.org/926242))
* Add the new `reproducible-builds.org`[MX records](https://en.wikipedia.org/wiki/MX_record) to our [Munin](http://munin-monitoring.org/) confurations. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9ddd1042)]
* Drop the old [Alioth](https://en.wikipedia.org/wiki/Alioth_(Debian)) OpenSSH key from Jenkins' `authorized_keys`. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/116e7a39)]
*[Reproducible Builds and supply chain security in general mentioned on episode 15 of the LibreLounge podcast approx 9m in.](https://librelounge.org/episodes/episode-15-at-libre-planet-with-sean-obrien.html)
This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Daniel Shahaf, Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.
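Review bot: Several typos remain in the report text of this hunk and should be fixed wherever they sit on the added side. In the package-reviews bullet, "Chris Lamb identifier and triaged" should read "identified and triaged". In the website bullet, "tidying thelanguage a little[[...]" is missing two spaces, and "Daniel Shahaf adding an April's Fools joke" should read "added an April Fools' joke". In the Software Freedom Conservancy bullet, the quoted title "[Do You Know Where Your Code Came From?] never gets its closing quotation mark, and "In addition,Reproducible Builds" lacks a space. In the test-framework list, "serup" and "confurations" should be "setup" and "configurations", and "`reproducible-builds.org`[MX records]" needs a space before the link. The `*[FIXME](#926242)` placeholder line and the "psuedo-package" spelling should not survive into the published text either; the `src:debian-installer` bullet already links #926242 directly, so the placeholder can simply be dropped.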