Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday February 24 and Saturday March 2 2019:
*Holger uploaded koji 1.16.2-1, fixing CVE-2018-1002161. Closes: #922922.
*On Tuesday 26th Chris Lamb spoke at [Speck&Tech 31 "Open Security"](https://www.eventbrite.com/e/specktech-31-open-security-tickets-53503912643) on Reproducible Builds.
* Eric Myhre reported about the developer of Dwarf Fortress reporting some "butterfly-effect style" bugs in
deterministic world generation this week: http://www.bay12games.com/dwarves/#2019-02-21 - Reproducible builds: it's not just for compilers, it's for dwarfs too. And their entire universe...!
* On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this week:
* Eric Myhre [posted about the developer of Dwarf Fortress reporting](https://lists.reproducible-builds.org/pipermail/rb-general/2019-February/001473.html) some "butterfly-effect style" bugs in deterministic world generation in a post titled [*Reproducible builds: it's not just for compilers, it's for dwarfs too. And their entire universe...!*](http://www.bay12games.com/dwarves/#2019-02-21).
* Holger Levsen posted an update after he calculated that [Debian is 54% reproducible in practice](https://lists.reproducible-builds.org/pipermail/rb-general/2019-March/001479.html).
*Bernhard M. Wiedemann posted his monthly [*Reproducible Builds status update*](https://lists.opensuse.org/opensuse-factory/2019-02/msg00599.html) for the [openSUSE](https://opensuse.org/) distribution. This includes some verification of official builds, where for 81.2% similar (but not bit-identical) build results were produced.
*Alexander "*lynxis*" Couzens [announced the first release](https://bugs.debian.org/918480#42) of [`squashfskit`](https://github.com/squashfskit/squashfskit), a set of utilities that create and manipulate read-only compressed file systems that was forked from `squashfs-tools`.
*Vagrant Cascadian updated diffoscope in [GNU Guix](https://www.gnu.org/software/guix/)[[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6dacaa70a0874662cbdabfc6df987cd5a09a518c)].
*Bernhard M. Wiedemann [posted his monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-02/msg00599.html) for the [openSUSE](https://opensuse.org/) distribution. This includes some verification of official builds, where 81.2%-similar (NB. not yet bit-identical build results were achieved.
*Graham Christensen corrected some broken links on the [reproducible-builds.org](https://reproducible-builds.org) project website. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/43ba1a1)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a691971)]
*Holger uploaded version `1.16.2-1` of [koji](https://pagure.io/koji) — the RPM building and tracking system — to Debian, fixing [CVE-2018-1002161](https://security-tracker.debian.org/tracker/CVE-2018-1002161) to address a SQL injection attack. ([#922922](https://bugs.debian.irg/922922))
*[FIXME](https://diff.intrinsic.com/)
* A tool to [compare the differences between between two versions of the same Node "npm" package](https://diff.intrinsic.com/) was released, speaking to the same concerns for code provenance that the Reproducible Builds project has.
* 15 Debian package reviews were added, 3 were updated and 14 were removed in this week, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
[diffoscope](https://diffoscope.org/) is our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages. This week:
* Chris Lamb:
* Improved the displayed comment when falling back to a binary diff to include the file type. [(#49)](https://salsa.debian.org/reproducible-builds/diffoscope/issues/49)
* Tided definition of "no file-specific differences were detected" message suffix. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/a671bfb)]
* Corrected a "recurse" typo. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/d41f09b)]
* Vagrant Cascadian updated diffoscope in [GNU Guix](https://www.gnu.org/software/guix/). [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6dacaa70a0874662cbdabfc6df987cd5a09a518c)]
*[#923169](https://bugs.debian.org/923169) filed against [node-lunr](https://tracker.debian.org/pkg/node-lunr).
*[#923170](https://bugs.debian.org/923170) filed against [heudiconv](https://tracker.debian.org/pkg/heudiconv).
In additiom, one of Chris Lamb's previous patches for the [Sphinx](https://sphinx-doc.org) documentation system [was merged upstream](https://github.com/sphinx-doc/sphinx/pull/6028#issuecomment-467885608).and he [updated his branch against](https://github.com/shadow-maint/shadow/pull/146#issuecomment-468750829) the `shadow` password utility.
## Test framework development
We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org). This week, Holger Levsen made the following improvements:
* Improve the output of the Debian reproducible "SHA1" chcker [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5a50d32f)], also including stats for non-reproducible binNMUs, `arch:all` and `arch:amd64` packages [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/151b4f00)].
* Deal with zero results in the SHA1 checker. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/38bf9944)]
This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.
Chris Lamb authored