[Reproducible-builds] Week 21 in Stretch cycle

Jérémy Bobbio lunar at debian.org
Tue Sep 22 09:39:27 UTC 2015


   What happened in the [1]reproducible builds effort this week:

Media coverage

   Nathan Willis covered [2]our DebConf15 status update in Linux
   Weekly News. Access to non-LWN subscribers will be given on
   Thursday 24th.

   Linux Journal published a [3]more general piece last Tuesday.

   Unexpected praise for reproducible builds appeared this week in
   the form of several iOS applications identified as including
   spyware. The malware went undetected by Apple's screening. This
   happened because application developers had simply
   [4]downloaded a trojaned version of Xcode from an unofficial
   source. While reproducible builds can't really help users of
   non-free software, this is exactly the kind of attack that we
   are trying to prevent in our systems.

Toolchain fixes

     * Mathieu Malaterre uploaded abi-compliance-checker/1.99.11-1
       which [5]drops the timestamps from the generated HTML
       reports and [6]makes the generated .abi.tar.gz files
       reproducible. Original patches by Chris Lamb.

     * Niko Tyni wrote and uploaded [7]a better patch for the
       source order problem in libmodule-build-perl.
     * Tristan Seligmann [8]identified how the code generated by
       python-cffi could be emitted in random order in some cases.
       Upstream has already [9]fixed the problem.

Packages fixed

   The following 24 packages became reproducible due to changes in
   their build dependencies: apache-curator, checkbox-ng, gant,
   gnome-clocks, hawtjni, jackrabbit, jersey1, libjsr305-java,
   mathjax-docs, mlpy, moap, octave-geometry, paste, pdf.js,
   pyinotify, pytango, python-asyncssh, python-mock,
   python-openid, python-repoze.who, shadow, swift,
   tcpwatch-httpproxy, transfig.

   The following packages became reproducible after getting fixed:
     * apparmor/2.10-2 uploaded by intrigeri, fixed upstream by
       Christian Boltz, with the same change [10]suggested by
       Reiner Herrmann.
     * ardour/1:4.2~dfsg-2 by IOhannes m zmölnig.
     * dcmtk/3.6.1~20150629-1 uploaded by Andreas Tille,
       [11]original patch by akira.
     * deap/1.0.1-4 by Daniel Stender.
     * firebird2.5/2.5.4.26856.ds4-2 by Damyan Ivanov.
     * gamera/3.4.2+svn1437-1 by Daniel Stender.
     * genometools/1.5.7-1 by Sascha Steinbiss.
     * golang-github-go-xorm-core/0.4.4-1 by Alexandre Viau.
     * klibc/2.0.4-4 by Ben Hutchings.
     * libgtk2-perl/2:1.2496-3 by intrigeri.
     * lsof/4.89+dfsg-0.1 uploaded by Laurent Bigonville,
       [12]original patch by Lunar.
     * monotone/1.1-6 by Markus Wanner.
     * ndisc6/1.0.1-4 by Santiago Vila.
     * privoxy/3.0.23-4 by Roland Rosenfeld.
     * ruby-flexmock/2.0.0~rc1-1 by Antonio Terceiro.
     * ruby-html2haml/2.0.0-1 by Lunar.
     * tunnelx/20140102-3 uploaded by Wookey, [13]original patch
       by Chris Lamb.
     * wtforms/2.0.2-1 by Orestis Ioannou, [14]original patch by
       Juan Picca.

   Some uploads fixed some reproducibility issues but not all of
   them:
     * maxima/5.37-1 by Camm Maguire, [15]report by akira.

   Patches submitted which have not made their way to the archive
   yet:
     * 783152 on kmod by Lunar: export SOURCE_DATE_EPOCH in
       debian/rules.
     * 799010 on 389-ds-base by Chris Lamb: use SOURCE_DATE_EPOCH
       value as the build date.
     * 799206 on python-sqlalchemy-utils by Chris Lamb: sort the
       list of extra requirements.
     * 799330 on cappuccino by Chris Lamb: pass a fixed seed to
       polygen.
     * 799410 on segment by Chris Lamb: use date of the latest
       debian/changelog entry as build date.
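
   The kinds of fix listed above (a build date taken from
   SOURCE_DATE_EPOCH or the latest debian/changelog entry, sorted
   output) can be combined into one reproducible .tar.gz build step.
   This is an added example, not code from any of the patches above;
   build_epoch, build_tarball, digest and the sample changelog are
   hypothetical names and constructed data.

```python
import email.utils
import gzip
import hashlib
import io
import re
import tarfile

# Constructed sample in debian/changelog format (newest entry first).
SAMPLE_CHANGELOG = """\
example (1.0-2) unstable; urgency=medium

  * Make the build reproducible.

 -- Jane Doe <jane@example.org>  Tue, 22 Sep 2015 09:39:27 +0000

example (1.0-1) unstable; urgency=medium

  * Initial release.

 -- Jane Doe <jane@example.org>  Mon, 01 Jun 2015 12:00:00 +0000
"""

def build_epoch(env, changelog):
    """SOURCE_DATE_EPOCH if exported, else the latest changelog entry date."""
    if env.get("SOURCE_DATE_EPOCH"):
        return int(env["SOURCE_DATE_EPOCH"])
    trailer = re.search(r"^ -- .*>  (.+)$", changelog, re.MULTILINE)
    if trailer is None:
        raise ValueError("no changelog trailer line found")
    return int(email.utils.parsedate_to_datetime(trailer.group(1)).timestamp())

def build_tarball(files, epoch):
    """Pack {name: bytes} into a .tar.gz that depends only on its inputs."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):            # fixed member order
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = epoch                # no wall-clock time
            info.uid = info.gid = 0           # no builder identity
            info.mode = 0o644                 # independent of the umask
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()                        # gzip has its own header timestamp
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=epoch) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def digest(files, env, changelog=SAMPLE_CHANGELOG):
    return hashlib.sha256(build_tarball(files, build_epoch(env, changelog))).hexdigest()
```

   Two builds that receive the same files in a different order yield
   the same digest, which is the property a rebuilder compares.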

reproducible.debian.net

   Tests for [16]Coreboot, [17]OpenWrt, [18]NetBSD, and
   [19]FreeBSD now run weekly (instead of monthly).

diffoscope development

   Python 3 offers new features (namely yield from and
   concurrent.futures) that could help implement parallel
   processing. The clear separation of bytes and unicode strings
   is also likely to reduce encoding related issues.

   Mattia Rizzolo thus kicked off the effort of porting diffoscope
   to Python 3. tlsh was the only dependency missing a Python 3
   module. This got quickly fixed by a new upload.

   The rest of the code has been [20]moved to the point where only
   incompatibilities between Python 2.7 and Python 3.4 had to be
   changed. The commit stream still requires some cleanup but all
   tests are now passing under Python 3.

Documentation update

   The documentation on [21]how to assemble the weekly reports has
   been updated. (Lunar)

   The example on how to use [22]SOURCE_DATE_EPOCH with CMake has
   been improved. (Ben Boeckel, Daniel Kahn Gillmor)

   The solution for [23]timestamps in man pages generated by
   Sphinx now uses SOURCE_DATE_EPOCH. (Mattia Rizzolo)

Package reviews

   45 [24]reviews have been removed, 141 added and 62 updated this
   week.

   67 new FTBFS reports have been filed by Chris Lamb, Niko Tyni,
   and Lisandro Damián Nicanor Pérez Meyer.

   New issues added this week:
   [25]randomness_in_r_rdb_rds_databases,
   [26]python-ply_compiled_parse_tables.

Misc.

   The [27]prebuilder script is now properly testing umask
   variations again.

   Santiago Vila started a [28]discussion on debian-devel on how
   binNMUs would work for reproducible builds.

References

   1. https://wiki.debian.org/ReproducibleBuilds
   2. https://lwn.net/Articles/657479/
   3. http://www.linuxjournal.com/content/debian-project-aims-keep-cia-our-computers
   4. http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/
   5. https://bugs.debian.org/798470
   6. https://bugs.debian.org/798481
   7. https://bugs.debian.org/798882
   8. https://bugs.debian.org/799278
   9. https://bitbucket.org/cffi/cffi/commits/1cfe8c7a59e88186f1a07a9dde28e1787fd900d0
  10. https://bugs.debian.org/797415
  11. https://bugs.debian.org/790133
  12. https://bugs.debian.org/762433
  13. https://bugs.debian.org/799221
  14. https://bugs.debian.org/788599
  15. https://bugs.debian.org/795056
  16. https://reproducible.debian.net/coreboot/
  17. https://reproducible.debian.net/openwrt/
  18. https://reproducible.debian.net/netbsd
  19. https://reproducible.debian.net/freebsd/
  20. https://anonscm.debian.org/cgit/reproducible/diffoscope.git/log/?h=pu/py3
  21. https://anonscm.debian.org/cgit/reproducible/misc.git/tree/reports/README
  22. https://wiki.debian.org/ReproducibleBuilds/TimestampsProposal
  23. https://wiki.debian.org/ReproducibleBuilds/TimestampsInManpagesGeneratedBySphinx
  24. https://reproducible.debian.net/unstable/amd64/index_notes.html
  25. https://reproducible.debian.net/issues/unstable/randomness_in_r_rdb_rds_databases_issue.html
  26. https://reproducible.debian.net/issues/unstable/python-ply_compiled_parse_tables_issue.html
  27. https://anonscm.debian.org/cgit/reproducible/misc.git/tree/prebuilder
  28. https://lists.debian.org/debian-devel/2015/09/msg00366.html