Reproducible Builds in September 2024

Chris Lamb chris at reproducible-builds.org
Wed Oct 9 00:34:04 BST 2024


--------------------------------------------------------------------
        o
      ⬋   ⬊      September 2024 in Reproducible Builds
     o     o
      ⬊   ⬋      https://reproducible-builds.org/reports/2024-09/
        o
--------------------------------------------------------------------


Welcome to the September 2024 report from the Reproducible Builds project!

Our reports attempt to outline what we've been up to over the past
month, highlighting news items from elsewhere in tech where they are
related. As ever, if you are interested in contributing to the project,
please visit our Contribute [1] page on our website.

 [0] https://reproducible-builds.org
 [1] https://reproducible-builds.org/contribute/

                                    §

Table of contents:

 * New binsider tool to analyse ELF binaries
 * Unreproducibility of GHC Haskell compiler “95% fixed”
 * Mailing list summary
 * Towards a 100% bit-for-bit reproducible OS
 * Two new reproducibility-related academic papers
 * Distribution work
 * diffoscope
 * Other software development
 * Android toolchain core count issue reported
 * New Gradle plugin for reproducibility
 * Website updates
 * Upstream patches
 * Reproducibility testing framework

                                    §


New binsider [2] tool to analyse ELF binaries
---------------------------------------------

Reproducible Builds developer Orhun Parmaksız [3] has announced a
fantastic new tool to analyse the contents of ELF binaries [4].
According to the project's README page [5]:

> Binsider can perform static and dynamic analysis, inspect strings,
> examine linked libraries, and perform hexdumps, all within a user-
> friendly terminal user interface!

 [2] https://binsider.dev/
 [3] https://blog.orhun.dev/
 [4] https://en.wikipedia.org/wiki/Executable_and_Linkable_Format
 [5] https://github.com/orhun/binsider#readme

More information about Binsider's features and how it works can be found
within Binsider's documentation pages [6].

 [6] https://binsider.dev/usage/general-analysis/

                                    §


Unreproducibility of GHC Haskell compiler "95% fixed"
-----------------------------------------------------

A seven-year-old bug [7] about the nondeterminism of object code
generated by the Glasgow Haskell Compiler [8] (GHC) received a recent
update [9], consisting of Rodrigo Mesquita [10] noting that the
issue is:

> 95% fixed by <merge request> !12680 [11] when -fobject-determinism is
> enabled. [12]

 [7] https://gitlab.haskell.org/ghc/ghc/-/issues/12935
 [8] https://www.haskell.org/ghc/
 [9] https://gitlab.haskell.org/ghc/ghc/-/issues/12935#note_583525
 [10] https://alt-romes.github.io/
 [11] https://gitlab.haskell.org/ghc/ghc/-/merge_requests/12680
 [12] https://gitlab.haskell.org/ghc/ghc/-/issues/12935#note_583525

The linked merge request [13] has since been merged, and Rodrigo goes on
to say that:

> After that patch is merged, there are some rarer bugs in both
> interface file determinism (eg. #25170 [14]) and in object determinism
> (eg. #25269 [15]) that need to be taken care of, but the great majority
> of the work needed to get there should have been merged already. When
> merged, I think we should close this one in favour of the more specific
> determinism issues like the two linked above.

 [13] https://gitlab.haskell.org/ghc/ghc/-/merge_requests/12680
 [14] https://gitlab.haskell.org/ghc/ghc/-/issues/25170
 [15] https://gitlab.haskell.org/ghc/ghc/-/issues/25269

                                    §


Mailing list summary
--------------------

On our mailing list [16] this month:

* Fay Stegerman let everyone know [17] that she started a thread on the
  Fediverse [18] about the problems caused by unreproducible
  zlib/deflate compression in .zip and .apk files and later followed up
  [19] with the results of her subsequent investigation.

 [16] https://lists.reproducible-builds.org/listinfo/rb-general/
 [17] https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003526.html
 [18] https://tech.lgbt/@obfusk/113081697577399562
 [19] https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003547.html

* Long-time developer kpcyrd wrote that "there has been a recent
  public discussion [20] on the Arch Linux [21] GitLab [instance] about
  the challenges and possible opportunities for making the Linux kernel
  package reproducible", all relating to the CONFIG_MODULE_SIG
  flag. [22]

 [20] https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/merge_requests/1
 [21] https://archlinux.org/
 [22] https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003530.html

* Bernhard M. Wiedemann followed-up to an in-person conversation at our
  recent Hamburg 2024 summit [23] on the potential presence for
  Reproducible Builds in recognised standards. [24]

 [23] https://reproducible-builds.org/events/hamburg2024/
 [24] https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003539.html

* Fay Stegerman also wrote about her worry about the "possible
  repercussions for RB tooling of Debian migrating from zlib to zlib-
  ng" as reproducibility requires identical compressed data
  streams. [25]

 [25] https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003543.html

* Martin Monperrus [26] wrote the list announcing the latest release of
  maven-lockfile [27] that is designed aid "building Maven projects
  with integrity". [28]

 [26] https://www.monperrus.net/martin/
 [27] https://github.com/chains-project/maven-lockfile/
 [28] https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003544.html

* Lastly, Bernhard M. Wiedemann wrote about potential role of
  reproducible builds in combatting silent data corruption, as detailed
  in a recent Tweet [29] and scholarly paper [30] on faulty CPU
  cores. [31]

 [29] https://x.com/petereliaskraft/status/1840011158347972765
 [30] https://dl.acm.org/doi/abs/10.1145/3458336.3465297
 [31] https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003548.html

§


Towards a 100% bit-for-bit reproducible OS
------------------------------------------

Bernhard M. Wiedemann began writing on journey towards a 100% bit-for-
bit reproducible operating system [32] on the openSUSE [33] wiki:

> This is a report of Part 1 of my journey: building 100% bit-
> reproducible packages for every package that makes up [openSUSE's]
> minimalVM image. This target was chosen as the smallest useful
> result/artifact. The larger package-sets get, the more disk-space
> and build-power is required to build/verify all of them.

 [32] https://en.opensuse.org/openSUSE:Reproducible_openSUSE/Part1
 [33] https://en.opensuse.org/Main_Page

                                    §


Two new reproducibility-related academic papers
-----------------------------------------------

Marvin Strangfeld [36] published his bachelor thesis, "Reproducibility
of Computational Environments for Software Development" [37]" from RWTH
Aachen University [38]. The author offers a more precise theoretical
definition of computational environments compared to previous
definitions, which can be applied to describe real-world computational
environments. Additionally, Marvin provide a definition of
reproducibility in computational environments, enabling discussions
about the extent to which an environment can be made reproducible. The
thesis is available to browse or download in PDF format [39].

 [36] https://strangfeld.io/
 [37] https://doi.org/10.5281/zenodo.13843189
 [38] https://www.rwth-aachen.de
 [39] https://doi.org/10.5281/zenodo.13843189

In addition, Shenyu Zheng, Bram Adams and Ahmed E. Hassan of Queen's
University, ON, Canada [40] have published an article [41] on
"hermeticity" in Bazel [42]-based build systems:

> A hermetic build system manages its own build dependencies, isolated
> from the host file system, thereby securing the build process.
> Although, in recent years, new artifact-based build technologies
> like Bazel [43] offer build hermeticity as a core functionality, no
> empirical study has evaluated how effectively these new build
> technologies achieve build hermeticity. This paper studies 2,439
> non-hermetic build dependency packages of 70 Bazel-using open-source
> projects by analyzing 150 million Linux system file calls collected
> in their build processes. We found that none of the studied projects
> has a completely hermetic build process, largely due to the use of
> non-hermetic top-level toolchains. [44]

 [40] https://www.queensu.ca/
 [41] https://mcis.cs.queensu.ca/publications/2024/ieeesw-shenyu.pdf
 [42] https://bazel.build/
 [43] https://bazel.build/
 [44] https://mcis.cs.queensu.ca/publications/2024/ieeesw-shenyu.pdf

                                    §


Distribution work
-----------------

In Debian this month, 14 reviews of Debian packages were added, 12 were
updated and 20 were removed, all adding to our knowledge about
identified issues [45]. A number of issue types were updated as
well. [46][47]

In addition, Holger opened 4 bugs against the debrebuild component of
the devscripts [48] suite of tools. In particular:

 * #1081047 [49]: Fails to download .dsc file.
 * #1081048 [50]: Does not work with a proxy.
 * #1081050 [51]: Fails to create a debrebuild.tar.
 * #1081839 [52]: Fails with E: mmdebstrap failed to run error.

 [45] https://tests.reproducible-builds.org/debian/index_issues.html
 [46] https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/7ee69bc5
 [47] https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/5ade3942
 [48] https://salsa.debian.org/debian/devscripts
 [49] https://bugs.debian.org/1081047
 [50] https://bugs.debian.org/1081048
 [51] https://bugs.debian.org/1081050
 [52] https://bugs.debian.org/1081839

Last month, an issue was filed [53] to update the Salsa CI pipeline [54]
(used by 1,000s of Debian packages) to no longer test for
reproducibility with reprotest's build_path variation. Holger Levsen
provided a rationale [55] for this change in the issue, which has
already been made to the tests being performed by tests.reproducible-
builds.org [56]. This month, this issue was closed by Santiago R. R.
[57], nicely explaining that build path variation is no longer the
default, and, if desired, how developers may enable it again.

 [53] https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/368
 [54] https://salsa.debian.org/salsa-ci-team/pipeline
 [55] https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/368#note_520933
 [56] https://tests.reproducible-builds.org
 [57] https://salsa.debian.org/salsa-ci-team/pipeline/-/commit/3e772018954782b02114d8c95f9972bc950fde92

In openSUSE news, Bernhard M. Wiedemann published another report [58]
for that distribution.

 [58] https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/3CRGGASV7HFS5NQ4ECQ3DKPIJCCRKAYY/

                                    §


"diffoscope"
------------

diffoscope is our in-depth and content-aware diff utility that can
locate and diagnose reproducibility issues. This month, Chris Lamb
made the following changes, including preparing and uploading version
278 to Debian:

* New features:

    * Add a helpful contextual message to the output if comparing
      Debian .orig tarballs within .dsc files without the ability to
      "fuzzy-match" away the leading directory. [61]

* Bug fixes:

    * Drop removal of calculated os.path.basename from GNU readelf
      output. [62]
    * Correctly invert "X% similar" value and do not emit "100%
      similar". [63]

* Misc:

    * Temporarily remove procyon-decompiler from Build-Depends as it
      was removed from testing (via #1057532 [64]). (#1082636 [65])
    * Update copyright years. [66]

 [61] https://salsa.debian.org/reproducible-builds/diffoscope/commit/e748a477
 [62] https://salsa.debian.org/reproducible-builds/diffoscope/commit/74bd931d
 [63] https://salsa.debian.org/reproducible-builds/diffoscope/commit/7ec9db5d
 [64] https://bugs.debian.org/1057532
 [65] https://bugs.debian.org/1082636
 [66] https://salsa.debian.org/reproducible-builds/diffoscope/commit/021d9cf8

For trydiffoscope [67], the command-line client for the web-based
version of diffoscope, Chris Lamb also:

* Added an explicit python3-setuptools dependency. (#1080825 [68])
* Bumped the Standards-Version to 4.7.0. [69]

 [67] https://try.diffoscope.org
 [68] https://bugs.debian.org/1080825
 [69] https://salsa.debian.org/reproducible-builds/trydiffoscope/commit/392e64d

                                    §


Other software development
--------------------------

disorderfs [70] is our FUSE [71]-based filesystem that deliberately
introduces non-determinism into system calls to reliably flush out
reproducibility issues. This month, version 0.5.11-4 was uploaded to
Debian unstable [72] by Holger Levsen making the following changes:

* Replace build-dependency on the obsolete pkg-config package with one
  on pkgconf, following a Lintian [73] check. [74]
* Bump Standards-Version field to 4.7.0, with no related changes
  needed. [75]

 [70] https://tracker.debian.org/pkg/disorderfs
 [71] https://en.wikipedia.org/wiki/Filesystem_in_Userspace
 [72] https://tracker.debian.org/news/1570782/accepted-disorderfs-0511-4-source-into-unstable/
 [73] https://wiki.debian.org/Lintian
 [74] https://salsa.debian.org/reproducible-builds/disorderfs/commit/0211d95
 [75] https://salsa.debian.org/reproducible-builds/disorderfs/commit/d500480

In addition, reprotest [76] is our tool for building the same source
code twice in different environments and then checking the binaries
produced by each build for any differences. This month, version 0.7.28
was uploaded to Debian unstable [77] by Holger Levsen including a change
by Jelle van der Waa to move away from the pipes Python module to shlex,
as the former will be removed in Python version 3.13 [78].

 [76] https://salsa.debian.org/reproducible-builds/reprotest
 [77] https://tracker.debian.org/news/1561430/accepted-reprotest-0728-source-into-unstable/
 [78] https://salsa.debian.org/reproducible-builds/reprotest/commit/b7a2104

                                    §


Android toolchain core count issue reported
-------------------------------------------

Fay Stegerman reported an issue with the Android toolchain [79] where a
part of the build system generates a different classes.dex file (and
thus a different .apk) depending on the number of cores available during
the build, thereby breaking Reproducible Builds:

> We've rebuilt [tag v3.6.1]) multiple times (each time in a fresh
> container): with 2, 4, 6, 8, and 16 cores available, respectively:
>
> * With 2 and 4 cores we always get an unsigned APK with
>   SHA-256 14763d682c9286ef….
> * With 6, 8, and 16 cores we get an unsigned APK with SHA-256
>   35324ba4c492760… instead.

 [79] https://issuetracker.google.com/issues/366412380

                                    §


New Gradle plugin for reproducibility
-------------------------------------

A new plugin [80] for the Gradle [81] build tool for Java has been released.
This easily-enabled plugin [82] results in:

> reproducibility settings [being] applied to some of Gradle's built-in
> tasks that should really be the default. Compatible with Java 8 and
> Gradle 8.3 or later.

 [80] https://github.com/gradlex-org/reproducible-builds
 [81] https://gradle.org/
 [82] https://github.com/gradlex-org/reproducible-builds#usage

                                    §


Website updates
---------------

There were a rather substantial number of improvements made to our
website this month, including:

* Chris Lamb:

    * Attempt to use GitLab CI to 'artifact' the website; hopefully
      useful for testing branches. [83]
    * Correct the linting rule whilst building the website. [84]
    * Make a number of small changes to Kees' post written by
      Vagrant. [85][86][87]
    * Add the Civil Infrastructure Platform [88] to the Projects [89]
      page. [90]
    * Miscellaneous administration of misfiled images. [91][92]

 [83] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f1f98564
 [84] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e72d54fd
 [85] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f13914e5
 [86] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5ef0e7d3
 [87] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5eb0421d
 [88] https://www.cip-project.org/
 [89] https://reproducible-builds.org/who/projects/
 [90] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/33b4dfd5
 [91] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8f252f66
 [92] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ebcb3ec0

* Evangelos Tzaras made a huge number of changes related to the recent
  Hamburg 2024 summit [93] ([94][95][96][97][98]) as well as proposed an
  infographic about which question Reproducible Builds is trying to
  answer [99].

 [93] https://reproducible-builds.org/events/hamburg2024/
 [94] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3cbc7c7f
 [95] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1d1cdfb8
 [96] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f146906c
 [97] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6703515c
 [98] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/41bb491c
 [99] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8a12fdd3

* Holger Levsen added his two presentations ("Reproducible Builds: The
  First Eleven Years" [100] and "Preserving *other* build artifacts"
  [101]) to the website. [102]

 [100] https://debconf24.debconf.org/talks/18-reproducible-builds-the-first-eleven-years/
 [101] https://debconf24.debconf.org/talks/17-preserving-other-build-artifacts/
 [102] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7a661236

* Jelle van der Waa completely modernised the System Images [103]
  documentation, noting that "a lot has changed since 2017(!); ext4,
  erofs and FAT filesystems can now be made reproducible". [104]

 [103] https://reproducible-builds.org/docs/system-images/
 [104] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/672c19a3

* Developer 'RyanSquared' replaced the continuous integration test link
  for Arch Linux [105] on our Projects [106] page with an external
  instance [107] [108][109] as well as updated the documentation to
  reflect the dependencies required to build the website [110].

 [105] https://archlinux.org/
 [106] https://reproducible-builds.org/who/projects/
 [107] https://reproducible.archlinux.org/
 [108] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/67d13a6c
 [109] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/eaa4ba9b
 [110] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/634587d6

* Vagrant Cascadian pushed a lengthy interview with Linux developer
  Kees Cook [111]. [112][113][114][115]

 [111] https://reproducible-builds.org/news/2024/09/29/supporter-spotlight-kees-cook/
 [112] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/53a4b2f6
 [113] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f935cd0b
 [114] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2c1f10e7
 [115] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/04eb01ff

                                    §


Upstream patches
----------------

The Reproducible Builds project detects, dissects and attempts to fix
as many currently-unreproducible packages as possible. We endeavour to
send all of our patches upstream where appropriate. This month, we
wrote a large number of such patches, including:

* Bernhard M. Wiedemann:

    * agama-integration-tests [116] (random)
    * contrast [117] (FTBFS-nocheck)
    * cpython [118] (FTBFS-2038)
    * crash [119] (parallelism, race)
    * ghostscript [120] (toolchain date)
    * glycin-loaders [121] (FTBFS -j1)
    * gstreamer-plugins-rs [122] (date, other)
    * kernel-doc/Sphinx [123] (toolchain bug, parallelism/race)
    * kernel [124] (parallelism in BTF)
    * libcamera [125] (random key)
    * libgtop [126] (uname -r)
    * libsamplerate [127] (random temporary directory)
    * lua-luarepl [128] (FTBFS)
    * meson [129] (toolchain)
    * netty [130] (modification time in .a)
    * nvidia-persistenced [131] (date)
    * nvidia-xconfig [132] (date-related issue)
    * obs-build [133] (build-tooling corruption)
    * perl [134] (Perl records kernel version)
    * pinentry [135] (make efl [136] droppable)
    * python-PyGithub [137] (FTBFS 2024-11-25)
    * python-Sphinx [138] (parallelism/race)
    * python-chroma-hnswlib [139] (CPU)
    * python-libcst [140]
    * python-pygraphviz [141] (random timing)
    * python312 [142] (.pyc embeds modification time)
    * python312 [143] (drop .pyc from documentation time)
    * scap-security-guide [144] (date)
    * seahorse [145] (parallelism)
    * subversion [146] (minor Java .jar modification times)
    * xen/acpica [147] (date-related issue in toolchain)
    * xmvn [148] (random)

 [116] https://github.com/openSUSE/agama/pull/1576
 [117] https://build.opensuse.org/request/show/1203242
 [118] https://github.com/python/cpython/issues/124851
 [119] https://bugzilla.opensuse.org/show_bug.cgi?id=1230281
 [120] https://mail.gnu.org/archive/html/bug-ghostscript/2024-09/msg00000.html
 [121] https://bugzilla.opensuse.org/show_bug.cgi?id=1230879
 [122] https://gitlab.freedesktop.org/gstreamer/gst-plugins-rs/-/issues/599
 [123] https://lore.kernel.org/linux-doc/33018311-0bdf-4258-b0c0-428a548c710d@suse.de/T/#t
 [124] https://bugzilla.opensuse.org/show_bug.cgi?id=1230414
 [125] https://bugs.libcamera.org/show_bug.cgi?id=233
 [126] https://bugzilla.opensuse.org/show_bug.cgi?id=1230850
 [127] https://build.opensuse.org/request/show/1202178
 [128] https://build.opensuse.org/request/show/1204160
 [129] https://github.com/mesonbuild/meson-python/issues/671
 [130] https://build.opensuse.org/request/show/1203216
 [131] https://github.com/NVIDIA/nvidia-persistenced/pull/12
 [132] https://build.opensuse.org/request/show/1203885
 [133] https://github.com/openSUSE/obs-build/issues/1030
 [134] https://bugzilla.opensuse.org/show_bug.cgi?id=1230137
 [135] https://build.opensuse.org/request/show/1202479
 [136] https://git.enlightenment.org/enlightenment/efl/issues/41
 [137] https://github.com/PyGithub/PyGithub/pull/3045
 [138] https://github.com/sphinx-doc/sphinx/issues/6714
 [139] https://build.opensuse.org/request/show/1202316
 [140] https://github.com/Instagram/LibCST/pull/1213
 [141] https://github.com/pygraphviz/pygraphviz/issues/541
 [142] https://bugzilla.opensuse.org/show_bug.cgi?id=1230906
 [143] https://build.opensuse.org/request/show/1204725
 [144] https://bugzilla.opensuse.org/show_bug.cgi?id=1230361
 [145] https://gitlab.gnome.org/GNOME/seahorse/-/issues/394
 [146] https://build.opensuse.org/request/show/1203785
 [147] https://bugzilla.opensuse.org/show_bug.cgi?id=1230856
 [148] https://github.com/fedora-java/xmvn/commit/1f79bc89caf3a75556a72430a524df84a16bde2b

* Fridrich Strba:

    * ant [149] (jar mtime)
    * xmvn [150] (various fixes)

 [149] https://build.opensuse.org/request/show/1201917
 [150] https://github.com/fedora-java/xmvn/pull/298

* Chris Lamb:

    * #1082702 [151] filed against magic-wormhole-transit-relay [152].
    * #1082706 [153] filed against python-sphobjinv [154].
    * #1082707 [155] filed against lomiri-content-hub [156].
    * #1082796 [157] filed against python-mt-940 [158].
    * #1082806 [159] filed against tree-puzzle [160].
    * #1083053 [161] filed against muon-meson [162].

 [151] https://bugs.debian.org/1082702
 [152] https://tracker.debian.org/pkg/magic-wormhole-transit-relay
 [153] https://bugs.debian.org/1082706
 [154] https://tracker.debian.org/pkg/python-sphobjinv
 [155] https://bugs.debian.org/1082707
 [156] https://tracker.debian.org/pkg/lomiri-content-hub
 [157] https://bugs.debian.org/1082796
 [158] https://tracker.debian.org/pkg/python-mt-940
 [159] https://bugs.debian.org/1082806
 [160] https://tracker.debian.org/pkg/tree-puzzle
 [161] https://bugs.debian.org/1083053
 [162] https://tracker.debian.org/pkg/muon-meson

* James Addison:

    * guake [163] (fix a parallelism/timing-race build bug)
    * sphobjinv [164] (duplicates fix from Debian bug #1082706)

 [163] https://github.com/Guake/guake/pull/2257
 [164] https://github.com/bskinn/sphobjinv/issues/299

                                    §


Reproducibility testing framework
---------------------------------

The Reproducible Builds project operates a comprehensive testing
framework running primarily at tests.reproducible-builds.org [165] in
order to check packages and other artifacts for reproducibility. In
September, a number of changes were made by Holger Levsen, including:

 [165] https://tests.reproducible-builds.org

* Debian-related changes:

    * Upgrade the osuosl4 node to Debian trixie in anticipation of
      running debrebuild and rebuilderd there. [167][168][169]
    * Temporarily mark the osuosl4 node as offline due to ongoing
      xfs_repair filesystem maintenance. [170][171]
    * Do not warn about (very old) broken nodes. [172]
    * Add the risc64 architecture to the multiarch version skew tests
      for Debian trixie and sid. [173][174][175]
    * Mark the virt{32,64}b nodes as down. [176]

 [167] https://salsa.debian.org/qa/jenkins.debian.net/commit/bdae2a9b6
 [168] https://salsa.debian.org/qa/jenkins.debian.net/commit/95aae5420
 [169] https://salsa.debian.org/qa/jenkins.debian.net/commit/a01d57d6e
 [170] https://salsa.debian.org/qa/jenkins.debian.net/commit/ae7103edf
 [171] https://salsa.debian.org/qa/jenkins.debian.net/commit/a452842af
 [172] https://salsa.debian.org/qa/jenkins.debian.net/commit/5fd46f2ce
 [173] https://salsa.debian.org/qa/jenkins.debian.net/commit/592996dc8
 [174] https://salsa.debian.org/qa/jenkins.debian.net/commit/271d325b6
 [175] https://salsa.debian.org/qa/jenkins.debian.net/commit/e0d15de91
 [176] https://salsa.debian.org/qa/jenkins.debian.net/commit/2a4d655ac

* Misc changes:

    * Add support for powercycling OpenStack instances. [177]
    * Update the fail2ban [178] to ban hosts for 4 weeks in total
      [179][180] and take care to never ban our own Jenkins [181]
      instance. [182]

 [177] https://salsa.debian.org/qa/jenkins.debian.net/commit/74c2c0534
 [178] https://github.com/fail2ban/fail2ban
 [179] https://salsa.debian.org/qa/jenkins.debian.net/commit/7869acbc2
 [180] https://salsa.debian.org/qa/jenkins.debian.net/commit/30c12eb56
 [181] https://www.jenkins.io/
 [182] https://salsa.debian.org/qa/jenkins.debian.net/commit/ad7800062

In addition, Vagrant Cascadian recorded a disk failure for the virt32b
and virt64b nodes [183], performed some maintenance of the cbxi4a node
[184][185] and marked most armhf architecture systems as being
back online.

 [183] https://salsa.debian.org/qa/jenkins.debian.net/commit/919810c8b
 [184] https://salsa.debian.org/qa/jenkins.debian.net/commit/d4a48600d
 [185] https://salsa.debian.org/qa/jenkins.debian.net/commit/145c7969d


                                    §


Finally, If you are interested in contributing to the Reproducible
Builds project, please visit the Contribute [186] page on our website.
However, you can get in touch with us via:

 * IRC: #reproducible-builds on irc.oftc.net.

 * Mastodon: @reproducible_builds at fosstodon.org [187]

 * Mailing list: rb-general at lists.reproducible-builds.org [188]

 * Twitter: @ReproBuilds [189]

 [186] https://reproducible-builds.org/contribute/
 [187] https://fosstodon.org/@reproducible_builds
 [188] https://lists.reproducible-builds.org/listinfo/rb-general
 [189] https://twitter.com/ReproBuilds


-- 
      o
    ⬋   ⬊
   o     o     reproducible-builds.org 💠
    ⬊   ⬋
      o



More information about the Reproducible-builds mailing list