[Soc-coordination] GSoC 2015 Week 11: Move forward reproducible builds

Maria Valentina Marin marivalenm at gmail.com
Mon Aug 10 03:48:51 UTC 2015


This week I have been working on the following problems:

1. doxygen

There was a new Debian doxygen release in unstable so I refreshed the
version in the reproducible builds git repository and package repository.

This took a bit longer because of the current libstdc++6 transition [1]
which broke my system (I had to go use snapshot.d.o for a while) and
because of two bugs I found in the process:

- https://bugs.debian.org/794745
- https://bugs.debian.org/794758

2. camitk

This package was wrongly tagged as suffering from
timestamps_in_manpages_generated_by_doxygen [2]. The timestamps found in
manpages were generated from a cmake script which has now been patched
to use the environment variable $SOURCE_DATE_EPOCH [3] and packages.yml
has been updated

- https://bugs.debian.org/794740

3. gperf, maxima, and python-xlib

These package were not affected by the latest texi2html release in
unstable. When further investigated I found that they contained an
embedded code copy of texi2html and they did not build-depend on the
Debian texi2html. The copyright information of texi2html was missing
from their debian/copyright.

Package: gperf
- https://bugs.debian.org/794955
Package: maxima
- https://bugs.debian.org/795056
Package: python-xlib
- https://bugs.debian.org/795057

4. texi2html

I modified the patch made by Juan Picca for texi2html to use
$SOURCE_DATE_EPOCH when it produces its timestamps [4], I have also
patched texi2html to sort its hash values, which solves the issue
randomness_in_html_generated_by_texi2html [5].
The package has been QA uploaded to unstable with these fixes.

- https://bugs.debian.org/783475

I scheduled 19 packages affected by texi2html. Out of these 2 became
immediately reproducible, up till now 3 were found to not build-depend
on texi2html but include an embedded code copy (see above) and the rest
do not use dh or CDBS as their build system and therefore
$SOURCE_DATE_EPOCH does not get exported and cannot be used by
texi2html. Individual patches are needed for these packages.

5. Unfinished

I have been working on making bash reproducible and discovered that it
produces unreproducible pdf through a mechanism that has not been
inventoried yet. It uses dvipdfm. I will work on this issue more this week.

I am also working on making the timestamps produced by pdftex be
timezone independent. This will complete my initial pdftex patch to make
the CreationDate, ModDate and ID field deterministic in pdf generated by
latex [6]

Kind Regards,

[1] https://release.debian.org/transitions/html/libstdc++6.html
[3] https://wiki.debian.org/ReproducibleBuilds/TimestampsProposal

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/soc-coordination/attachments/20150810/5d5e076d/attachment.sig>

More information about the Soc-coordination mailing list