[ Chris Lamb suggested to post the weekly reports that has been so far ] [ available on Planet Debian to the mailing-list. Please tell us if ] [ you think that's not a good idea. ]
What happened in the [1]reproducible builds effort this week: Media coverage Motherboard published an [2]article on the project inspired by the [3]talk at the Chaos Communication 15. Journalists [4]sadly rarely pick their headlines. The sensationalist “How Debian Is Trying to Shut Down the CIA” got started a few rants here and there. [5]One from OpenBSD developper Ted Unangst lead to a good email contact and some [6]thorough comments. Toolchain fixes * Emmanuel Bourg uploaded maven-ant-helper/7.11 which improved the reproducibility of the Javadoc by removing the timestamps and using the English locale. * Thomas Schmitt uploaded libisoburn/1.4.0-2 which adds to the ISO image creator xorriso new flags for -alter_date to avoid update ctimes. [7]Report by Daniel Kahn Gillmor. * Florian Schlichting uplodaded libmodule-build-perl/0.421400-2 which makes linked file ordering deterministic. [8]Original patch by Niko Tyni. The modified version of gettext has been [9]removed from the experimental toolchain. Fixing individual package seems a better approach for now. Chris Lamb sent two patches for abi-compliance-checker: one to [10]drop the timestamp from generated HTML reports and another to [11]make umask and timestamps deterministic in the abi tarball. [12]Bugs submitted by Dhole lead to a discussion on the best way to adapt pod2man now that we have [13]SOURCE_DATE_EPOCH specified. There is really a whole class of issues that are currently undiscovered waiting for tests running on a different date. This is likely to should happen soon. Chris Lamb uploaded a new version of debhelper in the [14]“reproducible” repository, cherry-picking a fix for interactions between ddebs and udebs. Packages fixed The following packages became reproducible due to changes in their build dependencies: aspic, django-guardian, erlang-sqlite3, etcd, libnative-platform-java, mingw-ocaml, nose2, oar, obexftp, py3cairo, python-dugong, python-secretstorage, python-setuptools, qct, qdox, recutils, s3ql, wine. The following packages became reproducible after getting fixed: * bochs/2.6-4 by Santiago Vila. * codec2/0.4-3 by A. Maitland Bottoms. * coquelicot/0.9.4-1 by Lunar. * criticalmass/1:1.0.0-3 by Santiago Vila. * ekg/1:1.9~pre+r2855-3 by Santiago Vila. * eterm/0.9.6-3 by Santiago Vila. * fbi/2.10-2 by Moritz Muehlenhoff. * fsvs/1.2.6-2 by Santiago Vila. * glhack/1.2-3 by Santiago Vila. * httraqt/1.4.6-2 by Anton Gladky. * libapache-authznetldap-perl/0.07-6 by gregor herrmann, [15]original patch by Dhole. * libkinosearch1-perl/1.01-3 uploaded by Florian Schlichting, [16]original patch by Niko Tyni. * liblucy-perl/0.3.3-6 uploaded by Florian Schlichting, [17]original patch by Niko Tyni. * slony1-2/2.2.4-1 by Christoph Berg. * slrn/1.0.2-3 uploaded by Moritz Muehlenhoff, [18]original patch by Dmitry Bogatov. * svtplay-dl/0.10.2015.08.24-1 uploaded by Olof Johansson, fixed upstream. * swh-plugins/0.4.15+1-8 uploaded by Jaromír Mikeš, [19]original patch by Chris Lamb. * sysstat/11.1.6-2 uploaded by Robert Luberda, [20]original patch by Chris Lamb. * uhd/3.9.0-3 by A. Maitland Bottoms. * volk/1.1-3 by A. Maitland Bottoms. * yadifa/2.1.3-2 uploaded by Markus Schade, [21]original patch by Santiago Vila. Some uploads fixed some reproducibility issues but not all of them: * dict-jargon/4.4.7-3 uploaded by Ruben Molina, [22]original patch by Dhole. * ferret-vis/6.9.3-3 uploaded by Alastair McKinstry, [23]original patch by Chris Lamb. Patches submitted which have not made their way to the archive yet: * 798366 on lilo by Dmitry Bogatov: remove usage of __TIME__ and __DATE__ macros. * 798557 on libapache-dbi-perl by Dhole: set date of the manpage to the latest debian/changelog entry. * 798776 on testdisk by [24]upstream! reproducible.debian.net The configuration of all remote armhf and amd64 nodes in now finished. The remaining reproducibility tests running on the Jenkins host has been removed. armhf results and graphs are now visible in [25]dashboard. We can now test the whole archive in 2-3 weeks using the current 12 amd64 jobs and 3 months using the current 6 armhf builders. We will be looking at improving the armhf sitation, maybe using more native systems or via arm64. (h01ger) The Jenkins UI is now more responsive since all jobs building packages have been moved to remote hosts. (h01ger) [26]A new job has been added to collect information about build nodes to be included in the [27]variation table. (h01ger) The “currently scheduled” page has been split for [28]amd64 and [29]armhf. They now give an overview (refreshed every minute, thanks to Chris Lamb) of the packages currently being tested. (h01ger) Several cleanup and bugfixes have been made, especially in the remote building and maintenance scripts. They should now be more robust against network problems. The automatic scheduler is now also run closer to when schroots and pbuilders are updated. (h01ger, mapreri) Package reviews 16 [30]reviews have been removed, 54 added and 55 updated this week. Santiago Vila renamed lc_messages_randomness with the more descriptive [31]different_pot_creation_date_in_gettext_mo_files. New issues added this week: [32]timestamps_in_reports_generated_by_abi_compliance_checker, [33]umask_and_timestamp_variation_in_tgz_generated_by_abi_compl iance_checker, and [34]timestamps_added_by_blast2. 23 new FTBFS bugs have been filled by Chris Lamb, and Niko Tyni. Misc. Red Hat developper Mike McLean had a talk at Flock 2015 about [35]reproducible builds in Koji. [36]Slides and [37]video recording are available. [38]Koji is the build infrastructure used by Fedora, Red Hat and other distributions. It already keeps track of the environment used for a given build, so the required changes for handling the environment are smaller than the ones in Debian. Fedora is still missing a team effort to fix non-determinism in the package builds, but it is great to see Fedora moving forward. References 1. https://wiki.debian.org/ReproducibleBuilds 2. http://motherboard.vice.com/read/how-debian-is-trying-to-shut-down-the-cia-and-make-software-trustworthy-again 3. http://media.ccc.de/browse/conferences/camp2015/camp2015-6657-how_to_make_your_software_build_reproducibly.html 4. https://twitter.com/toholdaquill/status/640878186499207168 5. http://www.tedunangst.com/flak/post/reproducible-builds-are-a-waste-of-time 6. https://lobste.rs/s/5bbdbo/reproducible_builds_are_a_waste_of_time/comments/fpc69f#c_fpc69f 7. https://bugs.debian.org/787793 8. https://bugs.debian.org/797709 9. https://bugs.debian.org/792687#35 10. https://bugs.debian.org/798470 11. https://bugs.debian.org/798481 12. https://bugs.debian.org/798557 13. https://wiki.debian.org/ReproducibleBuilds/TimestampsProposal 14. https://wiki.debian.org/ReproducibleBuilds/ExperimentalToolchain 15. https://bugs.debian.org/798558 16. https://bugs.debian.org/797711 17. https://bugs.debian.org/796251 18. https://bugs.debian.org/798269 19. https://bugs.debian.org/792424 20. https://bugs.debian.org/798469 21. https://bugs.debian.org/798450 22. https://bugs.debian.org/792709 23. https://bugs.debian.org/797579 24. http://git.cgsecurity.org/cgit/testdisk/commit/?id=ebfc0ed789a852625121f67878db5e2a7526a5e3 25. https://reproducible.debian.net/reproducible.html 26. https://jenkins.debian.net/view/reproducible/job/reproducible_nodes_info/ 27. https://reproducible.debian.net/reproducible.html#variation 28. https://reproducible.debian.net/index_amd64_scheduled.html 29. https://reproducible.debian.net/index_armhf_scheduled.html 30. https://reproducible.debian.net/unstable/amd64/index_notes.html 31. https://reproducible.debian.net/issues/unstable/different_pot_creation_date_in_gettext_mo_files_issue.html 32. https://reproducible.debian.net/issues/unstable/timestamps_in_reports_generated_by_abi_compliance_checker_issue.html 33. https://reproducible.debian.net/issues/unstable/umask_and_timestamp_variation_in_tgz_generated_by_abi_compliance_checker_issue.html 34. https://reproducible.debian.net/issues/unstable/timestamps_added_by_blast2_issue.html 35. https://flock2015.sched.org/event/b536597132fdd3ffe72226c1972acc0d 36. https://mikem.fedorapeople.org/Talks/flock-2015-koji-reproducibility/ 37. https://www.youtube.com/watch?v=wxzGdX5iMgw 38. https://fedoraproject.org/wiki/Koji
signature.asc
Description: Digital signature
_______________________________________________ Reproducible-builds mailing list Reproducible-builds@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds