Hi!

DebConf14 [1] is now over. It was a very productive time for reproducible builds. Here's a tentative recap of what happened.

On August 26th, two events were scheduled:

 * a 45-minute talk [2]: video [3], slides [4];
 * a BoF to discuss solutions to identified issues [5].

I must admit I was nervous before doing the talk. Not so many things had seen progress since the talk at FOSDEM’14 in January, and I was unable to complete a new rebuild experiment following Stéphane Glondu’s advice with David Suárez.

But the talk went well, and the reception was beyond my hopes. There has been no push back on the suggested solution of defining a canonical path where packages must be built. A couple of members of the Debian technical committee who attended the talk showed support and interest, which is a good sign.

In the evening, the BoF was attended by 20 people. We decided not to record it to avoid having to run a microphone around.

The main objective of the discussion was to define the framework in which we could consider a Debian package reproducible.

We agreed that the time of the latest entry in `debian/changelog` was a sane source if binary packages needed to embed timestamps.

In the course of the discussion, we realized that using `.changes` files [6] as the input of a rebuild process would be both impractical and abusing their intended meaning. So we started sketching the content of `.buildinfo` files which would be stored by the archive and would contain everything needed to perform a rebuild.

We also discussed the choice of a canonical build path, the current set of patches that were used for the previous rebuild experiments, a post-processing addition to debhelper called “dh_strip_nondeterminism”, and sbuild support.

What is pretty amazing is the amount of work that was done in the following day leveraging on the discussion:

 * The `.buildinfo` format has been specified [7] on the wiki, and reviewed by a couple of people.
 * The patches to make the file order in control and data archives stable (#719845) have been rebased and submitted again to the BTS [8].
 * A new helper `dh_fixmtimes` was written and submitted to the BTS as #759886 [9]. This replaces the previous changes that were targeting `dpkg-deb` to achieve a similar result.
 * The patches which enable `dpkg-deb` to produce deterministic ar headers when used with `dpkg-buildpackage` have been rebased, updated, and submitted to the BTS as #759999 [10].
 * An addition to `dh_strip` to remove non-deterministic data from static libraries was written and submitted to the BTS as #759895 [11]. This will be used instead of building binutils with `--enable-deterministic-archives` which has potential to make some build systems highly unhappy.
 * A patch for `dh-python` has been written to get a stable order in the generated control fields. Submitted to the BTS as #759231 [12].
 * `dh_genbuildinfo` [13] is a new helper that will use the output of `dpkg-genchanges` and `dh_buildinfo` [14] to generate almost correct `.buildinfo`. Good enough as a starting point for more tests.
 * A tool to remove non-determinism from Jar files, `sortjar` [15], is almost packaged. Some upstream clarifications are still missing.
 * `strip-nondeterminism` [16] is meant to be called by debhelper and to remove non-deterministic data from various file formats. As it stands, it already supports gzip, zip and jar.
 * There has been a quick transmission on how to use the `cloud-scripts` [17] which make archive-wide rebuilds possible using EC2 VMs.
 * Discussions with Octave [18] and groff [19] upstreams have been started.
 * `pod2man` can now be made to have reproducible timestamps (#759405 [20]).
 * Discussions have happened on the base timestamp of files patched with dpkg 3.0 (quilt) format in #759404 [21].

That's a lot of great work (and I'm probably missing a thing or two), so congrats to everybody involved!

We are close to being able to perform another archive-wide rebuild using the new set of patches and assumptions. What is missing is an (even half-working) `srebuild` script. To the best of my understanding, Geoffrey Thomas will be working on it.

There's a new IRC channel, so feel free to join #debian-reproducible on OFTC.

I have been trying to keep the TODO list [22] on the wiki page up-to-date. If you want to enjoy this new rush of energy, come and help!

 [1]: https://debconf14.debian.org/
 [2]: https://summit.debconf.org/debconf14/meeting/78/reproducible-builds-for-debian/
 [3]: http://meetings-archive.debian.net/pub/debian-meetings/2014/debconf14/webm/Reproducible_Builds_for_Debian_a_year_later.webm
 [4]: http://reproducible.alioth.debian.org/presentations/2014-08-26-DebConf14.pdf
 [5]: https://summit.debconf.org/debconf14/meeting/79/reproducible-builds-for-debian-finding-solutions/
 [6]: https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-debianchangesfiles
 [7]: https://wiki.debian.org/ReproducibleBuilds#Recording_the_environment
 [8]: https://bugs.debian.org/719845#61
 [9]: https://bugs.debian.org/759886
[10]: https://bugs.debian.org/759999
[11]: https://bugs.debian.org/759895
[12]: https://bugs.debian.org/759231
[13]: http://anonscm.debian.org/cgit/reproducible/debhelper.git/commit/?h=pu/reproducible_builds&id=a2a95893
[14]: https://tracker.debian.org/dh-buildinfo
[15]: http://anonscm.debian.org/cgit/reproducible/sortjar.git
[16]: http://anonscm.debian.org/cgit/reproducible/strip-nondeterminism.git/
[17]: http://anonscm.debian.org/cgit/collab-qa/cloud-scripts.git
[18]: https://savannah.gnu.org/bugs/?43087
[19]: https://lists.gnu.org/archive/html/groff/2014-08/msg00112.html
[20]: https://bugs.debian.org/759405
[21]: https://bugs.debian.org/759404
[22]: https://wiki.debian.org/ReproducibleBuilds#Useful_things_you_.28yes.2C_you.21.29_can_do

-- 
Lunar                                .''`.
lu...@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'`
                                      `-
_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
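Added example, not part of the original message and not code from dpkg, debhelper or strip-nondeterminism: a Python sketch of three ideas from the recap working together, namely taking the timestamp from the latest `debian/changelog` entry, writing archive members in a stable order, and keeping build-time data out of the gzip header. The function names, the sample changelog and the rule of clamping newer mtimes to the changelog time are assumptions made for illustration.

```python
import email.utils, gzip, io, re, tarfile

# Constructed sample changelog (not a real package).
CHANGELOG = """\
hello (1.0-2) unstable; urgency=medium

  * Rebuild with stable file order.

 -- Jane Doe <jane@example.org>  Tue, 26 Aug 2014 18:30:00 +0200

hello (1.0-1) unstable; urgency=low

  * Initial release.

 -- Jane Doe <jane@example.org>  Mon, 06 Jan 2014 09:00:00 +0100
"""

def changelog_epoch(text):
    """Unix time of the latest entry, i.e. the first trailer line."""
    m = re.search(r"^ -- .*>  (.+)$", text, re.MULTILINE)
    if m is None:
        raise ValueError("no changelog trailer line found")
    return int(email.utils.parsedate_to_datetime(m.group(1)).timestamp())

def build_data_tar_gz(files, epoch):
    """files maps path -> (content bytes, on-disk mtime)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):  # stable member order
            data, mtime = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = min(mtime, epoch)  # assumption: clamp newer mtimes
            info.mode, info.uid, info.gid = 0o644, 0, 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    # Empty name and fixed mtime keep build data out of the gzip header.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=epoch) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

if __name__ == "__main__":
    t = changelog_epoch(CHANGELOG)
    one = {"./usr/bin/hello": (b"#!/bin/sh\n", t + 60), "./etc/hello": (b"", t - 9)}
    two = {"./etc/hello": (b"", t - 9), "./usr/bin/hello": (b"#!/bin/sh\n", t + 999)}
    print(build_data_tar_gz(one, t) == build_data_tar_gz(two, t))
```

The two constructed inputs differ in insertion order and in the mtime of the freshly built file, yet produce byte-identical output, which is the property a rebuilder compares by checksum.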