A good amount of the Debian reproducible builds team had the chance to enjoy face-to-face interactions during DebConf15.

Names in red and blue were all present at DebConf15
Picture of the “reproducible builds” talk during DebConf15

Hugging people with whom one has been working tirelessly for months gives a lot of warm-fuzzy feelings. Several recorded and hallway discussions paved the way to solve the remaining issues to get “reproducible builds” part of Debian proper. Both talks from the Debian Project Leader and the release team mentioned the effort as important for the future of Debian.

A forty-five minutes talk presented the state of the “reproducible builds” effort. It was then followed by an hour long “roundtable” to discuss current blockers regarding dpkg, .buildinfo and their integration in the archive.

Picture of the “reproducible builds” roundtable during DebConf15

Toolchain fixes

  • Kenneth J. Pronovici uploaded epydoc/3.0.1+dfsg-12 which makes class and modules ordering predictable (#795835) and fixes __repr__ so memory addresses don't appear in docs (#795826). Patches by Val Lorentz.
  • Sergei Golovan uploaded erlang/1:18.0-dfsg-2 which adds support for SOURCE_DATE_EPOCH to erlc. Patch by Chris West (Faux) and Chris Lamb.
  • Dmitry Shachnev uploaded sphinx/1.3.1-5 which make grammar, inventory, and JavaScript locales generation deterministic. Original patch by Val Lorentz.
  • Stéphane Glondu uploaded ocaml/4.02.3-2 to experimental, making startup files and native packed libraries deterministic. The patch adds deterministic .file to the assembler output.
  • Enrico Tassi uploaded lua-ldoc/1.4.3-3 which now pass the -d option to txt2man and add the --date option to override the current date.

Reiner Herrmann submitted a patch to make rdfind sort the processed files before doing any operation. Chris Lamb proposed a new patch for wheel implementing support for SOURCE_DATE_EPOCH instead of the custom WHEEL_FORCE_TIMESTAMP. akira sent one making man2html SOURCE_DATE_EPOCH aware.

Stéphane Glondu reported that dpkg-source would not respect tarball permissions when unpacking under a umask of 002.

After hours of iterative testing during the DebConf workshop, Sandro Knauß created a test case showing how pdflatex output can be non-deterministic with some PNG files.

Packages fixed

The following 65 packages became reproducible due to changes in their build dependencies: alacarte, arbtt, bullet, ccfits, commons-daemon, crack-attack, d-conf, ejabberd-contrib, erlang-bear, erlang-cherly, erlang-cowlib, erlang-folsom, erlang-goldrush, erlang-ibrowse, erlang-jiffy, erlang-lager, erlang-lhttpc, erlang-meck, erlang-p1-cache-tab, erlang-p1-iconv, erlang-p1-logger, erlang-p1-mysql, erlang-p1-pam, erlang-p1-pgsql, erlang-p1-sip, erlang-p1-stringprep, erlang-p1-stun, erlang-p1-tls, erlang-p1-utils, erlang-p1-xml, erlang-p1-yaml, erlang-p1-zlib, erlang-ranch, erlang-redis-client, erlang-uuid, freecontact, givaro, glade, gnome-shell, gupnp, gvfs, htseq, jags, jana, knot, libconfig, libkolab, libmatio, libvsqlitepp, mpmath, octave-zenity, openigtlink, paman, pisa, pynifti, qof, ruby-blankslate, ruby-xml-simple, timingframework, trace-cmd, tsung, wings3d, xdg-user-dirs, xz-utils, zpspell.

The following packages became reproducible after getting fixed:

Uploads that might have fixed reproducibility issues:

Some uploads fixed some reproducibility issues but not all of them:

Patches submitted which have not made their way to the archive yet:

  • #795861 on fakeroot by Val Lorentz: set the mtime of all files to the time of the last debian/changelog entry.
  • #795870 on fatresize by Chris Lamb: set build date to the time of the latest debian/changelog entry.
  • #795945 on projectl by Reiner Herrmann: sort with LC_ALL set to C.
  • #795977 on dahdi-tools by Dhole: set the timezone to UTC before calling asciidoc.
  • #795981 on x11proto-input by Dhole: set the timezone to UTC before calling asciidoc.
  • #795983 on dbusada by Dhole: set the timezone to UTC before calling asciidoc.
  • #795984 on postgresql-plproxy by Dhole: set the timezone to UTC before calling asciidoc.
  • #795985 on xorg by Dhole: set the timezone to UTC before calling asciidoc.
  • #795987 on pngcheck by Dhole: set the date in the man pages to the latest debian/changelog entry.
  • #795997 on python-babel by Val Lorentz: make build timestamp independent from the timezone and remove the name of the build system locale from the documentation.
  • #796092 on a7xpg by Reiner Herrmann: sort with LC_ALL set to C.
  • #796212 on bittornado by Chris Lamb: remove umask-varying permissions.
  • #796251 on liblucy-perl by Niko Tyni: generate lib/Lucy.xs in a deterministic order.
  • #796271 on tcsh by Reiner Herrmann: sort with LC_ALL set to C.
  • #796275 on hspell by Reiner Herrmann: remove timestamp from aff files generated by mk_he_affix.
  • #796324 on fftw3 by Reiner Herrmann: remove date from documentation files.
  • #796335 on nasm by Val Lorentz: remove extra timestamps from the build system.
  • #796360 on libical by Chris Lamb: removes randomess caused Perl in generated icalderivedvalue.c.
  • #796375 on wcd by Dhole: set the date in the man pages to the latest debian/changelog entry.
  • #796376 on mapivi by Dhole: set the date in the man pages to the latest debian/changelog entry.
  • #796527 on vserver-debiantools by Dhole: set the date in the man pages to the latest debian/changelog entry.

Stéphane Glondu reported two issues regarding embedded build date in omake and cduce.

Aurélien Jarno submitted a fix for the breakage of make-dfsg test suite. As binutils now creates deterministic libraries by default, Aurélien's patch makes use of a wrapper to give the U flag to ar.

Reiner Herrmann reported an issue with pound which embeds random dhparams in its code during the build. Better solutions are yet to be found.

reproducible.debian.net

Package pages on reproducible.debian.net now have a new layout improving readability designed by Mattia Rizzolo, h01ger, and Ulrike. The navigation is now on the left as vertical space is more valuable nowadays.

armhf is now enabled on all pages except the dashboard. Actual tests on armhf are expected to start shortly. (Mattia Rizzolo, h01ger)

The limit on how many packages people can schedule using the reschedule script on Alioth has been bumped to 200. (h01ger)

mod_rewrite is now used instead of JavaScript for the form in the dashboard. (h01ger)

Following the rename of the software, “debbindiff” has mostly been replaced by either “diffoscope” or “differences” in generated HTML and IRC notification output.

Connections to UDD have been made more robust. (Mattia Rizzolo)

diffoscope development

diffoscope version 31 was released on August 21st. This version improves fuzzy-matching by using the tlsh algorithm instead of ssdeep.

New command line options are available: --max-diff-input-lines and --max-diff-block-lines to override limits on diff input and output (Reiner Herrmann), --debugger to dump the user into pdb in case of crashes (Mattia Rizzolo).

jar archives should now be detected properly (Reiner Herrman). Several general code cleanups were also done by Chris Lamb.

strip-nondeterminism development

Andrew Ayer released strip-nondeterminism version 0.010-1. Java properties file in jar should now be detected more accurately. A missing dependency spotted by Stéphane Glondu has been added.

Testing directory ordering issues: disorderfs

During the “reproducible builds” workshop at DebConf, participants identified that we were still short of a good way to test variations on filesystem behaviors (e.g. file ordering or disk usage). Andrew Ayer took a couple of hours to create disorderfs. Based on FUSE, disorderfs in an overlay filesystem that will mount the content of a directory at another location. For this first version, it will make the order in which files appear in a directory random.

Documentation update

Dhole documented how to implement support for SOURCE_DATE_EPOCH in Python, bash, Makefiles, CMake, and C.

Chris Lamb started to convert the wiki page describing SOURCE_DATE_EPOCH into a Freedesktop-like specification in the hope that it will convince more upstream to adopt it.

Package reviews

44 reviews have been removed, 192 added and 77 updated this week.

New issues identified this week: locale_dependent_order_in_devlibs_depends, randomness_in_ocaml_startup_files, randomness_in_ocaml_packed_libraries, randomness_in_ocaml_custom_executables, undeterministic_symlinking_by_rdfind, random_build_path_by_golang_compiler, and images_in_pdf_generated_by_latex.

117 new FTBFS bugs have been reported by Chris Lamb, Chris West (Faux), and Niko Tyni.

Misc.

Some reproducibility issues might face us very late. Chris Lamb noticed that the test suite for python-pykmip was now failing because its test certificates have expired. Let's hope no packages are hiding a certificate valid for 10 years somewhere in their source!

Pictures courtesy and copyright of Debian's own paparazzi: Aigars Mahinovs.