If you see someone on the Debian ReproducibleBuilds project, buy him/her a beer. This work is awesome.

What happened in the reproducible builds effort this week:

Media coverage

Nathan Willis covered our DebConf15 status update in Linux Weekly News. Access for non-LWN subscribers will be given on Thursday 24th.

Linux Journal published a more general piece last Tuesday.

Unexpected praise for reproducible builds appeared this week in the form of several iOS applications identified as including spyware. The malware went undetected by Apple's screening. This happened because application developers had simply downloaded a trojaned version of Xcode from an unofficial source. While reproducible builds can't really help users of non-free software, this is exactly the kind of attack that we are trying to prevent in our systems.

Toolchain fixes

Niko Tyni wrote and uploaded a better patch for the source order problem in libmodule-build-perl.

Tristan Seligmann identified how the code generated by python-cffi could be emitted in random order in some cases. Upstream has already fixed the problem.

Packages fixed

The following 24 packages became reproducible due to changes in their build dependencies: apache-curator, checkbox-ng, gant, gnome-clocks, hawtjni, jackrabbit, jersey1, libjsr305-java, mathjax-docs, mlpy, moap, octave-geometry, paste, pdf.js, pyinotify, pytango, python-asyncssh, python-mock, python-openid, python-repoze.who, shadow, swift, tcpwatch-httpproxy, transfig.

The following packages became reproducible after getting fixed:

Some uploads fixed some reproducibility issues but not all of them:

Patches submitted which have not made their way to the archive yet:

reproducible.debian.net

Tests for Coreboot, OpenWrt, NetBSD, and FreeBSD now run weekly (instead of monthly).

diffoscope development

Python 3 offers new features (namely yield from and concurrent.futures) that could help implement parallel processing. The clear separation of bytes and unicode strings is also likely to reduce encoding-related issues.

Mattia Rizzolo thus kicked off the effort of porting diffoscope to Python 3. tlsh was the only dependency missing a Python 3 module. This was quickly fixed by a new upload.

The rest of the code has been moved to the point where only incompatibilities between Python 2.7 and Python 3.4 had to be changed. The commit stream still requires some cleanup, but all tests are now passing under Python 3.

Documentation update

The documentation on how to assemble the weekly reports has been updated. (Lunar)

The example on how to use SOURCE_DATE_EPOCH with CMake has been improved. (Ben Boeckel, Daniel Kahn Gillmor)

The solution for timestamps in man pages generated by Sphinx now uses SOURCE_DATE_EPOCH. (Mattia Rizzolo)

Package reviews

45 reviews have been removed, 141 added and 62 updated this week.

67 new FTBFS reports have been filed by Chris Lamb, Niko Tyni, and Lisandro Damián Nicanor Pérez Meyer.

New issues added this week: randomness_in_r_rdb_rds_databases, python-ply_compiled_parse_tables.

Misc.

The prebuilder script is now properly testing umask variations again.

Santiago Vila started a discussion on debian-devel on how binNMUs would work for reproducible builds.