What happened in the reproducible builds effort between December 20th and December 26th:

Toolchain fixes

Mattia Rizzolo rebased our experimental versions of debhelper (twice!) and dpkg on top of the latest releases.

Reiner Herrmann submitted a patch for mozilla-devscripts to sort the file list in generated preferences.js files.
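An added example (not code from mozilla-devscripts or from this report) of why an unsorted file list makes a generated file unreproducible and how sorting the list fixes it. The `pref()` line format, the file names and the two simulated listing orders are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def simulated_readdir(path, variant):
    """List a directory in one of two arbitrary but valid orders.

    readdir() promises no order; this stands in for two build hosts (or a
    disorderfs mount) returning the same entries differently.
    """
    names = sorted(os.listdir(path))
    return names[::-1] if variant == 0 else names[1:] + names[:1]

def generate_prefs(names, sort_entries):
    """Hypothetical generator: emit one pref() line per file, as bytes."""
    if sort_entries:
        # sorted() on str compares code points, so it is locale-independent.
        names = sorted(names)
    return "".join('pref("example.include.%s", true);\n' % n for n in names).encode()

def build_twice(path, sort_entries):
    """Generate the file under both listing orders and return the two digests."""
    return [
        hashlib.sha256(generate_prefs(simulated_readdir(path, v), sort_entries)).hexdigest()
        for v in (0, 1)
    ]

def demo():
    """Return (digests without sorting, digests with sorting) for a sample tree."""
    with tempfile.TemporaryDirectory() as tree:
        for name in ("zoom.js", "alpha.js", "Beta.js", "net.js", "ui.js"):  # constructed sample
            open(os.path.join(tree, name), "w").close()
        return build_twice(tree, False), build_twice(tree, True)

if __name__ == "__main__":
    unsorted_digests, sorted_digests = demo()
    print("unsorted reproducible:", unsorted_digests[0] == unsorted_digests[1])
    print("sorted reproducible:  ", sorted_digests[0] == sorted_digests[1])
```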

To be able to lift the restriction that packages must be built in the same path, translation support for the __FILE__ C pre-processor macro would also be required. Joerg Sonnenberger submitted a patch back in 2010 that would still be useful today.

Chris Lamb started work on providing a deterministic mode for debootstrap.

Packages fixed

The following packages have become reproducible due to changes in their build dependencies: bouncycastle, cairo-dock-plug-ins, darktable, gshare, libgpod, pafy, ruby-redis-namespace, ruby-rouge, sparkleshare.

The following packages became reproducible after getting fixed:

Some uploads fixed some reproducibility issues, but not all of them:

Patches submitted which have not made their way to the archive yet:

reproducible.debian.net

Statistics for package sets are now visible for the armhf architecture. (h01ger)

The second build now has a longer timeout (18 hours) than the first build (12 hours). This should prevent wasting resources when a machine is loaded. (h01ger)

Builds of Arch Linux packages are now done using a tmpfs. (h01ger)

200 GiB have been added to jenkins.debian.net (thanks to ProfitBricks!) to make room for new jobs. The current count is at 962 and growing!

diffoscope development

Aside from some minor bug fixes, a one-line change brought huge memory (and time) savings: the output of transformation tools is now streamed line by line instead of being loaded entirely into memory at once.

disorderfs development

Andrew Ayer released disorderfs version 0.4.2-1 on December 22nd. It fixes a memory corruption error when processing command line arguments that could cause command line options to be ignored.

Documentation update

Many small improvements for the documentation on reproducible-builds.org sent by Georg Koppen were merged.

Package reviews

666 (!) reviews have been removed, 189 added and 162 updated in the previous week.

151 new fail to build from source reports have been made by Chris West, Chris Lamb, Mattia Rizzolo, and Niko Tyni.

New issues identified: unsorted_filelist_in_xul_ext_preferences, nondeterminstic_output_generated_by_moarvm.

Misc.

Steven Chamberlain drew our attention to one analysis of the Juniper ScreenOS Authentication Backdoor: “Whilst this may have been added in source code, it was well-disguised in the disassembly and just 7 instructions long. I thought this was a good example of the current state-of-the-art, and why we'd like our binaries and eventually, installer and VM images reproducible IMHO.”

Joanna Rutkowska has mentioned possible ways for Qubes to become reproducible on their development mailing-list.