---
layout: blog
week: 136
published: 2017-12-05 14:12:34
---

Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday, November 26 and Saturday, December 2, 2017:

Media coverage
--------------

* Jelle van der Waa [wrote about Reproducible Arch Linux](http://vdwaa.nl/arch/linux/reproducible/builds/security/reproducible-builds-arch/). ([HN thread](https://news.ycombinator.com/item?id=15820356))

* On October 31st 2017, Ludovic Courtès wrote a [summary about the status of Reproducible Guix](https://gnu.org/software/guix/news/reproducible-builds-a-status-update.html), which even led to desirable side-effects such as faster downloads.

Arch Linux imap key leakage
---------------------------

A [security issue was found in the imap package](https://bugs.archlinux.org/task/56484) in Arch Linux [thanks to the reproducible builds effort](https://tests.reproducible-builds.org/archlinux/) in that distribution.

Due to a hardcoded key-generation routine in the `build()` step of `imap`'s `PKGBUILD` (the standard packaging file for Arch Linux packages), a default secret key was generated and leaked on all `imap` installations. This was prompty reviewed, confirmed and fixed by the package maintainers.

This mirrors similar security issues found in Debian, such as [#833885](https://bugs.debian.org/833885).

Debian packages reviewed and fixed, and bugs filed
-------------------------------------------

* Adrian Bunk:
    * [#882955](https://bugs.debian.org/882955) filed against [ufo-filters](https://tracker.debian.org/pkg/ufo-filters).
    * [#883100](https://bugs.debian.org/883100) filed against [ksudoku](https://tracker.debian.org/pkg/ksudoku).
    * [#883353](https://bugs.debian.org/883353) filed against [cc65](https://tracker.debian.org/pkg/cc65).
* Bernhard M. Wiedemann:
  * [systemtap](https://sourceware.org/ml/systemtap/2017-q4/msg00155.html) (drop date)
  * [python-fs](https://github.com/PyFilesystem/pyfilesystem2/pull/114) (merged, fix build in 2018)
  * [openSUSE/ltrace](https://build.opensuse.org/request/show/546771) drop test results
* Chris Lamb:
    * [#882727](https://bugs.debian.org/882727) filed against [libffi-platypus-perl](https://tracker.debian.org/pkg/libffi-platypus-perl).
    * [#882818](https://bugs.debian.org/882818) filed against [fswatch](https://tracker.debian.org/pkg/fswatch) (timestamps, [upstream](https://github.com/emcrisostomo/fswatch/pull/192))
    * [#883244](https://bugs.debian.org/883244) filed against [simavr](https://tracker.debian.org/pkg/simavr).
    * [#883339](https://bugs.debian.org/883339) filed against [properties-cpp](https://tracker.debian.org/pkg/properties-cpp).
    * [#883348](https://bugs.debian.org/883348) filed against [psychtoolbox-3](https://tracker.debian.org/pkg/psychtoolbox-3).
    * [#883359](https://bugs.debian.org/883359) filed against [at-spi2-core](https://tracker.debian.org/pkg/at-spi2-core).

In addition, 73 FTBFS bugs were detected and reported by Adrian Bunk.

Reviews of unreproducible Debian packages
----------------------------------

83 package reviews have been added, 41 have been updated and 33 have been removed in this week,
adding to our knowledge about [identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).

1 issue type was updated:

- [timestamps\_in\_source\_generated\_by_rcc](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/d86ea540)


LEDE / OpenWrt packages updates:
---------------------------------

- lynxis:
    - [lpc21isp: remove build timestamp](https://github.com/openwrt/packages/pull/5215)
    - [ddns-scripts: remove gzip timestamp](https://github.com/openwrt/packages/pull/5214)
    - [open-plc-utils: remove build timestamp](https://github.com/openwrt/packages/pull/5213)
    - [libdbi-drivers: remove build timestamp](https://github.com/openwrt/packages/pull/5207)
    - [sysstat: remove build timestamp](https://github.com/openwrt/packages/pull/5205)
    - [smcroute: make build id optional](https://github.com/openwrt-routing/packages/pull/331)
    - [mrd6: remove build timestamp](https://github.com/openwrt-routing/packages/pull/330)


diffoscope development
----------------------

- Chris Lamb:
    - [Handle case where a file to be "fuzzy" matched does not contain enough entropy (#882981)](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8599873)
    - [Make cleanup of placeholders idempotent](https://salsa.debian.org/reproducible-builds/diffoscope/commit/893a1e7)
- Mike Hommey:
    - [Extract libarchive contents with a file extension](https://salsa.debian.org/reproducible-builds/diffoscope/commit/a7c1d23)
- Ximin Luo:
    - Bug fixes:
        - [Run zipinfo on /dev/stdin instead of a variable path (Closes: #879011)](https://salsa.debian.org/reproducible-builds/diffoscope/commit/25fee28)
        - [Looser matching for .deb archive members (Closes: #881937)](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e5dc438)
    - Features/cleanup:
        - [Allow non-text formats to output an empty diff](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0670bc0)
        - [Add a Difference.from\_command\_exc to distinguish excluded commands from empty diff](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f148615)
        - [Simplify feed\_stdin into a simple stdin() instead](https://salsa.debian.org/reproducible-builds/diffoscope/commit/dcf2d40)
    - tests:
        - [Enable accidentally-disabled tests](https://salsa.debian.org/reproducible-builds/diffoscope/commit/40fd9f5)
        - Fix tests for new zipinfo behaviour [[1](https://salsa.debian.org/reproducible-builds/diffoscope/commit/9f9d8e1), [2](https://salsa.debian.org/reproducible-builds/diffoscope/commit/87d3050)]
        - [Remove the .egg file when cleaning & fix tests by adding PYTHONPATH](https://salsa.debian.org/reproducible-builds/diffoscope/commit/aef3b3d)


reprotest development
---------------------

Version [0.7.4](https://tracker.debian.org/news/889957) was uploaded to unstable by Ximin Luo.
It included [contributions](https://salsa.debian.org/reproducible-builds/reprotest/commits/debian/0.7.4)
already covered by posts of the previous weeks as well as new ones from:

- Ximin Luo:
    - New features:
        - [Allow the user to select a different diffoscope](https://salsa.debian.org/reproducible-builds/reprotest.git/commit/?id=6de8df5)
        - [Allow injection of experiment variables into diffoscope\_args](https://salsa.debian.org/reproducible-builds/reprotest.git/commit/?id=1d07fb0)
    - Bug fixes:
        - [Fix the time variation to actually make the time constant](https://salsa.debian.org/reproducible-builds/reprotest.git/commit/?id=acff508)
        - [fix diffoscope\_args defaults for new behaviour](https://salsa.debian.org/reproducible-builds/reprotest.git/commit/?id=71a5182)
        - [Make --no-clean-on-error more reliable](https://salsa.debian.org/reproducible-builds/reprotest.git/commit/?id=131e918)
        - [Don't conflict --min-cpus with --auto-build etc](https://salsa.debian.org/reproducible-builds/reprotest.git/commit/?id=8f84d01)
    - Tests:
        - [Use double quotes to work around autopkgtest (see #870098)](https://salsa.debian.org/reproducible-builds/reprotest.git/commit/?id=c02e74e)
        - Suppress some warnings [[1](https://salsa.debian.org/reproducible-builds/reprotest.git/commit/?id=4245a2a), [2](https://salsa.debian.org/reproducible-builds/reprotest.git/commit/?id=9d9dd04)]
        - Autopkgtest work [[1](https://salsa.debian.org/reproducible-builds/reprotest.git/commit/?id=4426c5e), [2](https://salsa.debian.org/reproducible-builds/reprotest.git/commit/?id=789132f), [3](https://salsa.debian.org/reproducible-builds/reprotest.git/commit/?id=56e1b44)]
    - Documentation:
        - [Fix syntax drop old comments](https://salsa.debian.org/reproducible-builds/reprotest.git/commit/?id=c44773b)
        - [Move main package description to README.rst](https://salsa.debian.org/reproducible-builds/reprotest.git/commit/?id=fbb1b6a)


reproducible-website development
--------------------------------

* kpcyrd [added a blog link to the navigation](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2fc5f6b).


tests.reproducible-builds.org
-----------------------------

- Holger Levsen:
    - A huge effort was made in [introducing Archlinux to our testing framework](https://tests.reproducible-builds.org/archlinux/archlinux.html), including:
        - Scheduler:
            - [Add an extremely simple scheduler](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=e901d066)
            - [Check for new packages every day (instead of every 2)](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=368d055b)
            - [Schedule newer versions automatically](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=e6346092)
            - [Prefer manually triggered packages over new packages](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=5c2b989a)
            - [Detect versions of packages of `any` arch](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=2809fdde)
            - [Schedule 'old' packages which haven't been tested yet](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=735a2b36)
        - Features:
            - [Generate graphs](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=5fc61d7c)
            - [Introduce IRC notifications for unreproducible packages](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=d46390f6)
            - Improve summary page ([1](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=ac1e8f8f), [2](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=75c22af3))
        - Bug fixes:
            - [Use 'undetermined' if we cannot determine the version...](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=812e249a)
            - [Detect SSL verify failures within bzr](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=30ab7bd0)
            - [Atomically update repositories](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=710a3d04)
        - Logging/Output:
            - [Merge test date+duration and build1+build2.log into one column](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=e1a21009)
            - [Always log amounts](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=30ff0113)
            - [Improve job output](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=b38ad949)
            - [Record version being built and include prefer this when later determining version](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=ee0eaca9)
            - Sort packages ([1](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=c310bae7), [2](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=d374bb24))
            - [Include timestamp since when the package is building](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=4f7af90d)
            - [Write yesterdays stats today if they don't exist yet](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=5c1bf7ff)
            - [Improve test duration formatting](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=df6293ff)
            - [Record and display test duration](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=6a6c44ba)
        - Documentation:
            - [Outline further work on html and scheduler](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=f5d95f36)
            - [Explain that actually hour/minute variations are also more likely](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=044bece8)
            - [Emphasize the build path is not varied yet](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=64e51c31)
    - General:
        - [The hostname is varied in LEDE, Arch Linux and OpenWrt](https://salsa.debian.org/reproducible-builds/jenkins.debian.net.git/commit/?id=bf259eee)
    - Debian reproducibility:
        - [Disable APT's pdiffs](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=94b54a2e)
    - Misc:
        - [Be more verbose when deploying jobs](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=76b11fd8)
        - [Ignore some warnings in commit messages](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=261a781d)
        - [Emit IRC notifications to `#lede-dev` on Freenode](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=bbbb35ed)

- Chris Lamb:
    - [Ignore "warning" etc. in commit messages](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=70f4d6a9)

- Hans-Christoph Steiner continued his work on reproducible [F-Droid](https://f-droid.org/en/):
    - [Always wait for successful `git fetch`](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=715102a8)
    - [Include new Python dependencies](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=fb94269b)

- lynxis:
    - [Update references to `sources.debian.org`](https://anonscm.debian.org/git/qa/jenkins.debian.net.git/commit/?id=abe238c3)

Misc.
-----

This week's edition was written by Alexander Couzens, Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Santiago Torres-Arias, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.