---
layout: blog
week: 168
published: 2018-07-17 11:51:13
---

Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday July 8 and Saturday July 14 2018:

* Derek Zimmer wrote a post entitled [Solving an Old Open Source Problem to Improve Security](https://www.privateinternetaccess.com/blog/2018/07/reproducible-builds-solving-an-old-open-source-problem-to-improve-security/) on the [PrivateinternetAccess](https://www.privateinternetaccess.com) blog.

* Mathias Clasen wrote a short text about [reproducing flatpacks from source](https://blogs.gnome.org/mclasen/2018/07/07/flatpak-making-contribution-easy/)


* Ross Vandegrift posted to [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general) asking a [question about the doxygen documentatin generators's `$year` variable and `SOURCE_DATE_EPOCH`](https://lists.reproducible-builds.org/pipermail/rb-general/2018-July/001075.html).

* Chris Lamb added a link to our website's [resources](https://reproducible-builds.org/resources/) page to add a video link for the talk he gave on Wednesday 13th June at [foss-backstage.de](https://foss-backstage.de) in Berlin, Germany on reproducible builds and [how they prevent developers being targets for malicious attacks](https://foss-backstage.de/session/think-youre-not-target-tale-3-developers).

* Vagrant Cascadian [removed various `armhf` systems with only 1GB of RAM](https://salsa.debian.org/qa/jenkins.debian.net/commit/91e179d9) from the [Reproducible Builds testing framework](http://tests.reproducible-builds.org/).

* There was significant progress on Debian bug [#894476](https://bugs.debian.org/894476) ("rcc: please honour `SOURCE_DATE_EPOCH`")

* Vagrant Cascadian worked on [Debian packaging for Mes](https://bugs.debian.org/902174), with help from Jan Nieuwenhuizen.

* 6 package reviews were added, 3 have been updated and 6 were removed in this week, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). In addition, two issue types ([variations\_from\_march\_native](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/89029ae8) and [randomness\_in\_documentation\_generated\_by\_lua\_ldoc](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/06fc7acd)) were added. Lastly, two new classes of issue were added to [theunreproduciblepackage](https://github.com/bmwiedemann/theunreproduciblepackage/tree/master/compile-time-check/).


Packages reviewed and fixed, and bugs filed
-------------------------------------------

* Bernhard M. Wiedemann:
    * [bash](https://bugzilla.opensuse.org/show_bug.cgi?id=1100488) (strcpy memory corruption, [sent upstream](http://lists.gnu.org/archive/html/bug-bash/2018-07/msg00010.html))
    * [courier-imap](https://github.com/svarshavchik/courier-libs/pull/10) (merged, date, use `SOURCE_DATE_EPOCH`)
    * [dapl](https://build.opensuse.org/request/show/622857) (date, use `SOURCE_DATE_EPOCH`)
    * [dosemu](https://build.opensuse.org/request/show/622368) (merged, [submitted and merged upstream](https://github.com/stsp/dosemu2/pull/640) date, use `SOURCE_DATE_EPOCH`)
    * [fflas-ffpack](https://build.opensuse.org/request/show/622370) (compile time CPU detection)
    * [form](https://build.opensuse.org/request/show/621791) (drop `march=native`)
    * [givaro](https://build.opensuse.org/request/show/622366) (compile time CPU detection)
    * [glucat](https://build.opensuse.org/request/show/621954) (drop `march=native` ([bug](https://bugzilla.opensuse.org/show_bug.cgi?id=1100520)))
    * [infinipath-psm](https://build.opensuse.org/request/show/622529) (date, use `SOURCE_DATE_EPOCH`)
    * [lam](https://build.opensuse.org/request/show/621765) (fix date and hostname)
    * [legion](https://build.opensuse.org/request/show/621947) (drop march=native)
    * [librsb](https://build.opensuse.org/request/show/622196) (don't store compile CPU cache details)
    * [linux-glibc-devel](https://build.opensuse.org/request/show/622351) (`uname -r`)
    * [lv2](https://build.opensuse.org/request/show/621773) (use upstreamed patches)
    * [opa-fm](https://build.opensuse.org/request/show/622572) (date, use `SOURCE_DATE_EPOCH`)
    * [openSUSE build env](https://github.com/openSUSE/post-build-checks/pull/20) (fix all `pdflatex` timestamps)
    * [pidentd](https://build.opensuse.org/request/show/622364) (`uname -r`)
    * [python-annoy](https://build.opensuse.org/request/show/621794) (drop march=native)
    * [python-libsass](https://build.opensuse.org/request/show/622824) (sort `readdir(2)`)
    * [qore](https://build.opensuse.org/request/show/622345) (`uname -a`)
    * [redis](https://build.opensuse.org/request/show/622155) (date and hostname)
    * [sudo](https://build.opensuse.org/request/show/622342) (build races?)
    * [trigger-rally](https://build.opensuse.org/request/show/621952) (drop `march=native` and `mtune=native`)
    * [tuxpaint-config](https://build.opensuse.org/request/show/622524) (date, use `SOURCE_DATE_EPOCH`)
    * [tuxpaint](https://build.opensuse.org/request/show/622523) (date, use `SOURCE_DATE_EPOCH`; [submitted upstream](https://sourceforge.net/p/tuxpaint/tuxpaint/merge-requests/4/))

* Chris Lamb:
    * [#903442](https://bugs.debian.org/903442) filed against [ogdi-dfsg](https://tracker.debian.org/pkg/ogdi-dfsg).

* Evgeny Kapun:
    * [#903580](https://bugs.debian.org/903580) filed against [aegisub](https://tracker.debian.org/pkg/aegisub).


diffoscope development
----------------------

[diffoscope](https://diffoscope.org) is our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages. This week, diffoscope version `99` was [uploaded to Debian unstable](https://tracker.debian.org/news/971762/accepted-diffoscope-99-source-into-unstable/) by Mattia Rizzolo. It [includes contributions already covered in previous weeks](https://salsa.debian.org/reproducible-builds/diffoscope/commits/99) as well as new ones from:


* `anthraxx`:
    * [Add compatibility with `python-libarchive` >= 2.8](https://salsa.debian.org/reproducible-builds/diffoscope/commit/5ed8e48).

* Chris Lamb:
    * [Support `.deb` archives that contain an uncompressed `data.tar`](https://salsa.debian.org/reproducible-builds/diffoscope/commit/185077c). ([#903401](https://bugs.debian.org/903401))
    * [Support `.deb` archives that contain an uncompressed `control.tar`](https://salsa.debian.org/reproducible-builds/diffoscope/commit/dc9ee98). ([#903391](https://bugs.debian.org/903391))

* Mattia Rizzolo:
    * [Do not shadow original import errors when loading comparators](https://salsa.debian.org/reproducible-builds/diffoscope/commit/90028d4).
    * [Fix `override_dh_clean-does-not-call-dh_clean` Lintian warning](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c0ebadd).
    * [Autogenerate `debian/tests/control` with all the recommends listed as dependencies](https://salsa.debian.org/reproducible-builds/diffoscope/commit/58ec1c7).
    * [Add a build-dependency on `procyon-decompiler` to run the tests](https://salsa.debian.org/reproducible-builds/diffoscope/commit/3c05e56).
    * [Always clean the line before printing a log message](https://salsa.debian.org/reproducible-builds/diffoscope/commit/615095a).
    * [Clean the terminal line before printing a traceback](https://salsa.debian.org/reproducible-builds/diffoscope/commit/fd6eff9).
    * [Remove terminal line cleaning; it is handled by the logging module](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e75be7e).
    * [Fix a test if `/sbin` contains a directory](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8c2b079).


reprotest development
---------------------

`reprotest` is our "end-user" tool to build arbitrary software and check it for reproducibility. This week, version `0.7.8` was [uploaded to Debian unstable](https://tracker.debian.org/news/972031/accepted-reprotest-078-source-into-unstable/) by Mattia Rizzolo. It [includes contributions already covered in previous weeks](https://salsa.debian.org/reproducible-builds/reprotest/commits/debian/0.7.8) as additional contributions from Mattia, including:

* [Don't `Recommend` `diffutils`  as it is an `Essential:yes` package](https://salsa.debian.org/reproducible-builds/reprotest/commit/823d543).
* [Point `debian/watch` towards our new release archive](https://salsa.debian.org/reproducible-builds/reprotest/commit/c614a3c).
* [Fix spelling errors in documentation strings](https://salsa.debian.org/reproducible-builds/reprotest/commit/7173f93).
* [Use `/usr/share/dpkg/pkg-info.m` to avoid shelling out to `dpkg-parsechangelog`](https://salsa.debian.org/reproducible-builds/reprotest/commit/d08174f).
* [Recommend `diffoscope` by itself instead as an alternative to `diffutils`](https://salsa.debian.org/reproducible-builds/reprotest/commit/f32a30c).


Misc.
-----

This week's edition was written by Bernhard M. Wiedemann, Chris Lamb & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.