---
layout: blog
week: 172
published: 2018-08-14 06:17:52
---

Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday August 5 and Saturday August 11 2018:


* The [Prototype Fund](https://prototypefund.de/) noted in a Tweet how [two of its newly-supported projects complement each other](https://twitter.com/prototypefund/status/1027088342071029761), one of them being the Reproducible Builds and the other being the [Briar Project](https://briarproject.org/), a secure messaging platform intended to "create safe spaces to debate any topic, plan events, and organise social movements."

* Levente Polyak's proposal to [make rubygems set `SOURCE_DATE_EPOCH` by default to make all gems reproducible](https://github.com/rubygems/rubygems/issues/2290) was re-opened after it was previously closed as "wontfix".

* [Mes](https://gitlab.com/janneke/mes), a Scheme-based compiler for our "sister" [bootstrappable builds](http://bootstrappable.org) effort, [announced their 0.17 release](https://lists.reproducible-builds.org/pipermail/rb-general/2018-August/001106.html).

* The [Briar Project](https://briarproject.org/) wrote about their [effort to make their Android app build reproducibly](https://blog.grobox.de/2018/building-briar-reproducible-and-why-it-matters/); their one remaining issue regards `readdir` order influencing an `.arsc` file.

* Ryan Scott [fixed the `--extra-build` flag](https://salsa.debian.org/reproducible-builds/reprotest/commit/65960de) in `reprotest`, our "end-user" tool to build arbitrary software and check it for reproducibility.

* Vagrant Cascadian [opened a wishlist request](https://github.com/lamby/buildinfo.debian.net/issues/49) against [buildinfo.debian.net](https://buildinfo.debian.net/) (our experiment into how to process, store and distribute `.buildinfo` files after the Debian package management tools have generated them) to try and find a solution to checking matches against the actual Debian archive.

* There were a number of changes to our [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org/), including Chris Lamb submitting a merge request to [ensure that we print "0" (and not an empty) string when a division denominator is zero](https://salsa.debian.org/qa/jenkins.debian.net/merge_requests/9) and Mattia Rizzolo [modifying Jekyll to run in incremental mode](https://salsa.debian.org/qa/jenkins.debian.net/commit/5b2360df) to improve the caching of [our website](https://reproducible-builds.org/).

* On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general), Arnout Engelen started two discussions around [comparing the Debian and Archlinux approaches to `.buildinfo` files](https://lists.reproducible-builds.org/pipermail/rb-general/2018-August/001105.html) which came from a [previous discussion about filename conventions](https://lists.reproducible-builds.org/pipermail/rb-general/2018-August/001103.html).

* New sources of non-determinism regarding [inode numbers](https://en.wikipedia.org/wiki/Inode), `ctime` and certain filesystem-dependent sizes have been added to Bernhard Wiedemann's [theunreproduciblepackage](https://github.com/bmwiedemann/theunreproduciblepackage).

* 14 package reviews were added, 10 were updated and 16 were removed in this week, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).

* Holger renewed the [reproducible-builds.org](https://reproducible-builds.org) domain name for the fourth year and Chris Lamb added the recent [DebConf18](https://debconf18.debconf.org/) presentations with metadata to our website's [Resources](https://reproducible-builds.org/resources/) page [(commit)](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/608b904).

* Don't forget that a number of Reproducible Builds team were presenting at [DebConf18](https://debconf18.debconf.org/) the annual Debian Developers conference: Benjamin Hof gave a talk titled [Software transparency: package security beyond signatures and reproducible builds](https://debconf18.debconf.org/talks/104-software-transparency-package-security-beyond-signatures-and-reproducible-builds/)" and there was also a status update from the team entitled "[Reproducible Buster and beyond](https://debconf18.debconf.org/talks/80-reproducible-buster-and-beyond/)". These, and many more talks, are available [Resources](https://reproducible-builds.org/resources/) section of our website. Finally, the conference also featured the performance of a cover which to the best of our knowledge is the first time song lyrics [refer to reproducible builds](https://salsa.debian.org/holger/under-DFSG/blob/master/under-DFSG.txt#L30).


Packages reviewed and fixed, and bugs filed
-------------------------------------------

* Toolchain patches:
    * The [GNU make](https://www.gnu.org/software/make/) project [merged a patch to have sorted globs again](https://savannah.gnu.org/bugs/?52076), helping to make many packages more reproducible.
    * util-linux [made it easier to disable ASLR](https://github.com/karelzak/util-linux/issues/668) with `setarch -R $PROGRAM`.

* In addition, Bernhard M. Wiedemann worked on:
    * [gcompris](https://build.opensuse.org/request/show/627391) (date)
    * [splint](https://build.opensuse.org/request/show/627757) (username, `uname -a`)
    * [libheimdal](https://build.opensuse.org/request/show/627941) (hostname, date)
    * [docker](https://build.opensuse.org/request/show/628476) (date)
    * [syncthing](https://build.opensuse.org/request/show/628525) ([date](https://github.com/syncthing/syncthing/commit/c51365c634c9687009778caf097ba059b88f8805) via a version update to `0.14.49`)
    * [gromacs](https://gerrit.gromacs.org/8156) (CPU-detection, host, user)
    * [fwnn](https://osdn.net/projects/freewnn/ticket/38482) (orphaned, fix hostname,date, inode, random)
    * [gtranslator](https://gitlab.gnome.org/GNOME/gtranslator/merge_requests/3) (merged, date)

* Simon Schricker:
    * [systemtap](https://build.opensuse.org/request/show/627384) ([drop date](https://sourceware.org/ml/systemtap/2017-q4/msg00166.html) via version update)
    * cleaned up [reproducibleopensuse scripts](https://github.com/bmwiedemann/reproducibleopensuse/pull/1)
    * fixed a Bashism in [theunreproduciblepackage](https://github.com/bmwiedemann/theunreproduciblepackage/pull/5)

diffoscope development
----------------------

There were a handful of updates to [diffoscope](https://diffoscope.org), our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages:

* Chris Lamb:
    * [Don't include the filename in the `llvm-bcanalyzer` output](https://salsa.debian.org/reproducible-builds/diffoscope/commit/1599b01). ([#905598](https://bugs.debian.org/905598))

* Mattia Rizzolo:
    * [Explicitly add `file` to the dependencies of the autopkgtests to have the tests triggered whenever the `file` package changes](https://salsa.debian.org/reproducible-builds/diffoscope/commit/fc0ae56).

* Ricardo Gaviria:
    * [Handle error when encrypted archive file is extracted.](https://salsa.debian.org/reproducible-builds/diffoscope/commit/a6beb04). ([#904685](https://bugs.debian.org/904685))

jenkins.debian.net development
------------------------------



Misc.
-----

This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.