---
layout: blog
week: 183
published: 2018-10-30 12:50:17
---

**If you are interested in attending the Reproducible Builds summit in Paris between 11th—13th December please see [the event page](https://reproducible-builds.org/events/paris2018/).** In the meantime, here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday October 21 and Saturday October 27 2018:

* Allen "Gunner" Gunn — the facilitator at our summit meetings — discussed the Reproducible Builds [on a recent episode of The Changelog podcast](https://changelog.com/podcast/bonus-sustainoss-2018) at about 12m00s.

* [Lisa Neigut](https://basicbitch.software/) wrote a blog post entitled "[Reproducible builds with Bitcoin, Tor and Turtles](https://basicbitch.software/posts/2018-10-25-Reproducible-builds-with-Bitcoin-Tor-and-turtles.html)" referencing the [Turtles](https://github.com/theuni/turtles) project by Cory Fields as well as [Tor](https://www.torproject.org/).

* Bernhard M. Wiedemann posted a status update to the [opensuse-factory mailing list](https://lists.opensuse.org/opensuse-factory/) on the [current state of reproducible builds](https://lists.opensuse.org/opensuse-factory/2018-10/msg00242.html) in [openSUSE](https://www.opensuse.org/).

* Vagrant Cascadian [announced](https://lists.reproducible-builds.org/pipermail/rb-general/2018-October/001227.html) that he has [begun uploading `.buildinfo` files from the Debian archive](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862073#39) to the experimental [buildinfo.debian.net](https://buildinfo.debian.net/) service.

* David A. Wheeler started a thread on [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general) enquiring on the [status of core reproducibility in Debian](https://lists.reproducible-builds.org/pipermail/rb-general/2018-October/001215.html).

* It was [announced](https://twitter.com/SFScon/status/1055071106552475648) that Chris Lamb will be presenting in on Reproducible Builds at the [SFScon](https://www.sfscon.it) conference in Bozen, Italy on [reproducible builds and how they can prevent developers from becoming targets of various attacks](https://www.sfscon.it/talks/you-think-youre-not-a-target-a-tale-of-three-developers/). In addition, Arnout Engelen and Jelle van der Waa will present at [HackerHotel](https://hackerhotel.nl/) in mid-February 2019 on ["Improving Open Source Security with Reproducible Builds"](https://hackerhotel.nl/index.php/lectures/).

* The [CMake](https://cmake.org) build system documented a new [`BUILD_RPATH_USE_ORIGIN`](https://cmake.org/cmake/help/git-master/prop_tgt/BUILD_RPATH_USE_ORIGIN.html) flag that determines whether to use (typically unreproducible) absolute build paths versus relative ones in the [`rpath`](https://en.wikipedia.org/wiki/Rpath) library search path header found in executables on UNIX systems.

* Chris Lamb added a [Salsa ribbon](https://lamby.pages.debian.net/salsa-ribbons/) to the [diffoscope.org](https://diffoscope.org/) website. [[...](https://salsa.debian.org/reproducible-builds/diffoscope-website/commit/114e8ef)]

* Bernhard M. Wiedemann gave an [update on the openSUSE reproducible builds status](https://lists.opensuse.org/opensuse-factory/2018-10/msg00242.html), including details on remaining issues with 57 important packages.

* Jelle van der Waa [held an IRC meeting](https://lists.reproducible-builds.org/pipermail/rb-general/2018-October/001213.html) on 23th of October.

* 44 Debian package reviews were added, 6 were updated and 15 were removed in this week, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).


Packages reviewed and fixed, and bugs filed
-------------------------------------------

* Bernhard M. Wiedemann:

    * [ant/jar](http://bugzilla.opensuse.org/show_bug.cgi?id=1110024) — `noarch`, rebuild-counter)
    * [daps/release-notes-openSUSE](https://github.com/openSUSE/daps/issues/482) — date, time & other
    * [docker/cobra](https://github.com/spf13/cobra/pull/735) — merged, date
    * [gnome-builder](https://build.opensuse.org/request/show/644025) — drop `environment.pickle`
    * [infinipath-psm](https://build.opensuse.org/request/show/644077) — date
    * [libressl](https://build.opensuse.org/request/show/643837) — FTBFS-j1
    * [open-iscsi](https://build.opensuse.org/request/show/644084) — fix date in manpages
    * [python-Kivy](https://github.com/kivy/kivy/pull/6008) — merged, date
    * [qpid-proton](https://build.opensuse.org/request/show/644081) — sort Python [glob](https://en.wikipedia.org/wiki/Glob_(programming)) / `readdir(2)`
    * [qt5-qtbase](https://codereview.qt-project.org/243636) — use [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/specs/source-date-epoch/) as the file modification time
    * [xen](https://build.opensuse.org/request/show/644624) — date, time, random, [tried to upstream](https://lists.xenproject.org/archives/html/xen-devel/2018-10/msg01850.html) the patch to drop the `.efi` [Portable Executable](https://en.wikipedia.org/wiki/Portable_Executable) (PE) timestamps, and then try to address it in [binutils](https://sourceware.org/ml/binutils/2018-10/msg00279.html) (use `SOURCE_DATE_EPOCH` for PE timestamp)

* Chris Lamb:
    * [#911804](https://bugs.debian.org/911804) filed against [wit](https://tracker.debian.org/pkg/wit) — buildpath.
    * [#911757](https://bugs.debian.org/911757) filed against [zsh-antigen](https://tracker.debian.org/pkg/zsh-antigen) — timestamps.

* Marina Moore:
    * [librabbitmq](https://github.com/alanxz/rabbitmq-c/pull/535) — Use `CMAKE_SYSTEM_NAME` instead of `CMAKE_SYSTEM`.
    * [golang-go-flags](https://salsa.debian.org/go-team/packages/golang-go-flags/merge_requests/1) — Use `SOURCE_DATE_EPOCH`.


diffoscope development
----------------------

[diffoscope](https://diffoscope.org/) is our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages. This week, version `104` was [uploaded to Debian unstable](https://tracker.debian.org/news/998089/accepted-diffoscope-104-source-into-unstable/) by Mattia Rizzolo. It [included contributions already covered in previous weeks](https://salsa.debian.org/reproducible-builds/diffoscope/commits/104) as well as new ones from:

* Chris Lamb:
    * [Prevent test failures when running under `stretch-backports` by checking the OCaml version number.](https://salsa.debian.org/reproducible-builds/diffoscope/commit/554c9a2). ( [#911846](https://bugs.debian.org/911846))
    * [Add support for comparing PDF metadata using PyPDF2](https://salsa.debian.org/reproducible-builds/diffoscope/commit/4e7ba71). ([#911446](https://bugs.debian.org/911446))
    * [Correct "didnt" typo in test utilities](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f5b3a7a).
    * [Regenerate `debian/tests/control` with no material changes to "add" a regeneration comment](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f8fc0ba).

* Mattia Rizzolo:
    * [Compute the test coverage on GitLab](https://salsa.debian.org/reproducible-builds/diffoscope/commit/65a2cba).
    * [Reinstate Build-Depends and Test-Depends for `apktool` as it is now back in Debian "buster"](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f4a93c1).
    * [Declare compatibility with Python 3.7 for PyPI metadata](https://salsa.debian.org/reproducible-builds/diffoscope/commit/11ed843).
    * [Clean up `.pytest_cache`](https://salsa.debian.org/reproducible-builds/diffoscope/commit/a56a234).
    * [Ensure the correct fallback from `procyon` to `javap` also when procyon exists but doesn't return any output](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c8f1ccc)


disorderfs development
----------------------

disorderfs (our [FUSE](https://github.com/libfuse/libfuse)-based filesystem that deliberately introduces non-determinism into filesystems) version `0.5.5-1` was [uploaded to Debian unstable](https://tracker.debian.org/news/997902/accepted-disorderfs-055-1-source-amd64-into-unstable/) by Chris Lamb. It [included contributions already covered in previous weeks](https://salsa.debian.org/reproducible-builds/disorderfs/commits/debian/0.5.5-1) as well as new ones from:

* Bernhard M. Wiedemann:
    * [Include and use a `run-parts.sh` for tests](https://salsa.debian.org/reproducible-builds/disorderfs/commit/1e163ac) as this a Debian-specific utility.
    * Use [lazy unmount](https://salsa.debian.org/reproducible-builds/disorderfs/commit/6c21d49) and [`-q` for `fusermount`](https://salsa.debian.org/reproducible-builds/disorderfs/commit/863487e) when running the testsuite.

* Chris Lamb:
    * [Inform FUSE that we wrap and thus accept the `UTIME_OMIT` (and `UTIME_NOW`) magic values to ensure that `touch -m …` and `touch -a …` work as expected](https://salsa.debian.org/reproducible-builds/disorderfs/commit/e58c31a). ([#911281](https://bugs.debian.org/911281))
    * [Failing an "XFail" test should be a failure](https://salsa.debian.org/reproducible-builds/disorderfs/commit/80402ea).
    * [Tidy tests](https://salsa.debian.org/reproducible-builds/disorderfs/commit/fb34e61).


reproducible-website development
--------------------------------

* Chris Lamb:
    * Add [step-by-step instructions and screenshots](https://reproducible-builds.org/contribute/salsa) on how to signup to our project on [Salsa](https://salsa.debian.org/). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/56681cf)]
    * Migrate the [TimestampsProposal](https://wiki.debian.org/ReproducibleBuilds/TimestampsProposal) page on the Debian Wiki [to our website](https://reproducible-builds.org/specs/source-date-epoch/). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c2a6e6a)]
    * [Update logo to "real" white background, not a colour very close to white](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/802bedf).

* Holger Levsen:

    * Update the [Paris 2018 summit page](https://reproducible-builds.org/events/paris2018/) to [improve some language](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/79aba5a) and to add a [add a remark about the schedule](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a82716a).

* Vagrant Cascadian:

    * Fix broken `DebianPts` links to use [tracker.debian.org](https://tracker.debian.org/) after an import from the Debian Wiki on the "[Contribute](https://reproducible-builds.org/contribute/) page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/646f14b).]
    * [Note that we longer need a logo; we have one](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/24bb690).


Test framework development
--------------------------

There were a number of updates to our [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org/) by Holger Levsen this week, including:

* Notify the `#reprodudicible-builds` IRC channel on "notes" job failures. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cfe1a303)]
* Fix the [F-Droid](https://f-droid.org/) development package set. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2d0aafcd)]
* Send IRC "notifications" to the `#reproducible-builds` channel. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/34494763)]
* Attempt to fix the `disorderfs` and `reprotests` jobs. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/94c170f1)]
* Ignore [diffoscope](https://diffoscope.org/) jobs in health view as they are already covered in the node health view. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/35681ad2)]
* Correctly calculate the percentage of reproducible packages and images in [OpenWrt](https://openwrt.org/). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f67e6260)]

Chris Lamb also [suppressed some warnings from the cryptsetup initramfs hook](https://salsa.debian.org/qa/jenkins.debian.net/commit/b22a4ea7) which were causing some builds to be marked as "unstable".

---

This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Jelle van der Waa, Marina Moore, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.