---
layout: blog
week: 186
published: 2018-11-20 13:16:40
---

Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday November 11 and Saturday November 17 2018:

* Code review for the [LLVM](https://llvm.org/) compiler to [support the `-fmacro-prefix-map` argument](https://reviews.llvm.org/D49466) is currently in progress. Like the `-fdebug-prefix-map` flag, this argument replaces a string prefix for the `FILE` [pre-processor macro](https://en.wikipedia.org/wiki/C_preprocessor).

* Kyle Rankin, the Chief Security Officer of [Puri.sm](https://puri.sm/posts/protecting-the-digital-supply-chain/) authored a blog post entitled "[Protecting the Digital Supply Chain](https://puri.sm/posts/protecting-the-digital-supply-chain/)" which describes how with Reproducible Builds you can show that no malicious code was injected in software supply chains:

    > *Think of it like the combination of a food safety inspector and an independent lab that verifies the nutrition claims on a box of cereal all rolled into one.*

* Chris Lamb gave a presentation at the [SFScon](https://www.sfscon.it) conference in Bozen, Italy on [reproducible builds and how they can prevent developers from becoming targets of various attacks](https://www.sfscon.it/talks/you-think-youre-not-a-target-a-tale-of-three-developers/).

* Holger Levsen updated our website to add the [Tor](https://www.torproject.org/) project as a participant at [our upcoming Paris Summit](https://reproducible-builds.org/events/paris2018/). In addition, Bernhard M. Wiedemann applied a sitewide change to use consistent capitalisation for [openSUSE](https://www.opensuse.org/) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1bd9083)].

* 38 Debian package reviews were added, 4 were updated and 19 were removed in this week, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). The `nondeterminstic_output_in_pkgconfig_files_generated_by_meson` was removed as a fix was applied upstream [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/e1cf42dc)], and the note for the `randomness_in_binaries_generated_by_golang` issue was updated. ([1](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/0efa6b16), [2](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/8139ba15))

* [diffoscope](https://diffoscope.org/) is our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages. This week, [Marius Gedminas](https://gedmin.as/) provided a patch to add a `python_requires` field to diffoscope's `setup.py` [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8e5e9b8)] and Mattia Rizzolo sorted the list of recommended Python modules in `debian/tests/control` [[...]](https://salsa.debian.org/reproducible-builds/diffoscope/commit/b618777).

* Chris Lamb's previously-authored patches for [GNU mtools](https://www.gnu.org/software/mtools/) to ensure the [Debian Installer](https://www.debian.org/devel/debian-installer/) images could become reproducible which were sent upstream last week ([1](http://lists.gnu.org/archive/html/info-mtools/2018-10/msg00003.html) & [2](http://lists.gnu.org/archive/html/info-mtools/2018-10/msg00004.html)) are now available in upstream's [4.0.20 release](http://lists.gnu.org/archive/html/info-mtools/2018-11/msg00004.html).

* Upstream `chromium-70` now builds reproducibly in [openSUSE](https://opensuse.org) (with a admittedly-normalised build environment) since [it uses the Git commit date](https://chromium-review.googlesource.com/c/chromium/src/+/1167913).

* Chris Lamb uploaded `strip-nondeterminism` (our tool to post-process files to remove known non-deterministic output) version `0.45.0-1` [to Debian unstable](https://tracker.debian.org/news/1002630/accepted-strip-nondeterminism-0450-1-source-all-into-unstable/) in order that [catch invalid ZIP "local" field lengths](https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/e5f5008) — we were previously blindly trusting the value supplied in the ZIP file ([#803503](https://bugs.debian.org/803503)). As part of this upload he moved the utility to the [SemVer](https://semver.org) versioning scheme.

* We have received more than 45 registrations for the upcoming [Reproducible Builds summit in Paris](https://reproducible-builds.org/events/paris2018/) between 11th—13th December 2018 and have now closed registrations. Very much looking forward to seeing you there!


Packages reviewed and fixed, and bugs filed
-------------------------------------------

* Bernhard M. Wiedemann:
    * [kvirc](https://github.com/kvirc/KVIrc/pull/2411) (drop `uname -r`), Also submitted to openSUSE ([...](https://build.opensuse.org/request/show/649892))
    * [libpt2](https://build.opensuse.org/request/show/649968) (drop `uname -r`)

* Christoph Berg posted some work-in-progress patches for [postgresql-hll](https://github.com/citusdata/postgresql-hll) (a [PostgreSQL](https://www.postgresql.org/) extension adding [HyperLogLog data structures](https://en.wikipedia.org/wiki/HyperLogLog) as a native data type) to make their build reproducible [to the upstream mailing list](https://www.postgresql.org/message-id/20181113104005.GA32154%40msg.credativ.de).

Test framework development
--------------------------

There were a large number of updates to our [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org/) by Holger Levsen this week, including:

* [Arch Linux](https://www.archlinux.org/)-specific changes:

    * Make `sed(1)` calls for modifying `pacman.conf` more robust, fixing building in the future as well as using proxies for downloading package dependencies. ([1](https://salsa.debian.org/qa/jenkins.debian.net/commit/be8fc3f5)
    * Improve the documentation of a multi-line [sed(1)](https://www.gnu.org/software/sed/manual/sed.html) statement. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/243d7312)]
    * Perform some administration on the package blacklists. ([1](https://salsa.debian.org/qa/jenkins.debian.net/commit/dbe42fac), [2](https://salsa.debian.org/qa/jenkins.debian.net/commit/02f5df90))
    * Move to using [sudo(8)](https://www.sudo.ws/) for cleaning old `/tmp` files left by package builds. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9a931cf7)]

* [Debian](https://www.debian.org/)-specific changes:

    * Add two new [cloud-image](https://tests.reproducible-builds.org/debian/buster/amd64/pkg_set_cloud-image.html) and [cloud-image_build-depends](https://tests.reproducible-builds.org/debian/buster/amd64/pkg_set_cloud-image_build-depends.html) package sets.
    * Perform some node maintenance. ([1](https://salsa.debian.org/qa/jenkins.debian.net/commit/39ddce21), [2](https://salsa.debian.org/qa/jenkins.debian.net/commit/81815405), [3](https://salsa.debian.org/qa/jenkins.debian.net/commit/adf8ae17))
    * Install [munin](http://munin-monitoring.org/) from the "[Backports](https://backports.debian.org/) repositories. ([1](https://salsa.debian.org/qa/jenkins.debian.net/commit/093ff284), [2](https://salsa.debian.org/qa/jenkins.debian.net/commit/0c013bbf))
    * Strip architecture from packages in the [grml](https://grml.org/) package sets. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/bea13e74)]

* Misc/generic changes:

    * Ensure all ProfitBricks (`amd64` and `i386`) nodes in Karlsruhe use `pb1` as a proxy and all nodes in Frankfurt use `pb10`. This might have produced some build failures but fixed issues with [Squid](http://www.squid-cache.org/) running in the future. This complements [previous work for the `arm64` architecture](https://bugs.debian.org/909838).
    * Filed [#913658](https://bugs.debian.org/913658): ("*Broken links on packages pages*")
    * Document that the proxy setting for chroot installs are actually correct. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4fa6f14f)]

In addition, Alexander Couzens provided workaround for an OpenWrt build system bug [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4a97c4c0)], Eli Schwartz refactored our [Arch Linux](https://www.archlinux.org/) support [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/539f38b8)] and Mattia Rizzolo performed some node maintenance.


---

This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.