--- layout: blog week: 188 published: 2018-12-05 07:20:49 --- Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday November 25 and Saturday December 1 2018: * [Andrew Martin](https://www.binarysludge.com/) gave a talk at [OWASP Norway Day](https://owaspnorwayday.org/) entitled [*The State of Your Supply Chain*](https://www.youtube.com/watch?v=o4ZedASTVFM&t=0s&list=PLUyk8TFqGpianCUx68eJpXz6QSlLhBmyP&index=3). The section on reproducible builds starts at 15:05. * On [LWN](https://lwn.net/) this week, [Jake Edge](http://www.edge2.net/) commented that: > *The [flatmap-stream NPM package](https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/) had an extra file added into it that was not in the GitHub repository* [[...](https://lwn.net/SubscriberLink/773121/c05141ddae21da8b/)] ... a clear use-case for reproducible builds. * [Chris Lamb](https://chris-lamb.co.uk/) fixed `strip-nondeterminism` (our tool to post-process files to remove known non-deterministic output) version to ignore encrypted ZIP files as we can never normalise them ([#852207](https://bugs.debian.org/852207)). * [Hervé Boutemy](http://people.apache.org/~hboutemy/) started a productive thread on [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) about [*Reproducible Java builds with Maven*](https://lists.reproducible-builds.org/pipermail/rb-general/2018-November/thread.html#1273). * [diffoscope](https://diffoscope.org/) is our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages. This week, Chris Lamb fixed an outstanding issue where a large number of warnings were generated if `getfacl(1)` was not available making the behaviour consistent with `lsattr(1)`'s presence. ([#902369](https://bugs.debian.org/902369)) * [Holger Levsen](http://layer-acht.org/) updated our website project to add [Google Open Source Research](https://opensource.google.com/) as a sponsor at [our upcoming Paris Summit](https://reproducible-builds.org/events/paris2018/) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/25b6602)] and clarified that the registration is closed [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/cdfcf44)]. * Chris Lamb added [`tagpending` integration](https://wiki.debian.org/Salsa/Doc\#Dealing_with_Debian_BTS_from_commit_messages) to some of [our repositories hosted on Salsa](https://salsa.debian.org/reproducible-builds). * Various organisation and administrativa around [our upcoming Reproducible Builds summit in Paris](https://reproducible-builds.org/events/paris2018/) between 11th—13th December. * 59 Debian package reviews were added, 7 were updated and 11 were removed in this week, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). A new [`ffile_prefix_map_passed_to_clang`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/c334f5cf) issue was added by Adrian Bunk. Patches filed ------------- * Bernhard M. Wiedemann: * [deepin-qt-dbus-factory](https://cr.deepin.io/#/c/dde/dde-qt-dbus-factory/+/40105) (filesystem ordering, merged) * [python-xmlsec](https://github.com/mehcode/python-xmlsec/pull/91) (filesystem ordering, merged) * [openmpi](https://github.com/open-mpi/ompi/pull/5653) (user & host, [submitted to openSUSE](https://build.opensuse.org/request/show/652140), finally merged) * [xpra](http://xpra.org/trac/ticket/2062) (date, time, host & user, merged) * Chris Lamb: * [#914672](https://bugs.debian.org/914672) filed against [netcdf-parallel](https://tracker.debian.org/pkg/netcdf-parallel). * Niko Tyni: * [#915209](https://bugs.debian.org/915209) filed against [perl](https://tracker.debian.org/pkg/perl). Test framework development -------------------------- There were a number of updates to our [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org/) this week, including: * Chris Lamb [prepared a merge request](https://salsa.debian.org/qa/jenkins.debian.net/merge_requests/17) to generate and serve [diffoscope](https://diffoscope.org/) JSON output in addition to the existing HTML and text formats ([example output](https://tests.reproducible-builds.org/debian/dbdjson/buster/arm64/continuity_0.0~git20180216.d8fb858-1.diffoscope.json.gz)). This required Holger Levsen to increase the partition holding `/var/lib/jenkins/userContent/reproducible` from 255G to 400G. Thanks to [Profitbricks](https://www.profitbricks.co.uk/) for sponsoring this virtual hardware for more than 6 years now. * Holger Levsen and [Jelle van der Waa](https://vdwaa.nl/) started to add integrate new [Arch Linux](https://www.archlinux.org/) build nodes, namely `repro1.pkgbuild.com` and `repro2.pkgbuild.com`, * In addition, Holger Levsen installed the `needrestart` package everywhere [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/00bd6ac1)] updated an interface to always use short hostname [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/91a936f8)], explained what some nodes were doing [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/dbd40692)] as well as performed the usual node maintenance ([[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0abf968a)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ec0b9929)], [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/00451113)], etc.). * Jelle van der Waa also fixed a number of issues in the Arch Linux integration including showing the language in the first build [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ae55ece3)] and setting `LANG/LC_ALL` in the first build [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a0927060)]. --- This week's edition was written by [Bernhard M. Wiedemann](https://lizards.opensuse.org/author/bmwiedemann/), [Chris Lamb](https://chris-lamb.co.uk/), [Holger Levsen](http://layer-acht.org/), [Jelle van der Waa](https://vdwaa.nl/) & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.