---
layout: blog
week: 198
published: 2019-02-12 12:30:58
---

Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday February 3rd and Saturday February 9th 2019:

* The Reproducible Builds project intends to participate in [Google Summer of Code](https://summerofcode.withgoogle.com/) in 2019. If you are interested in becoming a student or mentor please see [our entry on the wiki page](https://wiki.debian.org/SummerOfCode2019/Projects#SummerOfCode2019.2FProjects.2FReproducibleBuilds.Reproducible_Builds).

* In a blog post entitled "[Huawei case demonstrates importance of Free Software for security](https://fsfe.org/news/2019/news-20190205-01.en.html)" the [FSFE](https://fsfe.org) raised their voice in the [recent wider discussions regarding Huawei and 5G](https://www.zdnet.com/article/huawei-will-need-5-years-and-2b-to-resolve-uk-security-concerns-report/):

  > To establish trust in critical infrastructure like 5G, it is a crucial precondition that all software code powering those devices is published under a Free and Open Source Software licence" and furthermore points out that in case of binary distribution it is "necessary that there are reproducible builds".

* Reproducible Builds were present at both [FOSDEM 2019](https://fosdem.org/2019/schedule/) and [CopyLeftConf](https://2019.copyleftconf.org/) handing out t-shirts to a number of contributors. The latter event was run under the auspices of the [Software Freedom Conservancy](https://sfconservancy.org/) who also act as the Reproducible Builds project fiscal sponsor and are a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom. If you like the work of the Conservancy or the Reproducible Builds project, please consider [becoming an official supporter](https://sfconservancy.org/supporter/).

* [diffoscope](https://diffoscope.org/) is our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages. This week, Chris Lamb adjust the behaviour to not look for adjacent `-dbgsym` Debian package files automatically anymore to align better with users' expectations. The existing behaviour can be re-enabled by specifying the new `--use-dbgsym` flag ([#44](https://salsa.debian.org/reproducible-builds/diffoscope/issues/44) / [#920701](https://bugs.debian.org/920701)).

   Chris then [released and uploaded this as part of version `110`](https://tracker.debian.org/news/1028027/accepted-diffoscope-110-source-all-into-unstable/) but it was then reported that this introduced a regression where we had stopped using the `-dbgsym` packages when comparing `.buildinfo` or `.changes files`. This was subsequently fixed via [issue #46](https://salsa.debian.org/reproducible-builds/diffoscope/issues/46).

* Bernhard M. Wiedemann a wrote [script to export CSV data](https://github.com/bmwiedemann/reproducibleopensuse/blob/master/rbplot.pl) of [openSUSE](https://opensuse.org) reproducibility statistics over time and [graphed it](https://rb.zq1.de/compare.factory/graph.png) using [Debian's graphing tool](https://salsa.debian.org/qa/jenkins.debian.net/blob/master/bin/make_graph.py).

* The [Nix](https://nixos.org/nix) "purely functional package manager" published a new [r13y.com](https://r13y.com/) "single-page" website that documents the current state of reproducibility in that distribution, a possible partner to [isdebianreproducibleyet.com](https://isdebianreproducibleyet.com/).

* On Tuesday 26th February Chris Lamb will speak at [Speck&Tech 31 "Open Security"](https://www.eventbrite.com/e/specktech-31-open-security-tickets-53503912643) on Reproducible Builds in Trento, Italy.

* Holger uploaded [koji version `1.16.1-1` to Debian](https://tracker.debian.org/news/1028398/accepted-koji-1161-1-source-into-unstable/) in order to package a new upstream version.

* Ten Debian package reviews were added, eleven were updated and nineteen were removed in this week, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Two issue types were updated by Chris Lamb, adding a fix for the [`randomness_in_documentation_underscore_downloads_generated_by_sphinx`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/9e2153f8) toolchain issue and also categorising a new [`randomness_in_documentation_graphviz_generated_by_sphinx`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/41675a8d) toolchain issue.

* Hervé Boutemy made more updates to the [reproducible-builds.org](https://reproducible-builds.org) project website, including specifying the implications of using `-Dline.separator` with respect to UNIX line endings [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3fdaa2f)]. In addition, Holger Levsen added a link to the "[who]({{ "/who/" | relative_url }})" page for the tests page for [NixOS](https://nixos.org/nix/) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/9093f6c)] and Mykola Nikishov fixed a dead link to [how-to contribute]({{ "/contribute/" | relative_url }}) page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/b7ac922)].

* Whilst reproducing [Arch Linux](https://www.archlinux.org/) packages Jelle van der Waa and Santiago Torres discovered that the size field in [pacman](https://wiki.archlinux.org/index.php/pacman)'s package metadata is not reproducible on different filesystems. For example building on `tmpfs` versus `ext4` results a different package size. More information may be found be found on the [associated bug report](https://bugs.archlinux.org/task/61717).

## Packages reviewed and fixed, and bugs filed

* Bernhard M. Wiedemann:
    * [gnome-weather](https://build.opensuse.org/request/show/671146) (`libdir` made a `noarch` package vary between architectures)
    * [kiwi](https://github.com/openSUSE/kiwi/pull/672) (sort perl readdir)
    * [kiwi-ng](https://github.com/SUSE/kiwi/pull/938) (sort python readdir)

* Chris Lamb:
    * [#921511](https://bugs.debian.org/921511) filed against [python-octaviaclient](https://tracker.debian.org/pkg/python-octaviaclient) (forwarded and merged upstream [on GitHub](https://github.com/openstack/python-octaviaclient/pull/1) and [Gerrit](https://review.openstack.org/635194)).
    * [#921513](https://bugs.debian.org/921513) filed against [sphinx](https://tracker.debian.org/pkg/sphinx) ([forwarded upstream](https://github.com/sphinx-doc/sphinx/pull/6028)).
* Steffen Winterfeldt:
    * [gfxboot](https://github.com/openSUSE/gfxboot/pull/35) (avoid variations in `mtime` values embedded in [cpio](https://en.wikipedia.org/wiki/Cpio) archives)

## Test framework development

We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org). This week, Holger Levsen made a large number of improvements including:

* [Arch Linux](https://www.archlinux.org/)-specific changes:
    * Correct information about the hostnames used. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/83eaf481)]
    * Document that the kernel is not currently varied on rebuilds. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8d6d94d6)]
    * Improve IRC messages. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f9791397)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f7019d9a)]

* [Debian](https://www.debian.org/)-specific changes:
    * Perform a large number of cleanups, updating documentation to match. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9c099966)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/3975ac64)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/25c9960b)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ae0b90e5)]
    * Avoid unnecessary `apt install` calls on every deployment run. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6de8b742)]

* [LEDE](https://en.wikipedia.org/wiki/LEDE)/OpenWrt-specific changes:
    * Attempt to build all the packages again. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/13e62b27)]
    * Mark a workaround for an `iw` issue in a better way. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/328dc131)]

* Misc/generic changes:
    * Clarify where [NetBSD](https://www.netbsd.org/) is actually built. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/3cb41677)]
    * Improve jobs to check the version of [diffoscope](https://diffoscope.org/) relative to upstream in various distributions. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2a00fdfd)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/68d43d67)]
    * Render the artificial date correctly in the [build variation](https://tests.reproducible-builds.org/debian/index_variations.html) tables. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7ea459db)]
    * Work around a rare and temporary problem when restarting [Munin](http://munin-monitoring.org/). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8efeaf25)]
    * Drop code relating to [OpenSSH](https://openssh.org) client ports as this is handled via `~/ssh/config` now. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/874a6e23)]
    * Fix various bits of documentation. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b6b2b020)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/56d78d7a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1193a073)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/052e30fe)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/707c70eb)]

* [Fedora](https://getfedora.org/)-specific changes:
    * Correctly note that testing Fedora is currently disabled. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/025a59ad)]
    * Abstract some behaviour to make possible testing of other distributions easier. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ebbb8dce)]
    * Only update `mock` on build nodes. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cd3a475d)]


In addition, Mattia Rizzolo updated the configuration for `df_inode` [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6cfb5db5)] and reverted a change to our [pbuilder](https://wiki.debian.org/PbuilderTricks) setup [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/676d63a8)] whilst Bernhard M. Wiedemann ported `make_graph` to using Python 3 [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1ce73fcb)].

---

This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Jelle van der Waa & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.