---
layout: blog
week: 201
published: 2019-03-05 13:14:43
---

Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday February 24 and Saturday March 2 2019:

* On Tuesday 26th Chris Lamb spoke at [Speck&Tech 31 "Open Security"](https://www.eventbrite.com/e/specktech-31-open-security-tickets-53503912643) on Reproducible Builds.

* On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this week:
    * Eric Myhre [posted about the developer of Dwarf Fortress reporting](https://lists.reproducible-builds.org/pipermail/rb-general/2019-February/001473.html) some "butterfly-effect style" bugs in deterministic world generation in a post titled [*Reproducible builds: it's not just for compilers, it's for dwarfs too.  And their entire universe...!*](http://www.bay12games.com/dwarves/#2019-02-21).
    * Holger Levsen posted an update after he calculated that [Debian is 54% reproducible in practice](https://lists.reproducible-builds.org/pipermail/rb-general/2019-March/001479.html). This also revealed that 12% of all binary packages in `buster/amd64` are unreproducible because they were built by binNMUs ([#894441](https://bugs.debian.org/894441)).

* On Saturday 3rd Holger participated in a panel at the demo day of the [4th round of the Prototype Fund](https://prototypefund.de/projects/round4/) were he talked about [Reproducible Builds in reality](https://prototypefund.de/project/reproducible-builds-in-der-wirklichkeit/) which is summarised below:
    ![]({{ "/images/blog/201/reproducible-builds-PTF-demo-day-20190302.png" | relative_url }})

* Alexander "*lynxis*" Couzens [announced the first release](https://bugs.debian.org/918480#42) of [`squashfskit`](https://github.com/squashfskit/squashfskit), a set of utilities that create and manipulate read-only compressed file systems that was forked from `squashfs-tools`.

* Bernhard M. Wiedemann [posted his monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-02/msg00599.html) for the [openSUSE](https://opensuse.org/) distribution. This includes some verification of official builds, where 81.2%-similar (NB. not yet bit-identical build results were achieved.

* Graham Christensen corrected some broken links on the [reproducible-builds.org](https://reproducible-builds.org) project website.&nbsp;[[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/43ba1a1)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a691971)]

* Holger uploaded version `1.16.2-1` of [koji](https://pagure.io/koji) — the RPM building and tracking system — to Debian, fixing [CVE-2018-1002161](https://security-tracker.debian.org/tracker/CVE-2018-1002161) to address a SQL injection attack. ([#922922](https://bugs.debian.irg/922922))

* A tool to [compare the differences between between two versions of the same Node "npm" package](https://diff.intrinsic.com/) was released, speaking to the same concerns for code provenance that the Reproducible Builds project has.

* 15 Debian package reviews were added, 3 were updated and 14 were removed in this week, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).

## diffoscope development

[![]({{ "/images/blog/201/diffoscope.svg" | relative_url }})](https://diffoscope.org)

[diffoscope](https://diffoscope.org/) is our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages. This week:

* Chris Lamb:
    * Improved the displayed comment when falling back to a binary diff to include the file type.&nbsp;[(#49)](https://salsa.debian.org/reproducible-builds/diffoscope/issues/49)
    * Tidied definition of "no file-specific differences were detected" message suffix.&nbsp;[[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/a671bfb)]
    * Corrected a "recurse" typo.&nbsp;[[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/d41f09b)]

* Vagrant Cascadian updated diffoscope in [GNU Guix](https://www.gnu.org/software/guix/).&nbsp;[[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6dacaa70a0874662cbdabfc6df987cd5a09a518c)]

## Packages reviewed and fixed, and bugs filed

* Bernhard M. Wiedemann:
    * [scons](https://github.com/SCons/scons/pull/3312) (merged, hostname)
    * [nfs-ganesha](https://build.opensuse.org/request/show/679666) (hostname)
    * [openstack-manila](https://build.opensuse.org/request/show/680412) (hostname)
    * [eigen3](https://build.opensuse.org/request/show/679669) (drop LaTeX `.log`, [partially submitted and merged upstream](https://bitbucket.org/eigen/eigen/pull-requests/598/do-not-keep-latex-logs/diff))
    * [python-HTTPolice](https://github.com/vfaronov/httpolice/pull/9) (merged, fix FTBFS-2021)
    * [python-keystoneclient](https://review.openstack.org/640024) (fix FTBFS-2020)
    * [cassandra](https://issues.apache.org/jira/browse/CASSANDRA-15039) (fix date/copyright year)
    * [various openstack rpms](https://review.openstack.org/640293) (drop `.pickl` files)
    * [heimdal](https://github.com/heimdal/heimdal/issues/529) (report FTBFS with `-j1`)

* Chris Lamb:
    * [#923169](https://bugs.debian.org/923169) filed against [node-lunr](https://tracker.debian.org/pkg/node-lunr).
    * [#923170](https://bugs.debian.org/923170) filed against [heudiconv](https://tracker.debian.org/pkg/heudiconv).

In addition, one of Chris Lamb's previous patches for the [Sphinx](https://sphinx-doc.org) documentation system [was merged upstream](https://github.com/sphinx-doc/sphinx/pull/6028#issuecomment-467885608). He also [updated his branch against](https://github.com/shadow-maint/shadow/pull/146#issuecomment-468750829) the `shadow` password utility.

## Test framework development

We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org). This week, Holger Levsen made the following improvements:

* Improve the output of the Debian reproducible "SHA1" checker [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5a50d32f)], also including stats for non-reproducible binNMUs, `arch:all` and `arch:amd64` packages [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/151b4f00)].
* Deal with zero results in the SHA1 checker.&nbsp;[[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/38bf9944)]
* Move SHA1 checker to `osuosl173` node.&nbsp;[[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2d0205d5)]
* Add `setup_schroot_buster_diffoscope` job on `osuosl173` node.&nbsp;[[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8532fd178)]
* Node maintenance.&nbsp;[[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/efbe90df)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2d0205d5)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b700d342)]

In addition, Mattia Rizzolo performed some `armhf` node maintenance.&nbsp;[[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/50f250b9)]

---

This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.