---
layout: blog
week: 202
published: 2019-03-13 14:24:20
---

Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday March 3 and Saturday March 9 2019:

* On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this week Holger Levsen explained why [Debian Buster will only be 54% reproducible](https://lists.reproducible-builds.org/pipermail/rb-general/2019-March/001492.html) (in short: due to Debian bugs [#894441](https://bugs.debian.org/894441) and [#900837](https://bugs.debian.org/900837)). There was some follow-up discussion on [Reddit](https://www.reddit.com/r/linux/comments/axxkov/debian_buster_will_only_be_54_reproducible_while/) and [Hacker News](https://news.ycombinator.com/item?id=19310638).

* Russ Cox and Filippo Vasorda submitted a [formal change proposal](https://go.googlesource.com/proposal/) to the [Go programming language](https://golang.org/) entitled [*Secure the Public Go Module Ecosystem with the Go Notary*](https://go.googlesource.com/proposal/+/master/design/25530-notary.md) which speaks to reproducible builds and their impact on code provenance.

* [Wireshark](https://www.wireshark.org/) (the popular network protocol analyser) [revealed in their 3.0.0 release notes](https://www.wireshark.org/docs/relnotes/wireshark-3.0.0.html) that their build system now produces reproducible builds.&nbsp;([#15163](https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15163)).

* 5 Debian package reviews were added, 6 were updated and 13 were removed in this week adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Two issue types were identified by Chris Lamb: [`timestamps_in_pdf_generated_by_daps`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/f4953e97) and [`randomness_in_postgres_opcodes`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/dd1186d4).

* Holger Levsen updated the top-level navigation on the [reproducible-builds.org project website](https://reproducible-builds.org) to link [tests.reproducible-builds.org](https://tests.reproducible-builds.org) more prominently.&nbsp;[[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/58291d3)]

## diffoscope development

[![]({{ "/images/blog/202/diffoscope.svg" | relative_url }})](https://diffoscope.org)

[diffoscope](https://diffoscope.org/) is our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages. This week:

Chris Lamb [uploaded version `113` to Debian unstable](https://tracker.debian.org/news/1033884/accepted-diffoscope-113-source-all-into-unstable/) fixing a long list of issues. It [included contributions already covered in previous weeks](https://salsa.debian.org/reproducible-builds/diffoscope/commits/113) as well as new ones by Chris, including:

* Provide explicit help when the libarchive system package is missing or "incomplete". ([#50](https://salsa.debian.org/reproducible-builds/issues/50))
* Explicitly mention when the guestfs module is missing at runtime and we are falling back to a binary diff. ([#45](https://salsa.debian.org/reproducible-builds/diffoscope/issues/45))

Vagrant Cascadian made the corresponding update to [GNU Guix](https://www.gnu.org/software/guix/).&nbsp;[[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=11599cff1e0335797deab8f48d1fe8741d7eeb11)]

## Packages reviewed and fixed, and bugs filed

* Bernhard M. Wiedemann:
    * [python-django-filter](https://github.com/carltongibson/django-filter/issues/1050) (report `FTBFS-2019-03-10`)
    * [python-apache-libcloud](https://github.com/apache/libcloud) ([fix `FTBFS-2031`](https://github.com/apache/libcloud/pull/1279) & [report `FTBFS-2038`](https://issues.apache.org/jira/browse/LIBCLOUD-1038))
    * [utox](https://github.com/uTox/uTox/pull/1334) (merged, date)
    * [vimb](https://github.com/fanglingsu/vimb/pull/542) (merged, date)
    * [pcp](https://build.opensuse.org/request/show/682435) (fix date and [PGO](https://en.wikipedia.org/wiki/Profile-guided_optimization)-like effects from `gcc --coverage`)

* Chris Lamb
    * [#924003](https://bugs.debian.org/924003) filed against [splint](https://tracker.debian.org/pkg/splint).

## Test framework development

We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org). This week, Holger Levsen made the following improvements:

* Analyse node maintenance job runs to determine whether to mark nodes offline.&nbsp;[[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0276c1f9)]
* Detect hanging health check runs, not just failed ones.&nbsp;[[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b9941d09)]
* Allow members of the `jenkins` UNIX group to [`sudo(8)`](https://en.wikipedia.org/wiki/Sudo) to the `jenkins` user&nbsp;[[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/71d44a9f)] and simplify adding users to said group&nbsp;[[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b7131499)].
* Improve the "SHA1 checker" script to deal with packages with more than one version&nbsp;[[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/05db9170)] and to re-download [buildinfo.debian.net](https://buildinfo.debian.net/)'s files if they are older than two weeks.&nbsp;[[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5740acdc)]
* Node maintenance.&nbsp;[[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/db541e4e)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/28cb883b)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/37544eb9)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/23ae81fb)]
* In the version checker, correctly deal with a rare situation when several, say, [diffoscope](https://diffoscope.org) versions are available in one Debian suite at the same time. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f9a5c2c8)]

In addition, Alexander "*lynxis*" Couzens, made a number of changes to our [OpenWrt](https://en.wikipedia.org/wiki/OpenWrt) support, including:

* Add OpenWrt support to our database.&nbsp;[[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b556fbf7)]
* Adding a `reproducible_openwrt_package_parser.py` script.&nbsp;[[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/02dd59fd)]
* Strip unreproducible certificates from images. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/74fc1f1d)]

## Outreachy

Don't forget that Reproducible Builds is part of May/August 2019 round of [Outreachy](https://www.outreachy.org/). Outreachy provides internships to work free software. Internships are open to applicants around the world, working remotely and are not required to move. Interns are paid a stipend of $5,500 for the three month internship and have an additional $500 travel stipend to attend conferences/events.

So far, we received more than ten initial requests from candidates. The closing date for applicants is April 2nd. More information is available [on the application page](https://www.outreachy.org/may-2019-august-2019-outreachy-internships/communities/debian/).


---

This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.