---
layout: blog
week: 59
published: 2016-06-15 23:06:12
---

What happened in the [Reproducible
Builds](https://wiki.debian.org/ReproducibleBuilds) effort between June 5th and June 11th 2016:

Media coverage
--------------

Ed Maste gave a talk at [BSDCan 2016](https://www.bsdcan.org/2016/) on
reproducible builds
([slides](https://www.bsdcan.org/2016/schedule/events/714.en.html),
[video](https://www.youtube.com/watch?v=z7pDnBO5wSM&t=337m0s)).

GSoC and Outreachy updates
--------------------------

Weekly reports by our participants:

- [Scarlett Clark](http://scarlettgatelyclark.com/2016/debian-reproducible-builds-week-2/)
  worked on making some packages reproducible, focusing on KDE backend and
  utility programs.
- [Ceridwen](https://reproducible.alioth.debian.org/blog/posts/people/ceridwen/reprotest_week2/)
  published an initial design for the interface for `reprotest`, including a
  discussion on different types of build variations and the difficulties of
  specifying certain types of variations.
- [Valerie Young](http://www.spectranaut.cc/?p=17) improved documentation for
  building our tests website, began migrating Debian-specific pages into a new
  namespace, and planned future work around its navigation.

Documentation update
--------------------

<a name="FORCE_SOURCE_DATE" />
- Ximin Luo [proposed a modification](https://salsa.debian.org/reproducible-builds/source-date-epoch-spec.git/commit/?h=force-source-date&id=4b9da6b7f1aae38b82eaf29deb51bbe150204c76)
  to our `SOURCE_DATE_EPOCH` spec explaining `FORCE_SOURCE_DATE`.

  Some upstream build tools (e.g. TeX, see below) have expressed a desire to
  control which cases of embedded timestamps should obey `SOURCE_DATE_EPOCH`.
  They were not convinced by our arguments on why this is a bad idea, so we
  agreed on an environment variable `FORCE_SOURCE_DATE` for them to implement
  their desired behaviour - named generically, so that at least we can set it
  centrally. For more details, see the text just linked. However, we strongly
  urge most build tools *not* to use this, and instead obey `SOURCE_DATE_EPOCH`
  *unconditionally in all cases*.

Toolchain fixes
---------------

- TeX Live 2016 [released](https://www.preining.info/blog/2016/06/tex-live-2016-released/)
  with `SOURCE_DATE_EPOCH` support for all engines except LuaTeX and original TeX.
- [Continued discussion](https://www.tug.org/pipermail/tex-k/2016-June/002721.html)
  ([alternative archive](https://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20160606/005698.html))
  with TeX upstream, about `SOURCE_DATE_EPOCH` corner cases, eventually
  resulting in the `FORCE_SOURCE_DATE` proposal from above.
- [gcc-5](https://tracker.debian.org/pkg/gcc-5)/5.4.0-4 by Matthias Klose now avoids storing
  `-fdebug-prefix-map` in `DW_AT_producer`, thanks to [#819176](https://bugs.debian.org/819176) by
  Daniel Kahn Gillmor.
- [sphinx](https://tracker.debian.org/pkg/sphinx)/1.4.3-1 by Dmitry Shachnev now drops Debian-specific patches
  relating to `SOURCE_DATE_EPOCH` applied upstream, [#820895](https://bugs.debian.org/820895) by Alexis
  Bienvenüe.
- [asciidoctor](https://tracker.debian.org/pkg/asciidoctor)/1.5.4-2 by Cédric Boutillier now supports
  `SOURCE_DATE_EPOCH`, thanks to [#820435](https://bugs.debian.org/820435) by Alexis Bienvenüe.
- [dh-python](https://tracker.debian.org/pkg/dh-python)/1.5.4-2 by Piotr Ożarowski now behaves better in some
  cases, thanks to [#804339](https://bugs.debian.org/804339) by Chris Lamb.

Packages fixed
--------------

The following 16 packages have become reproducible due to changes in their
build-dependencies:
[apertium-dan-nor](https://tracker.debian.org/pkg/apertium-dan-nor)
[apertium-swe-nor](https://tracker.debian.org/pkg/apertium-swe-nor)
[asterisk-prompt-fr-armelle](https://tracker.debian.org/pkg/asterisk-prompt-fr-armelle)
[blktrace](https://tracker.debian.org/pkg/blktrace)
[canl-c](https://tracker.debian.org/pkg/canl-c)
[code-saturne](https://tracker.debian.org/pkg/code-saturne)
[coinor-symphony](https://tracker.debian.org/pkg/coinor-symphony)
[dsc-statistics](https://tracker.debian.org/pkg/dsc-statistics)
[frobby](https://tracker.debian.org/pkg/frobby)
[libphp-jpgraph](https://tracker.debian.org/pkg/libphp-jpgraph)
[paje.app](https://tracker.debian.org/pkg/paje.app)
[proxycheck](https://tracker.debian.org/pkg/proxycheck)
[pybit](https://tracker.debian.org/pkg/pybit)
[spip](https://tracker.debian.org/pkg/spip)
[tircd](https://tracker.debian.org/pkg/tircd)
[xbs](https://tracker.debian.org/pkg/xbs)

The following 5 packages are new in Debian and appear to be reproducible so
far:
[golang-github-bowery-prompt](https://tracker.debian.org/pkg/golang-github-bowery-prompt)
[golang-github-pkg-errors](https://tracker.debian.org/pkg/golang-github-pkg-errors)
[golang-gopkg-dancannon-gorethink.v2](https://tracker.debian.org/pkg/golang-gopkg-dancannon-gorethink.v2)
[libtask-kensho-perl](https://tracker.debian.org/pkg/libtask-kensho-perl)
[sspace](https://tracker.debian.org/pkg/sspace)

The following packages had older versions which were reproducible, and
their latest versions are now reproducible again after being fixed:

 * [excellent-bifurcation](https://tracker.debian.org/pkg/excellent-bifurcation)/0.0.20071015-8 by Vincent Cheng, [#826427](https://bugs.debian.org/826427) by Reiner Herrmann.
 * [gnurobbo](https://tracker.debian.org/pkg/gnurobbo)/0.68+dfsg-2 by Stephen Kitt, [#826424](https://bugs.debian.org/826424) by Reiner Herrmann.

The following packages have become reproducible after being fixed:

 * [gdbm](https://tracker.debian.org/pkg/gdbm)/1.8.3-14 by Matthias Klose, [#774394](https://bugs.debian.org/774394) by Jérémy Bobbio.
 * [miceamaze](https://tracker.debian.org/pkg/miceamaze)/4.2.1-3 by Sarah COUDERT, [#825634](https://bugs.debian.org/825634) by Reiner Herrmann.
 * [netcdf](https://tracker.debian.org/pkg/netcdf)/1:4.4.1~rc2-1~exp3 by Bas Couwenberg.
 * [osmo-bts](https://tracker.debian.org/pkg/osmo-bts)/0.4.0-2 by Ruben Undheim.
 * [pd-hcs](https://tracker.debian.org/pkg/pd-hcs)/0.1-3 by IOhannes m zmölnig.
 * [pd-hid](https://tracker.debian.org/pkg/pd-hid)/0.7-2 by IOhannes m zmölnig.
 * [python-certbot](https://tracker.debian.org/pkg/python-certbot)/0.8.0-1 by Harlan Lieberman-Berg, [#824452](https://bugs.debian.org/824452) by Chris Lamb.
 * [python-csb](https://tracker.debian.org/pkg/python-csb)/1.2.3+dfsg-3 by Sascha Steinbiss.
 * [python-osprofiler](https://tracker.debian.org/pkg/python-osprofiler)/1.3.0-2 by Thomas Goirand.
 * [usb-modeswitch-data](https://tracker.debian.org/pkg/usb-modeswitch-data)/20160112-3 by Didier Raboud, [#826343](https://bugs.debian.org/826343) by intrigeri.

Some uploads have fixed some reproducibility issues, but not all of them:

 * [bzr](https://tracker.debian.org/pkg/bzr)/2.7.0-7 by Jelmer Vernooij.
 * [clanlib](https://tracker.debian.org/pkg/clanlib)/1.0~svn3827-5 by Stephen Kitt, [#790357](https://bugs.debian.org/790357) by Chris Lamb.
 * [dwarfutils](https://tracker.debian.org/pkg/dwarfutils)/20160507+git20160523.9086738-1 by Fabian Wolff.
 * [fakeroot](https://tracker.debian.org/pkg/fakeroot)/1.20.2-2 by Clint Adams, [#795861](https://bugs.debian.org/795861).
 * [fastqtl](https://tracker.debian.org/pkg/fastqtl)/2.184+dfsg-2 by Dylan Aïssi, [#826209](https://bugs.debian.org/826209) by Chris Lamb.
 * [gnuplot](https://tracker.debian.org/pkg/gnuplot)/5.0.3+dfsg3-3 by Anton Gladky.
 * [lazarus](https://tracker.debian.org/pkg/lazarus)/1.6+dfsg-3 by Paul Gevers.
 * [python-pygit2](https://tracker.debian.org/pkg/python-pygit2)/0.24.0-3 by Ondřej Nový.

Patches submitted that have not made their way to the archive yet:

 * [#806331](https://bugs.debian.org/806331) against [xz-utils](https://tracker.debian.org/pkg/xz-utils) by Ximin Luo: make the selected POSIX shell stable across build environments
 * [#806494](https://bugs.debian.org/806494) against [gnupg](https://tracker.debian.org/pkg/gnupg) by intrigeri: Make man pages not embed a build-time dependent timestamp
 * [#806945](https://bugs.debian.org/806945) against [bash](https://tracker.debian.org/pkg/bash) by Reiner Herrmann and Ximin Luo: Use the system man2html, and set PGRP_PIPE unconditionally.
 * [#825857](https://bugs.debian.org/825857) against [python-setuptools](https://tracker.debian.org/pkg/python-setuptools) by Anton Gladky: sort libs in native_libs.txt
 * [#826408](https://bugs.debian.org/826408) against [brainparty](https://tracker.debian.org/pkg/brainparty) by Reiner Herrmann: Sort object files for deterministic linking order
 * [#826416](https://bugs.debian.org/826416) against [blockout2](https://tracker.debian.org/pkg/blockout2) by Reiner Herrmann: Sort the list of source files
 * [#826418](https://bugs.debian.org/826418) against [xgalaga++](https://tracker.debian.org/pkg/xgalaga++) by Reiner Herrmann: Sort source files to get a deterministic linking order
 * [#826423](https://bugs.debian.org/826423) against [kraptor](https://tracker.debian.org/pkg/kraptor) by Reiner Herrmann: Sort source files for deterministic linking order
 * [#826431](https://bugs.debian.org/826431) against [traceroute](https://tracker.debian.org/pkg/traceroute) by Reiner Herrmann: Sort lists of libraries/source/object files
 * [#826544](https://bugs.debian.org/826544) against [doc-debian](https://tracker.debian.org/pkg/doc-debian) by intrigeri: make the created files stable regardless of the locale
 * [#826676](https://bugs.debian.org/826676) against [python-openstackclient](https://tracker.debian.org/pkg/python-openstackclient) by Chris Lamb: make the build reproducible
 * [#826677](https://bugs.debian.org/826677) against [cadencii](https://tracker.debian.org/pkg/cadencii) by Chris Lamb: make the build reproducible
 * [#826760](https://bugs.debian.org/826760) against [dctrl-tools](https://tracker.debian.org/pkg/dctrl-tools) by Reiner Herrmann: Sort object files for deterministic linking order
 * [#826951](https://bugs.debian.org/826951) against [slicot](https://tracker.debian.org/pkg/slicot) by Alexis Bienvenüe: please make the build reproducible (fileordering)
 * [#826982](https://bugs.debian.org/826982) against [hoichess](https://tracker.debian.org/pkg/hoichess) by Reiner Herrmann: Sort object files for deterministic linking order

Package reviews
---------------

68 reviews have been added, 19 have been updated and 28 have been removed in this week. New and updated issues:

 * [cryptographic_signature](https://tests.reproducible-builds.org/issues/unstable/cryptographic_signature_issue.html)
 * [timestamps_in_maven_version_files](https://tests.reproducible-builds.org/issues/unstable/timestamps_in_maven_version_files_issue.html)
 * [ftbfs_build-indep_not_build_on_some_archs](https://tests.reproducible-builds.org/issues/unstable/ftbfs_build-indep_not_build_on_some_archs_issue.html)
 * [timestamps_added_by_xbean_spring](https://tests.reproducible-builds.org/issues/unstable/timestamps_added_by_xbean_spring_issue.html)
 * [timestamps_in_maven_metadata_local_xml_files](https://tests.reproducible-builds.org/issues/unstable/timestamps_in_maven_metadata_local_xml_files_issue.html)
 * [timestamps_in_documentation_generated_by_asciidoctor](https://tests.reproducible-builds.org/issues/unstable/timestamps_in_documentation_generated_by_asciidoctor_issue.html)

26 FTBFS bugs have been reported by Chris Lamb, 1 by Santiago Vila and 1 by Sascha Steinbiss.

diffoscope development
----------------------

- Mattia Rizzolo uploaded [diffoscope](https://tracker.debian.org/pkg/diffoscope)/54 to jessie-backports.

strip-nondeterminism development
--------------------------------

- Mattia uploaded [strip-nondeterminism](https://tracker.debian.org/pkg/strip-nondeterminism)/0.018-1 to jessie-backports, to
  support a [debhelper](https://tracker.debian.org/pkg/debhelper) backport.
- Andrew Ayer uploaded [strip-nondeterminism](https://tracker.debian.org/pkg/strip-nondeterminism)/0.018-2 fixing [#826700](https://bugs.debian.org/826700), a packaging improvement for Multi-Arch to ease cross-build
  situations.
- 2 days later Andrew released [strip-nondeterminism](https://tracker.debian.org/pkg/strip-nondeterminism)/0.019; now
  strip-nondeterminism is able to:
  - recursively normalize JAR files embedded within JAR files ([#823917](https://bugs.debian.org/823917))
  - clamp the timestamp, the same way tar >=1.28-2.2 can (for now available only  for gzip archives)

disorderfs development
----------------------

- Andrew Ayer released [disorderfs](https://tracker.debian.org/pkg/disorderfs)/0.4.3, fixing a issue with umask handling ([#826891](https://bugs.debian.org/826891))

tests.reproducible-builds.org
-----------------------

- Valerie Young namespaced the Debian-specific pages to [/debian/
  namespace](https://tests.reproducible-builds.org/debian), with redirects to
  for the previous URLs.
- Holger Levsen improved the reliability of build jobs: the availability of
  both build nodes (for a given build) is now being tested when a build job is
  started, to better cope when one of the 25 build nodes go down for some reason.
- Ximin Luo improved the [index of identified
  issues](https://tests.reproducible-builds.org/debian/index_issues.html) to
  include the total popcon scores of each issue, which is now also used for
  sorting that page.

Misc.
-----

Steven Chamberlain [submitted a patch to FreeBSD's
makefs](https://lists.freebsd.org/pipermail/freebsd-hackers/2016-June/049571.html)
to allow reproducible builds of the kfreebsd installer.

Ed Maste [committed a patch to FreeBSD's
binutils](https://svnweb.freebsd.org/ports?view=revision&revision=416639) to
enable deterministic archives by default in GNU ar.

Helmut Grohne
[experimented](https://anonscm.debian.org/cgit/users/helmutg/rebootstrap.git/commit/?id=12d820314bcb459131eebc55e22a48e545acb0b5)
[with](https://anonscm.debian.org/cgit/users/helmutg/rebootstrap.git/commit/?id=39277ab9347848073bcd310f98026177eee2ea66)
cross+native reproductions of [dash](https://tracker.debian.org/pkg/dash) with some success, using
[rebootstrap](https://wiki.debian.org/HelmutGrohne/rebootstrap).

This week's edition was written by Ximin Luo, Chris Lamb, Holger Levsen, Mattia
Rizzolo and reviewed by a bunch of Reproducible builds folks on IRC.