---
layout: report
year: "2019"
month: "06"
title: "Reproducible Builds in June 2019"
draft: false
date: 2019-07-05 13:58:08
---
[![]({{ "/images/reports/2019-06/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
**Welcome to the June 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!** In our reports we outline the most important things that we have been up to over the past month.
In order that everyone knows what this is about, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries. The motivation behind the reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
In June's report, we will cover:
* **Media coverage** — *Lego bricks, pizza and... Reproducible Builds‽*
* **Upstream news** — *Is Trusting Trust close to a 'rebuttal'?*
* **Events** — *What happened at MiniDebConf Hamburg, the OpenWrt Summit, etc.*
* **Software development** — *Patches patches patches, etc.*
* **Misc news** — *From our mailing list...*
* **Getting in touch**... *and how to contribute.*
---
## Media coverage
* The [Prototype Fund](https://prototypefund.de/en/), an initiative to "aid software developers, hackers and creatives in furthering their ideas from concept to demo" produced a video featuring Holger Levsen explaining Reproducible Builds... using Lego bricks and pizza!
[![]({{ "/images/reports/2019-06/prototypefund.png#center" | relative_url }})](https://www.youtube.com/watch?v=PSxm2DbDHG8)
* Joseph Devietti from [Cloudseal](https://www.cloudseal.io) published a post titled [*An introduction to reproducible builds*](https://www.cloudseal.io/blog/2019-05-15-introduction-to-reproducible-builds) on their blog. It gives a brief overview of the problem and what we are trying to solve, additionally noting the practical point that:
> One key motivation for reproducible builds is to enable peak efficiency for the build caches used in modern build systems.
* Carl Dong gave a presentation entitled [*Bitcoin Build System Security*](https://www.youtube.com/watch?v=I2iShmUTEl8) at the [Breaking Bitcoin](https://breaking-bitcoin.com/) conference in Amsterdam, Netherlands.
---
## Upstream news
* The [Monero](https://www.getmonero.org/) cryptocurrency now offers [full reproducibility for all compiled binaries](https://github.com/monero-project/monero/pull/5633), a feature [first requested in October 2017](https://github.com/monero-project/monero/issues/2641).
[![]({{ "/images/reports/2019-06/fedora.png#right" | relative_url }})](https://getfedora.org/)
* The [Fedora project](https://getfedora.org/) debated setting the [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/docs/source-date-epoch/) environment variable [in all builds via `rpm`](https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/57), an idea that was accepted and merged on the 27th by Igor Gnatenko.
* [Jeremiah Orians announced that version 1.0](https://lists.reproducible-builds.org/pipermail/rb-general/2019-June/001593.html) of the [`mescc-tools-seed`](https://github.com/oriansj/mescc-tools-seed) compiler has been released. For those not familiar with the project, it is the full bootstrap of a cross-platform compiler for the C programming language (written in C itself) from hex, the ultimate goal being able to demonstrate fully-bootstrapped compiler from hex to the [GCC GNU Compiler Collection](https://gcc.gnu.org/). This has many implications in and around [Ken Thompson](https://en.wikipedia.org/wiki/Ken_Thompson)'s [*Trusting Trust*](https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf) attack he outlined in his 1983 [Turing Award Lecture](https://amturing.acm.org/lectures.cfm).
---
## Events
[![]({{ "/images/reports/2019-06/debconf19.png#right" | relative_url }})](https://debconf19.debconf.org)
There were a number of events that included or incorporated members of the Reproducible Builds community this month. If you know of any others, please [do get in touch]({{ "/who/" | relative_url }}). In addition, a number of members of the Reproducible Builds project will be at [DebConf 2019](https://debconf19.debconf.org/) in Curitiba, Brazil and will [present on the status of their work](https://debconf19.debconf.org/talks/30-reproducible-builds-aiming-for-bullseye/).
### MiniDebConf Hamburg 2019
Holger Levsen, Jelle van der Waa, *kpcyrd* and Alexander Couzens attended [MiniDebConf Hamburg 2019](https://wiki.debian.org/DebianEvents/de/2019/MiniDebConfHamburg) and worked on Reproducible Builds. As part of this, Holger gave a status update on the Project with a talk entitled [*Reproducible Builds aiming for bullseye*](https://www.youtube.com/watch?v=vQv4fxDMMPs), referring to the [next Debian release name](https://lists.debian.org/debian-devel-announce/2016/07/msg00002.html):
[![]({{ "/images/reports/2019-06/aimingforbullseye.png#center" | relative_url }})](https://www.youtube.com/watch?v=vQv4fxDMMPs)
Jelle van der Waa kindly gifted Holger with a [Reproducible Builds display](https://github.com/jelly/reproduciblebuilds-display):
[![]({{ "/images/reports/2019-06/reprobuilds-display.jpeg#center" | relative_url }})](https://raw.githubusercontent.com/jelly/reproduciblebuilds-display/master/img/reprobuilds-display.jpeg)
In addition, Lukas Puehringer gave a talk titled [*Building reproducible builds into apt with in-toto*](https://www.youtube.com/watch?v=hbHa4OFv7Qo):
[![]({{ "/images/reports/2019-06/intoto.png#center" | relative_url }})](https://www.youtube.com/watch?v=hbHa4OFv7Qo)
As part of various hacking sessions:
* Jelle van der Waa:
* Improved the [`reproducible_json.py` script](https://salsa.debian.org/qa/jenkins.debian.net/commit/20a7b86ce0a26bd8f8718478c8e8a1612c0af87e) to generate distribution-specific JSON, leading to the availability of an [ArchLinux JSON file](https://tests.reproducible-builds.org/archlinux/reproducible.json).
* Investigated why the [Arch Linux](https://www.archlinux.org/) kernel package is not reproducible, finding out that `KBUILD_BUILD_HOST` and `KGBUILD_BUILD_TIMESTAMP` should be set. The enabling of `CONFIG_MODULE_SIG_ALL` causes the kernel modules to be signed with a (non-deterministic) build-time key if none is provided, leading to unreproducibility.
* [keyutils](https://www.archlinux.org/packages/core/x86_64/keyutils/) was fixed with respect to it embedding the build date in its binary. [[...](https://pkgbuild.com/~jelle/0001-Make-keyutils-reproducible.patch)]
* [nspr](https://www.archlinux.org/packages/core/x86_64/nspr/) was made reproducible in Arch Linux. [[...](https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/nspr&id=3696d15bba92ea14931f842b27654e318055e532)]
* *kpcyrd*:
* Created various Jenkins jobs to generate [Alpine](https://alpinelinux.org/) build chroots, schedule new packages and to ultimately build them. [[...](https://jenkins.debian.net/view/All/job/reproducible_setup_schroot_alpine_jenkins/)][[...](https://jenkins.debian.net/view/All/job/reproducible_alpine_scheduler/)][[...](https://jenkins.debian.net/job/reproducible_builder_alpine_1/)]
* Created an Alpine reproducible testing [overview page](https://tests.reproducible-builds.org/alpine/alpine.html).
* Provided a proof of concept [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/docs/source-date-epoch/) patch for `abuild` to fix timestamp issues in Alpine packages. [[...](https://github.com/kpcyrd/abuild/commit/ea1c11811eaf0a98b5b8ab9c57574a9895d56454.patch)]
* Alexander Couzens:
* Rewrote the database interaction routines for [OpenWrt](https://openwrt.org/).
* Migrated the OpenWrt package parser to use Python 3.x as [Python 2.x will be reaching end-of-life](https://pythonclock.org/) at the end of this year.
* Setup a test environment using a new `README.development` file.
Holger Levsen was on-hand to review and merge all the above commits, providing support and insight into the codebase. He additionally split out a `README.development` from the regular, more-generic `README` file.
### OpenWrt summit
[![]({{ "/images/reports/2019-06/openwrt.png#right" | relative_url }})](https://openwrt.org/)
The [OpenWrt](https://openwrt.org/) project is a Linux operating system targeting embedded devices, particularly wireless network routers. In June, they [hosted a summit](http://lists.infradead.org/pipermail/openwrt-adm/2019-March/001021.html) that [took place from 10th to 12th of the month](http://lists.infradead.org/pipermail/openwrt-adm/2019-March/001012.html).
Here, Holger participated in the discussions regarding `.buildinfo` build-attestation documents. As a result of this, Paul Spooren (*aparcar*) made [a pull request](https://github.com/openwrt/openwrt/pull/2121) to introduce/create a `feeds.buildinfo` (etc) for reproducibility in OpenWrt.
---
## Software development
#### [`buildinfo.debian.net`](https://buildinfo.debian.net)
[![]({{ "/images/reports/2019-06/buildinfo-debian-net.png#right" | relative_url }})](https://buildinfo.debian.net/)
Chris Lamb spent significant time working on [`buildinfo.debian.net`](https://buildinfo.debian.net), his experiment into how to process, store and distribute `.buildinfo` files after the Debian archive software has processed them. This included:
* Started making the move to Python 3.x (and [Django](https://www.djangoproject.com/) 2.x) [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/ef866349fab43000abd6e6115b1120e035f33bf9)][[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/c44c2eaf52defa599a67d1bc02e2e4a58a386e6e)][[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/d27540daeedab116f09e52e4bb186b97861e5d0e)][[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/9a68e9ab1aa13dd8550833dcab924c8818d3277f)][[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/ec475c64274e88244661f3f76374f453b562276c)][[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/c46e48bd52a89b0839a4a17728d6dd96be8a1bc5)][[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/0dcac1d682b151092bd2988b0bc442508c8bda17)] additionally performing a large number of adjacent cleanups including dropping the authentication framework [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/961be8b0b935f84f3c67804453c1508ff1751a5f)], fixing a number of [flake8](http://flake8.pycqa.org/) warnings [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/6f1257b82c89c639ec694c37d7aa6d76fcae38be)], adding a `setup.cfg` to silence some warnings [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/fc7bbc25b163c05a8ef1e74b3a77bf94a40ab30c)], moving to `__str__` and `str.format(...)` over `%`-style interpolation and `u"Unicode"` strings [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/afc77977fa2ad376f828009f532be2581e3bd9b7)], etc.
* Added a number of (as-yet unreleased…) features, including caching the expensive landing page queries. [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/79f5e03946b8550ed41bdee5d811ef6ae846ba52)]
* Took the opportunity to start migrating the hosting from [its current GitHub home](https://gitlab.com/lamby/buildinfo.debian.net) to a [more-centralised repository on salsa.debian.org](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net), moving from the [Travis](https://travis-ci.org/) to the [GitLab](https://docs.gitlab.com/ee/ci/) continuous integration platform, updating the URL to the source in the footer [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/6648cc81fd6243019c8a6e51f828ddfa55dbd758)] and many other related changes [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/24f785113b63a0c2ef159ffd3162be1be72c7561)].
* Applied the [Black](https://black.readthedocs.io/en/stable/) "uncompromising code formatter" to the codebase. [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/7d19e69ca93b1ac31d492f9b13e97f9fbd80870c)]
#### Project website
[![]({{ "/images/reports/2019-06/website.png#right" | relative_url }})](https://reproducible-builds.org/)
There was a significant amount of effort on [our website](https://reproducible-builds.org/) this month.
* Chris Lamb:
* Moved the remaining site to the newer website design. This was a long-outstanding task ([#2](https://salsa.debian.org/reproducible-builds/reproducible-website/issues/2)) and required a huge number of changes, including moving all the event and documentation pages to the new design [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/acf3c33)] and migrating/merging the old `_layouts/page.html` into the new design [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3798f0a)] too. This could then allow for many cleanups including moving/deleting files into cleaner directories, dropping a bunch of example layouts [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c87784a)] and dropping the old "home" layout. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6862829)]
* Added reports to the homepage. ([#16](https://salsa.debian.org/reproducible-builds/reproducible-website/issues/16))
* Re-ordered and merged various top-level sections of the site to make the page easier to parse/navigate [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0487cbb)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/22b6be0)] and updated the documentation for [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/docs/source-date-epoch/) to clarify that the alternative `-r` call to `date(1)` is for compatibility with [BSD](https://en.wikipedia.org/wiki/Berkeley_Software_Distribution) variants of UNIX [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e54666a)].
* Made a large number of visual fixups, particularly to accommodate the principles of [responsive web design](https://en.wikipedia.org/wiki/Responsive_web_design). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/80c0157)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7fed3e5)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/b1a90ca)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/db5d1b5)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/4bbc4c2)]
* Updated the [lint](https://en.wikipedia.org/wiki/Lint_\(software\)) functionality of the build system to check for URIs that are not using `{{ "/foo/" | relative_url }}`-style relative URLs. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ae43b80)]
* Jelle van der Waa updated the [Events]({{ "/events/" | relative_url }}) page to correct invalid [Markdown](https://daringfireball.net/projects/markdown/) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ce6fce8)] and fixed a typo of "distribution" on a previous event page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/824434b)].
* Thomas Vincent added a huge number of videos and slides to the [*Resources*]({{ "/resources/" | relative_url }}) page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/816d66a)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5ec6758)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8efe14a)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/334a2cf)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/303ecdb)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ad622a3)] etc. as well as added a button to link to subtitles [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/050a5f4)] and fixing a bug when displaying metadata links [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5e00011)].
In addition, Atharva Lele added the [Buildroot](https://buildroot.org/) embedded Linux project to the ["Who's involved"]({{ "/who/" | relative_url }}) page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/34dc835)]
#### Test framework
We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org). The following changes were done in the last month:
* Alexander Couzens ([OpenWrt](https://openwrt.org)):
* Rewrite the database interaction routines for [OpenWrt](https://openwrt.org/). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/380d632b)]
* Migrated the OpenWrt package parser to use Python 3.x as [Python 2.x will be reaching end-of-life](https://pythonclock.org/) at the end of this year. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/23a2c60e)]
* Use `IGNORE_ERRORS=n y m` similar to [Buildbot](https://buildbot.net/). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/961e44ec)]
* Holger Levsen:
* Show [Alpine](https://alpinelinux.org/)-related jobs on the job health page. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f3d0a03a)]
* Alpine needs the [`jq`](https://stedolan.github.io/jq/) command-line JSON processor for the new scheduler. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/518f4005)]
* Start a dedicated `README.development` file. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/db7a2b8d)]
* Add support for some nodes running Debian *buster* already. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/33fc2245)]
* Jelle van der Waa:
* Change [Arch Linux](https://www.archlinux.org/) and Alpine `BLACKLIST` status to `blacklist` [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0ab61da0)] and `GOOD` to `reproducible` [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5c62ea9d)] respectfully.
* Add a Jenkins job to generate Arch Linux HTML pages. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2f9aa5ab)]
* Fix the Arch Linux suites in the `reproducible.ini` file. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/fa8e9192)]
* Add an Arch JSON export Jenkins job. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/033bc3e7)]
* Create per-distribution reproducible JSON files. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/20a7b86c)]
* *kpcyrd* ([Alpine](https://alpinelinux.org/)):
* Start adding an Alpine theme. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1f5baa4d)]
* Add an Alpine website. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9a094dae)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ff75924c)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8f59af7b)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6f5b99c1)]
* Add `#alpine-reproducible` to the `KGB` chat bot. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d4f27f79)]
* Use the `apk` version instead of `vercmp`. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/deb36b07)]
* Install/configure various parts of the chroot including passing in Git options [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/44a9116a)], adding the `abuild` group onto more servers [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/70b4466b)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/94e0e647)], installing [GnuPG](https://gnupg.org/) [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c057af34)]
* Build packages using its own scheduler. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/da75876e)] [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a4639713)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a9debc77)]
* Misc maintenance and fixups. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/439af034)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cc03efb5)]
* Mattia Rizzolo:
* Adjust the `setup_pbuilder` script to use `[check-valid-until=no]` instead of `Acquire::Check-Valid-Until` (re. ([#926242](https://bugs.debian.org/926242#92))). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5a51e8af)]
#### Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
* Bernhard M. Wiedemann:
* [argus-client](https://build.opensuse.org/request/show/708470) (Parallelism race condition and silent build failure)
* [benchmark](https://build.opensuse.org/request/show/710381) (Version upgrade, fixing failing to build from FTBFS with `-j1`)
* [ck](https://build.opensuse.org/request/show/710500) (FTBFS with `-j1`, [also fixed upstream](https://github.com/concurrencykit/ck/issues/141))
* [herbstluftwm](https://github.com/herbstluftwm/herbstluftwm/pull/553) (Embedded build date)
* [HSAIL-Tools](https://github.com/HSAFoundation/HSAIL-Tools/pull/54) (Sort Perl hash)
* [lcov](https://github.com/linux-test-project/lcov/pull/68) (A file's [modification time](https://en.wikipedia.org/wiki/Mtime) was being updated by [sed](https://en.wikipedia.org/wiki/Sed))
* [linphone](https://build.opensuse.org/request/show/708862) (Sort Python [`readdir(3)`](https://pubs.opengroup.org/onlinepubs/7908799/xsh/readdir.html), [submitted but ignored upstream](https://github.com/BelledonneCommunications/linphone/pull/112))
* [mypaint](https://build.opensuse.org/request/show/708828) (Sort call to [`readdir(3)`](https://pubs.opengroup.org/onlinepubs/7908799/xsh/readdir.html), [probably upstream](https://github.com/mypaint/libmypaint/pull/108))
* [MozillaFirefox+Thunderbird](https://bugzilla.opensuse.org/show_bug.cgi?id=1137970) (Report parallelism race condition)
* [ndpi](https://build.opensuse.org/request/show/707688) (Fix a date, [already merged upstream](https://github.com/ntop/nDPI/pull/662))
* [oyranos](https://build.opensuse.org/request/show/707785) (Drop build kernel version, [already merged upstream](https://github.com/oyranos-cms/oyranos/pull/52))
* [perl-Alien-SDL](https://build.opensuse.org/request/show/710903) (Sort Perl [`readdir(3)`](https://pubs.opengroup.org/onlinepubs/7908799/xsh/readdir.html)`, [orphaned upstream](https://github.com/PerlGameDev/Alien-SDL/pull/6))
* [perl-Email-Date-Format](https://build.opensuse.org/request/show/708857) (Fix a rare breakage)
* [perl-OLE-Storage\_Lite](https://build.opensuse.org/request/show/711588) (Fix FTBFS when built in 2020, [ignored upstream](https://rt.cpan.org/Public/Bug/Display.html?id=124513))
* [plowshare](https://build.opensuse.org/request/show/709255) (Date, [already upstream](https://github.com/mcrapet/plowshare/pull/98))
* [python-hyper](https://build.opensuse.org/request/show/711311) (Avoid build getting stuck with `-j1`, not upstream)
* [python-nautilus](https://github.com/GNOME/nautilus-python/pull/6) (Python date)
* [python-pgmagick](https://build.opensuse.org/request/show/711741) (Sort [`readdir(3)`](https://pubs.opengroup.org/onlinepubs/7908799/xsh/readdir.html) call, [already merged upstream](https://github.com/hhatto/pgmagick/pull/47))
* [python-qt5](https://build.opensuse.org/request/show/708180) (Sort a Python [`readdir(3)`](https://pubs.opengroup.org/onlinepubs/7908799/xsh/readdir.html) / [`os.walk`](https://docs.python.org/3/library/os.html#os.walk), [submitted upstream](https://www.riverbankcomputing.com/pipermail/pyqt/2019-June/041854.html))
* [python-xmlsec](https://build.opensuse.org/request/show/711589) (Sort a Python [glob](https://docs.python.org/3/library/glob.html) call, [already merged upstream](https://github.com/mehcode/python-xmlsec/pull/91))
* [rakkess](https://github.com/corneliusweig/rakkess/pull/31) (Fix a date and time call in `Makefile`)
* [rclone/cobra](https://github.com/ncw/rclone/pull/3289) (sort [Go programming language](https://golang.org/) hash)
* [rubygem-rice](https://build.opensuse.org/request/show/709984) (Drop unreproducible files)
* [sawfish](https://build.opensuse.org/request/show/709295) (Version update to get all upstream reproducibility fixes)
* [surfraw](https://build.opensuse.org/request/show/709175) (Fix a date, [already upstream](https://gitlab.com/surfraw/Surfraw/merge_requests/2))
* [terraform](https://github.com/hashicorp/terraform/issues/21727) (Report FTBFS when built in 2030)
* [thunarx-python](https://build.opensuse.org/request/show/708993) (Fix a date, not yet upstream)
* [uperf](https://build.opensuse.org/request/show/708992) (Date, [already upstream](https://github.com/uperf/uperf/pull/13))
* [vboot](https://build.opensuse.org/request/show/709449) (Uses a shell date, not yet upstream)
* [vtk](https://gitlab.kitware.com/vtk):
* [Fix a date date](https://gitlab.kitware.com/vtk/vtk/merge_requests/5633) (merged)
* [Sort a Perl hash](https://gitlab.kitware.com/vtk/vtk/merge_requests/5634) (merged)
* Report [a parallelism race](https://gitlab.kitware.com/vtk/vtk/issues/17619) from an unspecified dependency in [CMake](https://cmake.org/)
* [wine](https://bugzilla.opensuse.org/show_bug.cgi?id=1062303) (Report the use of random file names)
* Chris Lamb:
* [#930768](https://bugs.debian.org/930768) filed against [node-d3-fetch](https://tracker.debian.org/pkg/node-d3-fetch).
* [#930769](https://bugs.debian.org/930769) filed against [node-d3-contour](https://tracker.debian.org/pkg/node-d3-contour).
* [#930814](https://bugs.debian.org/930814) filed against [node-d3-hierarchy](https://tracker.debian.org/pkg/node-d3-hierarchy).
* [#930911](https://bugs.debian.org/930911) filed against [node-d3-scale-chromatic](https://tracker.debian.org/pkg/node-d3-scale-chromatic).
* [#931102](https://bugs.debian.org/931102) filed against [combblas](https://tracker.debian.org/pkg/combblas).
* Morten Linderud submitted a patch for [libpod](https://github.com/containers/libpod/pull/3390), a library used to create container pods to [fix a date-related reproducibility issue](https://github.com/containers/libpod/pull/3390) which has subsequently been merged.
* Richard Biener submitted a patch for the [GCC GNU Compiler Collection](https://gcc.gnu.org/) to [fix differences in the runtime debugging info between builds](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90778) in its [D programming language](https://dlang.org/) support.
#### Distribution work
[![]({{ "/images/reports/2019-06/debian.png#left" | relative_url }})](https://debian.org/)
In [Debian](https://www.debian.org/), 39 reviews of packages were added, 3 were updated and 8 were removed this month, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
Chris Lamb also did more work testing of the reproducibility status of [Debian Installer](https://www.debian.org/devel/debian-installer/) images. In particular, he was working around and patching an issue stemming from us testing builds far into the "future". ([#926242](https://bugs.debian.org/926242#92))
In addition, following discussions at [MiniDebConf Hamburg](https://wiki.debian.org/DebianEvents/de/2019/MiniDebConfHamburg), Ivo De Decker reviewed the situation around Debian bug [#869184](https://bugs.debian.org/869184) again ("*dpkg: source uploads including `_amd64.buildinfo` cause problems*") and updated the bug with some recommendations for the next Debian release cycle.
[![]({{ "/images/reports/2019-06/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
Bernhard M. Wiedemann posted his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-06/msg00429.html) for the [openSUSE](https://opensuse.org/) distribution.
#### Other tools
[![]({{ "/images/reports/2019-06/diffoscope.svg#right" | relative_url }})](https://diffoscope.org)
In [diffoscope](https://diffoscope.org) (our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues) Chris Lamb documented that `run_diffoscope` should not be considered a stable API [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/76319f9)] and adjusted the configuration to build [our Docker image](https://salsa.debian.org/reproducible-builds/diffoscope/container_registry) from the current Git checkout, not the Debian archive [[...](https://salsa.debian.org/reproducible-builds/diffoscope/issues/56)]
Lastly, Chris Lamb added support for the clamping of `tIME` chunks in `.png` files [[...](https://salsa.debian.org/reproducible-builds/strip-nondeterminism/issues/7)] to [strip-nondeterminism](https://tracker.debian.org/pkg/strip-nondeterminism), our tool to remove specific non-deterministic results from a completed build.
---
## Misc news
On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this month [Lars Wirzenius](https://liw.fi/) continued conversation regarding [various questions about reproducible builds](https://lists.reproducible-builds.org/pipermail/rb-general/2019-May/001566.html) and their bearing on building a distributed continuous integration system which received many replies (thread index for [May](https://lists.reproducible-builds.org/pipermail/rb-general/2019-May/thread.html#1566) & [June](https://lists.reproducible-builds.org/pipermail/rb-general/2019-June/thread.html#1590)). In addition, Sebastian Huber asked whether [anyone has attempted a reproducible build of a GCC compiler itself](https://lists.reproducible-builds.org/pipermail/rb-general/2019-June/001580.html).
---
If you are interested in contributing the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
* IRC: `#reproducible-builds` on `irc.oftc.net`.
* Twitter: [**@ReproBuilds**](https://twitter.com/ReproBuilds)
* Mailing list: [`rb-general@lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
---
This month's report was written by Alexander Borkowski, Arnout Engelen, Bernhard M. Wiedemann, [Chris Lamb](https://chris-lamb.co.uk/), *heinrich5991*, Holger Levsen, Jelle van der Waa, *kpcyrd* & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.