---
layout: report
year: "2019"
month: "09"
title: "Reproducible Builds in September 2019"
draft: false
date: 2019-10-05 20:43:45
---

**Welcome to the September 2019 report from the [Reproducible Builds]({{ "/" | relative_url }}) project!**
{: .lead}

[![]({{ "/images/reports/2019-09/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})

In these reports we outline the most important things that we have been up to over the past month. As a quick refresher of what our project is about, whilst anyone can inspect the source code of free software for malicious changes, most software is distributed to end users or servers as precompiled binaries. The motivation behind the reproducible builds effort is to ensure zero changes have been introduced during these compilation processes. This is achieved by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

In September's report, we cover:

* **Media coverage & events** — *more presentations, preventing Stuxnet, etc.*
* **Upstream news** — *kernel reproducibility, grafana, systemd, etc.*
* **Distribution work** — *reproducible images in Arch Linux, policy changes in Debian, etc.*
* **Software development** — *yet more work on diffoscope, upstream patches, etc.*
* **Misc news & getting in touch** — *from our mailing list how to contribute, etc*

If you are interested in contributing to our project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.

---

## Media coverage & events

[![]({{ "/images/reports/2019-09/56nRFxA7lPY.jpg#right" | relative_url }})](https://www.youtube.com/watch?v=56nRFxA7lPY)

This month Vagrant Cascadian attended the [2019 GNU Tools Cauldron](https://gcc.gnu.org/wiki/cauldron2019) in Montréal, Canada and gave a presentation entitled [*Reproducible Toolchains for the Win*](https://gcc.gnu.org/wiki/cauldron2019#cauldron2019talks.Reproducible_Toolchains_For_The_Win) ([video](https://www.youtube.com/watch?v=56nRFxA7lPY)).

In addition, [our project was highlighted as part of a presentation](https://media.ccc.de/v/ASG2019-146-rootless-reproducible-hermetic-secure-container-build-showdown#t=407) by [Andrew Martin](https://twitter.com/sublimino) at the [All Systems Go](https://all-systems-go.io/) conference in Berlin titled [*Rootless, Reproducible & Hermetic: Secure Container Build Showdown*](https://cfp.all-systems-go.io/ASG2019/talk/PVYETJ/), and [Björn Michaelsen](https://en.wikipedia.org/wiki/Bj%C3%B6rn_Michaelsen) from the [Document Foundation](https://www.documentfoundation.org/) presented at the [2019 LibreOffice Conference](https://libocon.org/) in Almería in Spain on the status of reproducible builds in the [LibreOffice office suite](https://www.libreoffice.org/).

In academia, Anastasis Keliris and Michail Maniatakos from the [New York University Tandon School of Engineering](https://engineering.nyu.edu/) published a paper titled *ICSREF: A Framework for Automated Reverse Engineering of Industrial Control Systems Binaries* ([PDF](https://arxiv.org/pdf/1812.03478.pdf)) that speaks to concerns regarding the security of Industrial Control Systems (ICS) such as those attacked via [Stuxnet](https://en.wikipedia.org/wiki/Stuxnet). The paper outlines their [ICSREF](https://github.com/momalab/ICSREF) tool for reverse-engineering binaries from such systems and furthermore demonstrates a scenario whereby a commercial smartphone equipped with ICSREF could be easily used to compromise such infrastructure.

[![]({{ "/images/reports/2019-09/seagl.png#right" | relative_url }})](https://seagl.org/)

Lastly, It was announced that Vagrant Cascadian will present a talk at [SeaGL](https://seagl.org) in Seattle, Washington during November titled [*There and Back Again, Reproducibly*](https://osem.seagl.org/conferences/seagl2019/program/proposals/671).

---

## 2019 Summit

[![]({{ "/images/reports/2019-09/summit.jpg#right" | relative_url }})]({{ "/events/Marrakesh2019/" | relative_url }})

Registration for [our fifth annual Reproducible Builds summit]({{ "/events/Marrakesh2019/" | relative_url }}) that will take place between 1st → 8th December in Marrakesh, Morocco has opened and [personal invitations](https://lists.reproducible-builds.org/pipermail/rb-general/2019-September/001651.html) have been sent out.

Similar to previous incarnations of the event, the heart of the workshop will be three days of moderated sessions with surrounding "hacking" days and will include a huge diversity of participants from Arch Linux, coreboot, Debian, F-Droid, GNU Guix, Google, Huawei, in-toto, MirageOS, NYU, openSUSE, OpenWrt, Tails, Tor Project and many more. If you would like to learn more about the event and how to register, please visit our [our dedicated event page](https://reproducible-builds.org/events/Marrakesh2019/).


---

## Upstream news

Ben Hutchings [added documentation to the Linux kernel](https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=fe013f8bc160d79c6e33bb66d9bb0cd24949274c) regarding how to make the build reproducible. As he mentioned in the commit message, the kernel is "actually" reproducible but the end-to-end process was not previously documented in one place and thus Ben describes the workflow and environment needed to ensure a reproducible build.

[Daniel Edgecumbe](https://esotericnonsense.com) submitted [a pull request](https://github.com/systemd/systemd/pull/13482) which was subsequently merged to the logging/journaling component of [systemd](https://www.freedesktop.org/wiki/Software/systemd/) in order that the output of e.g. `journalctl --update-catalog` does not differ between subsequent runs despite there being no changes in the input files.

Jelle van der Waa noticed that if the [grafana](https://grafana.com/) monitoring tool was built within a source tree devoid of [Git](https://git-scm.com/) metadata then the current timestamp was used instead, leading to an unreproducible build. To avoid this, Jelle [submitted a pull request](https://github.com/grafana/grafana/pull/18953) in order that it use [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}) if available.

[Mes](https://gitlab.com/janneke/mes) (a Scheme-based compiler for our "sister" [bootstrappable builds](http://bootstrappable.org) effort) [announced their 0.20 release](https://lists.reproducible-builds.org/pipermail/rb-general/2019-September/001649.html).


---

### Distribution work

[![]({{ "/images/reports/2019-09/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)

Bernhard M. Wiedemann posted [his monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-09/msg00244.html) for the [openSUSE](https://opensuse.org/) distribution. [Thunderbird](https://www.thunderbird.net/) and `kernel-vanilla` packages will be among the larger ones to become reproducible soon and there were additional Python patches to help reproducibility issues of modules written in this language that have C bindings.

[![]({{ "/images/reports/2019-09/openwrt.png#right" | relative_url }})](https://openwrt.org/)

[OpenWrt](https://openwrt.org/) is a Linux-based operating system targeting embedded devices such as wireless network routers. This month, Paul Spooren (*aparcar*) switched the toolchain the use the [GCC](https://gcc.gnu.org/) version 8 by default in order to support the `-ffile-prefix-map=` which permits a varying build path without affecting the binary result of the build [[...](https://lists.infradead.org/pipermail/openwrt-devel/2019-September/019156.html)]. In addition, Paul [updated the `kernel-defaults` package](https://lists.infradead.org/pipermail/openwrt-devel/2019-September/019166.html) to ensure that the [`SOURCE_DATE_EPOCH` environment variable]({{ "/docs/source-date-epoch/" | relative_url }}) is considered when creating the the `/init` directory.

[![]({{ "/images/reports/2019-09/coreboot.png#right" | relative_url }})](https://www.coreboot.org/)

Alexander "*lynxis*" Couzens began working on [a set of build scripts](https://github.com/system-transparency/build.git) for creating firmware and operating system artifacts in the [*coreboot*](https://www.coreboot.org/) distribution.

Lukas Pühringer prepared an upload which was sponsored by Holger Levsen of [`python-securesystemslib` version 0.11.3-1](https://tracker.debian.org/news/1061049/accepted-python-securesystemslib-0113-1-source-all-into-unstable-unstable/) to Debian unstable. `python-securesystemslib` is a dependency of [in-toto](https://github.com/in-toto/in-toto), a framework to protect the integrity of software supply chains.

#### Arch Linux

[![]({{ "/images/reports/2019-09/archlinux.png#right" | relative_url }})](https://archlinux.org)

The `mkinitcpio` component of [Arch Linux](https://www.archlinux.org/) was updated by [Daniel Edgecumbe](https://esotericnonsense.com) in order that it generates reproducible [initramfs images](https://en.wikipedia.org/wiki/Initial_ramdisk) by default, meaning that two subsequent runs of `mkinitcpio` produces two files that are identical at the binary level. The [commit message](https://github.com/archlinux/mkinitcpio/pull/1/files) elaborates on its methodology:

> Timestamps within the initramfs are set to the Unix epoch of 1970-01-01. Note that in order for the build to be fully reproducible, the compressor specified (e.g. gzip, xz) must also produce reproducible archives. At the time of writing, as an inexhaustive example, the lzop compressor is incapable of producing reproducible archives due to the insertion of a runtime timestamp.

In addition, a bug was created to track progress on [making the Arch Linux ISO images reproducible](https://bugs.archlinux.org/task/63683?project=6).

#### Debian

[![]({{ "/images/reports/2019-09/debian.png#right" | relative_url }})](https://debian.org/)

In July, Holger Levsen [filed a bug against the underlying tool](https://bugs.debian.org/932849) that maintains the Debian archive ("[dak](https://wiki.debian.org/DebianDak)") after he noticed that `.buildinfo` metadata files were not being automatically propagated in the case that packages had to be manually approved in "[`NEW` queue](https://ftp-master.debian.org/new.html)". After it was pointed out that the files were being retained in a separate location, [Benjamin Hof proposed a patch](https://bugs.debian.org/932849#22) for the issue [that was merged and deployed this month](https://salsa.debian.org/ftp-team/dak/commit/e29d4c4dca77aea5555aac7a5ea7f665efec688f).

[Aurélien Jarno](https://www.aurel32.net/) filed a bug against the [Debian Policy](https://www.debian.org/doc/debian-policy/) ([#940234](https://bugs.debian.org/940234)) to request a section be added regarding the reproducibility of source packages. Whilst there is already a section about reproducibility in the Policy, it only mentions binary packages. Aurélien suggest that it:

> ... might be a good idea to add a new requirement that repeatedly building the source package in the same environment produces identical `.dsc` files.

In addition, 51 reviews of Debian packages were added, 22 were updated and 47 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Many issue types were added by Chris Lamb including [`buildpath_in_code_generated_by_bison`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/c0d9481b), [`buildpath_in_postgres_opcodes`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/6aacfd67) and [`ghc_captures_build_path_via_tempdir`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/5677943d).

## Software development

#### Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

* Bernhard M. Wiedemann:
    * [`blender`](https://developer.blender.org/D5756) (Python date)
    * [`buzztrax`](https://github.com/Buzztrax/buzztrax/pull/88) (shell date)
    * [`colobot-data`](https://build.opensuse.org/request/show/733640) (sort a Python `readdir`, [forwarded upstream](https://github.com/colobot/colobot-data/pull/41))
    * [`enblend-enfuse`](https://build.opensuse.org/request/show/731759) (date/host/user)
    * [`gmsh`](https://build.opensuse.org/request/show/731075) (hostname/username)
    * [`griefly`](https://build.opensuse.org/request/show/733637) (sort a Python `readdir`, [forwarded upstream](https://github.com/griefly/griefly/pull/508))
    * [`guile`](https://build.opensuse.org/request/show/732638) (disable parallelism)
    * [`latex2html`](https://build.opensuse.org/request/show/733232) (drop LaTeX log file with date)
    * [`MozillaFirefox`](https://build.opensuse.org/request/show/733089) (make [Profile-Guided Optimisation](https://en.wikipedia.org/wiki/Profile-guided_optimization) optional)
    * [`MozillaThunderbird`](https://build.opensuse.org/request/show/732106) (Python date)
    * [`ninja`](https://github.com/ninja-build/ninja/pull/1651) (build failure when build without parallelism)
    * [`python-futures`](https://github.com/agronholm/pythonfutures/pull/92) (fix build failure)
    * [`python-holidays`](https://github.com/dr-prodigy/python-holidays/pull/235) (fix build failure in 2020)
    * [`python-iminuit`](https://github.com/scikit-hep/iminuit/pull/355) (sort a Python [glob](https://docs.python.org/3/library/glob.html))
    * [`python-ioflo`](https://github.com/ioflo/ioflo/pull/41) (fix build failure via security certificate renewal)
    * [`python-keystoneauth1`](https://review.opendev.org/681103) (fix build failure in 2020)
    * [`python-openstackdocstheme`](https://build.opensuse.org/request/show/732328) (date issue)
    * [`python3`](https://build.opensuse.org/request/show/733152)/[`python`](https://build.opensuse.org/request/show/733188) (toolchain, sort `readdir`)
    * [`volk`](https://bugzilla.opensuse.org/show_bug.cgi?id=1152001) (report compile-time CPU-detection)
    * [`wget2`](https://gitlab.com/gnuwget/wget2/merge_requests/450) (drop a build date)

* Chris Lamb ("*lamby*"):
    * [#939546](https://bugs.debian.org/939546) filed against [`libnbd`](https://tracker.debian.org/pkg/libnbd) ([forwarded upstream](https://github.com/libguestfs/libnbd/pull/2))
    * [#939547](https://bugs.debian.org/939547) filed against [`libubootenv`](https://tracker.debian.org/pkg/libubootenv) ([forwarded upstream](https://github.com/sbabic/libubootenv/pull/3))
    * [#939548](https://bugs.debian.org/939548) filed against [`dsdp`](https://tracker.debian.org/pkg/dsdp).
    * [#939549](https://bugs.debian.org/939549) filed against [`sdaps`](https://tracker.debian.org/pkg/sdaps) ([forwarded upstream](https://github.com/sdaps/sdaps/pull/182))
    * [#939650](https://bugs.debian.org/939650) filed against [`libvdpau`](https://tracker.debian.org/pkg/libvdpau).
    * [#940013](https://bugs.debian.org/940013) filed against [`apophenia`](https://tracker.debian.org/pkg/apophenia).
    * [#940156](https://bugs.debian.org/940156) filed against [`pydantic`](https://tracker.debian.org/pkg/pydantic) ([forwarded upstream](https://github.com/samuelcolvin/pydantic/pull/805))
    * [#940639](https://bugs.debian.org/940639) filed against [`vala-panel`](https://tracker.debian.org/pkg/vala-panel).
    * [#941072](https://bugs.debian.org/941072) filed against [`kivy`](https://tracker.debian.org/pkg/kivy).
    * [#941116](https://bugs.debian.org/941116) filed against [`fathom`](https://tracker.debian.org/pkg/fathom).
    * Several [`libguestfs`](http://libguestfs.org/) components [have received a patch](https://www.redhat.com/archives/libguestfs/2019-September/msg00037.html) to support [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}).

* Rebecca N. Palmer:
    * [#941309](https://bugs.debian.org/941309) filed against [node-browserify-lite](https://tracker.debian.org/pkg/node-browserify-lite).

#### [Diffoscope](https://diffoscope.org)

[![]({{ "/images/reports/2019-09/diffoscope.svg#right" | relative_url }})](https://diffoscope.org)

[`diffoscope`](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. It is run countless times a day on [our testing infrastructure](https://tests.reproducible-builds.org/debian/reproducible.html) and is essential for identifying fixes and causes of non-deterministic behaviour.

This month, Chris Lamb uploaded versions `123`, `124` and `125` and made the following changes:

* New features:

    * Add `/srv/diffoscope/bin` to the Docker image path. ([#70](https://salsa.debian.org/reproducible-builds/diffoscope/issues/70))
    * When skipping tests due to the lack of installed tool, print the package that might provide it. [[...](https://salsa.debian.org/reproducible-builds/diffoscope.git/commit/e5b8268)]
    * Update the "no progressbar" logging message to match the parallel `missing tlsh module` warnings. [[...](https://salsa.debian.org/reproducible-builds/diffoscope.git/commit/c381c4a)]
    * Update "requires foo" messages to clarify that they are referring to Python modules. [[...](https://salsa.debian.org/reproducible-builds/diffoscope.git/commit/73ffcdc)]

* Testsuite updates:

    * The `test_libmix_differences` ELF binary test requires the `xxd` tool. ([#940645](https://bugs.debian.org/940645))
    * Build the OCaml test input files on-demand rather than shipping them with the package in order to prevent test failures with OCaml 4.08. ([#67](https://salsa.debian.org/reproducible-builds/diffoscope/issues/67))
    * Also conditionally skip the identification and "no differences" tests as we require the [OCaml](https://ocaml.org/) compiler to be present when building the test files themselves. ([#940471](https://bugs.debian.org/940471))
    * Rebuild our test [squashfs images](https://en.wikipedia.org/wiki/SquashFS) to exclude the character device as they requires root or [fakeroot](https://wiki.debian.org/FakeRoot) to extract. ([#65](https://salsa.debian.org/reproducible-builds/diffoscope/issues/65))

* Many code cleanups, including dropping some unnecessary control flow [[...](https://salsa.debian.org/reproducible-builds/diffoscope.git/commit/ff57b86)], dropping unnecessary `pass` statements [[...](https://salsa.debian.org/reproducible-builds/diffoscope.git/commit/e066e77)] and dropping explicitly inheriting from `object` class as it unnecessary in Python 3 [[...](https://salsa.debian.org/reproducible-builds/diffoscope.git/commit/7c21ed3)].

In addition, Marc Herbert completely overhauled the handling of ELF binaries particularly around many assumptions that were previously being made via file extensions, etc. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/ce6c03f)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/ec7b3ae)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/bee2a11)] and updated the testsuite to support a newer version of the [*coreboot*](https://www.coreboot.org/) utilities. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/29da4e4)]. Mattia Rizzolo then ensured that *diffoscope* does not crash when the progress bar module is missing but the functionality was requested [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/7294ff9)] and made our version checking code more lenient [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e07dfbe)]. Lastly, Vagrant Cascadian not only updated *diffoscope* to versions [123](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=3ec8c0ca942409da6ce06c38f6d8b6ccfc2a943a) and [125](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=3fb581ca9f18fe61e070195f4f8d1a670931b722), he enabled a more complete test suite in the [GNU Guix](https://guix.gnu.org/) distribution. [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=3eb4adc2c41896c202f3d9131c36160c0a1311e6)][[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=68620d62f5cd49d6455c351f3a68e3c41dc6ce22)][[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6ec872231fdf746bd6e11b97f8a6b3a23498806c)][[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=af760990e9651be865ccd20b935863d85f605f2e)][[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4d83157cd806aeb864664ebb380c19f6be04648c)][[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=f315673d9e56f4f2398098590ebdc080b63ce8b1)]

#### Project website

[![]({{ "/images/reports/2019-09/website.png#right" | relative_url }})](https://reproducible-builds.org/)

There was yet more effort put into our [our website](https://reproducible-builds.org/) this month, including:

* Chris Lamb:
    * Add missing image for [in-toto](https://in-toto.io/) on the "[Who is Involved?](https://reproducible-builds.org/who/)" page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/70696b6)]
    * Don't align images when on "extra small" (i.e. mobile) devices as they make the text wrapping look suboptimal. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/cdc12ae)]
    * Use `{% raw %}{% raw %}{% endraw %}` to escape Markdown in templated [Jinja](https://palletsprojects.com/p/jinja/) code. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/ec7c692)]

* Holger Levsen:
    * Add a link to [our style guide](https://reproducible-builds.org/style/) on our "[tools]({{ "/tools/" | relative_url }})" page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/9a6975f)]
    * Rework the handling of news/events, including adding a [news archive page]({{ "/news-archive/" | relative_url }}) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f64c772)] and differentiating between news and reports on the homepage [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/40a6371)].
    * Large number of changes to the "[Who is Involved?]({{ "/who/" | relative_url }})" page, including adding a link to [F-Droid](https://f-droid.org/)'s [verification server](https://verification.f-droid.org/) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/50d4240)] and their verification tool for end-users [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/84d17e4)] as well as adding the [Civil Infrastructure Project](https://www.cip-project.org/) (CIP) as a sponsor [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a431302)]
    * Include a link to our [testing framework](https://tests.reproducible-builds.org/) in all navigation elements. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/692cd67)]
    * Add/improve a number of presentation entries on our [*Talks & Resources*]({{ "/resources/" | relative_url }}) page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/32c861f)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f9b4d8a)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/dbd7c7d)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/872cb04)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/37fd2c6)]

In addition, Cindy Kim added [in-toto](https://in-toto.io/) to our "[Who is Involved?]({{ "/who/" | relative_url }})" page, James Fenn updated [our homepage]({{ "/" | relative_url }}) to fix a number of spelling and grammar issues [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f7e9228)] and Peter Conrad added [BitShares](https://bitshares.org/) to our [list of projects interested in Reproducible Builds]({{ "/who/" | relative_url }}) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d16af27)].

#### strip-nondeterminism

[strip-nondeterminism](https://tracker.debian.org/pkg/strip-nondeterminism) is our tool to remove specific non-deterministic results from successful builds. This month, Marc Herbert made a huge number of changes including:

* GNU [ar](https://en.wikipedia.org/wiki/Ar_(Unix)) handler:
    * Don't corrupt the pseudo file mode of the symbols table.
    * Add test files for "symtab" (`/`) and long names (`//`).
    * Don't corrupt the SystemV/GNU table of long filenames.

* Add a new `$File::StripNondeterminism::verbose` global and, if enabled, tell the user that `ar(1)` could not set the symbol table's [mtime](https://en.wikipedia.org/wiki/Mtime).

In addition, Chris Lamb performed some issue investigation with the [Debian Perl Team](https://wiki.debian.org/Teams/DebianPerlGroup) regarding issues in the [`Archive::Zip`](https://metacpan.org/pod/Archive::Zip) module including a problem with [corruption of members that use `bzip` compression](https://github.com/redhotpenguin/perl-Archive-Zip/issues/26) as well as a regression  whereby [various metadata fields were not being updated](https://github.com/redhotpenguin/perl-Archive-Zip/issues/51) that was reported in/around Debian bug [#940973](https://bugs.debian.org/940973).

#### Test framework

[![]({{ "/images/reports/2019-09/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)

We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org).

* Alexander "*lynxis*" Couzens:
    * Fix missing `.xcompile` in the build system. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8b9bc6ba)]
    * Install the [GNAT](https://www.gnu.org/software/gnat/) Ada compiler on all builders. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/dd31f47c)]
    * Don't install the *iasl* [ACPI](https://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interface) power management compiler/decompiler. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/54aa6650)]

* Holger Levsen:
    * Correctly handle the `$DEBUG` variable in [OpenWrt](https://openwrt.org) builds. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e8342fda)]
    * Fefactor and notify the `#archlinux-reproducible` IRC channel for problems in this distribution. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7d94cf15)]
    * Ensure that only one mail is sent when rebooting nodes. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2d836061)]
    * Unclutter the output of a Debian maintenance job. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/afc2e2fe)]
    * Drop a "todo" entry as we vary on [a merged `/usr`](https://wiki.debian.org/UsrMerge) for some time now. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a489b705)]

In addition, Paul Spooren added an [OpenWrt](https://openwrt.org) snapshot build script which downloads `.buildinfo` and related checksums from the relevant download server and attempts to rebuild and then validate them for reproducibility. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/034491ea)]

The usual node maintenance was performed by Holger Levsen [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e7eb5714)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/764d6ce9)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1625e63b)], Mattia Rizzolo [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/47c6ee51)] and Vagrant Cascadian [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1f1c7218)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1036c5f3)].

#### reprotest

`reprotest` is our end-user tool to build same source code twice in different environments and then check the binaries produced by each build for differences. This month, a change by Dmitry Shachnev was merged to not use the `faketime` wrapper at all when asked to not vary time [[...](https://salsa.debian.org/reproducible-builds/reprotest/commit/034efd8)] and Holger Levsen subsequently released this as version `0.7.9` as dramatically overhauling the packaging [[...](https://salsa.debian.org/reproducible-builds/reprotest/commit/d768b04)][[...](https://salsa.debian.org/reproducible-builds/reprotest/commit/da33646)].


---

## Misc news & getting in touch

On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) Rebecca N. Palmer started a thread titled [Addresses in IPython output](https://lists.reproducible-builds.org/pipermail/rb-general/2019-September/001657.html) which points out and attempts to find a solution to a problem with Python packages, whereby objects that don't have an explicit string representation have a default one that includes their memory address. This causes problems with reproducible builds if/when such output appears in generated documentation.

If you are interested in contributing the Reproducible Builds project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website. However, you can get in touch with us via:

 * IRC: `#reproducible-builds` on `irc.oftc.net`.

 * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)

 * Mailing list: [`rb-general@lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)

<br>

---

This month's report was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Jelle van der Waa, Mattia Rizzolo and Vagrant Cascadian. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.