--- layout: report year: "2020" month: "01" title: "Reproducible Builds in January 2020" draft: false date: 2020-02-10 17:33:36 --- [![]({{ "/images/reports/2020-01/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/) **Welcome to the January 2020 report from the [Reproducible Builds](https://reproducible-builds.org) project.** In our reports we outline the most important things that we have been up to. In this month's report, we cover: * **Upstream news & event coverage** — *Reproducing the Telegram messenger, etc.* * **Software development** — *Updates and improvements to our tooling* * **Distribution work** — *More work in Debian, openSUSE & friends* * **Misc news** — *From our mailing list & how to get in touch etc.* ##### What are reproducible builds? Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries. The motivation behind the reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. If you are interested in contributing, please visit the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website. --- ## Upstream news & event coverage [![]({{ "/images/reports/2020-01/telegram.png#right" | relative_url }})](https://telegram.org) The [Telegram](https://telegram.org/) messaging application has documented [full instructions](https://core.telegram.org/reproducible-builds) for verifying that its original source code is exactly the same code that is used to build the versions available on the Apple App Store and Google Play. Reproducible builds were mentioned in a [panel on Software Distribution with Sam Hartman, Richard Fontana, & Eben Moglen](https://www.youtube.com/watch?v=rMinFopJMW0&t=2121s) at the [Software Freedom Law Center](https://www.softwarefreedom.org/)'s [15h Anniversary Fall Conference](https://www.softwarefreedom.org/events/2019/annual-conference/) (at ~35m21s). [![]({{ "/images/reports/2020-01/scale18x.png#right" | relative_url }})](https://www.socallinuxexpo.org/scale/18x) Vagrant Cascadian will present a talk at [SCALE 18x](https://www.socallinuxexpo.org/scale/18x) in Pasadena, California on March 8th titled [*There and Back Again, Reproducibly*](https://www.socallinuxexpo.org/scale/18x/presentations/there-and-back-again-reproducibly). [Matt Graeber](https://medium.com/@mattifestation) ([@mattifestation](https://twitter.com/mattifestation)) posted on Twitter that: > If you weren't aware of the reason [Portable Executable](https://en.wikipedia.org/wiki/Portable_Executable) timestamps in Win 10 binaries were nonsensical, Raymond's post explains the reason: to support reproducible builds. ... referencing [an article by Raymond Chen](https://devblogs.microsoft.com/oldnewthing/20180103-00/?p=97705) from January 2018 which, amongst other things, mentions: > One of the changes to the Windows engineering system begun in Windows 10 is the move toward reproducible builds. Jan Nieuwenhuizen [announced the release of GNU Mes 0.22](https://lists.reproducible-builds.org/pipermail/rb-general/2020-January/001787.html). Vagrant Cascadian subsequently uploaded this version to [Debian](https://debian.org) which produced a bit-for-bit identical `mescc-mes-static` binary with the `mes-rb5` package in [GNU Guix](https://guix.gnu.org/). ## Software development #### [diffoscope](https://diffoscope.org) [![]({{ "/images/reports/2020-01/diffoscope.png#right" | relative_url }})](https://diffoscope.org) [*diffoscope*](https://diffoscope.org) is our in-depth and content-aware diff-like utility that can locate and diagnose reproducibility issues. It is run countless times a day on [our testing infrastructure](https://tests.reproducible-builds.org/debian/reproducible.html) and is essential for identifying fixes and causes of nondeterministic behaviour. This month, *diffoscope* versions `135` and `136` were uploaded to Debian unstable by Chris Lamb. He also made the following changes to *diffoscope* itself, including: * New features: * Support external difference tools such as [Meld](https://meldmerge.org/), etc. similar to `git-difftool(1)`. ([#87](https://salsa.debian.org/reproducible-builds/diffoscope/issues/87)) * Extract `resources.arsc` files as well as `classes.dex` from Android `.apk` files to ensure that we show the differences there. ([#27](https://salsa.debian.org/reproducible-builds/diffoscope/issues/27)) * Fallback to the regular `.zip` container format for `.apk` files if `apktool` is not available. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/bbbb322)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/6710868)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/85c2100)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/b1b9977)] * Drop `--max-report-size-child` and `--max-diff-block-lines-parent`; scheduled for removal in January 2018. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/fee25e5)] * Append a comment to a difference if we fallback to a less-informative container format but we are missing a tool. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0615036)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/88bc142)] * Bug fixes: * No longer raise a `KeyError` exception if we request an invalid member from a directory container. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/7765669)] * Documentation/workflow improvements: * Clarify that "install X" in various outputs actually refers to system-level packages. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c99cd9b)] * Add a note to the Contributing documentation to suggest enable concurrency when running the tests locally. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/9d88cda)] * Include the `CONTRIBUTING.md` file in the [PyPI.org](https://pypi.org/) release. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0e5a0c5)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/aa9db34)] * Logging improvements: * Log a debug-level message if we cannot open a file as container due to a missing tool to assist in diagnosing issues. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/5757c8b)] * Correct a debug message related to `compare_meta` calls to quote the arguments correctly. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/3e3a18d)] * Add the current `PATH` environment variable to the `Normalising locale...` debug-level message. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/600831b)] * Print the `Starting diffoscope $VERSION` line as the first line of the log as we are, well, starting diffoscope. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/9a200bc)] * If we don't know the HTML output name, don't emit an enigmatically truncated `HTML output for` debug message. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/b709d89)] * Tests: * Don't exhaustively output the entire HTML report when testing the regression for [#875281](https://bugs.debian.org/875281); parsing the JSON and pruning the tree should be enough. ([#84](https://salsa.debian.org/reproducible-builds/diffoscope/issues/84)) * Refresh and update the fixtures for the `.ico` tests to match the latest version of [Imagemagick](https://imagemagick.org/index.php) in Debian unstable. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/614b0d1)] * Code improvements: * Add a `.git-blame-ignore-revs` file to improve the output of `git-blame(1)` by ignoring large changes when introducing the [Black](https://black.readthedocs.io/en/stable/) source code reformatter and update the `CONTRIBUTING.md` guide on how to optionally use it locally. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/4e40f75)] * Add a `noqa` line to avoid a false-positive [Flake8](https://flake8.pycqa.org/en/latest/) "unused import" warning. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8993168)] * Move `logo.svg` to under the `doc/` directory [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f8f0d14)] and make `setup.py` executable [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/efb7bdc)]. * Tidy `diffoscope.main`'s `configure` method. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/d377d3b)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/d2e283c)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/d658583)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8eb852a)] * Drop an assertion that is guaranteed by parallel `if` conditional [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/722d735)] and an unused "Difference" import from the APK comparator. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/026ff74)] * Turn down the "volume" for a recommendation in a comment. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/412fef1)] * Rename the `diffoscope.locale` module to `diffoscope.environ` as we are modifying things beyond just the locale (eg. calling [`tzset`](https://docs.python.org/3/library/time.html), etc.) [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/786ff48)] * Factor-out the generation of `foo not available in path` comment messages into the exception that raises them [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/3a5f46d)] and factor out running all of our many `zipinfo` into a new method [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/3b94c0c)]. * [trydiffoscope](https://try.diffoscope.org) is the web-based version of diffoscope. This month, Chris Lamb fixed the [PyPI.org](https://pypi.org/) release by adding the `trydiffoscope` script itself to the `MANIFEST` file and performing another release cycle. [[...](https://salsa.debian.org/reproducible-builds/trydiffoscope/issues/1)] In addition, Marc Herbert adjusted the [`cbfstool`](https://www.coreboot.org/CBFS) tests to search for expected keywords in the output, rather than specific output [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/d59dd2a)], fixed a misplaced debugging line [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c150ae8)] and added a "Testing" section to the `CONTRIBUTING.rst` [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0beddf1)] file. Vagrant Cascadian updated to diffoscope [135](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=a3bf43481902ff10d02934d252cfb7aaaf3873e6) in [GNU Guix](https://guix.gnu.org/). #### reprotest *reprotest* is our end-user tool to build same source code twice in widely differing environments and then checks the binaries produced by each build for any differences. This month, versions `0.7.11` and `0.7.12` were [uploaded to Debian unstable](https://tracker.debian.org/pkg/reprotest) by Holger Levsen. This month, Iñaki Malerba improved the version test to split on the `+` character [[...](https://salsa.debian.org/reproducible-builds/reprotest/commit/dc67985)] and Ross Vandegrift updated the code to allow the user to override timeouts from the surrounding environment [[...](https://salsa.debian.org/reproducible-builds/reprotest/commit/7f645f9)]. Holger Levsen also made the following additionally changes: * Drop the `short` timeout and use the `install` timeout instead. ([#897442](https://bugs.debian.org/897442)) * Use "real" [reStructuredText](https://docutils.sourceforge.io/rst.html) comments instead of using the `raw` directive. [[...](https://salsa.debian.org/reproducible-builds/reprotest/commit/9eb1017)] * Update the [PyPI](https://pypi.org/) classifier to express we are using Python 3.7 now. [[...](https://salsa.debian.org/reproducible-builds/reprotest/commit/19c6d5a)] #### Other tools * *disorderfs* is our [FUSE](https://en.wikipedia.org/wiki/Filesystem_in_Userspace)-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues. This month, Chris Lamb fixed an issue by ignoring the return values of `fsyncdir` to ensure (for example) `dpkg(1)` can "flush" `/var/lib/dpkg` correctly [[...](https://salsa.debian.org/reproducible-builds/disorderfs/commit/07c6e80)] and merged a change from Helmut Grohne to use the build architecture's version of [pkg-config](https://www.freedesktop.org/wiki/Software/pkg-config/) to permit cross-architecture builds [[...](https://salsa.debian.org/reproducible-builds/disorderfs/commit/520937a)]. * *strip-nondeterminism* is our tool to remove specific non-deterministic results from a completed build. This month, version `1.6.3-2` was [uploaded to Debian unstable](https://tracker.debian.org/news/1095745/accepted-strip-nondeterminism-163-2-source-into-unstable/) by Holger Levsen to bump the Standards-Version. [[...](https://salsa.debian.org/reproducible-builds/strip- nondeterminism/commit/fa551da)] #### Upstream development The Reproducible Builds project detects, dissects and attempts to fix as many unreproducible packages as possible. Naturally, we endeavour to send all of our patches upstream. This month, we wrote another large number of such patches, including: [![]({{ "/images/reports/2020-01/nixos.png#right" | relative_url }})](https://nixos.org/) * Arnout Engelen (for the [NixOS distribution](https://nixos.org)): * [`bash`](https://github.com/NixOS/nixpkgs/pull/77196) (enable `PGRP_PIPE` regardless of build-time kernel version) * [`jitterentropy`](https://github.com/NixOS/nixpkgs/pull/77202) (remove timestamps from [Gzip](https://www.gnu.org/software/gzip/manual/gzip.html)-compressed manpages, [already filed upstream](https://github.com/smuellerDD/jitterentropy-library/commit/0eca18fbd30318f5c2e927be307dc91e43c133b1)) * [`ms-sys`](https://github.com/NixOS/nixpkgs/pull/77096) (remove timestamps from `.gz` manpages, [already upstream](https://sourceforge.net/p/ms-sys/patches/7/)) * Bernhard M. Wiedemann (for the [openSUSE](https://www.opensuse.org/) distribution): * [`ImageMagick`](https://github.com/ImageMagick/ImageMagick/pull/1270) (toolchain, `.png` date) * [`brickv`](https://github.com/Tinkerforge/brickv/pull/23) (sort a Python `glob`/`readdir(3)`) * [`cpython`](https://bugs.python.org/issue34033) (`.pyc` reproducibility) * [`doxygen`](https://github.com/doxygen/doxygen/issues/7474) (merged a toolchain patch to prevent nondeterminism from ASLR) * [`fastjet-contrib`](https://github.com/alisw/fastjet/pull/6) (sort `find` / `readdir`) * [`openjfx`](https://github.com/openjdk/jfx/pull/99) (Java date) * [`ruby`](https://bugs.ruby-lang.org/issues/8709) (Reopen unsorted Ruby `glob` issue) * [`rubygem-sassc`](https://github.com/sass/sassc-ruby/pull/178) (sort a Ruby `readdir(3)`) * Chris Lamb: * [#948279](https://bugs.debian.org/948279) filed against [`python-gmusicapi`](https://tracker.debian.org/pkg/python-gmusicapi). * [#948582](https://bugs.debian.org/948582) filed against [`bochs`](https://tracker.debian.org/pkg/bochs). * [#948872](https://bugs.debian.org/948872) filed against [`pcbasic`](https://tracker.debian.org/pkg/pcbasic). * [#949379](https://bugs.debian.org/949379) filed against [`vmatch`](https://tracker.debian.org/pkg/vmatch). * [#949580](https://bugs.debian.org/949580) filed against [`pkg-js-tools`](https://tracker.debian.org/pkg/pkg-js-tools). * [#949684](https://bugs.debian.org/949684) filed against [`mcomix`](https://tracker.debian.org/pkg/mcomix). * [#949817](https://bugs.debian.org/949817) filed against [`shotcut`](https://tracker.debian.org/pkg/shotcut) ([forwarded upstream](https://github.com/mltframework/shotcut/pull/824)). * [#950138](https://bugs.debian.org/950138) filed against [`pikepdf`](https://tracker.debian.org/pkg/pikepdf) ([forwarded upstream](https://github.com/pikepdf/pikepdf/pull/76)). * Jelle van der Waa ([Arch Linux](https://archlinux.org)): * [`ardour`](https://github.com/ardour/ardour/pull/464/) (hash ordering) * [`drumkv1`](https://github.com/rncbc/drumkv1/pull/31) (remove timestamp from `.gz` manpage) * [`frotz`](https://gitlab.com/DavidGriffith/frotz/issues/189) (drop date) * [`frotz-dumb`](https://bugs.archlinux.org/task/65149) * [`gnutls`](https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/gnutls&id=ef86c4da049e4bdbcee9898a9b9702f4bd9618b5) (remove timestamps from `.gz` manpages) * [`samplv1`](https://github.com/rncbc/samplv1/pull/30) (remove timestamp from `.gz` manpage) * [`sane`](https://gitlab.com/sane-project/backends/issues/228) (date) * [`shards`](https://github.com/crystal-lang/shards/pull/314) (date) * Martin Liška: * [`gcc`](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93274) (toolchain, fixing randomness in some `.o` files, with Alexander Monakov & Richard Biener) * Vagrant Cascadian submitted a large number patches via the Debian bug tracking system targeting the packages [Civil Infrastructure Platform](https://www.cip-project.org/) as identified by the [CIP package set](https://tests.reproducible-builds.org/debian/bullseye/amd64/pkg_set_CIP.html) including: * [#948757](https://bugs.debian.org/948757) & [#948759](https://bugs.debian.org/948759) filed against [`apache2`](https://tracker.debian.org/pkg/apache2). * [#948771](https://bugs.debian.org/948771) filed against [`guile-2.2`](https://tracker.debian.org/pkg/guile-2.2). * [#949114](https://bugs.debian.org/949114) & [#949115](https://bugs.debian.org/949115) filed against [`alsa-tools`](https://tracker.debian.org/pkg/alsa-tools). * [#949270](https://bugs.debian.org/949270) & [#949271](https://bugs.debian.org/949271) filed against [`libtool`](https://tracker.debian.org/pkg/libtool). * [#949273](https://bugs.debian.org/949273) & [#949275](https://bugs.debian.org/949275) filed against [`geoip`](https://tracker.debian.org/pkg/geoip). * [#949324](https://bugs.debian.org/949324) filed against [`groff`](https://tracker.debian.org/pkg/groff). * [#949338](https://bugs.debian.org/949338) filed against [`gettext`](https://tracker.debian.org/pkg/gettext). * [#949341](https://bugs.debian.org/949341) filed against [`sqlite3`](https://tracker.debian.org/pkg/sqlite3). * [#949342](https://bugs.debian.org/949342) & [#949343](https://bugs.debian.org/949343) filed against [`flex`](https://tracker.debian.org/pkg/flex). * [#949346](https://bugs.debian.org/949346) & [#949348](https://bugs.debian.org/949348) filed against [`libnet`](https://tracker.debian.org/pkg/libnet). --- ### Distribution work #### [openSUSE](https://www.opensuse.org/) [![]({{ "/images/reports/2020-01/opensuse.png#right" | relative_url }})](https://www.opensuse.org/) In [openSUSE](https://www.opensuse.org/), Bernhard M. Wiedemann published his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2020-01/msg00296.html) and submitted the following bugs and patches: * [`doxygen`](https://build.opensuse.org/request/show/766399) (toolchain, [ASLR](https://en.wikipedia.org/wiki/Address_space_layout_randomization); already merged upstream) * [`frotz`](https://build.opensuse.org/request/show/765634) (version update & date) * [`gcc9`](https://bugzilla.opensuse.org/show_bug.cgi?id=1160986) (report unreproducible `.o` files, [forwarded upstream](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93274)) * [`mingw*`](https://bugzilla.opensuse.org/show_bug.cgi?id=1160672) (report random filename in `.a` files) * [`perl-TimeDate`](https://build.opensuse.org/request/show/762957) (fix a "year 2020" bug, [forwarded upstream](https://rt.cpan.org/Public/Bug/Display.html?id=124509)) * [`python-sherpa`](https://build.opensuse.org/request/show/760838) (CPU-detection via `--mtune=native`) * [`qpress`](https://build.opensuse.org/request/show/767311) (make PGO reproducible) * [`rubygem-sassc`](https://build.opensuse.org/request/show/763080) (CPU & `readdir`, partially [submitted upsteam](https://github.com/sass/sassc-ruby/pull/178)) * [`stgit`](https://build.opensuse.org/request/show/765317) (recreate unreproducible `.pyc files with fixed filesystem `readdir(3)` order) * [`xmvn`](https://bugzilla.opensuse.org/show_bug.cgi?id=1162112) (report nondeterminism from filesystem order and randomness) Many Python packages were updated to avoid writing `.pyc` files with an embedded random path, including [jupyter-jupyter-wysiwyg](https://build.opensuse.org/request/show/763685), [jupyter-jupyterlab-latex](https://build.opensuse.org/request/show/763683), [python-PsyLab](https://build.opensuse.org/request/show/763260), [python-hupper](https://build.opensuse.org/request/show/763287), [python-ipyevents](https://build.opensuse.org/request/show/763292) (don't rewrite `.zip` file), [python-ipyleaflet](https://build.opensuse.org/request/show/763285), [python-jupyter-require](https://build.opensuse.org/request/show/763266), [python-jupyter_kernel_test](https://build.opensuse.org/request/show/763282), [python-nbdime](https://build.opensuse.org/request/show/763281) (do not rewrite `.zip`, avoid time-based `.pyc`), [python-nbinteract](https://build.opensuse.org/request/show/763263), [python-plaster](https://build.opensuse.org/request/show/763261), [python-pythreejs](https://build.opensuse.org/request/show/763259), [python-sidecar](https://build.opensuse.org/request/show/763257) & [tensorflow](https://build.opensuse.org/request/show/763522) (use `pip install --no-compile`). #### [Debian](https://debian.org/) [![]({{ "/images/reports/2020-01/debian.png#right" | relative_url }})](https://debian.org/) There was yet more progress towards making the [Debian Installer](https://www.debian.org/devel/debian-installer/) images reproducible. Following-on from last months' efforts, Chris Lamb [requested a status update](https://bugs.debian.org/926242#157) on the [Debian bug in question](https://bugs.debian.org/926242). Daniel Schepler posted to the [`debian-devel`](https://lists.debian.org/debian-devel/) mailing list to ask whether "[running dpkg-buildpackage manually from the command line"](https://lists.debian.org/debian-devel/2020/01/msg00263.html) is supported, particularly with respect to having extra packages installed during the package was built either resulted in a failed build or even broken packages (eg. [#948522](https://bugs.debian.org/948522), [#887902](https://bugs.debian.org/887902), etc.). Our `.buildinfo` files could be one solution to this as they record the environment at the time of the package build. Holger disabled scheduling of packages from the "oldstable" *stretch* release on [tests.reproducible-builds.org](https://tests.reproducible-builds.org/). This is the first time since *stretch*'s existence that we are no longer testing this release. [OpenJDK](https://jdk.java.net), a free and open-source implementation of the Java Platform [was updated in Debian](https://tracker.debian.org/news/1094089/accepted-openjdk-11-110610-1-source-into-unstable/) to incorporate a number of patches from Emmanuel Bourg, including: * Make the generated character data source files reproducible. ([#933339](https://bugs.debian.org/933339)) * Make the generated `module-info.java` files reproducible. ([#933342](https://bugs.debian.org/933342)) * Make the generated copyright headers reproducible. ([#933349](https://bugs.debian.org/933349)) * Make the build user reproducible. ([#933373](https://bugs.debian.org/933373)) 83 reviews of Debian packages were added, 32 were updated and 96 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Many issue types were updated by Chris Lamb, including `timestamp`_in_casacore_tables`, `random_identifiers_in_epub_files_generated_by_asciidoc`, `nondeterministic_ordering_in_casacore_tables`, `captures_build_path_in_golang_compiler`, `captures_build_path_via_haskell_adddependentfile` & `png_generated_by_plantuml_captures_kernel_version_and_builddate`. Lastly, Mattia Rizzolo altered the permissions and shared the [`notes.git` repository](https://salsa.debian.org/reproducible-builds/reproducible-notes) which underpins the aforementioned package classifications with the entire "Debian" group on [Salsa](https://salsa.debian.org/), therefore giving all DDs write access to it. This is an attempt to invite more direct contributions instead of merge requests. #### Other distributions [![]({{ "/images/reports/2020-01/freebsd.png#right" | relative_url }})](https://freebsd.org/) The [FreeBSD Project](https://www.freebsd.org/) Tweeted that: > Reproducible builds are turned on by default for `-RELEASE` [[...](https://twitter.com/debdrup/status/1217488583503892480)] ... which targets the next released version of this distribution ([view revision](https://svnweb.freebsd.org/base?view=revision&revision=338642)). [Daniel Ebdrup](https://nullrouted.org/) followed-up to note that this option: > Used to be turned on in `-CURRENT` when it was being tested, but it has been turned off now that there's another branch where it's used, whereas `-CURRENT` has more need to have the revision printed in `uname` (which is one of the things that make a build unreproducible). [[...](https://twitter.com/debdrup/status/1217515991267184645)] [![]({{ "/images/reports/2020-01/alpine.png#right" | relative_url }})](https://alpinelinux.org/) For [Alpine Linux](https://alpinelinux.org/), Holger Levsen disabled the builders run by the Reproducible Builds project as our patch to the `abuild` utility (see [December's report]({{ "/reports/2019-12/" | relative_url }}) doesn't apply anymore and thus all builds have become unreproducible again. Subsequent to this, a patch was merged upstream. [[...](https://github.com/alpinelinux/abuild/pull/110#issuecomment-580195097)] In [GNU Guix](https://guix.gnu.org/), on January 14th, Konrad Hinsen posted a blog post entitled [*Reproducible computations with Guix*](http://guix.gnu.org/blog/2020/reproducible-computations-with-guix/) which, amongst other things remarks that: > The [`guix time-machine` command] machine actually downloads the specified version of Guix and passes it the rest of the command line. You are running the same code again. Even bugs in Guix will be reproduced faithfully! The [Yocto Project](https://www.yoctoproject.org/) reported that they have reproducible cross-built binaries that are independent of both the underlying host distribution the build is run on and independent of the path used for the build. This is now being continually tested on the Yocto Project's automated infrastructure to ensure this state is maintained in the future. #### Project website & documentation [![]({{ "/images/reports/2020-01/website.png#right" | relative_url }})](https://reproducible-builds.org/) There was more work performed on [our website](https://reproducible-builds.org/) this month, including: * Chris Lamb: * Python [`SOURCE_DATE_EPOCH`]({{ "/docs/SOURCE_DATE_EPOCH" | relative_url }}) documentation, clarifying that the second example generates a Python `str`-type, not a `datetime.datetime` [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8eda319)] * Correct word omissions in the report template. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7b54124)] * Link to our [mailing list overview page](https://lists.reproducible-builds.org/listinfo/rb-general) (and not the archives). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6e92676)] * Apply the [Black](https://black.readthedocs.io/en/stable/) source code reformatter to the draft generation script. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/9fdd1cb)] * Move continuous tests heading level to `

` (vs. `

`) to match the other pages. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e1fc0e8)] * Calculate the report authors dynamically. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/21da60b)] * Holger Levsen: * Add [Alpine Linux](https://alpinelinux.org/) to our [projects]({{ "/who/" | relative_url }}) and [testing]({{ "/citests/" | relative_url }}) pages. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/458ff5f)] * Add links to our [list of projects being tested]({{ "/citests/" | relative_url }}) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3fa3de8)] and mark [Fedora](https://getfedora.org/) as being disabled at this time [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/195b811)]. In addition, Arnout Engelen added a [Scala](https://www.scala-lang.org/) programming language example for the [`SOURCE_DATE_EPOCH`]({{ "/docs/SOURCE_DATE_EPOCH" | relative_url }}) environment variable [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/491fce1)], David del Amo updated the link to the [Software Freedom Conversancy](https://sfconservancy.org/) to remove some double parentheses [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f407ea2)] and Peter Wu added a Debian example for the `-ffile-prefix-map` argument to support [Clang](https://clang.llvm.org/) version 10 [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a9ce0b0)]. #### Testing framework [![]({{ "/images/reports/2020-01/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/) We operate a fully-featured and comprehensive [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org). This month, the following changes were made: * Adrian Bunk: * Use the `et_EE` locale/language instead of `fr_CH`. In Estonian, the *z* character is sorted between *s* and *t* which is contrary to common incorrect assumptions about the sorting order of [ASCII](https://en.wikipedia.org/wiki/ASCII) characters.. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d1f68a80)] * Add `ffile_prefix_map_passed_to_clang` to the list of issues filtered as these build failures should be ignored. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ea55e4bc)] * Remove the `ftbfs_build_depends_not_available_on_amd64` from the list of filtered issues as this specific problem no longer exists. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/64a062e3)] * Holger Levsen: * [Debian](https://debian.org/): * Always configure `apt` to ignore expired release files on hosts running in the future. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/30a71a97)] * Create an "oldsuites" page, showing suites we used to test in the past. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ffc13a29)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c1accbfb)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/13550757)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2545eba2)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d9b11c34)] * Schedule more old packages from the *buster* distribution. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e5ebb1fa)] * Deal with shell escaping and other options. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a35cc960)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/872453bb)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b5091f70)] * Reverse the suite ordering on the packages page. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d27e8d3f)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d495b88f)] * Show *bullseye* statistics on dashboard page, moving away from *buster* [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/db5cf9c0)] and additionally omit *stretch* [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5516f56f)]. * [F-Droid](https://f-droid.org/): * Document the increased diskspace requirements; we require over 700 GiB now. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a6a0a691)] * Misc: * Gracefully deal with `umount` problems. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a555f19e)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9f58a8df)] * Run code to show "todo" entries locally. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cdad9995)] * Use `mmdebstrap` instead of `debootstrap`. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6ce1a757)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cab70212)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/464508f1)] * Jelle van der Waa ([Arch Linux](https://archlinux.org/)): * Set the `PACKAGER` variable to a valid string to avoid noise in the logging. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/66c8eee0)] * Add a link to the Arch Linux-specific package page in the overview table. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/95c9006e)] * Mattia Rizzolo: * Fix a hard-coded reference to the current year. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d61c0338)] * Ignore `No server certificate defined` warning messages when automatically parsing logfiles. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1919aa19)] * Vagrant Cascadian special-cased [`u-boot`](https://www.denx.de/wiki/U-Boot/) on the `armhf` architecture: First, do not build the `all` architecture as the dependencies are not available on this architecture [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/08ef4bae)] and also pass the `--binary-arch` argument to `pbuilder` too [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0c838739)]. The usual node maintenance was performed by Mattia Rizzolo [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0c6b7024)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e60be6d4)], Vagrant Cascadian [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/79dbfa03)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d2fcbfab)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d3d94fcc)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/19baf9e9)] and Holger Levsen. --- ## Misc news On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month: [![]({{ "/images/reports/2020-01/docker.png#right" | relative_url }})](https://www.docker.com/) * Chris Lamb [responded in-depth to a thread on *Reproducible system images*](https://lists.reproducible-builds.org/pipermail/rb-general/2020-January/001771.html) that was [started in December](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001750.html) by Lars Wirzenius. This then led to a sub-thread [regarding reproducible Docker images](https://lists.reproducible-builds.org/pipermail/rb-general/2020-January/001779.html). * Holger Levsen [posted a brief request for help](https://lists.reproducible-builds.org/pipermail/rb-general/2020-January/001783.html) regarding the bot that lives on our `#reproducible-builds` IRC channel that interfaces with [our Twitter handle](https://twitter.com/ReproBuilds). If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can also get in touch with us via: * IRC: `#reproducible-builds` on `irc.oftc.net`. * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds) * Reddit: [/r/ReproducibleBuilds](https://reddit.com/r/reproduciblebuilds) * Mailing list: [`rb-general@lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
--- This month's report was written by Arnout Engelen, Bernhard M. Wiedemann, Chris Lamb, `heinrich5991`, Holger Levsen, Jelle van der Waa, Mattia Rizzolo and Vagrant Cascadian. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list. {: .small}