<!DOCTYPE html> <html lang="en" dir="ltr"> <head> <meta charset="utf-8"> <title>Reproducible Builds in September 2024 — reproducible-builds.org</title> <link rel="stylesheet" href="/assets/styles/main.css?1739992063"> <link rel="shortcut icon" type="image/png" href="/assets/images/favicon.png"/> <link href="/assets/fonts/overpass.css" rel="stylesheet"> <link href="/assets/fonts/overpass-mono.css" rel="stylesheet"> <link rel="stylesheet" href="/assets/static/open-iconic-bootstrap.css" /> <link rel="stylesheet" href="/assets/static/bootstrap.min.css"> <link rel="alternate" type="application/rss+xml" title="Reproducible Builds - Posts" href="https://reproducible-builds.org/feed.xml" /> <link rel="alternate" type="application/rss+xml" title="Reproducible Builds - All News" href="https://reproducible-builds.org/blog/index.rss" /> <meta name="viewport" content="width=device-width, initial-scale=1.0"> </head> <body> <div class="container"> <main role="main" class="content-scroll p-3"> <h1><a href="/reports/2024-09/">Reproducible Builds in September 2024</a></h1> <div class="blog-post-content"> <p><a href="https://reproducible-builds.org/"><img src="/images/reports/2024-09/reproducible-builds.png#right" alt="" /></a></p> <p><strong>Welcome to the September 2024 report from the <a href="https://reproducible-builds.org">Reproducible Builds</a> project!</strong></p> <p>Our reports attempt to outline what we’ve been up to over the past month, highlighting news items from elsewhere in tech where they are related. As ever, if you are interested in contributing to the project, please visit our <a href="/contribute/"><em>Contribute</em></a> page on our website.</p> <p><strong>Table of contents:</strong></p> <ol> <li><a href="#new-binsider-tool-to-analyse-elf-binaries">New binsider tool to analyse ELF binaries</a></li> <li><a href="#unreproducibility-of-ghc-haskell-compiler-95-fixed">Unreproducibility of GHC Haskell compiler “95% fixed”</a></li> <li><a href="#mailing-list-summary">Mailing list summary</a></li> <li><a href="#towards-a-100-bit-for-bit-reproducible-os">Towards a 100% bit-for-bit reproducible OS…</a></li> <li><a href="#two-new-reproducibility-related-academic-papers">Two new reproducibility-related academic papers</a></li> <li><a href="#distribution-work">Distribution work</a></li> <li><a href="#diffoscope">diffoscope</a></li> <li><a href="#other-software-development">Other software development</a></li> <li><a href="#android-toolchain-core-count-issue-reported">Android toolchain core count issue reported</a></li> <li><a href="#new-gradle-plugin-for-reproducibility">New Gradle plugin for 
reproducibility</a></li> <li><a href="#website-updates">Website updates</a></li> <li><a href="#upstream-patches">Upstream patches</a></li> <li><a href="#reproducibility-testing-framework">Reproducibility testing framework</a></li> </ol> <hr /> <h3 id="new-binsider-tool-to-analyse-elf-binaries">New <a href="https://binsider.dev/"><code class="language-plaintext highlighter-rouge">binsider</code></a> tool to analyse ELF binaries</h3> <p><a href="https://binsider.dev/"><img src="/images/reports/2024-09/binsider.gif#right" alt="" /></a></p> <p>Reproducible Builds developer <a href="https://blog.orhun.dev/">Orhun Parmaksız</a> has announced a fantastic new tool to analyse the contents of <a href="https://en.wikipedia.org/wiki/Executable_and_Linkable_Format">ELF binaries</a>. According to the <a href="https://github.com/orhun/binsider#readme">project’s <code class="language-plaintext highlighter-rouge">README</code> page</a>:</p> <blockquote> <p>Binsider can perform static and dynamic analysis, inspect strings, examine linked libraries, and perform hexdumps, all within a user-friendly terminal user interface!</p> </blockquote> <p>More information about Binsider’s features and how it works can be found <a href="https://binsider.dev/usage/general-analysis/">within Binsider’s documentation pages</a>.</p> <p><br /></p> <h3 id="unreproducibility-of-ghc-haskell-compiler-95-fixed">Unreproducibility of GHC Haskell compiler “95% fixed”</h3> <p><a href="https://gitlab.haskell.org/ghc/ghc/-/issues/12935#note_583525"><img src="/images/reports/2024-09/ghc-diff.png#right" alt="" /></a></p> <p>A <a href="https://gitlab.haskell.org/ghc/ghc/-/issues/12935">seven-year-old bug</a> about the nondeterminism of object code generated by the <a href="https://www.haskell.org/ghc/">Glasgow Haskell Compiler</a> (GHC) received a <a href="https://gitlab.haskell.org/ghc/ghc/-/issues/12935#note_583525">recent update</a>, consisting of <a href="https://alt-romes.github.io/">Rodrigo Mesquita</a> noting 
that the issue is:</p> <blockquote> <p>95% fixed by [merge request] <a href="https://gitlab.haskell.org/ghc/ghc/-/merge_requests/12680">!12680</a> when <code class="language-plaintext highlighter-rouge">-fobject-determinism</code> is enabled. [<a href="https://gitlab.haskell.org/ghc/ghc/-/issues/12935#note_583525">…</a>]</p> </blockquote> <p>The <a href="https://gitlab.haskell.org/ghc/ghc/-/merge_requests/12680">linked merge request</a> has since been merged, and Rodrigo goes on to say that:</p> <blockquote> <p>After that patch is merged, there are some rarer bugs in both interface file determinism (eg. <a href="https://gitlab.haskell.org/ghc/ghc/-/issues/25170"><code class="language-plaintext highlighter-rouge">#25170</code></a>) and in object determinism (eg. <a href="https://gitlab.haskell.org/ghc/ghc/-/issues/25269"><code class="language-plaintext highlighter-rouge">#25269</code></a>) that need to be taken care of, but the great majority of the work needed to get there should have been merged already. 
When merged, I think we should close this one in favour of the more specific determinism issues like the two linked above.</p> </blockquote> <p><br /></p> <h3 id="mailing-list-summary">Mailing list summary</h3> <p>On <a href="https://lists.reproducible-builds.org/listinfo/rb-general/">our mailing list</a> this month:</p> <ul> <li> <p>Fay Stegerman <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003526.html">let everyone know</a> that she started a <a href="https://tech.lgbt/@obfusk/113081697577399562">thread on the Fediverse</a> about the problems caused by unreproducible <code class="language-plaintext highlighter-rouge">zlib</code>/<code class="language-plaintext highlighter-rouge">deflate</code> compression in <code class="language-plaintext highlighter-rouge">.zip</code> and <code class="language-plaintext highlighter-rouge">.apk</code> files and later <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003547.html">followed up</a> with the results of her subsequent investigation.</p> </li> <li> <p>Long-time developer <em>kpcyrd</em> wrote that “there has been <a href="https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/merge_requests/1">a recent public discussion</a> on the <a href="https://archlinux.org/">Arch Linux</a> GitLab [instance] about the challenges and possible opportunities for making the Linux kernel package reproducible”, all relating to the <code class="language-plaintext highlighter-rouge">CONFIG_MODULE_SIG</code> flag. [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003530.html">…</a>]</p> </li> <li> <p>Bernhard M. Wiedemann followed up on an in-person conversation at our recent <a href="/events/hamburg2024/">Hamburg 2024 summit</a> about the potential presence of Reproducible Builds in recognised standards. 
[<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003539.html">…</a>]</p> </li> <li> <p>Fay Stegerman also wrote about her worry about the “possible repercussions for RB tooling of Debian migrating from <code class="language-plaintext highlighter-rouge">zlib</code> to <code class="language-plaintext highlighter-rouge">zlib-ng</code>” as reproducibility requires identical compressed data streams. [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003543.html">…</a>]</p> </li> <li> <p><a href="https://www.monperrus.net/martin/">Martin Monperrus</a> wrote to the list announcing the latest release of <a href="https://github.com/chains-project/maven-lockfile/"><code class="language-plaintext highlighter-rouge">maven-lockfile</code></a>, which is designed to aid “building Maven projects with integrity”. [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003544.html">…</a>]</p> </li> <li> <p>Lastly, Bernhard M. Wiedemann wrote about the potential role of reproducible builds in combatting silent data corruption, as detailed in a <a href="https://x.com/petereliaskraft/status/1840011158347972765">recent Tweet</a> and <a href="https://dl.acm.org/doi/abs/10.1145/3458336.3465297">scholarly paper</a> on faulty CPU cores. [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003548.html">…</a>]</p> </li> </ul> <p><br /></p> <h3 id="towards-a-100-bit-for-bit-reproducible-os">Towards a 100% bit-for-bit reproducible OS…</h3> <p>Bernhard M. 
Wiedemann began writing about his <a href="https://en.opensuse.org/openSUSE:Reproducible_openSUSE/Part1">journey towards a 100% bit-for-bit reproducible operating system</a> on the <a href="https://en.opensuse.org/Main_Page">openSUSE</a> wiki:</p> <blockquote> <p>This is a report of Part 1 of my journey: building 100% bit-reproducible packages for every package that makes up [openSUSE’s] <code class="language-plaintext highlighter-rouge">minimalVM</code> image. This target was chosen as the smallest useful result/artifact. The larger package-sets get, the more disk-space and build-power is required to build/verify all of them.</p> </blockquote> <p>This work was sponsored by <a href="https://nlnet.nl/">NLnet</a>’s <a href="https://nlnet.nl/NGI0/">NGI Zero</a> fund.</p> <p><br /></p> <h3 id="two-new-reproducibility-related-academic-papers">Two new reproducibility-related academic papers</h3> <p><a href="https://doi.org/10.5281/zenodo.13843189"><img src="/images/reports/2024-09/paper-10.5281-zenodo-13843189.png#right" alt="" /></a></p> <p><a href="https://strangfeld.io/">Marvin Strangfeld</a> published his bachelor thesis, “<a href="https://doi.org/10.5281/zenodo.13843189"><em>Reproducibility of Computational Environments for Software Development</em></a>” from <a href="https://www.rwth-aachen.de">RWTH Aachen University</a>. The author offers a more precise theoretical definition of computational environments compared to previous definitions, which can be applied to describe real-world computational environments. Additionally, Marvin provides a definition of reproducibility in computational environments, enabling discussions about the extent to which an environment can be made reproducible. 
The thesis is <a href="https://doi.org/10.5281/zenodo.13843189">available to browse or download in PDF format</a>.</p> <p><a href="https://mcis.cs.queensu.ca/publications/2024/ieeesw-shenyu.pdf"><img src="/images/reports/2024-09/paper.ieeesw-shenyu.png#right" alt="" /></a></p> <p>In addition, Shenyu Zheng, Bram Adams and Ahmed E. Hassan of <a href="https://www.queensu.ca/">Queen’s University, ON, Canada</a> have <a href="https://mcis.cs.queensu.ca/publications/2024/ieeesw-shenyu.pdf">published an article</a> on “hermeticity” in <a href="https://bazel.build/">Bazel</a>-based build systems:</p> <blockquote> <p>A hermetic build system manages its own build dependencies, isolated from the host file system, thereby securing the build process. Although, in recent years, new artifact-based build technologies like <a href="https://bazel.build/">Bazel</a> offer build hermeticity as a core functionality, no empirical study has evaluated how effectively these new build technologies achieve build hermeticity. This paper studies 2,439 non-hermetic build dependency packages of 70 Bazel-using open-source projects by analyzing 150 million Linux system file calls collected in their build processes. We found that none of the studied projects has a completely hermetic build process, largely due to the use of non-hermetic top-level toolchains. [<a href="https://mcis.cs.queensu.ca/publications/2024/ieeesw-shenyu.pdf">…</a>]</p> </blockquote> <p><br /></p> <h3 id="distribution-work">Distribution work</h3> <p><a href="https://debian.org/"><img src="/images/reports/2024-09/debian.png#right" alt="" /></a></p> <p>In Debian this month, 14 reviews of Debian packages were added, 12 were updated and 20 were removed, all adding to <a href="https://tests.reproducible-builds.org/debian/index_issues.html">our knowledge about identified issues</a>. A number of issue types were updated as well. 
[<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/7ee69bc5">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/5ade3942">…</a>]</p> <p>In addition, Holger opened 4 bugs against the <code class="language-plaintext highlighter-rouge">debrebuild</code> component of the <a href="https://salsa.debian.org/debian/devscripts"><em>devscripts</em></a> suite of tools. In particular:</p> <ul> <li><a href="https://bugs.debian.org/1081047"><code class="language-plaintext highlighter-rouge">#1081047</code></a>: Fails to download <code class="language-plaintext highlighter-rouge">.dsc</code> file.</li> <li><a href="https://bugs.debian.org/1081048"><code class="language-plaintext highlighter-rouge">#1081048</code></a>: Does not work with a proxy.</li> <li><a href="https://bugs.debian.org/1081050"><code class="language-plaintext highlighter-rouge">#1081050</code></a>: Fails to create a <code class="language-plaintext highlighter-rouge">debrebuild.tar</code>.</li> <li><a href="https://bugs.debian.org/1081839"><code class="language-plaintext highlighter-rouge">#1081839</code></a>: Fails with <code class="language-plaintext highlighter-rouge">E: mmdebstrap failed to run</code> error.</li> </ul> <p>Last month, an <a href="https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/368">issue was filed</a> to update the <a href="https://salsa.debian.org/salsa-ci-team/pipeline">Salsa CI pipeline</a> (used by 1,000s of Debian packages) to no longer test for reproducibility with <em>reprotest</em>’s <code class="language-plaintext highlighter-rouge">build_path</code> variation. Holger Levsen <a href="https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/368#note_520933">provided a rationale</a> for this change in the issue, which has already been made to the tests being performed by <a href="https://tests.reproducible-builds.org"><em>tests.reproducible-builds.org</em></a>. 
This month, <a href="https://salsa.debian.org/salsa-ci-team/pipeline/-/commit/3e772018954782b02114d8c95f9972bc950fde92">this issue was closed by Santiago R. R.</a>, nicely explaining that build path variation is no longer the default, and, if desired, how developers may enable it again.</p> <p><a href="https://www.opensuse.org/"><img src="/images/reports/2024-09/opensuse.png#right" alt="" /></a></p> <p>In openSUSE news, Bernhard M. Wiedemann <a href="https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/3CRGGASV7HFS5NQ4ECQ3DKPIJCCRKAYY/">published another report</a> for that distribution.</p> <p><br /></p> <h3 id="diffoscope"><a href="https://diffoscope.org"><em>diffoscope</em></a></h3> <p><a href="https://diffoscope.org/"><img src="/images/reports/2024-09/diffoscope.png#right" alt="" /></a></p> <p><a href="https://diffoscope.org">diffoscope</a> is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading version <code class="language-plaintext highlighter-rouge">278</code> to Debian:</p> <ul> <li> <p>New features:</p> <ul> <li>Add a helpful contextual message to the output if comparing Debian <code class="language-plaintext highlighter-rouge">.orig</code> tarballs within <code class="language-plaintext highlighter-rouge">.dsc</code> files without the ability to “fuzzy-match” away the leading directory. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/e748a477">…</a>]</li> </ul> </li> <li> <p>Bug fixes:</p> <ul> <li>Drop removal of calculated <code class="language-plaintext highlighter-rouge">os.path.basename</code> from GNU <code class="language-plaintext highlighter-rouge">readelf</code> output. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/74bd931d">…</a>]</li> <li>Correctly invert “X% similar” value and do not emit “100% similar”. 
[<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/7ec9db5d">…</a>]</li> </ul> </li> <li> <p>Misc:</p> <ul> <li>Temporarily remove <code class="language-plaintext highlighter-rouge">procyon-decompiler</code> from <code class="language-plaintext highlighter-rouge">Build-Depends</code> as it was removed from testing (via <a href="https://bugs.debian.org/1057532">#1057532</a>). (<a href="https://bugs.debian.org/1082636">#1082636</a>)</li> <li>Update copyright years. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/021d9cf8">…</a>]</li> </ul> </li> </ul> <p>For <a href="https://try.diffoscope.org"><em>trydiffoscope</em></a>, the command-line client for the web-based version of <em>diffoscope</em>, Chris Lamb also:</p> <ul> <li>Added an explicit <code class="language-plaintext highlighter-rouge">python3-setuptools</code> dependency. (<a href="https://bugs.debian.org/1080825">#1080825</a>)</li> <li>Bumped the <code class="language-plaintext highlighter-rouge">Standards-Version</code> to 4.7.0. [<a href="https://salsa.debian.org/reproducible-builds/trydiffoscope/commit/392e64d">…</a>]</li> </ul> <p><br /></p> <h3 id="other-software-development">Other software development</h3> <p><a href="https://tracker.debian.org/pkg/disorderfs"><em>disorderfs</em></a> is our <a href="https://en.wikipedia.org/wiki/Filesystem_in_Userspace">FUSE</a>-based filesystem that deliberately introduces non-determinism into system calls to reliably flush out reproducibility issues. 
This month, version <code class="language-plaintext highlighter-rouge">0.5.11-4</code> was <a href="https://tracker.debian.org/news/1570782/accepted-disorderfs-0511-4-source-into-unstable/">uploaded to Debian unstable</a> by Holger Levsen making the following changes:</p> <ul> <li>Replace build-dependency on the obsolete <code class="language-plaintext highlighter-rouge">pkg-config</code> package with one on <code class="language-plaintext highlighter-rouge">pkgconf</code>, following a <a href="https://wiki.debian.org/Lintian">Lintian</a> check. [<a href="https://salsa.debian.org/reproducible-builds/disorderfs/commit/0211d95">…</a>]</li> <li>Bump <code class="language-plaintext highlighter-rouge">Standards-Version</code> field to 4.7.0, with no related changes needed. [<a href="https://salsa.debian.org/reproducible-builds/disorderfs/commit/d500480">…</a>]</li> </ul> <p><br /></p> <p>In addition, <a href="https://salsa.debian.org/reproducible-builds/reprotest"><em>reprotest</em></a> is our tool for building the same source code twice in different environments and then checking the binaries produced by each build for any differences. 
This month, version <code class="language-plaintext highlighter-rouge">0.7.28</code> was <a href="https://tracker.debian.org/news/1561430/accepted-reprotest-0728-source-into-unstable/">uploaded to Debian unstable</a> by Holger Levsen including a change by Jelle van der Waa to move away from the <code class="language-plaintext highlighter-rouge">pipes</code> Python module to <code class="language-plaintext highlighter-rouge">shlex</code>, as the former will be removed in Python version 3.13 [<a href="https://salsa.debian.org/reproducible-builds/reprotest/commit/b7a2104">…</a>].</p> <p><br /></p> <h3 id="android-toolchain-core-count-issue-reported">Android toolchain core count issue reported</h3> <p>Fay Stegerman <a href="https://issuetracker.google.com/issues/366412380">reported an issue with the Android toolchain</a> where a part of the build system generates a different <code class="language-plaintext highlighter-rouge">classes.dex</code> file (and thus a different <code class="language-plaintext highlighter-rouge">.apk</code>) depending on the number of cores available during the build, thereby breaking Reproducible Builds:</p> <blockquote> <p>We’ve rebuilt <a href="https://github.com/TheLastProject/ShareToInputStick/releases/tag/v3.6.1">[tag <code class="language-plaintext highlighter-rouge">v3.6.1</code>]</a> multiple times (each time in a fresh container): with 2, 4, 6, 8, and 16 cores available, respectively:</p> <ul> <li>With 2 and 4 cores we always get an unsigned APK with SHA-256 <code class="language-plaintext highlighter-rouge">14763d682c9286ef…</code>.</li> <li>With 6, 8, and 16 cores we get an unsigned APK with SHA-256 <code class="language-plaintext highlighter-rouge">35324ba4c492760…</code> instead.</li> </ul> </blockquote> <p><br /></p> <h3 id="new-gradle-plugin-for-reproducibility"><a href="https://github.com/gradlex-org/reproducible-builds">New Gradle plugin for reproducibility</a></h3> <p><a 
href="https://github.com/gradlex-org/reproducible-builds"><img src="/images/reports/2024-09/gradle.png#right" alt="" /></a></p> <p>A new plugin for the <a href="https://gradle.org/">Gradle</a> build tool for Java has been released. This <a href="https://github.com/gradlex-org/reproducible-builds#usage">easily-enabled plugin</a> results in:</p> <blockquote> <p>reproducibility settings [being] applied to some of Gradle’s built-in tasks that should really be the default. Compatible with Java 8 and Gradle 8.3 or later.</p> </blockquote> <p><br /></p> <h3 id="website-updates">Website updates</h3> <p><a href="/"><img src="/images/reports/2024-09/website.png#right" alt="" /></a></p> <p>There were a rather substantial number of improvements made to our website this month, including:</p> <ul> <li> <p>Chris Lamb:</p> <ul> <li>Attempt to use GitLab CI to ‘artifact’ the website; hopefully useful for testing branches. [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f1f98564">…</a>]</li> <li>Correct the linting rule whilst building the website. [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e72d54fd">…</a>]</li> <li>Make a number of small changes to Kees’ post written by Vagrant. [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f13914e5">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5ef0e7d3">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5eb0421d">…</a>]</li> <li>Add the <a href="https://www.cip-project.org/">Civil Infrastructure Platform</a> to the <a href="https://reproducible-builds.org/who/projects/"><em>Projects</em></a> page. [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/33b4dfd5">…</a>]</li> <li>Miscellaneous administration of misfiled images. 
[<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8f252f66">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ebcb3ec0">…</a>]</li> </ul> </li> <li> <p>Evangelos Tzaras made a huge number of changes related to the recent <a href="/events/hamburg2024/">Hamburg 2024 summit</a> [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3cbc7c7f">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1d1cdfb8">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f146906c">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6703515c">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/41bb491c">…</a>] as well as proposed an <a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8a12fdd3">infographic about which question Reproducible Builds is trying to answer</a>.</p> </li> <li> <p>Holger Levsen added his two presentations (<a href="https://debconf24.debconf.org/talks/18-reproducible-builds-the-first-eleven-years/"><em>Reproducible Builds: The First Eleven Years</em></a> and <a href="https://debconf24.debconf.org/talks/17-preserving-other-build-artifacts/"><strong><em>Preserving *other* build artifacts</em></strong></a>) to the website. [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7a661236">…</a>]</p> </li> <li> <p>Jelle van der Waa completely modernised the <a href="/docs/system-images/">System Images</a> documentation, noting that “a lot has changed since 2017(!); <code class="language-plaintext highlighter-rouge">ext4</code>, <code class="language-plaintext highlighter-rouge">erofs</code> and <code class="language-plaintext highlighter-rouge">FAT</code> filesystems can now be made reproducible”. 
[<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/672c19a3">…</a>]</p> </li> <li> <p>Developer <em>RyanSquared</em> replaced the continuous integration test link for <a href="https://archlinux.org/">Arch Linux</a> on our <a href="/who/projects/">Projects</a> page with <a href="https://reproducible.archlinux.org/">an external instance</a> [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/67d13a6c">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/eaa4ba9b">…</a>] as well as updated the documentation to reflect the dependencies required to build the website [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/634587d6">…</a>].</p> </li> <li> <p>Vagrant Cascadian pushed a <a href="https://reproducible-builds.org/news/2024/09/29/supporter-spotlight-kees-cook/">lengthy interview with Linux developer Kees Cook</a>. [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/53a4b2f6">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f935cd0b">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2c1f10e7">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/04eb01ff">…</a>]</p> </li> </ul> <p><br /></p> <h3 id="upstream-patches">Upstream patches</h3> <p>The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:</p> <ul> <li> <p>Bernhard M. 
Wiedemann:</p> <ul> <li><a href="https://github.com/openSUSE/agama/pull/1576"><code class="language-plaintext highlighter-rouge">agama-integration-tests</code></a> (random)</li> <li><a href="https://build.opensuse.org/request/show/1203242"><code class="language-plaintext highlighter-rouge">contrast</code></a> (FTBFS-nocheck)</li> <li><a href="https://github.com/python/cpython/issues/124851"><code class="language-plaintext highlighter-rouge">cpython</code></a> (FTBFS-2038)</li> <li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1230281"><code class="language-plaintext highlighter-rouge">crash</code></a> (parallelism, race)</li> <li><a href="https://mail.gnu.org/archive/html/bug-ghostscript/2024-09/msg00000.html"><code class="language-plaintext highlighter-rouge">ghostscript</code></a> (toolchain date)</li> <li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1230879"><code class="language-plaintext highlighter-rouge">glycin-loaders</code></a> (FTBFS <code class="language-plaintext highlighter-rouge">-j1</code>)</li> <li><a href="https://gitlab.freedesktop.org/gstreamer/gst-plugins-rs/-/issues/599"><code class="language-plaintext highlighter-rouge">gstreamer-plugins-rs</code></a> (date, other)</li> <li><a href="https://lore.kernel.org/linux-doc/33018311-0bdf-4258-b0c0-428a548c710d@suse.de/T/#t"><code class="language-plaintext highlighter-rouge">kernel-doc/Sphinx</code></a> (toolchain bug, parallelism/race)</li> <li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1230414"><code class="language-plaintext highlighter-rouge">kernel</code></a> (parallelism in BTF)</li> <li><a href="https://bugs.libcamera.org/show_bug.cgi?id=233"><code class="language-plaintext highlighter-rouge">libcamera</code></a> (random key)</li> <li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1230850"><code class="language-plaintext highlighter-rouge">libgtop</code></a> (<code class="language-plaintext highlighter-rouge">uname -r</code>)</li> <li><a 
href="https://build.opensuse.org/request/show/1202178"><code class="language-plaintext highlighter-rouge">libsamplerate</code></a> (random temporary directory)</li> <li><a href="https://build.opensuse.org/request/show/1204160"><code class="language-plaintext highlighter-rouge">lua-luarepl</code></a> (FTBFS)</li> <li><a href="https://github.com/mesonbuild/meson-python/issues/671"><code class="language-plaintext highlighter-rouge">meson</code></a> (toolchain)</li> <li><a href="https://build.opensuse.org/request/show/1203216"><code class="language-plaintext highlighter-rouge">netty</code></a> (modification time in <code class="language-plaintext highlighter-rouge">.a</code>)</li> <li><a href="https://github.com/NVIDIA/nvidia-persistenced/pull/12"><code class="language-plaintext highlighter-rouge">nvidia-persistenced</code></a> (date)</li> <li><a href="https://build.opensuse.org/request/show/1203885"><code class="language-plaintext highlighter-rouge">nvidia-xconfig</code></a> (date-related issue)</li> <li><a href="https://github.com/openSUSE/obs-build/issues/1030"><code class="language-plaintext highlighter-rouge">obs-build</code></a> (build-tooling corruption)</li> <li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1230137"><code class="language-plaintext highlighter-rouge">perl</code></a> (Perl records kernel version)</li> <li><a href="https://build.opensuse.org/request/show/1202479"><code class="language-plaintext highlighter-rouge">pinentry</code></a> (make <a href="https://git.enlightenment.org/enlightenment/efl/issues/41">efl</a> droppable)</li> <li><a href="https://github.com/PyGithub/PyGithub/pull/3045"><code class="language-plaintext highlighter-rouge">python-PyGithub</code></a> (FTBFS 2024-11-25)</li> <li><a href="https://github.com/sphinx-doc/sphinx/issues/6714"><code class="language-plaintext highlighter-rouge">python-Sphinx</code></a> (parallelism/race)</li> <li><a href="https://build.opensuse.org/request/show/1202316"><code 
class="language-plaintext highlighter-rouge">python-chroma-hnswlib</code></a> (CPU)</li> <li><a href="https://github.com/Instagram/LibCST/pull/1213"><code class="language-plaintext highlighter-rouge">python-libcst</code></a></li> <li><a href="https://github.com/pygraphviz/pygraphviz/issues/541"><code class="language-plaintext highlighter-rouge">python-pygraphviz</code></a> (random timing)</li> <li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1230906"><code class="language-plaintext highlighter-rouge">python312</code></a> (<code class="language-plaintext highlighter-rouge">.pyc</code> embeds modification time)</li> <li><a href="https://build.opensuse.org/request/show/1204725"><code class="language-plaintext highlighter-rouge">python312</code></a> (drop <code class="language-plaintext highlighter-rouge">.pyc</code> from documentation time)</li> <li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1230361"><code class="language-plaintext highlighter-rouge">scap-security-guide</code></a> (date)</li> <li><a href="https://gitlab.gnome.org/GNOME/seahorse/-/issues/394"><code class="language-plaintext highlighter-rouge">seahorse</code></a> (parallelism)</li> <li><a href="https://build.opensuse.org/request/show/1203785"><code class="language-plaintext highlighter-rouge">subversion</code></a> (minor Java <code class="language-plaintext highlighter-rouge">.jar</code> modification times)</li> <li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1230856"><code class="language-plaintext highlighter-rouge">xen/acpica</code></a> (date-related issue in toolchain)</li> <li><a href="https://github.com/fedora-java/xmvn/commit/1f79bc89caf3a75556a72430a524df84a16bde2b"><code class="language-plaintext highlighter-rouge">xmvn</code></a> (random)</li> </ul> </li> <li>Fridrich Strba: <ul> <li><a href="https://build.opensuse.org/request/show/1201917"><code class="language-plaintext highlighter-rouge">ant</code></a> (jar mtime)</li> <li><a 
href="https://github.com/fedora-java/xmvn/pull/298"><code class="language-plaintext highlighter-rouge">xmvn</code></a> (various fixes)</li> </ul> </li> <li> <p>Chris Lamb:</p> <ul> <li><a href="https://bugs.debian.org/1082702">#1082702</a> filed against <a href="https://tracker.debian.org/pkg/magic-wormhole-transit-relay"><code class="language-plaintext highlighter-rouge">magic-wormhole-transit-relay</code></a>.</li> <li><a href="https://bugs.debian.org/1082706">#1082706</a> filed against <a href="https://tracker.debian.org/pkg/python-sphobjinv"><code class="language-plaintext highlighter-rouge">python-sphobjinv</code></a>.</li> <li><a href="https://bugs.debian.org/1082707">#1082707</a> filed against <a href="https://tracker.debian.org/pkg/lomiri-content-hub"><code class="language-plaintext highlighter-rouge">lomiri-content-hub</code></a>.</li> <li><a href="https://bugs.debian.org/1082796">#1082796</a> filed against <a href="https://tracker.debian.org/pkg/python-mt-940"><code class="language-plaintext highlighter-rouge">python-mt-940</code></a>.</li> <li><a href="https://bugs.debian.org/1082806">#1082806</a> filed against <a href="https://tracker.debian.org/pkg/tree-puzzle"><code class="language-plaintext highlighter-rouge">tree-puzzle</code></a>.</li> <li><a href="https://bugs.debian.org/1083053">#1083053</a> filed against <a href="https://tracker.debian.org/pkg/muon-meson"><code class="language-plaintext highlighter-rouge">muon-meson</code></a>.</li> </ul> </li> <li> <p>James Addison:</p> <ul> <li><a href="https://github.com/Guake/guake/pull/2257"><code class="language-plaintext highlighter-rouge">guake</code></a> (fix a parallelism/timing-race build bug)</li> <li><a href="https://github.com/bskinn/sphobjinv/issues/299"><code class="language-plaintext highlighter-rouge">sphobjinv</code></a> (duplicates fix from Debian bug #1082706)</li> </ul> </li> </ul> <p><br /></p> <h3 id="reproducibility-testing-framework">Reproducibility testing framework</h3> <p><a 
href="https://tests.reproducible-builds.org/"><img src="/images/reports/2024-09/testframework.png#right" alt="" /></a></p> <p>The Reproducible Builds project operates a comprehensive testing framework running primarily at <a href="https://tests.reproducible-builds.org"><em>tests.reproducible-builds.org</em></a> in order to check packages and other artifacts for reproducibility. In September, a number of changes were made by Holger Levsen, including:</p> <ul> <li> <p><a href="https://debian.org/">Debian</a>-related changes:</p> <ul> <li>Upgrade the <code class="language-plaintext highlighter-rouge">osuosl4</code> node to Debian <em>trixie</em> in anticipation of running <code class="language-plaintext highlighter-rouge">debrebuild</code> and <code class="language-plaintext highlighter-rouge">rebuilderd</code> there. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/bdae2a9b6">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/95aae5420">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/a01d57d6e">…</a>]</li> <li>Temporarily mark the <code class="language-plaintext highlighter-rouge">osuosl4</code> node as offline due to ongoing <code class="language-plaintext highlighter-rouge">xfs_repair</code> filesystem maintenance. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/ae7103edf">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/a452842af">…</a>]</li> <li>Do not warn about (very old) broken nodes. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/5fd46f2ce">…</a>]</li> <li>Add the <code class="language-plaintext highlighter-rouge">riscv64</code> architecture to the multiarch version skew tests for Debian <em>trixie</em> and <em>sid</em>.
[<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/592996dc8">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/271d325b6">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/e0d15de91">…</a>]</li> <li>Mark the <code class="language-plaintext highlighter-rouge">virt{32,64}b</code> nodes as down. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/2a4d655ac">…</a>]</li> </ul> </li> <li> <p>Misc changes:</p> <ul> <li>Add support for powercycling OpenStack instances. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/74c2c0534">…</a>]</li> <li>Update <a href="https://github.com/fail2ban/fail2ban"><code class="language-plaintext highlighter-rouge">fail2ban</code></a> to ban hosts for 4 weeks in total [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/7869acbc2">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/30c12eb56">…</a>] and take care to never ban our own <a href="https://www.jenkins.io/">Jenkins</a> instance.
[<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/ad7800062">…</a>]</li> </ul> </li> </ul> <p>In addition, Vagrant Cascadian recorded a disk failure for the <code class="language-plaintext highlighter-rouge">virt32b</code> and <code class="language-plaintext highlighter-rouge">virt64b</code> nodes [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/919810c8b">…</a>], performed some maintenance of the <code class="language-plaintext highlighter-rouge">cbxi4a</code> node [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/d4a48600d">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/145c7969d">…</a>] and marked most <code class="language-plaintext highlighter-rouge">armhf</code> architecture systems as being back online.</p> <p><br /></p> <hr /> <p>Finally, if you are interested in contributing to the Reproducible Builds project, please visit our <a href="https://reproducible-builds.org/contribute/"><em>Contribute</em></a> page on our website.
You can also get in touch with us via:</p> <ul> <li> <p>IRC: <code class="language-plaintext highlighter-rouge">#reproducible-builds</code> on <code class="language-plaintext highlighter-rouge">irc.oftc.net</code>.</p> </li> <li> <p>Mastodon: <a href="https://fosstodon.org/@reproducible_builds">@reproducible_builds@fosstodon.org</a></p> </li> <li> <p>Mailing list: <a href="https://lists.reproducible-builds.org/listinfo/rb-general"><code class="language-plaintext highlighter-rouge">rb-general@lists.reproducible-builds.org</code></a></p> </li> <li> <p>Twitter: <a href="https://twitter.com/ReproBuilds">@ReproBuilds</a></p> </li> </ul> </div> <br> <br> <hr> <p>← <a href="/reports/">View all our monthly reports</a></p> </main> </div> <div class="row footer mb-5 mx-4"> <div class="col-lg-3 px-lg-5 col-md-12 d-none d-sm-block"> <p class="text-muted small"> We are proud to be <a href="/sponsors/">sponsored by</a> </p> <div class="d-flex justify-content-between align-items-center flex-row flex-lg-column flex-xl-row"> <a href="https://www.opentech.fund/" name="Open Technology Fund"> <img class="pt-lg-2" src="/assets/images/sponsors/opentechfund.svg" height="auto" width="100" alt="Open Technology Fund"/> </a> <a href="https://sovereigntechfund.de/" name="Sovereign Tech Found"> <img class="pt-lg-2" src="/assets/images/sponsors/STF-black.svg" height="auto" width="100" alt="Sovereign Tech Fund"/> </a> </div> </div> <div class="col-lg-6 col-md-12 py-3 py-lg-0"> <span class="text-muted small d-none d-sm-inline align-bottom"> Follow us on Twitter <a href="https://twitter.com/ReproBuilds">@ReproBuilds</a>, Mastodon <a href="https://fosstodon.org/@reproducible_builds">@reproducible_builds@fosstodon.org</a> & <a href="https://reddit.com/r/reproduciblebuilds">Reddit</a> and please consider <a href="/sponsor/">making a donation</a>.
• Content licensed under <a href="https://creativecommons.org/licenses/by-sa/4.0/" class="rb-link" target="_blank">CC BY-SA 4.0</a>, style licensed under <a href="https://opensource.org/licenses/MIT" class="rb-link" title="MIT" target="_blank">MIT</a>. Templates and styles based on the <a href="https://styleguide.torproject.org/" target="_blank">Tor Styleguide</a>. Logos and trademarks belong to their respective owners. • Patches for this website welcome <a href="https://salsa.debian.org/reproducible-builds/reproducible-website">via our Git repository</a> (<a href="/contribute/salsa/">instructions</a>) or via <a href="https://lists.reproducible-builds.org/listinfo/rb-general">our mailing list</a>. • <a href="/who/">Full contact info</a> </span> </div> <div class="col-lg-3 px-lg-5 col-md-12 d-flex justify-content-between align-items-center flex-row flex-lg-column flex-xl-row"> <a href="https://sfconservancy.org"> <img src="/assets/images/footer/conservancy.png" height="45" width="auto" alt="software freedom conservancy"/> </a> <a href="/"> <img src="/images/logos/rb.svg" height="45" width="auto" alt="Reproducible Builds"/> </a> </div> </div> <script src="/assets/javascript/jquery-3.3.1.slim.min.js"></script> <script src="/assets/javascript/bootstrap.min.js"></script> <script type="text/javascript" src="/assets/javascript/index.js"></script> </body> </html>