Here’s what happened in the Reproducible Builds effort between Sunday November 4 and Saturday November 10 2018:

We are excited to announce that the Reproducible Builds project has joined the Software Freedom Conservancy! Conservancy is a not-for-profit organisation that helps promote, develop and defend free software projects. We can now take directed donations, and Conservancy can also provide us with basic legal services. The Reproducible Builds project is delighted and honoured to be associated with Conservancy’s outreach work and other work of the project and looks forward to a long and mutually beneficial relationship.

The month-long session in which students from the Application Security course at New York University catalogued, submitted and merged reproducibility bugs concluded this week. This year, students made 55 tags and issues for Debian and Arch Linux packages and sent 18 pull requests upstream, of which 4 have been merged.

Richard Parkins posted a detailed message to our mailing list on the topic of algorithms used for comparing binary files in a way that makes the result easily consumable by humans. Most binary file comparators just compare bytes and thus do not semantically detect deletions or insertions. This is relevant to our work on diffoscope. He linked to some example code on GitHub.
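
To make the difference concrete, here is an added example (not taken from the mailing list post or the linked GitHub code) that contrasts a position-by-position comparison with an alignment-based one. It uses Python's standard `difflib.SequenceMatcher` as a stand-in alignment algorithm, and the two "build outputs" are constructed sample data.

```python
from difflib import SequenceMatcher

# Constructed sample data: two "build outputs" that are identical except that
# the second embeds a 4-byte timestamp-like field right after the header.
BUILD_A = b"HDR\x00" + bytes(range(32, 96)) + b"END"
BUILD_B = b"HDR\x00" + bytes.fromhex("5be01234") + bytes(range(32, 96)) + b"END"


def positional_diff(a: bytes, b: bytes) -> int:
    """Count differing bytes when comparing offset by offset (cmp-style).

    Bytes past the end of the shorter input are counted as differences.
    """
    common = min(len(a), len(b))
    mismatches = sum(1 for i in range(common) if a[i] != b[i])
    return mismatches + abs(len(a) - len(b))


def aligned_diff(a: bytes, b: bytes) -> list:
    """Align the inputs first, then report only the regions that changed.

    Each entry is (tag, offset_in_a, bytes_from_a, offset_in_b, bytes_from_b),
    where tag is 'insert', 'delete' or 'replace'.
    """
    # autojunk=False: never treat frequent byte values as ignorable noise.
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    return [
        (tag, i1, a[i1:i2], j1, b[j1:j2])
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]


if __name__ == "__main__":
    # One inserted field shifts everything after it, so a positional
    # comparison flags almost the whole file as changed.
    print("positional: %d of %d bytes differ"
          % (positional_diff(BUILD_A, BUILD_B), len(BUILD_B)))
    # The aligned comparison reports the single insertion a human cares about.
    for tag, a_off, a_bytes, b_off, b_bytes in aligned_diff(BUILD_A, BUILD_B):
        print("%s at A+%d / B+%d: -%s +%s"
              % (tag, a_off, b_off, a_bytes.hex(), b_bytes.hex()))
```
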

There was further discussion on Debian bug #869184, which relates to dpkg generating source uploads that include the architecture in the name of the .buildinfo file (e.g. _amd64.buildinfo). This week, Salvatore Bonaccorso reported that the Debian Security Team were hit by this issue again.

On Tuesday 6th November, Chris Lamb hosted a seminar and a lengthy Q&A session at the William Gates Building at the University of Cambridge on reproducible builds as part of the Computer Laboratory NetOS Group.

Simon McVittie kindly provided a patch to our Jenkins-based testing framework that powers tests.reproducible-builds.org to vary whether we apply the “merged /usr” directory scheme between builds. This is where the /{bin,sbin,lib}/ directories are symbolic links to /usr/{bin,sbin,lib}/. It was subsequently merged by Holger Levsen and resulted in some variations in (at least) quilt and systemd.

Agustin Henze announced in a mail to the debian-devel mailing list that the new Debian CI pipeline includes support for testing reproducibility using reprotest. These tests are currently available on-demand and need to be set up individually.

33 Debian package reviews were added, 14 were updated and 33 were removed this week, adding to our knowledge about identified issues. Chris Lamb also updated the dc_created_timestamp_in_javadoc issue and added a new cflags_recorded_in_in_ada_ali_files toolchain issue.