Free software activities in December 2018

  • 31 December, 2018

Here is my monthly update covering what I have been doing in the free software world during December 2018 (previous month):

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws almost all software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month I:

I also made the following changes to our tooling:


diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

  • Compare .zip file comments with zipnote(1). (#901757)
  • Fix a test_mozzip_compressed_files failure under Alpine Linux. (#916353)
  • Use file_header to simplify magic detection and version parsing. [...][...][...]
  • Calculate the path to test .icc file to avoid a error with new versions of Pytest. (#916226)
  • Drop old debbindiff Breaks/Replaces. [...]
  • Correct a "positives" typo. [...]


strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.

  • Remove javaproperties handler after Emmanuel Bourg's patch was shipped in OpenJDK 11. (#914289)
  • Drop .ar handler; binutils output should now be reproducible. (#781262, #843811)
  • Ignore encrypted .zip files; we can never normalise them. (#852207)


Patches contributed

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.


  • redis:

    • 5:5.0.3-1 — New upstream release.
    • 5:5.0.3-2 — Pass --no-as-needed to ensure linking to the Lua libraries on systems where this the default. (#916831)
  • python-django:

    • 1.11.16-4 — Cherry-pick two patches from upstream to fix test failures under Python 3.7. (#891753)
    • 1.11.17-1 — New upstream bugfix release.
    • 2.1.4-1 — New upstream release.
    • 1.11.17-2 & 2.1.4-2 — Apply patch from upstream to fix compatibility with SQLite 3.26. (#915626)
  • libfiu (0.98-1) — New upstream release.

  • python-hiredis (0.3.0-1 & 0.3.1-1) — New upstream releases.

  • python-redis (3.0.1-2 & 3.0.1-3) — Mark a number of failing autopkgtests as XFAIL.

  • lastpass-cli (1.3.1-6) — Add missing pkg-config to Build-Depends. (#916268)

  • creoleparser (0.7.4-2) & django-pagination (1.0.7-2) — Completely overhaul packaging.

  • adminer (4.7.0-2) — Additionally depend on the php-fpm virtual package. (#906692)

Debian bugs filed

  • ITS (Intent to Salvage): mtools. (#916127)

  • busybox: "Too many levels of symbolic links". (#915830)

  • dpkg-mergechangelogs: Strips vim modelines. (#916056)

  • fonts-roboto: Please ship .woff files (eg. Roboto-Light-webfont.woff). (#915360)

  • Lintian test jobs have not run since November. (#917119)

  • Please add a Homepage field. (#917233)

  • python-envs: Please replace Homepage: reference. (#917230)

  • usrmerge: Please handle aborted conversions more gracefully. (#917226)

I also filed bugs against packages that use vendor-specific patch series files for deluge, fail2ban, filezilla, hexchat, libfreenect, libxfce4util, liferea, mate-power-manager, mate-terminal, mixxx, numix-gtk-theme, packagekit, smuxi, xchat & xfce4-smartbookmark-plugin.

FTP Team

As a Debian FTP assistant I ACCEPTed 141 packages: ansible, bambootracker, birdtray, bitlbee-mastodon, blis, capnproto, centreon-broker, chargebee-python, chargebee2-python, dar, darknet, dask-sphinx-theme, dav4tbsync, davs2, displaycal, django-anymail, dsmidiwifi, eas4tbsync, emerald, emerald-themes, erlang-horse, fusion-icon, ghostwriter, gitlab, go-cpe-dictionary, go-exploitdb, golang-1.12, golang-github-datadog-zstd, golang-github-justinas-alice, golang-github-namsral-flag, google-compute-image-packages, grim, grpc, haskell-gi-atk, haskell-gi-cairo, haskell-gi-dbusmenu, haskell-gi-dbusmenugtk3, haskell-gi-gdk, haskell-gi-gdkpixbuf, haskell-gi-gdkx11, haskell-gi-gio, haskell-gi-glib, haskell-gi-gobject, haskell-gi-gtk, haskell-gi-gtk-hs, haskell-gi-pango, haskell-gi-vte, haskell-gi-xlib, haskell-gtk-sni-tray, haskell-gtk-strut, haskell-status-notifier-item, haskell-system-posix-redirect, haskell-termonad, haskell-xml-html-qq, i3pystatus, jaxb, lablgtk3, libcloudflare-client-perl, libconfig-model-backend-yaml-perl, libcpan-common-index-perl, libhostfile-manager-perl, libhttp-tinyish-perl, libjs-jquery-center, libjs-jquery-markitup, libmenlo-legacy-perl, libmenlo-perl, libmoox-locale-passthrough-perl, libnewlib-nano, libnss-unknown, liborcus, libparse-binary-perl, librtr, libsearch-elasticsearch-client-1-0-perl, libsearch-elasticsearch-client-2-0-perl, libtie-handle-offset-perl, libzstd, lvm2, matplotlib2, med-fichier, meep, meep-lam4, meep-mpi-default, meep-mpich2, meep-openmpi, mir-core, mle, movim,, node-lunr, node-ramda, node-react-audio-player, nodejs, oakleaf, olive, openrazer, puppet-module-heini-wait-for, puppet-module-octavia, puppet-module-voxpupuli-ssh-keygen, pylibtiff, pymilter, pyspectral, python-cytoolz, python-dpkt, python-envs, python-flask-cors, python-geotiepoints, python-glad, python-hgapi, python-ifaddr, python-internetarchive, python-markdown2, python-msgpack-numpy, python-netdisco, python-pipx, python-project-generator, python-project-generator-definitions, python-pywebview, python-sparkpost, python-sshoot, python-thinc, python-tornado4, pytroll-schedule, rcm, redberry-pipe, ruby-kitchen-salt, ruby-vcr, rust-crossbeam-channel, rust-crossbeam-utils-0.5, rust-ena, rust-hyphenation, slurp, theme-d-gnome, ticcutils, trollimage, trollsift, ulfius, vim-puppet, vland, voluptuous-serialize, vulkan-tools & xavs2.

I additionally filed 11 RC bugs against packages that had potentially-incomplete debian/copyright files against centreon-broker, dav4tbsync, eas4tbsync, emerald, i3pystatus, lvm2, olive, python-pywebview, ruby-kitchen-salt, rust-crossbeam-channel & trollsift.