Free software activities in June 2019

  • 30 June, 2019

Here is my monthly update covering what I have been doing in the free software world during June 2019 (previous month):

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom. Conservancy acts as a corporate umbrella, allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.

This month:

I then spent significant time working on, my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them. This included:

  • Started making the move to Python 3.x (and Django 2.x) [...][...][...][...][...][...][...], additionally performing a large number of adjacent cleanups including dropping the authentication framework [...], fixing a number of flake8 warnings [...], adding a setup.cfg to silence some warnings [...], moving to __str__ and str.format(...) over %-style interpolation and u"unicode" strings [...], etc.

  • I also added a number of (as-yet unreleased…) features, including caching the expensive landing page queries. [...]

  • Took the opportunity to start migrating the hosting from its current GitHub home to a more-centralised repository on, moving from the Travis to the GitLab continuous integration platform, updating the URL to the source in the footer [...] and many other related changes [...].

  • Applied the Black "uncompromising code formatter" to the codebase. [...]

I also made the following changes to our tooling:

  • strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build. This month, I added support for the clamping of tIME chunks in .png files. [...]

  • In diffoscope (our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues) I documented that run_diffoscope should not be considered a stable API [...] and adjusted the configuration to build our Docker image from the current Git checkout, not the Debian archive [...]
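
The clamping of tIME chunks mentioned above, shown as an added Python example (not code from strip-nondeterminism or from this post): any embedded PNG modification time later than a reference timestamp is rewritten to that timestamp, so two builds made at different times yield identical bytes. Using a SOURCE_DATE_EPOCH-style value as the reference is an assumption here, and the function names and the sample image are constructed for illustration.

```python
import struct
import zlib
from datetime import datetime, timezone

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TIME_FMT = ">HBBBBB"  # tIME payload: year, month, day, hour, minute, second (UTC)

def chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png):
    """Yield (type, data) for each chunk, rejecting truncated input."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(png):
        if pos + 12 > len(png):
            raise ValueError("truncated chunk")
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        if pos + 12 + length > len(png):
            raise ValueError("truncated chunk")
        yield png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        pos += 12 + length

def clamp_png_time(png, reference_epoch):
    """Rewrite a tIME chunk later than reference_epoch to reference_epoch."""
    limit = datetime.fromtimestamp(reference_epoch, tz=timezone.utc)
    out = [PNG_SIGNATURE]
    for ctype, data in iter_chunks(png):
        if ctype == b"tIME" and len(data) == 7:
            y, mo, d, h, mi, s = struct.unpack(TIME_FMT, data)
            # PNG allows second == 60 (leap second); datetime does not.
            stamp = datetime(y, mo, d, h, mi, min(s, 59), tzinfo=timezone.utc)
            if stamp > limit:
                data = struct.pack(TIME_FMT, *limit.timetuple()[:6])
        out.append(chunk(ctype, data))  # CRCs are recomputed on the way out
    return b"".join(out)

def png_time(png):
    """Return the tIME chunk as a 6-tuple, or None if there is none."""
    for ctype, data in iter_chunks(png):
        if ctype == b"tIME":
            return struct.unpack(TIME_FMT, data)
    return None

def sample_png(when):
    """Constructed 1x1 greyscale PNG whose tIME chunk is the 6-tuple `when`."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"tIME", struct.pack(TIME_FMT, *when))
            + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))
```

Timestamps at or before the reference are left alone, which is what distinguishes clamping from unconditionally overwriting the field.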

Finally, I spent a significant amount of time working on our website this month, including:

  • Move the remaining site to the newer website design. This was a long-outstanding task (#2) and required a huge number of changes, including moving all the event and documentation pages to the new design [...] and migrating/merging the old _layouts/page.html into the new design [...] too. This could then allow for many cleanups including moving/deleting files into cleaner directories, dropping a bunch of example layouts [...] and dropping the old "home" layout. [...]

  • Adding reports to the homepage. (#16)

  • I also took the opportunity to re-order and merge various top-level sections of the site to make the page easier to parse/navigate [...][...] and I updated the documentation for SOURCE_DATE_EPOCH to clarify that the alternative -r call to date(1) is for compatibility with BSD variants of UNIX [...].

  • Made a large number of visual fixups, particularly to accommodate the principles of responsive web design. [...][...][...][...][...]

  • Updated the lint functionality of the build system to check for URIs that are not using {{ "/foo/" | prepend: site.baseurl }}-style relative URLs. [...]



Even more hacking on the Lintian static analysis tool for Debian packages, including the following new features:

  • Warn about files referencing /usr/bin/foo if the binary is actually installed under /usr/sbin/foo. (#930702)
  • Support --suppress-tags-from-file in the configuration file. (#930700)

… and the following bug fixes:

Debian LTS

This month I have worked 17 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.