Reproducible builds for Debian and free software
Description of the project: We want to provide Debian users with a verifiable path between the binaries we ship and their source code. With “reproducible builds”, independent parties should be able to create byte-for-byte identical packages from the same source. Reproducible builds are about trust, quality assurance, and having free software live up to its promises. Good progress has been made over the course of the past year, but a good amount of work remains on individual packages, toolchain issues, infrastructure, debugging tools, and documentation.
Confirmed Mentor: Mattia Rizzolo
How to contact the mentor: mattia@debian.org (mapreri on IRC)
Confirmed co-mentors: Holger Levsen (h01ger)
**UN**Confirmed co-mentors: Ximin Luo (infinity0)
Deliverables: There is room for more than one intern; we can probably mentor up to three people, as there are small and bigger tasks to work on. Each of them will have a specific mentor to follow the work:
- Improve test and debugging tools:
  - Improve diffoscope. Examples: allow users to ignore arbitrary differences, perform fuzzy-matching across archives, finish parallel processing.
  - Improve reprotest. Currently it does not work well - it has bugs and the configuration/usage is quite heavy. We'd like it to work much more smoothly, so that it can be used in more situations, including from inside higher-level scripts such as debrepatch.
  - Application tasks: clone the git repository, perform a full build of the program including tests, also in a Debian chroot. Choose a simple bug, work on it and send a patch.
- Improve our test infrastructure:
  - Improve tests.reproducible-builds.org (also some of these bugs): allow more distributions to be tested easily, create web pages for all distros from the same codebase in conjunction with a db, improve the web design and user experience.
  - Application tasks: clone the jenkins.d.n git repository, set up a test infrastructure (ask for help as it's undocumented!), solve one of the issues listed above.
- Improving reproducibility of Debian packages:
  - Analyzing why packages are not reproducible.
  - Fixes for identified issues: both their root cause and easy-to-use work-arounds; we recently identified a new source of randomness (build-path variations) and that will require quite some work on several toolchain packages.
  - Patches for individual Debian packages.
  - Application tasks: set up a Debian packaging development environment, including pbuilder/sbuild for building packages. Try to use reprotest with it. Fix one of the simple unreproducible packages and open a bug with a patch for it.
- Improving Debian infrastructure:
  - Implement support for .buildinfo files in dak.
- Help collaboration across distributions:
  - Design and implement a shared database for package status and common issues.
Desirable skills: We are a diverse team, ready to help with knowledge in many different areas. The following list of skills is both incomplete and too long, but anyway, useful skills are:
- To improve Debian packages: basic understanding of how packages are made, a thrill for investigations, a taste for fun hacks.
- Python for diffoscope.
- Perl for strip-nondeterminism.
- Shell and Python for tests.reproducible-builds.org.
- Web design to enhance tests.reproducible-builds.org.
- Basic web editing (Markdown, HTML) for documentation.
What the intern will learn:
- A lot about the many different ways software can be built.
- How to make build systems reproducible.
- Many details (that you might regret learning) about how our plumbing tools work.
- How to interact with other Debian developers and research suitable solutions with them.
- How to design easy-to-use development tools.
Related urls: