18:00:03 #startmeeting 18:00:03 Meeting started Tue Jan 3 18:00:03 2017 UTC. The chair is lamby. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:03 Useful Commands: #action #agreed #help #info #idea #link #topic. 18:00:08 Evening all. 18:00:15 Hello! 18:00:21 hello 18:00:22 #topic Introductions 18:00:34 So, who's about? :) 18:00:38 * emaste_ waves from FreeBSD-landia 18:00:46 * vagrantc waves 18:00:51 Hi bmwiedemann 18:00:51 * brett is here. 18:01:04 Hey vagrantc, brett, emaste_ 18:01:11 * bmwiedemann waved the openSUSE flag 18:01:34 Good grief, the Debian folks might finally be outnumbered… 18:01:51 Hello. 18:01:58 Heh. That's probably a good thing! 18:02:01 Indeed. 18:02:02 lamby: Good problems to have. :) 18:02:11 * StevenC99 waves 18:02:23 (FYI I'm on a train; so if I cut out for a long time, that's probably why & continue without me) 18:02:29 Hey siamezzze & StevenC99 18:02:45 We'll give it a couple more minutes then we'll crack on. 18:03:05 The agenda is here: https://pad.riseup.net/p/reproducible-irc-meeting-6 18:04:21 lamby: should someone else presumably work meetbot, then? 18:04:36 * vagrantc forgets if multiple people can control it 18:06:20 hello 18:06:48 if people can be sure to put there name next to proposed agenda items, that would help ensure we have a point-person to talk to to drive the conversation 18:08:10 ... is lamby here ? 18:08:14 vagrantc: I'll keep it for now. 18:08:22 Hi danielsh 18:08:24 Let's go. 18:08:29 evening 18:08:43 #topic What's the right procedure to submit non-bug improvements to diffoscope? (brett) 18:08:47 brett: ^ gogo 18:08:55 Sure. 18:09:01 * dkg waves 18:09:23 So I've gotten some bugfixes into diffoscope by sending patches to the bugs but when I'm doing more subjective stuff I'm not sure what the right process is. 18:09:36 There are currently two ways; either by emailing the diffoscope mailing list (yes, there is one), or by creating bugs in Debian. 18:09:39 "Subjective2 18:09:45 * "Subjective" ? 18:09:57 Recently I was reading the --help output and got a little confused by it, so I used the source and then tweaked it to my taste, but admittedly it's subjective. 18:10:17 Since it's mostly editing English rather than code. :) 18:10:26 English bugs are still bugs. :) 18:10:47 can still improve the user experience - similar to a good UI 18:10:51 The "best" thing would just be to file a bug against the Debian package. Very very unlikely to get lost there. 18:11:07 It's also multiple commits (two! so technically). Patches still work but I wasn't sure if that's how people want to review them. 18:11:14 a bug can always be closed if it's deemed invalid or whatever. 18:11:17 On the BTS is fine. 18:11:28 Sure, that works for me, will do. Thanks. 18:11:32 brett, I would do 'git format-patch' and attach the two resulting files to a bug. 18:11:36 It's a meta-problem that you are not aware and/or were blocked on this. Perhaps we should add something to the --help - anyone want to take that 18:11:49 Sure, I can add that to the branch. :) 18:11:54 thanks 18:12:14 #action brett to add "reporting bugs" (or similar…) to --help output of diffoscope 18:12:22 #topic jenkins.debian.org psuedopackage 18:12:37 So, we have a new pseudopackage in the BTS for reporting issues against the testing framework. 18:13:10 So, if you want something added/fixed on tests.reproducible-builds.org, you can/should file it against the "jenkins.debian.org" package in the Debian BTS. 18:13:20 thanks to mapreri for pushing this! 18:13:53 woo, nice! 18:14:13 (More of an announcement really) 18:14:14 ... that should be said somewhere on t.r-b.o, too. 18:14:23 danielsh: good idea. fancy taking an action item to add that? 18:14:50 lamby, already looking at it... the footer points to jenkins-dev@ 18:14:56 if action is needed sure, at me 18:14:57 cool thanks 18:15:01 #action danielsh to mention on t.r-b.o how to file bugs using the new pseudopackage (in the footer…?) 18:15:36 #topic CI guidelines for setting reproducibility workarounds (e.g. S_D_E) (emaste) 18:15:40 emaste_: ^ gogo 18:16:03 For ongoing CI we want to build the latest out of some VCS, and there might not be a convenient date to use as input to a build. 18:16:09 I wonder where folks feel the line is between things that may be set in the CI infrastructure itself to achieve reproducibility, vs being an integral part of the project under test. 18:16:15 I'll use FreeBSD as an example here although the idea/question applies generally. 18:16:18 Almost all of the binaries in the FreeBSD base system now build reproducibly, but their timestamps in the resulting packages are not reproducible. 18:16:22 For release builds we may have a conveinent release date that can be used as a SOURCE_DATE_EPOCH for the build. 18:16:25 For ongoing CI is it reasonable to set SOURCE_DATE_EPOCH in the CI environment? 18:17:05 is there a VCS commit you could use the date of? 18:17:13 ("For release builds" → You use the release date?) 18:17:17 emaste_: some people always set SOURCE_DATE_EPOCH=1 because they dont care 18:17:55 vagrantc: Debian's Jenkins building FreeBSD fetches the source from git and could pick up the date of the last commit there 18:18:03 if you set S_D_E you ought to state somewhere the value used 18:18:16 (I would say it was fine as a final fallback, but you surely have *some* kind of date somewhere…? Like in Git as mentioned.) 18:18:18 ... so that others can reproduce it 18:18:26 lamby: we don't yet have a release that's using the packaged base 18:19:05 okay 18:19:11 does the buildinfo capture SOURCE_DATE_EPOCH? 18:19:16 so it's "will use the release date" 18:19:49 vagrantc: yes as part of the env 18:20:08 sorry - do FreeBSD builds generate a buildinfo...? 18:20:19 vagrantc: in FreeBSD now we haven't used buildinfo because it is implicitly provided by the build infrastructure (FreeBSD base system and ports svn rev captures the toolchain, all dependencies, etc.) 18:20:31 StevenC99: If not, at least just echo it during build… :) 18:21:06 I feel that some kind of buildinfo should explain what value was used for S_D_E 18:21:14 sure 18:21:27 even if that's the only thing you put in the buildinfo right now 18:21:33 you could construct a .buildinfo oujt of the freebsd logs or something as a big hack 18:21:46 I'll bring up specifics on the mailing list, but it's more of a philosophical question: how much should CI report on waht is reproducible out of the box, vs what can be reproduced (with the appropriate buildinfo, etc.) 18:21:54 nod nod 18:22:01 h01ger, j.d.n [PATCH] 6d703e05b0b6 thanks :) 18:22:03 Good idea to take specifics to the list; lets do that. 18:22:32 #topic is there a proper download URL for strip-nondeterminism tar? (bmwiedemann) 18:22:35 emaste_, you should include svn branch in the buildinfo too, no? 18:22:49 emaste_: for comparison the proposed rpm-buildinfo generator https://ftp.qubes-os.org/~woju/rb/rpmbuildinfo 18:22:50 danielsh: thanks, deploying 18:22:50 danielsh: yes 18:23:13 bmwiedemann: thank you 18:23:32 for strip-nondeterminism, I found that it is nice to have a proper download url where the tarball does not vanish once the next version arrives 18:24:17 is there such a thing? 18:24:20 you could probably use snapshot.debian.org, presuming there's no other "upstream" 18:24:53 would also be nice to make a proper upstream, even if it is re-using the debian bugtracker and MLs 18:25:43 somewhat similar to the earlier diffoscope question. 18:26:08 could just use a proxy-redirector that uses snapshot.debian.org as a backend... 18:26:12 bmwiedemann: Canonically, the tarball is in git via pristine-tar. 18:26:16 cgit doesn't seem to have a tarball/zip link ? 18:26:18 oooh. 18:26:45 This seems like a specific pain point of the more general problem of generic tools being a bit too "Debian". 18:27:06 pristine-tar still doesn't seem to have a "download .tar" link anywhere 18:27:13 danielsh: "git archive --format=tar --prefix=${pkgname}-${upstreamversion} | gzip -9n" 18:27:31 in general, if you want people to use your tools, make it easy to find, get, patch, build, contribute etc 18:27:32 dkg, Sure. But that's still not a link :) 18:27:46 bmwiedemann: Oh, I completely understand that :3 18:27:50 dkg: does that build reproducibly? 18:27:58 vagrantc: it appears to 18:28:05 So long as you use the same gzip version 18:28:08 i don't know whether git upstream has committed to that being reproducible 18:28:13 (we've had problems in the past with bzip2 differing across vendors) 18:28:28 Can we leave the git-archive specifics for the mailing list or similar? :) 18:28:35 sure sure, sorry! 18:29:00 bmwiedemann: As a stop-gap, would publishing the tarballs in some HTTP directory be okay for you? 18:29:15 If so, I'll do that and adjust all release docs. 18:29:21 would be nice, if it was some future-proof URL 18:29:29 ack 18:29:53 #action lamby to publish generic tools somewhere (future-proof URL) and to update release docs 18:29:59 also, where is that git repo? 18:30:13 https://anonscm.debian.org/git/reproducible/strip-nondeterminism.git 18:30:25 cool. thanks. 18:30:31 #topic upstreaming reproducibility fixes (e.g. avfs done by bmwiedemann) 18:31:22 I have been re-building our 8000 openSUSE packages once again and found packages like avfs that have S_D_E patched on debian, but not upstream, so I upstreamed the debian patch 18:31:32 and wondered why nobody had done that before 18:31:39 * vagrantc cheers on bmwiedemann 18:32:20 Basically, because we are writing a *lot* of pathces. :/ 18:32:20 it might be as simple as someone having not done it 18:32:26 sometimes we were a bit lazy with upstreaming S_D_E patches, or upstream were slow at accepting them, or various other reasons https://wiki.debian.org/ReproducibleBuilds/TimestampsProposal#Reading_the_variable 18:32:27 I'm upstreaming them more and more these days. 18:32:52 one reason might be that the upstream was not exactly easy to find a communication channel. 18:33:09 do we have a sensible way to track outstanding upstreamable Debian patches? 18:33:10 might scale better, if we ask package maintainers to upstream patches? 18:33:57 in the past, we removed entries in notes.git when it was fixed in debian ... maybe we should wait till it's fixed upstream? 18:34:40 vagrantc: or at least change the note to fixed-in-debian and only remove when upstream took the patch 18:34:41 in a similar vein, moving notes.git into the multi-distro format? 18:35:29 I assume all of the above applies to non-reproducibility debian package patches, too 18:35:48 the debian qa guys may have (at least partly) solved this problem... ? 18:36:04 btw: this is often quite helpful: https://anonscm.debian.org/git/reproducible/notes.git/tree/packages.yml 18:36:19 Maintainers should be sending patches upstream, yes. And avfs is likely just one example of … 500-600 packages in the same situation, alas. 18:37:19 Does anyone have any concrete suggestions right now beyond "lets just upstream them whenever possible" ? 18:37:39 "ask debian-qa if they have tooling to solve this which we can piggyback on" 18:37:46 inevitably, maintains aren't going to submit all patches upstream all of the time, so if we want to push reproducible-builds... we might have to come up with that ourselves 18:37:50 lamby: tracking in notes patches in debian vs patches upstream 18:37:57 (track patches without "Forwarded: yes" DEP-3 metadata, by age, and so forth) 18:38:08 danielsh: Fancy looking into that? 18:38:23 lamby, would rather not shepherd this one, sorry 18:38:42 No worries 18:39:25 #idea < danielsh> (track patches without "Forwarded: yes" DEP-3 metadata, by age, and so forth) 18:39:37 (so we don't lose it) 18:39:46 (DEP-3 is a distro-agnostic patch metadata format: http://dep.debian.net/deps/dep3/) 18:40:34 The "D" /totally/ stands for "distro-agnostic" … :) 18:40:47 #link http://dep.debian.net/deps/dep3/ 18:40:49 :) 18:41:09 a Anything else on this? I feel it's somewhat of "lets try and be 'good' more" when writing patches. 18:41:11 and don't let the description of DEP-3 fool you... 18:41:24 #topic Any other business? 18:41:44 you skipped one topic 18:41:50 That topic is slightly related to the previous one. I found a package (forgot which one) that used a custom env var to override build date and debian build scripts were using S_D_E to set that, but openSUSE like everyone else would need to duplicate this. So I wondered if we should try to convert these to S_D_E upstream 18:42:17 Yes, definitely. 18:42:21 More upstream the better. 18:42:28 :) 18:42:49 RWS2 reimbursement instructions; h01ger: ping? 18:42:49 so we try to make S_D_E the one and only way to override build date 18:42:50 bmwiedemann: as in a package has some sort of "OVERRIDE_THE_DATE" existing env var? 18:42:52 If the package uses S_D_E I assume whoever wrote it that way had a reason 18:42:58 emaste_: yes 18:43:03 (because upstream declined S_D_E, or had a precedent for a different name, whatever) 18:43:43 then ideally we at least can convince them to support compatibility with S_D_E as well ? 18:43:50 danielsh: maybe it was done before S_D_E was standardized? 18:43:55 I think it is worth suggesting upstream adopt S_D_E, perhaps as a fallback if the existing/primary one is not set 18:44:28 I think we're all in agreement. 18:44:34 Upstream should be asked to use S_D_E if they haven't already been asked to. 18:44:59 and if they're stubborn and refuse ... do we need to track it somewhere cross-distro? 18:45:06 asking again doesnt hurt to suggest there are more people interested in it ;-) 18:45:12 or do we just assume we will eventually wear them down? 18:45:39 indeed 18:45:40 vagrantc: at least have a hint in notes 18:45:44 agreed 18:46:02 Hint what, exactly? That it should be patched upstream…? 18:46:26 that currently there is a custom-date-override needed in debian 18:46:37 if upstream refused the patch to support S_D_E, we should keep track of that, so we know previous attempts to upstream it? 18:46:42 might as well start a distropatches.org for sharing all kinds of distro patches, not just S_D_E :) 18:46:50 true 18:47:05 same for dead upstreams 18:47:07 interesting idea 18:47:41 e.g. django rejected my backports to EOL branches, which prevents re-use by others. 18:47:45 it's certainly been discussed before... 18:48:03 it kind of comes down to who will set up the service? 18:48:43 I guess, much of the time a github org / repo could already do the trick 18:48:50 +1 18:49:09 create a repository, decide on a mapping between short names and upstream project names, wait for pull requests 18:49:11 or fork the existing upstream github project 18:49:24 StevenC99: under a single organization? 18:49:30 So "easy" :) 18:49:34 github.com/patches <- is it taken? :) 18:49:56 github.com/distropatches is free 18:49:57 joined apr 27 2010 18:50:00 vagrantc: if it's possible, I don't know 18:50:08 * vagrantc suspects so 18:50:28 that could/would cover a lot of projects... 18:50:30 Okay all, as chair I'm going to end the meeting here as we're off on a different (but interesting and v. useful concept!)… and I must leave. 18:50:37 the danger is someone starts using it as upstream :) 18:50:41 AoB? 18:50:45 Thanks all for being here o/ 18:50:51 * vagrantc thanks lamby 18:51:14 lamby, One more thing before adjournment - 18:51:21 go ahead 18:51:27 next meeting it would be great if agenda topics were added more time ahead of the meeting 18:51:31 FIN 18:51:32 :) 18:51:35 yes. 18:52:01 #idea github organisation to collate r-b patches against github-hosted upstreams 18:52:03 that would need the URL published earlier ;-) 18:52:13 meetbot tracks all URLs 18:52:13 danielsh: Error: "tracks" is not a valid command. 18:52:21 meetbot parses too leniently 18:52:21 danielsh: Error: "parses" is not a valid command. 18:52:28 Mm, yes, please add them earlier everyone. :) 18:52:41 * emaste_ guilty, will try next time :) 18:52:50 #endmeeting