:Author: Holger Levsen
:Authorinitials: holger
:lang: en
:Doctype: article
== About is a tool for automated quality monitoring of Debian. It is *work in progress* despite being in existence since October 15th 2012.
Get the source by running `git clone git://`. It's all in there, no (relevant) manual setup has been done besides what's in this git repository. (The irrelevant bits are some very simple configuration files containing passwords.)
The (virtualized) hardware is sponsored since October 2012 by - currently it's using more than hundred cores and almost 300 GB memory, thanks a lot!
Some stats are available using link:[munin-plugins for jenkins].
Three persons have shell access (incl. root) to the machine:[Holger Levsen],[Helmut Grohne] and[Mattia Rizzolo]. All of them have also access to the web intereface, where tasks like stopping and scheduling job runs can be done, also they have the rights to edit the jenkins scripts (i.e. what jenkins executes) directly, though this is limited to cases like firefighting (IOW deploying changes via the git repository are the norm). The deploying of changes is still limited to people with root powers. is a QA resource for the whole Debian project. Please contact us (via #debian-qa on IRC or via the debian-qa mailinglist) If you / your project is interested to run tests in this setup!
If you notice some jobs has problems and you want to find out why, read <<debug,debug certain jobs>> to learn how to do debug jobs locally.
== Notifications
There are two types of notifications being used: email and IRC. At the end of each builds console log it says to where notifications have been sent. An address of the form 'jenkins-foo' means an IRC notification has been sent to the #foo IRC channel.

All job result notifications should be sent to and optionally to other recipients as well.
== Jobs being run
There are over 1600 jobs being run currently. If you can think of ways to improve the usefulness of certain jobs, please do give feedback!
These jobs are deprecated, in future we will use instead.
Installation tests with g-i, the graphical version of d-i, the debian-installer.
* 'g-i-installation_debian_sid_daily-rescue'
** boot of rescue system with daily build sid image
* 'g-i-installation_debian_sid_daily-lxde' and '-xfce' and '-kfreebsd' and '-hurd'
** sid installation of Xfce/LXDE desktop with daily build sid image
* 'g-i-installation_debian_jessie_lxde','-xfce','-kde' and '-gnome' and '-kfreebsd'
** jessie installation of Xfce/LXDE/KDE desktop and kfreebsd install with weekly build jessie image
* 'g-i-installation_debian_wheezy_lxde','-xfce','-kde' and '-gnome' and '-kfreebsd'
** wheezy installation of Xfce/LXDE/KDE desktop and kfreebsd install with wheezy release image
=== debian-installer jobs
** there is one job for each git repo referred to in
** each job pdebuilds the master branch of its git repo on every git push in a sid environment. (If the architecture(s) specified in debian/control are not amd64,all or any the build exits cleanly.)
** while these jobs are triggered on commits, the SCM is only polled every 6min to see if there are new commits.
** builds the full installation-guide package with pdebuild in sid on every commit to svn:// matching suitable patterns.
** while this job is triggered on commits, the SCM is only polled every 15min to see if there are new commits.
** builds a language (on jessie) on every commit of svn/trunk/manual/$LANG with `make languages=$LANG architectures=amd64 formats=html`.
** while these jobs are triggered on commits, the SCM is only polled every 15min to see if there are new commits.
* 'd_i_parse_build_logs' - parses logs from daily, to give them a bit more exposure.
=== chroot-installation jobs
Installation tests inside chroot environments.
* 'chroot-installation_maintenance_$distro':
** make sure chroots have been cleaned up properly
** runs daily at 05:00 UTC and triggers the $distro specific bootstrap job on success
** wheezy is only triggered on the 4th day and 18th of each month (as it was released on the 4th)
* $distro-bootstrap jobs:
** just `debootstrap $distro` (install a base Debian distribution $distro)
** there is one job for *sid*, one for *wheezy* and one for *jessie*: 'chroot-installation_sid_bootstrap', 'chroot-installation_wheezy_bootstrap' and 'chroot-installation_jessie_bootstrap'
** on successful run of the bootstrap job, six $distro-install(+upgrade) jobs are triggered.
* $distro-install jobs (and $distro-install+upgrade jobs):
** `debootstrap $distro`, install a *$set_of_packages* (and upgrade to *$2nd_distro*)
** these $set_of_packages exist: 'gnome', 'kde', 'kde-full', 'lxde', 'lxqt', 'xfc', 'full_desktop' (all six desktops plus `vlc evince iceweasel chromium cups build-essential devscripts wine texlive-full asciidoc vim emacs` and (`libreoffice virt-manager mplayer` (stretch/sid) and 'develop'
*** install is done with `apt-get install`, except for 'develop' where `apt-get build-dep` is used to install the build dependencies of these packages.
** Then there are also all the corresponding upgrade jobs, eg 'chroot-installation_wheezy_install_gnome_upgrade_to_jessie'
=== Debian Edu related jobs
* All Debian Edu related jobs can be seen at these two URLs:
** about Debian Edu Jessie
** about Debian Edu Wheezy
* Then there are three types of jobs:
*** tests installation of a profile with preseeding in the graphical installer,
*** screenshots and logs are preserved and a movie created,
*** testing clients against the main-server is planned too, for some time...
** 'chroot-installation_$(distro)_install_$(education-metapackage)':
*** tests apt installation of a metapackage in a specific distro.
** builds one of the six debian-edu packages ('debian-edu', 'debian-edu-config', 'debian-edu-install', 'debian-edu-doc', 'debian-edu-artwork', 'debian-edu-archive-keyring' on every push to it's git master branch
** and whenever 'debian-edu-doc' is build, get's updated automatically afterwards too.
=== related jobs
* There are jobs for lintian and for piuparts:
** they simply run a build and/or the tests of the master branch of their git repository on every commit against sid. If that succeeds, the same source will be built on stretch, then on jessie and - in the lintian case only - also for wheezy.
* There are also jobs related to link:[UDD]:
** they check for multiarch version screws in various suites or issues with orphaned packages without the correct the relevant bug.
*** the UDD schema is available at
* Last but not least, dpkg related jobs:
** they tests for trigger cycles using data from the archive and
* See for more information about those jobs.
* See for more information about these jobs.
* See to learn more about "Reproducible Builds" in Debian and beyond.
* Several jobs are being used to assemble the website which is actually a collection of static html and log files (and very few images) being served from this host. Besides the logfiles data is stored in a database which can be downloaded from (That copy is updated daily.)
* The (current) purpose of is to show the potential of reproducible builds for Debian - and six other projects currently. This is research, showing what could (and should) be done... check for the real status of the project for Debian!
* For Debian, four suites, 'stretch', 'buster', 'unstable' and 'experimental', are tested on four architectures: 'amd64', 'i386', 'arm64' and 'armhf'. The tests are done using 'pbuilder' through several concurrent workers: 40 for 'amd64', 24 for 'i386', 32 for 'arm64' and 52 for 'armhf', which are each constantly testing packages and saving the results of these tests. There's a single link:[systemd service] starting all of these link:[workers] which in turn launch the actual link:[build script]. (So the actual builds and tests are happening outside the jenkins service.)
** To shutdown all the workers use: `sudo systemctl stop reproducible_build@startup.service ; /srv/jenkins/bin/`
** To start all the workers use: `sudo systemctl start reproducible_build@startup.service`

* These builds on remote nodes run on very different hardware:
** for 'amd64' we are using four virtual machines, profitbricks-build(1+5+11+15)-amd64, which have 15 or 16 cores and 48gb ram each. These nodes are sponsored by link:[Profitbricks].
** for 'i386' we are also using four virtual machines, profitbricks-build(2+6+12+16)-i386, which have 10 or 9 cores and 36gb ram each. pb2+12 run emulated AMD Opteron CPUs and pb6+16 Intel Xeon CPUs. These nodes are also sponsored by link:[Profitbricks].
** for 'arm64' we are using eight "moonshot" sleds, codethink-sled9-15-arm64, which have 8 cores and 64gb ram each. These nodes are sponsored by link:[Codethink].
** To test 'armhf' we are using 29 small boards hosted by vagrant@d.o:
*** six quad-cores (cbxi4a, cbxi4b, ff4a, jtx1a, jtx1b, jtx1c) with 4gb ram,
*** one hexa-core (ff64a) with 2gb ram,
*** three octo-cores (odxu4a, odxu4b and odxu4c) with 2gb ram,
*** twelve quad-cores (wbq0, cbxi4pro0, ff2a, ff2b, odu3a, opi2a, opi2b, opi2c, jtk1a, jtk1b, p64b and p64c) with 2gb ram,
*** two dual-core (bbx15 and cb3a) with 2gb ram and,
*** two quad-cores (rpi2b and rpi2c) with 1gb ram and
*** three dual-cores (bpi0, hb0 and wbd0) with 1gb ram, each.

* We would love to have more or more powerful ARM hardware in the future, if you can help, please talk to us!
* Packages to be build are scheduled in the database via a scheduler job, which runs every hour and if the queue is below a certain threshold schedules four types of packages:
** new untested packages (either uploaded to 'unstable' or 'experimental' or migrated to 'buster' or 'stretch'),
** new versions of existing packages, which were already tested - these are always scheduled, no matter how full the queue is
** old versions, already tested (at least two weeks ago)
** and also some old versions which failed to build (at least ten days ago), if no bug has been filed.
* Several other jobs exist to build the HTML pages and to create two JSON files which can be downloaded from and The 1st one has all the data (except history) and the 2nd has all the data we consider relevant to bother maintainers with, that is, some ftbfs isses are excluded.
* Information from is incorporated on pushes to that git repo.
* There are suite specific jobs to create the pbuilder base.tgz's per suite, which have the reproducible apt repo added. Similarly there's another job per suite to create the schroots used by the builder jobs to download the packages sources to build.
* Then there are two more jobs to create sid and testing schroots to run diffoscope on the the two results. This is necessary since to investigate haskell binaries, diffoscope needs access to the same haskell compiler version as the investigated packages have been built with.
* For making sure things are considerably under control at any time, there is a maintenance job running every 3h, mostly doing cleanups.
* The jenkins job overview at probably makes it clearer how the job scheduling works in practice.
Mattia Rizzolo
* If you are in the reproducible team you can reschedule packages by yourself:
** log into via ssh, in the team home (/home/groups/reproducible/) there is a script you can call. Use the --help switch to get the online help.
** The team IRC channel will get a notification about the scheduling and optionally when the build finishes too.
Mattia Rizzolo
* If you are not in the reproducible team or if you want to reschedule big sets of packages please ask for a manual rescheduling in the '#debian-reproducible' IRC channel on OFTC. Those with shell access to jenkins can bypass the limitations imposed to remote calls, which are limited to 500 schedulings per day, which should be plenty for normal usage.
Mattia Rizzolo
jenkins@jenkins:~$ /srv/jenkins/bin/ $suite $package1
* We support sending automatic link:[email notification] for status changes to maintainers. Enabling/disabling these notifications can be done by people with shell access to jenkins:
Mattia Rizzolo
jenkins@jenkins:~$ /srv/jenkins/bin/ -h
usage: [-h] [-o] [-p PACKAGES [PACKAGES ...]]
-h, --help show this help message and exit
-o, --deactivate Deactivate the notifications
list of packages for which activate notifications
email address of a maintainer
Mattia Rizzolo
* Job configuration is at the usual location for '': there's a 'job-cfg/reproducible.yaml' defining all the jobs and lots of scripts in 'bin/reproducible_*.(sh|py)', plus a few config files like for 'sudo' or 'apache2'.
* Finally, there are also jobs testing the link:[coreboot], link:[LEDE], link:[OpenWrt], link:[NetBSD] and[FreeBSD] projects. The results of the tests can be seen respectively at,, and
=== torbrowser-launcher jobs
link:[Tor Browser] is not part of Debian. To easily and securely use it, one can run <pre>sudo apt-get install torbrowser-launcher</pre> and then run torbrowser-launcher which will download Tor Browser and well, launch it. And this sometimes breaks, when things change, which is rather frequently the case…
There is a link:[graphical status overview of torbrowser tests on Debian] which are tests installing torbrowser-launcher on and from sid, stretch, jessie-backports, jessie and wheezy-backports, which first download torbrowser via https and via tor, then launches it to finally connect to a debian mirror via an onion-address and then to In addition to these there are also tests installing the package from stretch on jessie as well as the package from sid on stretch and jessie. Finally there are also tests for building the package from our git branches for various suites and finally there's a daily build of the package based on the upstream git master branch merged with our sid packaging.
There are 17 different tests currently and they are configured in just two files, a 220 line link:[yaml file defining the jenkins jobs] and 528 lines of link:[bash script containing the actual test code].
These tests are executed either daily or weekly (those testing the package from ftp.d.o) or on every commit and at least once every month (those testing the package build from git).
These are jobs for making sure is running smoothly.
* In principle the shell commands from the various jobs should run on any Debian system just fine. Please use a test system though, as all your data might be eaten.
** A good first step is to use this git repo as a Debian source package, build it and then install the jenkins.d.n-debug package and all it's recommends on your test system. NOTE: this ain't as helpful as it used to be as many depends have only been added to '' and not to 'debian/control'.
We love to get feedback on this! Either by sending an email to or by joining #debian-qa on and expressing yourself there. The best way is to link:[report bugs], even better if accompanied by patches or pull requests. But really, all feedback is appreciated!
See link:[INSTALL].
There is still a lot of work left, check the current link:[ToDo list].
=== Thanks
See link:[THANKS].
** GPLv2, see link:[LICENSE].