[Git][reproducible-builds/reproducible-website][master] 2025-03: Initial draft

Chris Lamb (@lamby) gitlab at salsa.debian.org
Tue Apr 8 18:41:27 UTC 2025



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
bffd58d5 by Chris Lamb at 2025-04-08T11:40:37-07:00
2025-03: Initial draft

- - - - -


18 changed files:

- _reports/2025-02.md
- _reports/2025-03.md
- + images/reports/2025-03/debian.png
- + images/reports/2025-03/diffoscope.png
- + images/reports/2025-03/fedora.png
- + images/reports/2025-03/fenrisk.png
- + images/reports/2025-03/icse-ds.png
- + images/reports/2025-03/ieee-10942514.png
- + images/reports/2025-03/izzyondroid.png
- + images/reports/2025-03/nixos.png
- + images/reports/2025-03/opensuse.png
- + images/reports/2025-03/phdunige_4323013.png
- + images/reports/2025-03/python.png
- + images/reports/2025-03/reproduce.png
- + images/reports/2025-03/reproducible-builds.png
- + images/reports/2025-03/simplex-chat.png
- + images/reports/2025-03/testframework.png
- + images/reports/2025-03/website.png


Changes:

=====================================
_reports/2025-02.md
=====================================
@@ -267,9 +267,9 @@ There were a large number of improvements made to our website this month, includ
 
 ### Reproducibility testing framework
 
-[![]({{ "/images/reports/2025-01/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+[![]({{ "/images/reports/2025-02/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
 
-The Reproducible Builds project operates a comprehensive testing framework running primarily at [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In January, a number of changes were made by Holger Levsen, including:
+The Reproducible Builds project operates a comprehensive testing framework running primarily at [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In February, a number of changes were made by Holger Levsen, including:
 
 * [*reproduce.debian.net*](https://reproduce.debian.net)-related:
 


=====================================
_reports/2025-03.md
=====================================
@@ -6,120 +6,290 @@ title: "Reproducible Builds in March 2025"
 draft: true
 ---
 
-- [FIXME: Jochen Sprickerhof upload sbuild (0.88.5) with this relevant change:
+[![]({{ "/images/reports/2025-03/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
 
-  - build_as_root_when_needed: support older dpkg](https://tracker.debian.org/news/1622951/accepted-sbuild-0885-source-into-unstable/)
+**Welcome to the third report in 2025 from the [Reproducible Builds]({{ "/" | relative_url }}) project.** Our monthly reports outline what we've been up to over the past month, and highlight items of news from elsewhere in the increasingly-important area of software supply-chain security. As usual, however, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
 
-- [FIXME](https://tesidottorato.depositolegale.it/bitstream/20.500.14242/193708/1/phdunige_4323013.pdf)
+<!--
 
-- Starting from [version 6.3](https://simplex.chat/blog/20250308-simplex-chat-v6-3-new-user-experience-safety-in-public-groups.html),
-  SimpleX Chat, a messaging platform designed without user identifiers to ensure complete privacy, has implemented
-  reproducible builds for its server components. This advancement allows anyone to verify that the distributed binaries
-  match the source code, bolstering transparency and trustworthiness.
+**Table of contents:**
 
-## debian-repro-status
+FIXME
 
-- [kpcyrd released debian-repro-status 0.2.1-1](https://tracker.debian.org/news/1626706/accepted-rust-debian-repro-status-021-1-source-into-unstable/) which fixes [arch:all package status queries (Debian Bug #1098440)](https://bugs.debian.org/1098440).
+-->
 
-- Holger Levsen reported three issues:
-   - [debian-repro-status / issue #12: outputs to stdout and stderr](https://github.com/kpcyrd/debian-repro-status/issues/12)
-   - [debian-repro-status / issue #13: --summary-only option or some such](https://github.com/kpcyrd/debian-repro-status/issues/13)
-   - [debian-repro-status / issue #14: machine readable output](https://github.com/kpcyrd/debian-repro-status/issues/14)
-- Paul Gevers reported one issue:
-   - [debian-repro-status / bug #1100804: reports on removed but not purged packages](https://bugs.debian.org/1100804)
+---
 
-## Upstream patches
+### Debian bookworm live images now fully reproducible
 
-- Robin Candau:
-    - [`clifm`](https://github.com/leo-arch/clifm/pull/332) (timestamp / compressed man pages in upstream build system)
-    - [`lidm`](https://github.com/javalsai/lidm/pull/27) (timestamp / compressed man pages in upstream build system)
+[![]({{ "/images/reports/2025-03/debian.png#right" | relative_url }})](https://lists.reproducible-builds.org/pipermail/rb-general/2025-March/003675.html)
 
-## fedora updates
+On the general [Reproducible Builds mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, [Roland Clobus announced](https://lists.reproducible-builds.org/pipermail/rb-general/2025-March/003675.html) that all major desktop variants (ie. Gnome, KDE, etc.) build reproducibly with Debian *bullseye*, *bookworm* and *trixie*.
 
-* FIXME: to quote the summary from https://fedoraproject.org/wiki/Changes/Package_builds_are_expected_to_be_reproducible
-<quote begin>
-Over the last few releases, we changed our build infrastructure to make package builds reproducible. This is enough to reach 90%. The remaining issues need to be fixed in individual packages. After this Change, package builds are expected to be reproducible. Bugs will be filed against packages when an irreproducibility is detected. The goal is to have no fewer than 99% of package builds reproducible.
+In response, Roland's announcement generated both congratulations as well as some exacting wrestling with the terms employed: a full outline of the replies can be found [here](https://lists.reproducible-builds.org/pipermail/rb-general/2025-March/thread.html#3675).
 
-A public service with package rebuild statistics and reports for individual packages is made available. (An instance of rebuilderd.) A script to make local rebuilds of historic koji builds is made available (fedora-repro-build).
-    Targeted release: Fedora Linux 43
-    Owner:
-        Name: Zbigniew Jędrzejewski-Szmek
-        Name: Davide Cavalca
-        Name: Jelle van der Waa
-<quote end>
-also see 
-mailing list discussion: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/3OGIBZWPBB43QEVDXPEHNYEYJWMRPJ4E/
-discourse discussion: https://discussion.fedoraproject.org/t/f43-change-proposal-package-builds-are-expected-to-be-reproducible-system-wide/147320
+The news was [also picked up by Linux Weekly News](https://lwn.net/Articles/1015402/) (LWN) as [well as to Hacker News](https://news.ycombinator.com/item?id=43484520).
 
+<br>
 
-## izzy on droid updates
+### [*How NixOS and reproducible builds could have detected the `xz` backdoor*](https://luj.fr/blog/how-nixos-could-have-detected-xz.html)"
 
-```
->    The [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) Android APK
->    repository reached another milestone in March, crossing the 40%
->    coverage: More than 42% of the apps in their repository are now
->    reproducible.
->
->    Thanks to funding by NLnet/Mobifree, they were also able to put more
->    time into their tooling. So if you want to run your own verification
->    builder for Android apps, their
->    [rbuilder_setup](https://codeberg.org/IzzyOnDroid/rbuilder_setup) will
->    make it easy for you to get started, having your builder set up in less
->    than 5 minutes. It currently supports Debian based systems, but a PR to
->    support RPM based systems is ready and waits for testers. Be welcome to
->    chime in!
->
-> More is [in the
-> pipeline](https://codeberg.org/IzzyOnDroid/-/projects/13002) already,
-> especially documentation, guidelines and helpers for debugging failed
-> RBs.
-```
+[![]({{ "/images/reports/2025-03/nixos.png#right" | relative_url }})](https://luj.fr/blog/how-nixos-could-have-detected-xz.html)
 
-* [FIXME](https://fenrisk.com/supply-chain-attacks)
+Julien Malka aka *luj* published an in-depth blog post this month with the highly-stimulating title "[How NixOS and reproducible builds could have detected the xz backdoor for the benefit of all](https://luj.fr/blog/how-nixos-could-have-detected-xz.html)".
 
-* [FIXME](https://algomaster99.github.io/publications/build-and-runtime/icse-ds.pdf)
+Starting with an dive into the relevant technical details of the [XZ Utils backdoor](https://en.wikipedia.org/wiki/XZ_Utils_backdoor), Julien's article goes on to describe how we might avoid the `xz` "catastrophe" in the future by building software from trusted sources and building trust into untrusted release tarballs by way of comparing sources and leveraging bitwise reproducibility, i.e. applying the practices of Reproducible Builds.
 
-* [FIXME](https://luj.fr/blog/how-nixos-could-have-detected-xz.html)
-  https://news.ycombinator.com/item?id=43448075
+The article generated [significant discussion on Hacker News](https://news.ycombinator.com/item?id=43448075) as [well as on Linux Weekly News](https://lwn.net/Articles/1015095/) (LWN).
 
-* [FIXME](https://blog.josefsson.org/2025/03/24/reproducible-software-releases/)
+<br>
 
-* [FIXME](https://lwn.net/Articles/1015402/)
+### LWN: *Fedora change aims for 99% package reproducibility*
 
-* [FIXME](https://news.ycombinator.com/item?id=43484520)
+[![]({{ "/images/reports/2025-03/fedora.png#right" | relative_url }})](https://lwn.net/SubscriberLink/1014979/8f538e14bf589a72/)
 
-* [FIXME](https://lwn.net/Articles/1015095/#Comments)
+[Linux Weekly News](https://lwn.net/) (LWN) contributor Joe Brockmeier has published a detailed round-up on how [*Fedora change aims for 99% package reproducibility*](https://lwn.net/SubscriberLink/1014979/8f538e14bf589a72/). The article opens by mentioning that although [Debian](https://debian.org/) has "been working toward reproducible builds for more than a decade", the [Fedora](https://fedoraproject.org/) project has now:
 
-* https://lwn.net/Articles/1014979/
+> …progressed far enough that the project is now considering a [change proposal](https://fedoraproject.org/wiki/Changes/Package_builds_are_expected_to_be_reproducible) for the Fedora 43 development cycle, expected to be released in October, with a goal of making 99% of Fedora's package builds reproducible. So far, reaction to the proposal seems favorable and focused primarily on how to achieve the goal—with minimal pain for packagers—rather than whether to attempt it.
 
-* [FIXME](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10942514)
+The [Change Proposal itself](https://fedoraproject.org/wiki/Changes/Package_builds_are_expected_to_be_reproducible) is worth reading:
 
-* [FIXME](https://blog.josefsson.org/2025/03/31/on-binary-distribution-rebuilds/)
+> Over the last few releases, we [Fedora] changed our build infrastructure to make package builds reproducible. This is enough to reach 90%. The remaining issues need to be fixed in individual packages. After this Change, package builds are expected to be reproducible. Bugs will be filed against packages when an irreproducibility is detected. The goal is to have no fewer than 99% of package builds reproducible.
 
-* Python: PEP-751 has been accepted: https://peps.python.org/pep-0751/
-  Python now has a lock file standard that can act as an export target for all tools that can create some sort of lock file. And for some tools the format can act as their primary lock file format as well instead of some proprietary format.
-  Source: https://fosstodon.org/@brettcannon/114259151263031733
+Further discussion can be found [on the Fedora mailing list](https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/3OGIBZWPBB43QEVDXPEHNYEYJWMRPJ4E/) as well as on [Fedora's Discourse instance](https://discussion.fedoraproject.org/t/f43-change-proposal-package-builds-are-expected-to-be-reproducible-system-wide/147320).
 
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/EZV6JBSOWKHQHTBG2VMA2FULA5XWXXLE/)
+<br>
+
+### Python adopts PEP standard for specifying package dependencies
+
+[![]({{ "/images/reports/2025-03/python.png#right" | relative_url }})](https://peps.python.org/pep-0751/)
+
+Python developer [Brett Cannon](https://snarky.ca/) [reported on Fosstodon](https://fosstodon.org/@brettcannon/114259151263031733) that [PEP 751](https://peps.python.org/pep-0751/) was recently accepted. This [design document](https://peps.python.org/pep-0001/) has the purpose of describing "a file format to record Python dependencies for installation reproducibility". As the abstract of the proposal writes:
+
+> This PEP proposes a new file format for specifying dependencies to enable reproducible installation in a Python environment. The format is designed to be human-readable and machine-generated. Installers consuming the file should be able to calculate what to install without the need for dependency resolution at install-time.
+
+The PEP, which itself supersedes [PEP 665](https://peps.python.org/pep-0665/), mentions that "there are at least five well-known solutions to this problem in the community".
+
+<br>
+
+### SimpleX Chat server components now reproducible
+
+[![]({{ "/images/reports/2025-03/simplex-chat.png#right" | relative_url }})](https://simplex.chat/blog/20250308-simplex-chat-v6-3-new-user-experience-safety-in-public-groups.html)
+
+[SimpleX Chat](https://simplex.chat/) is a privacy-oriented decentralised messaging platform that eliminates user identifiers and metadata, offers end-to-end encryption and has a unique approach to decentralised identity. Starting from version 6.3, however, Simplex has [implemented reproducible builds for its server components](https://simplex.chat/blog/20250308-simplex-chat-v6-3-new-user-experience-safety-in-public-groups.html). This advancement allows anyone to verify that the binaries distributed by SimpleX match the source code, improving transparency and trustworthiness.
+
+<br>
+
+### Three new scholarly papers
+
+[![]({{ "/images/reports/2025-03/icse-ds.png#right" | relative_url }})](https://algomaster99.github.io/publications/build-and-runtime/icse-ds.pdf)
+
+Aman Sharma of the [KTH Royal Institute of Technology](https://www.kth.se/en) of Stockholm, Sweden published a paper on [*Build and Runtime Integrity for Java*](https://algomaster99.github.io/publications/build-and-runtime/icse-ds.pdf) (PDF). The paper's abstract notes that "Software Supply Chain attacks are increasingly threatening the security of software systems" and goes on to compare build- and run-time integrity:
+
+> Build-time integrity ensures that the software artifact creation process, from source code to compiled binaries, remains untampered. Runtime integrity, on the other hand, guarantees that the executing application loads and runs only
+trusted code, preventing dynamic injection of malicious components.
+
+Aman's paper explores solutions to safeguard Java applications and proposes some novel techniques to detect malicious code injection. A [full PDF](https://algomaster99.github.io/publications/build-and-runtime/icse-ds.pdf) of the paper is available.
+
+<br>
+
+[![]({{ "/images/reports/2025-03/ieee-10942514.png#right" | relative_url }})](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10942514)
+
+In addition, Hamed Okhravi and Nathan Burow of [Massachusetts Institute of Technology (MIT) Lincoln Laboratory](https://www.ll.mit.edu/) along with [Fred B. Schneider](https://www.cs.cornell.edu/fbs/) of [Cornell University](https://www.cornell.edu/) published a paper in the most recent edition of [IEEE *Security & Privacy*](https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=8013) on [*Software Bill of Materials as a Proactive Defense*](https://ieeexplore.ieee.org/document/10942514):
+
+> The recently mandated software bill of materials (SBOM) is intended to help mitigate software supply-chain risk. We discuss extensions that would enable an SBOM to serve as a basis for making trust assessments thus also serving as a proactive defense.
+
+A [full PDF of the paper](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10942514) is available.
+
+<br>
+
+[![]({{ "/images/reports/2025-03/phdunige_4323013.png#right" | relative_url }})](https://tesidottorato.depositolegale.it/bitstream/20.500.14242/193708/1/phdunige_4323013.pdf)
+
+Lastly, congratulations to [Giacomo Benedetti](https://giacomobenedetti.github.io/) of the [University of Genoa](https://unige.it/en) for publishing their PhD thesis. Titled *Improving Transparency, Trust, and Automation in the Software Supply Chain*, Giacomo's thesis:
+
+> addresses three critical aspects of the software supply chain to enhance security: transparency, trust, and automation. First, it investigates transparency as a mechanism to empower developers with accurate and complete insights into the software components integrated into their applications. To this end, the thesis introduces SUNSET and PIP-SBOM, leveraging modeling and SBOMs (Software Bill of Materials) as foundational tools for transparency and security. Second, it examines software trust, focusing on the effectiveness of reproducible builds in major ecosystems and proposing solutions to bolster their adoption. Finally, it emphasizes the role of automation in modern software management, particularly in ensuring user safety and application reliability. This includes developing a tool for automated security testing of GitHub Actions and analyzing the permission models of prominent platforms like GitHub, GitLab, and BitBucket.
+
+<br>
+
+### Distribution roundup
+
+[![]({{ "/images/reports/2025-03/debian.png#right" | relative_url }})](https://debian.org/)
+
+In **Debian** this month:
+
+* *kpcyrd* [released and uploaded `debian-repro-status` version 0.2.1-1](https://tracker.debian.org/news/1626706/accepted-rust-debian-repro-status-021-1-source-into-unstable/) which fixes an [issue related to querying architecture-independent packages](https://bugs.debian.org/1098440). In addition, Holger Levsen identified three issues surrounding outputs to standard output and standard error [[...](https://github.com/kpcyrd/debian-repro-status/issues/12)] as well as a request for summarised [[...](https://github.com/kpcyrd/debian-repro-status/issues/13)] and machine-readable [[...](https://github.com/kpcyrd/debian-repro-status/issues/14)].
+
+* [Debian](https://debian.org) developer Simon Josefsson published two reproducibility-related blog posts this month. The first was on the topic of [*Reproducible Software Releases*](https://blog.josefsson.org/2025/03/24/reproducible-software-releases/) which discusses some techniques and gotchas that can be encountered when generating reproducible source packages — ie. ensuring that the source code archives that open-source software projects release can be reproduced by others. Simon's second post builds on his [earlier experiments with reproducing parts of Trisquel/Debian](https://blog.josefsson.org/2024/07/10/towards-idempotent-rebuilds/). Titled [*On Binary Distribution Rebuilds*](https://blog.josefsson.org/2025/03/31/on-binary-distribution-rebuilds/), it discusses potential methods to "bootstrap a binary distribution like Debian from some other bootstrappable environment like [Guix](https://guix.gnu.org/).
+
+* Jochen Sprickerhof uploaded `sbuild` version 0.88.5 with a change relevant to reproducible builds: specifically, the `build_as_root_when_needed` functionality still supports older versions of `dpkg`(1). [[...](https://tracker.debian.org/news/1622951/accepted-sbuild-0885-source-into-unstable/)]
+
+* Lastly, 16 reviews of Debian packages were added, 11 were updated and 11 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). One new toolchain issue, [`tempdir_in_cython_cythonize`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/7263825d) was identified by Chris Lamb as well.
+
+<br>
+
+[![]({{ "/images/reports/2025-03/izzyondroid.png#right" | relative_url }})](https://apt.izzysoft.de/fdroid/)
+
+The [**IzzyOnDroid**](https://apt.izzysoft.de/fdroid/) Android APK repository reached another milestone in March, crossing the 40% coverage mark — specifically, more than 42% of the apps in the repository is now reproducible
+
+Thanks to funding by [NLnet](https://nlnet.nl/)/[Mobifree](https://mobifree.org/), the project was also to put more
+time into their tooling. For instance, developers can now run [easily their own verification builder](https://codeberg.org/IzzyOnDroid/rbuilder_setup) in "less than 5 minutes". This currently supports [Debian](https://www.debian.org/)-based systems, but support for RPM-based systems is incoming. [Future work in the pipeline](https://codeberg.org/IzzyOnDroid/-/projects/13002), including documentation, guidelines and helpers for debugging.
+
+<br>
+
+[![]({{ "/images/reports/2025-03/fedora.png#right" | relative_url }})](https://fedoraproject.org/)
+
+[**Fedora**](https://fedoraproject.org/) developer [Zbigniew Jędrzejewski-Szmek](https://github.com/keszybz) announced a work-in-progress script called [`fedora-repro-build`](https://github.com/keszybz/fedora-repro-build) which attempts to reproduce an existing package within a [*Koji*](https://pagure.io/koji/) build environment. Although [the project's `README` file](https://github.com/keszybz/fedora-repro-build#readme) lists a number of "fields will always or almost always vary" (and there are a non-zero [list of other known issues](https://pagure.io/fedora-reproducible-builds/project/issues?tags=irreproducibility)), this is an excellent first step towards full Fedora reproducibility (see above for more information).
+
+<br>
+
+[![]({{ "/images/reports/2025-03/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
+
+Lastly, in [**openSUSE**](https://www.opensuse.org/) news, Bernhard M. Wiedemann posted another [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/EZV6JBSOWKHQHTBG2VMA2FULA5XWXXLE/) for his work there.
+
+<br>
+
+### An overview of *Supply Chain Attacks on Linux distributions*
+
+[![]({{ "/images/reports/2025-03/fenrisk.png#right" | relative_url }})](https://fenrisk.com/supply-chain-attacks)
+
+[Fenrisk](https://fenrisk.com/en/), a cybersecurity risk-management company, has published a lengthy overview of [*Supply Chain Attacks on Linux distributions*](https://fenrisk.com/supply-chain-attacks). Authored by [Maxime Rinaudo](https://x.com/MaxRio13), the article asks:
+
+> [What] would it take to compromise an entire Linux distribution directly through their public infrastructure? Is it possible to perform such a compromise as simple security researchers with no available resources but time?
+
+<br>
+
+### [*diffoscope*](https://diffoscope.org) & *strip-nondeterminism*
+
+[![]({{ "/images/reports/2025-03/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
+
+[diffoscope](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions `290`, `291`, `292` and `293` and `293` to Debian:
+
+* Bug fixes:
+
+    * `file(1)` version 5.46 now returns `XHTML document` for `.xhtml` files such as those found nested within our `.epub` tests. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0eafad2a)]
+    * Also consider `.aar` files as APK files, at least for the sake of *diffoscope*. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/75b82281)]
+    * Require the new, upcoming, version of `file(1)` and update our [quine](https://en.wikipedia.org/wiki/Quine_(computing))-related testcase. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/b448a4eb)]
+
+* Codebase improvements:
+
+    * Ensure all calls to `our_check_output` in the ELF comparator have the potential `CalledProcessError` exception caught. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/d688b9a4)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c1827a11)]
+    * Correct an import masking issue. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/6cb11741)]
+    * Add a missing `subprocess` import. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/ba827474)]
+    * Reformat `openssl.py`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/cb33c13f)]
+    * Update copyright years. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/3afece54)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/7752dc71)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f0a81da9)]
+
+In addition, Ivan Trubach contributed a change to ignore the `st_size` metadata entry for directories as it is essentially arbitrary and introduces unnecessary or even spurious changes. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/6a848187)]
+
+<br>
+
+### Website updates
+
+[![]({{ "/images/reports/2025-03/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+Once again, there were a number of improvements made to our website this month, including:
+
+* Benedikt Ritter added the [Reproducible Builds Gradle Plugin](https://github.com/gradlex-org/reproducible-builds) to our [*Tools*]({{ "/tools/" | relative_url }}) page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a99359bc)]
+
+* Chris Lamb added a [Meson](https://mesonbuild.com/) alternative for generating `SOURCE_DATE_EPOCH` that calls out to Python to the [`SOURCE_DATE_EPOCH` documentation]({{ "/docs/source-date-epoch/" | relative_url }}). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1e2be408)]
+
+* Hervé Boutemy updated the [*JVM documentation*]({{ "/docs/jvm/" | relative_url }}) to clarify that the target is rebuild attestation. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0357fc3b)]
+
+* Lastly, Holger Levsen added Julien Malka and Zbigniew Jędrzejewski-Szmek to our [*Involved people*]({{ "/who/people/" | relative_url }}) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/43feb729)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/91fe1179)] as well as replaced suggestions to follow us on Twitter/X to [follow us on Mastodon](https://fosstodon.org/@reproducible_builds) instead [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f4e10ec1)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d606c0dd)].
+
+<br>
+
+### Reproducibility testing framework
+
+[![]({{ "/images/reports/2025-03/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project operates a comprehensive testing framework running primarily at [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In March, a number of changes were made by Holger Levsen, including:
+
+* [*reproduce.debian.net*](https://reproduce.debian.net)-related:
+
+    * Add links to two related bugs about [*buildinfos.debian.net*](https://buildinfos.debian.net/). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b32979051)]
+    * Add an extra sync to the database backup. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/de1701228)]
+    * Overhaul description of what the service is about. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/64c68c638)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9629d2a55)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a407cace0)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/36931ac3e)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0006d529b)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/06012d7c3)]
+    * Improve the documentation to indicate that need to fix syncronisation pipes. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0995de563)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f6a87edd2)]
+    * Improve the statistics page by breaking down output by architecture. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cefd12cb0)]
+    * Add a copyright statement. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2d7a440ef)]
+    * Add a space after the package name so one can search for specific packages more easily. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6a2ac88c3)]
+    * Add a script to work around/implement a missing feature of `debrebuild`. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2db5e9850)]
+
+* Misc:
+
+    * Run `debian-repro-status` at the end of the `chroot-install` tests. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b39a8a930)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/30a957c74)]
+    * Document that we have unused diskspace at [Ionos](https://www.ionos.com/). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d976c3a20)]
+
+In addition:
+
+* James Addison made a number of changes to the [*reproduce.debian.net*](https://reproduce.debian.net) homepage. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ce9d0caa5)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/77470511c)].
+
+* Jochen Sprickerhof updated the statistics generation to catch "No space left on device" issues. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a3eed6a26)]
+
+* Mattia Rizzolo added a better command to stop the builders [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b1427f9ff)] and fixed the [reStructuredText](https://docutils.sourceforge.io/rst.html) syntax in the [`README.infrastructure`](https://salsa.debian.org/qa/jenkins.debian.net/-/blob/HEAD/README.infrastructure) file. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e3379a162)]
+
+And finally, node maintenance was performed by Holger Levsen [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9e5698436)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/54f378c00)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e5d54ad30)] and Mattia Rizzolo [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/edf2b0c6e)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/736f5ca3e)].
+
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
+
+* Baptiste Daroussin:
+
+    * [`FreeBSD` pkgbase](https://cgit.freebsd.org/src/commit/Makefile.inc1?id=8e99c8ad8fd41d3befae62f9eee59d8c5c60a539)
 
-* Fridrich Strba:
-    * [`xmlgraphics-fop`](https://build.opensuse.org/request/show/1250478) (date)
 * Bernhard M. Wiedemann:
-    * [`difftastic`](https://build.opensuse.org/request/show/1251169) (race)
-    * [`wrk`](https://build.opensuse.org/request/show/1251668) (use luajit -bd)
-    * [`sad`](https://build.opensuse.org/request/show/1252059) (random, version update to get upstream fix)
-    * [`gawk`](https://build.opensuse.org/request/show/1254398) (PGO)
-    * [`bash`](https://build.opensuse.org/request/show/1251745) (PGO)
-    * [`m4`](https://build.opensuse.org/request/show/1254473) (PGO)
-    * [`python3-espressomd`](https://build.opensuse.org/request/show/1255097) (date)
-    * [`kbd`](https://build.opensuse.org/request/show/1265349) (gzip mtime)
-    * [`deepin-daemon`](https://bugzilla.opensuse.org/show_bug.cgi?id=1238196) (FTBFS)
-    * [`libcorrect`](https://bugzilla.opensuse.org/show_bug.cgi?id=1238370) (CPU)
-    * [`cobra`](https://github.com/spf13/cobra/pull/2246) (date,toolchain for warewulf4)
-    * [`cpython`](https://github.com/python/cpython/issues/130979) (https://github.com/sphinx-doc/sphinx/issues/13419 report Sphinx toolchain race affecting python31x)
-    * [`python-nanobind`](https://bugzilla.opensuse.org/show_bug.cgi?id=1239153) (FTBFS-j1)
-    * [`firefox-esr`](https://bugzilla.opensuse.org/show_bug.cgi?id=1239446) (FTBFS-race)
-    * [`os-autoinst`](https://bugzilla.opensuse.org/show_bug.cgi?id=1239686) (FTBFS)
-    * [`fritzing`](https://bugzilla.opensuse.org/show_bug.cgi?id=1239967) (random)
-* Baptiste Daroussin
-    * [`FreeBSD` pkgbase](https://cgit.freebsd.org/src/commit/Makefile.inc1?id=8e99c8ad8fd41d3befae62f9eee59d8c5c60a539) (threads)
+
+    * [`bash`](https://build.opensuse.org/request/show/1251745)
+    * [`cobra`](https://github.com/spf13/cobra/pull/2246) 
+    * [`cpython`](https://github.com/python/cpython/issues/130979)
+    * [`deepin-daemon`](https://bugzilla.opensuse.org/show_bug.cgi?id=1238196)
+    * [`difftastic`](https://build.opensuse.org/request/show/1251169)
+    * [`firefox-esr`](https://bugzilla.opensuse.org/show_bug.cgi?id=1239446)
+    * [`fritzing`](https://bugzilla.opensuse.org/show_bug.cgi?id=1239967)
+    * [`gawk`](https://build.opensuse.org/request/show/1254398)
+    * [`kbd`](https://build.opensuse.org/request/show/1265349)
+    * [`libcorrect`](https://bugzilla.opensuse.org/show_bug.cgi?id=1238370)
+    * [`m4`](https://build.opensuse.org/request/show/1254473)
+    * [`os-autoinst`](https://bugzilla.opensuse.org/show_bug.cgi?id=1239686)
+    * [`python-nanobind`](https://bugzilla.opensuse.org/show_bug.cgi?id=1239153)
+    * [`python3-espressomd`](https://build.opensuse.org/request/show/1255097)
+    * [`sad`](https://build.opensuse.org/request/show/1252059)
+    * [`wrk`](https://build.opensuse.org/request/show/1251668)
+
+* Chris Lamb:
+
+    * [#1099516](https://bugs.debian.org/1099516) filed against [`sphinxcontrib-googleanalytics`](https://tracker.debian.org/pkg/sphinxcontrib-googleanalytics).
+    * [#1100016](https://bugs.debian.org/1100016) filed against [`hx`](https://tracker.debian.org/pkg/hx).
+    * [#1100018](https://bugs.debian.org/1100018) filed against [`yaramod`](https://tracker.debian.org/pkg/yaramod).
+    * [#1100115](https://bugs.debian.org/1100115) filed against [`font-manager`](https://tracker.debian.org/pkg/font-manager).
+    * [#1100977](https://bugs.debian.org/1100977) filed against [`python-moto`](https://tracker.debian.org/pkg/python-moto).
+    * [#1101740](https://bugs.debian.org/1101740) filed against [`jenkins-job-builder`](https://tracker.debian.org/pkg/jenkins-job-builder).
+    * [#1101741](https://bugs.debian.org/1101741) filed against [`isync`](https://tracker.debian.org/pkg/isync).
+    * [#1101742](https://bugs.debian.org/1101742) filed against [`python-pytest-shell-utilities`](https://tracker.debian.org/pkg/python-pytest-shell-utilities).
+    * [#1101743](https://bugs.debian.org/1101743) filed against [`oss4`](https://tracker.debian.org/pkg/oss4).
+
+* Fridrich Strba:
+
+    * [`xmlgraphics-fop`](https://build.opensuse.org/request/show/1250478)
+
+* Jochen Sprickerhof:
+
+    * [#1100051](https://bugs.debian.org/1100051) filed against [`suricata`](https://tracker.debian.org/pkg/suricata).
+
+* Robin Candau:
+
+    * [`clifm`](https://github.com/leo-arch/clifm/pull/332)
+    * [`lidm`](https://github.com/javalsai/lidm/pull/27)
+
+<br>
+
+Finally, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
+
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
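Review bot: the reordered Bernhard M. Wiedemann list drops the short root-cause tags that the removed lines carried ("(date)", "(race)", "(PGO)", "(gzip mtime)", "(FTBFS-j1)" and so on), and the same happens to the Baptiste Daroussin entry for FreeBSD pkgbase, which loses "(threads)", and to the `cpython` entry, which loses the link to the related Sphinx issue (https://github.com/sphinx-doc/sphinx/issues/13419); those tags tell readers which class of non-determinism each patch addresses, so consider keeping them in the new alphabetical list, e.g. `* [`kbd`](https://build.opensuse.org/request/show/1265349) (gzip mtime)`. Two smaller points: the `cobra` line has trailing whitespace, and the closing contact list is indented with a leading space (` * IRC:`) unlike every other list in this file; also "However, you can get in touch with us via:" reads as a contrast where none is intended, so "Alternatively, you can get in touch with us via:" would fit better.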


=====================================
images/reports/2025-03/debian.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/debian.png differ


=====================================
images/reports/2025-03/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/diffoscope.png differ


=====================================
images/reports/2025-03/fedora.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/fedora.png differ


=====================================
images/reports/2025-03/fenrisk.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/fenrisk.png differ


=====================================
images/reports/2025-03/icse-ds.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/icse-ds.png differ


=====================================
images/reports/2025-03/ieee-10942514.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/ieee-10942514.png differ


=====================================
images/reports/2025-03/izzyondroid.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/izzyondroid.png differ


=====================================
images/reports/2025-03/nixos.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/nixos.png differ


=====================================
images/reports/2025-03/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/opensuse.png differ


=====================================
images/reports/2025-03/phdunige_4323013.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/phdunige_4323013.png differ


=====================================
images/reports/2025-03/python.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/python.png differ


=====================================
images/reports/2025-03/reproduce.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/reproduce.png differ


=====================================
images/reports/2025-03/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/reproducible-builds.png differ


=====================================
images/reports/2025-03/simplex-chat.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/simplex-chat.png differ


=====================================
images/reports/2025-03/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/testframework.png differ


=====================================
images/reports/2025-03/website.png
=====================================
Binary files /dev/null and b/images/reports/2025-03/website.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/bffd58d576b57d530deeceb5a32395ba5471695c

-- 
You're receiving this email because of your account on salsa.debian.org.

