[Git][reproducible-builds/reproducible-website][master] 2 commits: More changes prior to publication.
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Wed Aug 6 20:56:16 UTC 2025
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
2f33be93 by Chris Lamb at 2025-08-06T13:56:01-07:00
More changes prior to publication.
- - - - -
c5dab4b5 by Chris Lamb at 2025-08-06T13:56:07-07:00
published as https://reproducible-builds.org/reports/2025-07/
- - - - -
5 changed files:
- _reports/2025-07.md
- + images/reports/2025-07/gosst.png
- + images/reports/2025-07/izzyondroid.png
- images/reports/2025-07/never-mind-the-checkboxes-2.jpg
- + images/reports/2025-07/opensuse-lg.png
Changes:
=====================================
_reports/2025-07.md
=====================================
@@ -3,22 +3,32 @@ layout: report
year: "2025"
month: "07"
title: "Reproducible Builds in July 2025"
-draft: true
+draft: false
+date: 2025-08-06 20:56:07
---
[](https://reproducible-builds.org/)
**Welcome to the seventh report from the [Reproducible Builds]({{ "/" | relative_url }}) project in 2025.** Our monthly reports outline what we've been up to over the past month, and highlight items of news from elsewhere in the increasingly-important area of software supply-chain security. If you are interested in contributing to the Reproducible Builds project, please see the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
-<!--
**In this report:**
-0. FIXME automatically generated upon publication
--->
+0. [**Reproducible Builds Summit 2025**](#reproducible-builds-summit-2025)
+0. [Reproducible Builds an official goal for SUSE Enterprise Linux](#reproducible-builds-an-official-goal-for-suse-enterprise-linux)
+0. [Reproducible Builds at FOSSY 2025](#reproducible-builds-at-fossy-2025)
+0. [New OSS Rebuild project from Google](#new-oss-rebuild-project-from-google)
+0. [New extension of Python `setuptools` to support reproducible builds](#new-extension-of-python-setuptools-to-support-reproducible-builds)
+0. [*diffoscope*](#diffoscope)
+0. [New library to patch system functions for reproducibility](#new-library-to-patch-system-functions-for-reproducibility)
+0. [*Independently Reproducible Git Bundles*](#independently-reproducible-git-bundles)
+0. [Website updates](#website-updates)
+0. [Distribution work](#distribution-work)
+0. [Reproducibility testing framework](#reproducibility-testing-framework)
+0. [Upstream patches](#upstream-patches)
---
-### [Next Reproducible Builds Summit dates announced]({{ "/events/vienna2025/" | relative_url }})
+### [Reproducible Builds Summit 2025]({{ "/events/vienna2025/" | relative_url }})
[]({{ "/events/vienna2025/" | relative_url }})
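Review bot: the new `+date: 2025-08-06 20:56:07` front-matter value carries no timezone, while the commit timestamps in this notification are given as `-07:00` and the list header as UTC; the value matches the UTC commit time, so confirm the report layout interprets bare dates as UTC so that this report sorts consistently with the others. The hand-written contents list also replaces a placeholder that claimed it would be "automatically generated upon publication", so whoever publishes should double-check each anchor (e.g. `#reproducible-builds-summit-2025`) against the final heading text, since renaming a heading later in this same patch silently breaks the link.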
@@ -28,17 +38,18 @@ We are thrilled to host the eighth edition of this exciting event, following the
During this enriching event, participants will have the opportunity to engage in discussions, establish connections and exchange ideas to drive progress in this vital field. Our aim is to create an inclusive space that fosters collaboration, innovation and problem-solving.
-If you're interesting in joining us this year, please make sure to [read the event page]({{ "/events/vienna2025/" | relative_url }}) which has more details about the event and location. We are very much looking forward to seeing many readers of these reports there!
+If you're interesting in joining us this year, please make sure to [read the event page]({{ "/events/vienna2025/" | relative_url }}) which has more details about the event and location. Registration is open until 20th September 2025, and we are very much looking forward to seeing many readers of these reports there!
<br>
-### New extension of Python `setuptools` to support reproducible builds
+### [Reproducible Builds an official goal for SUSE Enterprise Linux](https://lists.reproducible-builds.org/pipermail/rb-general/2025-July/003846.html)
-Wim Jeantine-Glenn has written a [PEP 517 Build backend](https://peps.python.org/pep-0517/#build-backend-interface) in order to enable reproducible builds when building Python projects that use [setuptools](https://setuptools.pypa.io/en/latest/).
+[](https://lists.reproducible-builds.org/pipermail/rb-general/2025-July/003846.html)
-Called [`setuptools-reproducible`](https://pypi.org/project/setuptools-reproducible/), the project's [README file](https://github.com/wimglenn/setuptools-reproducible/blob/main/README.md) contains the following:
+On [our mailing list this month](https://lists.reproducible-builds.org/listinfo/rb-general), Bernhard M. Wiedemann revealed the big news that [reproducibility is now an official goal for SUSE Linux Enterprise Server (SLES) 16](https://lists.reproducible-builds.org/pipermail/rb-general/2025-July/003846.html):
-> Setuptools can create reproducible wheel archives (`.whl`) by setting `SOURCE_DATE_EPOCH` at build time, but setting the env var is insufficient for creating reproducible sdists (`.tar.gz`). `setuptools-reproducible` [therefore] wraps the hooks `build_sdist` `build_wheel` with some modifications to make reproducible builds by default.
+> [Everything] changed earlier this year when reproducible-builds for SLES-16 became an official goal for the product. More people are talking about
+digital sovereignty and supply-chain security now. […] Today, only 9 of 3319 (source) packages have significant problems left (plus 7 with pending fixes), so 99.5% of packages have reproducible builds.
<br>
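Review bot: the rewritten line `+If you're interesting in joining us this year, please make sure to [read the event page]` carries over the typo from the removed line; it should read "If you're interested in joining us this year". Since the registration deadline (20th September 2025) is the only new information in this hunk, it is worth getting the sentence right before publication.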
@@ -58,18 +69,36 @@ Vagrant and Chris also staffed a table, where they will be available to answer a
<br>
-### New library to patch system functions for reproducibility
+### [New OSS Rebuild project from Google](https://security.googleblog.com/2025/07/introducing-oss-rebuild-open-source.html)
-[Nicolas Graves](https://git.sr.ht/~ngraves) has written and published [libfate](https://github.com/nicolas-graves/libfate), a simple collection of tiny libraries to patch system functions deterministically using `LD_PRELOAD`. According to the [project's `README`](https://github.com/nicolas-graves/libfate/blob/master/README.md):
+[](https://security.googleblog.com/2025/07/introducing-oss-rebuild-open-source.html)
-> libfate provides deterministic replacements for common non-deterministic system functions that can break reproducible builds. Instead of relying on complex build systems or apps or extensive patching, libfate uses the LD_PRELOAD trick to intercept system calls and return fixed, predictable values.
+The Google Open Source Security Team (GOSST) published an [article this month announcing OSS Rebuild](https://security.googleblog.com/2025/07/introducing-oss-rebuild-open-source.html), "a new project to strengthen trust in open source package ecosystems by reproducing upstream artifacts." As [the post](https://security.googleblog.com/2025/07/introducing-oss-rebuild-open-source.html) itself documents, the new project comprises four facets:
-Describing why he wrote it, Nicolas writes:
+> * **Automation** to derive declarative build definitions for existing PyPI (Python), npm (JS/TS), and Crates.io (Rust) packages.
+> * **[SLSA](https://slsa.dev/) Provenance** for thousands of packages across our supported ecosystems, meeting SLSA Build Level 3 requirements with no publisher intervention.
+> * **Build observability and verification tools** that security teams can integrate into their existing vulnerability management workflows.
+> * **Infrastructure definitions** to allow organizations to easily run their own instances of OSS Rebuild to rebuild, generate, sign, and distribute provenance.
-> I originally used the OpenSUSE [dettrace](https://github.com/dettrace/dettrace) approach to make Emacs reproducible in Guix. But when Guix switch to GCC at 14, dettrace stopped working as expected. dettrace is a complex piece of software, my need was much less heavy: I don't need to systematically patch all sources of nondetermism, just the ones that make a process/binary unreproducible in a container/chroot.
+One difference with most projects that aim for bit-for-bit reproducibility, OSS Rebuild aims for a kind of "semantic" reproducibility:
+
+> Through automation and heuristics, we determine a prospective build definition for a target package and rebuild it. We semantically compare the result with the existing upstream artifact, normalizing each one to remove instabilities that cause bit-for-bit comparisons to fail (e.g. archive compression).
+
+The extensive post includes examples about how to access OSS Rebuild attestations using the Go-based command-line interface.
+
+<br>
+
+### New extension of Python `setuptools` to support reproducible builds
+
+Wim Jeantine-Glenn has written a [PEP 517 Build backend](https://peps.python.org/pep-0517/#build-backend-interface) in order to enable reproducible builds when building Python projects that use [setuptools](https://setuptools.pypa.io/en/latest/).
+
+Called [`setuptools-reproducible`](https://pypi.org/project/setuptools-reproducible/), the project's [README file](https://github.com/wimglenn/setuptools-reproducible/blob/main/README.md) contains the following:
+
+> Setuptools can create reproducible wheel archives (`.whl`) by setting `SOURCE_DATE_EPOCH` at build time, but setting the env var is insufficient for creating reproducible sdists (`.tar.gz`). `setuptools-reproducible` [therefore] wraps the hooks `build_sdist` `build_wheel` with some modifications to make reproducible builds by default.
<br>
+
### [*diffoscope*](https://diffoscope.org)
[](https://diffoscope.org/)
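Review bot: the new sentence `+One difference with most projects that aim for bit-for-bit reproducibility, OSS Rebuild aims for a kind of "semantic" reproducibility:` is grammatically incomplete (the opening "One difference with ..." phrase never gets a verb). Suggest "Unlike most projects that aim for bit-for-bit reproducibility, OSS Rebuild aims for a kind of "semantic" reproducibility:". The distinction is worth stating cleanly because the quoted paragraph that follows explains that comparisons are made only after normalising away instabilities such as archive compression, so readers should not take an OSS Rebuild match as a bit-for-bit one.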
@@ -105,6 +134,18 @@ Elsewhere in our tooling, however, [*reprotest*](https://salsa.debian.org/reprod
<br>
+### New library to patch system functions for reproducibility
+
+[Nicolas Graves](https://git.sr.ht/~ngraves) has written and published [libfate](https://github.com/nicolas-graves/libfate), a simple collection of tiny libraries to patch system functions deterministically using `LD_PRELOAD`. According to the [project's `README`](https://github.com/nicolas-graves/libfate/blob/master/README.md):
+
+> libfate provides deterministic replacements for common non-deterministic system functions that can break reproducible builds. Instead of relying on complex build systems or apps or extensive patching, libfate uses the LD_PRELOAD trick to intercept system calls and return fixed, predictable values.
+
+Describing why he wrote it, Nicolas writes:
+
+> I originally used the OpenSUSE [dettrace](https://github.com/dettrace/dettrace) approach to make Emacs reproducible in Guix. But when Guix switch to GCC at 14, dettrace stopped working as expected. dettrace is a complex piece of software, my need was much less heavy: I don't need to systematically patch all sources of nondetermism, just the ones that make a process/binary unreproducible in a container/chroot.
+
+<br>
+
### "[*Independently Reproducible Git Bundles*](https://blog.josefsson.org/2025/07/31/independently-reproducible-git-bundles/)"
[Simon Josefsson](https://blog.josefsson.org/) has published another interesting article this month. Titled [*Independently Reproducible Git Bundles*](https://blog.josefsson.org/2025/07/31/independently-reproducible-git-bundles/), the blog post describes the advantages of why you might a reproducible bundle, and the pitfalls that can arise when trying to create them:
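Review bot: the unchanged context line "the blog post describes the advantages of why you might a reproducible bundle" is missing a word ("why you might want a reproducible bundle"). It is not touched by this hunk, which only relocates the libfate section, but as the commit is titled "More changes prior to publication" it is a cheap fix to fold in.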
@@ -150,6 +191,12 @@ In [**Debian**](https://debian.org/) this month:
<br>
+[](https://apt.izzysoft.de/fdroid/)
+
+The [**IzzyOnDroid**](https://apt.izzysoft.de/fdroid/) Android APK repository made further progress in July, crossing the [50% reproducibility threshold](https://apt.izzysoft.de/fdroid) — congratulations. Furthermore, a new release of the [Neo Store](https://apt.izzysoft.de/packages/com.machiav3lli.fdroid) was released, which [exposes the reproducible status directly next to the version of each app](https://floss.social/@IzzyOnDroid/114954919343237344).
+
+<br>
+
[](https://guix.gnu.org)
In [**GNU Guix**](https://guix.gnu.org/), a [series of patches intended to fix the reproducibility for the Mono programming language](https://codeberg.org/guix/guix/pulls/507) was merged, fixing reproducibility in Mono versions 1.9 [[…](https://codeberg.org/guix/guix/commit/69d8d749e14d5c3c17628946f0b523529d041680)], 2.4 [[…](https://codeberg.org/guix/guix/commit/f0b8657c429dadeee7dda7bb1a071bac41f3e354)] and 2.6 [[…](https://codeberg.org/guix/guix/commit/52df09e31bc342c18369844991b2e5f70d2c36a4)].
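Review bot: in the added IzzyOnDroid paragraph the two repository links differ only by a trailing slash (`https://apt.izzysoft.de/fdroid/` versus `https://apt.izzysoft.de/fdroid`), and both resolve to the same front page, so the link on "50% reproducibility threshold" gives the reader nothing beyond the first link; pick one form and, if a page showing the per-app reproducibility status exists, link that instead.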
@@ -158,7 +205,7 @@ In [**GNU Guix**](https://guix.gnu.org/), a [series of patches intended to fix t
[](https://www.opensuse.org/)
-Lastly, in [**openSUSE**](https://www.opensuse.org/) news, Bernhard M. Wiedemann posted another [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/NJNQL5ZX7E3QPYAO5WXEMOY4YGYB5GZ6/) for their work there.
+Lastly, in addition to the news that [**openSUSE**](https://www.opensuse.org/) news, Bernhard M. Wiedemann posted another [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/NJNQL5ZX7E3QPYAO5WXEMOY4YGYB5GZ6/) for their work there.
<br>
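Review bot: the rewritten sentence `+Lastly, in addition to the news that [**openSUSE**](https://www.opensuse.org/) news, Bernhard M. Wiedemann posted another [monthly update]` is broken: "in addition to the news that ... news" never completes its clause. It presumably means to point back at the SLES 16 reproducibility-goal section added earlier in this patch; suggest "Lastly, in addition to the SUSE Linux Enterprise Server news above, in openSUSE Bernhard M. Wiedemann posted another monthly update for their work there."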
=====================================
images/reports/2025-07/gosst.png
=====================================
Binary files /dev/null and b/images/reports/2025-07/gosst.png differ
=====================================
images/reports/2025-07/izzyondroid.png
=====================================
Binary files /dev/null and b/images/reports/2025-07/izzyondroid.png differ
=====================================
images/reports/2025-07/never-mind-the-checkboxes-2.jpg
=====================================
Binary files a/images/reports/2025-07/never-mind-the-checkboxes-2.jpg and b/images/reports/2025-07/never-mind-the-checkboxes-2.jpg differ
=====================================
images/reports/2025-07/opensuse-lg.png
=====================================
Binary files /dev/null and b/images/reports/2025-07/opensuse-lg.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/cf54e2e211c71773a2233bf136ee0fc6f8d3aa63...c5dab4b5f9217ac4c2e916d2603e50c89fb746d4