[Git][reproducible-builds/reproducible-website][master] 2 commits: 2025-11: Add link to https://docs.pypi.org/trusted-publishers/
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Wed Dec 3 20:28:34 UTC 2025
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
727890a8 by Chris Lamb at 2025-12-03T12:26:40-08:00
2025-11: Add link to https://docs.pypi.org/trusted-publishers/
- - - - -
c463533c by Chris Lamb at 2025-12-03T12:28:10-08:00
published as https://reproducible-builds.org/reports/2025-11/
- - - - -
1 changed file:
- _reports/2025-11.md
Changes:
=====================================
_reports/2025-11.md
=====================================
@@ -3,7 +3,8 @@ layout: report
year: "2025"
month: "11"
title: "Reproducible Builds in November 2025"
-draft: true
+draft: false
+date: 2025-12-03 20:28:10
---
**Welcome to the report for November 2025 from the [Reproducible Builds](https://reproducible-builds.org) project!**
@@ -13,11 +14,15 @@ draft: true
These monthly reports outline what we've been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As always, if you are interested in contributing to the Reproducible Builds project, please see the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
-<!--
-
**In this report:**
--->
+0. ["10 years of Reproducible Build" at SeaGL](#10-years-of-reproducible-builds-at-seagl-2025)
+0. [Distribution work](#distribution-work)
+0. [Tool development](#tool-development)
+0. [Website updates](#website-updates)
+0. [Miscellaneous news](#miscellaneous-news)
+0. [*Software Supply Chain Security of Web3*](#software-supply-chain-security-of-web3)
+0. [Upstream patches](#upstream-patches)
---
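Review bot: the first table-of-contents entry on the `+0. ["10 years of Reproducible Build" at SeaGL]` line reads "Reproducible Build" (singular) while its anchor is `#10-years-of-reproducible-builds-at-seagl-2025`; assuming the section heading itself uses the plural, the link text should be "10 years of Reproducible Builds" so the entry matches the heading it points to. Worth a quick check on the published page that each of the seven anchors resolves, since these entries were previously commented out and have not been rendered before; the ordering is consistent with the rest of this diff (the Web3 paper is listed after Miscellaneous news, matching where that section is moved to).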
@@ -68,7 +73,7 @@ from independent builders, laying the groundwork for further tooling.
### Tool development
-**diffoscope** version `307` was [uploaded to Debian unstable](https://tracker.debian.org/news/1687430/accepted-diffoscope-308-source-into-unstable/) (as well as [version `309`](https://tracker.debian.org/news/1689307/accepted-diffoscope-309-source-into-unstable/)). These changes included further attempts to automatically attempt to deploy to [PyPI](https://pypi.org/) by liaising with the PyPI developers/maintainers (with this experimental feature). [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/82df6d3f)][[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/811a72eb)][[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8ba9c2ce)]
+**diffoscope** version `307` was [uploaded to Debian unstable](https://tracker.debian.org/news/1687430/accepted-diffoscope-308-source-into-unstable/) (as well as [version `309`](https://tracker.debian.org/news/1689307/accepted-diffoscope-309-source-into-unstable/)). These changes included further attempts to automatically attempt to deploy to [PyPI](https://pypi.org/) by liaising with the PyPI developers/maintainers (with this [experimental feature](https://docs.pypi.org/trusted-publishers/)). [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/82df6d3f)][[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/811a72eb)][[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8ba9c2ce)]
In addition, **reprotest** versions `0.7.31` and `0.7.32` were uploaded to Debian *unstable* by Holger Levsen, who also made the following changes:
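Review bot: the unchanged part of the edited sentence still carries the doubled wording "further attempts to automatically attempt to deploy", and the link behind "version `307`" points at a tracker URL whose slug reads `accepted-diffoscope-308-source-into-unstable`, so either the version number or the link target is off; suggest rewording to "further work to automatically deploy to PyPI" and checking the tracker link while this line is being touched. Pointing "experimental feature" at https://docs.pypi.org/trusted-publishers/ is fine as the one intended change here, since it is the link the commit message describes.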
@@ -99,18 +104,6 @@ Once again, there were a number of improvements made to our website this month i
<br>
-### [*Software Supply Chain Security of Web3*](https://arxiv.org/abs/2511.12274)
-
-[](https://arxiv.org/abs/2511.12274)
-
-Via our [mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/), [Martin Monperrus let us know](https://lists.reproducible-builds.org/pipermail/rb-general/2025-November/003929.html) about their recently-published page on the [*Software Supply Chain Security of Web3*](https://arxiv.org/abs/2511.12274). The abstract of their paper is as follows:
-
-> Web3 applications, built on blockchain technology, manage billions of dollars in digital assets through decentralized applications (dApps) and smart contracts. These systems rely on complex, software supply chains that introduce significant security vulnerabilities. This paper examines the software supply chain security challenges unique to the Web3 ecosystem, where traditional Web2 software supply chain problems intersect with the immutable and high-stakes nature of blockchain technology. We analyze the threat landscape and propose mitigation strategies to strengthen the security posture of Web3 systems.
-
-Their paper lists reproducible builds as one of the mitigating strategies. A [PDF](https://arxiv.org/pdf/2511.12274) of the full text is available to download.
-
-<br>
-
### Miscellaneous news
* It was noticed that the [*Comparison of Linux distributions*](https://en.wikipedia.org/wiki/Comparison_of_Linux_distributions) Wikipedia page now has a "Reproducible builds" column.
@@ -131,6 +124,18 @@ Their paper lists reproducible builds as one of the mitigating strategies. A [PD
<br>
+### [*Software Supply Chain Security of Web3*](https://arxiv.org/abs/2511.12274)
+
+[](https://arxiv.org/abs/2511.12274)
+
+Via our [mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/), [Martin Monperrus let us know](https://lists.reproducible-builds.org/pipermail/rb-general/2025-November/003929.html) about their recently-published page on the [*Software Supply Chain Security of Web3*](https://arxiv.org/abs/2511.12274). The abstract of their paper is as follows:
+
+> Web3 applications, built on blockchain technology, manage billions of dollars in digital assets through decentralized applications (dApps) and smart contracts. These systems rely on complex, software supply chains that introduce significant security vulnerabilities. This paper examines the software supply chain security challenges unique to the Web3 ecosystem, where traditional Web2 software supply chain problems intersect with the immutable and high-stakes nature of blockchain technology. We analyze the threat landscape and propose mitigation strategies to strengthen the security posture of Web3 systems.
+
+Their paper lists reproducible builds as one of the mitigating strategies. A [PDF](https://arxiv.org/pdf/2511.12274) of the full text is available to download.
+
+<br>
+
### Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
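Review bot: the `+[](https://arxiv.org/abs/2511.12274)` line is a link with empty text, which renders as nothing; if it was meant to carry a figure, the image and alt text need restoring (something like `[![Software Supply Chain Security of Web3](<image-path>)](https://arxiv.org/abs/2511.12274)`, with the real path filled in), otherwise drop the line. Also, "their recently-published page" in the following paragraph should read "paper", to match "their paper" in the next sentence. Otherwise this hunk is a straight relocation of the block removed in the previous hunk (the removed and added lines are identical), so there is no new content to re-review here.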
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/4f30a3aa69ca45791e9dcb30c1520a2e6c77abad...c463533c74b63fbef519ac3dcfdb822ed7700f42