[Git][reproducible-builds/reproducible-website][master] 2025-06: Initial draft
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Thu Jul 10 00:49:32 UTC 2025
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
4d50d2bf by Chris Lamb at 2025-07-09T17:49:15-07:00
2025-06: Initial draft
- - - - -
14 changed files:
- _reports/2025-05.md
- _reports/2025-06.md
- + images/reports/2025-06/debian.png
- + images/reports/2025-06/diffoscope.png
- + images/reports/2025-06/fdroid.png
- + images/reports/2025-06/fossy2025.png
- + images/reports/2025-06/guix.png
- + images/reports/2025-06/izzyondroid.png
- + images/reports/2025-06/nixos.png
- + images/reports/2025-06/opensuse.png
- + images/reports/2025-06/reproduce.png
- + images/reports/2025-06/reproducible-builds.png
- + images/reports/2025-06/testframework.png
- + images/reports/2025-06/website.png
Changes:
=====================================
_reports/2025-05.md
=====================================
@@ -231,10 +231,7 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
* Bernhard M. Wiedemann:
- * [`cmake/musescore`](https://gitlab.kitware.com/cmake/cmake/-/issues/26957)
- * [`netdiscover`](https://github.com/netdiscover-scanner/netdiscover/pull/38)
- * [`autotrace`](https://build.opensuse.org/request/show/1277438), [`ck`](https://build.opensuse.org/request/show/1279009), [`cmake`](https://build.opensuse.org/request/show/1280975), [`crash`](https://src, opensuse.org/kernel-kdump/crash/pulls/2), [`cvsps`](https://build.opensuse.org/request/show/1277441), [`gexif`](https://build.opensuse.org/request/show/1277447), [`gq`](https://build.opensuse.org/request/show/1277448), [`gtkam`](https://build.opensuse.org/request/show/1277463), [`ibus-table-others`](https://build.opensuse.org/request/show/1277450), [`krb5-appl`](https://build.opensuse.org/request/show/1277456), [`ktoblzcheck-data`](https://build.opensuse.org/request/show/1279038), [`leafnode`](https://build.opensuse.org/request/show/1277080), [`lib2geom`](https://build.opensuse.org/request/show/1280894), [`libexif-gtk`](https://build.opensuse.org/request/show/1277460), [`libyui`](https://github.com/libyui/libyui/pull/116), [`linkloop`](https://build.opensuse.org/request/show/1277459), [`meson`](https://github.com/mesonbuild/meson/pull/14580), [`MozillaFirefox`](https://build.opensuse.org/request/show/1277922), [`ncurses`](https://build.opensuse.org/request/show/1277853), [`notify-sharp`](https://build.opensuse.org/request/show/1277465), [`pcsc-acr38`](https://build.opensuse.org/request/show/1279024), [`pcsc-asedriveiiie-serial`](https://build.opensuse.org/request/show/1279029), [`pcsc-asedriveiiie-usb`](https://build.opensuse.org/request/show/1279030), [`pcsc-asekey`](https://build.opensuse.org/request/show/1279031), [`pcsc-eco5000`](https://build.opensuse.org/request/show/1277482), [`pcsc-reflex60`](https://build.opensuse.org/request/show/1279025), [`perl-Crypt-RC`](https://build.opensuse.org/request/show/1276293), [`python-boto3`](https://build.opensuse.org/request/show/128082), [`python-gevent`](https://build.opensuse.org/request/show/1276306), [`python-pytest-localserver`](https://build.opensuse.org/request/show/1280876), [`qt6-tools`](https://build.opensuse.org/request/show/1279420), [`seamonkey`](https://build.opensuse.org/request/show/1280974), [`seq24`](https://build.opensuse.org/request/show/1277472), [`smictrl`](https://build.opensuse.org/request/show/1277471), [`sobby`](https://build.opensuse.org/request/show/1277473), [`solfege`](https://build.opensuse.org/request/show/1277476), [`urfkill`](https://build.opensuse.org/request/show/1277477), [`uwsgi`](https://build.opensuse.org/request/show/1277483), [`wsmancli`](https://build.opensuse.org/request/show/1277478), [`xine-lib`](https://build.opensuse.org/request/show/1277479), [`xkeycaps`](https://build.opensuse.org/request/show/1277480), [`xquarto`](https://build.opensuse.org/request/show/1277481), [`yast-control-center`](https://github.com/yast/yast-control-center/pull/62), [`yast-ruby-bindings`](https://github.com/yast/yast-ruby-bindings/pull/294) and [`yast`](https://github.com/yast/yast-devtools/pull/178)
- * [`libmfx-gen`](https://build.opensuse.org/request/show/1276727), [`libmfx`](https://build.opensuse.org/request/show/1276079), [`liboqs`](https://build.opensuse.org/request/show/1276690)
+ * [`autotrace`](https://build.opensuse.org/request/show/1277438), [`ck`](https://build.opensuse.org/request/show/1279009), [`cmake`](https://build.opensuse.org/request/show/1280975), [`cmake/musescore`](https://gitlab.kitware.com/cmake/cmake/-/issues/26957), [`crash`](https://src, opensuse.org/kernel-kdump/crash/pulls/2), [`cvsps`](https://build.opensuse.org/request/show/1277441), [`gexif`](https://build.opensuse.org/request/show/1277447), [`gq`](https://build.opensuse.org/request/show/1277448), [`gtkam`](https://build.opensuse.org/request/show/1277463), [`ibus-table-others`](https://build.opensuse.org/request/show/1277450), [`krb5-appl`](https://build.opensuse.org/request/show/1277456), [`ktoblzcheck-data`](https://build.opensuse.org/request/show/1279038), [`leafnode`](https://build.opensuse.org/request/show/1277080), [`lib2geom`](https://build.opensuse.org/request/show/1280894), [`libexif-gtk`](https://build.opensuse.org/request/show/1277460), [`libmfx`](https://build.opensuse.org/request/show/1276079), [`libmfx-gen`](https://build.opensuse.org/request/show/1276727), [`liboqs`](https://build.opensuse.org/request/show/1276690), [`libyui`](https://github.com/libyui/libyui/pull/116), [`linkloop`](https://build.opensuse.org/request/show/1277459), [`meson`](https://github.com/mesonbuild/meson/pull/14580), [`MozillaFirefox`](https://build.opensuse.org/request/show/1277922), [`ncurses`](https://build.opensuse.org/request/show/1277853), [`netdiscover`](https://github.com/netdiscover-scanner/netdiscover/pull/38), [`notify-sharp`](https://build.opensuse.org/request/show/1277465), [`pcsc-acr38`](https://build.opensuse.org/request/show/1279024), [`pcsc-asedriveiiie-serial`](https://build.opensuse.org/request/show/1279029), [`pcsc-asedriveiiie-usb`](https://build.opensuse.org/request/show/1279030), [`pcsc-asekey`](https://build.opensuse.org/request/show/1279031), [`pcsc-eco5000`](https://build.opensuse.org/request/show/1277482), [`pcsc-reflex60`](https://build.opensuse.org/request/show/1279025), [`perl-Crypt-RC`](https://build.opensuse.org/request/show/1276293), [`python-boto3`](https://build.opensuse.org/request/show/128082), [`python-gevent`](https://build.opensuse.org/request/show/1276306), [`python-pytest-localserver`](https://build.opensuse.org/request/show/1280876), [`qt6-tools`](https://build.opensuse.org/request/show/1279420), [`seamonkey`](https://build.opensuse.org/request/show/1280974), [`seq24`](https://build.opensuse.org/request/show/1277472), [`smictrl`](https://build.opensuse.org/request/show/1277471), [`sobby`](https://build.opensuse.org/request/show/1277473), [`solfege`](https://build.opensuse.org/request/show/1277476), [`urfkill`](https://build.opensuse.org/request/show/1277477), [`uwsgi`](https://build.opensuse.org/request/show/1277483), [`wsmancli`](https://build.opensuse.org/request/show/1277478), [`xine-lib`](https://build.opensuse.org/request/show/1277479), [`xkeycaps`](https://build.opensuse.org/request/show/1277480), [`xquarto`](https://build.opensuse.org/request/show/1277481), [`yast-control-center`](https://github.com/yast/yast-control-center/pull/62), [`yast-ruby-bindings`](https://github.com/yast/yast-ruby-bindings/pull/294) and [`yast`](https://github.com/yast/yast-devtools/pull/178)
* Chris Hofstaedtler:
=====================================
_reports/2025-06.md
=====================================
@@ -6,191 +6,192 @@ title: "Reproducible Builds in June 2025"
draft: true
---
-## Upstream patches
-
-- Robin Candau:
- - [`gramps`](https://github.com/gramps-project/gramps/pull/2078) (use `SOURCE_DATE_EPOCH` when compressing man pages)
-
-* FIXME reproducibility issues with run-time cpu differences and workaround https://lists.gnu.org/archive/html/help-guix/2025-06/msg00081.html
-
-* FIXME: it's possible now to bootstrap Debian with 100% reproduced package
-
-(I've sadly no good idea how to represent this in the blog...)
-
-```
-$ mmdebstrap --variant=apt --include=debian-repro-status --chrooted-customize-hook=debian-repro-status trixie /dev/null
-I: automatically chosen mode: unshare
-I: chroot architecture amd64 is equal to the host's architecture
-I: finding correct signed-by value...
-done
-I: automatically chosen format: null
-I: using /tmp/mmdebstrap.e6GeTY5SW4 as tempdir
-W: Host system does not have a /etc/hostname to copy into the rootfs.
-I: running apt-get update...
-done
-I: downloading packages with apt...
-done
-I: extracting archives...
-done
-I: installing essential packages...
-done
-I: installing remaining packages inside the chroot...
-done
-done
-done
-I: running --chrooted-customize-hook in shell: sh -c 'debian-repro-status'
-[+] apt amd64 3.0.2 GOOD
-[+] base-files amd64 13.8 GOOD
-[+] base-passwd amd64 3.6.7 GOOD
-[+] bash amd64 5.2.37-2+b3 GOOD
-[+] bsdutils amd64 1:2.41-5 GOOD
-[+] ca-certificates all 20250419 GOOD
-[+] coreutils amd64 9.7-3 GOOD
-[+] dash amd64 0.5.12-12 GOOD
-[+] debconf all 1.5.91 GOOD
-[+] debian-archive-keyring all 2025.1 GOOD
-[+] debian-repro-status amd64 0.3.1-2 GOOD
-[+] debianutils amd64 5.23.1 GOOD
-[+] diffutils amd64 1:3.10-4 GOOD
-[+] dpkg amd64 1.22.20 GOOD
-[+] findutils amd64 4.10.0-3 GOOD
-[+] gcc-14-base amd64 14.2.0-19 GOOD
-[+] grep amd64 3.11-4 GOOD
-[+] gzip amd64 1.13-1 GOOD
-[+] hostname amd64 3.25 GOOD
-[+] init-system-helpers all 1.68 GOOD
-[+] libacl1 amd64 2.3.2-2+b1 GOOD
-[+] libapt-pkg7.0 amd64 3.0.2 GOOD
-[+] libattr1 amd64 1:2.5.2-3 GOOD
-[+] libaudit-common all 1:4.0.2-2 GOOD
-[+] libaudit1 amd64 1:4.0.2-2+b2 GOOD
-[+] libblkid1 amd64 2.41-5 GOOD
-[+] libbz2-1.0 amd64 1.0.8-6 GOOD
-[+] libc-bin amd64 2.41-9 GOOD
-[+] libc6 amd64 2.41-9 GOOD
-[+] libcap-ng0 amd64 0.8.5-4+b1 GOOD
-[+] libcap2 amd64 1:2.75-8 GOOD
-[+] libcrypt1 amd64 1:4.4.38-1 GOOD
-[+] libdb5.3t64 amd64 5.3.28+dfsg2-9 GOOD
-[+] libdebconfclient0 amd64 0.278 GOOD
-[+] libgcc-s1 amd64 14.2.0-19 GOOD
-[+] libgmp10 amd64 2:6.3.0+dfsg-3 GOOD
-[+] libhogweed6t64 amd64 3.10.1-1 GOOD
-[+] liblastlog2-2 amd64 2.41-5 GOOD
-[+] liblz4-1 amd64 1.10.0-4 GOOD
-[+] liblzma5 amd64 5.8.1-1 GOOD
-[+] libmd0 amd64 1.1.0-2+b1 GOOD
-[+] libmount1 amd64 2.41-5 GOOD
-[+] libnettle8t64 amd64 3.10.1-1 GOOD
-[+] libpam-modules amd64 1.7.0-3 GOOD
-[+] libpam-modules-bin amd64 1.7.0-3 GOOD
-[+] libpam-runtime all 1.7.0-3 GOOD
-[+] libpam0g amd64 1.7.0-3 GOOD
-[+] libpcre2-8-0 amd64 10.45-1 GOOD
-[+] libseccomp2 amd64 2.6.0-2 GOOD
-[+] libselinux1 amd64 3.8.1-1 GOOD
-[+] libsmartcols1 amd64 2.41-5 GOOD
-[+] libsqlite3-0 amd64 3.46.1-6 GOOD
-[+] libssl3t64 amd64 3.5.0-2 GOOD
-[+] libstdc++6 amd64 14.2.0-19 GOOD
-[+] libsystemd0 amd64 257.6-1 GOOD
-[+] libtinfo6 amd64 6.5+20250216-2 GOOD
-[+] libudev1 amd64 257.6-1 GOOD
-[+] libuuid1 amd64 2.41-5 GOOD
-[+] libxxhash0 amd64 0.8.3-2 GOOD
-[+] libzstd1 amd64 1.5.7+dfsg-1 GOOD
-[+] mawk amd64 1.3.4.20250131-1 GOOD
-[+] ncurses-base all 6.5+20250216-2 GOOD
-[+] ncurses-bin amd64 6.5+20250216-2 GOOD
-[+] openssl amd64 3.5.0-2 GOOD
-[+] openssl-provider-legacy amd64 3.5.0-2 GOOD
-[+] perl-base amd64 5.40.1-3 GOOD
-[+] sed amd64 4.9-2 GOOD
-[+] sqv amd64 1.3.0-3 GOOD
-[+] sysvinit-utils amd64 3.14-4 GOOD
-[+] tar amd64 1.35+dfsg-3.1 GOOD
-[+] util-linux amd64 2.41-5 GOOD
-[+] zlib1g amd64 1:1.3.dfsg+really1.3.1-1+b1 GOOD
- INFO debian-repro-status > All packages have been reproduced!
- INFO debian-repro-status > Your system has 100.00% been reproduced.
-I: cleaning package lists and apt cache...
-done
-done
-I: removing tempdir /tmp/mmdebstrap.e6GeTY5SW4...
-I: success in 17.6105 seconds
-
-```
-
-* reproduce.debian.net: FIXME: Holger installed rebuilderd 0.24 from unstable on osuosl5 to make use of the new compression feature (added by Jarl Gullberg) for the database, which resulted in massive decrease of the sqlite databases:
- 79G -> 2.8G all/rebuilderd.db
- 84G -> 3.2G amd64/rebuilderd.db
- 75G -> 2.9G arm64/rebuilderd.db
- 45G -> 2.1G armel/rebuilderd.db
- 48G -> 2.2G armhf/rebuilderd.db
- 73G -> 2.8G i386/rebuilderd.db
- 72G -> 2.7G ppc64el/rebuilderd.db
- 45G -> 2.1G riscv64/rebuilderd.db
- or combined from 521G down to 20.8G! And while this is more or less an internal implementation detail of rebuilderd, this change a.) reduces the requirements to run a rebuilderd instance (for everyone) and b.) will allow us to add more suites to r.d.n. soon.
-
-Chris Riches:
- * [`rpm`](https://github.com/rpm-software-management/rpm/commit/bc0b94026bc5651435819043394cbe9a766a4fd5) (sort)
-
-* Bernhard M. Wiedemann
- * [`mp`](https://build.opensuse.org/request/show/1281890) (date+tar)
- * [`timescaledb`](https://build.opensuse.org/request/show/1282546) (uname -r)
- * [`qt6-datavis3d`](https://build.opensuse.org/request/show/1282734) (race)
- * [`qt6-declarative`](https://build.opensuse.org/request/show/1283382) (race)
- * [`qt6-sensors`](https://build.opensuse.org/request/show/1283386) (race)
- * [`qt6-virtualkeyboard`](https://build.opensuse.org/request/show/1283396) (race)
- * [`zoxide`](https://build.opensuse.org/request/show/1283367) (FTBFS-nocheck)
- * [`python-reportlab`](https://build.opensuse.org/request/show/1284762) (FTBFS-nocheck)
- * several issues with how rpmbuild expanded `%jobs` into the .src.rpm header:
- * [`suitesparse`](https://build.opensuse.org/request/show/1283654)
- * [`python-convertdate`](https://build.opensuse.org/request/show/1283764)
- * [`MozillaThunderbird`](https://build.opensuse.org/request/show/1283963)
- * [`firefox-esr`](https://build.opensuse.org/request/show/1283964)
- * [`webkit2gtk3`](https://build.opensuse.org/request/show/1283990)
- * [`gnome-keyring-sharp`](https://build.opensuse.org/request/show/1283991)
- * [`gtk2-engines`](https://build.opensuse.org/request/show/1284006)
- * [`gtk2-engine-cleanice`](https://build.opensuse.org/request/show/1284149)
- * [`mozc`](https://build.opensuse.org/request/show/1284192)
- * [`libreoffice`](https://build.opensuse.org/request/show/1284193)
- * [`libqt5-qtlocation`](https://build.opensuse.org/request/show/1284198)
- * [`edk2`](https://build.opensuse.org/request/show/1284200)
- * [`perl-XML-Entities`](https://build.opensuse.org/request/show/1284220)
- * [`perl-MooseX-Meta-TypeConstraint-ForceCoercion`](https://build.opensuse.org/request/show/1284221)
- * [`perl-Getopt-ArgvFile`](https://build.opensuse.org/request/show/1284223)
- * [`perl-DateTime-Calendar-Mayan`](https://build.opensuse.org/request/show/1284224)
- * [`gtk2-engine-aurora`](https://src.opensuse.org/lxde/gtk2-engine-aurora/pulls/1)
- * [`lxmenu-data`](https://src.opensuse.org/lxde/lxmenu-data/pulls/1)
- * [`luabind`](https://src.opensuse.org/lua/luabind/pulls/1)
- * [`chromium`](https://src.opensuse.org/chromium/chromium/pulls/1)
- * [`cmake`](https://build.opensuse.org/request/show/1283475)
- * [`perl`](https://build.opensuse.org/request/show/1284187) (%jobs, uname -r)
- * [`llvm20`](https://build.opensuse.org/request/show/1284969) (LTO, %jobs)
- * [`dpdk`](https://build.opensuse.org/request/show/1283587) (by Clemens random Sphinx doc)
- * [`nvidia-open-driver-G06-signed`](https://build.opensuse.org/request/show/1284004) (host+date)
- * [`pcre2`](https://build.opensuse.org/request/show/1284321) (PGO/unknown)
- * [`scummvm`](https://build.opensuse.org/request/show/1284696) (ASLR)
- * [`arandr`](https://build.opensuse.org/request/show/1286168) (gzip mtime (python))
- * [`latex2html`](https://build.opensuse.org/request/show/1287226) (nocheck-mtime)
- * [`perl-XML-LibXML`](https://build.opensuse.org/request/show/1288338) (nocheck-mtime)
- * [`rage-encryption`](https://build.opensuse.org/request/show/1285623) (random rust HashMap order = https://github.com/str4d/rage/issues/568 )
- * [`dpdk`](https://bugs.dpdk.org/show_bug.cgi?id=1718) (random)
- * [`obs`](https://github.com/openSUSE/obs-build/pull/1076) (product-composer toolchain tar)
- * [`ovmf`](https://bugzilla.suse.com/show_bug.cgi?id=1244218) (private bug)
- * [`eww`](https://github.com/elkowar/eww/issues/1334) (rust)
- * [`python313`](https://bugzilla.opensuse.org/show_bug.cgi?id=1244680) (nogil-base random)
- * [`gnucash`](https://bugs.gnucash.org/show_bug.cgi?id=799623) (FTBFS-2038)
- * [`curl`](https://github.com/curl/curl/pull/17665) (FTBFS-2036)
- * [`gramps`](https://github.com/gramps-project/gramps/pull/2081) (gzip mtime (python))
-
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/U55TFJTYPTDALD4NB7KV4SRFSLGGJKRV/)
-
-* Vagrant Cascadian updated *diffoscope* in [GNU Guix](https://guix.gnu.org/) to version 299 [[…](https://codeberg.org/guix/guix/pulls/561)][[…](https://codeberg.org/guix/guix/commit/0a5d93cdfed44937f3b97196ce4c2af1e58a1d61)] and 300 [[…](https://codeberg.org/guix/guix/pulls/886)][[…](https://codeberg.org/guix/guix/commit/dd7e39ccfdd23a388dfa6b7665de466691bc6cda)].
-
-* Vagrant Cascadian and will be presenting
-Never Mind the Checkboxes, Here's Reproducible Builds!
-https://2025.fossy.us/schedule/presentation/327/ at FOSSY this year.
-
-* Vagrant Cascadian and Chris Lamb will be tabling at FOSSY this year.
+[![]({{ "/images/reports/2025-06/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
+
+**Welcome to the 6th report from the [Reproducible Builds]({{ "/" | relative_url }}) project in 2025.** Our monthly reports outline what we've been up to over the past month, and highlight items of news from elsewhere in the increasingly-important area of software supply-chain security. If you are interested in contributing to the Reproducible Builds project, please see the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
+
+<!--
+
+**In this report:**
+
+0.
+
+-->
+
+---
+
+### [Reproducible Builds at FOSSY 2025](https://2025.fossy.us/schedule/presentation/327/)
+
+[![]({{ "/images/reports/2025-06/fossy2025.png#right" | relative_url }})](https://2025.fossy.us/)
+
+On Saturday 2nd August, Vagrant Cascadian and Chris Lamb will be presenting at this year's [FOSSY 2025](https://2025.fossy.us/). Their talk, titled [*Never Mind the Checkboxes, Here's Reproducible Builds!*](https://2025.fossy.us/schedule/presentation/327/), is being introduced as follows:
+
+> There are numerous policy compliance and regulatory processes being developed that target software development... but do they solve actual problems? Does it improve the quality of software? Do Software Bill of Materials (SBOMs) actually give you the information necessary to verify how a given software artifact was built? What is the goal of all these compliance checklists anyways... or more importantly, what *should* the goals be? If a software object is signed, who should be trusted to sign it, and can they be trusted ... forever?
+
+The talk will introduce the audience to Reproducible Builds as a set of best practices which allow users and developers to verify that software artifacts were built from the source code, but also allows auditing for license compliance, providing security benefits, and removes the need to trust arbitrary software vendors.
+
+Hosted by the [Software Freedom Conservancy](https://sfconservancy.org/) and taking place in Portland, Oregon, USA, FOSSY aims to be a community-focused event: "Whether you are a long time contributing member of a free software project, a recent graduate of a coding bootcamp or university, or just have an interest in the possibilities that free and open source software bring, FOSSY will have something for you". More information on the event is available [on the FOSSY 2025 website](https://2025.fossy.us/about/), including the [full programme schedule](https://2025.fossy.us/schedule/).
+
+Vagrant and Chris will also be staffing a table this year, where they will be available to answer any questions about Reproducible Builds and discuss collaborations with other projects.
+
+<br>
+
+---
+
+### Distribution work
+
+[![]({{ "/images/reports/2025-06/debian.png#right" | relative_url }})](https://debian.org/)
+
+In [**Debian**](https://debian.org/) this month:
+
+* Holger Levsen has discovered that it is now possible to bootstrap a minimal Debian *trixie* using 100% reproducible packages. This result can itself be reproduced, using the `debian-repro-status` tool and `mmdebstrap`'s support for hooks:
+
+ ```
+ $ mmdebstrap --variant=apt --include=debian-repro-status \
+ --chrooted-customize-hook=debian-repro-status \
+ trixie /dev/null 2>&1 | grep "Your system has"
+ INFO debian-repro-status > Your system has 100.00% been reproduced.
+ ```
+
+* On our [mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this month, Helmut Grohne wrote an extensive message raising an issue related to [*Uploads with conflicting buildinfo filenames*](https://lists.reproducible-builds.org/pipermail/rb-general/2025-June/003803.html):
+
+ > Having several `.buildinfo` files for the same architecture is something
+ > that we plausibly want to have eventually. Imagine running two sets of
+ > buildds and assembling a single upload containing buildinfo files from
+ > both buildds in the same upload. In a similar vein, as a developer I may
+ > want to supply several `.buildinfo` files with my source upload (e.g. for
+ > multiple architectures). Doing any of this is incompatible with current
+ > incoming processing and with `reprepro`.
+
+* 5 reviews of Debian packages were added, 4 were updated and 8 were removed this month adding to [our ever-growing knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
+
+<br>
+
+[![]({{ "/images/reports/2025-06/guix.png#right" | relative_url }})](https://guix.gnu.org/)
+
+In [**GNU Guix**](https://guix.gnu.org/), Timothee Mathieu reported that a long-standing issue with reproducibility of shell containers across different host operating systems has been solved. In their message, Timothee mentions:
+
+> I discovered that *pytorch* (and maybe other dependencies) has a reproducibility problem of order 1e-5 when on [AVX512](https://en.wikipedia.org/wiki/AVX-512) compared to [AVX2](https://en.wikipedia.org/wiki/Advanced_Vector_Extensions). I first tried to solve the problem by disabling AVX512 at the level of *pytorch*, but it did not work. The dev of *pytorch* said that it may be because some components dispatch computation to MKL-DNN, I tried to disable AVX512 on MKL, and still the results were not reproducible, I also tried to deactivate in openmpi without success. I finally concluded that there was a problem with AVX512 somewhere in the dependencies graph but I gave up identifying where, as this seems very complicated.
+
+<br>
+
+[![]({{ "/images/reports/2025-06/izzyondroid.png#right" | relative_url }})](https://apt.izzysoft.de/fdroid/)
+
+The [**IzzyOnDroid**](https://apt.izzysoft.de/fdroid/) Android APK repository made more progress in June. Not only have they just passed [48% reproducibility coverage](https://apt.izzysoft.de/fdroid), Ben started making their reproducible builds more visible, by offering [rbtlog shields](https://shields.rbtlog.dev/), a kind of badge that has been quickly picked up by many developers who are proud to present their applications' reproducibility status.
+
+<br>
+
+[![]({{ "/images/reports/2025-06/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
+
+Lastly, in [**openSUSE**](https://www.opensuse.org/) news, Bernhard M. Wiedemann posted another [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/U55TFJTYPTDALD4NB7KV4SRFSLGGJKRV/) for their work there.
+
+<br>
+
+### [*diffoscope*](https://diffoscope.org)
+
+[![]({{ "/images/reports/2025-06/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
+
+[diffoscope](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions `298`, `299` and `300` to Debian:
+
+* Add `python3-defusedxml` to the `Build-Depends` in order to include it in the Docker image. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f430bec0)]
+* Handle the RPM format's `HEADERSIGNATURES` and `HEADERIMMUTABLE` as a special-case to avoid unnecessarily large diffs. Thanks to Daniel Duan for the report and suggestion. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/1e9f288d)][[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/5c93c759)]
+* Update copyright years. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/ec0d9315)]
+
+In addition, [@puer-robustus](https://salsa.debian.org/puer-robustus) fixed a regression [introduced in an earlier commit](https://salsa.debian.org/puer-robustus/diffoscope/-/commit/5b187ad563526412fb5a5b328464f13047a49eff) which resulted in some differences being lost. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c8426f05)][[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0c2b31a4)]
+
+Lastly, Vagrant Cascadian updated *diffoscope* in [GNU Guix](https://guix.gnu.org/) to version 299 [[…](https://codeberg.org/guix/guix/pulls/561)][[…](https://codeberg.org/guix/guix/commit/0a5d93cdfed44937f3b97196ce4c2af1e58a1d61)] and 300 [[…](https://codeberg.org/guix/guix/pulls/886)][[…](https://codeberg.org/guix/guix/commit/dd7e39ccfdd23a388dfa6b7665de466691bc6cda)].
+
+<br>
+
+### Website updates
+
+[![]({{ "/images/reports/2025-06/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+Once again, there were a number of improvements made to our website this month including:
+
+* Arnaud Brousseau added [Stageˣ](https://stagex.tools/), a new Linux distribution, to our [*Tools*]({{ "/tools/" | relative_url }}) page.
+
+* Chris Lamb improved the `docker` instructions on the [*diffoscope* website](https://diffoscope.org/). [[…](https://salsa.debian.org/reproducible-builds/diffoscope-website/commit/fee0467)]
+
+---
+
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
+
+* Chris Riches:
+
+ * [`rpm`](https://github.com/rpm-software-management/rpm/commit/bc0b94026bc5651435819043394cbe9a766a4fd5)
+
+* Bernhard M. Wiedemann:
+
+ * [`arandr`](https://build.opensuse.org/request/show/1286168), [`curl`](https://github.com/curl/curl/pull/17665), [`dpdk`](https://bugs.dpdk.org/show_bug.cgi?id=1718), [`dpdk`](https://build.opensuse.org/request/show/1283587), [`eww`](https://github.com/elkowar/eww/issues/1334), [`gnucash`](https://bugs.gnucash.org/show_bug.cgi?id=799623), [`gramps`](https://github.com/gramps-project/gramps/pull/2081), [`latex2html`](https://build.opensuse.org/request/show/1287226), [`llvm20`](https://build.opensuse.org/request/show/1284969), [`mp`](https://build.opensuse.org/request/show/1281890), [`nvidia-open-driver-G06-signed`](https://build.opensuse.org/request/show/1284004), [`obs`](https://github.com/openSUSE/obs-build/pull/1076), [`ovmf`](https://bugzilla.suse.com/show_bug.cgi?id=1244218), [`pcre2`](https://build.opensuse.org/request/show/1284321), [`perl-XML-LibXML`](https://build.opensuse.org/request/show/1288338), [`perl`](https://build.opensuse.org/request/show/1284187), [`python-reportlab`](https://build.opensuse.org/request/show/1284762), [`python313`](https://bugzilla.opensuse.org/show_bug.cgi?id=1244680), [`qt6-datavis3d`](https://build.opensuse.org/request/show/1282734), [`qt6-declarative`](https://build.opensuse.org/request/show/1283382), [`qt6-sensors`](https://build.opensuse.org/request/show/1283386), [`qt6-virtualkeyboard`](https://build.opensuse.org/request/show/1283396), [`rage-encryption`](https://build.opensuse.org/request/show/1285623), [`scummvm`](https://build.opensuse.org/request/show/1284696), [`timescaledb`](https://build.opensuse.org/request/show/1282546) & [`zoxide`](https://build.opensuse.org/request/show/1283367).
+ * Plus several issues with how `rpmbuild` expands the `%jobs` variable in the `.src.rpm` header, including: [`chromium`](https://src.opensuse.org/chromium/chromium/pulls/1), [`cmake`](https://build.opensuse.org/request/show/1283475), [`edk2`](https://build.opensuse.org/request/show/1284200), [`firefox-esr`](https://build.opensuse.org/request/show/1283964), [`gnome-keyring-sharp`](https://build.opensuse.org/request/show/1283991), [`gtk2-engine-aurora`](https://src.opensuse.org/lxde/gtk2-engine-aurora/pulls/1), [`gtk2-engine-cleanice`](https://build.opensuse.org/request/show/1284149), [`gtk2-engines`](https://build.opensuse.org/request/show/1284006), [`libqt5-qtlocation`](https://build.opensuse.org/request/show/1284198), [`libreoffice`](https://build.opensuse.org/request/show/1284193), [`luabind`](https://src.opensuse.org/lua/luabind/pulls/1), [`lxmenu-data`](https://src.opensuse.org/lxde/lxmenu-data/pulls/1), [`mozc`](https://build.opensuse.org/request/show/1284192), [`MozillaThunderbird`](https://build.opensuse.org/request/show/1283963), [`perl-DateTime-Calendar-Mayan`](https://build.opensuse.org/request/show/1284224), [`perl-Getopt-ArgvFile`](https://build.opensuse.org/request/show/1284223), [`perl-MooseX-Meta-TypeConstraint-ForceCoercion`](https://build.opensuse.org/request/show/1284221), [`perl-XML-Entities`](https://build.opensuse.org/request/show/1284220), [`python-convertdate`](https://build.opensuse.org/request/show/1283764), [`suitesparse`](https://build.opensuse.org/request/show/1283654) & [`webkit2gtk3`](https://build.opensuse.org/request/show/1283990)
+
+* Robin Candau:
+
+ * [`gramps`](https://github.com/gramps-project/gramps/pull/2078) (use `SOURCE_DATE_EPOCH` when compressing man pages)
+
+* Chris Lamb:
+
+ * [#1108273](https://bugs.debian.org/1108273) filed against [`tree-puzzle`](https://tracker.debian.org/pkg/tree-puzzle).
+ * [#1108281](https://bugs.debian.org/1108281) filed against [`cctools`](https://tracker.debian.org/pkg/cctools).
+ * [#1108532](https://bugs.debian.org/1108532) filed against [`python-django-import-export`](https://tracker.debian.org/pkg/python-django-import-export).
+
+<br>
+
+--
+
+### Reproducibility testing framework
+
+[![]({{ "/images/reports/2025-06/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project operates a comprehensive testing framework running primarily at [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In June, however, a number of changes were made by Holger Levsen, including:
+
+<br>
+
+* [*reproduce.debian.net*](https://reproduce.debian.net)-related:
+
+ * Installed and deployed *rebuilderd* version 0.24 from Debian *unstable* in order to make use of the new compression feature added by Jarl Gullberg for the database. This resulted in massive decrease of the [SQLite](https://www.sqlite.org/) databases:
+
+ * 79G → 2.8G (`all`)
+ * 84G → 3.2G (`amd64`)
+ * 75G → 2.9G (`arm64`)
+ * 45G → 2.1G (`armel`)
+ * 48G → 2.2G (`armhf`)
+ * 73G → 2.8G (`i386`)
+ * 72G → 2.7G (`ppc64el`)
+ * 45G → 2.1G (`riscv64`)
+
+ … for a combined saving from 521G → 20.8G. This naturally reduces the requirements to run an independent *rebuilderd* instance and will permit us to add more Debian suites as well.
+
+ * During migration to the latest version of *rebuilderd*, make sure several services are not started. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/25bab2166)]
+ * Actually run *rebuilderd* from `/usr/bin`. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/2176ebbd2)]
+ * Raise temperatures for NVME devices on some `riscv64` nodes that should be ignored. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/bd5ff0280)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/dfd191024)]
+ * Use a 64KB kernel page size on the `ppc64el` architecture (see [#1106757](https://bugs.debian.org/1106757)). [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a42f1a078)]
+ * Improve ordering of some "failed to reproduce" statistics. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f45c1e40f)]
+ * Detect a number of potential causes of build failures within the statistics. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/67e7b1084)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/87246a8ad)]
+ * Add support for manually scheduling for the `any` architecture. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/661fa05e6)]
+
+* Misc:
+
+ * Update the [Codethink](https://www.codethink.co.uk/) nodes as there are now many kernels installed. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/06f4ef6fa)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/cb29e917f)]
+ * Install `linux-sysctl-defaults` on Debian *trixie* systems as we need `ping` functionality. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0dfc74251)]
+ * Limit the `fs.nr_open` kernel turnable. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0fae0daf0)]
+ * Stop submitting results to deprecated *buildinfo.debian.net* service. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/1c8c0361c)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/ef7e702cf)]
+
+In addition, Jochen Sprickerhof greatly improved the statistics and the logging functionality, including adopting to the new database format of *rebuilderd* version 0.24.0 [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/9fd922a3a)] and temporarily increasing maximum log size in order to debug a nettlesome build [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/c61c40cc8)]. Jochen also dropped the `CPUSchedulingPolicy=idle` *systemd* flag on the workers. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/54d37b5ef)]
+
+<br>
+<br>
+
+Finally, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
+
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
+
=====================================
images/reports/2025-06/debian.png
=====================================
Binary files /dev/null and b/images/reports/2025-06/debian.png differ
=====================================
images/reports/2025-06/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2025-06/diffoscope.png differ
=====================================
images/reports/2025-06/fdroid.png
=====================================
Binary files /dev/null and b/images/reports/2025-06/fdroid.png differ
=====================================
images/reports/2025-06/fossy2025.png
=====================================
Binary files /dev/null and b/images/reports/2025-06/fossy2025.png differ
=====================================
images/reports/2025-06/guix.png
=====================================
Binary files /dev/null and b/images/reports/2025-06/guix.png differ
=====================================
images/reports/2025-06/izzyondroid.png
=====================================
Binary files /dev/null and b/images/reports/2025-06/izzyondroid.png differ
=====================================
images/reports/2025-06/nixos.png
=====================================
Binary files /dev/null and b/images/reports/2025-06/nixos.png differ
=====================================
images/reports/2025-06/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2025-06/opensuse.png differ
=====================================
images/reports/2025-06/reproduce.png
=====================================
Binary files /dev/null and b/images/reports/2025-06/reproduce.png differ
=====================================
images/reports/2025-06/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2025-06/reproducible-builds.png differ
=====================================
images/reports/2025-06/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2025-06/testframework.png differ
=====================================
images/reports/2025-06/website.png
=====================================
Binary files /dev/null and b/images/reports/2025-06/website.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/4d50d2bfc4a38eb2b0f656128e74987b30a6f1db
--
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/4d50d2bfc4a38eb2b0f656128e74987b30a6f1db
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20250710/2e08c602/attachment.htm>
More information about the rb-commits
mailing list