[Git][reproducible-builds/reproducible-website][master] 2025-05: Initial draft
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Wed Jun 4 21:03:29 UTC 2025
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
db46c3aa by Chris Lamb at 2025-06-04T14:02:54-07:00
2025-05: Initial draft
- - - - -
21 changed files:
- _reports/2025-05.md
- + images/reports/2025-05/SRL-reproducible_builds-baseline_assurance-report-final.png
- − images/reports/2025-05/bookworm_stats_pkg_state.png
- − images/reports/2025-05/bullseye_stats_pkg_state.png
- − images/reports/2025-05/buster_stats_pkg_state.png
- + images/reports/2025-05/debian.png
- + images/reports/2025-05/diffoscope.png
- − images/reports/2025-05/experimental_stats_pkg_state.png
- + images/reports/2025-05/fdroid.png
- + images/reports/2025-05/nixos.png
- + images/reports/2025-05/opensuse.png
- + images/reports/2025-05/paper-2503.21705.png
- + images/reports/2025-05/paper-2505.02521.png
- + images/reports/2025-05/reproduce.png
- + images/reports/2025-05/reproducible-builds.png
- − images/reports/2025-05/stats_builds_per_day_i386.png
- − images/reports/2025-05/stretch_stats_pkg_state.png
- + images/reports/2025-05/testframework.png
- − images/reports/2025-05/trixie_stats_pkg_state.png
- − images/reports/2025-05/unstable_stats_pkg_state.png
- + images/reports/2025-05/website.png
Changes:
=====================================
_reports/2025-05.md
=====================================
@@ -6,32 +6,210 @@ title: "Reproducible Builds in May 2025"
draft: true
---
-* [FIXME](https://combinatorialpress.com/article/jcmcc/Volume%20127/127bp2/Optimizing%20Software%20Supply%20Chain%20Vulnerability%20Mining%20and%20Remediation%20Paths%20Using%20Deep%20Learning%20Techniques.pdf)
+[](https://reproducible-builds.org/)
-* [FIXME](https://arxiv.org/pdf/2504.21679)
+**Welcome to our 5th report from the [Reproducible Builds]({{ "/" | relative_url }}) project in 2025!** Our monthly reports outline what we've been up to over the past month, and highlight items of news from elsewhere in the increasingly-important area of software supply-chain security. Lastly, if you are interested in contributing to the Reproducible Builds project, please do visit the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
-* [FIXME](https://bugs.debian.org/1104854)
+<!--
-* [FIXME](https://arxiv.org/pdf/2505.02521)
+**Table of contents:**
-* [FIXME](https://www.opentech.fund/security-safety-audits/reproducible-builds-security-audit/)
+FIXME
-* [FIXME](https://github.com/libarchive/libarchive/pull/2601)
+-->
-* [FIXME](https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/1291)
+---
+
+### Security audit of Reproducible Builds tools published
+
+[](https://www.opentech.fund/security-safety-audits/reproducible-builds-security-audit/)
+
+The [Open Technology Fund](https://www.opentech.fund/)'s (OTF) security partner [Security Research Labs](https://www.srlabs.de/) recently an conducted audit of some specific parts of tools developed by Reproducible Builds. This form of security audit, sometimes called a "whitebox" audit, is a form testing in which auditors have complete knowledge of the item being tested. They auditors assessed the various codebases for resilience against hacking, with key areas including differential report formats in [*diffoscope*](https://diffoscope.org/), common client web attacks, command injection, privilege management, hidden modifications in the build process and attack vectors that might enable denials of service.
+
+The audit focused on three core Reproducible Builds tools: [*diffoscope*](https://diffoscope.org/), a Python application that unpacks archives of files and directories and transforms their binary formats into human-readable form in order to compare them; *strip-nondeterminism*, a Perl program that improves reproducibility by stripping out non-deterministic information such as timestamps or other elements introduced during packaging; and *reprotest*, a Python application that builds source code multiple times in various environments in order to to test reproducibility.
+
+[OTF's announcement](https://www.opentech.fund/security-safety-audits/reproducible-builds-security-audit/) contains more of an overview of the audit, and [the full 24-page report](https://www.opentech.fund/wp-content/uploads/2025/05/SRL-reproducible_builds-baseline_assurance-report-final.pdf) is available in PDF form as well.
+
+<br>
+
+### "[*When good pseudorandom numbers go bad*](https://blog.djnavarro.net/posts/2025-05-18_multivariate-normal-sampling-floating-point/)"
+
+[Danielle Navarro](https://djnavarro.net/) published an interesting and amusing article on their blog on [*When good pseudorandom numbers go bad*](https://blog.djnavarro.net/posts/2025-05-18_multivariate-normal-sampling-floating-point/). Danielle sets the stage as follows:
+
+> [Colleagues] approached me to talk about a reproducibility issue they'd been having with some [R](https://www.r-project.org/) code. They'd been running simulations that rely on generating samples from a multivariate normal distribution, and despite doing the prudent thing and using [`set.seed()`](https://www.rdocumentation.org/packages/simEd/versions/2.0.1/topics/set.seed) to control the state of the random number generator (RNG), the results were not computationally reproducible. The same code, executed on different machines, would produce different random numbers. *The numbers weren't "just a little bit different" in the way that we've all wearily learned to expect when you try to force computers to do mathematics. They were painfully, brutally, catastrophically, irreproducible different. Somewhere, somehow, something broke.*
+
+Thanks to David Wheeler for [posting about this article](https://lists.reproducible-builds.org/pipermail/rb-general/2025-May/003795.html) on [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/)
+
+<br>
+
+### Academic articles
+
+There were two scholarly articles published this month that related to reproducibility:
+
+[](https://arxiv.org/abs/2505.02521)
+
+Daniel Hugenroth and Alastair R. Beresford of the [University of Cambridge](https://www.cam.ac.uk/) in the United Kingdom and Mario Lins and René Mayrhofer of [Johannes Kepler University](https://www.jku.at/en) in Linz, Austria published an article titled [*Attestable builds: compiling verifiable binaries on untrusted systems using trusted execution environments*](https://arxiv.org/abs/2505.02521). In their paper, they:
+
+> present attestable builds, a new paradigm to provide strong source-to-binary correspondence in software artifacts. We tackle the challenge of opaque build pipelines that disconnect the trust between source code, which can be understood and audited, and the final binary artifact, which is difficult to inspect. **Our system uses modern trusted execution environments (TEEs) and sandboxed build containers to provide strong guarantees that a given artifact was correctly built from a specific source code snapshot.** As such it complements existing approaches like reproducible builds which typically require time-intensive modifications to existing build configurations and dependencies, and require independent parties to continuously build and verify artifacts.
+
+The authors compare "attestable builds" with reproducible builds by noting an attestable build requires "only minimal changes to an existing project, and offers nearly instantaneous verification of the correspondence between a given binary and the source code and build pipeline used to construct it", and proceed by determining that t"he overhead (42 seconds start-up latency and 14% increase in build duration) is small in comparison to the overall build time."
+
+<br>
+
+[](https://arxiv.org/abs/2503.21705)
+
+Timo Pohl, Pavel Novák, Marc Ohm and Michael Meier have published a paper called [*Towards Reproducibility for Software Packages in Scripting Language Ecosystems*](https://arxiv.org/abs/2503.21705). The authors note that past research into Reproducible Builds has focused primarily on compiled languages and their ecosystems, with a further emphasis on Linux distribution packages:
+
+> However, the popular scripting language ecosystems potentially face unique issues given the systematic difference in distributed artifacts. This [Systemization of Knowledge ](https://www.jsys.org/type_SoK/) (SoK) [paper] provides an overview of existing research, aiming to highlight future directions, as well as chances to transfer existing knowledge from compiled language ecosystems. To that end, we work out key aspects in current research, systematize identified challenges for software reproducibility, and map them between the ecosystems.
+
+Ultimately, the three authors find that the literature is "sparse", focusing on few individual problems and ecosystems, and therefore identify space for more critical research.
+
+<br>
+
+### Distribution work
+
+[](https://debian.org/)
+
+In **Debian** this month:
+
+* Ian Jackson [filed a bug against the `debian-policy` package](https://bugs.debian.org/1104854) in order to delve into an issue affecting Debian's support for [cross-architecture compilation](https://wiki.debian.org/CrossCompiling), [multiple-architecture systems](https://wiki.debian.org/CategoryMultiarch), reproducible builds' [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}") environment variable and the ability to recompile already-uploaded packages to Debian with a new/updated toolchain ([binNMUs](https://wiki.debian.org/binNMU)). Ian identifies a specific case, specifically in the `libopts25-dev` package, involving a manual page that had interesting downstream effects, potentially affecting backup systems. The bug generated a large number of replies, some of which have references to similar or overlapping issues, [such as this one from 2016/2017](https://bugs.debian.org/843773#132).
+
+* Chris Hofstaedtler filed a bug against the [*metasnap.debian.net*](http://metasnap.debian.net/) service to note that [some packages are not available in *metasnap* API](https://salsa.debian.org/metasnap-team/metasnap/-/issues/4).
+
+* 22 reviews of Debian packages were added, 24 were updated and 11 were removed this month, all adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
+
+<br>
+
+[](https://f-droid.org)
+
+Hans-Christoph Steiner of the [**F-Droid**](https://f-droid.org/en/) catalogue of open source applications for the Android platform published a blog post on [*Making reproducible builds visible*](https://f-droid.org/2025/05/21/making-reproducible-builds-visible.html). Noting that "Reproducible builds are essential in order to have trustworthy software", Hans also mentions that "[F-Droid has been delivering reproducible builds since 2015](https://f-droid.org/en/2015/02/11/complete-reproducible-app-distribution-achieved.html)". However:
+
+> There is now a "[Reproducibility Status](https://verification.f-droid.org/packages/com.nextcloud.client/)" link for each app on `f-droid.org`, listed on every app’s page. Our verification server shows ✔️️ or 💔 based on its build results, where ✔️️ means our rebuilder reproduced the same APK file and 💔 means it did not. The [*IzzyOnDroid*](https://apt.izzysoft.de/fdroid/) repository has developed a more elaborate system of badges which displays a ✅ for each rebuilder. Additionally, there is a sketch of a five-level graph to represent some aspects about which processes were run.
+
+Hans compares the approach with projects such as [Arch Linux](https://archlinux.org/) and [Debian](https://debian.org/) that "provide developer-facing tools to give feedback about reproducible builds, but do not display information about reproducible builds in the user-facing interfaces like the package management GUIs."
+
+<br>
+
+[](https://nixos.org/)
+
+[Arnout Engelen](https://engelen.eu/) of the [**NixOS**](https://nixos.org/) project has been working on [reproducing the minimal installation ISO image](https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756/11). This month, Arnout has managed to reproduce the minimal image again and that "some of the workarounds above are no longer needed, so the process has become simpler" as well.
+
+<br>
+
+[](https://www.opensuse.org/)
+
+Lastly, in [**openSUSE**](https://www.opensuse.org/) news, Bernhard M. Wiedemann posted another [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/KNEXPQPSII46VM3C62LFZ3ODK6OZPXPL/) for their work there.
+
+<br>
+
+
+### [*diffoscope*](https://diffoscope.org) & *disorderfs*
+
+[](https://diffoscope.org/)
+
+[diffoscope](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions `295`, `296` and `297` to Debian:
+
+* Don't rely on zipdetails' `--walk` argument being available, and only add that argument on newer versions after we test for that. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/b1b0d849)]
+* Review and merge support for [NuGet](https://www.nuget.org/) packages from Omair Majid. [[…](https://salsa.debian.org/omajid/diffoscope/commit/09abd4cddbebdf0f2310c47dc562826e44f18088)]
+* Update copyright years. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/5832cba9)]
+* Merge support for an `lzma` comparator from Will Hollywood. [[…](https://salsa.debian.org/omajid/diffoscope/commit/bf04ad9a251b8769270151497e5d0b0c879064d4)][[…](https://salsa.debian.org/omajid/diffoscope/commit/f94b754afdee4a7be6de657fa5717c399f600681)]
+
+Chris also merged an impressive changeset from [Siva Mahadevan](https://svmhdvn.name/) to make *disorders* more portable, especially on [FreeBSD](https://www.freebsd.org/). *disorderfs* is our [FUSE](https://en.wikipedia.org/wiki/Filesystem_in_Userspace)-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues [[…](https://salsa.debian.org/reproducible-builds/disorderfs/commit/c04c8f4)]. This was then uploaded to Debian as version `0.6.0-1`.
+
+Lastly, Vagrant Cascadian updated *diffoscope* in [GNU Guix](https://guix.gnu.org/) to version 296 [[…](https://debbugs.gnu.org/78460)][[…](https://codeberg.org/guix/guix/commit/470ad82bfaf3403bd6fc31ccd52b04027c6b8eeb)] and 297 [[…](https://codeberg.org/guix/guix/pulls/358)][[…](https://codeberg.org/guix/guix/commit/8b8b0c2e8d7f99036c56328a5f0a59394a3eddc3)], and *disorderfs* to version 0.6.0 [[…](https://debbugs.gnu.org/78515)][[…](https://codeberg.org/guix/guix/commit/6181d7cc8a620153bd48b3dba42c59636b4da259)].
+
+<br>
-* [FIXME](https://f-droid.org/2025/05/21/making-reproducible-builds-visible.html)
+### Website updates
-* FIXME various changes to the jenkins setup, which is the backend to both https://tests.reproducible-builds.org/ and https://reproduce.debian.net
- * migrated the central jenkins.debian.net server since 2012 generously hosted by [IONOS](https://ionos.com) from AMD Opteron to Intel Haswell CPUs, for now with currently 136 GB memory instead of 160 GB before.
- * dropped i386 from https://tests.reproducible-builds.org/ after 9 years since we began testing i386 in spring 2016. This is because starting with the upcoming trixie release, i386 is no longer supported as a regular architecture: there is no official kernel and no Debian installer for i386 systems. Also https://i386.reproduce.debian.net does verify what Debian actually still distributes for i386.
- * as such, we could also shutdown ionos(2|12|6|16)-i386.debian.net which had been hosted at [IONOS](https://ionos.com) as well.
- * infom(07|08)-i386.debian.net, generously hosted by [infomaniak|https://infomaniak.com], have been re-setup as infom(07|08)-amd64.debian.net, while their purpose, verifying packages for https://i386.reproduce.debian.net stayed the same.
- * ionos17-amd64.debian.net, used for verifying packages for https://all.reproduce.debian.net and also hosted at [IONOS](https://ionos.com) had it's memory increased from 40 to 64GB and the number of cores doubled to 32.
- * osuosl(6|7)-ppc64el.debian.net, generously hosted by [OSUOSL](https://osuosl.org/services/powerdev/) and verifying packages for https://ppc64el.reproduce.debian.net had their memory doubled to 16GB.
- * we got access to more riscv64 boards, now we have riscv64-(01|02|04|06|07|33|34.debian.net all with 16GB memory and 4 cores, but not all running a mainline kernel, all verifying packages for https://riscv64.reproduce.debian.net. Many thanks to [PLCT Lab, ISCAS](https://plctlab.org/en/) for providing those!
+[]({{ "/" | relative_url }})
-* FIXME: i386 stats from https://tests.reproducible-builds.org/debian/ was shutdown on 20250523
+Once again, there were a number of improvements made to our website this month including:
+
+* Chris Lamb:
+
+ * Merged four or five suggestions from Guillem Jover for the [GNU Autotools](https://en.wikipedia.org/wiki/GNU_Autotools) examples on the [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}) example page [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f4d56cdb)]
+ * Incorporated a number of fixes for the JavaScript `SOURCE_DATE_EPOCH` snippet from Sebastian Davis, which did not handle non-integer values correctly. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0a41c934)]
+
+* David A. Wheeler:
+
+ * Fix an apostrophe in the `README.md` file. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/043d4752)]
+
+* Hans-Christoph Steiner:
+
+ * Add the [F-Droid](https://f-droid.org/) "[Verification Server](https://f-droid.org/docs/Verification_Server/) to the [*Tools*]({{ "/tools/" | relative_url }}") page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/558a1cb2)]
+ * Add the [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/) as the website's root `LICENSE` file. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/eba4d798)]
+ * Updated the [*Recording the build environment*]({{ "/docs/recording/" | relative_url }}) page to add a section pertaining to how [F-Droid](https://f-droid.org) handles this. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/51c13c02)]
+
+* Jochen Sprickerhof:
+
+ * Add Chris Hofstaedtler to the [*Who is involved?*]({{ "/who/people/" | relative_url }}) page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e7bc1608)]
+
+* Sebastian Davids:
+
+ * Fix the [CoffeeScript](https://coffeescript.org/) example on the [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}) page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/35b120b7)]
+ * Remove the JavaScript example that uses a 'fixed' timezone on the [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}) page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1e62a6b4)]
+
+<br>
+
+### Reproducibility testing framework
+
+[](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project operates a comprehensive testing framework running primarily at [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility.
+
+However, Holger Levsen posted to [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month in order to bring a wider awareness to funding issues faced by the [Oregon State University](https://oregonstate.edu/) (OSU) [Open Source Lab](https://osuosl.org/) (OSL). As mentioned on [OSL's public post](https://osuosl.org/blog/osl-future/), "recent changes in university funding makes our current funding model no longer sustainable [and that] unless we secure $250,000 in committed funds, the OSL will shut down later this year". As Holger notes [in his post to our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/2025-May/003768.html), the Reproducible Builds project relies on hardware nodes hosted there. Nevertheless, Lance Albertson of OSL posted an [update to the funding situation later in the month](https://osuosl.org/blog/osl-future-update/) with broadly positive news.
+
+<br>
+
+Separate to this, there were various changes to the [Jenkins](https://www.jenkins.io/) setup this month, which is used as the backend driver of for both [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org/) and [*reproduce.debian.net*](https://reproduce.debian.net), including:
+
+* Migrating the central `jenkins.debian.net` server AMD Opteron to Intel Haswell CPUs. Thanks to [IONOS](https://ionos.com) for hosting this server since 2012.
+* After testing it for almost ten years, the `i386` architecture has been dropped from [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org/). This is because that, with the upcoming release of Debian *trixie*, `i386` is no longer supported as a 'regular' architecture — there will be no official kernel and no Debian installer for `i386` systems. As a result, a large number of nodes hosted by [Infomaniak](https://infomaniak.com) have been retooled from `i386` to `amd64`.
+* Another node, `ionos17-amd64.debian.net`, which is used for verifying packages for [*all.reproduce.debian.net*](https://all.reproduce.debian.net) (hosted by [IONOS](https://ionos.com)) has had its memory increased from 40 to 64GB, and the number of cores doubled to 32 as well. In addition, two nodes generously hosted by [OSUOSL](https://osuosl.org/services/powerdev/) have had their memory doubled to 16GB.
+* Lastly, we have been granted access to more `riscv64` architecture boards, so now we have seven such nodes, all with 16GB memory and 4 cores that are verifying packages for [*riscv64.reproduce.debian.net*](https://riscv64.reproduce.debian.net). Many thanks to [PLCT Lab, ISCAS](https://plctlab.org/en/) for providing those.
+
+<br>
+
+Outside of this, a number of smaller changes were also made by Holger Levsen:
+
+* [*reproduce.debian.net*](https://reproduce.debian.net)-related:
+
+ * Only use two workers for the `ppc64el` architecture due to RAM size. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/b960005b8)]
+ * Monitor `nginx_request` and `nginx_status` with the [Munin](https://munin-monitoring.org/) monitoring system. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/7054da94c)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a0caceb95)]
+ * Detect various variants of network and memory errors. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/ea8d2da1e)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/10aa2d9af)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/2bc01ea5c)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/b034b781e)]
+ * Add a prominent link to [*reproducible-builds.org*](https://reproducible-builds.org). [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e01be8f40)]
+ * Add a `rebuilderd-cache-cleanup.service` and run it daily via timer. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/5495a4c8e)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/79fd109a9)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f56bda2f5)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/24f6ff022)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/6bf9ac32d)]
+ * Be more verbose what sources are being downloaded. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/d0e38b306)]
+ * Correctly deal with packages with an epoch in their version [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/c66113ce0)] and deal with [binNMUs](https://wiki.debian.org/binNMU) versions with an epoch as well [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/2a3d2fd65)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/d0a635d61)].
+ * Document how to reschedule all other errors on all archs. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/d4734534e)]
+ * Misc documentation improvements. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/1f7e1def9)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/7058a8027)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/c7d3bb1dc)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/04b83e66f)]
+ * Include the `$HOSTNAME` variable in the *rebuilderd* logfiles. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0acb6b31a)]
+ * Install the `equivs` package on all worker nodes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a05fe0b5a)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a5b9489a1)]
+
+* Jenkins nodes:
+
+ * Permit the `sudo` tool to fix up permission issues. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/2fc414e2b)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/6d7077306)]
+ * Document how to manage diskspace with [OpenStack](https://www.openstack.org/). [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/61c8c260d)]
+ * Ignore a number of spurious monitoring errors on `riscv64`, FreeBSD, etc.. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/927a0a68e)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/58b606ec3)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/7cf00b4f3)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/551632968)]
+ * Install `ntpsec-ntpdate` (instead of `ntpdate`) as the former is available on Debian *trixie* and *bookworm*. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/9fc56dcc2)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/8e137a299)]
+ * Use the same [SSH `ControlPath`](https://man.openbsd.org/ssh_config) for all nodes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f122ae170)]
+ * Make sure the `munin` user uses the same SSH config as the `jenkins` user. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/3aab14aa7)]
+
+* [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org/)-related:
+
+ * Disable testing of the `i386` architecture. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/ada4d4153)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/7f2837389)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/56e6e6cff)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e44940bf0)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a94e996d6)]
+ * Document the current disk usage. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/9279052e0)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/257f9b879)]
+ * Address some image placement now that we only test three architectures. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e7513ffcf)]
+ * Keep track of build performance. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/4428f6d52)]
+
+* Misc:
+
+ * Fix a (harmless) typo in the `multiarch_versionskew` script. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/43926e0b2)]
+
+<!--
+
+<lamby> Holger, I need some more context on what the below is
suite all source packages reproducible icon reproducible packages FTBR icon unreproducible packages FTBFS icon packages failing to build timeout icon packages timing out depwait icon packages in depwait state not_for_us icon not for this architecture blacklisted icon blacklisted
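Review bot: Two of the added Liquid links carry a stray `"` after the closing braces: the Debian item about the `debian-policy` bug (`{{ "/docs/source-date-epoch/" | relative_url }}")`) and the F-Droid "Verification Server" item (`{{ "/tools/" | relative_url }}")`). The other `relative_url` links in this hunk close with `}})`, so drop the extra quote to keep it out of the link target. The same F-Droid item also opens a `"` before `[Verification Server]` that is never closed. In the academic section, "the three authors" follows a sentence that names four (Timo Pohl, Pavel Novák, Marc Ohm and Michael Meier), and the attestable-builds paragraph has a misplaced quote in `t"he overhead`. Two names need checking: *disorders* in the Siva Mahadevan paragraph is presumably *disorderfs*, and "Sebastian Davis" under Chris Lamb's website items does not match the "Sebastian Davids" entry further down. Smaller wording slips to fix before `draft: true` is dropped: "recently an conducted audit", "a form testing", "They auditors", "in order to to test", "backend driver of for both", "server AMD Opteron to" (missing "from"), "This is because that" and "etc..".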
@@ -62,66 +240,54 @@ stretch/i386 24719 22488 / 91.0% 1985 / 8.0% 130 / 0.5% 7 / 0.0% 32 / 0.1% 76 /
images/reports/2025-05/stretch_stats_pkg_state.png
images/reports/2025-05/
-* [FIXME: $pkg not available in metasnap API](https://salsa.debian.org/metasnap-team/metasnap/-/issues/4)
-* [FIXME](https://arxiv.org/abs/2503.21705)
+-->
+
+In addition, Jochen Sprickerhof made a series of changes related to [*reproduce.debian.net*](https://reproduce.debian.net):
-* FIXME: <raboof> I was able to reproduce the minimal NixOS installation ISO again, meaning building from 'source packages', though probably in a couple of cases those will still be using an upstream binary: https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756/11 \o/
+* Add out of memory detection to the statistics page. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/acf4ea9c8)]
+* Reverse the sorting order on the statistics page. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/c134bf90a)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/eaa0ec619)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e9d726d80)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/b38ac0884)]
+* Improve the spacing between statistics groups. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/b320ded2a)]
+* Update a (hard-coded) line number in error message detection pertaining to a `debrebuild` line number. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/265a5fb4e)]
+* Support Debian *unstable* in the `rebuilder-debian.sh` script. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/ed578f44e)][…](https://salsa.debian.org/qa/jenkins.debian.net/commit/7701c372e)]
+* Rely on `rebuildctl` to sync only 'arch-specific' packages. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/49ef8041e)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/eeb86e1ba)]
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/KNEXPQPSII46VM3C62LFZ3ODK6OZPXPL/)
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. This month, we wrote a large number of such patches, including:
* Bernhard M. Wiedemann:
- * replaced the `%jobs` rpm macro because rpm [embeds the CPU-core-count into the .src.rpm header](bugzilla.opensuse.org/show_bug.cgi?id=1237231)
- * [`yast-ruby-bindings`](https://github.com/yast/yast-ruby-bindings/pull/294)
- [`yast-control-center`](https://github.com/yast/yast-control-center/pull/62)
- [`crash`](https://src.opensuse.org/kernel-kdump/crash/pulls/2)
- [`libyui`](https://github.com/libyui/libyui/pull/116)
- [`yast`](https://github.com/yast/yast-devtools/pull/178)
- [`perl-Crypt-RC`](https://build.opensuse.org/request/show/1276293)
- [`python-gevent`](https://build.opensuse.org/request/show/1276306)
- [`autotrace`](https://build.opensuse.org/request/show/1277438)
- [`cvsps`](https://build.opensuse.org/request/show/1277441)
- [`gexif`](https://build.opensuse.org/request/show/1277447)
- [`gq`](https://build.opensuse.org/request/show/1277448)
- [`ibus-table-others`](https://build.opensuse.org/request/show/1277450)
- [`krb5-appl`](https://build.opensuse.org/request/show/1277456)
- [`linkloop`](https://build.opensuse.org/request/show/1277459)
- [`libexif-gtk`](https://build.opensuse.org/request/show/1277460)
- [`gtkam`](https://build.opensuse.org/request/show/1277463)
- [`notify-sharp`](https://build.opensuse.org/request/show/1277465)
- [`smictrl`](https://build.opensuse.org/request/show/1277471)
- [`seq24`](https://build.opensuse.org/request/show/1277472)
- [`sobby`](https://build.opensuse.org/request/show/1277473)
- [`urfkill`](https://build.opensuse.org/request/show/1277477)
- [`solfege`](https://build.opensuse.org/request/show/1277476)
- [`xine-lib`](https://build.opensuse.org/request/show/1277479)
- [`xkeycaps`](https://build.opensuse.org/request/show/1277480)
- [`xquarto`](https://build.opensuse.org/request/show/1277481)
- [`pcsc-eco5000`](https://build.opensuse.org/request/show/1277482)
- [`pcsc-reflex60`](https://build.opensuse.org/request/show/1279025)
- [`pcsc-acr38`](https://build.opensuse.org/request/show/1279024)
- [`pcsc-asedriveiiie-serial`](https://build.opensuse.org/request/show/1279029)
- [`pcsc-asedriveiiie-usb`](https://build.opensuse.org/request/show/1279030)
- [`pcsc-asekey`](https://build.opensuse.org/request/show/1279031)
- [`uwsgi`](https://build.opensuse.org/request/show/1277483)
- [`ncurses`](https://build.opensuse.org/request/show/1277853)
- [`MozillaFirefox`](https://build.opensuse.org/request/show/1277922)
- [`seamonkey`](https://build.opensuse.org/request/show/1280974)
- [`ck`](https://build.opensuse.org/request/show/1279009)
- [`python-boto3`](https://build.opensuse.org/request/show/128082)
- [`python-pytest-localserver`](https://build.opensuse.org/request/show/1280876)
- [`cmake`](https://build.opensuse.org/request/show/1280975)
- [`lib2geom`](https://build.opensuse.org/request/show/1280894)
- * [`wsmancli`](https://build.opensuse.org/request/show/1277478) (date+time ; %jobs)
- * [`netdiscover`](https://github.com/netdiscover-scanner/netdiscover/pull/38) (debuginfo mtime/date)
- * [`libmfx`](https://build.opensuse.org/request/show/1276079) (uname -r)
- * [`libmfx-gen`](https://build.opensuse.org/request/show/1276727) (uname -r)
- * [`liboqs`](https://build.opensuse.org/request/show/1276690) (uname -r)
- * [`ktoblzcheck-data`](https://build.opensuse.org/request/show/1279038) (date)
- * [`qt6-tools`](https://build.opensuse.org/request/show/1279420) (toolchain by upstream)
- * [`leafnode`](https://build.opensuse.org/request/show/1277080) (FTBFS-nocheck)
- * [`meson`](https://github.com/mesonbuild/meson/pull/14580) (toolchain)
- * [`cmake/musescore`](https://gitlab.kitware.com/cmake/cmake/-/issues/26957) (toolchain ASLR)
-
-Vagrant Cascadian updated *diffoscope* in [GNU Guix](https://guix.gnu.org/) to version 296 [[…](https://debbugs.gnu.org/78460)][[…](https://codeberg.org/guix/guix/commit/470ad82bfaf3403bd6fc31ccd52b04027c6b8eeb)] and 297 [[…](https://codeberg.org/guix/guix/pulls/358)][[…](https://codeberg.org/guix/guix/commit/8b8b0c2e8d7f99036c56328a5f0a59394a3eddc3)].
-
-Vagrant Cascadian updated *disorderfs* in [GNU Guix](https://guix.gnu.org/) to version 0.6.0 [[…](https://debbugs.gnu.org/78515)][[…](https://codeberg.org/guix/guix/commit/6181d7cc8a620153bd48b3dba42c59636b4da259)].
+
+ * [`autotrace`](https://build.opensuse.org/request/show/1277438), [`ck`](https://build.opensuse.org/request/show/1279009), [`cmake/musescore`](https://gitlab.kitware.com/cmake/cmake/-/issues/26957), [`cmake`](https://build.opensuse.org/request/show/1280975), [`crash`](https://src, opensuse.org/kernel-kdump/crash/pulls/2), [`cvsps`](https://build.opensuse.org/request/show/1277441), [`gexif`](https://build.opensuse.org/request/show/1277447), [`gq`](https://build.opensuse.org/request/show/1277448), [`gtkam`](https://build.opensuse.org/request/show/1277463), [`ibus-table-others`](https://build.opensuse.org/request/show/1277450), [`krb5-appl`](https://build.opensuse.org/request/show/1277456), [`ktoblzcheck-data`](https://build.opensuse.org/request/show/1279038), [`leafnode`](https://build.opensuse.org/request/show/1277080), [`lib2geom`](https://build.opensuse.org/request/show/1280894), [`libexif-gtk`](https://build.opensuse.org/request/show/1277460), [`libmfx-gen`](https://build.opensuse.org/request/show/1276727), [`libmfx`](https://build.opensuse.org/request/show/1276079), [`liboqs`](https://build.opensuse.org/request/show/1276690), [`libyui`](https://github.com/libyui/libyui/pull/116), [`linkloop`](https://build.opensuse.org/request/show/1277459), [`meson`](https://github.com/mesonbuild/meson/pull/14580), [`MozillaFirefox`](https://build.opensuse.org/request/show/1277922), [`ncurses`](https://build.opensuse.org/request/show/1277853), [`netdiscover`](https://github.com/netdiscover-scanner/netdiscover/pull/38), [`notify-sharp`](https://build.opensuse.org/request/show/1277465), [`pcsc-acr38`](https://build.opensuse.org/request/show/1279024), [`pcsc-asedriveiiie-serial`](https://build.opensuse.org/request/show/1279029), [`pcsc-asedriveiiie-usb`](https://build.opensuse.org/request/show/1279030), [`pcsc-asekey`](https://build.opensuse.org/request/show/1279031), [`pcsc-eco5000`](https://build.opensuse.org/request/show/1277482), 
[`pcsc-reflex60`](https://build.opensuse.org/request/show/1279025), [`perl-Crypt-RC`](https://build.opensuse.org/request/show/1276293), [`python-boto3`](https://build.opensuse.org/request/show/128082), [`python-gevent`](https://build.opensuse.org/request/show/1276306), [`python-pytest-localserver`](https://build.opensuse.org/request/show/1280876), [`qt6-tools`](https://build.opensuse.org/request/show/1279420), [`seamonkey`](https://build.opensuse.org/request/show/1280974), [`seq24`](https://build.opensuse.org/request/show/1277472), [`smictrl`](https://build.opensuse.org/request/show/1277471), [`sobby`](https://build.opensuse.org/request/show/1277473), [`solfege`](https://build.opensuse.org/request/show/1277476), [`urfkill`](https://build.opensuse.org/request/show/1277477), [`uwsgi`](https://build.opensuse.org/request/show/1277483), [`wsmancli`](https://build.opensuse.org/request/show/1277478), [`xine-lib`](https://build.opensuse.org/request/show/1277479), [`xkeycaps`](https://build.opensuse.org/request/show/1277480), [`xquarto`](https://build.opensuse.org/request/show/1277481), [`yast-control-center`](https://github.com/yast/yast-control-center/pull/62), [`yast-ruby-bindings`](https://github.com/yast/yast-ruby-bindings/pull/294) and [`yast`](https://github.com/yast/yast-devtools/pull/178)
+
+* Chris Hofstaedtler:
+
+ * [#1104578](https://bugs.debian.org/1104578) filed against [`jabber-muc`](https://tracker.debian.org/pkg/jabber-muc).
+
+* Chris Lamb:
+
+ * [#1105171](https://bugs.debian.org/1105171) filed against [`golang-github-lucas-clemente-quic-go`](https://tracker.debian.org/pkg/golang-github-lucas-clemente-quic-go).
+
+* Jelle van der Waa:
+
+ * [`gitlab-shell`](https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/1291)
+
+* Jochen Sprickerhof:
+
+ * [#1104965](https://bugs.debian.org/1104965) filed against [`bootp`](https://tracker.debian.org/pkg/bootp).
+
+* Zhaofeng Li:
+
+ * [Add support for `--mtime` and `--clamp-mtime`](https://github.com/libarchive/libarchive/pull/2601) to `bsdtar`.
+
+<br>
+<br>
+
+Finally, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
+
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
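Review bot: in the combined package list under Bernhard M. Wiedemann, the `crash` link now reads `https://src, opensuse.org/kernel-kdump/crash/pulls/2`, with a comma and a space in the host name, where the removed line had `https://src.opensuse.org/...`; restore the dot so the link resolves. In the same list, the `python-boto3` request number `128082` has six digits where every other build.opensuse.org request linked here has seven. It was carried over unchanged from the removed line, so it is worth checking against the actual request before this leaves draft. Flattening the list also drops the per-package cause annotations (`uname -r`, `date`, `toolchain ASLR` and so on) and the `%jobs` rpm macro item; if that is deliberate, a word in the commit message would help, otherwise consider keeping them. Finally, "However, you can get in touch with us via:" in the closing paragraph does not contrast with the sentence before it; "Alternatively" or simply dropping the word would read better.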
=====================================
images/reports/2025-05/SRL-reproducible_builds-baseline_assurance-report-final.png
=====================================
Binary files /dev/null and b/images/reports/2025-05/SRL-reproducible_builds-baseline_assurance-report-final.png differ
=====================================
images/reports/2025-05/bookworm_stats_pkg_state.png deleted
=====================================
Binary files a/images/reports/2025-05/bookworm_stats_pkg_state.png and /dev/null differ
=====================================
images/reports/2025-05/bullseye_stats_pkg_state.png deleted
=====================================
Binary files a/images/reports/2025-05/bullseye_stats_pkg_state.png and /dev/null differ
=====================================
images/reports/2025-05/buster_stats_pkg_state.png deleted
=====================================
Binary files a/images/reports/2025-05/buster_stats_pkg_state.png and /dev/null differ
=====================================
images/reports/2025-05/debian.png
=====================================
Binary files /dev/null and b/images/reports/2025-05/debian.png differ
=====================================
images/reports/2025-05/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2025-05/diffoscope.png differ
=====================================
images/reports/2025-05/experimental_stats_pkg_state.png deleted
=====================================
Binary files a/images/reports/2025-05/experimental_stats_pkg_state.png and /dev/null differ
=====================================
images/reports/2025-05/fdroid.png
=====================================
Binary files /dev/null and b/images/reports/2025-05/fdroid.png differ
=====================================
images/reports/2025-05/nixos.png
=====================================
Binary files /dev/null and b/images/reports/2025-05/nixos.png differ
=====================================
images/reports/2025-05/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2025-05/opensuse.png differ
=====================================
images/reports/2025-05/paper-2503.21705.png
=====================================
Binary files /dev/null and b/images/reports/2025-05/paper-2503.21705.png differ
=====================================
images/reports/2025-05/paper-2505.02521.png
=====================================
Binary files /dev/null and b/images/reports/2025-05/paper-2505.02521.png differ
=====================================
images/reports/2025-05/reproduce.png
=====================================
Binary files /dev/null and b/images/reports/2025-05/reproduce.png differ
=====================================
images/reports/2025-05/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2025-05/reproducible-builds.png differ
=====================================
images/reports/2025-05/stats_builds_per_day_i386.png deleted
=====================================
Binary files a/images/reports/2025-05/stats_builds_per_day_i386.png and /dev/null differ
=====================================
images/reports/2025-05/stretch_stats_pkg_state.png deleted
=====================================
Binary files a/images/reports/2025-05/stretch_stats_pkg_state.png and /dev/null differ
=====================================
images/reports/2025-05/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2025-05/testframework.png differ
=====================================
images/reports/2025-05/trixie_stats_pkg_state.png deleted
=====================================
Binary files a/images/reports/2025-05/trixie_stats_pkg_state.png and /dev/null differ
=====================================
images/reports/2025-05/unstable_stats_pkg_state.png deleted
=====================================
Binary files a/images/reports/2025-05/unstable_stats_pkg_state.png and /dev/null differ
=====================================
images/reports/2025-05/website.png
=====================================
Binary files /dev/null and b/images/reports/2025-05/website.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/db46c3aa170f26bfdae2a124dba1881806cfc5aa