[Git][reproducible-builds/reproducible-website][master] 2 commits: 2025-02: Misc changes prior to publication.

Chris Lamb (@lamby) gitlab at salsa.debian.org
Wed Mar 5 13:31:39 UTC 2025 


Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
6c7ced26 by Chris Lamb at 2025-03-05T13:28:37+00:00
2025-02: Misc changes prior to publication.

- - - - -
d9077499 by Chris Lamb at 2025-03-05T13:31:23+00:00
published as https://reproducible-builds.org/reports/2025-02/

- - - - -


3 changed files:

- _reports/2025-02.md
- + images/reports/2025-02/freebsd.png
- + images/reports/2025-02/pycascades.png


Changes:

=====================================
_reports/2025-02.md
=====================================
@@ -3,18 +3,25 @@ layout: report
 year: "2025"
 month: "02"
 title: "Reproducible Builds in February 2025"
-draft: true
+draft: false
+date: 2025-03-05 13:31:23
 ---
 
 [![]({{ "/images/reports/2025-02/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
 
 **Welcome to the second report in 2025 from the [Reproducible Builds]({{ "/" | relative_url }}) project.** Our monthly reports outline what we've been up to over the past month, and highlight items of news from elsewhere in the increasingly-important area of software supply-chain security. As usual, however, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
 
-<!--
-
 **Table of contents:**
 
--->
+0. [Reproducible Builds at FOSDEM 2025](#reproducible-builds-at-fosdem-2025)
+0. [Reproducible Builds at PyCascades 2025](#reproducible-builds-at-pycascades-2025)
+0. [Does Functional Package Management Enable Reproducible Builds at Scale?](#does-functional-package-management-enable-reproducible-builds-at-scale)
+0. [*reproduce.debian.net* updates](#reproducedebiannet-updates)
+0. [Upstream patches](#upstream-patches)
+0. [Distribution work](#distribution-work)
+0. [diffoscope & strip-nondeterminism](#diffoscope--strip-nondeterminism)
+0. [Website updates](#website-updates)
+0. [Reproducibility testing framework](#reproducibility-testing-framework)
 
 ---
 
@@ -48,11 +55,17 @@ Lastly, Simon Tournier presented in the *Open Research* track on the confluence
 
 <br>
 
-### PyCascades
+### Reproducible Builds at PyCascades 2025
+
+[![]({{ "/images/reports/2025-02/pycascades.png#right" | relative_url }})](https://2025.pycascades.com/program/talks/re-py-ducible-builds/)
+
+Vagrant Cascadian presented at this year's [PyCascades](https://2025.pycascades.com/) conference which was held on February 8th and 9th February in Portland, OR, USA. PyCascades is a regional instance of [PyCon](https://pycon.org/) held in the Pacific Northwest. Vagrant's talk, entitled [*Re-Py-Ducible Builds*](https://2025.pycascades.com/program/talks/re-py-ducible-builds/) caught the audience's attention with the following abstract:
+
+> Crank your Python best practices up to 11 with Reproducible Builds! This talk will explore Reproducible Builds by highlighting issues identified in Python projects, from the simple to the seemingly inscrutable. Reproducible Builds is basically the crazy idea that when you build something, and you build it again, you get the exact same thing... or even more important, if someone else builds it, they get the exact same thing too.
 
-Vagrant Cascadian presented Re-Py-Ducible Builds at PyCascades
-https://2025.pycascades.com/program/talks/re-py-ducible-builds/
-FIXME
+More info is available on the [talk's page](https://2025.pycascades.com/program/talks/re-py-ducible-builds/).
+
+<br>
 
 ### *"Does Functional Package Management Enable Reproducible Builds at Scale?"*
 
@@ -107,15 +120,6 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
 
     * [`tucnak`](https://build.opensuse.org/request/show/1247238)
 
-* [FreeBSD](https://www.freebsd.org/)-related:
-
-Thanks to an investment from the [Sovereign Tech Agency](https://freebsdfoundation.org/blog/zero-trust-builds-for-freebsd/) the FreeBSD project's work on unprivileged and reproducible builds continued this month.
-
-Notable fixes include:
-    * [`pkg`](https://github.com/freebsd/pkg/commit/ea82e1d6df919714a2e3472c7561f53a2dde69d1) (hash ordering)
-    * [`makefs`](https://cgit.freebsd.org/src/commit/usr.sbin/makefs/cd9660?id=518cdd344ec51584478f39b9a9cac77fc0766ce1) (source filesystem inode number leakage)
-    * [`FreeBSD base system packages`](https://cgit.freebsd.org/src/commit/?id=8a3537aaf7c19f7331fcc160ab42e36fc79e408a) (timestamp)
-
 * Bernhard M. Wiedemann:
 
     * [`aioquic`](https://github.com/aiortc/aioquic/issues/557)
@@ -197,23 +201,33 @@ There as been the usual work in various distributions this month, such as:
 
 [![]({{ "/images/reports/2025-02/debian.png#right" | relative_url }})](https://debian.org/)
 
-In Debian, 17 reviews of Debian packages were added, 6 were updated and 8 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
+In **Debian**, 17 reviews of Debian packages were added, 6 were updated and 8 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
 
 <br>
 
-[Fedora](https://fedoraproject.org/) developers Davide Cavalca and Zbigniew Jędrzejewski-Szmek gave a talk on [*Reproducible Builds in Fedora*](https://cfp.fedoraproject.org/media/flock-2024/submissions/SKWEXP/resources/Reproducible_builds_in_Fedora_Flock_2024_Iiyoq3s.pdf) (PDF), touching on [SRPM](https://en.wikipedia.org/wiki/RPM_Package_Manager#SRPM)-specific issues as well as the current status and future plans.
+**[Fedora](https://fedoraproject.org/)** developers Davide Cavalca and Zbigniew Jędrzejewski-Szmek gave a talk on [*Reproducible Builds in Fedora*](https://cfp.fedoraproject.org/media/flock-2024/submissions/SKWEXP/resources/Reproducible_builds_in_Fedora_Flock_2024_Iiyoq3s.pdf) (PDF), touching on [SRPM](https://en.wikipedia.org/wiki/RPM_Package_Manager#SRPM)-specific issues as well as the current status and future plans.
+
+<br>
+
+[![]({{ "/images/reports/2025-02/freebsd.png#right" | relative_url }})](https://freebsd.org/)
+
+Thanks to an investment from the [Sovereign Tech Agency](https://freebsdfoundation.org/blog/zero-trust-builds-for-freebsd/), the **[FreeBSD](https://www.freebsd.org/)** project's work on unprivileged and reproducible builds continued this month. Notable fixes include:
+
+* [`pkg`](https://github.com/freebsd/pkg/commit/ea82e1d6df919714a2e3472c7561f53a2dde69d1) (hash ordering)
+* [`makefs`](https://cgit.freebsd.org/src/commit/usr.sbin/makefs/cd9660?id=518cdd344ec51584478f39b9a9cac77fc0766ce1) (source filesystem inode number leakage)
+* [`FreeBSD base system packages`](https://cgit.freebsd.org/src/commit/?id=8a3537aaf7c19f7331fcc160ab42e36fc79e408a) (timestamp)
 
 <br>
 
-[The Yocto Project](https://yoctoproject.org/) has been struggling to upgrade to the latest go and rust releases due to reproducibilty problems in the newer versions. Hongxu Jia tracked down the issue with go meaning the project could upgrade from the 1.22 series to 1.24 with the fix being submitted upstream for review (see above). For rust, the project was significantly behind but has made recent progress after finally identifying the reproducibility blocking issues. At time of writing the project is at rust 1.82 which patches under review for 1.83 and 1.84 and fixes being discussed with the rust developers. We hope to improve the tests for reproducibility in the rust project itself to try and avoid future regressions.
+[The **Yocto Project**](https://yoctoproject.org/) has been struggling to upgrade to the latest [Go](https://go.dev/) and [Rust](https://www.rust-lang.org/) releases due to reproducibility problems in the newer versions. Hongxu Jia tracked down the issue with Go which meant that the project could upgrade from the 1.22 series to 1.24, with the fix being submitted upstream for review (see above). For Rust, however, the project was significantly behind, but has made recent progress after finally identifying the blocking reproducibility issues. At time of writing, the project is at Rust version 1.82, with patches under review for 1.83 and 1.84 and fixes being discussed with the Rust developers. The project hopes to improve the tests for reproducibility in the Rust project itself in order to try and avoid future regressions.
 
-The project continues to maintain it's ability to binary reproduce all of the recipes in [OpenEmbedded-Core](https://www.yoctoproject.org/reproducible-build-results/) regardless of the build host distro or the path of the build on the system.
+Yocto continues to maintain its ability to binary reproduce all of the recipes in [OpenEmbedded-Core](https://www.yoctoproject.org/reproducible-build-results/), regardless of the build host distribution or the current build path.
 
 <br>
 
 [![]({{ "/images/reports/2025-02/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
 
-Finally, Douglas DeMaio published an article on the [openSUSE blog](https://news.opensuse.org/) on announcing that the [*Reproducible-openSUSE (RBOS) Project Hits [Significant] Milestone*](https://news.opensuse.org/2025/02/18/rbos-project-hits-milestone/). In particular:
+Finally, Douglas DeMaio published an article on the [**openSUSE** blog](https://news.opensuse.org/) on announcing that the [*Reproducible-openSUSE (RBOS) Project Hits [Significant] Milestone*](https://news.opensuse.org/2025/02/18/rbos-project-hits-milestone/). In particular:
 
 > The [Reproducible-openSUSE (RBOS)](https://en.opensuse.org/openSUSE:Reproducible_openSUSE) project, which is a proof-of-concept fork of openSUSE, has reached a significant milestone after demonstrating a usable Linux distribution can be built with 100% bit-identical packages.
 
@@ -231,7 +245,7 @@ This news was [also announced on our mailing list](https://lists.reproducible-bu
 * Catch a `CalledProcessError` when calling `html2text`. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e470ee25)]
 * Update the minimal [*Black*](https://black.readthedocs.io/en/stable/) version. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c5aa1ff5)]
 
-Additionally, Vagrant Cascadian updated *diffoscope* in [GNU Guix](https://guix.gnu.org/) to version 287 [[…](https://debbugs.gnu.org/76080)][[…](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=27c2b2f1a6f48f238030893b6d0ebc9c2bc68b12)] and 288 [[…](https://debbugs.gnu.org/76122)][[…](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=d304311a3949795659bf08d9409ddf86481dcc36)] and submitted a patch to update to 289 [[…](https://debbugs.gnu.org/76599)]. Vagrant also fixed an issue breaking *reprotest* on guix[[…](https://debbugs.gnu.org/76602)][[…](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2558392803663f4381fa9c09a53d329b719152bd)].
+Additionally, Vagrant Cascadian updated *diffoscope* in [GNU Guix](https://guix.gnu.org/) to version 287 [[…](https://debbugs.gnu.org/76080)][[…](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=27c2b2f1a6f48f238030893b6d0ebc9c2bc68b12)] and 288 [[…](https://debbugs.gnu.org/76122)][[…](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=d304311a3949795659bf08d9409ddf86481dcc36)] as well as submitted a patch to update to 289 [[…](https://debbugs.gnu.org/76599)]. Vagrant also fixed an issue that was breaking *reprotest* on Guix [[…](https://debbugs.gnu.org/76602)][[…](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2558392803663f4381fa9c09a53d329b719152bd)].
 
 [*strip-nondeterminism*](https://salsa.debian.org/reproducible-builds/strip-nondeterminism) is our sister tool to remove specific non-deterministic results from a completed build. This month version `1.14.1-2` was [uploaded to Debian unstable](https://tracker.debian.org/news/1614424/accepted-strip-nondeterminism-1141-2-source-into-unstable/) by Holger Levsen.
 


=====================================
images/reports/2025-02/freebsd.png
=====================================
Binary files /dev/null and b/images/reports/2025-02/freebsd.png differ


=====================================
images/reports/2025-02/pycascades.png
=====================================
Binary files /dev/null and b/images/reports/2025-02/pycascades.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/4f330e1eb3559cc350ba0963aad56b9f54871257...d90774991c3fd89671bb97d820494e67ad772499

-- 
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/4f330e1eb3559cc350ba0963aad56b9f54871257...d90774991c3fd89671bb97d820494e67ad772499
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20250305/0e8b9813/attachment.htm>

More information about the rb-commits mailing list