[Git][reproducible-builds/reproducible-website][master] 2025-04: Initial draft

Chris Lamb (@lamby) gitlab at salsa.debian.org
Fri May 9 20:13:12 UTC 2025



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
9111817a by Chris Lamb at 2025-05-09T13:12:30-07:00
2025-04: Initial draft


- - - - -


12 changed files:

- _reports/2025-04.md
- + images/reports/2025-04/2504.png
- + images/reports/2025-04/chains.png
- + images/reports/2025-04/debian.png
- + images/reports/2025-04/diffoscope.png
- + images/reports/2025-04/izzyondroid.png
- + images/reports/2025-04/opensuse.png
- + images/reports/2025-04/reproduce.png
- + images/reports/2025-04/reproducible-builds.png
- + images/reports/2025-04/russcoxarticle.png
- + images/reports/2025-04/testframework.png
- + images/reports/2025-04/website.png


Changes:

=====================================
_reports/2025-04.md
=====================================
@@ -6,75 +6,240 @@ title: "Reproducible Builds in April 2025"
 draft: true
 ---
 
-* [FIXME](https://queue.acm.org/detail.cfm?id=3722542)
+[![]({{ "/images/reports/2025-04/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
 
-* [FIXME](https://news.ycombinator.com/item?id=43653672)
+**Welcome to our fourth report from the [Reproducible Builds]({{ "/" | relative_url }}) project in 2025.** These monthly reports outline what we've been up to over the past month, and highlight items of news from elsewhere in the increasingly-important area of software supply-chain security. Lastly, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
 
-* [FIXME](https://blog.josefsson.org/2025/04/17/verified-reproducible-tarballs/)
+<!--
 
-* FIXME: https://reproduce.debian.net/ now tests all trixie release archs except s390x and mips64el.
-  - ppc64el added thanks to OSUOSL.org
-  - armel added thanks to codethink.co.uk
+**Table of contents:**
 
-* [FIXME](https://blog.josefsson.org/2025/04/30/building-debian-in-a-gitlab-pipeline/)
+0. FIXME: Automatically generated
+
+-->
+
+---
+
+### [*reproduce.debian.net*](https://reproduce.debian.net/)
+
+[![]({{ "/images/reports/2025-04/reproduce.png#right" | relative_url }})](https://reproduce.debian.net)
+
+The last few months have seen the introduction, development and deployment of [*reproduce.debian.net*](https://reproduce.debian.net). In technical terms, this is an instance of [*rebuilderd*](https://github.com/kpcyrd/rebuilderd), our server designed monitor the official package repositories of Linux distributions and attempt to reproduce the observed results there.
+
+This month, however, we are pleased to announce that [*reproduce.debian.net*](https://reproduce.debian.net) now tests all the Debian *trixie* architectures except `s390x` and `mips64el`.
+
+The `ppc64el` architecture was added through the generous support of [Oregon State University Open Source Laboratory](https://osuosl.org/) (OSUOSL), and we can support the `armel` architecture thanks to [CodeThink](https://www.codethink.co.uk/).
+
+<br>
+
+### *[Fifty Years of Open Source Software Supply Chain Security](https://queue.acm.org/detail.cfm?id=3722542)*
+
+[![]({{ "/images/reports/2025-04/russcoxarticle.png#right" | relative_url }})](https://queue.acm.org/detail.cfm?id=3722542)
+
+Russ Cox has published a must-read article in [ACM Queue](https://queue.acm.org/) on [*Fifty Years of Open Source Software Supply Chain Security*](https://queue.acm.org/detail.cfm?id=3722542). Subtitled, "For decades, software reuse was only a lofty goal. Now it's very real.", Russ' article goes on to outline the history and original goals of software supply-chain security in the US military in the early 1970s, all the way to the [XZ Utils backdoor](https://en.wikipedia.org/wiki/XZ_Utils_backdoor) of 2024. Through that lens, Russ explores the problem and how it has changed, and hasn't changed, over time.
+
+He concludes as follows:
+
+> We are all struggling with a massive shift that has happened in the past 10 or 20 years in the software industry. For decades, software reuse was only a lofty goal. Now it's very real.12 Modern programming environments such as Go, Node, and Rust have made it trivial to reuse work by others, but our instincts about responsible behaviors have not yet adapted to this new reality.
+>
+> We all have more work to do.
+
+<br>
+
+### [4th CHAINS Software Supply Chain Workshop](https://chains.proj.kth.se/software-supply-chain-workshop-4.html)
+
+[![]({{ "/images/reports/2025-04/chains.png#right" | relative_url }})](https://chains.proj.kth.se/software-supply-chain-workshop-4.html)
+
+Convened as part of the [CHAINS](https://chains.proj.kth.se/) research project at the [KTH Royal Institute of Technology](https://www.kth.se/en) in Stockholm, Sweden, the [*4th CHAINS Software Supply Chain Workshop*](https://chains.proj.kth.se/software-supply-chain-workshop-4.html) occurred during April. During the workshop, there were a number of relevant workshops, including:
+
+* [Reproducible builds for Java](https://github.com/jvm-repo-rebuild/reproducible-central)
+* [Does Functional Package Management Enable Reproducible Builds at Scale?](https://hal.science/hal-04913007)
+* [Causes and Mitigations of Unreproducible Builds in Java](https://algomaster99.github.io/talks/4th-chains-workshop/slides.pdf)
+* [Fixing Breaking Dependency Updates Using LLMs](https://kth.diva-portal.org/smash/get/diva2:1905601/FULLTEXT01.pdf)
+* [The caveats of vulnerability analysis](https://chains.proj.kth.se/workshop_4_assets/slides/20250425_Henrik_PLATE_Keynote_CHAINS_Workshop.pdf)
+* [`maven-lockfile`](https://github.com/chains-project/maven-lockfile/) (Lockfiles for Java and Maven)
+* [`observer`](https://github.com/sbom-observer/observer-cli) (Generating SBOMs for C/C++)
+* [`dirty-waters`](https://github.com/chains-project/dirty-waters) (Transparency checks for software supply chains)
+* Finally, a [supply chain competition](https://chains.proj.kth.se/chains-repo-checklist.html). Martin Schwaighofer, the winner, [created a recap video](https://youtu.be/lqH2lVe8Isc) (20m43s).
+
+
+The [full listing of the agenda](https://chains.proj.kth.se/software-supply-chain-workshop-4.html) is available on the workshop's website.
+
+<br>
+
+### Mailing list updates
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+
+* Luca DiMaio of [Chainguard](https://www.chainguard.dev/) posted to the list reporting that they had successfully implemented reproducible filesystem images with both [`ext4`](https://en.wikipedia.org/wiki/Ext4) *and* an [EFI system partition](https://en.wikipedia.org/wiki/EFI_system_partition). They go on to list the various methods, and the thread generated at least fifteen replies.
+
+* David Wheeler announced that the [OpenSSF](https://openssf.org/) is building a "glossary" of sorts in order that they "consistently use the same meaning for the same term" and, moreover, that they have [drafted a definition for 'reproducible build'](https://glossary.openssf.org/reproducible-build/). The thread generated a significant number of replies on the definition, leading to a potential update to the Reproducible Build's own definition.
+
+* Lastly, *kpcyrd* posted to the list with a [timely reminder and update](https://lists.reproducible-builds.org/pipermail/rb-general/2025-April/003735.html) on their [`repro-env`](https://github.com/kpcyrd/repro-env)" tool. As first reported in [our July 2023 report]({{ "/reports/2023-07/" | relative_url }}"), *kpcyrd* mentions that:
+
+    > My initial interest in reproducible builds was "how do I distribute pre-compiled binaries on [GitHub](https://github.com) without people raising security concerns about them". I've cycled back to this original problem about 5 years later and built a tool that is meant to address this. [[…](https://lists.reproducible-builds.org/pipermail/rb-general/2023-July/003026.html)]
+
+<br>
+
+### [*Canonicalization for Unreproducible Builds in Java*](https://arxiv.org/abs/2504.21679)
+
+[![]({{ "/images/reports/2025-04/2504.png#right" | relative_url }})](https://arxiv.org/abs/2504.21679)
+
+Aman Sharma, Benoit Baudry and Martin Monperrus have published a new scholarly study related to reproducible builds within Java. Titled [*Canonicalization for Unreproducible Builds in Java*](https://arxiv.org/abs/2504.21679), the article's abstract is as follows:
+
+> […] Achieving reproducibility at scale remains difficult, especially in Java, due to a range of non-deterministic factors and caveats in the build process. In this work, we focus on reproducibility in Java-based software, archetypal of enterprise applications. We introduce a conceptual framework for reproducible builds, we analyze a large dataset from [Reproducible Central](https://github.com/jvm-repo-rebuild/reproducible-central#readme) and we develop a novel taxonomy of six root causes of unreproducibility. We study actionable mitigations: artifact and bytecode canonicalization using *OSS-Rebuild* and *jNorm* respectively. Finally, **we present *Chains-Rebuild*, a tool that raises reproducibility success from 9.48% to 26.89% on 12,283 unreproducible artifacts**. To sum up, our contributions are the first large-scale taxonomy of build unreproducibility causes in Java, a publicly available dataset of unreproducible builds, and Chains-Rebuild, a canonicalization tool for mitigating unreproducible builds in Java.
+
+A [full PDF of their article](https://arxiv.org/pdf/2504.21679) is available from [arXiv](https://arxiv.org/).
+
+<br>
+
+### Distribution roundup
+
+[![]({{ "/images/reports/2025-04/debian.png#right" | relative_url }})](https://debian.org/)
+
+In **Debian** this month:
+
+* Roland Clobus posted another [status report on reproducible ISO images](https://lists.reproducible-builds.org/pipermail/rb-general/2025-April/003700.html) on our [mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, with the summary that "all live images build reproducibly from the online Debian archive".
+
+* [Debian](https://debian.org) developer Simon Josefsson published another two reproducibility-related blog posts this month, the first on the topic of [*Verified Reproducible Tarballs*](https://blog.josefsson.org/2025/04/17/verified-reproducible-tarballs/). Simon sardonically challenges the reader as follows: "Do you want a supply-chain challenge for the Easter weekend? Pick some well-known software and try to re-create the official release tarballs from the corresponding Git checkout. *Is anyone able to reproduce anything these days?*"  After that, they also published a blog post on [*Building Debian in a GitLab Pipeline*](https://blog.josefsson.org/2025/04/30/building-debian-in-a-gitlab-pipeline/) using their [multi-stage rebuild](https://blog.josefsson.org/2025/03/31/on-binary-distribution-rebuilds/) approach.
+
+* Roland also posted to our mailing list to highlight that "[there is now another tool in Debian that generates reproducible output](https://lists.reproducible-builds.org/pipermail/rb-general/2025-April/003723.html), `equivs`". This is a tool to create trivial Debian packages that might `Depend` on other packages. As Roland writes, "building the [`equivs`] package has been reproducible for a while, [but] now the output of the [tool] has become reproducible as well".
+
+* Lastly, 9 reviews of Debian packages were added, 10 were updated and 10 were removed this month adding to our [extensive knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
+
+[![]({{ "/images/reports/2025-04/izzyondroid.png#right" | relative_url }})](https://apt.izzysoft.de/fdroid/)
+
+The [**IzzyOnDroid**](https://apt.izzysoft.de/fdroid/) Android APK repository made more progress in April. Thanks to funding by [NLnet](https://nlnet.nl/) and [Mobifree](https://mobifree.org/), the project was also to put more time into their tooling. For instance, developers can [now easily run their own verification builder](https://codeberg.org/IzzyOnDroid/rbuilder_setup) in "less than 5 minutes". This currently supports [Debian](https://www.debian.org/)-based systems, but support for RPM-based systems is incoming.
+
+* The [`rbuilder_setup`](https://codeberg.org/IzzyOnDroid/rbuilder_setup) tool can now setup the entire framework within less than five minutes. The process is configurable, too, so everything from "just the basics to verify builds" up to a fully-fledged RB environment is also possible.
+
+* This tool works on [Debian](https://www.debian.org/), [RedHat](https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux) and [Arch Linux](https://archlinux.org/), as well as their derivates. The project has received successful reports from Debian, [Ubuntu](https://ubuntu.com/), [Fedora](https://fedoraproject.org/) and some Arch Linux derivates so far.
+
+* Documentation on how to work with reproducible builds (making apps reproducible, debugging unreproducible packages, etc) is [available in the project's wiki page](https://gitlab.com/IzzyOnDroid/repo/-/wikis/Reproducible-Builds).
+
+* [Future work](https://codeberg.org/IzzyOnDroid/-/projects/13002) is also in the pipeline, including documentation, guidelines and helpers for debugging.
+
+[![]({{ "/images/reports/2025-04/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
+
+Lastly, in [**openSUSE**](https://www.opensuse.org/) news, Bernhard M. Wiedemann posted another [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/ZVTOA6G3GTAVELEI6D5M67GVFDUUESBE/) for their work there.
+
+<br>
+
+### [*diffoscope*](https://diffoscope.org) & *strip-nondeterminism*
+
+[![]({{ "/images/reports/2025-04/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
+
+[diffoscope](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading a number of versions to Debian:
+
+* Use the `--walk` argument over the potentially dangerous alternative `--scan` when calling out to `zipdetails(1)`. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/661adfc0)]
+* Correct a longstanding issue where many `>`-based version tests used in conditional fixtures were broken. This was used to ensure that specific tests were only run when the version on the system was newer than a particular number. Thanks to Colin Watson for the report (Debian bug [#1102658](https://bugs.debian.org/1102658)) [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8234ff0a)]
+* Address a long-hidden issue in the `test_versions` testsuite as well, where we weren't actually testing the greater-than comparisons mentioned above, as it was masked by the tests for equality. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/d930e990)]
+* Update copyright years. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/6b02bfc2)]
+
+In *strip-nondeterminism*, however, Holger Levsen updated the Continuous Integration (CI) configuration in order to use the standard Debian pipelines via `debian/salsa-ci.yml` instead of using `.gitlab-ci.yml`. [[…](https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/39dc600)]
+
+<br>
+
+### Website updates
+
+[![]({{ "/images/reports/2025-04/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+Once again, there were a number of improvements made to our website this month including:
+
+* Aman Sharma added OSS-Rebuild's [`stabilize`](https://github.com/google/oss-rebuild/tree/main/cmd/stabilize) tool to the [*Tools*]({{ "/tools/" | relative_url }}) page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/169fb7ea)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5cac89c6)]
+
+* Chris Lamb added a `configure.ac` ([GNU Autotools](https://en.wikipedia.org/wiki/GNU_Autotools)) example for using [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}). [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/54b010d0)]. Chris also updated the `SOURCE_DATE_EPOCH` snippet and move the archive metadata to a more suitable location. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/cbbe269d)]
+
+* Denis Carikli added [GNU Boot](https://www.gnu.org/software/gnuboot) to our ever-evolving [*Projects*]({{ "/who/projects/" | relative_url }}) page.
+
+<br>
+
+### Reproducibility testing framework
+
+[![]({{ "/images/reports/2025-04/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project operates a comprehensive testing framework running primarily at [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In April, a number of changes were made by Holger Levsen, including:
+
+* [*reproduce.debian.net*](https://reproduce.debian.net)-related:
+
+    * Add *armel.reproduce.debian.net* to support the `armel` architecture. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/260230bd6)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/afb3b49c8)]
+    * Add a new ARM node, `codethink05`. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/b116931d1)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/69f26a058)]
+    * Add *ppc64el.reproduce.debian.net* to support testing of the `ppc64el` architecture. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/699789a54)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/35272a222)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/fdbd776ee)]
+    * Improve the [*reproduce.debian.net*](https://reproduce.debian.net) front page. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/5c4914043)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/8abcbb3b6)]
+    * Make various changes to the `ppc64el` nodes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/7aedbc53d)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/80b47a7b4)]9[[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a10e9cdde)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/7737f2d89)]
+    * Make various changes to the `arm64` and `armhf` nodes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/7aedbc53d)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/80b47a7b4)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f9759f473)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/38e09e06d)]
+    * Various changes related to the `rebuilderd-worker` entry point. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/85e3e2e0d)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f44727fe4)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/6e79a00d5)]
+    * Create and deploy a `pkgsync` script. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/671330b34)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0ff58a7b8)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/adfa7fb10)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0634985a4)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/b2f6de0d1)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/709558c99)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/b7358b4ea)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/2a8ea5870)]
+    * Fix the monitoring of the `riscv64` architecture. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e4f6a809a)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/86398501d)]
+    * Make a number of changes related to starting the `rebuilderd` service. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/08fe3923e)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/58f309a8e)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/6b46eb7c5)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/2a12b8b10)]
+
+* Backup-related:
+
+    * Backup the rebuilder databases every week. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/4d5dcc87c)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a1d9881a6)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/ce0ff1002)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/b6ec69da3)]
+    * Improve the node health checks. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/1fc1b5c32)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/384e11cc9)]
+
+* Misc:
+
+    * Re-use existing connections to the SSH proxy node on the `riscv64` nodes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/d8a75cf20)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/ecf2c3789)]
+    * Node maintenance. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0ea8da7dc)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/207b3c27a)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/06890e806)]
+
+In addition:
+
+* Jochen Sprickerhof fixed the `risvc64` host names [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/9bb310631)] and requested access to all the `rebuilderd` nodes [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/debca1332)].
+
+* Mattia Rizzolo updated the self-serve rebuild scheduling tool, replacing the deprecated "SSO"-style authentication with [OpenIDC](https://www.google.com/search?q=OpenIDc) which authenticates against *salsa.debian.org*. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/10a15454a)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/c28314d47)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/20c9da5f6)]
+
+* Roland Clobus updated the configuration for the `osuosl3` node to designate 4 workers for bigger builds. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a23c1d216)]
+
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
 
 * Bernhard M. Wiedemann
-    * [`lout`](https://build.opensuse.org/request/show/1273540) (timestamp)
-    * [`mpiP`](https://build.opensuse.org/request/show/1273613) (date+host)
-    * [`libabigail`](https://src.opensuse.org/jengelh/libabigail/pulls/2) (race)
+
+    * [`lout`](https://build.opensuse.org/request/show/1273540)
+    * [`mpiP`](https://build.opensuse.org/request/show/1273613)
+    * [`libabigail`](https://src.opensuse.org/jengelh/libabigail/pulls/2)
     * [`cython`](https://github.com/cython/cython/issues/5986)
-    * [`mpiP`](https://github.com/LLNL/mpiP/pull/57) (debugsource date+time+hostname)
-    * [`godot`](https://github.com/godotengine/godot/issues/105181) (toolchain random)
-    * [`gnome-text-editor`](https://bugzilla.opensuse.org/show_bug.cgi?id=1241147) (FTBFS)
-    * [`clisp`](https://gitlab.com/gnu-clisp/clisp/-/issues/59) (FTBFS-2036)
-    * [`rpm`](https://github.com/rpm-software-management/rpm/pull/3728) (SDE_MTIME)
-    * [`Fiona`](https://github.com/Toblerity/Fiona/pull/1492) (FTBFS-2038)
-    * [`qtdoc`](https://bugreports.qt.io/browse/QTBUG-136483) (toolchain random)
+    * [`mpiP`](https://github.com/LLNL/mpiP/pull/57)
+    * [`godot`](https://github.com/godotengine/godot/issues/105181)
+    * [`gnome-text-editor`](https://bugzilla.opensuse.org/show_bug.cgi?id=1241147)
+    * [`clisp`](https://gitlab.com/gnu-clisp/clisp/-/issues/59)
+    * [`rpm`](https://github.com/rpm-software-management/rpm/pull/3728)
+    * [`Fiona`](https://github.com/Toblerity/Fiona/pull/1492)
+    * [`qtdoc`](https://bugreports.qt.io/browse/QTBUG-136483)
+
+* Chris Hofstaedtler:
+
+    * [#1104512](https://bugs.debian.org/1104512) filed against [`command-not-found`](https://tracker.debian.org/pkg/command-not-found).
+    * [#1104517](https://bugs.debian.org/1104517) filed against [`command-not-found`](https://tracker.debian.org/pkg/command-not-found).
+    * [#1104535](https://bugs.debian.org/1104535) filed against [`cc65`](https://tracker.debian.org/pkg/cc65).
+
+* Chris Lamb:
+
+    * [#1102659](https://bugs.debian.org/1102659) filed against [`vcsh`](https://tracker.debian.org/pkg/vcsh).
+    * [#1103797](https://bugs.debian.org/1103797) filed against [`schism`](https://tracker.debian.org/pkg/schism).
+    * [#1103798](https://bugs.debian.org/1103798) filed against [`magic-wormhole-mailbox-server`](https://tracker.debian.org/pkg/magic-wormhole-mailbox-server).
+    * [#1103800](https://bugs.debian.org/1103800) filed against [`openvpn3-client`](https://tracker.debian.org/pkg/openvpn3-client).
 
 * James Addison:
 
     * [#1102760](https://bugs.debian.org/1102760) filed against [`apg`](https://tracker.debian.org/pkg/apg).
 
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/ZVTOA6G3GTAVELEI6D5M67GVFDUUESBE/)
+* Jochen Sprickerhof:
 
-```
-> We have exciting updates for the April report. Thanks to funding by NGI
-> Mobifree, we were able to complete our works to make our RB framework
-> publicly available. There's now:
->
-> * rbuilder_setup[1] to set up the entire framework within less than 5
->   minutes. Configurable, so everything from "just the basics to verify
->   builds" up to "full-fledged RB environment with debugging tools and
->   all" is possible.
->   rbuilder_setup works on Debian, Redhat, Arch – and their derivates.
->   We got success reports from Debian, Ubuntu, Fedora, and some Arch
->   derivates so far (and currently wait for some on WSL 🙈️). Several
->   Android devs adopted the framework already to get their apps ready
->   for RB.
-> * we've taken over maintenance of Fay's gradlew.py[2] and
->   gradle-wrapper-verify[3] as those are needed/used by rbtlog. We're
->   also in the process to take over maintenance of rbtlog itself.
-> * documentation on how to work with RBs (making apps RB, debugging
->   failed RBs, etc) are available in our wiki[4] now.
->
-> [1] https://codeberg.org/IzzyOnDroid/rbuilder_setup
-> [2] https://codeberg.org/IzzyOnDroid/gradlew.py
-> [3] https://codeberg.org/IzzyOnDroid/gradle-wrapper-verify
-> [4] https://gitlab.com/IzzyOnDroid/repo/-/wikis/Reproducible-Builds
->
-> Would be great if you could take some (or all?) of those points for the
-> April report. Apart from taking over rbtlog maintenance, the next
-> expected news would be "half of our apps are set up for RB" 
-> (currently, 44.5% / 582 apps are) – maybe in Q3 then…
-```
+    * [#1103288](https://bugs.debian.org/1103288) filed against [`courier`](https://tracker.debian.org/pkg/courier).
+    * [#1103563](https://bugs.debian.org/1103563) filed against [`cross-toolchain-base`](https://tracker.debian.org/pkg/cross-toolchain-base).
 
----
+<br>
+<br>
+
+Finally, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
 
-```
-I am pleased to share our new study related to reproducible builds in Java titled "Canonicalization for Unreproducible Builds in Java" (https://arxiv.org/abs/2504.21679). Summary:
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
 
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
 
- 1. A taxonomy of causes of unreproducible builds in Java and their proposed mitigations.
- 2. Effectivness of canonicalization (same as stabilize/normalize) using OSS-Rebuild and jNorm.
- 3. Publicly available dataset of unreproducible releases. See README for more details.
-```
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
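
Review bot: The `repro-env` bullet under "Mailing list updates" carries two stray double quotes that will break rendering: `(https://github.com/kpcyrd/repro-env)" tool` leaves a literal quote in the text, and `({{ "/reports/2023-07/" | relative_url }}")` puts a quote inside the link target, so the link to the July 2023 report will not resolve. Drop both. In the IzzyOnDroid paragraph, "the project was also to put more time" is missing "able", and the statement that the tooling "currently supports Debian-based systems, but support for RPM-based systems is incoming" contradicts the bullet below it, which says the tool already works on Debian, RedHat and Arch Linux; pick one. Smaller fixes before this leaves draft: "designed monitor" needs a "to" in the reproduce.debian.net section; "a number of relevant workshops" inside the workshop paragraph presumably means talks; a stray "9" sits between the commit links on the `ppc64el` nodes item; `risvc64` should read `riscv64` in the Jochen Sprickerhof item; "and move the archive metadata" should be "moved"; the OpenIDC link points at a Google search rather than a project or specification page; and the closing paragraph's "However, you can get in touch" has nothing to contrast with and follows a Contribute sentence that already appears in the introduction. The cause annotations removed from Bernhard's patch list, such as "(timestamp)" and "(toolchain random)", told readers what class of nondeterminism each patch addressed and are worth keeping.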


=====================================
images/reports/2025-04/2504.png
=====================================
Binary files /dev/null and b/images/reports/2025-04/2504.png differ


=====================================
images/reports/2025-04/chains.png
=====================================
Binary files /dev/null and b/images/reports/2025-04/chains.png differ


=====================================
images/reports/2025-04/debian.png
=====================================
Binary files /dev/null and b/images/reports/2025-04/debian.png differ


=====================================
images/reports/2025-04/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2025-04/diffoscope.png differ


=====================================
images/reports/2025-04/izzyondroid.png
=====================================
Binary files /dev/null and b/images/reports/2025-04/izzyondroid.png differ


=====================================
images/reports/2025-04/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2025-04/opensuse.png differ


=====================================
images/reports/2025-04/reproduce.png
=====================================
Binary files /dev/null and b/images/reports/2025-04/reproduce.png differ


=====================================
images/reports/2025-04/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2025-04/reproducible-builds.png differ


=====================================
images/reports/2025-04/russcoxarticle.png
=====================================
Binary files /dev/null and b/images/reports/2025-04/russcoxarticle.png differ


=====================================
images/reports/2025-04/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2025-04/testframework.png differ


=====================================
images/reports/2025-04/website.png
=====================================
Binary files /dev/null and b/images/reports/2025-04/website.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/9111817aa1692b4093ee50cc79a0e13e43bd23e2
