[Git][reproducible-builds/reproducible-website][master] 2 commits: 2025-04: Misc changes prior to publication.
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Mon May 12 19:00:48 UTC 2025
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
c3ff9a73 by Chris Lamb at 2025-05-12T12:00:23-07:00
2025-04: Misc changes prior to publication.
- - - - -
b58115fb by Chris Lamb at 2025-05-12T12:00:42-07:00
published as https://reproducible-builds.org/reports/2025-04/
- - - - -
3 changed files:
- _reports/2025-04.md
- images/reports/2025-04/nixos.png
- images/reports/2025-04/tui.png
Changes:
=====================================
_reports/2025-04.md
=====================================
@@ -3,20 +3,27 @@ layout: report
year: "2025"
month: "04"
title: "Reproducible Builds in April 2025"
-draft: true
+draft: false
+date: 2025-05-12 19:00:42
---
[](https://reproducible-builds.org/)
**Welcome to our fourth report from the [Reproducible Builds]({{ "/" | relative_url }}) project in 2025.** These monthly reports outline what we've been up to over the past month, and highlight items of news from elsewhere in the increasingly-important area of software supply-chain security. Lastly, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
-<!--
-
**Table of contents:**
-0. FIXME: Automatically generated
-
--->
+0. [reproduce.debian.net](#reproducedebiannet)
+0. [*Fifty Years of Open Source Software Supply Chain Security*](#fifty-years-of-open-source-software-supply-chain-security)
+0. [4th CHAINS Software Supply Chain Workshop](#4th-chains-software-supply-chain-workshop)
+0. [Mailing list updates](#mailing-list-updates)
+0. [*Canonicalization for Unreproducible Builds in Java*](#canonicalization-for-unreproducible-builds-in-java)
+0. [*OSS Rebuild* adds new TUI features](#oss-rebuild-adds-new-tui-features)
+0. [Distribution roundup](#distribution-roundup)
+0. [*diffoscope* & *strip-nondeterminism*](#diffoscope--strip-nondeterminism)
+0. [Website updates](#website-updates)
+0. [Reproducibility testing framework](#reproducibility-testing-framework)
+0. [Upstream patches](#upstream-patches)
---
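Review bot: the new `date:` front-matter value `2025-05-12 19:00:42` carries no timezone offset, so the rendered publication time depends on whatever timezone the site generator is configured with; the commit timestamps in this push are in -07:00 while the value looks like UTC, so consider writing it as `2025-05-12 19:00:42 +0000` to make it unambiguous. The table of contents replaces the `FIXME: Automatically generated` comment with hand-written anchors, so each one (in particular `#diffoscope--strip-nondeterminism`, whose double hyphen comes from the `&` in the heading) needs to be checked against the IDs the generator actually emits, since a heading edited later will silently break the link.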
@@ -40,7 +47,7 @@ Russ Cox has published a must-read article in [ACM Queue](https://queue.acm.org/
He concludes as follows:
-> We are all struggling with a massive shift that has happened in the past 10 or 20 years in the software industry. For decades, software reuse was only a lofty goal. Now it's very real.12 Modern programming environments such as Go, Node, and Rust have made it trivial to reuse work by others, but our instincts about responsible behaviors have not yet adapted to this new reality.
+> We are all struggling with a massive shift that has happened in the past 10 or 20 years in the software industry. For decades, software reuse was only a lofty goal. Now it's very real. Modern programming environments such as Go, Node and Rust have made it trivial to reuse work by others, but our instincts about responsible behaviors have not yet adapted to this new reality.
>
> We all have more work to do.
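Review bot: dropping the stray `12` after "Now it's very real." is a good fix (it is a footnote marker copied from the article), but the same line also changes "Go, Node, and Rust" to "Go, Node and Rust" inside a blockquote that is presented as Russ Cox's own words. House punctuation style should not be applied to quoted text; keep the quotation's original comma.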
@@ -52,7 +59,7 @@ He concludes as follows:
Convened as part of the [CHAINS](https://chains.proj.kth.se/) research project at the [KTH Royal Institute of Technology](https://www.kth.se/en) in Stockholm, Sweden, the [*4th CHAINS Software Supply Chain Workshop*](https://chains.proj.kth.se/software-supply-chain-workshop-4.html) occurred during April. During the workshop, there were a number of relevant workshops, including:
-* [Signature, Attestations, and Reproducible Builds](https://chains.proj.kth.se/workshop_4_assets/slides/Signature_Attestations_Reproducible%20Builds.pdf)
+* [Signature, Attestations and Reproducible Builds](https://chains.proj.kth.se/workshop_4_assets/slides/Signature_Attestations_Reproducible%20Builds.pdf)
* [Does Functional Package Management Enable Reproducible Builds at Scale?](https://hal.science/hal-04913007)
* [Causes and Mitigations of Unreproducible Builds in Java](https://algomaster99.github.io/talks/4th-chains-workshop/slides.pdf) [\[paper\]](https://arxiv.org/abs/2504.21679)
* [Fixing Breaking Dependency Updates Using LLMs](https://kth.diva-portal.org/smash/get/diva2:1905601/FULLTEXT01.pdf)
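Review bot: the comma change in the "Signature, Attestations and Reproducible Builds" link text is fine, but the unchanged context sentence above the list reads "During the workshop, there were a number of relevant workshops, including:", which repeats "workshop" and describes what are talks and slide decks; suggest "a number of relevant talks, including:" in a follow-up.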
@@ -61,9 +68,7 @@ Convened as part of the [CHAINS](https://chains.proj.kth.se/) research project a
* [`observer`](https://github.com/sbom-observer/observer-cli) (Generating SBOMs for C/C++)
* [`dirty-waters`](https://github.com/chains-project/dirty-waters) (Transparency checks for software supply chains)
* A [supply chain competition](https://chains.proj.kth.se/chains-repo-checklist.html). Martin Schwaighofer, the winner, [created a recap video](https://youtu.be/lqH2lVe8Isc) (20m43s).
-* Finally, [8 posters](https://chains.proj.kth.se/software-supply-chain-workshop-4.html#poster-session) on dependency introspection, diverse double compilation, dependency management, VEX, and SBOM.
-
-
+* Finally, [8 posters](https://chains.proj.kth.se/software-supply-chain-workshop-4.html#poster-session) on dependency introspection, diverse double compilation, dependency management, VEX and SBOM.
The [full listing of the agenda](https://chains.proj.kth.se/software-supply-chain-workshop-4.html) is available on the workshop's website.
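Review bot: this hunk removes both blank lines between the final "8 posters" bullet and the paragraph "The full listing of the agenda ..."; make sure exactly one blank line survives there, otherwise Markdown will fold that paragraph into the last list item as continuation text. The comma removal matches the style applied in the previous hunk.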
@@ -99,9 +104,9 @@ A [full PDF of their article](https://arxiv.org/pdf/2504.21679) is available fro
[](https://github.com/google/oss-rebuild)
-[OSS Rebuild](https://github.com/google/oss-rebuild) aims to automate rebuilding upstream language packages (e.g. from PyPI, crates.io, npm registries) and publish signed attestations and build definitions for public use.
+[*OSS Rebuild*](https://github.com/google/oss-rebuild) aims to automate rebuilding upstream language packages (e.g. from [PyPI](https://pypi.org/), [crates.io](https://crates.io/) and *npm* registries) and publish signed attestations and build definitions for public use.
-OSS Rebuild ships a TUI interface for viewing, launching, and debugging rebuilds. While previously requiring ownership of a full instance of OSS Rebuild's hosted infrastructure, the TUI [now supports](https://github.com/google/oss-rebuild/pull/487) a fully local mode of build execution and artifact storage. Thanks to Giacomo Benedetti for his usage feedback and work to extend the local-only development toolkit.
+OSS Rebuild ships a text-based user interface (TUI) for viewing, launching, and debugging rebuilds. While previously requiring ownership of a full instance of OSS Rebuild's hosted infrastructure, the [TUI now supports](https://github.com/google/oss-rebuild/pull/487) a fully local mode of build execution and artifact storage. Thanks to Giacomo Benedetti for his usage feedback and work to extend the local-only development toolkit.
Another feature added to the TUI was an experimental [chatbot integration](https://github.com/google/oss-rebuild/pull/484) that provides interactive feedback on rebuild failure root causes and suggests fixes.
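Review bot: emphasis and linking are inconsistent within the hunk: the first mention is now `[*OSS Rebuild*](...)` while the next paragraph still has plain "OSS Rebuild ships ...", and PyPI and crates.io gained links but *npm* is only italicised; suggest linking it to https://www.npmjs.com/ as well. The retained "viewing, launching, and debugging" also keeps the serial comma that the rest of this commit removes elsewhere, so pick one convention.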
@@ -133,13 +138,13 @@ The [**IzzyOnDroid**](https://apt.izzysoft.de/fdroid/) Android APK repository ma
* [Future work](https://codeberg.org/IzzyOnDroid/-/projects/13002) is also in the pipeline, including documentation, guidelines and helpers for debugging.
-[](https://www.opensuse.org/)
+[](https://reproducible.nixos.org/)
-In [**openSUSE**](https://www.opensuse.org/) news, Bernhard M. Wiedemann posted another [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/ZVTOA6G3GTAVELEI6D5M67GVFDUUESBE/) for their work there.
+[**NixOS**](https://reproducible.nixos.org) defined an [Outreachy](https://www.outreachy.org/) project for improving build reproducibility. In the application phase, NixOS saw some strong candidates providing contributions, both on the NixOS side and upstream: [guider-le-ecit](https://github.com/Guider-le-recit) analyzed a [`libpinyin` issue](https://github.com/Guider-le-recit). [Tessy James](https://github.com/TessyJames28) fixed an issue in [`arandr`](https://github.com/NixOS/nixpkgs/pull/395245) and helped analyze one in [`libvlc`](https://github.com/NixOS/nixpkgs/issues/393651) that led to a [proposed upstream fix](https://code.videolan.org/videolan/vlc/-/merge_requests/7149). Finally, [3pleX](https://github.com/3pleX-dev) fixed an issue which was accepted in upstream [`kitty`](https://github.com/kovidgoyal/kitty/pull/8509), one in upstream [`maturin`](https://github.com/PyO3/maturin/pull/2550), one in upstream [`python-sip`](https://github.com/Python-SIP/sip/pull/70) and one in the Nix packaging of [`python-libbytesize`](https://github.com/NixOS/nixpkgs/pull/395486). Sadly, the funding for this internship fell through, so NixOS were forced to abandon their search.
-[](https://reproducible.nixos.org/)
+[](https://www.opensuse.org/)
-[**NixOS**](https://reproducible.nixos.org) had defined an [Outreachy](https://www.outreachy.org/) project for improving build reproducibility. In the application phase, we had some amazing candidates providing contributions, both on the NixOS side and upstream: [guider-le-ecit](https://github.com/Guider-le-recit) analyzed a [libpinyin issue](https://github.com/Guider-le-recit). [Tessy James](https://github.com/TessyJames28) fixed an issue in [arandr](https://github.com/NixOS/nixpkgs/pull/395245) and helped analyze one in [libvlc](https://github.com/NixOS/nixpkgs/issues/393651) which led to a fix also proposed [upstream](https://code.videolan.org/videolan/vlc/-/merge_requests/7149). Finally, [3pleX](https://github.com/3pleX-dev) fixed an issue which was accepted in upstream [kitty](https://github.com/kovidgoyal/kitty/pull/8509), one in upstream [maturin](https://github.com/PyO3/maturin/pull/2550), one in upstream [python-sip](https://github.com/Python-SIP/sip/pull/70) and one in the Nix packaging of [python-libbytesize](https://github.com/NixOS/nixpkgs/pull/395486). Sadly, the funding for this internship fell through, so even though we were impressed with the candidates we've had to abort the search.
+Lastly, in [**openSUSE**](https://www.opensuse.org/) news, Bernhard M. Wiedemann posted another [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/ZVTOA6G3GTAVELEI6D5M67GVFDUUESBE/) for their work there.
<br>
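Review bot: in the NixOS paragraph the `libpinyin` issue link points to https://github.com/Guider-le-recit, which is the same URL as the contributor's profile link immediately before it, so it is almost certainly not the issue being referred to; this was already wrong in the removed line and survives the rewrite, please replace it with the actual issue URL. The rewrite from first person ("we had some amazing candidates") to third person ("NixOS saw some strong candidates") is the right call for a project-wide report, and swapping the openSUSE and NixOS sections so the image banners match the text below them fixes the previous mismatch.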
=====================================
images/reports/2025-04/nixos.png
=====================================
Binary files a/images/reports/2025-04/nixos.png and b/images/reports/2025-04/nixos.png differ
=====================================
images/reports/2025-04/tui.png
=====================================
Binary files a/images/reports/2025-04/tui.png and b/images/reports/2025-04/tui.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/0a41c93486606f6961bd98215bd0a7e620fb4eeb...b58115fbba4f818e23215dbbe6419e2db108b8ef