[Git][reproducible-builds/reproducible-website][master] 2025-09: Initial draft
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Wed Oct 8 19:43:14 UTC 2025
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
7a315151 by Chris Lamb at 2025-10-08T12:42:56-07:00
2025-09: Initial draft
- - - - -
18 changed files:
- _reports/2025-09.md
- + images/reports/2025-09/2508.01530.png
- + images/reports/2025-09/apparmor.png
- + images/reports/2025-09/debian.png
- + images/reports/2025-09/diffoscope.png
- + images/reports/2025-09/fdroid.png
- + images/reports/2025-09/fedora.png
- + images/reports/2025-09/guix.png
- + images/reports/2025-09/izzyondroid.png
- + images/reports/2025-09/opensuse-lg.png
- + images/reports/2025-09/opensuse.png
- + images/reports/2025-09/oss-rebuild.png
- + images/reports/2025-09/reproducible-builds.png
- + images/reports/2025-09/rust.jpg
- + images/reports/2025-09/summit.jpg
- + images/reports/2025-09/testframework.png
- + images/reports/2025-09/website.png
- + images/reports/2025-09/why2025.png
Changes:
=====================================
_reports/2025-09.md
=====================================
@@ -6,24 +6,165 @@ title: "Reproducible Builds in September 2025"
draft: true
---
-* [FIXME](https://fedoraproject.org/wiki/Changes/Package_builds_are_expected_to_be_reproducible deferred to Fedora 44 as https://www.phoronix.com/news/Fedora-44-Reproducible-Builds reports based on https://meetbot.fedoraproject.org/meeting_matrix_fedoraproject-org/2025-09-02/fesco.2025-09-02-17.01.log.html)
+**Welcome to the September 2025 report from the [Reproducible Builds](https://reproducible-builds.org) project!**
+{: .lead}
-* [FIXME](https://gwolf.org/2025/09/saying-_hi_-to-my-good-reproducible-builds-friends-while-reading-a-magazine-article.html)
+[](https://reproducible-builds.org/)
-* Holger set up six new ionos rebuilderd-workers (ionos20-25) for https://reproduce.debian.net/all-pull184/ with 16 cores and 16 GB RAM each, replacing ionos16-18.
+**Welcome to the very latest report from the [Reproducible Builds]({{ "/" | relative_url }}) project.** our monthly reports outline what we've been up to over the past month, and highlight items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
-* [FIXME](https://vulns.xyz/2025/09/rebuilderd-v0.25.0/) and [FIXME](https://lists.reproducible-builds.org/pipermail/rb-general/2025-September/003890.html)
+<!--
-* FIXME: DebianBug#1116598: debian-repro-status fails with 404 error on Debian Trixie
+**In this report:**
+
+0. (Automatically populated prior to publication.)
+
+-->
+
+---
+
+### [Reproducible Builds Summit 2025]({{ "/events/vienna2025/" | relative_url }})
+
+[]({{ "/events/vienna2025/" | relative_url }})
+
+Please join us at the [upcoming Reproducible Builds Summit]({{ "/events/vienna2025/" | relative_url }}), set to take place from _October 28th — 30th 2025_ in Vienna, Austria!**
+
+We are thrilled to host the eighth edition of this exciting event, following the success of previous summits in various iconic locations around the world, including Venice, Marrakesh, Paris, Berlin, Hamburg and Athens. Our summits are a unique gathering that brings together attendees from diverse projects, united by a shared vision of advancing the Reproducible Builds effort.
+
+During this enriching event, participants will have the opportunity to engage in discussions, establish connections and exchange ideas to drive progress in this vital field. Our aim is to create an inclusive space that fosters collaboration, innovation and problem-solving.
+
+If you're interesting in joining us this year, please make sure to [read the event page]({{ "/events/vienna2025/" | relative_url }}) which has more details about the event and location. Registration is open until 20th September 2025, and we are very much looking forward to seeing many readers of these reports there!
+
+<br>
+
+### [*Can't we have nice things?*](https://cacm.acm.org/opinion/cant-we-have-nice-things/)
+
+Debian Developer [Gunnar Wolf blogged that](https://cacm.acm.org/opinion/cant-we-have-nice-things/) George V. Neville-Neil's "Kode Vicious" column in [Communications of the ACM](https://cacm.acm.org/) in which reproducible builds "is mentioned without needing to introduce it (assuming familiarity across the computing industry and academia)". Titled, [*Can't we have nice things?*](https://cacm.acm.org/opinion/cant-we-have-nice-things/), the article mentions:
+
+> Once the proper measurement points are known, we want to constrain the system such that what it does is simple enough to understand and easy to repeat. It is quite telling that the push for software that enables reproducible builds only really took off after an embarrassing widespread security issue ended up affecting the entire Internet. That there had already been 50 years of software development before anyone thought that introducing a few constraints might be a good idea is, well, let’s just say it generates many emotions, none of them happy, fuzzy ones. [[…](https://cacm.acm.org/opinion/cant-we-have-nice-things/)]
+
+<br>
+
+### Distribution work
+
+[](https://debian.org/)
+
+In **Debian** this month, Johannes Starosta [filed a bug](https://bugs.debian.org/1116598) against the `debian-repro-status` package, reporting that it does not work on Debian *trixie*. (An [upstream bug report was also filed](https://github.com/kpcyrd/debian-repro-status/issues/19).) Furthermore, 17 reviews of Debian packages were added, 10 were updated and 14 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
+
+[](https://www.fedoraproject.org/)
+
+[In March's report]({{ "/reports/2025-03/" | relative_url }}), we included the news that **Fedora** would [aim for 99% package reproducibility](https://fedoraproject.org/wiki/Changes/Package_builds_are_expected_to_be_reproducible). This change [has now been deferred to Fedora 44](https://www.phoronix.com/news/Fedora-44-Reproducible-Builds) according to Phoronix.
+
+[](https://www.opensuse.org/)
+
+Lastly, Bernhard M. Wiedemann posted another [**openSUSE**](https://www.opensuse.org/) [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/E2NABNGFPWSIUBOMBCRN4C3BX2B5VABL/) for their work there.
+
+<br>
+
+### Tool development
+
+**diffoscope** version `306` was [uploaded to Debian unstable](https://tracker.debian.org/news/1664272/accepted-diffoscope-306-source-into-unstable/) by Chris Lamb. It [included contributions already covered in previous months](https://salsa.debian.org/reproducible-builds/diffoscope/commits/306) as well as some changes by Zbigniew Jędrzejewski-Szmek to address issues with the the `fdtump` support [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8f265167)] and to move away from the deprecated `codes.open` method. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/112492ec)][[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/b19d7e7a)]
+
+**strip-nondeterminism** version `1.15.0-1` was [uploaded to Debian unstable](https://tracker.debian.org/news/1664629/accepted-strip-nondeterminism-1150-1-source-into-unstable/) by Chris Lamb. It included a contribution by Matwey Kornilov to add support for inline archive files for Erlang's escript [[…](https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/90ef48f)].
+
+*kpcyrd* has [released a new version of **rebuilderd**](https://vulns.xyz/2025/09/rebuilderd-v0.25.0/). As a quick recap, *rebuilderd* is an automatic build scheduler that tracks binary packages available in a Linux distribution and attempts to compile the official binary packages from their (purported) source code and dependencies. The code for [in-toto](https://in-toto.io/) attestations has been reworked, and the instances now feature a new endpoint that can be queried to fetch the list of public-keys an instance currently identifies itself by. [[…](https://lists.reproducible-builds.org/pipermail/rb-general/2025-September/003890.html)]
+
+Lastly, Holger Levsen bumped the [`Standards-Version` field](https://www.debian.org/doc/debian-policy/ch-controlfields.html#standards-version) of **disorderfs**, with no changes needed. [[…](https://salsa.debian.org/reproducible-builds/disorderfs/commit/dd444b0)][[…](https://salsa.debian.org/reproducible-builds/disorderfs/commit/f19f069)]
+
+<br>
+
+### Reproducibility testing framework
+
+[](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project operates a comprehensive testing framework running primarily at [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In August, however, a number of changes were made by **Holger Levsen**, including:
+
+* Setting up six new *rebuilderd* workers with 16 cores and 16 GB RAM each.
+
+* [*reproduce.debian.net*](https://reproduce.debian.net)-related:
+
+ * Do not expose pending jobs; they are confusing without explaination. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/8a5ec032e)]
+ * Add a link to v1 API specification. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e1764373e)]
+ * Drop `rebuilderd-worker.conf` on a node. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a1efc6105)]
+ * Allow manual scheduling for any architectures. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/153edfe79)]
+ * Update path to *trixie* graphs. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0215d502c)]
+ * Use the same `rebuilder-debian.sh` script for all hosts. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f096b60e4)]
+ * Add all other suites to all other archs. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/514bd64be)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/5721f1e42)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/b927835fc)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/828ee052b)]
+ * Update SSH host keys for new hosts. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/5378be3dc)]
+ * Move to the `pull184` branch. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/663cafebc)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/9ce76d7b8)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/c10518803)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e6b2a82e7)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/ef3ca1e51)]
+ * Only allow 20 GB cache for workers. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/755896abf)]
+
+* [OpenWrt](https://openwrt.org/)-related:
+
+ * Grant developer *aparcar* full `sudo` control on the `ionos30` node. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f53cd7ed4)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/9eb545d47)]
+
+* Jenkins nodes:
+
+ * Add a number of new nodes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a8bfcd809)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/dd3a400a7)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/954163a95)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/62c506c0f)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/5953a9b93)]
+ * Dont expect `/srv/workspace` to exist on OSUOSL nodes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/5ee534a7d)]
+ * Stop hardcoding IP addresses in `munin.conf`. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/311e8a8a1)]
+ * Add maintenance and health check jobs for new nodes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/4a762e80e)]
+ * Document slight changes in IONOS resources usage. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/97baf1535)]
+
+* Misc:
+
+ * Drop disabled [Alpine Linux](https://www.alpinelinux.org/) tests for good. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/9d612c169)]
+ * Move Debian live builds and some other Debian builds to the `ionos10` node. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0fb118f44)]
+ * Cleanup some legacy support from releases before Debian *trixie*. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/ac6e3d3bd)]
+
+In addition, Jochen Sprickerhof made the following changes relating to [*reproduce.debian.net*](https://reproduce.debian.net):
+
+* Do not expose pending jobs on the main site. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/7bfd59ff1)]
+* Switch the frontpage to reference Debian *forky* [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/5b1020059)], but do not attempt to build Debian *forky* on the `armel` architecture [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a81a9a613)].
+* Use consistent and up to date `rebuilder-debian.sh` script. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/8522748b5)]
+* Fix supported worker architectures. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0df1ff927)]
+* Add a basic 'excuses' page. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0bbb057c1)]
+* Move to the `pull184` branch. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/de05462ea)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/9ed7c0edd)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/02909e093)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0cc136a6c)]
+* Fix a typo in the JavaScript. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/466cf6a34)]
+* Update front page for the new v1 API. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/8e6f06ae4)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/eee7fa31a)]
+
+Lastly, Roland Clobus did some maintenance relating to the reproducibility testing of the [Debian Live](https://www.debian.org/CD/live/) images. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0e0244a85)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/48cee4d18)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/d9c0d5c7b)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/d55d9a703)]
+
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
* Aleksei Burlakov:
- * [`hawk2`](https://build.opensuse.org/request/show/1302599) (mtime)
+
+ * [`hawk2`](https://build.opensuse.org/request/show/1302599)
* Bernhard M. Wiedemann:
- * [`kf6-kirigami`](https://build.opensuse.org/request/show/1302953) (race finally avoided)
- * [`clamav`](https://bugzilla.opensuse.org/show_bug.cgi?id=1249404) (toolchain, random rust)
- * [`obs-build/librcc+librcd`](https://github.com/openSUSE/obs-build/issues/1099) (toolchain issue with timezone parsing)
- * [`ceph`](https://bugzilla.suse.com/show_bug.cgi?id=1249586) (random)
- * [`cmake/libarchive`](https://gitlab.kitware.com/cmake/cmake/-/issues/27263) (FTBFS-2038)
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/E2NABNGFPWSIUBOMBCRN4C3BX2B5VABL/)
+ * [`ceph`](https://bugzilla.suse.com/show_bug.cgi?id=1249586)
+ * [`clamav`](https://bugzilla.opensuse.org/show_bug.cgi?id=1249404)
+ * [`cmake/libarchive`](https://gitlab.kitware.com/cmake/cmake/-/issues/27263)
+ * [`kf6-kirigami`](https://build.opensuse.org/request/show/1302953)
+ * [`obs-build/librcc+librcd`](https://github.com/openSUSE/obs-build/issues/1099)
+
+* Chris Lamb:
+
+ * [#1113809](https://bugs.debian.org/1113809) filed against [`ms-gsl`](https://tracker.debian.org/pkg/ms-gsl).
+ * [#1113813](https://bugs.debian.org/1113813) filed against [`llama.cpp`](https://tracker.debian.org/pkg/llama.cpp).
+ * [#1114638](https://bugs.debian.org/1114638) filed against [`python-mcstasscript`](https://tracker.debian.org/pkg/python-mcstasscript).
+ * [#1114772](https://bugs.debian.org/1114772) filed against [`rocm-docs-core`](https://tracker.debian.org/pkg/rocm-docs-core).
+ * [#1114869](https://bugs.debian.org/1114869) filed against [`octave-optics`](https://tracker.debian.org/pkg/octave-optics).
+ * [#1114950](https://bugs.debian.org/1114950) filed against [`g2o`](https://tracker.debian.org/pkg/g2o).
+ * [#1114999](https://bugs.debian.org/1114999) filed against [`golang-forgejo-forgejo-levelqueue`](https://tracker.debian.org/pkg/golang-forgejo-forgejo-levelqueue).
+ * [#1115999](https://bugs.debian.org/1115999) filed against [`openrgb`](https://tracker.debian.org/pkg/openrgb).
+
+* Roland Clobus:
+
+ * [#1114521](https://bugs.debian.org/1114521) filed against [`mdadm`](https://tracker.debian.org/pkg/mdadm).
+
+<br>
+<br>
+
+Finally, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
+
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
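Review bot: Several added paragraphs look carried over from an earlier report and are stale for a September issue. The testing framework intro says "In August, however, a number of changes were made", and the Summit section says "Registration is open until 20th September 2025", a date that has already passed at the time of this commit. Both should be updated or dropped before `draft: true` is removed. In the same hunk: the page now opens with two welcome paragraphs ("Welcome to the September 2025 report" and "Welcome to the very latest report"), the second of which continues with a lowercase "our monthly reports", so one of them should go. The Summit line ends in a stray `**` with no opening marker. The "Gunnar Wolf blogged that" link points at cacm.acm.org, whereas the removed FIXME line carried the gwolf.org post URL, and the sentence around it does not parse. In the diffoscope entry, "the the `fdtump`" has a doubled word and probably means `fdtdump`, and `codes.open` probably means `codecs.open`. Smaller typos: "interesting in joining", "explaination", "Dont". Lastly, the closing paragraph's "However, you can get in touch" does not follow from the sentence before it.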
=====================================
images/reports/2025-09/2508.01530.png
=====================================
Binary files /dev/null and b/images/reports/2025-09/2508.01530.png differ
=====================================
images/reports/2025-09/apparmor.png
=====================================
Binary files /dev/null and b/images/reports/2025-09/apparmor.png differ
=====================================
images/reports/2025-09/debian.png
=====================================
Binary files /dev/null and b/images/reports/2025-09/debian.png differ
=====================================
images/reports/2025-09/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2025-09/diffoscope.png differ
=====================================
images/reports/2025-09/fdroid.png
=====================================
Binary files /dev/null and b/images/reports/2025-09/fdroid.png differ
=====================================
images/reports/2025-09/fedora.png
=====================================
Binary files /dev/null and b/images/reports/2025-09/fedora.png differ
=====================================
images/reports/2025-09/guix.png
=====================================
Binary files /dev/null and b/images/reports/2025-09/guix.png differ
=====================================
images/reports/2025-09/izzyondroid.png
=====================================
Binary files /dev/null and b/images/reports/2025-09/izzyondroid.png differ
=====================================
images/reports/2025-09/opensuse-lg.png
=====================================
Binary files /dev/null and b/images/reports/2025-09/opensuse-lg.png differ
=====================================
images/reports/2025-09/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2025-09/opensuse.png differ
=====================================
images/reports/2025-09/oss-rebuild.png
=====================================
Binary files /dev/null and b/images/reports/2025-09/oss-rebuild.png differ
=====================================
images/reports/2025-09/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2025-09/reproducible-builds.png differ
=====================================
images/reports/2025-09/rust.jpg
=====================================
Binary files /dev/null and b/images/reports/2025-09/rust.jpg differ
=====================================
images/reports/2025-09/summit.jpg
=====================================
Binary files /dev/null and b/images/reports/2025-09/summit.jpg differ
=====================================
images/reports/2025-09/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2025-09/testframework.png differ
=====================================
images/reports/2025-09/website.png
=====================================
Binary files /dev/null and b/images/reports/2025-09/website.png differ
=====================================
images/reports/2025-09/why2025.png
=====================================
Binary files /dev/null and b/images/reports/2025-09/why2025.png differ
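Review bot: Some of the images added here have no matching section in the `_reports/2025-09.md` text shown above. For example, nothing in the draft covers `apparmor.png`, `fdroid.png`, `guix.png`, `izzyondroid.png`, `oss-rebuild.png`, `rust.jpg`, `why2025.png` or `2508.01530.png`. Either add the sections that use them in this commit, or hold the files back until those sections land, so the repository does not carry unreferenced binary assets.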
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/7a31515170dfc1fefa229c05f361ae7f7fea70f8