[Git][reproducible-builds/reproducible-website][master] 2026-03: Initial draft

Chris Lamb (@lamby) gitlab at salsa.debian.org
Tue Apr 7 16:55:48 UTC 2026



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
155e41d1 by Chris Lamb at 2026-04-07T12:55:29-04:00
2026-03: Initial draft

- - - - -


9 changed files:

- _reports/2026-03.md
- + images/reports/2026-03/debian.png
- + images/reports/2026-03/diffoscope.png
- + images/reports/2026-03/epub.jku.png
- + images/reports/2026-03/opensuse.png
- + images/reports/2026-03/reproduce.debian.net.png
- + images/reports/2026-03/reproducible-builds.png
- + images/reports/2026-03/tux.png
- + images/reports/2026-03/website.png


Changes:

=====================================
_reports/2026-03.md
=====================================
@@ -6,31 +6,175 @@ title: "Reproducible Builds in March 2026"
 draft: true
 ---
 
-* [FIXME](https://epub.jku.at/obvulihs/content/titleinfo/13440717)
-* [FIXME](https://grapheneos.social/@GrapheneOS/116182571408865473)
+**Welcome to the March 2026 report from the [Reproducible Builds](https://reproducible-builds.org) project!**
+{: .lead}
 
-* kpcyrd:
-    * [`cargo`](https://github.com/rust-lang/cargo/pull/16691) (HashMap random order)
-    * maybe this issue is the better resource though: https://github.com/rust-lang/cargo/issues/16693
+[![]({{ "/images/reports/2026-03/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
 
-* [FIXME](https://lore.kernel.org/lkml/20260311011218.GA212983@quark/)
-* [FIXME](https://github.com/jonhoo/flurry/issues/135)
-* [FIXME](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130772)
+These reports outline what we've been up to in February, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
 
-* [FIXME](https://lists.debian.org/debian-devel-announce/2026/03/msg00004.html)
+<!--
 
-* [FIXME](https://dl.gi.de/items/07a895be-d49c-4d73-b14d-cb533e850ca2)
+0. Table of contents generated here prior to publication
 
-* Vagrant Cascadian updated *diffoscope* in GNU Guix to version [`315`](https://codeberg.org/guix/guix/commit/61849b667726dd30d623b517380f5b12655b115a).
+-->
 
-* [FIXME rebuilderd v0.26.0](https://github.com/kpcyrd/rebuilderd/releases/tag/v0.26.0)
-    * much smoother onboarding
-    * many changes (see changelog)
-    * `apt install -y rebuilderd rebuildctl rebuilderd-worker && systemctl enable --now rebuilderd-worker at node1 && sleep 3 && sudo rebuildctl status` and you should see one single idle node
-        * you could avoid running rebuildctl as root, but `sudo usermod -aG rebuilderd "$USER" && newgrp rebuilderd -c 'rebuildctl status'` doesn't roll off the tongue that well
+---
+
+### Linux kernel's signature-based integrity checking to be replaced?
+
+[![]({{ "/images/reports/2026-03/tux.png#right" | relative_url }})](https://lore.kernel.org/lkml/20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net/)
+
+Eric Biggers posted to the [Linux Kernel Mailing List](https://lkml.org/) in response to a [patch series posted by Thomas Weißschuh](https://lore.kernel.org/lkml/20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net/) to introduce a hash-based system of integrity checking. Thomas' [original post](https://lore.kernel.org/lkml/20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net/) mentions:
+
+> The current signature-based module integrity checking has some drawbacks in combination with reproducible builds. Either the module signing key is generated at build time, which makes the build unreproducible, or a static signing key is used, which precludes rebuilds by third parties and makes the whole build and packaging process much more complicated.
+
+However, [Eric's followup message](https://lore.kernel.org/lkml/20260311011218.GA212983@quark/) goes further:
+
+> I think this actually undersells the feature. It's also much simpler than the signature-based module authentication. The latter relies on PKCS#7, X.509, ASN.1, OID registry, `crypto_sig` API, etc in addition to the implementations of the actual signature algorithm (RSA / ECDSA / ML-DSA) and at least one hash algorithm.
+
+<br>
+
+### Distribution work
+
+[![]({{ "/images/reports/2026-03/debian.png#right" | relative_url }})](https://debian.org/)
+
+In Debian this month,
+
+* Lucas Nussbaum [announced *Debaudit*](https://lists.debian.org/debian-devel-announce/2026/03/msg00004.html), a "new service to verify the reproducibility of Debian source packages":
+
+  > *debaudit* complements the work of the Reproducible Builds project. While [reproduce.debian.net](https://reproduce.debian.net/) focuses on ensuring that binary packages can be bit-for-bit reproduced from their source packages, *debaudit* focuses on the preceding step: ensuring that the source package itself is a faithful and reproducible representation of its upstream source or `Vcs-Git` repository.
+
+* *kpcyrd* [filed a bug against the `librust-const-random-dev` package](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130772) reporting that the `compile-time-rng` feature of the `ahash` crate uses the `const-random` crate in turn, which uses a macro to read/generate a random number generator during the build. This issue was also [filed upstream](https://github.com/jonhoo/flurry/issues/135).
+
+* 60 reviews of Debian packages were added, 4 were updated and 16 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). One new issue types was added, [`pkgjs_lock_json_file_issue`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/e1457606).
+
+[![]({{ "/images/reports/2026-03/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
+
+Lastly, Bernhard M. Wiedemann posted another [**openSUSE**](https://www.opensuse.org/) [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/Y4UFWITC7EWEMPU2LCE7BIMNXUQW5CNI/) for their work there.
+
+<br>
+
+### Tool development
+
+[![]({{ "/images/reports/2026-03/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
+
+[**diffoscope**](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes, including preparing and uploading versions, [`314`](https://tracker.debian.org/news/1729381/accepted-diffoscope-314-source-into-unstable/) and [`315`](https://tracker.debian.org/news/1732739/accepted-diffoscope-315-source-into-unstable/) to Debian.
+
+* Chris Lamb:
+
+    * Don't run `test_code_is_black_clean` test in the autopkgtests. ([#1130402](https://bugs.debian.org/1130402)). [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/fbdc9b0d)]
+    * Add some debugging info for PyPI debugging. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e881f4fa)]
+
+* Jelle van der Waa:
+
+    * Fix compatibility with [LLVM](https://llvm.org/) version 22. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/6ea43da2)]
+    * Adjust the PGP file detection regular expression. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/1bb658f7)]
+
+* Michael R. Crusoe:
+
+    * Reformat the source code using [Black](https://github.com/psf/black) version 26.1.0 [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/3906fd77)][[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/9adf36d5)]
+
+In addition, Vagrant Cascadian [updated *diffoscope* in GNU Guix to version `315`](https://codeberg.org/guix/guix/commit/61849b667726dd30d623b517380f5b12655b115a).
+
+<br>
+
+[![]({{ "/images/reports/2026-03/reproduce.debian.net.png#right" | relative_url }})](https://reproduce.debian.net)
+
+[**rebuilderd**](https://github.com/kpcyrd/rebuilderd), our server designed monitor the official package repositories of Linux distributions and attempt to reproduce the observed results there; it powers, amongst other things, [*reproduce.debian.net*](https://reproduce.debian.net/).
+
+A new version, [0.26.0](https://github.com/kpcyrd/rebuilderd/releases/tag/v0.26.0), was released this month, with the following improvements:
+
+* Much smoother onboarding/installation.
+* Complete database redesign with many improvements.
+* New REST HTTP API.
+* It's now possible to artificially delay the first reproduce attempt. This gives archive infrastructure more time to catch up.
+* And [many, many other changes](https://github.com/kpcyrd/rebuilderd/releases/tag/v0.26.0).
+
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
 
 * Bernhard M. Wiedemann:
+
+    * [`minify`](https://github.com/wilsonzlin/minify-html/pull/275) (rust random HashMap) / ([alternative](https://github.com/wilsonzlin/minify-html/pull/276) by *kpcyrd*)
     * [`rpm-config-SUSE`](https://github.com/openSUSE/rpm-config-SUSE/pull/95) (toolchain)
-    * [`minify`](https://github.com/wilsonzlin/minify-html/pull/275) (rust random HashMap) / [`alternative`](https://github.com/wilsonzlin/minify-html/pull/276) (by kpcyrd)
 
-* [openSUSE monthyl](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/Y4UFWITC7EWEMPU2LCE7BIMNXUQW5CNI/)
+* Chris Lamb:
+
+    * [#1129544](https://bugs.debian.org/1129544) filed against [`python-nxtomomill`](https://tracker.debian.org/pkg/python-nxtomomill).
+    * [#1130622](https://bugs.debian.org/1130622) filed against [`dh-fortran`](https://tracker.debian.org/pkg/dh-fortran).
+    * [#1130623](https://bugs.debian.org/1130623) filed against [`python-discovery`](https://tracker.debian.org/pkg/python-discovery).
+    * [#1130666](https://bugs.debian.org/1130666) filed against [`kanboard`](https://tracker.debian.org/pkg/kanboard).
+    * [#1131168](https://bugs.debian.org/1131168) filed against [`moltemplate`](https://tracker.debian.org/pkg/moltemplate).
+    * [#1131384](https://bugs.debian.org/1131384) filed against [`stacer`](https://tracker.debian.org/pkg/stacer).
+    * [#1131385](https://bugs.debian.org/1131385) filed against [`libcupsfilters`](https://tracker.debian.org/pkg/libcupsfilters).
+    * [#1131395](https://bugs.debian.org/1131395) filed against [`django-ninja`](https://tracker.debian.org/pkg/django-ninja).
+    * [#1131403](https://bugs.debian.org/1131403) filed against [`python-agate`](https://tracker.debian.org/pkg/python-agate).
+    * [#1132074](https://bugs.debian.org/1132074) filed against [`aetos`](https://tracker.debian.org/pkg/aetos).
+    * [#1132508](https://bugs.debian.org/1132508) filed against [`python-bayespy`](https://tracker.debian.org/pkg/python-bayespy).
+
+* *kpcyrd*:
+
+    * [`cargo`](https://github.com/rust-lang/cargo/pull/16691) (HashMap random order issue; [more info](https://github.com/rust-lang/cargo/issues/16693))
+
+<br>
+
+### Documentation updates
+
+[![]({{ "/images/reports/2026-03/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+Once again, there were a number of improvements made to our website this month including:
+
+* *kpcyrd*:
+
+    * Add a new page about [*Rust*]{{ "/docs/rust/" | relative_url }}) specifics. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3ed014bd)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/4bf02f0d)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/46c9f1e3)]
+
+* Robin Candau:
+
+    * Add link to the `diffoci` Arch Linux package on the [*Tools*]({{ "/tools/" | relative_url }}) page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0ca6c946)]
+
+* Timo Pohl:
+
+    * Add new *From Constrictor to Serpent: Investigating the Threat of Cache Poisoning in the Python Ecosystem* paper to the [*Academic publications*]({{ "/docs/publications/" | relative_url }}) page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8577c2d5)]
+    * Add GitLab registration confirmation to [*How to join the Salsa group*]({{ " /contribute/salsa/" | relative_url }} page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/b4f72f5a)]
+
+<br>
+
+### Two new academic papers
+
+[FIXME](https://dl.gi.de/items/07a895be-d49c-4d73-b14d-cb533e850ca2)
+<!-- Link currently HTTP 500; -->
+
+<br>
+
+[![]({{ "/images/reports/2026-03/epub.jku.png#right" | relative_url }})](https://epub.jku.at/obvulihs/content/titleinfo/13440717)
+
+Mario Lins of the University of Linz, Austria, has published their PhD doctoral thesis on the topic of [*Software supply chain transparency*](https://epub.jku.at/obvulihs/content/titleinfo/13440717):
+
+We begin by examining threats to the software distribution stage — the point at which artifacts (e.g., mobile apps) are delivered to end users — with an emphasis on mobile ecosystems [and] we next focus on the operating system on mobile devices, with an emphasis on mitigating bootloader-targeted attacks. We demonstrate how to compensate lost security guarantees on devices with an unlocked bootloader. This allows users to flash custom operating systems on devices that no longer receive security updates from the original manufacturer without compromising security. We then move to the source code stage. [Also,] we introduce a new architecture to ensure strong source-to-binary correspondence by leveraging the security guarantees of Confidential Computing technology. Finally, we present The Supply Chain Game, an organizational security approach that enhances standard risk-management methods. We demonstrate how game-theoretic techniques, combined with common risk management practices, can derive new criteria to better support decision makers.
+
+A [PDF](https://epub.jku.at/obvulihs/download/pdf/13440717) of the paper is available online.
+
+<br>
+
+### Misc news
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+
+* Holger Levsen [announced that this year's Reproducible Builds summit](https://lists.reproducible-builds.org/pipermail/rb-general/2026-March/004060.html) will almost certainly in held in Gothenburg, Sweden, from September 22 until 24, followed by two days of hacking. However, these dates are preliminary and not 100% final — an official announcement is forthcoming.
+
+* Mark Wielaard posted to our list [asking a question](https://lists.reproducible-builds.org/pipermail/rb-general/2026-March/004062.html) on the difference between [`debugedit`](https://sourceware.org/debugedit) and relative debug paths based on a comment on the [*Build path*]({{ "/docs/build-path/" | relative_url }}) page: "Have people tried more modern versions of `debugedit` to get deterministic (absolute) DWARF paths and found issues with it?
+
+<br>
+<br>
+
+Finally, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
+
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
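Review bot: the lead paragraph says "what we've been up to in February" while the front-matter title of this file is "Reproducible Builds in March 2026"; change February to March. Two Liquid links in the *Documentation updates* list are malformed and will render as literal text: `[*Rust*]{{ "/docs/rust/" | relative_url }})` is missing the opening `(` before `{{`, and `[*How to join the Salsa group*]({{ " /contribute/salsa/" | relative_url }} page` has a stray leading space inside the path and no closing `)` after `}}`. In the *Two new academic papers* section the thesis abstract ("We begin by examining threats to the software distribution stage ...") is pasted as ordinary body text; prefix it with `> ` like the other quotations in the file so it is not read as the report's own words, and "PhD doctoral thesis" is redundant. The first item in that section is still a bare `[FIXME]` link with an "HTTP 500" comment, so the heading currently promises two papers while only one is described. Smaller wording fixes: "One new issue types was added" should be "One new issue type was added"; "our server designed monitor" should be "our server designed to monitor", and that rebuilderd sentence has no main verb before the semicolon ("rebuilderd, our server ... ; it powers"); "uses a macro to read/generate a random number generator during the build" reads as if a generator is being generated, probably "a random number" is meant; "will almost certainly in held in" should be "will almost certainly be held in"; the Mark Wielaard quotation is missing its closing `"`; "preparing and uploading versions, `314` and `315`" has a stray comma; and "However, you can get in touch with us via:" does not follow from the preceding sentence, "You can also get in touch with us via:" fits better.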


=====================================
images/reports/2026-03/debian.png
=====================================
Binary files /dev/null and b/images/reports/2026-03/debian.png differ


=====================================
images/reports/2026-03/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2026-03/diffoscope.png differ


=====================================
images/reports/2026-03/epub.jku.png
=====================================
Binary files /dev/null and b/images/reports/2026-03/epub.jku.png differ


=====================================
images/reports/2026-03/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2026-03/opensuse.png differ


=====================================
images/reports/2026-03/reproduce.debian.net.png
=====================================
Binary files /dev/null and b/images/reports/2026-03/reproduce.debian.net.png differ


=====================================
images/reports/2026-03/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2026-03/reproducible-builds.png differ


=====================================
images/reports/2026-03/tux.png
=====================================
Binary files /dev/null and b/images/reports/2026-03/tux.png differ


=====================================
images/reports/2026-03/website.png
=====================================
Binary files /dev/null and b/images/reports/2026-03/website.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/155e41d1223e76c85f10a877f2f29ab73c981ef1


