[Git][reproducible-builds/reproducible-website][master] 2026-01: Initial draft

Chris Lamb (@lamby) gitlab at salsa.debian.org
Tue Feb 3 23:13:59 UTC 2026



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
f41edd40 by Chris Lamb at 2026-02-03T15:13:21-08:00
2026-01: Initial draft

- - - - -


11 changed files:

- _reports/2026-01.md
- + images/reports/2026-01/2601.png
- + images/reports/2026-01/3736731.3746146.png
- + images/reports/2026-01/archlinux.png
- + images/reports/2026-01/debian.png
- + images/reports/2026-01/diffoscope.png
- + images/reports/2026-01/flathub.png
- + images/reports/2026-01/guix.png
- + images/reports/2026-01/opensuse.png
- + images/reports/2026-01/reproducible-builds.png
- + images/reports/2026-01/website.png


Changes:

=====================================
_reports/2026-01.md
=====================================
@@ -1,31 +1,159 @@
+---
+layout: report
+year: "2026"
+month: "01"
+title: "Reproducible Builds in January 2026"
+draft: true
+---
 
-* [FIXME](https://lists.debian.org/debian-devel/2026/01/msg00116.html)
+**Welcome to the first monthly report in 2026 from the [Reproducible Builds](https://reproducible-builds.org) project!**
+{: .lead}
 
-* [FIXME: Scott Talbert uploaded dh-haskell (0.6.13)](https://tracker.debian.org/news/1705702/accepted-dh-haskell-0613-source-into-unstable/) with this one change:
-   * Revert parallel support as it breaks reproducibility (Closes: #1125000)
+[![]({{ "/images/reports/2026-01/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
 
-* [FIXME](https://blog.josefsson.org/2026/01/09/debian-taco-towards-a-gitsecdevops-debian/)
+These reports outline what we've been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
 
-* [FIXME: flathub checking for build reproducibility](https://docs.flathub.org/blog/vorarbeiter-2026),
-  [FIXME] their test results](https://builds.flathub.org/reproducible)
+---
 
-* [FIXME](https://salsa.debian.org/release-team/britney2/-/merge_requests/115) got merged and deployed, which means that reproduce.debian.net results are now used for britney2 migration information, instead of tests.r-b.o/debian results like in previous years until today. In future these results are intended to block or step up migrations too.
+### Flathub now testing for reproducibility
 
-* [FIXME](https://arxiv.org/pdf/2601.12811)
+[![]({{ "/images/reports/2026-01/flathub.png#right" | relative_url }})](https://www.opensuse.org/)
 
-* [FIXME](https://dl.acm.org/doi/10.1145/3736731.3746146)
+[Flathub](https://flathub.org/), the primary repository/app store for [Flatpak](https://flatpak.org/)-based applications, has begun checking for build reproducibility. [According to a recent blog post](https://docs.flathub.org/blog/vorarbeiter-2026):
 
-* [FIXME](https://www.reddit.com/r/linux/comments/1qfw17a/today_is_y2k38_commemoration_day_t12/) the year-2038 initially came up because of build-failures when testing for reproducible builds, but turned out to be a wide-spread issue in dozens of places even on 64-bit machines, because some programs use int to store the number of seconds since 1970, when they should use a 64-bit int instead.
+> We have started testing binary reproducibility of `x86_64` builds targeting the stable repository. This is possible thanks to [flathub-repro-checker](https://github.com/flathub-infra/flathub-repro-checker), a tool doing the necessary legwork to recreate the build environment and compare the result of the rebuild with what is published on Flathub. While these tests have been running for a while now, we have recently restarted them from scratch after enabling S3 storage for diffoscope artifacts.
+
+The test results and status is available on their [reproducible builds page](https://builds.flathub.org/reproducible).
+
+<br>
+
+### Reproducibility identifying countless software that will fail to build in 2038
+
+Longtime Reproducible Builds developer Bernhard M. Wiedemann [posted on Reddit on "Y2K38 commemoration day T-12"](https://www.reddit.com/r/linux/comments/1qfw17a/today_is_y2k38_commemoration_day_t12/) — that is to say, twelve years to the day before the UNIX Epoch will no longer fit into a signed 32-bit integer variable on 19th January 2038.
+
+Bernhard's comment succinctly outlines the problem as well as notes some of the potential remedies, as well as [links to a discussion with the GCC developers](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=118326) regarding "adding warnings for `int` → `time_t` conversions".
+
+At the time of publication, Bernard's topic had generated [50 comments in response](https://www.reddit.com/r/linux/comments/1qfw17a/today_is_y2k38_commemoration_day_t12/).
+
+<br>
+
+### Distribution work
+
+[![]({{ "/images/reports/2026-01/debian.png#right" | relative_url }})](https://debian.org/)
+
+In **Debian** this month:
+
+* Scott Talbert [uploaded a new version of `dh-haskell`](https://tracker.debian.org/news/1705702/accepted-dh-haskell-0613-source-into-unstable/) (0.6.13), reverting parallel support as it broke reproducibility, thereby fixing Debian bug [#1125000](https://bugs.debian.org/1125000).
+
+* Vagrant Cascadian posted to [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) on the topic of ["Duplicate Debian packages with matching name-version-arch problem"](https://lists.reproducible-builds.org/pipermail/rb-general/2026-January/003987.html). The issue is that `.buildinfo` files only "record the package name, version and architecture of the build-dependencies (and perhaps a bit more), but there are [corner cases where multiple artifacts have the same name, version and architecture](https://lists.debian.org/debian-snapshot/2025/10/msg00002.html)". This generated [some discussion on the mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/2026-January/thread.html#3987) as well as elsewhere in Debian.
+
+* Roland Clobus also posted to our mailing list regarding [*Building Debian Live images from snapshot.debian.org*](https://lists.reproducible-builds.org/pipermail/rb-general/2026-January/003991.html). This surfaced an issue regarding the timestamps of the `.deb` file, leading to Roland filing Debian bug [#1126000](https://bugs.debian.org/1126000) to liaise with the developers of the [*snapshot.debian.org*](https://snapshot.debian.org/) service.
+
+* A change was made to migrate away from using the results from [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in deciding whether a package is a suitable candidate for the Debian *testing* distribution (the staging area for the next stable Debian release) to use the results from [*reproduce.debian.net*](https://reproduce.debian.net/) instead. This was, [according to Paul Gevers' merge request](https://salsa.debian.org/release-team/britney2/-/merge_requests/115), because the former service "does so by building twice in a row with varying build environment. What we are actually interested in is if the binaries that we ship can be reproduced". The information provided by *reproduce.debian.net* is currently being used to delay or speed up packages' migration time based on their reproducibility status, but it has the potential, in the future, be used to block unreproducible packages from migrating entirely.
+
+* 41 reviews of Debian packages were added, 7 were updated and 37 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Chris Lamb identified and added a new [`source_date_epoch_affected_by_timezone_by_d_compiler_gdc`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/5051be53) issue type, as well as [`timezone_variant_in_argparse_manpage`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/2990c69b).
+
+<br>
+
+[![]({{ "/images/reports/2026-01/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
+
+Lastly, Bernhard M. Wiedemann posted another [**openSUSE**](https://www.opensuse.org/) [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/WGWBPINHEGH4MBKRJHFQJGEX6OZ7VWDU/) for his work there.
+
+<br>
+
+### Tool development
+
+[![]({{ "/images/reports/2026-01/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
+
+[**diffoscope**](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions, [`310`](https://tracker.debian.org/news/1706143/accepted-diffoscope-310-source-into-unstable/) and [`311`](https://tracker.debian.org/news/1709611/accepted-diffoscope-311-source-into-unstable/) to Debian.
+
+* Fix test compatibility with *u-boot-tools* version `2026-01`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/b56d1180)]
+* Drop the implied `Rules-Requires-Root: no` entry in `debian/control`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/eaa8c6d7)]
+* Bump `Standards-Version` to 4.7.3. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/194731e3)]
+* Reference the Debian `ocaml` package instead of `ocaml-nox`. ([#1125094](https://bugs.debian.org/1125094))
+* Apply a patch by Jelle van der Waa to adjust a test fixture  match new lines. [[...](https://salsa.debian.org/jelle/diffoscope/commit/e4ec97f7861ffce491b19af6d61aefe003df6c6d)]
+* Also the drop implied `Priority: optional` from `debian/control`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/b40346a3)]
+
+<br>
+
+In addition, Holger Levsen uploaded two versions of **disorderfs**, first updating the package from FUSE 2 to [FUSE 3](https://salsa.debian.org/reproducible-builds/disorderfs/-/merge_requests/8) as described in [last months report]({{ "/reports/2025-12/" | relative_url }}), as well as updating the packaging to the latest Debian standards. A [second upload](https://tracker.debian.org/news/1703912/accepted-disorderfs-062-1-source-into-unstable/) (`0.6.2-1`) was subsequently made, with Holger adding instructions on how to add the upstream release to our release archive and incorporating changes by Roland Clobus to set `_FILE_OFFSET_BITS` on 32-bit platforms, fixing a build failure on 32-bit systems.
+
+<br>
+
+### Two new academic papers
+
+[![]({{ "/images/reports/2026-01/2601.png#right" | relative_url }})](https://arxiv.org/abs/2601.12811)
+
+Julien Malka, Stefano Zacchiroli and Théo Zimmermann of Télécom Paris’ in-house research laboratory, the [Information Processing and Communications Laboratory](https://www.telecom-paris.fr/en/research/labs/information-processing-ltci) (LTCI) published a paper this month titled [*Docker Does Not Guarantee Reproducibility*](https://arxiv.org/abs/2601.12811):
+
+> […] While [Docker](https://www.docker.com/) is frequently cited in the literature as a tool that enables reproducibility in theory, the extent of its guarantees and limitations in practice remains under-explored. In this work, we address this gap through two complementary approaches. First, we conduct a systematic literature review to examine how Docker is framed in scientific discourse on reproducibility and to identify documented best practices for writing `Dockerfile`s enabling reproducible image building. Then, we perform a large-scale empirical study of 5,298 Docker builds collected from GitHub workflows. By rebuilding these images and comparing the results with their historical counterparts, we assess the real reproducibility of Docker images and evaluate the effectiveness of the best practices identified in the literature.
+
+A [PDF](https://arxiv.org/pdf/2601.12811) of their paper is available online.
+
+<br>
+
+[![]({{ "/images/reports/2026-01/3736731.3746146.png#right" | relative_url }})](https://dl.acm.org/doi/10.1145/3736731.3746146)
+
+Quentin Guilloteau, Antoine Waehren and Florina M. Ciorba of the [University of Basel](https://www.unibas.ch/en.html) in Sweden **also** published a [*Docker*](https://docker.com/)-related paper, theirs called [*Longitudinal Study of the Software Environments Produced by Dockerfiles from Research Artifacts*](https://dl.acm.org/doi/10.1145/3736731.3746146):
+
+> The reproducibility crisis has affected all scientific disciplines, including computer science (CS). To address this issue, the CS community has established artifact evaluation processes at conferences and in journals to evaluate the reproducibility of the results shared in publications. Authors are therefore required to share their artifacts with reviewers, including code, data, and the software environment necessary to reproduce the results. One method for sharing the software environment proposed by conferences and journals is to utilize container technologies such as Docker and Apptainer. However, these tools rely on non-reproducible tools, resulting in non-reproducible containers. In this paper, we present a tool and methodology to evaluate variations over time in software environments of container images derived from research artifacts. We also present initial results on a small set of `Dockerfiles` from the Euro-Par 2024 conference.
+
+A [PDF](https://dl.acm.org/doi/epdf/10.1145/3736731.3746146) of their paper is available online.
+
+<br>
+
+## Miscellaneous news
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+
+* [*kpcyrd* started a thread](https://lists.reproducible-builds.org/pipermail/rb-general/2026-January/003995.html) after they noticed that "SWHID (also known as ISO/IEC 18670:2025) was published 1.0 in 2022 and ISO standardized in 2025, but uses the insecure [SHA-1 as core cryptographic primitive](https://www.swhid.org/specification/v1.2/5.Core_identifiers/)", asking whether there have been any attempts to upgrade this to SHA-256 or similar.
+
+* Jan-Benedict Glaw asked about the [*Reproducibility for Libreoffice [when performing] ODT to PDF conversion*](https://lists.reproducible-builds.org/pipermail/rb-general/2026-January/004005.html) after they observed that "simply calling `libreoffice --convert-to pdf some.odt` results in unreproducible output PDF. After [some replies](https://lists.reproducible-builds.org/pipermail/rb-general/2026-January/thread.html#4008), Jan-Benedict wrote back to observe that it may be an issue with both timestamps and embedded fonts.
+
+Lastly, *kpcyrd* added a [Rust](https://rust-lang.org/) section to the [*Stable order for outputs*]({{ "/docs/stable-outputs/" | relative_url }}) page on our website. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/07558472)]
+
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
 
 * Bernhard M. Wiedemann:
 
-    * [`otp`](https://github.com/erlang/otp/pull/10556) (jar mtime)
-    * [`Nim`](https://github.com/nim-lang/Nim/issues/25442) (FTBFS-2038)
-    * [`ZEO`](https://github.com/zopefoundation/ZEO/issues/245) (FTBFS-2038)
-    * [`clamav`](https://github.com/Cisco-Talos/clamav/issues/1663) (FTBFS-2027)
-    * [`Switcheroo`](https://gitlab.com/adhami3310/Switcheroo/-/commit/d85c2180f7545c5e0155ac412b763d027f95b549) (by Khaleel Al-Adhami, FTBFS-j1)
-    * [`libaom`](https://aomedia-review.googlesource.com/c/aom/+/206321) (date/copyright year)
-    * [`kf6-kuserfeedback`](https://build.opensuse.org/request/show/1327621) (%jobs)
-    * [`uwsm`](https://build.opensuse.org/request/show/1329461) (nocheck pyc files)
+    * [`clamav`](https://github.com/Cisco-Talos/clamav/issues/1663)
+    * [`kf6-kuserfeedback`](https://build.opensuse.org/request/show/1327621)
+    * [`libaom`](https://aomedia-review.googlesource.com/c/aom/+/206321)
+    * [`Nim`](https://github.com/nim-lang/Nim/issues/25442)
+    * [`otp`](https://github.com/erlang/otp/pull/10556)
+    * [`Switcheroo`](https://gitlab.com/adhami3310/Switcheroo/-/commit/d85c2180f7545c5e0155ac412b763d027f95b549) (by Khaleel Al-Adhami)
+    * [`uwsm`](https://build.opensuse.org/request/show/1329461)
+    * [`ZEO`](https://github.com/zopefoundation/ZEO/issues/245)
+
+* Chris Lamb:
+
+    * [#1124697](https://bugs.debian.org/1124697) filed against [`sqlalchemy-i18n`](https://tracker.debian.org/pkg/sqlalchemy-i18n).
+    * [#1125671](https://bugs.debian.org/1125671) filed against [`tea-cli`](https://tracker.debian.org/pkg/tea-cli).
+    * [#1125725](https://bugs.debian.org/1125725) filed against [`libimage-librsvg-perl`](https://tracker.debian.org/pkg/libimage-librsvg-perl).
+    * [#1125727](https://bugs.debian.org/1125727) filed against [`seer`](https://tracker.debian.org/pkg/seer).
+    * [#1125729](https://bugs.debian.org/1125729) filed against [`grabix`](https://tracker.debian.org/pkg/grabix).
+    * [#1126038](https://bugs.debian.org/1126038) filed against [`hovercraft`](https://tracker.debian.org/pkg/hovercraft).
+    * [#1126039](https://bugs.debian.org/1126039) filed against [`lomiri-location-service`](https://tracker.debian.org/pkg/lomiri-location-service).
+    * [#1126092](https://bugs.debian.org/1126092) filed against [`argparse-manpage`](https://tracker.debian.org/pkg/argparse-manpage).
+    * [#1126454](https://bugs.debian.org/1126454) filed against [`xarray-safe-rcm`](https://tracker.debian.org/pkg/xarray-safe-rcm).
+    * [#1126512](https://bugs.debian.org/1126512) filed against [`gcc-15`](https://tracker.debian.org/pkg/gcc-15) ([forwarded upstream](https://github.com/dlang/dmd/issues/22463)).
+
+* Jochen Sprickerhof:
+
+    * [#1124951](https://bugs.debian.org/1124951) filed against [`rsyslog`](https://tracker.debian.org/pkg/rsyslog).
+    * [#1125000](https://bugs.debian.org/1125000) filed against [`dh-haskell`](https://tracker.debian.org/pkg/dh-haskell).
+
+<br>
+<br>
+
+Finally, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
 
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/WGWBPINHEGH4MBKRJHFQJGEX6OZ7VWDU/)
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
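Review bot: The Flathub logo in the "Flathub now testing for reproducibility" section links to `https://www.opensuse.org/`, which looks copied from the openSUSE image line further down; it should point at `https://flathub.org/`. In the academic papers section, the University of Basel is described as being "in Sweden", but Basel is in Switzerland. Smaller wording fixes in the same hunk: "Bernard's topic" should be "Bernhard's" to match the rest of that section; the quotation opened at "simply calling `libreoffice --convert-to pdf some.odt`" is never closed; "adjust a test fixture  match new lines" is missing "to"; "Also the drop implied" should read "Also drop the implied"; "has the potential, in the future, be used" is missing "to"; and "## Miscellaneous news" sits one level above the surrounding "###" headings.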


=====================================
images/reports/2026-01/2601.png
=====================================
Binary files /dev/null and b/images/reports/2026-01/2601.png differ


=====================================
images/reports/2026-01/3736731.3746146.png
=====================================
Binary files /dev/null and b/images/reports/2026-01/3736731.3746146.png differ


=====================================
images/reports/2026-01/archlinux.png
=====================================
Binary files /dev/null and b/images/reports/2026-01/archlinux.png differ
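Review bot: `images/reports/2026-01/archlinux.png` is added here but nothing in `_reports/2026-01.md` references it, and the same holds for `guix.png` and `website.png` further down. Either add the sections that will use these images or leave the files out of this commit until they are needed, so the report does not carry unused assets.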


=====================================
images/reports/2026-01/debian.png
=====================================
Binary files /dev/null and b/images/reports/2026-01/debian.png differ


=====================================
images/reports/2026-01/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2026-01/diffoscope.png differ


=====================================
images/reports/2026-01/flathub.png
=====================================
Binary files /dev/null and b/images/reports/2026-01/flathub.png differ


=====================================
images/reports/2026-01/guix.png
=====================================
Binary files /dev/null and b/images/reports/2026-01/guix.png differ


=====================================
images/reports/2026-01/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2026-01/opensuse.png differ


=====================================
images/reports/2026-01/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2026-01/reproducible-builds.png differ


=====================================
images/reports/2026-01/website.png
=====================================
Binary files /dev/null and b/images/reports/2026-01/website.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/f41edd4041e49dbcdc01c000828fccf9a19a381c
