[Git][reproducible-builds/reproducible-website][master] 2025-12: Initial draft
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Tue Jan 6 20:18:21 UTC 2026
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
c82cb077 by Chris Lamb at 2026-01-06T12:17:57-08:00
2025-12: Initial draft
- - - - -
11 changed files:
- _reports/2025-12.md
- + images/reports/2025-12/1-s2.0-S2214212625003606-main.png
- + images/reports/2025-12/2505.png
- + images/reports/2025-12/Causes_and_Canonicalization_of_Unreproducible_Builds_in_Java.png
- + images/reports/2025-12/debian.png
- images/reports/2025-10/guix.png → images/reports/2025-12/guix.png
- + images/reports/2025-12/nixos.png
- + images/reports/2025-12/opensuse.png
- + images/reports/2025-12/reproducible-builds.png
- + images/reports/2025-12/stampdalf.png
- + images/reports/2025-12/website.png
Changes:
=====================================
_reports/2025-12.md
=====================================
@@ -6,41 +6,202 @@ title: "Reproducible Builds in December 2025"
draft: true
---
-* [FIXME](https://arxiv.org/pdf/2505.04834)
+**Welcome to the December 2025 from the [Reproducible Builds](https://reproducible-builds.org) project!**
+{: .lead}
-* [FIXME](https://blog.josefsson.org/2025/12/07/reproducible-guix-container-images/)
+[![]({{ "/images/reports/2025-12/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
-* [FIXME: Micha Lenk announced throw away binaries for uploads to BACKPORTS-NEW](https://lists.debian.org/debian-backports-announce/2025/12/msg00000.html) making reproducing possible.
+Our monthly reports outline what we've been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
-* [FIXME](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=11223991)
+<!--
-* [FIXME: Felix Moessbauer <felix.moessbauer at siemens.com> submitted Bug#1122577: ITP: debsbom -- Software Bill of Materials generator for distributions based on Debian](https://bugs.debian.org/1122577)
+**In this report:**
-* [FIXME](https://www.sciencedirect.com/science/article/pii/S2214212625003606)
+-->
-* [FIXME: Lucas Nussbaum announced](https://lists.debian.org/debian-qa/2025/12/msg00004.html) a new service [https://orig-check.debian.net/](https://orig-check.debian.net/) which nicely complements whatsrc.org.
- * Also very nice: that service is dedicated to [Lunar](https://reproducible-builds.org/news/2024/11/14/reproducible-builds-mourns-the-passing-of-lunar/) who sadly passed away a year ago.
+---
+
+### New *orig-check* service to validate Debian upstream tarballs
+
+This month, Debian Developer [Lucas Nussbaum](https://www.lucas-nussbaum.net/blog/) announced the [*orig-check*](https://orig-check.debian.net/) service, which attempts to automatically reproduce the generation upstream tarballs (ie. the "original source" component of a Debian source package), comparing that to the upstream tarball actually shipped with Debian.
+
+As of the time of writing, it is possible for a Debian developer to upload a source archive that does not actually correspond to upstream's version. Whilst this is not inherently malicious (it typically indicates some tooling/process issue), the very possibility that a maintainer's version may differ potentially permits a maintainer to make (malicious) changes that would be misattributed to upstream.
-* [FIXME: Holger went ahead and merged 11 commits from Alper Nebi Yasak / MR38 into debian-installer.git](https://salsa.debian.org/installer-team/debian-installer/-/merge_requests/38)
- 2fcb66f10 Add debian-installer-images tarball to CI reprotest artifacts
- a975f01d5 gen-hd-image: Use pseudorandom label IDs
- 86c4a74f4 Use pseudorandom volume ID for FAT filesystems
- b90d77b2f Set C.UTF-8 locale for bdftobogl calls
- 5774c5f5d Make seagate network-console uInitrd reproducible
- a83ecf581 Use xorriso to isohybridize x86 mini.iso images
- 75d265c5e Use gen-tarball to generate armhf tarballs
- a6de557a1 Set invariant mode, volume ID and label for mkfs.msdos calls
- 6ecffbc0a gen-tarball: Normalise file permissions
- f7498eccc Normalise permissions of files included in mini.iso images
- 962e03b7b Clamp mtimes of files included in mini.iso images
-
+This service therefore nicely complements the [*whatsrc.org*](https://whatsrc.org/) service, which was reported in our reports for both [April]({{ "/reports/2024-04/" | relative_url }}) and [August]({{ "/reports/2024-08/" | relative_url }}). The *orig-check* is dedicated to [Lunar]({{ "/news/2024/11/14/reproducible-builds-mourns-the-passing-of-lunar/" | relative_url }}), who sadly passed away a year ago.
-* [FIXME: cen/Klemen announced experimental support for FreeBSD added to rebuilderd](https://lists.reproducible-builds.org/pipermail/rb-general/2025-December/003971.html)
+<br>
### Distribution work
[![]({{ "/images/reports/2025-12/archlinux.png#right" | relative_url }})](https://archlinux.org/)
-In **Arch Linux** this month, Robin Candau and Mark Hegreberg worked at [making the Arch Linux WSL image bit-for-bit reproducible](https://gitlab.archlinux.org/archlinux/archlinux-wsl/-/merge_requests/76). Robin also shared some implementation details and future related work [to our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/2025-December/003975.html).
+In **Arch Linux** this month, Robin Candau and Mark Hegreberg worked at [making the Arch Linux WSL image bit-for-bit reproducible](https://gitlab.archlinux.org/archlinux/archlinux-wsl/-/merge_requests/76). Robin also shared some [implementation details and future related work](https://lists.reproducible-builds.org/pipermail/rb-general/2025-December/003975.html) on our [mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/).
+
+[![]({{ "/images/reports/2025-12/guix.png#right" | relative_url }})](https://guix.gnu.org/en/)
+
+Continuing a series reported in these reports for [March]({{ "/reports/2025-03/" | relative_url }}), [April]({{ "/reports/2025-04/" | relative_url }}) and [July]({{ "/reports/2025-07/" | relative_url }}) 2025 (etc.), [Simon Josefsson](https://blog.josefsson.org/) has published another interesting article this month, itself a followup to a [post Simon published in December 2024](https://blog.josefsson.org/2024/12/18/guix-container-images-for-gitlab-ci-cd/) regarding [**GNU Guix** Container Images](https://gitlab.com/debdistutils/guix/container) that are hosted on GitLab.
+
+[![]({{ "/images/reports/2025-12/debian.png#right" | relative_url }})](https://debian.org/)
+
+In **Debian** this month, Micha Lenk posted to the [*debian-backports-announce* mailing list](https://lists.debian.org/debian-backports-announce/) with the news that the [Backports](https://backports.debian.org/) archive [will now discard binaries generated and uploaded by maintainers](https://lists.debian.org/debian-backports-announce/2025/12/msg00000.html): "The benefit is that all binary packages [will] get built by the Debian buildds before we distribute them within the archive."
+
+Felix Moessbauer of [Siemens](https://www.siemens.com/global/en.html) then filed [a bug in the Debian bug tracker](https://bugs.debian.org/1122577) to signal their intention to package [*debsbom*](https://github.com/siemens/debsbom), a software bill of materials (SBOM) generator for distributions based on Debian. This generated a [discussion on the bug](https://bugs.debian.org/1122577) inquiring about the output format as well as a question about how these SBOMs might be distributed.
+
+Holger Levsen merged a [number of significant changes](https://salsa.debian.org/installer-team/debian-installer/-/merge_requests/38/diffs) written by [Alper Nebi Yasak](https://salsa.debian.org/alpernebbi) to the [Debian Installer](https://www.debian.org/devel/debian-installer/) in order to improve its reproducibility. As noted in [Alper's merge request](https://salsa.debian.org/installer-team/debian-installer/-/merge_requests/38), "These are the reproducibility fixes I looked into before *bookworm* release, but was a bit afraid to send as it's just before the release, because the things like the `xorriso` conversion changes the content of the files to try to make them reproducible."
+
+In addition, 76 reviews of Debian packages were added, 8 were updated and 27 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). A new `different_package_content_when_built_with_nocheck` issue type was added by Holger Levsen. [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/763d3753)]
+
+Arnout Engelen posted to our mailing list reporting that "On the heels of the **NixOS** 25.11 release, I reproduced the minimal installation ISO again". Arnout also [posted more details](https://arnout.engelen.eu/blog/reproducing-nixos-25.11-minimal-iso/) to their blog.
+
+[![]({{ "/images/reports/2025-12/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
+
+Lastly, Bernhard M. Wiedemann posted another [**openSUSE**](https://www.opensuse.org/) [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/2KUFWETJ5NAKCGNDVZJZVNVYTU2VAZ6D/) for his work there.
+
+<br>
+
+### Mailing list updates
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+
+* Jelle van der Waa followed up to a thread started late in November by Simon Mudd who was [*Looking for reproducible RPM building / rebuilding tooling*](https://lists.reproducible-builds.org/pipermail/rb-general/2025-November/003946.html). [In their followup](https://lists.reproducible-builds.org/pipermail/rb-general/2025-December/003948.html), Jelle mentions [*fedora-repro-build*](https://github.com/keszybz/fedora-repro) noting that it is designed to work with [Koji](https://koji.fedoraproject.org/koji/), Fedora's build service.
+
+[![]({{ "/images/reports/2025-12/stampdalf.png#right" | relative_url }})](https://github.com/89luca89/stampdalf)
+
+* [Luca Di Maio](https://github.com/89luca89) announced [*stampdalf*](https://github.com/89luca89/stampdalf), a "filesystem timestamp preservation" tool that wraps "arbitrary commands and ensures filesystem timestamp reproducibility":
+
+ > *stampdalf* allows you to run any command that modifies files in a directory tree, then automatically resets all timestamps back to their original values. Any new files created during command execution are set to [the UNIX epoch] or a custom timestamp via [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}).
+
+ The [project's GitHub page](https://github.com/89luca89/stampdalf) helpfully reveals that the project is "pronounced: stamp-dalf (stamp like time-stamp, dalf like Gandalf the wizard)" as "it's a wizard of time and stamps".)
+
+* Lastly, Reproducible Builds developer [*cen1*](https://github.com/cen1) posted to our list announcing that "early/experimental/alpha" support for [FreeBSD](https://www.freebsd.org/) was added to [*rebuilderd*](https://github.com/kpcyrd/rebuilderd). [In their post](https://lists.reproducible-builds.org/pipermail/rb-general/2025-December/003971.html), *cen1* reports that the "initial builds are in progress and [look quite decent](https://rebuilderd.xpam.pl:2096/)". *cen1* also interestingly notes that "since the upstream is currently not technically reproducible I had to relax the bit-for-bit identical requirement of rebuilderd [—] I consider the pkg to be reproducible if the tar is content-identical (via diffoscope), ignoring timestamps and some of the manifest files.".
+
+<br>
+
+### Three new academic papers published
+
+[![]({{ "/images/reports/2025-12/2505.png#right" | relative_url }})](https://arxiv.org/abs/2505.04834)
+
+Yogya Gamage and Benoit Baudry of [Université de Montréal](https://www.umontreal.ca/en/), Canada together with Deepika Tiwari and Martin Monperrus of [KTH Royal Institute of Technology](https://www.kth.se/en), Sweden published a paper on [*The Design Space of Lockfiles Across Package Managers*](https://arxiv.org/abs/2505.04834):
+
+> Most package managers also generate a lockfile, which records the exact set of resolved dependency versions. Lockfiles are used to reduce build times; to verify the integrity of resolved packages; and to support build reproducibility across environments and time. Despite these beneficial features, developers often struggle with their maintenance, usage, and interpretation. In this study, we unveil the major challenges related to lockfiles, such that future researchers and engineers can address them. […]
+
+A [PDF](https://arxiv.org/pdf/2505.04834) of their paper is available online.
+
+Benoit Baudry also [posted an announcement](https://lists.reproducible-builds.org/pipermail/rb-general/2025-December/003957.html) to our mailing list, which generated a [number of replies](https://lists.reproducible-builds.org/pipermail/rb-general/2025-December/thread.html#3957).
+
+<br>
+
+[![]({{ "/images/reports/2025-12/1-s2.0-S2214212625003606-main.png#right" | relative_url }})](https://www.sciencedirect.com/science/article/pii/S2214212625003606)
+
+Betul Gokkaya, Leonardo Aniello and Basel Halak of the [University of Southampton](https://www.southampton.ac.uk/) then published a paper on the [*A taxonomy of attacks, mitigations and risk assessment strategies*](https://www.sciencedirect.com/science/article/pii/S2214212625003606) within the software supply chain:
+
+> While existing studies primarily focus on software supply chain attacks’ prevention and detection methods, there is a need for a broad overview of attacks and comprehensive risk assessment for software supply chain security. This study conducts a systematic literature review to fill this gap. By analyzing 96 papers published between 2015-2023, we identified 19 distinct SSC attacks, including 6 novel attacks highlighted in recent studies. Additionally, we developed 25 specific security controls and established a precisely mapped taxonomy that transparently links each control to one or more specific attacks. […]
+
+A PDF of the paper is available online via the [article's canonical page](https://www.sciencedirect.com/science/article/pii/S2214212625003606).
+
+<br>
+
+[![]({{ "/images/reports/2025-12/Causes_and_Canonicalization_of_Unreproducible_Builds_in_Java.png#right" | relative_url }})](https://ieeexplore.ieee.org/document/11223991)
+
+Aman Sharma and Martin Monperrus of the [KTH Royal Institute of Technology](https://www.kth.se/en), Sweden along with Benoit Baudry of [Université de Montréal](https://www.umontreal.ca/en/), Canada published a paper this month on [*Causes and Canonicalization of Unreproducible Builds in Java*](https://ieeexplore.ieee.org/document/11223991). The abstract of the paper is as follows:
+
+> [Achieving] reproducibility at scale remains difficult, especially in Java, due to a range of non-deterministic factors and caveats in the build process. In this work, we focus on reproducibility in Java-based software, archetypal of enterprise applications. We introduce a conceptual framework for reproducible builds, we analyze a large dataset from Reproducible Central, and we develop a novel taxonomy of six root causes of unreproducibility. […]
+
+A [PDF](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=11223991) of the paper is available online.
+
+<br>
+
+### Website updates
+
+[![]({{ "/images/reports/2025-12/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+Once again, there were a number of improvements made to our website this month including:
+
+* Chris Lamb updated a number of [IzzyOnDroid](https://izzyondroid.org/) links. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c32f3798)]
+
+* Luca Di Maio updated the [*System images*]({{ "/docs/system-images/" | relative_url }}) page to document how to create [reproducible XFS filesystems]({{ "/docs/system-images/" | relative_url }}#xfs). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2cf0f4c8)]
+
+* Robert Stupp made a number of useful changes, fixing and reorganising the [Groovy](https://groovy-lang.org/) / [Kotlin](https://kotlinlang.org/) pages [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/4a785b2a)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5927908c)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/aaae3771)] as well adding a note about potential non-deterministic behaviour to the [*JVM*]({{ "/docs/jvm/" | relative_url }}) page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0beb497b)].
+
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
+
+* Chris Lamb:
+
+ * [#1121794](https://bugs.debian.org/1121794) filed against [`golang-github-spf13-afero`](https://tracker.debian.org/pkg/golang-github-spf13-afero).
+ * [#1121795](https://bugs.debian.org/1121795) filed against [`golang-github-appleboy-easyssh-proxy`](https://tracker.debian.org/pkg/golang-github-appleboy-easyssh-proxy).
+ * [#1121796](https://bugs.debian.org/1121796) filed against [`circlator`](https://tracker.debian.org/pkg/circlator).
+ * [#1121797](https://bugs.debian.org/1121797) filed against [`golang-github-jhoonb-archivex`](https://tracker.debian.org/pkg/golang-github-jhoonb-archivex).
+ * [#1121798](https://bugs.debian.org/1121798) filed against [`golang-github-jonas-p-go-shp`](https://tracker.debian.org/pkg/golang-github-jonas-p-go-shp).
+ * [#1121800](https://bugs.debian.org/1121800) filed against [`golang-github-foxboron-go-uefi`](https://tracker.debian.org/pkg/golang-github-foxboron-go-uefi).
+ * [#1121801](https://bugs.debian.org/1121801) filed against [`in-toto-golang`](https://tracker.debian.org/pkg/in-toto-golang).
+ * [#1121802](https://bugs.debian.org/1121802) filed against [`lua-penlight`](https://tracker.debian.org/pkg/lua-penlight).
+ * [#1121803](https://bugs.debian.org/1121803) filed against [`rust-fslock`](https://tracker.debian.org/pkg/rust-fslock).
+ * [#1121804](https://bugs.debian.org/1121804) filed against [`fff`](https://tracker.debian.org/pkg/fff).
+ * [#1121858](https://bugs.debian.org/1121858) filed against [`golang-github-notaryproject-notation-go`](https://tracker.debian.org/pkg/golang-github-notaryproject-notation-go).
+ * [#1121859](https://bugs.debian.org/1121859) filed against [`golang-github-google-go-tpm`](https://tracker.debian.org/pkg/golang-github-google-go-tpm).
+ * [#1121860](https://bugs.debian.org/1121860) filed against [`golang-github-foxboron-go-tpm-keyfiles`](https://tracker.debian.org/pkg/golang-github-foxboron-go-tpm-keyfiles).
+ * [#1121862](https://bugs.debian.org/1121862) filed against [`goobook`](https://tracker.debian.org/pkg/goobook).
+ * [#1121865](https://bugs.debian.org/1121865) filed against [`fortran-regex`](https://tracker.debian.org/pkg/fortran-regex).
+ * [#1122014](https://bugs.debian.org/1122014) filed against [`golang-github-yudai-gojsondiff`](https://tracker.debian.org/pkg/golang-github-yudai-gojsondiff).
+ * [#1122019](https://bugs.debian.org/1122019) filed against [`golang-github-tjfoc-gmsm`](https://tracker.debian.org/pkg/golang-github-tjfoc-gmsm).
+ * [#1122020](https://bugs.debian.org/1122020) filed against [`golang-github-otiai10-copy`](https://tracker.debian.org/pkg/golang-github-otiai10-copy).
+ * [#1122021](https://bugs.debian.org/1122021) filed against [`golang-k8s-sigs-kustomize-cmd-config`](https://tracker.debian.org/pkg/golang-k8s-sigs-kustomize-cmd-config).
+ * [#1122022](https://bugs.debian.org/1122022) filed against [`golang-github-artyom-mtab`](https://tracker.debian.org/pkg/golang-github-artyom-mtab).
+ * [#1122218](https://bugs.debian.org/1122218) filed against [`golang-k8s-sigs-release-utils`](https://tracker.debian.org/pkg/golang-k8s-sigs-release-utils).
+ * [#1122219](https://bugs.debian.org/1122219) filed against [`golang-github-theupdateframework-go-tuf`](https://tracker.debian.org/pkg/golang-github-theupdateframework-go-tuf).
+ * [#1122221](https://bugs.debian.org/1122221) filed against [`php-dompdf`](https://tracker.debian.org/pkg/php-dompdf).
+ * [#1122222](https://bugs.debian.org/1122222) filed against [`golang-github-viant-toolbox`](https://tracker.debian.org/pkg/golang-github-viant-toolbox).
+ * [#1122223](https://bugs.debian.org/1122223) filed against [`microbiomeutil`](https://tracker.debian.org/pkg/microbiomeutil).
+ * [#1122224](https://bugs.debian.org/1122224) filed against [`python-openstep-plist`](https://tracker.debian.org/pkg/python-openstep-plist).
+ * [#1122225](https://bugs.debian.org/1122225) filed against [`rust-xdg`](https://tracker.debian.org/pkg/rust-xdg).
+ * [#1122226](https://bugs.debian.org/1122226) filed against [`bibtexparser`](https://tracker.debian.org/pkg/bibtexparser).
+ * [#1122227](https://bugs.debian.org/1122227) filed against [`plyara`](https://tracker.debian.org/pkg/plyara).
+ * [#1122228](https://bugs.debian.org/1122228) filed against [`golang-github-valyala-fasthttp`](https://tracker.debian.org/pkg/golang-github-valyala-fasthttp).
+ * [#1122229](https://bugs.debian.org/1122229) filed against [`golang-github-issue9-identicon`](https://tracker.debian.org/pkg/golang-github-issue9-identicon).
+ * [#1122230](https://bugs.debian.org/1122230) filed against [`golang-github-cue-lang-cue`](https://tracker.debian.org/pkg/golang-github-cue-lang-cue).
+ * [#1122231](https://bugs.debian.org/1122231) filed against [`sigstore-go`](https://tracker.debian.org/pkg/sigstore-go).
+ * [#1122232](https://bugs.debian.org/1122232) filed against [`golang-github-apptainer-sif`](https://tracker.debian.org/pkg/golang-github-apptainer-sif).
+ * [#1122376](https://bugs.debian.org/1122376) filed against [`golang-github-gin-gonic-gin`](https://tracker.debian.org/pkg/golang-github-gin-gonic-gin).
+ * [#1122383](https://bugs.debian.org/1122383) filed against [`rust-rustpython-parser`](https://tracker.debian.org/pkg/rust-rustpython-parser).
+ * [#1122384](https://bugs.debian.org/1122384) filed against [`golang-github-reviewdog-errorformat`](https://tracker.debian.org/pkg/golang-github-reviewdog-errorformat).
+ * [#1122385](https://bugs.debian.org/1122385) filed against [`geoalchemy2`](https://tracker.debian.org/pkg/geoalchemy2).
+ * [#1122386](https://bugs.debian.org/1122386) filed against [`golang-github-shenwei356-breader`](https://tracker.debian.org/pkg/golang-github-shenwei356-breader).
+ * [#1122388](https://bugs.debian.org/1122388) filed against [`golang-github-ulikunitz-xz`](https://tracker.debian.org/pkg/golang-github-ulikunitz-xz).
+ * [#1122389](https://bugs.debian.org/1122389) filed against [`golang-mvdan-editorconfig`](https://tracker.debian.org/pkg/golang-mvdan-editorconfig).
+ * [#1122390](https://bugs.debian.org/1122390) filed against [`golang-github-digitorus-timestamp`](https://tracker.debian.org/pkg/golang-github-digitorus-timestamp).
+ * [#1122392](https://bugs.debian.org/1122392) filed against [`golang-forgejo-forgejo-levelqueue`](https://tracker.debian.org/pkg/golang-forgejo-forgejo-levelqueue).
+ * [#1122816](https://bugs.debian.org/1122816) filed against [`golang-github-kr-binarydist`](https://tracker.debian.org/pkg/golang-github-kr-binarydist).
+ * [#1122817](https://bugs.debian.org/1122817) filed against [`golang-github-kshedden-dstream`](https://tracker.debian.org/pkg/golang-github-kshedden-dstream).
+ * [#1122818](https://bugs.debian.org/1122818) filed against [`golang-github-google-go-pkcs11`](https://tracker.debian.org/pkg/golang-github-google-go-pkcs11).
+ * [#1122819](https://bugs.debian.org/1122819) filed against [`golang-github-akavel-rsrc`](https://tracker.debian.org/pkg/golang-github-akavel-rsrc).
+ * [#1122820](https://bugs.debian.org/1122820) filed against [`golang-github-go-macaron-toolbox`](https://tracker.debian.org/pkg/golang-github-go-macaron-toolbox).
+ * [#1122821](https://bugs.debian.org/1122821) filed against [`golang-goptlib`](https://tracker.debian.org/pkg/golang-goptlib).
+ * [#1122822](https://bugs.debian.org/1122822) filed against [`golang-github-dreamitgetit-statuscake`](https://tracker.debian.org/pkg/golang-github-dreamitgetit-statuscake).
+ * [#1122824](https://bugs.debian.org/1122824) filed against [`golang-github-google-go-attestation`](https://tracker.debian.org/pkg/golang-github-google-go-attestation).
+ * [#1122999](https://bugs.debian.org/1122999) filed against [`python-pyshortcuts`](https://tracker.debian.org/pkg/python-pyshortcuts).
+ * [#1123002](https://bugs.debian.org/1123002) filed against [`graudit`](https://tracker.debian.org/pkg/graudit).
+ * [#1123003](https://bugs.debian.org/1123003) filed against [`golang-github-roaringbitmap-roaring`](https://tracker.debian.org/pkg/golang-github-roaringbitmap-roaring).
+ * [#1123004](https://bugs.debian.org/1123004) filed against [`golang-github-linkedin-goavro`](https://tracker.debian.org/pkg/golang-github-linkedin-goavro).
+ * [#1123005](https://bugs.debian.org/1123005) filed against [`golang-github-cznic-ql`](https://tracker.debian.org/pkg/golang-github-cznic-ql).
+ * [#1123006](https://bugs.debian.org/1123006) filed against [`golang-github-muesli-termenv`](https://tracker.debian.org/pkg/golang-github-muesli-termenv).
+ * [#1123007](https://bugs.debian.org/1123007) filed against [`golang-github-jung-kurt-gofpdf`](https://tracker.debian.org/pkg/golang-github-jung-kurt-gofpdf).
+ * [#1123008](https://bugs.debian.org/1123008) filed against [`tdiary`](https://tracker.debian.org/pkg/tdiary).
+ * [#1123603](https://bugs.debian.org/1123603) filed against [`authselect`](https://tracker.debian.org/pkg/authselect).
+ * [#1123663](https://bugs.debian.org/1123663) filed against [`node-convert-source-map`](https://tracker.debian.org/pkg/node-convert-source-map).
+ * [#1123664](https://bugs.debian.org/1123664) filed against [`zope.deferredimport`](https://tracker.debian.org/pkg/zope.deferredimport).
+ * [#1124271](https://bugs.debian.org/1124271) filed against [`golang-k8s-apimachinery`](https://tracker.debian.org/pkg/golang-k8s-apimachinery).
+
+<br>
+<br>
+
+Finally, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
-Bernhard M. Wiedemann posted another [**openSUSE**](https://www.opensuse.org/) [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/2KUFWETJ5NAKCGNDVZJZVNVYTU2VAZ6D/) for his work there.
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
=====================================
images/reports/2025-12/1-s2.0-S2214212625003606-main.png
=====================================
Binary files /dev/null and b/images/reports/2025-12/1-s2.0-S2214212625003606-main.png differ
=====================================
images/reports/2025-12/2505.png
=====================================
Binary files /dev/null and b/images/reports/2025-12/2505.png differ
=====================================
images/reports/2025-12/Causes_and_Canonicalization_of_Unreproducible_Builds_in_Java.png
=====================================
Binary files /dev/null and b/images/reports/2025-12/Causes_and_Canonicalization_of_Unreproducible_Builds_in_Java.png differ
=====================================
images/reports/2025-12/debian.png
=====================================
Binary files /dev/null and b/images/reports/2025-12/debian.png differ
=====================================
images/reports/2025-10/guix.png → images/reports/2025-12/guix.png
=====================================
=====================================
images/reports/2025-12/nixos.png
=====================================
Binary files /dev/null and b/images/reports/2025-12/nixos.png differ
=====================================
images/reports/2025-12/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2025-12/opensuse.png differ
=====================================
images/reports/2025-12/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2025-12/reproducible-builds.png differ
=====================================
images/reports/2025-12/stampdalf.png
=====================================
Binary files /dev/null and b/images/reports/2025-12/stampdalf.png differ
=====================================
images/reports/2025-12/website.png
=====================================
Binary files /dev/null and b/images/reports/2025-12/website.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/c82cb07721385dd14a916a1ac83e173716b3ef05
--
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/c82cb07721385dd14a916a1ac83e173716b3ef05
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20260106/e85d959b/attachment.htm>
More information about the rb-commits
mailing list