[Git][reproducible-builds/reproducible-website][master] 2026-05: Initial draft
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Tue Jun 2 19:26:28 UTC 2026
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
e0e2cd55 by Chris Lamb at 2026-06-02T12:26:13-07:00
2026-05: Initial draft
- - - - -
12 changed files:
- _reports/2026-05.md
- + images/reports/2026-05/2605.png
- + images/reports/2026-05/BarbossHack.png
- + images/reports/2026-05/debian-lg.png
- + images/reports/2026-05/debian.png
- + images/reports/2026-05/diffoscope.png
- + images/reports/2026-05/fedora.png
- + images/reports/2026-05/holger-talk.png
- + images/reports/2026-05/opensuse.png
- + images/reports/2026-05/reproduce.debian.net.png
- + images/reports/2026-05/reproducible-builds.png
- + images/reports/2026-05/website.png
Changes:
=====================================
_reports/2026-05.md
=====================================
@@ -6,39 +6,219 @@ title: "Reproducible Builds in May 2026"
draft: true
---
+[](https://reproducible-builds.org/)
-Debian britney changes:
-
-[FIXME: release team announcement](https://lists.debian.org/debian-devel-announce/2026/05/msg00001.html) and talk by Holger:
- title: reproduce.debian.net - reproducing what is distributed from ftp.d.o
- url: https://hamburg2026.mini.debconf.org/talks/13-reproducedebiannet-reproducing-what-is-distributed-from-ftpdo/
- at MiniDebConf Hamburg 2026
- date: 2026-05-09
- video: url: https://meetings-archive.debian.net/pub/debian-meetings/2026/MiniDebConf-Hamburg/hamburg2026-37-reproducedebiannet-reproducing-what-is-distributed-from-ftpdo.av1.webm
- slides: https://reproducible-builds.org/_lfs/presentations/2026-05-09-Reproducing-Debian-in-the-real-world/
-
-caused several articles:
-* [FIXME](https://lists.debian.org/debian-devel-announce/2026/05/msg00001.html)
-* [FIXME](https://www.phoronix.com/news/Debian-Must-Ship-Reproducible)
-* [FIXME](https://www.theregister.com/oses/2026/05/11/debian-14-cracks-down-on-unreproducible-packages/5238094)
-* [FIXME](https://linuxsecurity.com/features/debian-reproducible-builds)
-* [FIXME](https://www.heise.de/news/Debian-14-Reproduzierbare-Builds-werden-zur-Pflicht-11289259.html)
-* [FIXME](https://lwn.net/Articles/1072314/)
-
-[FIXME: also loong64 was added to reproduce.debian.net](https://loong64.reproduce.debian.net)
-
-Upstream:
- * [nftables](https://git.netfilter.org/nftables/commit/?id=ca86f206c92704170a295b8dc7a41f6448835dde)
-
-Bernhard M. Wiedemann:
- * [`neomutt`](https://github.com/neomutt/neomutt/issues/4877) (FTBFS-2038-01-19)
- * [`ntpsec`](https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1501) (date)
- * [`pacemaker`](https://bugzilla.opensuse.org/show_bug.cgi?id=1265183) (parallelism)
- * [`powerdevil6`](https://build.opensuse.org/request/show/1353945) (parallelism qt-rcc)
- * [`sssd`](https://github.com/SSSD/sssd/pull/8759) (FTBFS-2038)
-
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/62MATHSPIQTAEWXCUN5JOBI2GHC4D54X/)
-* [FIXME](https://arxiv.org/pdf/2605.08363)
-* [FIXME](https://github.com/BarbossHack/reproducible)
-
-* [FIXME: official rebuilderd packaging for fedora](https://bugzilla.redhat.com/show_bug.cgi?id=2482689)
+**Welcome to the May 2026 report from the [Reproducible Builds](https://reproducible-builds.org) project.**
+{: .lead}
+
+These reports outline what we've been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
+
+<!--
+
+In this month's report, we cover:
+
+0. (Automatically generated prior to release.)
+
+-->
+
+---
+
+<br>
+
+### Debian to ship reproducible packages in *forky* and beyond
+
+[](https://lists.debian.org/debian-devel-announce/2026/05/msg00001.html)
+
+In a huge change in Debian's reproducibility policy, the [Debian Release Team announced that](https://lists.debian.org/debian-devel-announce/2026/05/msg00001.html):
+
+> … we've decided it's time to say that **Debian must ship reproducible packages**. Since yesterday, we have enabled our migration software to block migration of new packages that can't be reproduced [on [*reproduce.debian.net*](on https://reproduce.debian.net/)] or existing packages in *testing* that regress in reproducibility.
+
+That is to say, if newly-uploaded packages are not reproducible, they won't be considered candidates for inclusion in the next stable release of Debian codenamed *forky*.
+
+This news generated a number of articles and comments in various news outlets:
+
+* Linux Weekly News (LWN): [*Debian to require reproducible builds*](https://lwn.net/Articles/1072314/)
+* Phoronix: [*Debian Release Team: Debian Must Now Ship Reproducible Packages*][https://www.phoronix.com/news/Debian-Must-Ship-Reproducible]
+* The Register: [*Debian 14 cracks down on unreproducible packages*](https://www.theregister.com/oses/2026/05/11/debian-14-cracks-down-on-unreproducible-packages/5238094)
+* LinuxSecurity.com: [*Debian 14 Makes Reproducible Builds Mandatory for Linux Packages*](https://linuxsecurity.com/features/debian-reproducible-builds)
+* Heise.de: [*Debian macht ernst: Nur noch reproduzierbare Pakete in „testing“*](https://www.heise.de/news/Debian-14-Reproduzierbare-Builds-werden-zur-Pflicht-11289259.html)
+
+<br>
+
+### *Kettle: Attested Builds for Verifiable Software*
+
+[](https://arxiv.org/abs/2605.08363)
+
+André Arko and Amean Asad published a paper this month on [Kettle](https://github.com/lunal-dev/kettle), a build system that "produces cryptographically verifiable provenance for software built inside Trusted Execution Environments":
+
+> A *Kettle* build records the source commit, dependency set, toolchain, build
+> environment and output artifact digests in a provenance document produced
+> inside a measured confidential VM. The SHA-256 digest of that document is
+> committed to the TEE platform’s attestation report-data field, so the
+> hardware-signed attestation report is itself the signature on the provenance,
+> with the signing identity chaining to the TEE manufacturer's root of trust
+> rather than to the build infrastructure operator. Because the CVM image is
+> itself reproducible, its launch measurement is public and stable, which lets
+> a build requester pre-attest the CVM before submitting any input and
+> optionally deliver source over a TLS channel terminated inside it, so the
+> build runs end-to-end confidentially without the host ever seeing source code
+> in plaintext.
+
+A [PDF](https://arxiv.org/pdf/2605.08363) of the paper is available online.
+
+<br>
+
+### Holger Levsen on reproducing official Debian packages
+
+Reproducible Builds developer Holger Levsen gave a talk at the [2026 Hamburg MiniDebconf](https://hamburg2026.mini.debconf.org/) this year on the topic of [*reproduce.debian.net - reproducing what is distributed from ftp.d.o*](https://hamburg2026.mini.debconf.org/talks/13-reproducedebiannet-reproducing-what-is-distributed-from-ftpdo/) — that is to say, moving away from testing whether a package is reproducible in a *theoretical* sense (eg. whether we can build it twice in different environments and achieve the same result in our test system), and attempting to reproduce the same `.deb` files in the official Debian archive itself. This small-sounding distinction is actually essential, as this is the only means through which the reproducible builds technique can determine whether build systems are compromised are not.
+
+[](https://chuangtzu.ftp.acc.umu.se/pub/debian-meetings/2026/MiniDebConf-Hamburg/hamburg2026-37-reproducedebiannet-reproducing-what-is-distributed-from-ftpdo.av1.webm)
+
+A [video](https://meetings-archive.debian.net/pub/debian-meetings/2026/MiniDebConf-Hamburg/hamburg2026-37-reproducedebiannet-reproducing-what-is-distributed-from-ftpdo.av1.webm) (32m37s) of the talk is available, as are [Holger's slides](https://reproducible-builds.org/_lfs/presentations/2026-05-09-Reproducing-Debian-in-the-real-world/).
+
+<br>
+
+### New *rebuilderd* version announced
+
+[](https://reproduce.debian.net)
+
+[**rebuilderd**](https://github.com/kpcyrd/rebuilderd), our server designed monitor the official package repositories of Linux distributions and attempt to reproduce the observed results there; it powers, amongst other things, [*reproduce.debian.net*](https://reproduce.debian.net/).
+
+A new version, [0.27.0](https://github.com/kpcyrd/rebuilderd/releases/tag/v0.27.0), was released this month, with the following headline changes:
+
+* Improved `.udeb` support
+* Breaking changes in pkg sync configuration
+* Manual cleanup needed for Arch Linux instances
+
+As [*kpcyrd*'s announcement mentions](https://lists.reproducible-builds.org/pipermail/rb-general/2026-May/004115.html):
+
+> The new *rebuilderd* package is currently available in the `extra-testing` repository. Note the Arch Linux package is upgraded from `v0.25.0` from `v0.27.0`; please be patient with the database migrations on first restart, and make
+yourself familiar with the [breaking changes in v0.26.0](https://github.com/kpcyrd/rebuilderd/releases/tag/v0.26.0) too.
+
+<br>
+
+### Distribution work
+
+[](https://debian.org/)
+
+In **Debian** this month:
+
+* The [`loong64` architecture was added to *reproduce.debian.net*](https://loong64.reproduce.debian.net). This is a 64-bit Reduced Instruction Set Computer (RISC) instruction set architecture developed by [Loongson](https://en.wikipedia.org/wiki/Loongson).
+
+* 40 reviews of Debian packages were added, 68 were updated and 75 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). A number of issue types were updated, such as the addition of a new `sphinx_reading_durations` toolchain issue [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/ffb83115)], a `golang_mango_generates_manpages_with_build_date` issue [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/de1c015b)] and a `random_offset_id_in_cython_linetrace` [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/b99f0ae7)]. In addition, the `timestamps_in_qhc` issue was "refocused" to `timestamps_in_qhc` [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/f3bbf1a8)].
+
+<br>
+
+[](https://fedoraproject.org/)
+
+In **Fedora**, [Jelle van der Waa submitted a request](https://bugzilla.redhat.com/show_bug.cgi?id=2482689) for an official Fedora [*rebuilderd*](https://github.com/kpcyrd/rebuilderd) package which was reviewed by Neal Gompa.
+
+<br>
+
+[](https://www.opensuse.org/)
+
+Lastly, Bernhard M. Wiedemann posted another [**openSUSE**](https://www.opensuse.org/) [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/62MATHSPIQTAEWXCUN5JOBI2GHC4D54X/) for their reproducibility work there.
+
+<br>
+
+### Misc news
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+
+* *cen* posted an interesting question to our list regarding "[an interesting case of time-based non-reproducibility](https://lists.reproducible-builds.org/pipermail/rb-general/2026-May/004092.html)" after they noticed that [Arch Linux's *rebuilderd* instance reports the `grep` package as being reproducible](https://reproducible.archlinux.org/api/v0/builds/787931/log) whilst [their own is not](https://rebuilderd.xpam.pl:2096/api/v1/builds/416039/log). Although the root cause of the issue is that various "translations are fetched from a remote location during bootstrap", *cen* argues that:
+
+ > Perhaps rebuilderd needs a feature where `GOOD` packages are also periodically rebuilt in exponential back-off style and compared against current upstream build and also our last `GOOD` build. This would confirm whether a package is reproducible if built in a short time window but also help uncover longer time window issues that are currently hidden.
+
+* Reproducible Builds developer *kpcryd* [copied-in our mailing list to an existing email thread](https://lists.reproducible-builds.org/pipermail/rb-general/2026-May/004110.html) that was occurring on Debian bug [#1137357](https://bugs.debian.org/1137357) regarding deterministic signatures in the Rust-based [Sequoia OpenPGP library](https://sequoia-pgp.org/). This generated some very interesting replies, such as [this one by David A. Wheeler](https://lists.reproducible-builds.org/pipermail/rb-general/2026-May/004111.html) on how naïve methods for obtaining determinism in signatures may inadvertently reveal private keys.
+
+* Lastly, David A. Wheeler announced that the [2026 Software Supply Chain Offensive Research and Ecosystem Defenses](https://scored.dev/) (SCORED '26) conference will be held on October 6 2026 in Prague, Czechia. David [specifically notes in their announcement](https://lists.reproducible-builds.org/pipermail/rb-general/2026-May/004114.html) that the conference's Call for Papers (CfP) explicitly includes "Reproducible builds" and that the submission deadline is July 12, 2026.
+
+<br>
+
+### Patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where applicable or possible. This month, we wrote a large number of such patches, including:
+
+* Arnout Engelen (1):
+
+ * [`nftables`](https://git.netfilter.org/nftables/commit/?id=ca86f206c92704170a295b8dc7a41f6448835dde)
+
+* Bernhard M. Wiedemann (5):
+
+ * [`neomutt`](https://github.com/neomutt/neomutt/issues/4877)
+ * [`ntpsec`](https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1501)
+ * [`pacemaker`](https://bugzilla.opensuse.org/show_bug.cgi?id=1265183)
+ * [`powerdevil6`](https://build.opensuse.org/request/show/1353945)
+ * [`sssd`](https://github.com/SSSD/sssd/pull/8759)
+
+* Chris Lamb (23):
+
+ * [#1135692](https://bugs.debian.org/1135692) filed against [`dkimpy`](https://tracker.debian.org/pkg/dkimpy).
+ * [#1135873](https://bugs.debian.org/1135873) filed against [`fortran-stdlib`](https://tracker.debian.org/pkg/fortran-stdlib).
+ * [#1136291](https://bugs.debian.org/1136291) filed against [`powerline`](https://tracker.debian.org/pkg/powerline).
+ * [#1136297](https://bugs.debian.org/1136297) filed against [`pycayennelpp`](https://tracker.debian.org/pkg/pycayennelpp).
+ * [#1136298](https://bugs.debian.org/1136298) filed against [`pycorrfit`](https://tracker.debian.org/pkg/pycorrfit).
+ * [#1136424](https://bugs.debian.org/1136424) filed against [`sphinx-needs`](https://tracker.debian.org/pkg/sphinx-needs).
+ * [#1136425](https://bugs.debian.org/1136425) filed against [`ruby-otr-activerecord`](https://tracker.debian.org/pkg/ruby-otr-activerecord).
+ * [#1136426](https://bugs.debian.org/1136426) filed against [`git-pw`](https://tracker.debian.org/pkg/git-pw).
+ * [#1136427](https://bugs.debian.org/1136427) filed against [`golang-github-akavel-rsrc`](https://tracker.debian.org/pkg/golang-github-akavel-rsrc).
+ * [#1136686](https://bugs.debian.org/1136686) filed against [`pampi`](https://tracker.debian.org/pkg/pampi).
+ * [#1136689](https://bugs.debian.org/1136689) filed against [`libreoffice-dictionaries`](https://tracker.debian.org/pkg/libreoffice-dictionaries).
+ * [#1137016](https://bugs.debian.org/1137016) filed against [`vnu`](https://tracker.debian.org/pkg/vnu).
+ * [#1137017](https://bugs.debian.org/1137017) filed against [`golang-github-shirou-gopsutil`](https://tracker.debian.org/pkg/golang-github-shirou-gopsutil).
+ * [#1137018](https://bugs.debian.org/1137018) filed against [`javacc5`](https://tracker.debian.org/pkg/javacc5).
+ * [#1137019](https://bugs.debian.org/1137019) filed against [`rssguard`](https://tracker.debian.org/pkg/rssguard).
+ * [#1137204](https://bugs.debian.org/1137204) filed against [`golang-github-containerd-accelerated-container-image`](https://tracker.debian.org/pkg/golang-github-containerd-accelerated-container-image).
+ * [#1137335](https://bugs.debian.org/1137335) filed against [`docker-credential-gcr`](https://tracker.debian.org/pkg/docker-credential-gcr).
+ * [#1137336](https://bugs.debian.org/1137336) filed against [`xpenguins`](https://tracker.debian.org/pkg/xpenguins).
+ * [#1138232](https://bugs.debian.org/1138232) filed against [`cairocffi`](https://tracker.debian.org/pkg/cairocffi).
+ * [#1138639](https://bugs.debian.org/1138639) filed against [`meshy`](https://tracker.debian.org/pkg/meshy).
+ * [#1138640](https://bugs.debian.org/1138640) filed against [`bingo`](https://tracker.debian.org/pkg/bingo).
+ * [#1138641](https://bugs.debian.org/1138641) filed against [`golang-github-cyclonedx-cyclonedx-go`](https://tracker.debian.org/pkg/golang-github-cyclonedx-cyclonedx-go).
+ * [#1138642](https://bugs.debian.org/1138642) filed against [`nfstest`](https://tracker.debian.org/pkg/nfstest).
+
+* Paul Gevers (1):
+
+ * [#1136939](https://bugs.debian.org/1136939) filed against [`mandos`](https://tracker.debian.org/pkg/mandos).
+
+* Vagrant Cascadian (2):
+
+ * [#1138608](https://bugs.debian.org/1138608) and [#1138611](https://bugs.debian.org/1138611) filed against [`grub2`](https://tracker.debian.org/pkg/grub2).
+
+<br>
+
+### Documentation updates
+
+[]({{ "/" | relative_url }})
+
+* Chris Lamb:
+
+ * Added a missing `+` (plus sign) to the [GNU Autotools](https://en.wikipedia.org/wiki/GNU_Autotools) example on the [`SOURCE_DATE_EPOCH` documentation page]({{ "/docs/source-date-epoch/" | relative_url }}). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5bb3ebd9)]
+
+* Mattia Rizzolo:
+
+ * Made a number of chnages to the [*2026 Gothenberg Summit*]({{ "/events/gothenburg2026/" | relative_url }}) event page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/83040792)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/88ceb66e)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/edce4638)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d0cce962)]
+
+<br>
+
+### Reproducible open source messengers
+
+[](https://github.com/BarbossHack/reproducible)
+
+GitHub developer *BarbossHack* is [maintaining an repository/page on GitHub](https://github.com/BarbossHack/reproducible) to "track reproducibility status of open source messengers":
+
+<br>
+<br>
+
+
+
+<br>
+<br>
+
+Finally, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
+
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
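Review bot: several link and wording defects in the new report body will render incorrectly or read wrong as committed. The Phoronix entry in the Debian section wraps the URL in square brackets, `[*Debian Release Team: Debian Must Now Ship Reproducible Packages*][https://www.phoronix.com/news/Debian-Must-Ship-Reproducible]`, so Markdown will not emit a link; the second bracket pair should be parentheses. In the quoted Release Team announcement the link target `(on https://reproduce.debian.net/)` carries a stray `on ` inside the parentheses, which breaks the URL. The opening sentence of the *rebuilderd* section has no main verb and drops a word: "our server designed monitor the official package repositories" should read "is our server designed to monitor the official package repositories". In the Holger Levsen section, "whether build systems are compromised are not" should be "compromised or not", "eg." should be "e.g.", and the image link points at chuangtzu.ftp.acc.umu.se while the video link two lines later points at meetings-archive.debian.net; these should probably agree. In the Debian distribution-work item, the `timestamps_in_qhc` issue is described as being "refocused" to `timestamps_in_qhc`, the same name twice, so one of the two is wrong; please check against the linked reproducible-notes commit. The kpcyrd quote reads "upgraded from `v0.25.0` from `v0.27.0`", presumably "to `v0.27.0`"; verify against the linked announcement before altering quoted text. Typos: *kpcryd* in the Misc news section (spelled *kpcyrd* elsewhere on the page), "chnages" under Documentation updates, "Gothenberg" where the event URL uses gothenburg2026, and "maintaining an repository/page" in the messengers section. That last section also ends in a colon followed only by `<br>` tags and blank lines, so the content the colon introduces (presumably the BarbossHack.png screenshot added by this commit) appears to be missing.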
=====================================
images/reports/2026-05/2605.png
=====================================
Binary files /dev/null and b/images/reports/2026-05/2605.png differ
=====================================
images/reports/2026-05/BarbossHack.png
=====================================
Binary files /dev/null and b/images/reports/2026-05/BarbossHack.png differ
=====================================
images/reports/2026-05/debian-lg.png
=====================================
Binary files /dev/null and b/images/reports/2026-05/debian-lg.png differ
=====================================
images/reports/2026-05/debian.png
=====================================
Binary files /dev/null and b/images/reports/2026-05/debian.png differ
=====================================
images/reports/2026-05/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2026-05/diffoscope.png differ
=====================================
images/reports/2026-05/fedora.png
=====================================
Binary files /dev/null and b/images/reports/2026-05/fedora.png differ
=====================================
images/reports/2026-05/holger-talk.png
=====================================
Binary files /dev/null and b/images/reports/2026-05/holger-talk.png differ
=====================================
images/reports/2026-05/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2026-05/opensuse.png differ
=====================================
images/reports/2026-05/reproduce.debian.net.png
=====================================
Binary files /dev/null and b/images/reports/2026-05/reproduce.debian.net.png differ
=====================================
images/reports/2026-05/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2026-05/reproducible-builds.png differ
=====================================
images/reports/2026-05/website.png
=====================================
Binary files /dev/null and b/images/reports/2026-05/website.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/e0e2cd5521bd0b0640278c47d48b035afd68d5ac