[Git][reproducible-builds/reproducible-website][master] published as https://reproducible-builds.org/reports/2026-05/

Chris Lamb (@lamby) gitlab at salsa.debian.org
Thu Jun 4 19:12:25 UTC 2026



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
f9dc514d by Chris Lamb at 2026-06-04T12:12:15-07:00
published as https://reproducible-builds.org/reports/2026-05/

- - - - -


1 changed file:

- _reports/2026-05.md


Changes:

=====================================
_reports/2026-05.md
=====================================
@@ -3,7 +3,8 @@ layout: report
 year: "2026"
 month: "05"
 title: "Reproducible Builds in May 2026"
-draft: true
+draft: false
+date: 2026-06-04 19:12:15
 ---
 
 [![]({{ "/images/reports/2026-05/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
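Review bot: the added `date: 2026-06-04 19:12:15` line in the front matter carries no timezone offset. The value matches the commit timestamp (12:12:15-07:00) expressed in UTC, but nothing on the line says so, and without an offset the interpretation depends on the timezone of the site configuration or build host. Suggest writing it as `date: 2026-06-04 19:12:15 +0000` so the published time is unambiguous.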
@@ -13,28 +14,23 @@ draft: true
 
 These reports outline what we've been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
 
-<!--
-
 In this month's report, we cover:
 
-0. (Automatically generated prior to release.)
-
--->
+0. [Debian to ship reproducible packages in *forky* and beyond](#debian-to-ship-reproducible-packages-in-forky-and-beyond)
+0. [Holger Levsen on reproducing official Debian packages](#holger-levsen-on-reproducing-official-debian-packages)
+0. [Reproducible Builds 2026 summit to be held in Gothenburg, Sweden](#reproducible-builds-2026-summit-to-be-held-in-gothenburg-sweden)
+0. [*Kettle: Attested Builds for Verifiable Software*](#kettle-attested-builds-for-verifiable-software)
+0. [New *rebuilderd* version announced](#new-rebuilderd-version-announced)
+0. [Reproducible open source messengers](#reproducible-open-source-messengers)
+0. [Distribution work](#distribution-work)
+0. [Misc news](#misc-news)
+0. [Patches](#patches)
+0. [Documentation updates](#documentation-updates)
 
 ---
 
 <br>
 
-### Reproducible Builds summit 2026 in Gothenburg, Sweden
-
-As preliminary announced in [March 2026](https://lists.reproducible-builds.org/pipermail/rb-general/2026-March/004060.html)
-we will be having our yearly Reproducible Builds summit 2026 in Gothenburg Sweden, from September 22 
-until 24, followed by two days of hacking!
-
-Further information will be provided on our website and the [rb-general mailinglist](https://lists.reproducible-builds.org/listinfo/rb-general) very soon.
-
-<br>
-
 ### Debian to ship reproducible packages in *forky* and beyond
 
 [![]({{ "/images/reports/2026-05/debian-lg.png#right" | relative_url }})](https://lists.debian.org/debian-devel-announce/2026/05/msg00001.html)
@@ -43,9 +39,7 @@ In a huge change in Debian's reproducibility policy, the [Debian Release Team an
 
 > … we've decided it's time to say that **Debian must ship reproducible packages**. Since yesterday, we have enabled our migration software to block migration of new packages that can't be reproduced [on [*reproduce.debian.net*](on https://reproduce.debian.net/)] or existing packages in *testing* that regress in reproducibility.
 
-That is to say, if newly-uploaded packages are not reproducible, they won't be considered candidates for inclusion in the next stable release of Debian codenamed *forky*.
-
-[FIXME: further clarifications about exceptions during the forky release cycle](https://lists.debian.org/debian-devel/2026/05/msg00383.html)
+That is to say, if newly-uploaded packages are not reproducible, they won't be considered candidates for inclusion in the next stable release of Debian codenamed *forky*. ([Some exceptions may be granted](https://lists.debian.org/debian-devel/2026/05/msg00383.html).)
 
 This news generated a number of articles and comments in various news outlets:
 
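Review bot: the quoted Release Team line kept as context in this hunk contains a malformed link, `[on [*reproduce.debian.net*](on https://reproduce.debian.net/)]`. The stray "on " sits inside the link target, so the URL will not resolve as intended. Since this commit flips the report from draft to published, it is worth fixing here by dropping the "on " from the parenthesised target.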
@@ -59,9 +53,9 @@ This news generated a number of articles and comments in various news outlets:
 
 ### Holger Levsen on reproducing official Debian packages
 
-FIXME: this (previous paragraph) was also announced when...
+Reproducible Builds developer Holger Levsen gave a talk at the [2026 Hamburg MiniDebconf](https://hamburg2026.mini.debconf.org/) this year on the topic of [*reproduce.debian.net - reproducing what is distributed from ftp.d.o*](https://hamburg2026.mini.debconf.org/talks/13-reproducedebiannet-reproducing-what-is-distributed-from-ftpdo/).
 
-Reproducible Builds developer Holger Levsen gave a talk at the [2026 Hamburg MiniDebconf](https://hamburg2026.mini.debconf.org/) this year on the topic of [*reproduce.debian.net - reproducing what is distributed from ftp.d.o*](https://hamburg2026.mini.debconf.org/talks/13-reproducedebiannet-reproducing-what-is-distributed-from-ftpdo/) — that is to say, moving away from testing whether a package is reproducible in a *theoretical* sense (eg. whether we can build it twice in different environments and achieve the same result in our test system), and attempting to reproduce the same `.deb` files in the official Debian archive itself. This small-sounding distinction is actually essential, as this is the only means through which the reproducible builds technique can determine whether build systems are compromised are not.
+Holger's talk announced that Debian intends to ship only reproducible packages in *forky* and beyond (see above), but also talked more broadly about reproducible builds, our testing framework and the Debian archive. That is to say, moving away from testing whether a package is reproducible in a *theoretical* sense (eg. whether we can build it twice in different environments and achieve the same result in our test system), and attempting to reproduce the same `.deb` files in the official Debian archive itself. This small-sounding distinction is actually essential, as this is the only means through which the reproducible builds technique can determine whether build systems are compromised are not.
 
 [![]({{ "/images/reports/2026-05/holger-talk.png#center" | relative_url }})](https://chuangtzu.ftp.acc.umu.se/pub/debian-meetings/2026/MiniDebConf-Hamburg/hamburg2026-37-reproducedebiannet-reproducing-what-is-distributed-from-ftpdo.av1.webm)
 
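Review bot: the rewritten second paragraph still ends with "whether build systems are compromised are not", which should read "or not". This is the sentence that states why reproducing the archive's own `.deb` files matters, so it deserves to be correct. In addition, now that the paragraph has been split, "That is to say, moving away from testing whether a package is reproducible in a *theoretical* sense ..." no longer follows the talk title it was glossing and reads as a sentence fragment; consider giving it a subject.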
@@ -69,6 +63,14 @@ A [video](https://meetings-archive.debian.net/pub/debian-meetings/2026/MiniDebCo
 
 <br>
 
+### Reproducible Builds 2026 summit to be held in Gothenburg, Sweden
+
+As initially announced in [March 2026](https://lists.reproducible-builds.org/pipermail/rb-general/2026-March/004060.html), we will be having our yearly Reproducible Builds summit 2026 in Gothenburg Sweden, from September 22 until 24, followed by two days of hacking!
+
+Further information will be provided on our website and [on the *rb-general* mailing list](https://lists.reproducible-builds.org/listinfo/rb-general) very soon.
+
+<br>
+
 ### *Kettle: Attested Builds for Verifiable Software*
 
 [![]({{ "/images/reports/2026-05/2605.png#right" | relative_url }})](https://arxiv.org/abs/2605.08363)
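Review bot: in the relocated summit paragraph, "in Gothenburg Sweden" is missing the comma that the new heading uses ("Gothenburg, Sweden"), and "from September 22 until 24" would read more naturally as "from September 22 to 24". Both are wording nits only; the new heading text does match the anchor added to the table of contents earlier in this commit.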
@@ -116,7 +118,7 @@ yourself familiar with the [breaking changes in v0.26.0](https://github.com/kpcy
 
 [![]({{ "/images/reports/2026-05/BarbossHack.png#right" | relative_url }})](https://github.com/BarbossHack/reproducible)
 
-GitHub developer *BarbossHack* is [maintaining an repository/page on GitHub](https://github.com/BarbossHack/reproducible) to "track reproducibility status of open source messengers":
+GitHub developer *BarbossHack* is [maintaining an repository/page on GitHub](https://github.com/BarbossHack/reproducible) to "track reproducibility status of open source messengers".
 
 <br>
 
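Review bot: the changed line fixes the trailing punctuation but keeps "maintaining an repository/page on GitHub", which should be "a repository". While touching the line, "repository/page" could also be reduced to just "repository", since the link target is the repository itself.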
@@ -124,27 +126,15 @@ GitHub developer *BarbossHack* is [maintaining an repository/page on GitHub](htt
 
 [![]({{ "/images/reports/2026-05/debian.png#right" | relative_url }})](https://debian.org/)
 
-In **Debian** this month:
-
-* The [`loong64` architecture was added to *reproduce.debian.net*](https://loong64.reproduce.debian.net). This is a 64-bit Reduced Instruction Set Computer (RISC) instruction set architecture developed by [Loongson](https://en.wikipedia.org/wiki/Loongson).
+In **Debian** this month, the [`loong64` architecture was added to *reproduce.debian.net*](https://loong64.reproduce.debian.net). This is a 64-bit Reduced Instruction Set Computer (RISC) instruction set architecture developed by [Loongson](https://en.wikipedia.org/wiki/Loongson).
 
-* 40 reviews of Debian packages were added, 68 were updated and 75 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). A number of issue types were updated, such as the addition of a new `sphinx_reading_durations` toolchain issue [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/ffb83115)], a `golang_mango_generates_manpages_with_build_date` issue [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/de1c015b)] and a `random_offset_id_in_cython_linetrace` [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/b99f0ae7)]. In addition, the `timestamps_in_qhc` issue was "refocused" to `timestamps_in_qhc` [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/f3bbf1a8)].
+Vagrant Cascadian performed [Non-Maintainer Uploads](https://wiki.debian.org/NonMaintainerUpload) (NMUs) in Debian for several packages with outstanding patches over a year old. These included [`rocdbgapi`](https://browse.dgit.debian.org/rocdbgapi.git/commit/?id=46edda9ca57c482aff561cff7b20e074c9f0d442), [`onevpl-intel-gpu`](https://salsa.debian.org/debian/onevpl-intel-gpu/-/commit/d361dc68bcf4bb92c192af1f20b2878fbcc297f3), [`python-pytest-shell-utilities`](https://browse.dgit.debian.org/python-pytest-shell-utilities.git/commit/?id=326ae9029fd93ffb10a497b9fc99f8e9f62356c6), [`python-mt-940`](https://browse.dgit.debian.org/python-mt-940.git/commit/?id=da6105767e8c7922cd279bc07da1e5f576c9e2a5) and [`pympress`](https://browse.dgit.debian.org/pympress.git/commit/?id=c7fbef54dd54a5fec826f4aa492a3832dfd062c9).
 
-Vagrant Cascadian performed [Non-Maintainer Uploads](https://wiki.debian.org/NonMaintainerUpload) (NMUs) in Debian
-for several packages with outstanding patches over a year old
-[rocdbgapi](https://browse.dgit.debian.org/rocdbgapi.git/commit/?id=46edda9ca57c482aff561cff7b20e074c9f0d442),
-[onevpl-intel-gpu](https://salsa.debian.org/debian/onevpl-intel-gpu/-/commit/d361dc68bcf4bb92c192af1f20b2878fbcc297f3),
-[python-pytest-shell-utilities](https://browse.dgit.debian.org/python-pytest-shell-utilities.git/commit/?id=326ae9029fd93ffb10a497b9fc99f8e9f62356c6),
-[python-mt-940](https://browse.dgit.debian.org/python-mt-940.git/commit/?id=da6105767e8c7922cd279bc07da1e5f576c9e2a5)
-and
-[pympress](https://browse.dgit.debian.org/pympress.git/commit/?id=c7fbef54dd54a5fec826f4aa492a3832dfd062c9)
+On *tests.reproducible-builds.org*, Vagrant Cascadian [fixed the huge spike in build failures by adding `passwd` to the base tarballs](https://salsa.debian.org/qa/jenkins.debian.net/-/commit/a741f156dff8dd2f2a0b6531756865c958ef7fd7), and [re-enabled building `gcc` and `binutils` packages with PGO (Profile Guided Optimization) and LTO (Link Time Optimization)](https://salsa.debian.org/qa/jenkins.debian.net/-/commit/1352171fa9f9fb9460ed0cb66befc0f65fb4f51b) to avoid giving a false sense of reproducibility.
 
-On tests.reproducible-builds.org Vagrant Cascadian [fixed the huge spike in build failures by adding "passwd" to the base tarballs](https://salsa.debian.org/qa/jenkins.debian.net/-/commit/a741f156dff8dd2f2a0b6531756865c958ef7fd7) and
-[re-enabled building gcc and binutils packages with PGO (Profile Guided Optimization) and LTO (Link Time Optimization)](https://salsa.debian.org/qa/jenkins.debian.net/-/commit/1352171fa9f9fb9460ed0cb66befc0f65fb4f51b),
-on tests.reproducible-builds.org to avoid giving a false sense of reproducibility.
+[Inconsistencies on the reproducibility of the condor package](https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20260518/015547.html) were brought up on the Debian *reproducible-builds* mailing list. Following a hunch, Vagrant Cascadian eventually [identified the issue was related to embedded kernel versions](https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20260518/015550.html) which was [then fixed upstream](https://github.com/htcondor/htcondor/pull/4500) and [fixed in Debian](https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20260525/015558.html) as well.
 
-[Inconsistencies on the reproducibility of the condor package](https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20260518/015547.html)
-were brought up on the the Debian reproducible-builds mailing list. Following a hunch, Vagrant Cascadian eventually identified the issue was related to [embedded kernel versions](https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20260518/015550.html) and was [fixed upstream](https://github.com/htcondor/htcondor/pull/4500) and also [fixed in Debian](https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20260525/015558.html).
+Lastly, 40 reviews of Debian packages were added, 68 were updated and 75 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). A number of issue types were updated, such as the addition of a new `sphinx_reading_durations` toolchain issue [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/ffb83115)], a `golang_mango_generates_manpages_with_build_date` issue [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/de1c015b)] and a `random_offset_id_in_cython_linetrace` [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/b99f0ae7)]. In addition, the `timestamps_in_qhc` issue was "refocused" to `timestamps_in_qhc` [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/f3bbf1a8)].
 
 <br>
 
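Review bot: in the "Lastly, 40 reviews ..." paragraph, the final sentence says the `timestamps_in_qhc` issue was "refocused" to `timestamps_in_qhc`, i.e. the old and new names are identical. The sentence was moved unchanged from the removed bullet, so the error predates this commit, but one of the two names is presumably wrong; please check the linked reproducible-notes commit (f3bbf1a8) and correct it before publication. Separately, in the condor paragraph, "identified the issue was related to embedded kernel versions which was then fixed upstream" would read better with "identified that" and a comma before "which".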



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/f9dc514d179d2f591c113ac62191e09559ae5531
