[Git][reproducible-builds/reproducible-website][master] 2026-02: Initial draft

Chris Lamb (@lamby) gitlab at salsa.debian.org
Tue Mar 10 18:51:15 UTC 2026



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
a20c76ce by Chris Lamb at 2026-03-10T11:50:51-07:00
2026-02: Initial draft

- - - - -


11 changed files:

- _reports/2026-02.md
- + images/reports/2026-02/2601.20662.png
- + images/reports/2026-02/2602.11887.png
- + images/reports/2026-02/2602.17678.png
- + images/reports/2026-02/2602.19383.png
- + images/reports/2026-02/debian.png
- + images/reports/2026-02/diffoscope.png
- + images/reports/2026-02/opensuse.png
- + images/reports/2026-02/reproduce.debian.net.png
- + images/reports/2026-02/reproducible-builds.png
- + images/reports/2026-02/website.png


Changes:

=====================================
_reports/2026-02.md
=====================================
@@ -6,46 +6,197 @@ title: "Reproducible Builds in February 2026"
 draft: true
 ---
 
-* [FIXME](https://arxiv.org/pdf/2601.20662)
+**Welcome to the February 2026 report from the [Reproducible Builds](https://reproducible-builds.org) project!**
+{: .lead}
 
-* FIXME: https://gitlab.gnome.org/GNOME/gnome-clocks/-/issues/436 gnome-clocks 50.beta has regressed in reproducibility compared to 49.0 as detected by https://reproduce.debian.net/.
+[![]({{ "/images/reports/2026-02/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
 
-* [FIXME](https://arxiv.org/pdf/2602.11887)
+These reports outline what we've been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
 
-* https://tracker.debian.org/pkg/debsbom-toolkit was uploaded to unstable, shipping two binary packages:
-	debsbom (0.6.2-1) -SBOM generator for Debian-based distributions (tool)
-		debsbom generates SBOMs (Software Bill of Materials) for distributions based on Debian in the two standard formats SPDX and CycloneDX.
-		The generated SBOM includes all installed binary packages and also contains Debian Source packages.
-		This package contains the debsbom CLI. 
-	python-debsbom-doc - This package contains the documentation for debsbom.  
+---
+
+### [*reproduce.debian.net*](https://reproduce.debian.net/)
+
+[![]({{ "/images/reports/2026-02/reproduce.debian.net.png#right" | relative_url }})](https://reproduce.debian.net)
+
+The year has seen the introduction, development and deployment of [*reproduce.debian.net*](https://reproduce.debian.net). In technical terms, this is an instance of [*rebuilderd*](https://github.com/kpcyrd/rebuilderd), our server designed monitor the official package repositories of Linux distributions and attempt to reproduce the observed results there.
+
+This month, however, Holger Levsen added suite-based navigation (eg. Debian *trixie* vs *forky*) to the service (in addition to the already existing architecture based navigation) which can be observed on, for instance, the [Debian *trixie-backports*](https://reproduce.debian.net/trixie-backports.html) or [*trixie-security*](https://reproduce.debian.net/trixie-security.html) pages.
+
+<br>
+
+### Tool development
+
+[![]({{ "/images/reports/2026-02/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
+
+[**diffoscope**](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes, including preparing and uploading versions, [`312`](https://tracker.debian.org/news/1713576/accepted-diffoscope-312-source-into-unstable/) and [`313`](https://tracker.debian.org/news/1719459/accepted-diffoscope-313-source-into-unstable/) to Debian.
+
+In particular, Chris updated the post-release deployment pipeline to ensure that the pipeline does not fail if the automatic deployment to [PyPI](https://pypi.org/) fails [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/3beea8cb)]. In addition, Vagrant Cascadian updated an external reference for the `7z` tool for [GNU Guix](https://guix.gnu.org/). [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/a826a008)]
+
+<br>
+
+### Distribution work
+
+[![]({{ "/images/reports/2026-02/debian.png#right" | relative_url }})](https://debian.org/)
+
+In Debian this month:
+
+* 26 reviews of Debian packages were added, 5 were updated and 19 were removed this month adding to [our extensive knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
+
+* A new [*debsbom*](https://tracker.debian.org/pkg/debsbom-toolkit) package was uploaded to *unstable*. According to the package description, this package "generates SBOMs (Software Bill of Materials) for distributions based on Debian in the two standard formats, SPDX and CycloneDX. The generated SBOM includes all installed binary packages and also contains Debian Source packages."
+
+* In addition, a [`sbom-toolkit`](https://tracker.debian.org/pkg/sbom-toolkit) package was uploaded, which "provides a collection of scripts for generating SBOM. This is the tooling used in [Apertis to generate the Licenses SBOM and the Build Dependency SBOM](https://www.apertis.org/architecture/platform/software_bill_of_materials/). It also includes `dh-setup-copyright`, a [Debhelper](https://wiki.debian.org/Debhelper) addon to generate SBOMs from [DWARF debug information](https://en.wikipedia.org/wiki/DWARF), which are "extracted from DWARF debug information by running `dwarf2sources` on every ELF binaries in the package and saving the output."
+
+[![]({{ "/images/reports/2026-02/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
+
+Lastly, Bernhard M. Wiedemann posted another [**openSUSE**](https://www.opensuse.org/) [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/QH2ULPPQD5U54TEK5OMWLUEFWSGMLIS5/) for their work there.
+
+<br>
+
+### Miscellaneous news
 
-* https://tracker.debian.org/pkg/sbom-toolkit was uploaded to unstable, shipping two binary packages:
-	sbom-toolkit (0.0.20260112) - collection of scripts for generating SBOM
-		This package provides a collection of scripts for generating SBOM. This is the tooling used in Apertis to generate the Licenses SBOM and the Build Dependency SBOM.
-	dh-setup-copyright (0.0.20260112) - debhelper addon to generate SBOM from DWARF debug information
-		dh-setup-copyright is debhelper program that generates the list for source file names used to build every binary and pulls the licenses from any sources part of other packages. The source file list is extracted from DWARF debug information by running dwarf2sources on every ELF binaries in the package and saving the output to /usr/share/doc/<package>. 
+* [Sören Tempel (*nmeum*)](https://notes.8pit.net/) wrote up their insightful notes on [*Debugging Reproducibility Issues in Rust Software*](https://notes.8pit.net/notes/iqfs.html) after nondeterministic issues were [found and investigated for `pimsync` in the GNU Guix review process](https://codeberg.org/guix/guix/pulls/4551#issuecomment-10997750)
 
+* Jeremy Bicha reported a bug in [GNOME Clocks](https://apps.gnome.org/en-GB//Clocks/) after they noticed that [version `50.beta` regressed in reproducibility compared to `49.0`](https://gitlab.gnome.org/GNOME/gnome-clocks/-/issues/436). Specifically, "the new generated `.oga` files differ in their `Serial No.` and `Checksum` [fields]". However, [Jeremy ended up fixing the issue](https://gitlab.gnome.org/GNOME/gnome-clocks/-/commit/dbeb4fa3502a1ab8e05069e24319a9f276f2b4e1) by replacing [`ffmpeg`](https://www.ffmpeg.org/) with [`oggenc`](https://www.rarewares.org/ogg-oggenc.php).
 
-* [FIXME](https://arxiv.org/pdf/2602.17678)
+* *kpcyrd* [shared some information](https://lists.reproducible-builds.org/pipermail/rb-general/2026-February/004022.html) from the [`archlinux-dev-public`](https://lists.archlinux.org/archives/list/arch-dev-public@lists.archlinux.org/) mailing list on our [mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month after a discussion at [our latest Summit meeting]({{ "/events/vienna2025/" | relative_url }}) on the topic of [Link-Time Optimisation](https://llvm.org/docs/LinkTimeOptimization.html) (LTO) — specifically on the reasons [why LTO often needs to be disabled](https://lists.archlinux.org/archives/list/arch-dev-public@lists.archlinux.org/message/BSAAFYOJ3KTYZXACIQ26RP5II4JULLS4/) in relation to [Arch Linux](https://archlinux.org)'s approach to binary hardening.
 
-* [FIXME](https://arxiv.org/pdf/2602.19383)
+* Janneke Nieuwenhuizen [posed a question](https://lists.reproducible-builds.org/pipermail/rb-general/2026-February/004037.html) to our list about whether there might be situations where using the UNIX epoch itself (i.e. `0`) may materially differ from using [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }})) when a situation demands the use of a fixed timestamp.
 
-* FIXME: h01ger added suite based navigation to reproduce.debian.net, in addition to the already existing arch based navigation.
-  an example or a pic says more than a thousand words, so please have a look at https://reproduce.debian.net/trixie-backports.html or https://reproduce.debian.net/trixie-security.html 
+* Laurent Huberdeau [announced that they had recently finished their masters thesis](https://lists.reproducible-builds.org/pipermail/rb-general/2026-February/004031.html) "arguing for the use of [POSIX shell for diverse double-compilation and reproducible builds"](https://umontreal.scholaris.ca/items/2f44323a-9f4f-482a-98be-542d8ee5b9fb). Laurent also presents [`pnut`](https://github.com/udem-dlteam/pnut), a C compiler capable of bootstrapping itself and [TCC](https://en.wikipedia.org/wiki/Tiny_C_Compiler) from "any [POSIX-compliant shell](https://en.wikipedia.org/wiki/Unix_shell#Bourne_shell) and human-readable source files."
 
-* [Debugging Reproducibility Issues in Rust Software](https://notes.8pit.net/notes/iqfs.html)
-    * FIXME non-deterministic issues were found and investigated for pimsync in the review process of adding to guix https://codeberg.org/guix/guix/pulls/4551#issuecomment-10997750
-    * FIXME blogpost is an in-depth writeup of how to troubleshoot Reproducible Rust in general though
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
 
 * Bernhard M. Wiedemann:
-    * [`paracon`](https://build.opensuse.org/request/show/1331443) (gzip -n)
-    * [`python-flake8-comprehensions`](https://build.opensuse.org/request/show/1331718) (%jobs)
-    * [`obs-studio`](https://build.opensuse.org/request/show/1335456) (date)
-    * [`lima`](https://github.com/lima-vm/lima/pull/4561) (gzip -n)
-    * [`meson`](https://github.com/mesonbuild/meson/pull/15529) (toolchain jar mtime for libbluray)
-    * [`pyshark`](https://github.com/KimiNewt/pyshark/issues/747) (FTBFS-random)
-    * [`aiohttp`](https://github.com/aio-libs/aiohttp/pull/12088) (FTBFS-2027)
-    * [`server`](https://github.com/MariaDB/server/pull/4667) (FTBFS-2030)
-    * [`vlang`](https://github.com/vlang/v/issues/26664) (FTBFS-2038)
-
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/QH2ULPPQD5U54TEK5OMWLUEFWSGMLIS5/)
+
+    * [`aiohttp`](https://github.com/aio-libs/aiohttp/pull/12088)
+    * [`lima`](https://github.com/lima-vm/lima/pull/4561)
+    * [`meson`](https://github.com/mesonbuild/meson/pull/15529)
+    * [`obs-studio`](https://build.opensuse.org/request/show/1335456)
+    * [`paracon`](https://build.opensuse.org/request/show/1331443)
+    * [`pyshark`](https://github.com/KimiNewt/pyshark/issues/747)
+    * [`python-flake8-comprehensions`](https://build.opensuse.org/request/show/1331718)
+    * [`server`](https://github.com/MariaDB/server/pull/4667)
+    * [`vlang`](https://github.com/vlang/v/issues/26664)
+
+* Gioele Barabucci:
+
+    * [#1127641](https://bugs.debian.org/1127641) filed against [`bitsnpicas`](https://tracker.debian.org/pkg/bitsnpicas).
+    * [#1127643](https://bugs.debian.org/1127643) filed against [`fonts-topaz-unicode`](https://tracker.debian.org/pkg/fonts-topaz-unicode).
+    * [#1128901](https://bugs.debian.org/1128901) filed against [`bitsnpicas`](https://tracker.debian.org/pkg/bitsnpicas).
+
+<br>
+
+### Documentation updates
+
+[![]({{ "/images/reports/2026-02/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+Once again, there were a number of improvements made to our website this month including:
+
+* Aman Sharma added a Java reproducible builds paper to the [*Academic publications*]({{ "/docs/publications/" | relative_url }}) page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a43a33b3)]
+
+* Chris Lamb added a reference to the [`repro-build`](https://github.com/freedomofpress/repro-build) to the [*Tools*]({{ "/tools/" | relative_url }}) page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c3ae179f)]
+
+* Michiel Hendriks corrected an issue on the [*JVM*]({{ "/docs/jvm/" | relative_url }}) page in relation to `.properties` files. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c77b3931)]
+
+* *kpcyrd* added [Homebrew](https://docs.brew.sh/Reproducible-Builds) to the [*Who is involved*]({{ "/docs/projects/" | relative_url }}) page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/db7a2a97)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/86eae61a)]
+
+<br>
+
+### Four new academic papers
+
+[![]({{ "/images/reports/2026-02/2601.20662.png#right" | relative_url }})](https://arxiv.org/abs/2601.20662)
+
+Julien Malka and Arnout Engelen published a paper titled [*Lila: Decentralized Build Reproducibility Monitoring for the Functional Package Management Model*](https://arxiv.org/abs/2601.20662):
+
+> [While] recent studies have shown that high reproducibility rates are achievable at scale — demonstrated by the Nix ecosystem achieving over 90% reproducibility on more than 80,000 packages — the problem of effective reproducibility monitoring remains largely unsolved. In this work, **we address the reproducibility monitoring challenge by introducing *Lila*, a decentralized system for reproducibility assessment tailored to the functional package management model.** Lila enables distributed reporting of build results and aggregation into a reproducibility database […].
+
+A [PDF](https://arxiv.org/pdf/2601.20662) of their paper is available online.
+
+<br>
+
+[![]({{ "/images/reports/2026-02/2602.11887.png#right" | relative_url }})](https://arxiv.org/abs/2602.11887)
+
+Javier Ron and Martin Monperrus of [KTH Royal Institute of Technology](https://www.kth.se/en), Sweden, also published a paper, titled [*Verifiable Provenance of Software Artifacts with Zero-Knowledge Compilation*](https://arxiv.org/abs/2602.11887):
+
+> Verifying that a compiled binary originates from its claimed source code is a fundamental security requirement, called source code provenance. Achieving verifiable source code provenance in practice remains challenging. The most popular technique, called reproducible builds, requires difficult matching and reexecution of build toolchains and environments. **We propose a novel approach to verifiable provenance based on compiling software with zero-knowledge virtual machines (zkVMs).** By executing a compiler within a zkVM, our system produces both the compiled output and a cryptographic proof attesting that the compilation was performed on the claimed source code with the claimed compiler. […]
+
+A [PDF](https://arxiv.org/pdf/2602.11887) of the paper is available online.
+
+<br>
+
+[![]({{ "/images/reports/2026-02/2602.17678.png#right" | relative_url }})](https://arxiv.org/abs/2602.17678)
+
+Oreofe Solarin of [Department of Computer and Data Sciences](https://engineering.case.edu/computer-and-data-sciences), [Case Western Reserve University](https://case.edu/), Cleveland, Ohio, USA, published [*It's Not Just Timestamps: A Study on Docker Reproducibility*](https://arxiv.org/abs/2602.17678):
+
+> Reproducible container builds promise a simple integrity check for software supply chains: rebuild an image from its Dockerfile and compare hashes. **We built a Docker measurement pipeline and apply it to a stratified sample of 2,000 GitHub repositories that contained a Dockerfile. We found that only 56% produce any buildable image, and just 2.7% of those are bitwise reproducible without any infrastructure configurations.** After modifying infrastructure configurations, we raise bitwise reproducibility by 18.6%, but 78.7% of buildable Dockerfiles remain non-reproducible.
+
+A [PDF](https://arxiv.org/pdf/2602.17678) of Oreofe's paper is available online.
+
+<br>
+
+[![]({{ "/images/reports/2026-02/2602.19383.png#right" | relative_url }})](https://arxiv.org/abs/2602.19383)
+
+Lastly, Jens Dietrich and Behnaz Hassanshahi published [*On the Variability of Source Code in Maven Package Rebuilds*](https://arxiv.org/abs/2602.19383):
+
+> [In] this paper we test the assumption that the same source code is being used [by] alternative builds. To study this, we compare the sources released with packages on Maven Central, with the sources associated with independently built packages from Google's [Assured Open Source](https://cloud.google.com/security/products/assured-open-source-software) and Oracle's Build-from-Source projects. […]
+
+A [PDF](https://arxiv.org/pdf/2602.19383) of their paper is available online.
+
+<br>
+
+
+### Four new academic papers
+
+[![]({{ "/images/reports/2026-02/2601.20662.png#right" | relative_url }})](https://arxiv.org/abs/2601.20662)
+
+Julien Malka and Arnout Engelen published a paper titled [*Lila: Decentralized Build Reproducibility Monitoring for the Functional Package Management Model*](https://arxiv.org/abs/2601.20662):
+
+> [While] recent studies have shown that high reproducibility rates are achievable at scale — demonstrated by the Nix ecosystem achieving over 90% reproducibility on more than 80,000 packages — the problem of effective reproducibility monitoring remains largely unsolved. In this work, **we address the reproducibility monitoring challenge by introducing *Lila*, a decentralized system for reproducibility assessment tailored to the functional package management model.** Lila enables distributed reporting of build results and aggregation into a reproducibility database […].
+
+A [PDF](https://arxiv.org/pdf/2601.20662) of their paper is available online.
+
+<br>
+
+[![]({{ "/images/reports/2026-02/2602.11887.png#right" | relative_url }})](https://arxiv.org/abs/2602.11887)
+
+Javier Ron and Martin Monperrus of [KTH Royal Institute of Technology](https://www.kth.se/en), Sweden, also published a paper, titled [*Verifiable Provenance of Software Artifacts with Zero-Knowledge Compilation*](https://arxiv.org/abs/2602.11887):
+
+> Verifying that a compiled binary originates from its claimed source code is a fundamental security requirement, called source code provenance. Achieving verifiable source code provenance in practice remains challenging. The most popular technique, called reproducible builds, requires difficult matching and reexecution of build toolchains and environments. **We propose a novel approach to verifiable provenance based on compiling software with zero-knowledge virtual machines (zkVMs).** By executing a compiler within a zkVM, our system produces both the compiled output and a cryptographic proof attesting that the compilation was performed on the claimed source code with the claimed compiler. […]
+
+A [PDF](https://arxiv.org/pdf/2602.11887) of the paper is available online.
+
+<br>
+
+[![]({{ "/images/reports/2026-02/2602.17678.png#right" | relative_url }})](https://arxiv.org/abs/2602.17678)
+
+Oreofe Solarin of [Department of Computer and Data Sciences](https://engineering.case.edu/computer-and-data-sciences), [Case Western Reserve University](https://case.edu/), Cleveland, Ohio, USA, published [*It's Not Just Timestamps: A Study on Docker Reproducibility*](https://arxiv.org/abs/2602.17678):
+
+> Reproducible container builds promise a simple integrity check for software supply chains: rebuild an image from its Dockerfile and compare hashes. **We built a Docker measurement pipeline and apply it to a stratified sample of 2,000 GitHub repositories that contained a Dockerfile. We found that only 56% produce any buildable image, and just 2.7% of those are bitwise reproducible without any infrastructure configurations.** After modifying infrastructure configurations, we raise bitwise reproducibility by 18.6%, but 78.7% of buildable Dockerfiles remain non-reproducible.
+
+A [PDF](https://arxiv.org/pdf/2602.17678) of Oreofe's paper is available online.
+
+<br>
+
+[![]({{ "/images/reports/2026-02/2602.19383.png#right" | relative_url }})](https://arxiv.org/abs/2602.19383)
+
+Lastly, Jens Dietrich and Behnaz Hassanshahi published [*On the Variability of Source Code in Maven Package Rebuilds*](https://arxiv.org/abs/2602.19383):
+
+> [In] this paper we test the assumption that the same source code is being used [by] alternative builds. To study this, we compare the sources released with packages on Maven Central, with the sources associated with independently built packages from Google's [Assured Open Source](https://cloud.google.com/security/products/assured-open-source-software) and Oracle's Build-from-Source projects. […]
+
+A [PDF](https://arxiv.org/pdf/2602.19383) of their paper is available online.
+
+<br>
+<br>
+
+Finally, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
+
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)

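Review bot: the `### Four new academic papers` section and all four paper entries under it appear twice in this hunk, verbatim, first after the `Documentation updates` section and again immediately after the `<br>` that follows the Maven paper; the second copy (from the repeated heading through to the `<br>` before the double `<br>` ahead of the closing paragraph) should be dropped so the report does not print the Lila, zkVM, Docker and Maven paragraphs twice. A few smaller points in the same hunk: the *reproduce.debian.net* paragraph reads `our server designed monitor the official package repositories` and is missing "to"; the Janneke Nieuwenhuizen item ends with `relative_url }}))` and so carries one closing parenthesis too many, which will render as a stray `)` after the link; the diffoscope paragraph has a stray comma in `preparing and uploading versions, [`312`]`; the `sbom-toolkit` item opens a quotation at `"provides a collection of scripts` and then opens a second one at `which are "extracted from DWARF debug information` without closing the first, so one of the two quotations needs its closing mark; the `repro-build` item says `added a reference to the [`repro-build`](...) to the [*Tools*]` and is missing a noun such as "tool" after the link; the suite navigation sentence mixes `suite-based` with `architecture based` and uses `eg.` where the rest of the report would use "e.g."; and the Sören Tempel item has no final full stop.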

=====================================
images/reports/2026-02/2601.20662.png
=====================================
Binary files /dev/null and b/images/reports/2026-02/2601.20662.png differ


=====================================
images/reports/2026-02/2602.11887.png
=====================================
Binary files /dev/null and b/images/reports/2026-02/2602.11887.png differ


=====================================
images/reports/2026-02/2602.17678.png
=====================================
Binary files /dev/null and b/images/reports/2026-02/2602.17678.png differ


=====================================
images/reports/2026-02/2602.19383.png
=====================================
Binary files /dev/null and b/images/reports/2026-02/2602.19383.png differ


=====================================
images/reports/2026-02/debian.png
=====================================
Binary files /dev/null and b/images/reports/2026-02/debian.png differ


=====================================
images/reports/2026-02/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2026-02/diffoscope.png differ


=====================================
images/reports/2026-02/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2026-02/opensuse.png differ


=====================================
images/reports/2026-02/reproduce.debian.net.png
=====================================
Binary files /dev/null and b/images/reports/2026-02/reproduce.debian.net.png differ


=====================================
images/reports/2026-02/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2026-02/reproducible-builds.png differ


=====================================
images/reports/2026-02/website.png
=====================================
Binary files /dev/null and b/images/reports/2026-02/website.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/a20c76ced9fd78a2e56148b099effa4b5f991a3d


