[Git][reproducible-builds/reproducible-website][master] 2026-04: Initial draft

Chris Lamb (@lamby) gitlab at salsa.debian.org
Tue May 5 19:18:19 UTC 2026



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
588c9fb9 by Chris Lamb at 2026-05-05T12:17:54-07:00
2026-04: Initial draft

- - - - -


10 changed files:

- _reports/2026-04.md
- + images/reports/2026-04/Civil_Infrastructure_Platform_10_Years.jpg
- + images/reports/2026-04/debian.png
- + images/reports/2026-04/diffoscope.png
- + images/reports/2026-04/opensuse.png
- + images/reports/2026-04/reproduce.debian.net.png
- + images/reports/2026-04/reproducible-builds.png
- + images/reports/2026-04/rustsec.png
- + images/reports/2026-04/tor.png
- + images/reports/2026-04/website.png


Changes:

=====================================
_reports/2026-04.md
=====================================
@@ -6,37 +6,218 @@ title: "Reproducible Builds in April 2026"
 draft: true
 ---
 
-* [FIXME](https://github.com/rustsec/rustsec/issues/1576)
+**Welcome to our April 2026 report from the [Reproducible Builds](https://reproducible-builds.org) project!**
+{: .lead}
 
-* [FIXME](https://blog.torproject.org/exploring-stateless-relays/) - another usecase of real world r-b 
+[![]({{ "/images/reports/2026-04/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
 
-* [FIXME #1133364 apt should ignore 0 epoch when downloading or installing with a version specifier](https://bugs.debian.org/1133364)
+Our reports outline what we've been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
 
-* [FIXME](https://github.com/openSUSE/open-build-service/pull/19510) by Michael Schroeder added some r-b verification support in open-build-service
+<!--
+In this month's report, we cover:
 
-## Distribution work
+* (Automatically generated prior to publication)
+
+-->
+
+---
+
+### Tor stateless relays and Reproducible Builds
+
+[![]({{ "/images/reports/2026-04/tor.png#right" | relative_url }})](https://blog.torproject.org/exploring-stateless-relays/)
+
+An interesting post was published on the [blog of the Tor Project](https://blog.torproject.org/) by [Osservatorio Nessuno OdV](https://osservatorionessuno.org/) this month on "stateless relays". These are stateless, diskless operating systems that are designed to be used as [Tor exit relays](https://en.wikipedia.org/wiki/Tor_(network)). According to the post, which is titled [*A Server That Forgets: Exploring Stateless Relays*](https://blog.torproject.org/exploring-stateless-relays/):
+
+> For relay operators, this approach raises the security bar by enforcing better behaviors by design:
+> […]
+> 4. **Reproducibility**. A system that doesn't change between reboots is easier to verify and, eventually, to reproduce and audit.
+
+Furthermore, using a [Trusted Platform Module](https://en.wikipedia.org/wiki/Trusted_Platform_Module) (TPM), could allow for greater integrity in the future:
+
+> **Transparency logs**. Once you have a measured boot chain, you can publish it. A relay operator provides a recipe for a reproducible build; anyone can recompute the expected hash and verify it matches what the TPM reports. An append-only transparency log can make these attestations publicly auditable. The Tor community could run an independent monitor to track this across the relay fleet.
+
+<br>
+
+### Civil Infrastructure Platform celebrates 10 years of supporting industrial grade Linux
+
+[![]({{ "/images/reports/2026-04/Civil_Infrastructure_Platform_10_Years.jpg#right" | relative_url }})](https://cip-project.org/blog/2026/04/28/a-decade-of-industrial-grade-linux-reflecting-on-the-cip-journey-and-the-road-ahead)
+
+Congratulations to the [Civil Infrastructure Platform](https://cip-project.org/) (CIP) for [reaching their 10-year anniversary](https://cip-project.org/blog/2026/04/28/a-decade-of-industrial-grade-linux-reflecting-on-the-cip-journey-and-the-road-ahead) last month. CIP has been a supporter of Reproducible Builds for many years, and we have collaborated on a number of technical issues that overlap. As Chris Lamb mentions [in CIP's press release](https://www.morningstar.com/news/pr-newswire/20260429dc47021/civil-infrastructure-platform-celebrates-10-years-of-supporting-industrial-grade-linux):
+
+> The collaboration between the Reproducible Builds project and CIP highlights a critical shift in how we approach industrial software. Through verifiability, CIP ensures that the open source foundation of our critical infrastructure is not only sustainable but also demonstrably secure. This commitment to transparency is vital for the trust and resilience required by critical systems over decades of operation."
+
+<br>
+
+### Reproducibility issues in Rust binaries that embed random bytes
+
+[![]({{ "/images/reports/2026-04/rustsec.png#right" | relative_url }})](https://rustsec.org/)
+
+Reproducible Builds developer *kpcyrd* [opened an ticket](https://github.com/rustsec/rustsec/issues/1576) on the [Rustsec](https://rustsec.org/) issue tracker regarding binaries that deliberately inject random bytes into their binaries "as a secret seed for a [Hash Collision DoS mitigation](https://en.wikipedia.org/wiki/Collision_attack)."
+
+As [*kpcyrd* notes in his message](https://github.com/rustsec/rustsec/issues/1576#issue-4241372819), this causes issues for reproducibility and it is not guaranteed that end-user binaries are "mostly distributed pre-compiled through package managers, meaning the binaries (and by extension the secret seed) are public knowledge". *kpcyrd* goes on to note:
+
+> This is somewhat unique to Rust because Python/JavaScript doesn't compile binaries, and Go (to my knowledge) is too restrictive during build for any library to pull something like this.
+
+<br>
+
+### Distribution work
 
 [![]({{ "/images/reports/2026-04/archlinux.png#right" | relative_url }})](https://archlinux.org/)
 
 In **Arch Linux** this month, Robin Candau and Mark Hegreberg worked at adding a new `repro` tag/version to the Arch Linux Docker images [providing a bit-for-bit reproducible image](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/merge_requests/96). Robin also shared [a related announcement and implementation details](https://lists.reproducible-builds.org/pipermail/rb-general/2026-April/004087.html) on our [mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/).
 
-## Upstream patches
+Arch Linux developer [Robin Candau](https://antiz.fr/) posted a blog post announcing that "[Arch Linux Now Has a Bit-for-Bit Reproducible Docker Image"](https://antiz.fr/blog/archlinux-now-has-a-reproducible-docker-image/)". Robin mentions one interesting caveat:
 
-* Robin Candau:
-   * [`cef`](https://github.com/chromiumembedded/cef/pull/4152) (timestamps)
+> to ensure reproducibility, the [`pacman`](https://wiki.archlinux.org/title/Pacman) [package manager] keys have to be stripped from the image, meaning that pacman is not usable out of the box in this image. While waiting to find a suitable solution to this technical constraint, we are therefore providing this reproducible image under a dedicated tag as a first milestone. [[…](https://antiz.fr/blog/archlinux-now-has-a-reproducible-docker-image/)]
+
+The blog post was [also discussed on Hacker News](https://news.ycombinator.com/item?id=47871519).
+
+<br>
+
+[![]({{ "/images/reports/2026-04/debian.png#right" | relative_url }})](https://debian.org/)
+
+In **Debian** this month, 24 reviews of Debian packages were added, 7 were updated and 16 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
+
+In addition, Reproducible Builds developer Jochen Sprickerhof filed a bug against the [APT package manager](https://en.wikipedia.org/wiki/APT_(software)) to request that "[APT should ignore [a] `0` epoch when downloading or installing with a version specifier](https://bugs.debian.org/1133364)". This is related to the special-case handling of the [optional epoch prefix](https://www.debian.org/doc/debian-policy/ch-controlfields.html#version) in Debian package version numbers.
+
+<br>
+
+[![]({{ "/images/reports/2026-04/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
+
+Lastly, in [**openSUSE**](https://www.opensuse.org/), Michael Schroeder added reproducibility verification support in the [Open Build Service](https://openbuildservice.org/) [[…](https://github.com/openSUSE/open-build-service/pull/19510)] and Bernhard M. Wiedemann posted another [**openSUSE**](https://www.opensuse.org/) [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/QILLXXZXB2RRWSMUQIPFU6LKBY7SEPO7/) for their reproducibility work there.
+
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
 
 * Bernhard M. Wiedemann:
-    * [`python-PyBrowserID`](https://bugzilla.opensuse.org/show_bug.cgi?id=1261815) (FTBFS-stuck-j1)
-    * [`waywall`](https://github.com/tesselslate/waywall/pull/58) (lua random hash order)
+
+    * [`python-PyBrowserID`](https://bugzilla.opensuse.org/show_bug.cgi?id=1261815)j
+    * [`waywall`](https://github.com/tesselslate/waywall/pull/58)
+
+* Chris Lamb:
+
+    * [#1132876](https://bugs.debian.org/1132876) filed against [`wapiti`](https://tracker.debian.org/pkg/wapiti).
+    * [#1133008](https://bugs.debian.org/1133008) filed against [`mage`](https://tracker.debian.org/pkg/mage).
+    * [#1133174](https://bugs.debian.org/1133174) filed against [`vim-youcompleteme`](https://tracker.debian.org/pkg/vim-youcompleteme).
+    * [#1133958](https://bugs.debian.org/1133958) filed against [`python-observabilityclient`](https://tracker.debian.org/pkg/python-observabilityclient).
+    * [#1133960](https://bugs.debian.org/1133960) filed against [`gwcs`](https://tracker.debian.org/pkg/gwcs).
+    * [#1134236](https://bugs.debian.org/1134236) filed against [`php-dompdf`](https://tracker.debian.org/pkg/php-dompdf).
+    * [#1134490](https://bugs.debian.org/1134490) filed against [`supercell`](https://tracker.debian.org/pkg/supercell).
+    * [#1134552](https://bugs.debian.org/1134552) filed against [`gunicorn`](https://tracker.debian.org/pkg/gunicorn).
+    * [#1134666](https://bugs.debian.org/1134666) filed against [`fonts-spleen`](https://tracker.debian.org/pkg/fonts-spleen).
+    * [#1134667](https://bugs.debian.org/1134667) filed against [`geoalchemy2`](https://tracker.debian.org/pkg/geoalchemy2).
+    * [#1134668](https://bugs.debian.org/1134668) filed against [`rust-opam-file-rs`](https://tracker.debian.org/pkg/rust-opam-file-rs).
+    * [#1135003](https://bugs.debian.org/1135003) filed against [`spaln`](https://tracker.debian.org/pkg/spaln).
+    * [#1135104](https://bugs.debian.org/1135104) filed against [`python-msgspec`](https://tracker.debian.org/pkg/python-msgspec).
+    * [#1135192](https://bugs.debian.org/1135192) filed against [`golang-github-go-ini-ini`](https://tracker.debian.org/pkg/golang-github-go-ini-ini).
+    * [#1135193](https://bugs.debian.org/1135193) filed against [`golang-github-deruina-timberjack`](https://tracker.debian.org/pkg/golang-github-deruina-timberjack).
+    * [#1135269](https://bugs.debian.org/1135269) filed against [`ruby-timers`](https://tracker.debian.org/pkg/ruby-timers).
+    * [#1135279](https://bugs.debian.org/1135279) filed against [`node-yarnpkg`](https://tracker.debian.org/pkg/node-yarnpkg).
+
+* Jochen Sprickerhof:
+
+    * [#1133772](https://bugs.debian.org/1133772) filed against [`gcc-15`](https://tracker.debian.org/pkg/gcc-15).
+    * [#1134412](https://bugs.debian.org/1134412) filed against [`chromium`](https://tracker.debian.org/pkg/chromium).
 
 * Michael Schroeder:
-    * [`open-build-service`](https://github.com/openSUSE/open-build-service/pull/19510) (toolchain: verification support)
 
+    * [`open-build-service`](https://github.com/openSUSE/open-build-service/pull/19510)
+
+* Robin Candau:
+
+   * [`cef`](https://github.com/chromiumembedded/cef/pull/4152)
+
+<br>
+
+### *diffoscope* development
+
+[![]({{ "/images/reports/2026-04/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
+
+[**diffoscope**](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes, including preparing and uploading versions, [`316`](https://tracker.debian.org/news/1737900/accepted-diffoscope-316-source-into-unstable/), [`317`](https://tracker.debian.org/news/1740609/accepted-diffoscope-317-source-into-unstable/) and [`318`](https://tracker.debian.org/news/1747530/accepted-diffoscope-318-source-into-unstable/) to Debian.
+
+* Chris Lamb:
+
+    * Bump Standards-Version to `4.7.4`. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/22785043)]
+    * Correct ordering of `python3-guestfs` architecture restrictions. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f089e36b)]
+    * Limit `python3-guestfs` Build-Dependency to architectures that are not `i386`. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0c61f974)]
+    * Try to fix `PYPI_ID_TOKEN` debugging. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/2c4e960b)]
+
+* Holger Levsen:
+
+    * Add `ppc64el` to the list of `python3-guestfs` architecture whitelist. (Closes: #1132974). [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/eec382e5)]
+
+* Manuel Jacob:
+
+    * Remove a misleading comment. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/15512eef)]
+
+<br>
+
+### Documentation updates
+
+[![]({{ "/images/reports/2026-04/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+Yet again, there were a number of improvements made to our website this month including:
+
+* Manuel Jacob:
+
+    * Fix a number of issues on the [*Stable inputs*]({{ "/docs/stable-inputs/" | relative_url }}) page, including using the present tense instead of future [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3eb4b174)], clarifying a case-dependent sorting issue [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0b62a165)], clarifying when the ordering should be stable [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0a926e8f)], and update information about the sorting behavior of [GNU Make](https://www.gnu.org/software/make/). [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/69cb802c)]
+    * On the [*Archives*]({{ "/docs/archives/" | relative_url }} page, remove information about deterministic archives in historical [Fedora](https://fedoraproject.org/) versions [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/50909f64)], add a note about `.tar` file portability [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d7c77206)], correct a section about `.tar` PAX headers [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/dab45176)] and a missing word [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7aacdc83)].
+
+* Mattia Rizzolo:
+
+    * Add a basic draft, subject to change, of the [*2026 Gothenberg Summit*]({{ "/events/gothenburg2026/" | relative_url }}) event page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/bb0b4d59)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d9d39451)]
+
+* *kpcyrd*:
+
+    * Remove a link from the [*2026 Gothenberg Summit*]({{ "/events/gothenburg2026/" | relative_url }}) event page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a26d4ef9)]
+
+* *ktecho*:
+
+    * Add [WalletScrutiny.com](https://walletscrutiny.com/) to the [*Projects*]({{ "/who/projects/" }}) page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/65c88596)]
+
+<br>
+
+## Misc news
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+
+* Timo Pohl posted our list inviting people to "online group discussions with 4-6 participants each to talk about your perception of terms and 
+requirements for reproducibility." As Timo notes:
+
+    > During our research of the existing literature, as well as my experience 
+    > at the [Reproducible Builds Summit 2025 in Vienna]({{ "/events/vienna2025/" | relative_url }}),
+    > we noticed that some of the terminology in the field is not used
+    > consistently across different groups of people, and that the precise
+    > meaning of some core terms like "reproducibility of an artifact" in
+    > itself is not uniform.
+
+    As Timo mentions, the sessions will last roughly 90 minutes and will be rewarded with 50€ per participant.
+
+* *kpcyrd* posted to the list asking for assistance with fixing an issue after updating the `flake.lock` file for their [`repro-env`](https://github.com/kpcyrd/repro-env) project.
+
+* Aman Sharma of the [KTH Royal Institute of Technology](https://www.kth.se/), Sweden, posted to our list in order to share that [Eric Cornelissen](https://www.ericcornelissen.dev/), a PhD student in KTH's [CHAINS](https://chains.proj.kth.se/) group, is maintaining an open-source project to [monitor the reproducibility of GitHub Actions](https://github.com/ericcornelissen/reproducing-actions):
+
+    > The goal of the project is to assess whether
+    > [GitHub Actions](https://github.com/features/actions) can be reproduced.
+    > Currently, it focuses on two types of Actions: JavaScript-based actions
+    > and Docker-based actions (composite actions are
+    > not considered). For JavaScript actions, the project rebuilds the
+    > distributed files and compares them bit-by-bit with the repository
+    > contents. For [Docker](https://www.docker.com/) actions, it rebuilds
+    > images from the `Dockerfile` and checks for semantic equivalence, using
+    > [`diffoci`](https://github.com/reproducible-containers/diffoci), across
+    > builds.
+
+<br>
+<br>
 
-* [FIXME](https://antiz.fr/blog/archlinux-now-has-a-reproducible-docker-image/)
+Finally, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
 
-* [FIXME](https://news.ycombinator.com/item?id=47871519)
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
 
-* [FIXME](https://www.morningstar.com/news/pr-newswire/20260429dc47021/civil-infrastructure-platform-celebrates-10-years-of-supporting-industrial-grade-linux)
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
 
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/QILLXXZXB2RRWSMUQIPFU6LKBY7SEPO7/)
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
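Review bot: two markdown links in this hunk are malformed and will render as literal text rather than links: the Arch Linux blog post title has its opening quote inside the link text and a second quote after the URL (`"[Arch Linux Now Has a Bit-for-Bit Reproducible Docker Image"](https://antiz.fr/blog/archlinux-now-has-a-reproducible-docker-image/)"`), and the *Archives* link in Manuel Jacob's section is missing the closing parenthesis after `{{ "/docs/archives/" | relative_url }}`. Smaller points to fix before `draft: true` is dropped: a stray `j` follows the `python-PyBrowserID` link; the CIP quotation closes with a `"` that was never opened; "opened an ticket" should read "opened a ticket"; the paraphrase "it is not guaranteed that end-user binaries are 'mostly distributed pre-compiled ...'" reads against the quoted point, which is that because binaries are distributed pre-compiled the seed is public knowledge; "Gothenberg" disagrees with the event URL (`/events/gothenburg2026/`); "Timo Pohl posted our list" is missing "to"; the *Projects* link uses `{{ "/who/projects/" }}` without the `| relative_url` filter every other internal link applies; "this month" appears twice in the Debian reviews sentence; and `images/reports/2026-04/reproduce.debian.net.png` is added by this commit but not referenced anywhere in the report.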


=====================================
images/reports/2026-04/Civil_Infrastructure_Platform_10_Years.jpg
=====================================
Binary files /dev/null and b/images/reports/2026-04/Civil_Infrastructure_Platform_10_Years.jpg differ


=====================================
images/reports/2026-04/debian.png
=====================================
Binary files /dev/null and b/images/reports/2026-04/debian.png differ


=====================================
images/reports/2026-04/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2026-04/diffoscope.png differ


=====================================
images/reports/2026-04/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2026-04/opensuse.png differ


=====================================
images/reports/2026-04/reproduce.debian.net.png
=====================================
Binary files /dev/null and b/images/reports/2026-04/reproduce.debian.net.png differ


=====================================
images/reports/2026-04/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2026-04/reproducible-builds.png differ


=====================================
images/reports/2026-04/rustsec.png
=====================================
Binary files /dev/null and b/images/reports/2026-04/rustsec.png differ


=====================================
images/reports/2026-04/tor.png
=====================================
Binary files /dev/null and b/images/reports/2026-04/tor.png differ


=====================================
images/reports/2026-04/website.png
=====================================
Binary files /dev/null and b/images/reports/2026-04/website.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/588c9fb95e714cc7370ffcd8c97ff4cb7605c706
