[Git][reproducible-builds/reproducible-website][master] 2 commits: 2026-04: Misc changes prior to publication.

Chris Lamb (@lamby) gitlab at salsa.debian.org
Thu May 7 21:16:08 UTC 2026



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
05146d5e by Chris Lamb at 2026-05-07T14:15:51-07:00
2026-04: Misc changes prior to publication.

- - - - -
bf8b9006 by Chris Lamb at 2026-05-07T14:16:02-07:00
published as https://reproducible-builds.org/reports/2026-04/

- - - - -


2 changed files:

- _reports/2026-04.md
- images/reports/2026-04/rustsec.png


Changes:

=====================================
_reports/2026-04.md
=====================================
@@ -3,7 +3,8 @@ layout: report
 year: "2026"
 month: "04"
 title: "Reproducible Builds in April 2026"
-draft: true
+draft: false
+date: 2026-05-07 21:16:02
 ---
 
 **Welcome to our April 2026 report from the [Reproducible Builds](https://reproducible-builds.org) project!**
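Review bot: the new front-matter line `date: 2026-05-07 21:16:02` carries no UTC offset, so how it is read depends on the timezone the site is built in. The publishing commit is stamped 2026-05-07T14:16:02-07:00, which is 21:16:02 UTC, so writing the value as `2026-05-07 21:16:02 +0000` would make the intended instant explicit and keep the published date stable across build hosts.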
@@ -13,20 +14,27 @@ draft: true
 
 Our reports outline what we've been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
 
-<!--
 In this month's report, we cover:
 
-* (Automatically generated prior to publication)
-
--->
+0. [Tor stateless relays and Reproducible Builds](#tor-stateless-relays-and-reproducible-builds)
+0. [Civil Infrastructure Platform celebrates 10 years of supporting industrial grade Linux](#civil-infrastructure-platform-celebrates-10-years-of-supporting-industrial-grade-linux)
+0. [Reproducible Builds at LinuxFest NorthWest](#reproducible-builds-at-linuxfest-northwest)
+0. [Reproducibility issues in Rust binaries that embed random bytes](#reproducibility-issues-in-rust-binaries-that-embed-random-bytes)
+0. [Distribution work](#distribution-work)
+0. [Patches](#patches)
+0. [diffoscope development](#diffoscope-development)
+0. [Documentation updates](#documentation-updates)
+0. [Misc news](#misc-news)
 
 ---
 
+<br>
+
 ### Tor stateless relays and Reproducible Builds
 
 [![]({{ "/images/reports/2026-04/tor.png#right" | relative_url }})](https://blog.torproject.org/exploring-stateless-relays/)
 
-An interesting post was published on the [blog of the Tor Project](https://blog.torproject.org/) by [Osservatorio Nessuno OdV](https://osservatorionessuno.org/) this month on "stateless relays". These are stateless, diskless operating systems that are designed to be used as [Tor exit relays](https://en.wikipedia.org/wiki/Tor_(network)). According to the post, which is titled [*A Server That Forgets: Exploring Stateless Relays*](https://blog.torproject.org/exploring-stateless-relays/):
+An interesting post was published on [Tor Project blog](https://blog.torproject.org/) by [Osservatorio Nessuno OdV](https://osservatorionessuno.org/) this month on "stateless relays". These are stateless, diskless operating systems that are designed to be used as [Tor exit relays](https://en.wikipedia.org/wiki/Tor_(network)). According to the post, which is titled [*A Server That Forgets: Exploring Stateless Relays*](https://blog.torproject.org/exploring-stateless-relays/):
 
 > For relay operators, this approach raises the security bar by enforcing better behaviors by design:
 > […]
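Review bot: the reworded Tor paragraph drops the article, so the sentence now reads "published on [Tor Project blog]"; suggest "published on the [Tor Project blog]". Separately, the table of contents that replaces the "Automatically generated prior to publication" placeholder is now a hand-written list of anchors, so each `#…` target has to be kept in step with its heading text whenever a heading is renamed (as happens to "Upstream patches" later in this diff).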
@@ -48,6 +56,14 @@ Congratulations to the [Civil Infrastructure Platform](https://cip-project.org/)
 
 <br>
 
+### Reproducible Builds at LinuxFest NorthWest
+
+Vagrant Cascadian and Chris Lamb hosted a table in the exposition hall at [LinuxFest NorthWest](https://www.linuxfestnorthwest.org) 2026 this month in Bellingham, WA, USA, introducing many people to Reproducible Builds and answering questions both days of the conference.
+
+In addition, Vagrant presented *Beyond Trusting Open Source Software* on Sunday afternoon, exploring the intersection of Free/Open Source Software, Reproducible Builds and Bootstrappable builds, and how they all reinforce each other. Vagrant's [slides are available](https://people.debian.org/~vagrant/lfnw-2026/Beyond-Trusting-OSS.pdf) online, including [source code](https://people.debian.org/~vagrant/lfnw-2026/beyond-trusting-oss_2026.04.26+lfnw.dsc) to [build them reproducibly](https://people.debian.org/~vagrant/lfnw-2026/beyond-trusting-oss_2026.04.26+lfnw_amd64.buildinfo).
+
+<br>
+
 ### Reproducibility issues in Rust binaries that embed random bytes
 
 [![]({{ "/images/reports/2026-04/rustsec.png#right" | relative_url }})](https://rustsec.org/)
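Review bot: in the moved LinuxFest NorthWest paragraph, "answering questions both days of the conference" is missing a preposition; suggest "answering questions on both days of the conference". The rest of the rewrite (single-line paragraphs, italicised talk title, "2026 this month in Bellingham, WA, USA") matches the style of the neighbouring sections.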
@@ -60,29 +76,15 @@ As [*kpcyrd* notes in his message](https://github.com/rustsec/rustsec/issues/157
 
 <br>
 
-### Reproducible Builds at LinuxFest NorthWest
-
-Vagrant Cascadian and Chris Lamb hosted a table in the expo hall of at
-[LinuxFest NorthWest](https://www.linuxfestnorthwest.org), introducing
-many people to the concepts of reproducible builds and answering
-questions both days of the conference.
-
-Vagrant presented "Beyond Trusting Open Source Software" Sunday
-afternoon, exploring the intersection of Free/Open Source Software,
-Reproducible Builds and Bootstrappable builds, and how they all
-reinforce each other. [Slides available](https://people.debian.org/~vagrant/lfnw-2026/Beyond-Trusting-OSS.pdf)
-including [source code](https://people.debian.org/~vagrant/lfnw-2026/beyond-trusting-oss_2026.04.26+lfnw.dsc)
-to [reproducibly build them](https://people.debian.org/~vagrant/lfnw-2026/beyond-trusting-oss_2026.04.26+lfnw_amd64.buildinfo).
-
 ### Distribution work
 
 [![]({{ "/images/reports/2026-04/archlinux.png#right" | relative_url }})](https://archlinux.org/)
 
 In **Arch Linux** this month, Robin Candau and Mark Hegreberg worked at adding a new `repro` tag/version to the Arch Linux Docker images [providing a bit-for-bit reproducible image](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/merge_requests/96). Robin also shared [a related announcement and implementation details](https://lists.reproducible-builds.org/pipermail/rb-general/2026-April/004087.html) on our [mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/).
 
-Arch Linux developer [Robin Candau](https://antiz.fr/) posted a blog post announcing that "[Arch Linux Now Has a Bit-for-Bit Reproducible Docker Image"](https://antiz.fr/blog/archlinux-now-has-a-reproducible-docker-image/)". Robin mentions one interesting caveat:
+Arch Linux developer [Robin Candau](https://antiz.fr/) posted a blog post announcing that "[Arch Linux Now Has a Bit-for-Bit Reproducible Docker Image](https://antiz.fr/blog/archlinux-now-has-a-reproducible-docker-image/)". Robin mentions one interesting caveat:
 
-> to ensure reproducibility, the [`pacman`](https://wiki.archlinux.org/title/Pacman) [package manager] keys have to be stripped from the image, meaning that pacman is not usable out of the box in this image. While waiting to find a suitable solution to this technical constraint, we are therefore providing this reproducible image under a dedicated tag as a first milestone. [[…](https://antiz.fr/blog/archlinux-now-has-a-reproducible-docker-image/)]
+> to ensure reproducibility, the [`pacman`](https://wiki.archlinux.org/title/Pacman) [package manager] keys have to be stripped from the image, meaning that `pacman` is not usable out of the box in this image. While waiting to find a suitable solution to this technical constraint, we are therefore providing this reproducible image under a dedicated tag as a first milestone. [[…](https://antiz.fr/blog/archlinux-now-has-a-reproducible-docker-image/)]
 
 The blog post was [also discussed on Hacker News](https://news.ycombinator.com/item?id=47871519).
 
@@ -92,25 +94,27 @@ The blog post was [also discussed on Hacker News](https://news.ycombinator.com/i
 
 In **Debian** this month, 24 reviews of Debian packages were added, 7 were updated and 16 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
 
-Vagrant Cascadian performed Non-Maintainer Uploads (NMUs) in Debian for several packages with outstanding patches over a year old [jakarta-jmeter](https://browse.dgit.debian.org/jakarta-jmeter.git/commit/?id=8d58dd34c395640976b0b85480bc3439fce2dee4), [wxmplot](https://browse.dgit.debian.org/wxmplot.git/commit/?id=a9820f784cf708f95d6fc0f6120c3bff6c5ac4e8), [critcl](https://browse.dgit.debian.org/critcl.git/commit/?id=b2fff653dbb0be23bcede9c13ce605df47451570), [vcsh](https://browse.dgit.debian.org/vcsh.git/commit/?id=5d3c1278738bd83dd0463e541c252b93ba7983ee) and [magic-wormhole-transit-relay](https://salsa.debian.org/debian/magic-wormhole-transit-relay/-/commit/6d610654e596e2fadcc29007be232582de363e39).
+Vagrant Cascadian performed [Non-Maintainer Uploads](https://wiki.debian.org/NonMaintainerUpload) (NMUs) in Debian for several packages with outstanding patches over a year old [jakarta-jmeter](https://browse.dgit.debian.org/jakarta-jmeter.git/commit/?id=8d58dd34c395640976b0b85480bc3439fce2dee4), [wxmplot](https://browse.dgit.debian.org/wxmplot.git/commit/?id=a9820f784cf708f95d6fc0f6120c3bff6c5ac4e8), [critcl](https://browse.dgit.debian.org/critcl.git/commit/?id=b2fff653dbb0be23bcede9c13ce605df47451570), [vcsh](https://browse.dgit.debian.org/vcsh.git/commit/?id=5d3c1278738bd83dd0463e541c252b93ba7983ee) and [magic-wormhole-transit-relay](https://salsa.debian.org/debian/magic-wormhole-transit-relay/-/commit/6d610654e596e2fadcc29007be232582de363e39).
 
 In addition, Reproducible Builds developer Jochen Sprickerhof filed a bug against the [APT package manager](https://en.wikipedia.org/wiki/APT_(software)) to request that "[APT should ignore [a] `0` epoch when downloading or installing with a version specifier](https://bugs.debian.org/1133364)". This is related to the special-case handling of the [optional epoch prefix](https://www.debian.org/doc/debian-policy/ch-controlfields.html#version) in Debian package version numbers.
 
 <br>
 
-[![]({{ "/images/reports/2026-04/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
+[![]({{ "/images/reports/2026-04/nixos.png#right" | relative_url }})](https://reproducible.nixos.org/)
 
-Lastly, in [**openSUSE**](https://www.opensuse.org/), Michael Schroeder added reproducibility verification support in the [Open Build Service](https://openbuildservice.org/) [[…](https://github.com/openSUSE/open-build-service/pull/19510)] and Bernhard M. Wiedemann posted another [**openSUSE**](https://www.opensuse.org/) [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/QILLXXZXB2RRWSMUQIPFU6LKBY7SEPO7/) for their reproducibility work there.
+In [**NixOS**](https://reproducible.nixos.org/), Julien Malka presented [*Lila: Decentralized Build Reproducibility Monitoring for the Functional Package Management Model*](https://arxiv.org/abs/2601.20662), a paper written together with Arnout Engelen at the [Mining Software Repositories](https://2026.msrconf.org/) (MSR) [ACM](https://www.acm.org/) conference, where it was awarded the [MSR 2026 FOSS Impact Award](https://www.linkedin.com/posts/msr2026-softwareengineering-miningsoftwarerepositories-ugcPost-7449898460209827843-tDfw). Congratulations!
 
 <br>
 
-[![]({{ "/images/reports/2026-04/nixos.png#right" | relative_url }})](https://reproducible.nixos.org/)
+[![]({{ "/images/reports/2026-04/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
 
-In [**NixOS**](https://reproducible.nixos.org/), Julien Malka presented the [*Lila: Decentralized Build Reproducibility Monitoring for the Functional Package Management Model*](https://arxiv.org/abs/2601.20662) paper written together with Arnout Engelen at the [Mining Software Repositories (MSR)](https://2026.msrconf.org/) [ACM](https://www.acm.org/) conference, where it was awarded the [MSR 2026 FOSS Impact Award](https://www.linkedin.com/posts/msr2026-softwareengineering-miningsoftwarerepositories-ugcPost-7449898460209827843-tDfw)
+Lastly, in [**openSUSE**](https://www.opensuse.org/), Michael Schroeder added reproducibility verification support in the [Open Build Service](https://openbuildservice.org/) [[…](https://github.com/openSUSE/open-build-service/pull/19510)] and Bernhard M. Wiedemann posted another [**openSUSE**](https://www.opensuse.org/) [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/QILLXXZXB2RRWSMUQIPFU6LKBY7SEPO7/) for their reproducibility work there.
+
+<br>
 
-### Upstream patches
+### Patches
 
-The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where applicable or possible. This month, we wrote a large number of such patches, including:
 
 * Bernhard M. Wiedemann:
 
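Review bot: the NMU sentence is being edited anyway but still runs straight from "outstanding patches over a year old" into the package list with no punctuation; a colon before `[jakarta-jmeter]` would fix it. In the rewritten NixOS paragraph, "a paper written together with Arnout Engelen at the [Mining Software Repositories]… conference" can be read as the paper having been written at the conference; moving "at the … conference" next to "presented" removes the ambiguity.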
@@ -150,7 +154,7 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
 
    * [`cef`](https://github.com/chromiumembedded/cef/pull/4152)
 
-* Chris Lamb and Vagrant Cascadian
+* Chris Lamb and Vagrant Cascadian:
 
   * [`ltsp`](https://github.com/ltsp/ltsp/commit/abc35263de311ce51e76cc9d9650dd5ba280c2c8)
 
@@ -206,7 +210,7 @@ Yet again, there were a number of improvements made to our website this month in
 
 <br>
 
-## Misc news
+### Misc news
 
 On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
 


=====================================
images/reports/2026-04/rustsec.png
=====================================
Binary files a/images/reports/2026-04/rustsec.png and b/images/reports/2026-04/rustsec.png differ
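Review bot: `images/reports/2026-04/rustsec.png` is replaced, but neither commit message says why ("Misc changes prior to publication" and "published as …" only). A binary change cannot be inspected from the diff, so a word in the commit message about what changed in the image (resize, recompression, different source) would make it reviewable.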



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/2a5d4f7a29f51b83928271a479c292490bb5360d...bf8b9006385c2d1deadbe1169822bd8ffcf2ee83
