Reproducible Builds in March 2025🔹
Chris Lamb
chris at reproducible-builds.org
Fri Apr 11 22:17:46 UTC 2025
--------------------------------------------------------------------
o
⬋ ⬊ March 2025 in Reproducible Builds
o o
⬊ ⬋ https://reproducible-builds.org/reports/2025-03/
o
--------------------------------------------------------------------
Welcome to the third report in 2025 from the Reproducible Builds [0]
project. Our monthly reports outline what we've been up to over the past
month, and highlight items of news from elsewhere in the increasingly-
important area of software supply-chain security.
As usual, however, if you are interested in contributing to the
Reproducible Builds project, please visit the "Contribute" [1] page on
our website.
[0] https://reproducible-builds.org/contribute/
Table of contents:
* Debian bookworm live images now fully reproducible from their binary packages
* "How NixOS and reproducible builds could have detected the xz backdoor"
* LWN: Fedora change aims for 99% package reproducibility
* Python adopts PEP standard for specifying package dependencies
* OSS Rebuild real-time validation and tooling improvements
* SimpleX Chat server components now reproducible
* Three new scholarly papers
* Distribution roundup
* An overview of "Supply Chain Attacks on Linux distributions"
* diffoscope & strip-nondeterminism
* Website updates
* Reproducibility testing framework
* Upstream patches
§
Debian bookworm live images now fully reproducible from their binary packages
-----------------------------------------------------------------------------
Roland Clobus announced [2] on our mailing list [3] this month that all
the major desktop variants (ie. Gnome, KDE, etc.) can be reproducibly
created for Debian bullseye, bookworm and trixie from their (pre-
compiled) binary packages.
Building reproducible Debian live images does not require building from
reproducible source code, but this is still a remarkable achievement.
Some large proportion of the binary packages that comprise these live
images can (and were) built reproducibly, but live image generation works
at a higher level. (By contrast, "full" or end-to-end reproducibility of
a bootable OS image will, in time, require both the compile-the-packages
the build-the-bootable-image stages to be reproducible.)
Nevertheless, in response, Roland's announcement generated significant
congratulations as well as some discussion regarding the finer points of
the terms employed: a full outline of the replies can be found here [4].
The news was also picked up by Linux Weekly News [5] (LWN) as well as
to Hacker News [6].
[2] https://lists.reproducible-builds.org/pipermail/rb-general/2025-March/003675.html
[3] https://lists.reproducible-builds.org/listinfo/rb-general/
[4] https://lists.reproducible-builds.org/pipermail/rb-general/2025-March/thread.html#3675
[5] https://lwn.net/Articles/1015402/
[6] https://news.ycombinator.com/item?id=43484520
[7] https://luj.fr/blog/how-nixos-could-have-detected-xz.html
§
"How NixOS and reproducible builds could have detected the xz backdoor" [7]"
----------------------------------------------------------------------------
Julien Malka aka 'luj' published an in-depth blog post this month with
the highly-stimulating title "How NixOS and reproducible builds could
have detected the xz backdoor for the benefit of all [8]".
Starting with an dive into the relevant technical details of the XZ Utils
backdoor [9], Julien's article goes on to describe how we might avoid the
xz "catastrophe" in the future by building software from trusted sources
and building trust into untrusted release tarballs by way of comparing
sources and leveraging bitwise reproducibility, i.e. applying the
practices of Reproducible Builds.
The article generated significant discussion on Hacker News [10] as well
as on Linux Weekly News [11] (LWN).
[8] https://luj.fr/blog/how-nixos-could-have-detected-xz.html
[9] https://en.wikipedia.org/wiki/XZ_Utils_backdoor
[10] https://news.ycombinator.com/item?id=43448075
[11] https://lwn.net/Articles/1015095/
§
LWN: "Fedora change aims for 99% package reproducibility"
---------------------------------------------------------
Linux Weekly News [12] (LWN) contributor Joe Brockmeier has published a
detailed round-up on how "Fedora change aims for 99% package
reproducibility" [13]. The article opens by mentioning that although
Debian [14] has "been working toward reproducible builds for more than a
decade", the Fedora [15] project has now:
> …progressed far enough that the project is now considering a change
> proposal [16] for the Fedora 43 development cycle, expected to be
> released in October, with a goal of making 99% of Fedora's package
> builds reproducible. So far, reaction to the proposal seems favorable
> and focused primarily on how to achieve the goal—with minimal pain for
> packagers—rather than whether to attempt it.
The Change Proposal itself [17] is worth reading:
> Over the last few releases, we [Fedora] changed our build
> infrastructure to make package builds reproducible. This is enough to
> reach 90%. The remaining issues need to be fixed in individual packages.
> After this Change, package builds are expected to be reproducible. Bugs
> will be filed against packages when an irreproducibility is detected.
> The goal is to have no fewer than 99% of package builds reproducible.
Further discussion can be found on the Fedora mailing list [18] as well
as on Fedora's Discourse instance [19].
[12] https://lwn.net/
[13] https://lwn.net/SubscriberLink/1014979/8f538e14bf589a72/
[14] https://debian.org/
[15] https://fedoraproject.org/
[16] https://fedoraproject.org/wiki/Changes/Package_builds_are_expected_to_be_reproducible
[17] https://fedoraproject.org/wiki/Changes/Package_builds_are_expected_to_be_reproducible
[18] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/3OGIBZWPBB43QEVDXPEHNYEYJWMRPJ4E/
[19] https://discussion.fedoraproject.org/t/f43-change-proposal-package-builds-are-expected-to-be-reproducible-system-wide/147320
§
Python adopts PEP standard for specifying package dependencies
--------------------------------------------------------------
Python developer Brett Cannon [20] reported on Fosstodon [21] that PEP
751 [22] was recently accepted. This design document [23] has the purpose
of describing "a file format to record Python dependencies for
installation reproducibility". As the abstract of the proposal writes:
> This PEP proposes a new file format for specifying dependencies to
> enable reproducible installation in a Python environment. The format is
> designed to be human-readable and machine-generated. Installers
> consuming the file should be able to calculate what to install without
> the need for dependency resolution at install-time.
The PEP, which itself supersedes PEP 665 [24], mentions that "there are
at least five well-known solutions to this problem in the community".
[20] https://snarky.ca/
[21] https://fosstodon.org/@brettcannon/114259151263031733
[22] https://peps.python.org/pep-0751/
[23] https://peps.python.org/pep-0001/
[24] https://peps.python.org/pep-0665/
§
OSS Rebuild real-time validation and tooling improvements
---------------------------------------------------------
OSS Rebuild [25] aims to automate rebuilding upstream language packages
(e.g. from PyPI, crates.io, npm registries) and publish signed
attestations and build definitions for public use.
OSS Rebuild is now attempting rebuilds as packages are published,
shortening the time to validating rebuilds and publishing attestations.
Aman Sharma contributed classifiers and fixes for common sources of non-
determinism in JAR packages.
Improvements were also made to some of the core tools in the project:
- timewarp [26] for simulating the registry responses from sometime
in the past.
- proxy [27] for transparent interception and logging of
network activity.
- and stabilize [28], yet another nondeterminism fixer.
[25] https://github.com/google/oss-rebuild
[26] https://github.com/google/oss-rebuild/tree/ca63fb9/cmd/timewarp
[27] https://github.com/google/oss-rebuild/tree/ca63fb9/cmd/proxy
[28] https://github.com/google/oss-rebuild/tree/ca63fb9/cmd/stabilize
§
SimpleX Chat server components now reproducible
-----------------------------------------------
SimpleX Chat [29] is a privacy-oriented decentralised messaging platform
that eliminates user identifiers and metadata, offers end-to-end
encryption and has a unique approach to decentralised identity. Starting
from version 6.3, however, Simplex has implemented reproducible builds
for its server components [30]. This advancement allows anyone to verify
that the binaries distributed by SimpleX match the source code,
improving transparency and trustworthiness.
[29] https://simplex.chat/
[30] https://simplex.chat/blog/20250308-simplex-chat-v6-3-new-user-experience-safety-in-public-groups.html
§
Three new scholarly papers
--------------------------
Aman Sharma of the KTH Royal Institute of Technology [31] of Stockholm,
Sweden published a paper on "Build and Runtime Integrity for Java" [32]
(PDF). The paper's abstract notes that "Software Supply Chain attacks
are increasingly threatening the security of software systems" and goes
on to compare build- and run-time integrity:
> Build-time integrity ensures that the software artifact creation
> process, from source code to compiled binaries, remains untampered.
> Runtime integrity, on the other hand, guarantees that the executing
> application loads and runs only
> trusted code, preventing dynamic injection of malicious components.
Aman's paper explores solutions to safeguard Java applications and
proposes some novel techniques to detect malicious code injection. A
full PDF [33] of the paper is available.
[31] https://www.kth.se/en
[32] https://algomaster99.github.io/publications/build-and-runtime/icse-ds.pdf
[33] https://algomaster99.github.io/publications/build-and-runtime/icse-ds.pdf
In addition, Hamed Okhravi and Nathan Burow of Massachusetts Institute
of Technology (MIT) Lincoln Laboratory [34] along with Fred B. Schneider
[35] of Cornell University [36] published a paper in the most recent
edition of IEEE Security & Privacy [37] on "Software Bill of Materials
as a Proactive Defense" [38]:
> The recently mandated software bill of materials (SBOM) is intended to
> help mitigate software supply-chain risk. We discuss extensions that
> would enable an SBOM to serve as a basis for making trust assessments
> thus also serving as a proactive defense.
A full PDF of the paper [39] is available.
[34] https://www.ll.mit.edu/
[35] https://www.cs.cornell.edu/fbs/
[36] https://www.cornell.edu/
[37] https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=8013
[38] https://ieeexplore.ieee.org/document/10942514
[39] https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10942514
Lastly, huge congratulations to Giacomo Benedetti [40] of the University
of Genoa [41] for publishing their PhD thesis. Titled "Improving
Transparency, Trust, and Automation in the Software Supply Chain",
Giacomo's thesis:
> addresses three critical aspects of the software supply chain to
> enhance security: transparency, trust, and automation. First, it
> investigates transparency as a mechanism to empower developers with
> accurate and complete insights into the software components integrated
> into their applications. To this end, the thesis introduces SUNSET and
> PIP-SBOM, leveraging modeling and SBOMs (Software Bill of Materials) as
> foundational tools for transparency and security. Second, it examines
> software trust, focusing on the effectiveness of reproducible builds in
> major ecosystems and proposing solutions to bolster their adoption.
> Finally, it emphasizes the role of automation in modern software
> management, particularly in ensuring user safety and application
> reliability. This includes developing a tool for automated security
> testing of GitHub Actions and analyzing the permission models of
> prominent platforms like GitHub, GitLab, and BitBucket.
[40] https://giacomobenedetti.github.io/
[41] https://unige.it/en
§
Distribution roundup
--------------------
In Debian this month:
* kpcyrd released and uploaded debian-repro-status version 0.2.1-1
[42] which fixes an issue related to querying architecture-
independent packages [43]. In addition, Holger Levsen identified
three issues surrounding outputs to standard output and standard
error [44] as well as a request for summarised [45] and machine-
readable [46].
[42] https://tracker.debian.org/news/1626706/accepted-rust-debian-repro-status-021-1-source-into-unstable/
[43] https://bugs.debian.org/1098440
[44] https://github.com/kpcyrd/debian-repro-status/issues/12
[45] https://github.com/kpcyrd/debian-repro-status/issues/13
[46] https://github.com/kpcyrd/debian-repro-status/issues/14
* Debian [47] developer Simon Josefsson published two reproducibility-
related blog posts this month. The first was on the topic of
"Reproducible Software Releases" [48] which discusses some techniques
and gotchas that can be encountered when generating reproducible
source packages — ie. ensuring that the source code archives that
open-source software projects release can be reproduced by others.
Simon's second post builds on his earlier experiments with
reproducing parts of Trisquel/Debian [49]. Titled "On Binary
Distribution Rebuilds" [50], it discusses potential methods to
"bootstrap a binary distribution like Debian from some other
bootstrappable environment like Guix [51].
[47] https://debian.org
[48] https://blog.josefsson.org/2025/03/24/reproducible-software-releases/
[49] https://blog.josefsson.org/2024/07/10/towards-idempotent-rebuilds/
[50] https://blog.josefsson.org/2025/03/31/on-binary-distribution-rebuilds/
[51] https://guix.gnu.org/
* Jochen Sprickerhof uploaded sbuild version 0.88.5 with a change
relevant to reproducible builds: specifically, the
build_as_root_when_needed functionality still supports older versions
of dpkg(1). [52]
[52] https://tracker.debian.org/news/1622951/accepted-sbuild-0885-source-into-unstable/
* Lastly, 16 reviews of Debian packages were added, 11 were updated and
11 were removed this month adding to our knowledge about identified
issues [53]. One new toolchain issue, tempdir_in_cython_cythonize
[54] was identified by Chris Lamb as well.
[53] https://tests.reproducible-builds.org/debian/index_issues.html
[54] https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/7263825d
The IzzyOnDroid [55] Android APK repository reached another milestone in
March, crossing the 40% coverage mark — specifically, more than 42% of
the apps in the repository is now reproducible
Thanks to funding by NLnet [56]/Mobifree [57], the project was also to
put more time into their tooling. For instance, developers can now run
easily their own verification builder [58] in "less than 5 minutes". This
currently supports Debian [59]-based systems, but support for RPM-based
systems is incoming. Future work in the pipeline [60], including
documentation, guidelines and helpers for debugging.
[55] https://apt.izzysoft.de/fdroid/
[56] https://nlnet.nl/
[57] https://mobifree.org/
[58] https://codeberg.org/IzzyOnDroid/rbuilder_setup
[59] https://www.debian.org/
[60] https://codeberg.org/IzzyOnDroid/-/projects/13002
Fedora [61] developer Zbigniew Jędrzejewski-Szmek [62] announced a work-
in-progress script called fedora-repro-build [63] which attempts to
reproduce an existing package within a Koji [64] build environment.
Although the project's README file [65] lists a number of "fields will
always or almost always vary" (and there are a non-zero list of other
known issues [66]), this is an excellent first step towards full Fedora
reproducibility (see above for more information).
[61] https://fedoraproject.org/
[62] https://github.com/keszybz
[63] https://github.com/keszybz/fedora-repro-build
[64] https://pagure.io/koji/
[65] https://github.com/keszybz/fedora-repro-build#readme
[66] https://pagure.io/fedora-reproducible-builds/project/issues?tags=irreproducibility
Lastly, in openSUSE [67] news, Bernhard M. Wiedemann posted another
monthly update [68] for his work there.
[67] https://www.opensuse.org/
[68] https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/EZV6JBSOWKHQHTBG2VMA2FULA5XWXXLE/
§
An overview of "Supply Chain Attacks on Linux distributions"
------------------------------------------------------------
Fenrisk [69], a cybersecurity risk-management company, has published a
lengthy overview of "Supply Chain Attacks on Linux distributions" [70].
Authored by Maxime Rinaudo [71], the article asks:
> [What] would it take to compromise an entire Linux distribution
> directly through their public infrastructure? Is it possible to perform
> such a compromise as simple security researchers with no available
> resources but time?
[69] https://fenrisk.com/en/
[70] https://fenrisk.com/supply-chain-attacks
[71] https://x.com/MaxRio13
§
diffoscope strip-nondeterminism
-------------------------------
diffoscope [73] is our in-depth and content-aware diff utility that can
locate and diagnose reproducibility issues. This month, Chris Lamb made
the following changes, including preparing and uploading versions 290,
291, 292 and 293 and 293 to Debian:
* Bug fixes:
* file(1) version 5.46 now returns XHTML document for .xhtml files
such as those found nested within our .epub tests. [74]
* Also consider .aar files as APK files, at least for the sake of
diffoscope. [75]
* Require the new, upcoming, version of file(1) and update our
quine [76])-related testcase. [77]
* Codebase improvements:
* Ensure all calls to our_check_output in the ELF comparator have
the potential CalledProcessError exception caught. [78][79]
* Correct an import masking issue. [80]
* Add a missing subprocess import. [81]
* Reformat openssl.py. [82]
* Update copyright years. [83][84][85]
[73] https://diffoscope.org
[74] https://salsa.debian.org/reproducible-builds/diffoscope/commit/0eafad2a
[75] https://salsa.debian.org/reproducible-builds/diffoscope/commit/75b82281
[76] https://en.wikipedia.org/wiki/Quine_(computing
[77] https://salsa.debian.org/reproducible-builds/diffoscope/commit/b448a4eb
[78] https://salsa.debian.org/reproducible-builds/diffoscope/commit/d688b9a4
[79] https://salsa.debian.org/reproducible-builds/diffoscope/commit/c1827a11
[80] https://salsa.debian.org/reproducible-builds/diffoscope/commit/6cb11741
[81] https://salsa.debian.org/reproducible-builds/diffoscope/commit/ba827474
[82] https://salsa.debian.org/reproducible-builds/diffoscope/commit/cb33c13f
[83] https://salsa.debian.org/reproducible-builds/diffoscope/commit/3afece54
[84] https://salsa.debian.org/reproducible-builds/diffoscope/commit/7752dc71
[85] https://salsa.debian.org/reproducible-builds/diffoscope/commit/f0a81da9
In addition, Ivan Trubach contributed a change to ignore the st_size
metadata entry for directories as it is essentially arbitrary and
introduces unnecessary or even spurious changes. [86]
[86] https://salsa.debian.org/reproducible-builds/diffoscope/commit/6a848187
§
Website updates
---------------
Once again, there were a number of improvements made to our website this
month, including:
* Benedikt Ritter added the Reproducible Builds Gradle Plugin [87] to
our "Tools" [88] page. [89]
* Chris Lamb added a Meson [90] alternative for generating
SOURCE_DATE_EPOCH that calls out to Python to the SOURCE_DATE_EPOCH
documentation [91]. [92]
* Hervé Boutemy updated the "JVM documentation" [93] to clarify that
the target is rebuild attestation. [94]
* Lastly, Holger Levsen added Julien Malka and Zbigniew Jędrzejewski-
Szmek to our "Involved people" [95] [96][97] as well as replaced
suggestions to follow us on Twitter/X to follow us on Mastodon [98]
instead [99][100].
[87] https://github.com/gradlex-org/reproducible-builds
[88] https://reproducible-builds.org/tools/
[89] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a99359bc
[90] https://mesonbuild.com/
[91] https://reproducible-builds.org/docs/source-date-epoch/
[92] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1e2be408
[93] https://reproducible-builds.org/docs/jvm/
[94] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0357fc3b
[95] https://reproducible-builds.org/who/people/
[96] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/43feb729
[97] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/91fe1179
[98] https://fosstodon.org/@reproducible_builds
[99] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f4e10ec1
[100] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d606c0dd
§
Reproducibility testing framework
---------------------------------
The Reproducible Builds project operates a comprehensive testing
framework running primarily at tests.reproducible-builds.org [101] in
order to check packages and other artifacts for reproducibility. In
March, a number of changes were made by Holger Levsen, including:
* reproduce.debian.net [102]-related:
* Add links to two related bugs about buildinfos.debian.net [103]. [104]
* Add an extra sync to the database backup. [105]
* Overhaul description of what the service is
about. [106][107][108][109][110][111]
* Improve the documentation to indicate that need to fix
syncronisation pipes. [112][113]
* Improve the statistics page by breaking down output by
architecture. [114]
* Add a copyright statement. [115]
* Add a space after the package name so one can search for specific
packages more easily. [116]
* Add a script to work around/implement a missing feature of
debrebuild. [117]
[101] https://tests.reproducible-builds.org
[102] https://reproduce.debian.net
[103] https://buildinfos.debian.net/
[104] https://salsa.debian.org/qa/jenkins.debian.net/commit/b32979051
[105] https://salsa.debian.org/qa/jenkins.debian.net/commit/de1701228
[106] https://salsa.debian.org/qa/jenkins.debian.net/commit/64c68c638
[107] https://salsa.debian.org/qa/jenkins.debian.net/commit/9629d2a55
[108] https://salsa.debian.org/qa/jenkins.debian.net/commit/a407cace0
[109] https://salsa.debian.org/qa/jenkins.debian.net/commit/36931ac3e
[110] https://salsa.debian.org/qa/jenkins.debian.net/commit/0006d529b
[111] https://salsa.debian.org/qa/jenkins.debian.net/commit/06012d7c3
[112] https://salsa.debian.org/qa/jenkins.debian.net/commit/0995de563
[113] https://salsa.debian.org/qa/jenkins.debian.net/commit/f6a87edd2
[114] https://salsa.debian.org/qa/jenkins.debian.net/commit/cefd12cb0
[115] https://salsa.debian.org/qa/jenkins.debian.net/commit/2d7a440ef
[116] https://salsa.debian.org/qa/jenkins.debian.net/commit/6a2ac88c3
[117] https://salsa.debian.org/qa/jenkins.debian.net/commit/2db5e9850
* Misc:
* Run debian-repro-status at the end of the chroot-install
tests. [118][119]
* Document that we have unused diskspace at Ionos [120]. [121]
[118] https://salsa.debian.org/qa/jenkins.debian.net/commit/b39a8a930
[119] https://salsa.debian.org/qa/jenkins.debian.net/commit/30a957c74
[120] https://www.ionos.com/
[121] https://salsa.debian.org/qa/jenkins.debian.net/commit/d976c3a20
In addition:
* James Addison made a number of changes to the reproduce.debian.net
[122] homepage. [123][124].
[122] https://reproduce.debian.net
[123] https://salsa.debian.org/qa/jenkins.debian.net/commit/ce9d0caa5
[124] https://salsa.debian.org/qa/jenkins.debian.net/commit/77470511c
* Jochen Sprickerhof updated the statistics generation to catch "No
space left on device" issues. [125]
[125] https://salsa.debian.org/qa/jenkins.debian.net/commit/a3eed6a26
* Mattia Rizzolo added a better command to stop the builders [126] and
fixed the reStructuredText [127] syntax in the README.infrastructure
[128] file. [129]
[126] https://salsa.debian.org/qa/jenkins.debian.net/commit/b1427f9ff
[127] https://docutils.sourceforge.io/rst.html
[128] https://salsa.debian.org/qa/jenkins.debian.net/-/blob/HEAD/README.infrastructure
[129] https://salsa.debian.org/qa/jenkins.debian.net/commit/e3379a162
And finally, node maintenance was performed by Holger Levsen
[130][131][132] and Mattia Rizzolo [133][134].
[130] https://salsa.debian.org/qa/jenkins.debian.net/commit/9e5698436
[131] https://salsa.debian.org/qa/jenkins.debian.net/commit/54f378c00
[132] https://salsa.debian.org/qa/jenkins.debian.net/commit/e5d54ad30
[133] https://salsa.debian.org/qa/jenkins.debian.net/commit/edf2b0c6e
[134] https://salsa.debian.org/qa/jenkins.debian.net/commit/736f5ca3e
§
Upstream patches
----------------
The Reproducible Builds project detects, dissects and attempts to fix as
many currently-unreproducible packages as possible. We endeavour to send
all of our patches upstream where appropriate. This month, we wrote a
large number of such patches, including:
* Baptiste Daroussin:
* FreeBSD pkgbase [135]
[135] https://cgit.freebsd.org/src/commit/Makefile.inc1?id=8e99c8ad8fd41d3befae62f9eee59d8c5c60a539
* Bernhard M. Wiedemann:
* bash [136]
* cobra [137]
* cpython [138]
* deepin-daemon [139]
* difftastic [140]
* firefox-esr [141]
* fritzing [142]
* gawk [143]
* kbd [144]
* libcorrect [145]
* m4 [146]
* os-autoinst [147]
* python-nanobind [148]
* python3-espressomd [149]
* sad [150]
* wrk [151]
[136] https://build.opensuse.org/request/show/1251745
[137] https://github.com/spf13/cobra/pull/2246
[138] https://github.com/python/cpython/issues/130979
[139] https://bugzilla.opensuse.org/show_bug.cgi?id=1238196
[140] https://build.opensuse.org/request/show/1251169
[141] https://bugzilla.opensuse.org/show_bug.cgi?id=1239446
[142] https://bugzilla.opensuse.org/show_bug.cgi?id=1239967
[143] https://build.opensuse.org/request/show/1254398
[144] https://build.opensuse.org/request/show/1265349
[145] https://bugzilla.opensuse.org/show_bug.cgi?id=1238370
[146] https://build.opensuse.org/request/show/1254473
[147] https://bugzilla.opensuse.org/show_bug.cgi?id=1239686
[148] https://bugzilla.opensuse.org/show_bug.cgi?id=1239153
[149] https://build.opensuse.org/request/show/1255097
[150] https://build.opensuse.org/request/show/1252059
[151] https://build.opensuse.org/request/show/1251668
* Chris Lamb:
* #1099516 [152] filed against sphinxcontrib-googleanalytics [153].
* #1100016 [154] filed against hx [155].
* #1100018 [156] filed against yaramod [157].
* #1100115 [158] filed against font-manager [159].
* #1100977 [160] filed against python-moto [161].
* #1101740 [162] filed against jenkins-job-builder [163].
* #1101741 [164] filed against isync [165].
* #1101742 [166] filed against python-pytest-shell-utilities [167].
* #1101743 [168] filed against oss4 [169].
[152] https://bugs.debian.org/1099516
[153] https://tracker.debian.org/pkg/sphinxcontrib-googleanalytics
[154] https://bugs.debian.org/1100016
[155] https://tracker.debian.org/pkg/hx
[156] https://bugs.debian.org/1100018
[157] https://tracker.debian.org/pkg/yaramod
[158] https://bugs.debian.org/1100115
[159] https://tracker.debian.org/pkg/font-manager
[160] https://bugs.debian.org/1100977
[161] https://tracker.debian.org/pkg/python-moto
[162] https://bugs.debian.org/1101740
[163] https://tracker.debian.org/pkg/jenkins-job-builder
[164] https://bugs.debian.org/1101741
[165] https://tracker.debian.org/pkg/isync
[166] https://bugs.debian.org/1101742
[167] https://tracker.debian.org/pkg/python-pytest-shell-utilities
[168] https://bugs.debian.org/1101743
[169] https://tracker.debian.org/pkg/oss4
* Fridrich Strba:
* xmlgraphics-fop [170]
[170] https://build.opensuse.org/request/show/1250478
* Jochen Sprickerhof:
* #1100051 [171] filed against suricata [172].
[171] https://bugs.debian.org/1100051
[172] https://tracker.debian.org/pkg/suricata
* Robin Candau:
* clifm [173]
* lidm [174]
[173] https://github.com/leo-arch/clifm/pull/332
[174] https://github.com/javalsai/lidm/pull/27
§
Finally, if you are interested in contributing to the Reproducible
Builds project, please visit our "Contribute" [175] page on our website.
However, you can get in touch with us via:
* IRC: #reproducible-builds on irc.oftc.net.
* Mastodon: @reproducible_builds at fosstodon.org [176]
* Mailing list: rb-general at lists.reproducible-builds.org [177]
[175] https://reproducible-builds.org/contribute/
[176] https://fosstodon.org/@reproducible_builds
[177] https://lists.reproducible-builds.org/listinfo/rb-general
--
o
⬋ ⬊
o o reproducible-builds.org 💠
⬊ ⬋
o
More information about the rb-general
mailing list