SUSE r-b

Bernhard M. Wiedemann bernhardout at lsmod.de
Thu Jul 31 13:31:35 UTC 2025 

Hello fellow R-B-ings,

I have quite some news.
While I have been working part-time on reproducible-builds for openSUSE 
since 2016, it was never an official SUSE project.
Even last year, when I took four months of unpaid leave from SUSE to 
work on RBOS [1] as my heart desired...

But that changed earlier this year when reproducible-builds for SLES-16 
became an official goal for the product. More people are talking about 
digital sovereignty and supply-chain security now.
Since then I have been testing and sending fixes as fast as I could.

In the July monthly report [2] we now have more SUSEans contribute fixes 
than I ever thought would happen. Even for complicated stuff like emacs.
And we fixed issues that were around for years (e.g. in llvm since at 
least 2018, numpy, mozilla-nss...)

While there are still some issues left, we document in a README [3] how 
to verify binaries anyway for many of them, e.g.
colord: needs AVX2 on the build machine (bsc#1237156)
java-21-openjdk: needs to be built on a 4-core VM (bsc#1221224)
memcached: needs to be built before year 2038 (bsc#1246407)

And I added a package named SLES-reproducible-builds that blocks 
installation of remaining known-unverifiable packages via rpm's 
"Conflicts" mechanism.

Today, only 9 of 3319 (source) packages have significant problems left 
(plus 7 with pending fixes), so 99.5% of packages have reproducible builds.

There are remaining questions on how to handle binaries pesign-ed for 
secure boot and how to best get kiwi to produce bit-reproducible images 
for iso, VMs and containers.

We still have a few months until release, so let's see how nice it will 
be in the end.
There is always more left to do (e.g. for openSUSE Factory with its 16k 
packages).


Ciao
Bernhard M.

[1] 
https://lists.reproducible-builds.org/pipermail/rb-general/2025-February/003661.html

[2] https://reproducible-builds.org/reports/2025-07/

[3] 
https://build.opensuse.org/projects/home:bmwiedemann/packages/SLES-reproducible-builds/files/README
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20250731/30513618/attachment.sig>

More information about the rb-general mailing list