Reproducible Builds in May 2025🔹

Chris Lamb chris at reproducible-builds.org
Fri Jun 6 21:32:14 UTC 2025


--------------------------------------------------------------------
        o
      ⬋   ⬊      May 2025 in Reproducible Builds
     o     o
      ⬊   ⬋      https://reproducible-builds.org/reports/2025-05/
        o
--------------------------------------------------------------------


Welcome to our 5th report from the Reproducible Builds project in
2025!

Our monthly reports outline what we've been up to over the past month,
and highlight items of news from elsewhere in the increasingly-
important area of software supply-chain security. If you are
interested in contributing to the Reproducible Builds project, please
do visit the Contribute [1] page on our website.

In this report:

 * Security audit of Reproducible Builds tools published
 * "When good pseudorandom numbers go bad"
 * Academic articles
 * Distribution work
 * diffoscope and disorderfs
 * Website updates
 * Reproducibility testing framework
 * Upstream patches

 [1] https://reproducible-builds.org/contribute/

                                    §


Security audit of Reproducible Builds tools published
-----------------------------------------------------

The Open Technology Fund [2]'s (OTF) security partner Security Research
Labs [3] recently conducted an audit of some specific parts of tools
developed by Reproducible Builds. This form of security audit, sometimes
called a "whitebox" audit, is a form of testing in which auditors have
complete knowledge of the item being tested. The auditors assessed the
various codebases for resilience against hacking, with key areas
including differential report formats in diffoscope [4], common client
web attacks, command injection, privilege management, hidden
modifications in the build process and attack vectors that might enable
denials of service.

The audit focused on three core Reproducible Builds tools: diffoscope
[5], a Python application that unpacks archives of files and directories
and transforms their binary formats into human-readable form in order to
compare them; strip-nondeterminism, a Perl program that improves
reproducibility by stripping out non-deterministic information such as
timestamps or other elements introduced during packaging; and
reprotest, a Python application that builds source code multiple times
in various environments in order to test reproducibility.

OTF's announcement [6] contains more of an overview of the audit, and
the full 24-page report [7] is available in PDF form as well.

 [2] https://www.opentech.fund/
 [3] https://www.srlabs.de/
 [4] https://diffoscope.org/
 [5] https://diffoscope.org/
 [6] https://www.opentech.fund/security-safety-audits/reproducible-builds-security-audit/
 [7] https://www.opentech.fund/wp-content/uploads/2025/05/SRL-reproducible_builds-baseline_assurance-report-final.pdf
 [8] https://blog.djnavarro.net/posts/2025-05-18_multivariate-normal-sampling-floating-point/

                                    §


"When good pseudorandom numbers go bad" [8]
-------------------------------------------

Danielle Navarro [9] published an interesting and amusing article on
their blog on "When good pseudorandom numbers go bad" [10]. Danielle
sets the stage as follows:

> [Colleagues] approached me to talk about a reproducibility issue
> they'd been having with some R [11] code. They'd been running
> simulations that rely on generating samples from a multivariate
> normal distribution, and despite doing the prudent thing and using
> set.seed() [12] to control the state of the random number generator
> (RNG), the results were not computationally reproducible. The same
> code, executed on different machines, would produce different random
> numbers. The numbers weren't "just a little bit different" in the
> way that we've all wearily learned to expect when you try to force
> computers to do mathematics. They were painfully, brutally,
> catastrophically, irreproducible different. Somewhere, somehow,
> something broke.

Thanks to David Wheeler for posting about this article [13] on our
mailing list [14].

  [9] https://djnavarro.net/
 [10] https://blog.djnavarro.net/posts/2025-05-18_multivariate-normal-sampling-floating-point/
 [11] https://www.r-project.org/
 [12] https://www.rdocumentation.org/packages/simEd/versions/2.0.1/topics/set.seed
 [13] https://lists.reproducible-builds.org/pipermail/rb-general/2025-May/003795.html
 [14] https://lists.reproducible-builds.org/listinfo/rb-general/

                                    §


Academic articles
-----------------

There were two scholarly articles published this month that related
to reproducibility:

Daniel Hugenroth and Alastair R. Beresford of the University of Cambridge
[15] in the United Kingdom and Mario Lins and René Mayrhofer
of Johannes Kepler University [16] in Linz, Austria published an article
titled "Attestable builds: compiling verifiable binaries on untrusted
systems using trusted execution environments" [17]. In their
paper, they:

> ... present attestable builds, a new paradigm to provide strong
> source-to-binary correspondence in software artifacts. We tackle
> the challenge of opaque build pipelines that disconnect the trust
> between source code, which can be understood and audited, and the
> final binary artifact, which is difficult to inspect. Our system
> uses modern trusted execution environments (TEEs) and sandboxed
> build containers to provide strong guarantees that a given artifact
> was correctly built from a specific source code snapshot. As such it
> complements existing approaches like reproducible builds which
> typically require time-intensive modifications to existing build
> configurations and dependencies, and require independent parties to
> continuously build and verify artifacts.

The authors compare "attestable builds" with reproducible builds by
noting an attestable build requires "only minimal changes to an existing
project, and offers nearly instantaneous verification of the
correspondence between a given binary and the source code and build
pipeline used to construct it", and proceed by determining that "the
overhead (42 seconds start-up latency and 14% increase in build
duration) is small in comparison to the overall build time."

Timo Pohl, Pavel Novák, Marc Ohm and Michael Meier have published a
paper called "Towards Reproducibility for Software Packages in Scripting
Language Ecosystems" [18]. The authors note that past research into
Reproducible Builds has focused primarily on compiled languages and
their ecosystems, with a further emphasis on Linux
distribution packages:

> However, the popular scripting language ecosystems potentially face
> unique issues given the systematic difference in distributed artifacts.
> This Systemization of Knowledge [19] (SoK) [paper] provides an overview
> of existing research, aiming to highlight future directions, as well as
> chances to transfer existing knowledge from compiled language
> ecosystems. To that end, we work out key aspects in current research,
> systematize identified challenges for software reproducibility, and map
> them between the ecosystems.

Ultimately, the three authors find that the literature is "sparse",
focusing on few individual problems and ecosystems, and therefore
identify space for more critical research.

 [15] https://www.cam.ac.uk/
 [16] https://www.jku.at/en
 [17] https://arxiv.org/abs/2505.02521
 [18] https://arxiv.org/abs/2503.21705
 [19] https://www.jsys.org/type_SoK/

                                    §


Distribution work
-----------------

In Debian this month:

* Ian Jackson filed a bug against the debian-policy package [20] in
  order to delve into an issue affecting Debian's support for cross-
  architecture compilation [21], multiple-architecture systems [22],
  reproducible builds' SOURCE_DATE_EPOCH [23] environment variable and
  the ability to recompile already-uploaded packages to Debian with a
  new/updated toolchain (binNMUs [24]). Ian identifies a specific case
  in the libopts25-dev package, involving a manual page
  that had interesting downstream effects, potentially affecting backup
  systems. The bug generated a large number of replies, some of which
  have references to similar or overlapping issues, such as this one
  from 2016/2017 [25].

* Chris Hofstaedtler filed a bug against the metasnap.debian.net [26]
  service to note that some packages are not available in the metasnap
  API [27].

* 22 reviews of Debian packages were added, 24 were updated and 11 were
  removed this month, all adding to our knowledge about identified
  issues [28].

 [20] https://bugs.debian.org/1104854
 [21] https://wiki.debian.org/CrossCompiling
 [22] https://wiki.debian.org/CategoryMultiarch
 [23] https://reproducible-builds.org/docs/source-date-epoch/
 [24] https://wiki.debian.org/binNMU
 [25] https://bugs.debian.org/843773#132
 [26] http://metasnap.debian.net/
 [27] https://salsa.debian.org/metasnap-team/metasnap/-/issues/4
 [28] https://tests.reproducible-builds.org/debian/index_issues.html


Hans-Christoph Steiner of the F-Droid [29] catalogue of open source
applications for the Android platform published a blog post on "Making
reproducible builds visible" [30]. Noting that "Reproducible builds are
essential in order to have trustworthy software", Hans also mentions
that "F-Droid has been delivering reproducible builds since 2015
[31]". However:

> There is now a "Reproducibility Status [32]" link for each app on
> f-droid.org, listed on every app’s page. Our verification server shows
> ✔️️ or 💔 based on its build results, where ✔️️ means our rebuilder
> reproduced the same APK file and 💔 means it did not. The IzzyOnDroid
> [33] repository has developed a more elaborate system of badges which
> displays a ✅ for each rebuilder. Additionally, there is a sketch of a
> five-level graph to represent some aspects about which processes
> were run.

Hans compares the approach with projects such as Arch Linux and Debian
that "provide developer-facing tools to give feedback about
reproducible builds, but do not display information about reproducible
builds in the user-facing interfaces like the package management
GUIs."

 [29] https://f-droid.org/en/
 [30] https://f-droid.org/2025/05/21/making-reproducible-builds-visible.html
 [31] https://f-droid.org/en/2015/02/11/complete-reproducible-app-distribution-achieved.html
 [32] https://verification.f-droid.org/packages/com.nextcloud.client/
 [33] https://apt.izzysoft.de/fdroid/


Arnout Engelen [36] of the NixOS [37] project has been working on
reproducing the minimal installation ISO image [38]. This month, Arnout
has successfully reproduced the build of the minimal image for the 25.05
release without relying on the binary cache. Work on also reproducing
the graphical installer image is ongoing.

 [36] https://engelen.eu/
 [37] https://nixos.org/
 [38] https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756/11


In openSUSE [39] news, Bernhard M. Wiedemann posted another monthly
update [40] for their work there.

 [39] https://www.opensuse.org/
 [40] https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/KNEXPQPSII46VM3C62LFZ3ODK6OZPXPL/


Lastly in Fedora [41] news, Jelle van der Waa opened issues tracking
reproducibility issues in Haskell documentation [42], Qt6 recording the
host kernel [43] and R packages recording the current date [44]. The R
packages can be made reproducible with packaging changes in Fedora.

 [41] https://fedoraproject.org
 [42] https://pagure.io/fedora-reproducible-builds/project/issue/26
 [43] https://pagure.io/fedora-reproducible-builds/project/issue/24
 [44] https://pagure.io/fedora-reproducible-builds/project/issue/25

                                    §


diffoscope and disorderfs
-------------------------

diffoscope [46] is our in-depth and content-aware diff utility that can
locate and diagnose reproducibility issues. This month, Chris Lamb made
the following changes, including preparing and uploading versions 295,
296 and 297 to Debian:

* Don't rely on zipdetails' --walk argument being available, and only
  add that argument on newer versions after we test for that. [47]
* Review and merge support for NuGet [48] packages from Omair
  Majid. [49]
* Update copyright years. [50]
* Merge support for an lzma comparator from Will Hollywood. [51][52]

 [46] https://diffoscope.org
 [47] https://salsa.debian.org/reproducible-builds/diffoscope/commit/b1b0d849
 [48] https://www.nuget.org/
 [49] https://salsa.debian.org/omajid/diffoscope/commit/09abd4cddbebdf0f2310c47dc562826e44f18088
 [50] https://salsa.debian.org/reproducible-builds/diffoscope/commit/5832cba9
 [51] https://salsa.debian.org/omajid/diffoscope/commit/bf04ad9a251b8769270151497e5d0b0c879064d4
 [52] https://salsa.debian.org/omajid/diffoscope/commit/f94b754afdee4a7be6de657fa5717c399f600681

Chris also merged an impressive changeset from Siva Mahadevan [53] to
make disorderfs more portable, especially on FreeBSD [54].
disorderfs is our FUSE [55]-based filesystem that deliberately
introduces non-determinism into directory system calls in order to flush
out reproducibility issues [56]. This was then uploaded to Debian as
version 0.6.0-1.

 [53] https://svmhdvn.name/
 [54] https://www.freebsd.org/
 [55] https://en.wikipedia.org/wiki/Filesystem_in_Userspace
 [56] https://salsa.debian.org/reproducible-builds/disorderfs/commit/c04c8f4
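
The kind of bug that a disordered directory listing flushes out, as an
added illustration (not part of the original report and not code from
disorderfs or diffoscope). The file names, the EPOCH value and the
reversed listing standing in for disorderfs' output are assumptions
made for the example:

```python
import hashlib
import io
import os
import tarfile
import tempfile

EPOCH = 1746057600  # constructed SOURCE_DATE_EPOCH value (2025-05-01T00:00:00Z)


def make_tree(root, build_offset):
    """Write a constructed build output; generated files get the build's clock."""
    files = {
        "README": (b"shipped with the source\n", -1000),  # older than EPOCH
        "a.out": (b"\x7fELF constructed payload", build_offset),
        "manual.1": (b".TH DEMO 1\n", build_offset),
    }
    for name, (data, offset) in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (EPOCH + offset, EPOCH + offset))


def build_archive(root, names, epoch=None):
    """Tar `names` from `root` in the order given and return the raw bytes.

    epoch=None models a naive packaging step: member order, mtime, mode and
    ownership are whatever the filesystem reported. With an epoch, members
    are sorted, mtimes clamped (newer files only) and ownership/mode fixed.
    """
    if epoch is not None:
        names = sorted(names)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            path = os.path.join(root, name)
            info = tar.gettarinfo(path, arcname=name)
            if epoch is not None:
                info.mtime = min(int(info.mtime), epoch)
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def member_mtimes(blob):
    """Read back the mtime recorded for each archive member."""
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        return {member.name: member.mtime for member in tar.getmembers()}


def run_experiment():
    """Build the same tree twice and compare archives across both variations."""
    with tempfile.TemporaryDirectory() as first, \
            tempfile.TemporaryDirectory() as second:
        make_tree(first, build_offset=100)    # original build
        make_tree(second, build_offset=5000)  # rebuild on a later wall clock
        listing = sorted(os.listdir(first))
        disordered = listing[::-1]  # stand-in for a shuffled readdir() result

        naive = build_archive(first, listing)
        normalized = build_archive(first, listing, EPOCH)
        return {
            # Same files, different listing order: the naive archive changes.
            "naive_order_stable":
                digest(naive) == digest(build_archive(first, disordered)),
            # Same order, later rebuild: the naive archive changes again.
            "naive_rebuild_stable":
                digest(naive) == digest(build_archive(second, listing)),
            # Sorted and clamped: identical despite both variations at once.
            "normalized_stable":
                digest(normalized)
                == digest(build_archive(second, disordered, EPOCH)),
            "normalized_mtimes": member_mtimes(normalized),
        }


if __name__ == "__main__":
    for key, value in run_experiment().items():
        print(key, value)
```

Files older than the epoch keep their own timestamp, which is the
clamping behaviour rather than overwriting every mtime.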

Lastly, Vagrant Cascadian updated diffoscope in GNU Guix [57] to
version 296 [58][59] and 297 [60][61], and disorderfs to version
0.6.0 [62][63].

 [57] https://guix.gnu.org/
 [58] https://debbugs.gnu.org/78460
 [59] https://codeberg.org/guix/guix/commit/470ad82bfaf3403bd6fc31ccd52b04027c6b8eeb
 [60] https://codeberg.org/guix/guix/pulls/358
 [61] https://codeberg.org/guix/guix/commit/8b8b0c2e8d7f99036c56328a5f0a59394a3eddc3
 [62] https://debbugs.gnu.org/78515
 [63] https://codeberg.org/guix/guix/commit/6181d7cc8a620153bd48b3dba42c59636b4da259

                                    §


Website updates
---------------

Once again, there were a number of improvements made to our website this
month including:

* Chris Lamb:

    * Merged four or five suggestions from Guillem Jover for the GNU
      Autotools [64] examples on the SOURCE_DATE_EPOCH [65] example
      page [66]
    * Incorporated a number of fixes for the JavaScript
      SOURCE_DATE_EPOCH snippet from Sebastian Davids, which did not
      handle non-integer values correctly. [67]

     [64] https://en.wikipedia.org/wiki/GNU_Autotools
     [65] https://reproducible-builds.org/docs/source-date-epoch/
     [66] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f4d56cdb
     [67] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0a41c934

* David A. Wheeler:

    * Fix an apostrophe in the README.md file. [68]

     [68] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/043d4752

* Hans-Christoph Steiner:

    * Add the F-Droid [69] "Verification Server" [70] to the "Tools"
      [71] page. [72]
    * Add the Creative Commons Attribution-ShareAlike 4.0 International
      [73] as the website's root LICENSE file. [74]
    * Updated the "Recording the build environment" [75] page to add a
      section pertaining to how F-Droid [76] handles this. [77]

     [69] https://f-droid.org/
     [70] https://f-droid.org/docs/Verification_Server/
     [71] https://reproducible-builds.org/tools/
     [72] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/558a1cb2
     [73] https://creativecommons.org/licenses/by-sa/4.0/
     [74] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/eba4d798
     [75] https://reproducible-builds.org/docs/recording/
     [76] https://f-droid.org
     [77] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/51c13c02

* Jochen Sprickerhof:

    * Add Chris Hofstaedtler to the "Who is involved?" [78] page. [79]

     [78] https://reproducible-builds.org/who/people/
     [79] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e7bc1608

* Sebastian Davids:

    * Fix the CoffeeScript [80] example on the SOURCE_DATE_EPOCH [81]
      page. [82]
    * Remove the JavaScript example that uses a 'fixed' timezone on the
      SOURCE_DATE_EPOCH [83] page. [84]

     [80] https://coffeescript.org/
     [81] https://reproducible-builds.org/docs/source-date-epoch/
     [82] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/35b120b7
     [83] https://reproducible-builds.org/docs/source-date-epoch/
     [84] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1e62a6b4

                                    §


Reproducibility testing framework
---------------------------------

The Reproducible Builds project operates a comprehensive testing
framework running primarily at tests.reproducible-builds.org [85] in
order to check packages and other artifacts for reproducibility.

However, Holger Levsen posted to our mailing list [86] this month in
order to bring a wider awareness to funding issues faced by the Oregon
State University [87] (OSU) Open Source Lab [88] (OSL). As mentioned on
OSL's public post [89], "recent changes in university funding makes our
current funding model no longer sustainable [and that] unless we secure
$250,000 in committed funds, the OSL will shut down later this year". As
Holger notes in his post to our mailing list [90], the Reproducible
Builds project relies on hardware nodes hosted there. Nevertheless,
Lance Albertson of OSL posted an update to the funding situation later
in the month [91] with broadly positive news.

 [85] https://tests.reproducible-builds.org
 [86] https://lists.reproducible-builds.org/listinfo/rb-general/
 [87] https://oregonstate.edu/
 [88] https://osuosl.org/
 [89] https://osuosl.org/blog/osl-future/
 [90] https://lists.reproducible-builds.org/pipermail/rb-general/2025-May/003768.html
 [91] https://osuosl.org/blog/osl-future-update/

Separate to this, there were various changes to the Jenkins [92] setup
this month, which is used as the backend driver for both
tests.reproducible-builds.org [93] and reproduce.debian.net
[94], including:

* Migrating the central jenkins.debian.net server from AMD Opteron to Intel
  Haswell CPUs. Thanks to IONOS [95] for hosting this server
  since 2012.
* After testing it for almost ten years, the i386 architecture has been
  dropped from tests.reproducible-builds.org [96]. This is because,
  with the upcoming release of Debian 'trixie', i386 is no longer
  supported as a 'regular' architecture — there will be no official
  kernel and no Debian installer for i386 systems. As a result, a large
  number of nodes hosted by Infomaniak [97] have been retooled from
  i386 to amd64.
* Another node, ionos17-amd64.debian.net, which is used for verifying
  packages for all.reproduce.debian.net [98] (hosted by IONOS [99])
  has had its memory increased from 40 to 64GB, and the number of cores
  doubled to 32 as well. In addition, two nodes generously hosted by
  OSUOSL [100] have had their memory doubled to 16GB.
* Lastly, we have been granted access to more riscv64 architecture
  boards, so now we have seven such nodes, all with 16GB memory and 4
  cores that are verifying packages for riscv64.reproduce.debian.net
  [101]. Many thanks to PLCT Lab, ISCAS [102] for providing those.

 [92] https://www.jenkins.io/
 [93] https://tests.reproducible-builds.org/
 [94] https://reproduce.debian.net
 [95] https://ionos.com
 [96] https://tests.reproducible-builds.org/
 [97] https://infomaniak.com
 [98] https://all.reproduce.debian.net
 [99] https://ionos.com
 [100] https://osuosl.org/services/powerdev/
 [101] https://riscv64.reproduce.debian.net
 [102] https://plctlab.org/en/


Outside of this, a number of smaller changes were also made by
Holger Levsen:

* reproduce.debian.net [103]-related:

    * Only use two workers for the ppc64el architecture due to RAM
      size. [104]
    * Monitor nginx_request and nginx_status with the Munin [105]
      monitoring system. [106][107]
    * Detect various variants of network and memory
      errors. [108][109][110][111]
    * Add a prominent link to reproducible-builds.org [112]. [113]
    * Add a rebuilderd-cache-cleanup.service and run it daily via
      timer. [114][115][116][117][118]
    * Be more verbose about what sources are being downloaded. [119]
    * Correctly deal with packages with an epoch in their version [120]
      and deal with binNMUs [121] versions with an epoch as
      well [122][123].
    * Document how to reschedule all other errors on all archs. [124]
    * Misc documentation improvements. [125][126][127][128]
    * Include the $HOSTNAME variable in the rebuilderd
      logfiles. [129]
    * Install the equivs package on all worker nodes. [130][131]

     [103] https://reproduce.debian.net
     [104] https://salsa.debian.org/qa/jenkins.debian.net/commit/b960005b8
     [105] https://munin-monitoring.org/
     [106] https://salsa.debian.org/qa/jenkins.debian.net/commit/7054da94c
     [107] https://salsa.debian.org/qa/jenkins.debian.net/commit/a0caceb95
     [108] https://salsa.debian.org/qa/jenkins.debian.net/commit/ea8d2da1e
     [109] https://salsa.debian.org/qa/jenkins.debian.net/commit/10aa2d9af
     [110] https://salsa.debian.org/qa/jenkins.debian.net/commit/2bc01ea5c
     [111] https://salsa.debian.org/qa/jenkins.debian.net/commit/b034b781e
     [112] https://reproducible-builds.org
     [113] https://salsa.debian.org/qa/jenkins.debian.net/commit/e01be8f40
     [114] https://salsa.debian.org/qa/jenkins.debian.net/commit/5495a4c8e
     [115] https://salsa.debian.org/qa/jenkins.debian.net/commit/79fd109a9
     [116] https://salsa.debian.org/qa/jenkins.debian.net/commit/f56bda2f5
     [117] https://salsa.debian.org/qa/jenkins.debian.net/commit/24f6ff022
     [118] https://salsa.debian.org/qa/jenkins.debian.net/commit/6bf9ac32d
     [119] https://salsa.debian.org/qa/jenkins.debian.net/commit/d0e38b306
     [120] https://salsa.debian.org/qa/jenkins.debian.net/commit/c66113ce0
     [121] https://wiki.debian.org/binNMU
     [122] https://salsa.debian.org/qa/jenkins.debian.net/commit/2a3d2fd65
     [123] https://salsa.debian.org/qa/jenkins.debian.net/commit/d0a635d61
     [124] https://salsa.debian.org/qa/jenkins.debian.net/commit/d4734534e
     [125] https://salsa.debian.org/qa/jenkins.debian.net/commit/1f7e1def9
     [126] https://salsa.debian.org/qa/jenkins.debian.net/commit/7058a8027
     [127] https://salsa.debian.org/qa/jenkins.debian.net/commit/c7d3bb1dc
     [128] https://salsa.debian.org/qa/jenkins.debian.net/commit/04b83e66f
     [129] https://salsa.debian.org/qa/jenkins.debian.net/commit/0acb6b31a
     [130] https://salsa.debian.org/qa/jenkins.debian.net/commit/a05fe0b5a
     [131] https://salsa.debian.org/qa/jenkins.debian.net/commit/a5b9489a1

* Jenkins nodes:

    * Permit the sudo tool to fix up permission issues. [132][133]
    * Document how to manage diskspace with OpenStack [134]. [135]
    * Ignore a number of spurious monitoring errors on riscv64,
      FreeBSD, etc. [136][137][138][139]
    * Install ntpsec-ntpdate (instead of ntpdate) as the former is
      available on Debian 'trixie' and 'bookworm'. [140][141]
    * Use the same SSH ControlPath [142] for all nodes. [143]
    * Make sure the munin user uses the same SSH config as the jenkins
      user. [144]

     [132] https://salsa.debian.org/qa/jenkins.debian.net/commit/2fc414e2b
     [133] https://salsa.debian.org/qa/jenkins.debian.net/commit/6d7077306
     [134] https://www.openstack.org/
     [135] https://salsa.debian.org/qa/jenkins.debian.net/commit/61c8c260d
     [136] https://salsa.debian.org/qa/jenkins.debian.net/commit/927a0a68e
     [137] https://salsa.debian.org/qa/jenkins.debian.net/commit/58b606ec3
     [138] https://salsa.debian.org/qa/jenkins.debian.net/commit/7cf00b4f3
     [139] https://salsa.debian.org/qa/jenkins.debian.net/commit/551632968
     [140] https://salsa.debian.org/qa/jenkins.debian.net/commit/9fc56dcc2
     [141] https://salsa.debian.org/qa/jenkins.debian.net/commit/8e137a299
     [142] https://man.openbsd.org/ssh_config
     [143] https://salsa.debian.org/qa/jenkins.debian.net/commit/f122ae170
     [144] https://salsa.debian.org/qa/jenkins.debian.net/commit/3aab14aa7

* tests.reproducible-builds.org [145]-related:

    * Disable testing of the i386
      architecture. [146][147][148][149][150]
    * Document the current disk usage. [151][152]
    * Address some image placement now that we only test three
      architectures. [153]
    * Keep track of build performance. [154]

     [145] https://tests.reproducible-builds.org/
     [146] https://salsa.debian.org/qa/jenkins.debian.net/commit/ada4d4153
     [147] https://salsa.debian.org/qa/jenkins.debian.net/commit/7f2837389
     [148] https://salsa.debian.org/qa/jenkins.debian.net/commit/56e6e6cff
     [149] https://salsa.debian.org/qa/jenkins.debian.net/commit/e44940bf0
     [150] https://salsa.debian.org/qa/jenkins.debian.net/commit/a94e996d6
     [151] https://salsa.debian.org/qa/jenkins.debian.net/commit/9279052e0
     [152] https://salsa.debian.org/qa/jenkins.debian.net/commit/257f9b879
     [153] https://salsa.debian.org/qa/jenkins.debian.net/commit/e7513ffcf
     [154] https://salsa.debian.org/qa/jenkins.debian.net/commit/4428f6d52

* Misc:

    * Fix a (harmless) typo in the multiarch_versionskew script. [155]

     [155] https://salsa.debian.org/qa/jenkins.debian.net/commit/43926e0b2

In addition, Jochen Sprickerhof made a series of changes related to
reproduce.debian.net [156]:

* Add out of memory detection to the statistics page. [157]
* Reverse the sorting order on the statistics
  page. [158][159][160][161]
* Improve the spacing between statistics groups. [162]
* Update a (hard-coded) line number in error message detection
  pertaining to a debrebuild line number. [163]
* Support Debian 'unstable' in the rebuilder-debian.sh
  script. [164][165]
* Rely on rebuildctl to sync only 'arch-specific' packages. [166][167]

 [156] https://reproduce.debian.net
 [157] https://salsa.debian.org/qa/jenkins.debian.net/commit/acf4ea9c8
 [158] https://salsa.debian.org/qa/jenkins.debian.net/commit/c134bf90a
 [159] https://salsa.debian.org/qa/jenkins.debian.net/commit/eaa0ec619
 [160] https://salsa.debian.org/qa/jenkins.debian.net/commit/e9d726d80
 [161] https://salsa.debian.org/qa/jenkins.debian.net/commit/b38ac0884
 [162] https://salsa.debian.org/qa/jenkins.debian.net/commit/b320ded2a
 [163] https://salsa.debian.org/qa/jenkins.debian.net/commit/265a5fb4e
 [164] https://salsa.debian.org/qa/jenkins.debian.net/commit/ed578f44e
 [165] https://salsa.debian.org/qa/jenkins.debian.net/commit/7701c372e
 [166] https://salsa.debian.org/qa/jenkins.debian.net/commit/49ef8041e
 [167] https://salsa.debian.org/qa/jenkins.debian.net/commit/eeb86e1ba

                                    §


Upstream patches
----------------

The Reproducible Builds project detects, dissects and attempts to fix as
many currently-unreproducible packages as possible. This month, we wrote
a large number of such patches, including:

* Bernhard M. Wiedemann:

    * autotrace [168], ck [169], cmake/musescore [170], cmake [171],
      crash [172], cvsps [173], gexif [174], gq [175], gtkam [176],
      ibus-table-others [177], krb5-appl [178], ktoblzcheck-data [179],
      leafnode [180], lib2geom [181], libexif-gtk [182], libmfx-gen
      [183], libmfx [184], liboqs [185], libyui [186], linkloop [187],
      meson [188], MozillaFirefox [189], ncurses [190], netdiscover
      [191], notify-sharp [192], pcsc-acr38 [193], pcsc-asedriveiiie-
      serial [194], pcsc-asedriveiiie-usb [195], pcsc-asekey [196],
      pcsc-eco5000 [197], pcsc-reflex60 [198], perl-Crypt-RC [199],
      python-boto3 [200], python-gevent [201], python-pytest-
      localserver [202], qt6-tools [203], seamonkey [204], seq24 [205],
      smictrl [206], sobby [207], solfege [208], urfkill [209], uwsgi
      [210], wsmancli [211], xine-lib [212], xkeycaps [213], xquarto
      [214], yast-control-center [215], yast-ruby-bindings [216] and
      yast [217]

     [168] https://build.opensuse.org/request/show/1277438
     [169] https://build.opensuse.org/request/show/1279009
     [170] https://gitlab.kitware.com/cmake/cmake/-/issues/26957
     [171] https://build.opensuse.org/request/show/1280975
     [172] https://src.opensuse.org/kernel-kdump/crash/pulls/2
     [173] https://build.opensuse.org/request/show/1277441
     [174] https://build.opensuse.org/request/show/1277447
     [175] https://build.opensuse.org/request/show/1277448
     [176] https://build.opensuse.org/request/show/1277463
     [177] https://build.opensuse.org/request/show/1277450
     [178] https://build.opensuse.org/request/show/1277456
     [179] https://build.opensuse.org/request/show/1279038
     [180] https://build.opensuse.org/request/show/1277080
     [181] https://build.opensuse.org/request/show/1280894
     [182] https://build.opensuse.org/request/show/1277460
     [183] https://build.opensuse.org/request/show/1276727
     [184] https://build.opensuse.org/request/show/1276079
     [185] https://build.opensuse.org/request/show/1276690
     [186] https://github.com/libyui/libyui/pull/116
     [187] https://build.opensuse.org/request/show/1277459
     [188] https://github.com/mesonbuild/meson/pull/14580
     [189] https://build.opensuse.org/request/show/1277922
     [190] https://build.opensuse.org/request/show/1277853
     [191] https://github.com/netdiscover-scanner/netdiscover/pull/38
     [192] https://build.opensuse.org/request/show/1277465
     [193] https://build.opensuse.org/request/show/1279024
     [194] https://build.opensuse.org/request/show/1279029
     [195] https://build.opensuse.org/request/show/1279030
     [196] https://build.opensuse.org/request/show/1279031
     [197] https://build.opensuse.org/request/show/1277482
     [198] https://build.opensuse.org/request/show/1279025
     [199] https://build.opensuse.org/request/show/1276293
     [200] https://build.opensuse.org/request/show/128082
     [201] https://build.opensuse.org/request/show/1276306
     [202] https://build.opensuse.org/request/show/1280876
     [203] https://build.opensuse.org/request/show/1279420
     [204] https://build.opensuse.org/request/show/1280974
     [205] https://build.opensuse.org/request/show/1277472
     [206] https://build.opensuse.org/request/show/1277471
     [207] https://build.opensuse.org/request/show/1277473
     [208] https://build.opensuse.org/request/show/1277476
     [209] https://build.opensuse.org/request/show/1277477
     [210] https://build.opensuse.org/request/show/1277483
     [211] https://build.opensuse.org/request/show/1277478
     [212] https://build.opensuse.org/request/show/1277479
     [213] https://build.opensuse.org/request/show/1277480
     [214] https://build.opensuse.org/request/show/1277481
     [215] https://github.com/yast/yast-control-center/pull/62
     [216] https://github.com/yast/yast-ruby-bindings/pull/294
     [217] https://github.com/yast/yast-devtools/pull/178

* Chris Hofstaedtler:

    * #1104578 [218] filed against jabber-muc [219].

     [218] https://bugs.debian.org/1104578
     [219] https://tracker.debian.org/pkg/jabber-muc

* Chris Lamb:

    * #1105171 [220] filed against golang-github-lucas-clemente-quic-
      go [221].

     [220] https://bugs.debian.org/1105171
     [221] https://tracker.debian.org/pkg/golang-github-lucas-clemente-quic-go

* Jelle van der Waa:

    * gitlab-shell [222]

     [222] https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/1291

* Jochen Sprickerhof:

    * #1104965 [223] filed against bootp [224].

     [223] https://bugs.debian.org/1104965
     [224] https://tracker.debian.org/pkg/bootp

* Zhaofeng Li:

    * Add support for --mtime and --clamp-mtime [225] to bsdtar.

     [225] https://github.com/libarchive/libarchive/pull/2601

* James Addison:

    * #1105119 [226] for python3 — requested enabling an LTO-adjacent
      option that should improve build reproducibility.
    * #1106274 [227] upstream fix merged for freezegun [228] for a
      timezone issue causing unit tests to fail during testing.
    * Opened a pull request [229] for tutanota [230] in an attempt to
      resolve a long-standing reproducibility issue [231].

     [226] https://bugs.debian.org/1105119
     [227] https://bugs.debian.org/1106274
     [228] https://github.com/spulec/freezegun/
     [229] https://github.com/tutao/tutanota/pull/9034
     [230] https://github.com/tutao/tutanota/
     [231] https://github.com/tutao/tutanota/issues/1016

* Zbigniew Jędrzejewski-Szmek:

   * 0xFFFF [232]: Use SOURCE_DATE_EPOCH for date in manual pages.

     [232] https://src.fedoraproject.org/rpms/0xFFFF/pull-request/1


                                    §


Finally, if you are interested in contributing to the Reproducible
Builds project, please visit our Contribute [233] page on our website.
You can also get in touch with us via:

 * IRC: #reproducible-builds on irc.oftc.net.

 * Mastodon: @reproducible_builds at fosstodon.org [234]

 * Mailing list: rb-general at lists.reproducible-builds.org [235]

     [233] https://reproducible-builds.org/contribute/
     [234] https://fosstodon.org/@reproducible_builds
     [235] https://lists.reproducible-builds.org/listinfo/rb-general



-- 
      o
    ⬋   ⬊
   o     o     reproducible-builds.org 💠
    ⬊   ⬋
      o

