Reproducible Builds in April 2025🔹

Chris Lamb chris at reproducible-builds.org
Mon May 12 19:15:12 UTC 2025


--------------------------------------------------------------------
        o
      ⬋   ⬊      April 2025 in Reproducible Builds
     o     o
      ⬊   ⬋      https://reproducible-builds.org/reports/2025-04/
        o
--------------------------------------------------------------------


Welcome to our fourth report from the Reproducible Builds [0] project in
2025! These monthly reports outline what we've been up to over the past
month, and highlight items of news from elsewhere in the increasingly-
important area of software supply-chain security.

If you are interested in contributing to the Reproducible Builds
project, please visit the Contribute [1] page on our website.

 [1] https://reproducible-builds.org/contribute/


Table of contents:

 * reproduce.debian.net
 * "Fifty Years of Open Source Software Supply Chain Security"
 * 4th CHAINS Software Supply Chain Workshop
 * Mailing list updates
 * "Canonicalization for Unreproducible Builds in Java"
 * "OSS Rebuild" adds new TUI features
 * Distribution roundup
 * "diffoscope" & "strip-nondeterminism"
 * Website updates
 * Reproducibility testing framework
 * Upstream patches



                                    §

reproduce.debian.net
--------------------

The last few months have seen the introduction, development and
deployment of reproduce.debian.net [3]. In technical terms, this is an
instance of rebuilderd [4], our server designed monitor the official
package repositories of Linux distributions and attempt to reproduce
the observed results there.

This month, however, we are pleased to announce that
reproduce.debian.net [5] now tests all the Debian trixie architectures
except s390x and mips64el.

The ppc64el architecture was added through the generous support of
Oregon State University Open Source Laboratory [6] (OSUOSL), and we
can support the armel architecture thanks to CodeThink [7].

 [3] https://reproduce.debian.net
 [4] https://github.com/kpcyrd/rebuilderd
 [5] https://reproduce.debian.net
 [6] https://osuosl.org/
 [7] https://www.codethink.co.uk/

                                    §


"Fifty Years of Open Source Software Supply Chain Security"
-----------------------------------------------------------

Russ Cox has published a must-read article in ACM Queue [9] on "Fifty
Years of Open Source Software Supply Chain Security" [10]. Subtitled,
"For decades, software reuse was only a lofty goal. Now it's very
real.", Russ' article goes on to outline the history and original goals
of software supply-chain security in the US military in the early 1970s,
all the way to the XZ Utils backdoor [11] of 2024. Through that lens,
Russ explores the problem and how it has changed, and hasn't changed,
over time.

He concludes as follows:

> We are all struggling with a massive shift that has happened in the
> past 10 or 20 years in the software industry. For decades, software
> reuse was only a lofty goal. Now it's very real. Modern programming
> environments such as Go, Node and Rust have made it trivial to reuse
> work by others, but our instincts about responsible behaviors have
> not yet adapted to this new reality.
>
> We all have more work to do.

 [9] https://queue.acm.org/
 [10] https://queue.acm.org/detail.cfm?id=3722542
 [11] https://en.wikipedia.org/wiki/XZ_Utils_backdoor

                                    §


4th CHAINS Software Supply Chain Workshop
-----------------------------------------

Convened as part of the CHAINS [13] research project at the KTH Royal
Institute of Technology [14] in Stockholm, Sweden, the 4th CHAINS
Software Supply Chain Workshop [15] occurred during April. During the
workshop, there were a number of relevant workshops, including:

* Signature, Attestations and Reproducible Builds [16]
* Does Functional Package Management Enable Reproducible Builds at
  Scale? [17]
* Causes and Mitigations of Unreproducible Builds in Java [18]
* Fixing Breaking Dependency Updates Using LLMs [19]
* The caveats of vulnerability analysis [20]
* maven-lockfile [21] (Lockfiles for Java and Maven)
* observer [22] (Generating SBOMs for C/C++)
* dirty-waters [23] (Transparency checks for software supply chains)
* A supply chain competition [24]. Martin Schwaighofer, the winner,
  created a recap video [25] (20m43s).
* Finally, 8 posters [26] on dependency introspection, diverse double
  compilation, dependency management, VEX and SBOM.

The full listing of the agenda [27] is available on the
workshop's website.

 [13] https://chains.proj.kth.se/
 [14] https://www.kth.se/en
 [15] https://chains.proj.kth.se/software-supply-chain-workshop-4.html
 [16] https://chains.proj.kth.se/workshop_4_assets/slides/Signature_Attestations_Reproducible%20Builds.pdf
 [17] https://hal.science/hal-04913007
 [18] https://algomaster99.github.io/talks/4th-chains-workshop/slides.pdf
 [19] https://kth.diva-portal.org/smash/get/diva2:1905601/FULLTEXT01.pdf
 [20] https://chains.proj.kth.se/workshop_4_assets/slides/20250425_Henrik_PLATE_Keynote_CHAINS_Workshop.pdf
 [21] https://github.com/chains-project/maven-lockfile/
 [22] https://github.com/sbom-observer/observer-cli
 [23] https://github.com/chains-project/dirty-waters
 [24] https://chains.proj.kth.se/chains-repo-checklist.html
 [25] https://youtu.be/lqH2lVe8Isc
 [26] https://chains.proj.kth.se/software-supply-chain-workshop-4.html#poster-session
 [27] https://chains.proj.kth.se/software-supply-chain-workshop-4.html

                                    §


Mailing list updates
--------------------

On our mailing list [28] this month:

* Luca DiMaio of Chainguard [29] posted to the list reporting that they
  had successfully implemented reproducible filesystem images with both
  ext4 [30] *and* an EFI system partition [31]. They go on to list the
  various methods, and the thread generated at least fifteen replies.

     [28] https://lists.reproducible-builds.org/listinfo/rb-general/
     [29] https://www.chainguard.dev/
     [30] https://en.wikipedia.org/wiki/Ext4

* David Wheeler announced that the OpenSSF [32] is building a
  "glossary" of sorts in order that they "consistently use the same
  meaning for the same term" and, moreover, that they have drafted a
  definition for 'reproducible build' [33]. The thread generated a
  significant number of replies on the definition, leading to a
  potential update to the Reproducible Build's own definition.

     [31] https://en.wikipedia.org/wiki/EFI_system_partition
     [32] https://openssf.org/
     [33] https://glossary.openssf.org/reproducible-build/

* Lastly, kpcyrd posted to the list with a timely reminder and update
  [34] on their repro-env [35]" tool. As first reported in our July
  2023 report [36], kpcyrd mentions that:

    > My initial interest in reproducible builds was "how do I
    distribute pre-compiled binaries on GitHub [37] without people
    raising security concerns about them". I've cycled back to this
    original problem about 5 years later and built a tool that is meant
    to address this. [38]

     [34] https://lists.reproducible-builds.org/pipermail/rb-general/2025-April/003735.html
     [35] https://github.com/kpcyrd/repro-env
     [36] https://reproducible-builds.org/reports/2023-07/
     [37] https://github.com
     [38] https://lists.reproducible-builds.org/pipermail/rb-general/2023-July/003026.html

                                    §


"Canonicalization for Unreproducible Builds in Java"
----------------------------------------------------

Aman Sharma, Benoit Baudry and Martin Monperrus have published a new
scholarly study related to reproducible builds within Java. Titled
"Canonicalization for Unreproducible Builds in Java" [40], the article's
abstract is as follows:

> […] Achieving reproducibility at scale remains difficult, especially
> in Java, due to a range of non-deterministic factors and caveats in
> the build process. In this work, we focus on reproducibility in
> Java-based software, archetypal of enterprise applications. We
> introduce a conceptual framework for reproducible builds, we analyze
> a large dataset from Reproducible Central [41] and we develop a
> novel taxonomy of six root causes of unreproducibility. We study
> actionable mitigations: artifact and bytecode canonicalization using
> OSS-Rebuild and jNorm respectively. Finally, we present
> Chains-Rebuild, a tool that raises reproducibility success from
> 9.48% to 26.89% on 12,283 unreproducible artifacts. To sum up, our
> contributions are the first large-scale taxonomy of build
> unreproducibility causes in Java, a publicly available dataset of
> unreproducible builds, and Chains-Rebuild, a canonicalization tool
> for mitigating unreproducible builds in Java.

A full PDF of their article [42] is available from arXiv [43].

 [40] https://arxiv.org/abs/2504.21679
 [41] https://github.com/jvm-repo-rebuild/reproducible-central#readme
 [42] https://arxiv.org/pdf/2504.21679
 [43] https://arxiv.org/

                                    §


OSS Rebuild adds new TUI features
---------------------------------

OSS Rebuild [44] aims to automate rebuilding upstream language
packages (e.g. from PyPI [45], crates.io [46] and npm registries) and
publish signed attestations and build definitions for public use.

OSS Rebuild ships a text-based user interface (TUI) for viewing,
launching, and debugging rebuilds. While previously requiring ownership
of a full instance of OSS Rebuild's hosted infrastructure, the TUI now
supports [47] a fully local mode of build execution and artifact
storage. Thanks to Giacomo Benedetti for his usage feedback and work to
extend the local-only development toolkit.

Another feature added to the TUI was an experimental chatbot integration
[48] that provides interactive feedback on rebuild failure root causes
and suggests fixes.

 [44] https://github.com/google/oss-rebuild
 [45] https://pypi.org/
 [46] https://crates.io/
 [47] https://github.com/google/oss-rebuild/pull/487
 [48] https://github.com/google/oss-rebuild/pull/484

                                    §


Distribution roundup
--------------------

In Debian this month:

* Roland Clobus posted another status report on reproducible ISO images
  [49] on our mailing list [50] this month, with the summary that "all
  live images build reproducibly from the online Debian archive".

* Debian [51] developer Simon Josefsson published another two
  reproducibility-related blog posts this month, the first on the topic
  of "Verified Reproducible Tarballs" [52]. Simon sardonically
  challenges the reader as follows: "Do you want a supply-chain
  challenge for the Easter weekend? Pick some well-known software and
  try to re-create the official release tarballs from the corresponding
  Git checkout. "Is anyone able to reproduce anything these days?"
  After that, they also published a blog post on "Building Debian in a
  GitLab Pipeline" [53] using their multi-stage rebuild [54] approach.

* Roland also posted to our mailing list to highlight that "there is
  now another tool in Debian that generates reproducible output [55],
  equivs". This is a tool to create trivial Debian packages that might
  Depend on other packages. As Roland writes, "building the [equivs]
  package has been reproducible for a while, [but] now the output of
  the [tool] has become reproducible as well".

* Lastly, 9 reviews of Debian packages were added, 10 were updated and
  10 were removed this month adding to our extensive knowledge about
  identified issues [56].

 [49] https://lists.reproducible-builds.org/pipermail/rb-general/2025-April/003700.html
 [50] https://lists.reproducible-builds.org/listinfo/rb-general/
 [51] https://debian.org
 [52] https://blog.josefsson.org/2025/04/17/verified-reproducible-tarballs/
 [53] https://blog.josefsson.org/2025/04/30/building-debian-in-a-gitlab-pipeline/
 [54] https://blog.josefsson.org/2025/03/31/on-binary-distribution-rebuilds/
 [55] https://lists.reproducible-builds.org/pipermail/rb-general/2025-April/003723.html
 [56] https://tests.reproducible-builds.org/debian/index_issues.html

The IzzyOnDroid [57] Android APK repository made more progress in April.
Thanks to funding by NLnet [58] and Mobifree [59], the project was also
to put more time into their tooling. For instance, developers can now
easily run their own verification builder [60] in "less than 5 minutes".
This currently supports Debian [61]-based systems, but support for RPM-
based systems is incoming.

* The rbuilder_setup [62] tool can now setup the entire framework
  within less than five minutes. The process is configurable, too, so
  everything from "just the basics to verify builds" up to a fully-
  fledged RB environment is also possible.

* This tool works on Debian [63], RedHat [64] and Arch Linux [65], as
  well as their derivates. The project has received successful reports
  from Debian, Ubuntu [66], Fedora [67] and some Arch Linux derivates
  so far.

* Documentation on how to work with reproducible builds (making apps
  reproducible, debugging unreproducible packages, etc) is available in
  the project's wiki page [68].

* Future work [69] is also in the pipeline, including documentation,
  guidelines and helpers for debugging.

 [57] https://apt.izzysoft.de/fdroid/
 [58] https://nlnet.nl/
 [59] https://mobifree.org/
 [60] https://codeberg.org/IzzyOnDroid/rbuilder_setup
 [61] https://www.debian.org/
 [62] https://codeberg.org/IzzyOnDroid/rbuilder_setup
 [63] https://www.debian.org/
 [64] https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux
 [65] https://archlinux.org/
 [66] https://ubuntu.com/
 [67] https://fedoraproject.org/
 [68] https://gitlab.com/IzzyOnDroid/repo/-/wikis/Reproducible-Builds
 [69] https://codeberg.org/IzzyOnDroid/-/projects/13002

NixOS [70] defined an Outreachy [71] project for improving build
reproducibility. In the application phase, NixOS saw some strong
candidates providing contributions, both on the NixOS side and upstream:
guider-le-ecit [72] analyzed a libpinyin issue [73]. Tessy James [74]
fixed an issue in arandr [75] and helped analyze one in libvlc [76] that
led to a proposed upstream fix [77]. Finally, 3pleX [78] fixed an issue
which was accepted in upstream kitty [79], one in upstream maturin [80],
one in upstream python-sip [81] and one in the Nix packaging of python-
libbytesize [82]. Sadly, the funding for this internship fell through,
so NixOS were forced to abandon their search.

 [70] https://reproducible.nixos.org
 [71] https://www.outreachy.org/
 [72] https://github.com/Guider-le-recit
 [73] https://github.com/Guider-le-recit
 [74] https://github.com/TessyJames28
 [75] https://github.com/NixOS/nixpkgs/pull/395245
 [76] https://github.com/NixOS/nixpkgs/issues/393651
 [77] https://code.videolan.org/videolan/vlc/-/merge_requests/7149
 [78] https://github.com/3pleX-dev
 [79] https://github.com/kovidgoyal/kitty/pull/8509
 [80] https://github.com/PyO3/maturin/pull/2550
 [81] https://github.com/Python-SIP/sip/pull/70
 [82] https://github.com/NixOS/nixpkgs/pull/395486

Lastly, in openSUSE [83] news, Bernhard M. Wiedemann posted another
monthly update [84] for their work there.

 [83] https://www.opensuse.org/
 [84] https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/ZVTOA6G3GTAVELEI6D5M67GVFDUUESBE/

                                    §


diffoscope & strip-nondeterminism
---------------------------------

diffoscope [86] is our in-depth and content-aware diff utility that can
locate and diagnose reproducibility issues. This month, Chris Lamb made
the following changes, including preparing and uploading a number of
versions to Debian:

* Use the --walk argument over the potentially dangerous alternative
  --scan when calling out to zipdetails(1). [87]
* Correct a longstanding issue where many >-based version tests used in
  conditional fixtures were broken. This was used to ensure that
  specific tests were only run when the version on the system was newer
  than a particular number. Thanks to Colin Watson for the report
  (Debian bug #1102658 [88]) [89]
* Address a long-hidden issue in the test_versions testsuite as well,
  where we weren't actually testing the greater-than comparisons
  mentioned above, as it was masked by the tests for equality. [90]
* Update copyright years. [91]

In strip-nondeterminism, however, Holger Levsen updated the Continuous
Integration (CI) configuration in order to use the standard Debian
pipelines via debian/salsa-ci.yml instead of using .gitlab-ci.yml. [92]

 [86] https://diffoscope.org
 [87] https://salsa.debian.org/reproducible-builds/diffoscope/commit/661adfc0
 [88] https://bugs.debian.org/1102658
 [89] https://salsa.debian.org/reproducible-builds/diffoscope/commit/8234ff0a
 [90] https://salsa.debian.org/reproducible-builds/diffoscope/commit/d930e990
 [91] https://salsa.debian.org/reproducible-builds/diffoscope/commit/6b02bfc2
 [92] https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/39dc600

                                    §


Website updates
---------------

Once again, there were a number of improvements made to our website this
month including:

* Aman Sharma added OSS-Rebuild's stabilize [93] tool to the "Tools"
  [94] page. [95][96]

   [93] https://github.com/google/oss-rebuild/tree/main/cmd/stabilize
   [94] https://reproducible-builds.org/tools/
   [95] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/169fb7ea
   [96] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5cac89c6

* Chris Lamb added a configure.ac (GNU Autotools [97]) example for
  using SOURCE_DATE_EPOCH [98]. [99]. Chris also updated the
  SOURCE_DATE_EPOCH snippet and move the archive metadata to a more
  suitable location. [100]

   [97] https://en.wikipedia.org/wiki/GNU_Autotools
   [98] https://reproducible-builds.org/docs/source-date-epoch/
   [99] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/54b010d0
   [100] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/cbbe269d

* Denis Carikli added GNU Boot [101] to our ever-evolving "Projects"
  [102] page.

   [101] https://www.gnu.org/software/gnuboot
   [102] https://reproducible-builds.org/who/projects/

                                    §


Reproducibility testing framework
---------------------------------

The Reproducible Builds project operates a comprehensive testing
framework running primarily at tests.reproducible-builds.org [103] in
order to check packages and other artifacts for reproducibility. In
April, a number of changes were made by Holger Levsen, including:

* reproduce.debian.net [104]-related:

    * Add armel.reproduce.debian.net to support the armel
      architecture. [105][106]
    * Add a new ARM node, codethink05. [107][108]
    * Add ppc64el.reproduce.debian.net to support testing of the
      ppc64el architecture. [109][110][111]
    * Improve the reproduce.debian.net [112] front page. [113][114]
    * Make various changes to the ppc64el nodes. [115][116]9[117][118]
    * Make various changes to the arm64 and armhf
      nodes. [119][120][121][122]
    * Various changes related to the rebuilderd-worker entry
      point. [123][124][125]
    * Create and deploy a pkgsync
      script. [126][127][128][129][130][131][132][133]
    * Fix the monitoring of the riscv64 architecture. [134][135]
    * Make a number of changes related to starting the rebuilderd
      service. [136][137][138][139]

     [103] https://tests.reproducible-builds.org
     [104] https://reproduce.debian.net
     [105] https://salsa.debian.org/qa/jenkins.debian.net/commit/260230bd6
     [106] https://salsa.debian.org/qa/jenkins.debian.net/commit/afb3b49c8
     [107] https://salsa.debian.org/qa/jenkins.debian.net/commit/b116931d1
     [108] https://salsa.debian.org/qa/jenkins.debian.net/commit/69f26a058
     [109] https://salsa.debian.org/qa/jenkins.debian.net/commit/699789a54
     [110] https://salsa.debian.org/qa/jenkins.debian.net/commit/35272a222
     [111] https://salsa.debian.org/qa/jenkins.debian.net/commit/fdbd776ee
     [112] https://reproduce.debian.net
     [113] https://salsa.debian.org/qa/jenkins.debian.net/commit/5c4914043
     [114] https://salsa.debian.org/qa/jenkins.debian.net/commit/8abcbb3b6
     [115] https://salsa.debian.org/qa/jenkins.debian.net/commit/7aedbc53d
     [116] https://salsa.debian.org/qa/jenkins.debian.net/commit/80b47a7b4
     [117] https://salsa.debian.org/qa/jenkins.debian.net/commit/a10e9cdde
     [118] https://salsa.debian.org/qa/jenkins.debian.net/commit/7737f2d89
     [119] https://salsa.debian.org/qa/jenkins.debian.net/commit/7aedbc53d
     [120] https://salsa.debian.org/qa/jenkins.debian.net/commit/80b47a7b4
     [121] https://salsa.debian.org/qa/jenkins.debian.net/commit/f9759f473
     [122] https://salsa.debian.org/qa/jenkins.debian.net/commit/38e09e06d
     [123] https://salsa.debian.org/qa/jenkins.debian.net/commit/85e3e2e0d
     [124] https://salsa.debian.org/qa/jenkins.debian.net/commit/f44727fe4
     [125] https://salsa.debian.org/qa/jenkins.debian.net/commit/6e79a00d5
     [126] https://salsa.debian.org/qa/jenkins.debian.net/commit/671330b34
     [127] https://salsa.debian.org/qa/jenkins.debian.net/commit/0ff58a7b8
     [128] https://salsa.debian.org/qa/jenkins.debian.net/commit/adfa7fb10
     [129] https://salsa.debian.org/qa/jenkins.debian.net/commit/0634985a4
     [130] https://salsa.debian.org/qa/jenkins.debian.net/commit/b2f6de0d1
     [131] https://salsa.debian.org/qa/jenkins.debian.net/commit/709558c99
     [132] https://salsa.debian.org/qa/jenkins.debian.net/commit/b7358b4ea
     [133] https://salsa.debian.org/qa/jenkins.debian.net/commit/2a8ea5870
     [134] https://salsa.debian.org/qa/jenkins.debian.net/commit/e4f6a809a
     [135] https://salsa.debian.org/qa/jenkins.debian.net/commit/86398501d
     [136] https://salsa.debian.org/qa/jenkins.debian.net/commit/08fe3923e
     [137] https://salsa.debian.org/qa/jenkins.debian.net/commit/58f309a8e
     [138] https://salsa.debian.org/qa/jenkins.debian.net/commit/6b46eb7c5
     [139] https://salsa.debian.org/qa/jenkins.debian.net/commit/2a12b8b10

* Backup-related:

    * Backup the rebuilder databases every week. [140][141][142][143]
    * Improve the node health checks. [144][145]

     [140] https://salsa.debian.org/qa/jenkins.debian.net/commit/4d5dcc87c
     [141] https://salsa.debian.org/qa/jenkins.debian.net/commit/a1d9881a6
     [142] https://salsa.debian.org/qa/jenkins.debian.net/commit/ce0ff1002
     [143] https://salsa.debian.org/qa/jenkins.debian.net/commit/b6ec69da3
     [144] https://salsa.debian.org/qa/jenkins.debian.net/commit/1fc1b5c32
     [145] https://salsa.debian.org/qa/jenkins.debian.net/commit/384e11cc9

* Misc:

    * Re-use existing connections to the SSH proxy node on the riscv64
      nodes. [146][147]
    * Node maintenance. [148][149][150]

     [146] https://salsa.debian.org/qa/jenkins.debian.net/commit/d8a75cf20
     [147] https://salsa.debian.org/qa/jenkins.debian.net/commit/ecf2c3789
     [148] https://salsa.debian.org/qa/jenkins.debian.net/commit/0ea8da7dc
     [149] https://salsa.debian.org/qa/jenkins.debian.net/commit/207b3c27a
     [150] https://salsa.debian.org/qa/jenkins.debian.net/commit/06890e806

In addition:

* Jochen Sprickerhof fixed the risvc64 host names [151] and requested
  access to all the rebuilderd nodes [152].

* Mattia Rizzolo updated the self-serve rebuild scheduling tool,
  replacing the deprecated "SSO"-style authentication with OpenIDC
  [153] which authenticates against salsa.debian.org. [154][155][156]

* Roland Clobus updated the configuration for the osuosl3 node to
  designate 4 workers for bigger builds. [157]

 [151] https://salsa.debian.org/qa/jenkins.debian.net/commit/9bb310631
 [152] https://salsa.debian.org/qa/jenkins.debian.net/commit/debca1332
 [153] https://www.google.com/search?q=OpenIDc
 [154] https://salsa.debian.org/qa/jenkins.debian.net/commit/10a15454a
 [155] https://salsa.debian.org/qa/jenkins.debian.net/commit/c28314d47
 [156] https://salsa.debian.org/qa/jenkins.debian.net/commit/20c9da5f6
 [157] https://salsa.debian.org/qa/jenkins.debian.net/commit/a23c1d216

                                    §


Upstream patches
----------------

The Reproducible Builds project detects, dissects and attempts to fix as
many currently-unreproducible packages as possible. We endeavour to send
all of our patches upstream where appropriate. This month, we wrote a
large number of such patches, including:

* Bernhard M. Wiedemann

    * lout [158]
    * mpiP [159]
    * libabigail [160]
    * cython [161]
    * mpiP [162]
    * godot [163]
    * gnome-text-editor [164]
    * clisp [165]
    * rpm [166]
    * Fiona [167]
    * qtdoc [168]

     [158] https://build.opensuse.org/request/show/1273540
     [159] https://build.opensuse.org/request/show/1273613
     [160] https://src.opensuse.org/jengelh/libabigail/pulls/2
     [161] https://github.com/cython/cython/issues/5986
     [162] https://github.com/LLNL/mpiP/pull/57
     [163] https://github.com/godotengine/godot/issues/105181
     [164] https://bugzilla.opensuse.org/show_bug.cgi?id=1241147
     [165] https://gitlab.com/gnu-clisp/clisp/-/issues/59
     [166] https://github.com/rpm-software-management/rpm/pull/3728
     [167] https://github.com/Toblerity/Fiona/pull/1492
     [168] https://bugreports.qt.io/browse/QTBUG-136483

* Chris Hofstaedtler:

    * #1104512 [169] filed against command-not-found [170].
    * #1104517 [171] filed against command-not-found [172].
    * #1104535 [173] filed against cc65 [174].

     [169] https://bugs.debian.org/1104512
     [170] https://tracker.debian.org/pkg/command-not-found
     [171] https://bugs.debian.org/1104517
     [172] https://tracker.debian.org/pkg/command-not-found
     [173] https://bugs.debian.org/1104535
     [174] https://tracker.debian.org/pkg/cc65

* Chris Lamb:

    * #1102659 [175] filed against vcsh [176].
    * #1103797 [177] filed against schism [178].
    * #1103798 [179] filed against magic-wormhole-mailbox-server [180].
    * #1103800 [181] filed against openvpn3-client [182].

     [175] https://bugs.debian.org/1102659
     [176] https://tracker.debian.org/pkg/vcsh
     [177] https://bugs.debian.org/1103797
     [178] https://tracker.debian.org/pkg/schism
     [179] https://bugs.debian.org/1103798
     [180] https://tracker.debian.org/pkg/magic-wormhole-mailbox-server
     [181] https://bugs.debian.org/1103800
     [182] https://tracker.debian.org/pkg/openvpn3-client

* James Addison:

    * #1102760 [183] filed against apg [184].

     [183] https://bugs.debian.org/1102760
     [184] https://tracker.debian.org/pkg/apg

* Jochen Sprickerhof:

    * #1103288 [185] filed against courier [186].
    * #1103563 [187] filed against cross-toolchain-base [188].

     [185] https://bugs.debian.org/1103288
     [186] https://tracker.debian.org/pkg/courier
     [187] https://bugs.debian.org/1103563
     [188] https://tracker.debian.org/pkg/cross-toolchain-base


                                    §


Finally, if you are interested in contributing to the Reproducible
Builds project, please visit our "Contribute" [189] page on our website.
However, you can get in touch with us via:

 * IRC: #reproducible-builds on irc.oftc.net.

 * Mastodon: @reproducible_builds at fosstodon.org [190]

 * Mailing list: rb-general at lists.reproducible-builds.org [191]

 [189] https://reproducible-builds.org/contribute/
 [190] https://fosstodon.org/@reproducible_builds
 [191] https://lists.reproducible-builds.org/listinfo/rb-general


-- 
      o
    ⬋   ⬊
   o     o     reproducible-builds.org 💠
    ⬊   ⬋
      o


More information about the rb-general mailing list