Reproducible Builds in April 2025🔹
Chris Lamb
chris at reproducible-builds.org
Mon May 12 19:15:12 UTC 2025
--------------------------------------------------------------------
o
⬋ ⬊ April 2025 in Reproducible Builds
o o
⬊ ⬋ https://reproducible-builds.org/reports/2025-04/
o
--------------------------------------------------------------------
Welcome to our fourth report from the Reproducible Builds [0] project in
2025! These monthly reports outline what we've been up to over the past
month, and highlight items of news from elsewhere in the increasingly-
important area of software supply-chain security.
If you are interested in contributing to the Reproducible Builds
project, please visit the Contribute [1] page on our website.
[1] https://reproducible-builds.org/contribute/
Table of contents:
* reproduce.debian.net
* "Fifty Years of Open Source Software Supply Chain Security"
* 4th CHAINS Software Supply Chain Workshop
* Mailing list updates
* "Canonicalization for Unreproducible Builds in Java"
* "OSS Rebuild" adds new TUI features
* Distribution roundup
* "diffoscope" & "strip-nondeterminism"
* Website updates
* Reproducibility testing framework
* Upstream patches
§
reproduce.debian.net
--------------------
The last few months have seen the introduction, development and
deployment of reproduce.debian.net [3]. In technical terms, this is an
instance of rebuilderd [4], our server designed monitor the official
package repositories of Linux distributions and attempt to reproduce
the observed results there.
This month, however, we are pleased to announce that
reproduce.debian.net [5] now tests all the Debian trixie architectures
except s390x and mips64el.
The ppc64el architecture was added through the generous support of
Oregon State University Open Source Laboratory [6] (OSUOSL), and we
can support the armel architecture thanks to CodeThink [7].
[3] https://reproduce.debian.net
[4] https://github.com/kpcyrd/rebuilderd
[5] https://reproduce.debian.net
[6] https://osuosl.org/
[7] https://www.codethink.co.uk/
§
"Fifty Years of Open Source Software Supply Chain Security"
-----------------------------------------------------------
Russ Cox has published a must-read article in ACM Queue [9] on "Fifty
Years of Open Source Software Supply Chain Security" [10]. Subtitled,
"For decades, software reuse was only a lofty goal. Now it's very
real.", Russ' article goes on to outline the history and original goals
of software supply-chain security in the US military in the early 1970s,
all the way to the XZ Utils backdoor [11] of 2024. Through that lens,
Russ explores the problem and how it has changed, and hasn't changed,
over time.
He concludes as follows:
> We are all struggling with a massive shift that has happened in the
> past 10 or 20 years in the software industry. For decades, software
> reuse was only a lofty goal. Now it's very real. Modern programming
> environments such as Go, Node and Rust have made it trivial to reuse
> work by others, but our instincts about responsible behaviors have
> not yet adapted to this new reality.
>
> We all have more work to do.
[9] https://queue.acm.org/
[10] https://queue.acm.org/detail.cfm?id=3722542
[11] https://en.wikipedia.org/wiki/XZ_Utils_backdoor
§
4th CHAINS Software Supply Chain Workshop
-----------------------------------------
Convened as part of the CHAINS [13] research project at the KTH Royal
Institute of Technology [14] in Stockholm, Sweden, the 4th CHAINS
Software Supply Chain Workshop [15] occurred during April. During the
workshop, there were a number of relevant workshops, including:
* Signature, Attestations and Reproducible Builds [16]
* Does Functional Package Management Enable Reproducible Builds at
Scale? [17]
* Causes and Mitigations of Unreproducible Builds in Java [18]
* Fixing Breaking Dependency Updates Using LLMs [19]
* The caveats of vulnerability analysis [20]
* maven-lockfile [21] (Lockfiles for Java and Maven)
* observer [22] (Generating SBOMs for C/C++)
* dirty-waters [23] (Transparency checks for software supply chains)
* A supply chain competition [24]. Martin Schwaighofer, the winner,
created a recap video [25] (20m43s).
* Finally, 8 posters [26] on dependency introspection, diverse double
compilation, dependency management, VEX and SBOM.
The full listing of the agenda [27] is available on the
workshop's website.
[13] https://chains.proj.kth.se/
[14] https://www.kth.se/en
[15] https://chains.proj.kth.se/software-supply-chain-workshop-4.html
[16] https://chains.proj.kth.se/workshop_4_assets/slides/Signature_Attestations_Reproducible%20Builds.pdf
[17] https://hal.science/hal-04913007
[18] https://algomaster99.github.io/talks/4th-chains-workshop/slides.pdf
[19] https://kth.diva-portal.org/smash/get/diva2:1905601/FULLTEXT01.pdf
[20] https://chains.proj.kth.se/workshop_4_assets/slides/20250425_Henrik_PLATE_Keynote_CHAINS_Workshop.pdf
[21] https://github.com/chains-project/maven-lockfile/
[22] https://github.com/sbom-observer/observer-cli
[23] https://github.com/chains-project/dirty-waters
[24] https://chains.proj.kth.se/chains-repo-checklist.html
[25] https://youtu.be/lqH2lVe8Isc
[26] https://chains.proj.kth.se/software-supply-chain-workshop-4.html#poster-session
[27] https://chains.proj.kth.se/software-supply-chain-workshop-4.html
§
Mailing list updates
--------------------
On our mailing list [28] this month:
* Luca DiMaio of Chainguard [29] posted to the list reporting that they
had successfully implemented reproducible filesystem images with both
ext4 [30] *and* an EFI system partition [31]. They go on to list the
various methods, and the thread generated at least fifteen replies.
[28] https://lists.reproducible-builds.org/listinfo/rb-general/
[29] https://www.chainguard.dev/
[30] https://en.wikipedia.org/wiki/Ext4
* David Wheeler announced that the OpenSSF [32] is building a
"glossary" of sorts in order that they "consistently use the same
meaning for the same term" and, moreover, that they have drafted a
definition for 'reproducible build' [33]. The thread generated a
significant number of replies on the definition, leading to a
potential update to the Reproducible Build's own definition.
[31] https://en.wikipedia.org/wiki/EFI_system_partition
[32] https://openssf.org/
[33] https://glossary.openssf.org/reproducible-build/
* Lastly, kpcyrd posted to the list with a timely reminder and update
[34] on their repro-env [35]" tool. As first reported in our July
2023 report [36], kpcyrd mentions that:
> My initial interest in reproducible builds was "how do I
distribute pre-compiled binaries on GitHub [37] without people
raising security concerns about them". I've cycled back to this
original problem about 5 years later and built a tool that is meant
to address this. [38]
[34] https://lists.reproducible-builds.org/pipermail/rb-general/2025-April/003735.html
[35] https://github.com/kpcyrd/repro-env
[36] https://reproducible-builds.org/reports/2023-07/
[37] https://github.com
[38] https://lists.reproducible-builds.org/pipermail/rb-general/2023-July/003026.html
§
"Canonicalization for Unreproducible Builds in Java"
----------------------------------------------------
Aman Sharma, Benoit Baudry and Martin Monperrus have published a new
scholarly study related to reproducible builds within Java. Titled
"Canonicalization for Unreproducible Builds in Java" [40], the article's
abstract is as follows:
> […] Achieving reproducibility at scale remains difficult, especially
> in Java, due to a range of non-deterministic factors and caveats in
> the build process. In this work, we focus on reproducibility in
> Java-based software, archetypal of enterprise applications. We
> introduce a conceptual framework for reproducible builds, we analyze
> a large dataset from Reproducible Central [41] and we develop a
> novel taxonomy of six root causes of unreproducibility. We study
> actionable mitigations: artifact and bytecode canonicalization using
> OSS-Rebuild and jNorm respectively. Finally, we present
> Chains-Rebuild, a tool that raises reproducibility success from
> 9.48% to 26.89% on 12,283 unreproducible artifacts. To sum up, our
> contributions are the first large-scale taxonomy of build
> unreproducibility causes in Java, a publicly available dataset of
> unreproducible builds, and Chains-Rebuild, a canonicalization tool
> for mitigating unreproducible builds in Java.
A full PDF of their article [42] is available from arXiv [43].
[40] https://arxiv.org/abs/2504.21679
[41] https://github.com/jvm-repo-rebuild/reproducible-central#readme
[42] https://arxiv.org/pdf/2504.21679
[43] https://arxiv.org/
§
OSS Rebuild adds new TUI features
---------------------------------
OSS Rebuild [44] aims to automate rebuilding upstream language
packages (e.g. from PyPI [45], crates.io [46] and npm registries) and
publish signed attestations and build definitions for public use.
OSS Rebuild ships a text-based user interface (TUI) for viewing,
launching, and debugging rebuilds. While previously requiring ownership
of a full instance of OSS Rebuild's hosted infrastructure, the TUI now
supports [47] a fully local mode of build execution and artifact
storage. Thanks to Giacomo Benedetti for his usage feedback and work to
extend the local-only development toolkit.
Another feature added to the TUI was an experimental chatbot integration
[48] that provides interactive feedback on rebuild failure root causes
and suggests fixes.
[44] https://github.com/google/oss-rebuild
[45] https://pypi.org/
[46] https://crates.io/
[47] https://github.com/google/oss-rebuild/pull/487
[48] https://github.com/google/oss-rebuild/pull/484
§
Distribution roundup
--------------------
In Debian this month:
* Roland Clobus posted another status report on reproducible ISO images
[49] on our mailing list [50] this month, with the summary that "all
live images build reproducibly from the online Debian archive".
* Debian [51] developer Simon Josefsson published another two
reproducibility-related blog posts this month, the first on the topic
of "Verified Reproducible Tarballs" [52]. Simon sardonically
challenges the reader as follows: "Do you want a supply-chain
challenge for the Easter weekend? Pick some well-known software and
try to re-create the official release tarballs from the corresponding
Git checkout. "Is anyone able to reproduce anything these days?"
After that, they also published a blog post on "Building Debian in a
GitLab Pipeline" [53] using their multi-stage rebuild [54] approach.
* Roland also posted to our mailing list to highlight that "there is
now another tool in Debian that generates reproducible output [55],
equivs". This is a tool to create trivial Debian packages that might
Depend on other packages. As Roland writes, "building the [equivs]
package has been reproducible for a while, [but] now the output of
the [tool] has become reproducible as well".
* Lastly, 9 reviews of Debian packages were added, 10 were updated and
10 were removed this month adding to our extensive knowledge about
identified issues [56].
[49] https://lists.reproducible-builds.org/pipermail/rb-general/2025-April/003700.html
[50] https://lists.reproducible-builds.org/listinfo/rb-general/
[51] https://debian.org
[52] https://blog.josefsson.org/2025/04/17/verified-reproducible-tarballs/
[53] https://blog.josefsson.org/2025/04/30/building-debian-in-a-gitlab-pipeline/
[54] https://blog.josefsson.org/2025/03/31/on-binary-distribution-rebuilds/
[55] https://lists.reproducible-builds.org/pipermail/rb-general/2025-April/003723.html
[56] https://tests.reproducible-builds.org/debian/index_issues.html
The IzzyOnDroid [57] Android APK repository made more progress in April.
Thanks to funding by NLnet [58] and Mobifree [59], the project was also
to put more time into their tooling. For instance, developers can now
easily run their own verification builder [60] in "less than 5 minutes".
This currently supports Debian [61]-based systems, but support for RPM-
based systems is incoming.
* The rbuilder_setup [62] tool can now setup the entire framework
within less than five minutes. The process is configurable, too, so
everything from "just the basics to verify builds" up to a fully-
fledged RB environment is also possible.
* This tool works on Debian [63], RedHat [64] and Arch Linux [65], as
well as their derivates. The project has received successful reports
from Debian, Ubuntu [66], Fedora [67] and some Arch Linux derivates
so far.
* Documentation on how to work with reproducible builds (making apps
reproducible, debugging unreproducible packages, etc) is available in
the project's wiki page [68].
* Future work [69] is also in the pipeline, including documentation,
guidelines and helpers for debugging.
[57] https://apt.izzysoft.de/fdroid/
[58] https://nlnet.nl/
[59] https://mobifree.org/
[60] https://codeberg.org/IzzyOnDroid/rbuilder_setup
[61] https://www.debian.org/
[62] https://codeberg.org/IzzyOnDroid/rbuilder_setup
[63] https://www.debian.org/
[64] https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux
[65] https://archlinux.org/
[66] https://ubuntu.com/
[67] https://fedoraproject.org/
[68] https://gitlab.com/IzzyOnDroid/repo/-/wikis/Reproducible-Builds
[69] https://codeberg.org/IzzyOnDroid/-/projects/13002
NixOS [70] defined an Outreachy [71] project for improving build
reproducibility. In the application phase, NixOS saw some strong
candidates providing contributions, both on the NixOS side and upstream:
guider-le-ecit [72] analyzed a libpinyin issue [73]. Tessy James [74]
fixed an issue in arandr [75] and helped analyze one in libvlc [76] that
led to a proposed upstream fix [77]. Finally, 3pleX [78] fixed an issue
which was accepted in upstream kitty [79], one in upstream maturin [80],
one in upstream python-sip [81] and one in the Nix packaging of python-
libbytesize [82]. Sadly, the funding for this internship fell through,
so NixOS were forced to abandon their search.
[70] https://reproducible.nixos.org
[71] https://www.outreachy.org/
[72] https://github.com/Guider-le-recit
[73] https://github.com/Guider-le-recit
[74] https://github.com/TessyJames28
[75] https://github.com/NixOS/nixpkgs/pull/395245
[76] https://github.com/NixOS/nixpkgs/issues/393651
[77] https://code.videolan.org/videolan/vlc/-/merge_requests/7149
[78] https://github.com/3pleX-dev
[79] https://github.com/kovidgoyal/kitty/pull/8509
[80] https://github.com/PyO3/maturin/pull/2550
[81] https://github.com/Python-SIP/sip/pull/70
[82] https://github.com/NixOS/nixpkgs/pull/395486
Lastly, in openSUSE [83] news, Bernhard M. Wiedemann posted another
monthly update [84] for their work there.
[83] https://www.opensuse.org/
[84] https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/ZVTOA6G3GTAVELEI6D5M67GVFDUUESBE/
§
diffoscope & strip-nondeterminism
---------------------------------
diffoscope [86] is our in-depth and content-aware diff utility that can
locate and diagnose reproducibility issues. This month, Chris Lamb made
the following changes, including preparing and uploading a number of
versions to Debian:
* Use the --walk argument over the potentially dangerous alternative
--scan when calling out to zipdetails(1). [87]
* Correct a longstanding issue where many >-based version tests used in
conditional fixtures were broken. This was used to ensure that
specific tests were only run when the version on the system was newer
than a particular number. Thanks to Colin Watson for the report
(Debian bug #1102658 [88]) [89]
* Address a long-hidden issue in the test_versions testsuite as well,
where we weren't actually testing the greater-than comparisons
mentioned above, as it was masked by the tests for equality. [90]
* Update copyright years. [91]
In strip-nondeterminism, however, Holger Levsen updated the Continuous
Integration (CI) configuration in order to use the standard Debian
pipelines via debian/salsa-ci.yml instead of using .gitlab-ci.yml. [92]
[86] https://diffoscope.org
[87] https://salsa.debian.org/reproducible-builds/diffoscope/commit/661adfc0
[88] https://bugs.debian.org/1102658
[89] https://salsa.debian.org/reproducible-builds/diffoscope/commit/8234ff0a
[90] https://salsa.debian.org/reproducible-builds/diffoscope/commit/d930e990
[91] https://salsa.debian.org/reproducible-builds/diffoscope/commit/6b02bfc2
[92] https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/39dc600
§
Website updates
---------------
Once again, there were a number of improvements made to our website this
month including:
* Aman Sharma added OSS-Rebuild's stabilize [93] tool to the "Tools"
[94] page. [95][96]
[93] https://github.com/google/oss-rebuild/tree/main/cmd/stabilize
[94] https://reproducible-builds.org/tools/
[95] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/169fb7ea
[96] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5cac89c6
* Chris Lamb added a configure.ac (GNU Autotools [97]) example for
using SOURCE_DATE_EPOCH [98]. [99]. Chris also updated the
SOURCE_DATE_EPOCH snippet and move the archive metadata to a more
suitable location. [100]
[97] https://en.wikipedia.org/wiki/GNU_Autotools
[98] https://reproducible-builds.org/docs/source-date-epoch/
[99] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/54b010d0
[100] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/cbbe269d
* Denis Carikli added GNU Boot [101] to our ever-evolving "Projects"
[102] page.
[101] https://www.gnu.org/software/gnuboot
[102] https://reproducible-builds.org/who/projects/
§
Reproducibility testing framework
---------------------------------
The Reproducible Builds project operates a comprehensive testing
framework running primarily at tests.reproducible-builds.org [103] in
order to check packages and other artifacts for reproducibility. In
April, a number of changes were made by Holger Levsen, including:
* reproduce.debian.net [104]-related:
* Add armel.reproduce.debian.net to support the armel
architecture. [105][106]
* Add a new ARM node, codethink05. [107][108]
* Add ppc64el.reproduce.debian.net to support testing of the
ppc64el architecture. [109][110][111]
* Improve the reproduce.debian.net [112] front page. [113][114]
* Make various changes to the ppc64el nodes. [115][116]9[117][118]
* Make various changes to the arm64 and armhf
nodes. [119][120][121][122]
* Various changes related to the rebuilderd-worker entry
point. [123][124][125]
* Create and deploy a pkgsync
script. [126][127][128][129][130][131][132][133]
* Fix the monitoring of the riscv64 architecture. [134][135]
* Make a number of changes related to starting the rebuilderd
service. [136][137][138][139]
[103] https://tests.reproducible-builds.org
[104] https://reproduce.debian.net
[105] https://salsa.debian.org/qa/jenkins.debian.net/commit/260230bd6
[106] https://salsa.debian.org/qa/jenkins.debian.net/commit/afb3b49c8
[107] https://salsa.debian.org/qa/jenkins.debian.net/commit/b116931d1
[108] https://salsa.debian.org/qa/jenkins.debian.net/commit/69f26a058
[109] https://salsa.debian.org/qa/jenkins.debian.net/commit/699789a54
[110] https://salsa.debian.org/qa/jenkins.debian.net/commit/35272a222
[111] https://salsa.debian.org/qa/jenkins.debian.net/commit/fdbd776ee
[112] https://reproduce.debian.net
[113] https://salsa.debian.org/qa/jenkins.debian.net/commit/5c4914043
[114] https://salsa.debian.org/qa/jenkins.debian.net/commit/8abcbb3b6
[115] https://salsa.debian.org/qa/jenkins.debian.net/commit/7aedbc53d
[116] https://salsa.debian.org/qa/jenkins.debian.net/commit/80b47a7b4
[117] https://salsa.debian.org/qa/jenkins.debian.net/commit/a10e9cdde
[118] https://salsa.debian.org/qa/jenkins.debian.net/commit/7737f2d89
[119] https://salsa.debian.org/qa/jenkins.debian.net/commit/7aedbc53d
[120] https://salsa.debian.org/qa/jenkins.debian.net/commit/80b47a7b4
[121] https://salsa.debian.org/qa/jenkins.debian.net/commit/f9759f473
[122] https://salsa.debian.org/qa/jenkins.debian.net/commit/38e09e06d
[123] https://salsa.debian.org/qa/jenkins.debian.net/commit/85e3e2e0d
[124] https://salsa.debian.org/qa/jenkins.debian.net/commit/f44727fe4
[125] https://salsa.debian.org/qa/jenkins.debian.net/commit/6e79a00d5
[126] https://salsa.debian.org/qa/jenkins.debian.net/commit/671330b34
[127] https://salsa.debian.org/qa/jenkins.debian.net/commit/0ff58a7b8
[128] https://salsa.debian.org/qa/jenkins.debian.net/commit/adfa7fb10
[129] https://salsa.debian.org/qa/jenkins.debian.net/commit/0634985a4
[130] https://salsa.debian.org/qa/jenkins.debian.net/commit/b2f6de0d1
[131] https://salsa.debian.org/qa/jenkins.debian.net/commit/709558c99
[132] https://salsa.debian.org/qa/jenkins.debian.net/commit/b7358b4ea
[133] https://salsa.debian.org/qa/jenkins.debian.net/commit/2a8ea5870
[134] https://salsa.debian.org/qa/jenkins.debian.net/commit/e4f6a809a
[135] https://salsa.debian.org/qa/jenkins.debian.net/commit/86398501d
[136] https://salsa.debian.org/qa/jenkins.debian.net/commit/08fe3923e
[137] https://salsa.debian.org/qa/jenkins.debian.net/commit/58f309a8e
[138] https://salsa.debian.org/qa/jenkins.debian.net/commit/6b46eb7c5
[139] https://salsa.debian.org/qa/jenkins.debian.net/commit/2a12b8b10
* Backup-related:
* Backup the rebuilder databases every week. [140][141][142][143]
* Improve the node health checks. [144][145]
[140] https://salsa.debian.org/qa/jenkins.debian.net/commit/4d5dcc87c
[141] https://salsa.debian.org/qa/jenkins.debian.net/commit/a1d9881a6
[142] https://salsa.debian.org/qa/jenkins.debian.net/commit/ce0ff1002
[143] https://salsa.debian.org/qa/jenkins.debian.net/commit/b6ec69da3
[144] https://salsa.debian.org/qa/jenkins.debian.net/commit/1fc1b5c32
[145] https://salsa.debian.org/qa/jenkins.debian.net/commit/384e11cc9
* Misc:
* Re-use existing connections to the SSH proxy node on the riscv64
nodes. [146][147]
* Node maintenance. [148][149][150]
[146] https://salsa.debian.org/qa/jenkins.debian.net/commit/d8a75cf20
[147] https://salsa.debian.org/qa/jenkins.debian.net/commit/ecf2c3789
[148] https://salsa.debian.org/qa/jenkins.debian.net/commit/0ea8da7dc
[149] https://salsa.debian.org/qa/jenkins.debian.net/commit/207b3c27a
[150] https://salsa.debian.org/qa/jenkins.debian.net/commit/06890e806
In addition:
* Jochen Sprickerhof fixed the risvc64 host names [151] and requested
access to all the rebuilderd nodes [152].
* Mattia Rizzolo updated the self-serve rebuild scheduling tool,
replacing the deprecated "SSO"-style authentication with OpenIDC
[153] which authenticates against salsa.debian.org. [154][155][156]
* Roland Clobus updated the configuration for the osuosl3 node to
designate 4 workers for bigger builds. [157]
[151] https://salsa.debian.org/qa/jenkins.debian.net/commit/9bb310631
[152] https://salsa.debian.org/qa/jenkins.debian.net/commit/debca1332
[153] https://www.google.com/search?q=OpenIDc
[154] https://salsa.debian.org/qa/jenkins.debian.net/commit/10a15454a
[155] https://salsa.debian.org/qa/jenkins.debian.net/commit/c28314d47
[156] https://salsa.debian.org/qa/jenkins.debian.net/commit/20c9da5f6
[157] https://salsa.debian.org/qa/jenkins.debian.net/commit/a23c1d216
§
Upstream patches
----------------
The Reproducible Builds project detects, dissects and attempts to fix as
many currently-unreproducible packages as possible. We endeavour to send
all of our patches upstream where appropriate. This month, we wrote a
large number of such patches, including:
* Bernhard M. Wiedemann
* lout [158]
* mpiP [159]
* libabigail [160]
* cython [161]
* mpiP [162]
* godot [163]
* gnome-text-editor [164]
* clisp [165]
* rpm [166]
* Fiona [167]
* qtdoc [168]
[158] https://build.opensuse.org/request/show/1273540
[159] https://build.opensuse.org/request/show/1273613
[160] https://src.opensuse.org/jengelh/libabigail/pulls/2
[161] https://github.com/cython/cython/issues/5986
[162] https://github.com/LLNL/mpiP/pull/57
[163] https://github.com/godotengine/godot/issues/105181
[164] https://bugzilla.opensuse.org/show_bug.cgi?id=1241147
[165] https://gitlab.com/gnu-clisp/clisp/-/issues/59
[166] https://github.com/rpm-software-management/rpm/pull/3728
[167] https://github.com/Toblerity/Fiona/pull/1492
[168] https://bugreports.qt.io/browse/QTBUG-136483
* Chris Hofstaedtler:
* #1104512 [169] filed against command-not-found [170].
* #1104517 [171] filed against command-not-found [172].
* #1104535 [173] filed against cc65 [174].
[169] https://bugs.debian.org/1104512
[170] https://tracker.debian.org/pkg/command-not-found
[171] https://bugs.debian.org/1104517
[172] https://tracker.debian.org/pkg/command-not-found
[173] https://bugs.debian.org/1104535
[174] https://tracker.debian.org/pkg/cc65
* Chris Lamb:
* #1102659 [175] filed against vcsh [176].
* #1103797 [177] filed against schism [178].
* #1103798 [179] filed against magic-wormhole-mailbox-server [180].
* #1103800 [181] filed against openvpn3-client [182].
[175] https://bugs.debian.org/1102659
[176] https://tracker.debian.org/pkg/vcsh
[177] https://bugs.debian.org/1103797
[178] https://tracker.debian.org/pkg/schism
[179] https://bugs.debian.org/1103798
[180] https://tracker.debian.org/pkg/magic-wormhole-mailbox-server
[181] https://bugs.debian.org/1103800
[182] https://tracker.debian.org/pkg/openvpn3-client
* James Addison:
* #1102760 [183] filed against apg [184].
[183] https://bugs.debian.org/1102760
[184] https://tracker.debian.org/pkg/apg
* Jochen Sprickerhof:
* #1103288 [185] filed against courier [186].
* #1103563 [187] filed against cross-toolchain-base [188].
[185] https://bugs.debian.org/1103288
[186] https://tracker.debian.org/pkg/courier
[187] https://bugs.debian.org/1103563
[188] https://tracker.debian.org/pkg/cross-toolchain-base
§
Finally, if you are interested in contributing to the Reproducible
Builds project, please visit our "Contribute" [189] page on our website.
However, you can get in touch with us via:
* IRC: #reproducible-builds on irc.oftc.net.
* Mastodon: @reproducible_builds at fosstodon.org [190]
* Mailing list: rb-general at lists.reproducible-builds.org [191]
[189] https://reproducible-builds.org/contribute/
[190] https://fosstodon.org/@reproducible_builds
[191] https://lists.reproducible-builds.org/listinfo/rb-general
--
o
⬋ ⬊
o o reproducible-builds.org 💠
⬊ ⬋
o
More information about the rb-general
mailing list