Reproducible Builds in September 2025 💠
Chris Lamb
chris at reproducible-builds.org
Fri Oct 10 20:04:00 UTC 2025
--------------------------------------------------------------------
o
⬋ ⬊ September 2025 in Reproducible Builds
o o
⬊ ⬋ https://reproducible-builds.org/reports/2025-09/
o
--------------------------------------------------------------------
Welcome to the very latest report from the Reproducible Builds
project! Our monthly reports outline what we've been up to over the
past month, and highlight items of news from elsewhere in the
increasingly-important area of software supply-chain security. As
ever, if you are interested in contributing to the Reproducible
Builds project, please see the Contribute [0] page on our website.
In this report:
* Reproducible Builds Summit 2025
* Can’t we have nice things?
* Distribution work
* Tool development
* Reproducibility testing framework
* Upstream patches
[0] https://reproducible-builds.org/contribute/
§
Reproducible Builds Summit 2025
-------------------------------
Please join us at the upcoming Reproducible Builds Summit [4], set
to take place from October 28th — 30th 2025 in Vienna, Austria!
We are thrilled to host the eighth edition of this exciting event,
following the success of previous summits in various iconic
locations around the world, including Venice, Marrakesh, Paris,
Berlin, Hamburg and Athens. Our summits are a unique gathering that
brings together attendees from diverse projects, united by a shared
vision of advancing the Reproducible Builds effort.
During this enriching event, participants will have the opportunity
to engage in discussions, establish connections and exchange ideas
to drive progress in this vital field. Our aim is to create an
inclusive space that fosters collaboration, innovation and
problem-solving.
If you're interested in joining us this year, please make sure to
read the event page [5] which has more details about the event and
location. Registration is open until 20th September 2025, and we
are very much looking forward to seeing many readers of these
reports there!
[4] https://reproducible-builds.org/events/vienna2025/
[5] https://reproducible-builds.org/events/vienna2025/
§
"Can't we have nice things?"
----------------------------
Debian Developer Gunnar Wolf blogged about [7] George V.
Neville-Neil's "Kode Vicious" column in Communications of the ACM
[8], in which reproducible builds "is mentioned without needing to
introduce it (assuming familiarity across the computing industry
and academia)". Titled "Can't we have nice things?" [7], the
article mentions:
> Once the proper measurement points are known, we want to
> constrain the system such that what it does is simple enough to
> understand and easy to repeat. It is quite telling that the push
> for software that enables reproducible builds only really took
> off after an embarrassing widespread security issue ended up
> affecting the entire Internet. That there had already been 50
> years of software development before anyone thought that
> introducing a few constraints might be a good idea is, well,
> let’s just say it generates many emotions, none of them happy,
> fuzzy ones.
[7] https://cacm.acm.org/opinion/cant-we-have-nice-things/
[8] https://cacm.acm.org/
§
Distribution work
-----------------
In Debian this month, Johannes Starosta filed a bug [11] against
the debian-repro-status package, reporting that it does not work on
Debian trixie. (An upstream bug report was also filed [12].)
Furthermore, 17 reviews of Debian packages were added, 10 were
updated and 14 were removed this month, adding to our knowledge
about identified issues [13].
[11] https://bugs.debian.org/1116598
[12] https://github.com/kpcyrd/debian-repro-status/issues/19
[13] https://tests.reproducible-builds.org/debian/index_issues.html
In March's report [14], we included the news that Fedora would aim
for 99% package reproducibility [15]. This change has now been
deferred to Fedora 44 [16] according to Phoronix.
[14] https://reproducible-builds.org/reports/2025-03/
[15] https://fedoraproject.org/wiki/Changes/Package_builds_are_expected_to_be_reproducible
[16] https://www.phoronix.com/news/Fedora-44-Reproducible-Builds
Lastly, Bernhard M. Wiedemann posted another openSUSE [17] monthly
update [18] for their work there.
[17] https://www.opensuse.org/
[18] https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/E2NABNGFPWSIUBOMBCRN4C3BX2B5VABL/
§
Tool development
----------------
diffoscope version 306 was uploaded to Debian unstable [19] by
Chris Lamb. It included contributions already covered in previous
months [20] as well as some changes by Zbigniew Jędrzejewski-Szmek
to address issues with the fdtdump support [21] and to move away
from the deprecated codecs.open method. [22][23]
[19] https://tracker.debian.org/news/1664272/accepted-diffoscope-306-source-into-unstable/
[20] https://salsa.debian.org/reproducible-builds/diffoscope/commits/306
[21] https://salsa.debian.org/reproducible-builds/diffoscope/commit/8f265167
[22] https://salsa.debian.org/reproducible-builds/diffoscope/commit/112492ec
[23] https://salsa.debian.org/reproducible-builds/diffoscope/commit/b19d7e7a
strip-nondeterminism version 1.15.0-1 was uploaded to Debian
unstable [24] by Chris Lamb. It included a contribution by Matwey
Kornilov to add support for inline archive files for Erlang's
escript [25].
[24] https://tracker.debian.org/news/1664629/accepted-strip-nondeterminism-1150-1-source-into-unstable/
[25] https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/90ef48f
kpcyrd has released a new version of rebuilderd [26]. As a quick
recap, rebuilderd is an automatic build scheduler that tracks
binary packages available in a Linux distribution and attempts to
compile the official binary packages from their (purported) source
code and dependencies. The code for in-toto [27] attestations has
been reworked, and the instances now feature a new endpoint that
can be queried to fetch the list of public-keys an instance
currently identifies itself by. [28]
[26] https://vulns.xyz/2025/09/rebuilderd-v0.25.0/
[27] https://in-toto.io/
[28] https://lists.reproducible-builds.org/pipermail/rb-general/2025-September/003890.html
Lastly, Holger Levsen bumped the Standards-Version field [29] of
disorderfs, with no changes needed. [30][31]
[29] https://www.debian.org/doc/debian-policy/ch-controlfields.html#standards-version
[30] https://salsa.debian.org/reproducible-builds/disorderfs/commit/dd444b0
[31] https://salsa.debian.org/reproducible-builds/disorderfs/commit/f19f069
§
Reproducibility testing framework
---------------------------------
The Reproducible Builds project operates a comprehensive testing
framework running primarily at tests.reproducible-builds.org in
order to check packages and other artifacts for reproducibility. In
August, however, a number of changes were made by Holger Levsen,
including:
* Setting up six new rebuilderd workers with 16 cores and 16 GB
  RAM each.
* reproduce.debian.net-related:
  * Do not expose pending jobs; they are confusing without
    explanation. [34]
  * Add a link to v1 API specification. [35]
  * Drop rebuilderd-worker.conf on a node. [36]
  * Allow manual scheduling for any architectures. [37]
  * Update path to *trixie* graphs. [38]
  * Use the same rebuilder-debian.sh script for all hosts. [39]
  * Add all other suites to all other archs. [40][41][42][43]
  * Update SSH host keys for new hosts. [44]
  * Move to the pull184 branch. [45][46][47][48][49]
  * Only allow 20 GB cache for workers. [50]
[34] https://salsa.debian.org/qa/jenkins.debian.net/commit/8a5ec032e
[35] https://salsa.debian.org/qa/jenkins.debian.net/commit/e1764373e
[36] https://salsa.debian.org/qa/jenkins.debian.net/commit/a1efc6105
[37] https://salsa.debian.org/qa/jenkins.debian.net/commit/153edfe79
[38] https://salsa.debian.org/qa/jenkins.debian.net/commit/0215d502c
[39] https://salsa.debian.org/qa/jenkins.debian.net/commit/f096b60e4
[40] https://salsa.debian.org/qa/jenkins.debian.net/commit/514bd64be
[41] https://salsa.debian.org/qa/jenkins.debian.net/commit/5721f1e42
[42] https://salsa.debian.org/qa/jenkins.debian.net/commit/b927835fc
[43] https://salsa.debian.org/qa/jenkins.debian.net/commit/828ee052b
[44] https://salsa.debian.org/qa/jenkins.debian.net/commit/5378be3dc
[45] https://salsa.debian.org/qa/jenkins.debian.net/commit/663cafebc
[46] https://salsa.debian.org/qa/jenkins.debian.net/commit/9ce76d7b8
[47] https://salsa.debian.org/qa/jenkins.debian.net/commit/c10518803
[48] https://salsa.debian.org/qa/jenkins.debian.net/commit/e6b2a82e7
[49] https://salsa.debian.org/qa/jenkins.debian.net/commit/ef3ca1e51
[50] https://salsa.debian.org/qa/jenkins.debian.net/commit/755896abf
* OpenWrt [51]-related:
  * Grant developer *aparcar* full sudo control on the ionos30
    node. [52][53]
[51] https://openwrt.org/
[52] https://salsa.debian.org/qa/jenkins.debian.net/commit/f53cd7ed4
[53] https://salsa.debian.org/qa/jenkins.debian.net/commit/9eb545d47
* Jenkins nodes:
  * Add a number of new nodes. [54][55][56][57][58]
  * Don't expect /srv/workspace to exist on OSUOSL nodes. [59]
  * Stop hardcoding IP addresses in munin.conf. [60]
  * Add maintenance and health check jobs for new nodes. [61]
  * Document slight changes in IONOS resources usage. [62]
[54] https://salsa.debian.org/qa/jenkins.debian.net/commit/a8bfcd809
[55] https://salsa.debian.org/qa/jenkins.debian.net/commit/dd3a400a7
[56] https://salsa.debian.org/qa/jenkins.debian.net/commit/954163a95
[57] https://salsa.debian.org/qa/jenkins.debian.net/commit/62c506c0f
[58] https://salsa.debian.org/qa/jenkins.debian.net/commit/5953a9b93
[59] https://salsa.debian.org/qa/jenkins.debian.net/commit/5ee534a7d
[60] https://salsa.debian.org/qa/jenkins.debian.net/commit/311e8a8a1
[61] https://salsa.debian.org/qa/jenkins.debian.net/commit/4a762e80e
[62] https://salsa.debian.org/qa/jenkins.debian.net/commit/97baf1535
* Misc:
  * Drop disabled Alpine Linux [63] tests for good. [64]
  * Move Debian live builds and some other Debian builds to the
    ionos10 node. [65]
  * Clean up some legacy support from releases before Debian
    trixie. [66]
[63] https://www.alpinelinux.org/
[64] https://salsa.debian.org/qa/jenkins.debian.net/commit/9d612c169
[65] https://salsa.debian.org/qa/jenkins.debian.net/commit/0fb118f44
[66] https://salsa.debian.org/qa/jenkins.debian.net/commit/ac6e3d3bd
In addition, Jochen Sprickerhof made the following changes relating to
reproduce.debian.net [67]:
* Do not expose pending jobs on the main site. [68]
* Switch the frontpage to reference Debian *forky* [69], but do not
attempt to build Debian *forky* on the armel architecture [70].
* Use consistent and up to date rebuilder-debian.sh script. [71]
* Fix supported worker architectures. [72]
* Add a basic 'excuses' page. [73]
* Move to the pull184 branch. [74][75][76][77]
* Fix a typo in the JavaScript. [78]
* Update front page for the new v1 API. [79][80]
[67] https://reproduce.debian.net
[68] https://salsa.debian.org/qa/jenkins.debian.net/commit/7bfd59ff1
[69] https://salsa.debian.org/qa/jenkins.debian.net/commit/5b1020059
[70] https://salsa.debian.org/qa/jenkins.debian.net/commit/a81a9a613
[71] https://salsa.debian.org/qa/jenkins.debian.net/commit/8522748b5
[72] https://salsa.debian.org/qa/jenkins.debian.net/commit/0df1ff927
[73] https://salsa.debian.org/qa/jenkins.debian.net/commit/0bbb057c1
[74] https://salsa.debian.org/qa/jenkins.debian.net/commit/de05462ea
[75] https://salsa.debian.org/qa/jenkins.debian.net/commit/9ed7c0edd
[76] https://salsa.debian.org/qa/jenkins.debian.net/commit/02909e093
[77] https://salsa.debian.org/qa/jenkins.debian.net/commit/0cc136a6c
[78] https://salsa.debian.org/qa/jenkins.debian.net/commit/466cf6a34
[79] https://salsa.debian.org/qa/jenkins.debian.net/commit/8e6f06ae4
[80] https://salsa.debian.org/qa/jenkins.debian.net/commit/eee7fa31a
Lastly, Roland Clobus did some maintenance relating to the
reproducibility testing of the Debian Live [81] images. [82][83][84][85]
[81] https://www.debian.org/CD/live/
[82] https://salsa.debian.org/qa/jenkins.debian.net/commit/0e0244a85
[83] https://salsa.debian.org/qa/jenkins.debian.net/commit/48cee4d18
[84] https://salsa.debian.org/qa/jenkins.debian.net/commit/d9c0d5c7b
[85] https://salsa.debian.org/qa/jenkins.debian.net/commit/d55d9a703
§
Upstream patches
----------------
The Reproducible Builds project detects, dissects and attempts to
fix as many currently-unreproducible packages as possible. We
endeavour to send all of our patches upstream where appropriate.
This month, we wrote a large number of such patches, including:
* Aleksei Burlakov:
  * hawk2 [86]
[86] https://build.opensuse.org/request/show/1302599
* Bernhard M. Wiedemann:
  * ceph [87]
  * clamav [88]
  * cmake/libarchive [89]
  * kf6-kirigami [90]
  * obs-build/librcc+librcd [91]
[87] https://bugzilla.suse.com/show_bug.cgi?id=1249586
[88] https://bugzilla.opensuse.org/show_bug.cgi?id=1249404
[89] https://gitlab.kitware.com/cmake/cmake/-/issues/27263
[90] https://build.opensuse.org/request/show/1302953
[91] https://github.com/openSUSE/obs-build/issues/1099
* Chris Lamb:
  * #1113809 [92] filed against ms-gsl [93].
  * #1113813 [94] filed against llama.cpp [95].
  * #1114638 [96] filed against python-mcstasscript [97].
  * #1114772 [98] filed against rocm-docs-core [99].
  * #1114869 [100] filed against octave-optics [101].
  * #1114950 [102] filed against g2o [103].
  * #1114999 [104] filed against golang-forgejo-forgejo-levelqueue [105].
  * #1115999 [106] filed against openrgb [107].
[92] https://bugs.debian.org/1113809
[93] https://tracker.debian.org/pkg/ms-gsl
[94] https://bugs.debian.org/1113813
[95] https://tracker.debian.org/pkg/llama.cpp
[96] https://bugs.debian.org/1114638
[97] https://tracker.debian.org/pkg/python-mcstasscript
[98] https://bugs.debian.org/1114772
[99] https://tracker.debian.org/pkg/rocm-docs-core
[100] https://bugs.debian.org/1114869
[101] https://tracker.debian.org/pkg/octave-optics
[102] https://bugs.debian.org/1114950
[103] https://tracker.debian.org/pkg/g2o
[104] https://bugs.debian.org/1114999
[105] https://tracker.debian.org/pkg/golang-forgejo-forgejo-levelqueue
[106] https://bugs.debian.org/1115999
[107] https://tracker.debian.org/pkg/openrgb
* Roland Clobus:
  * #1114521 [108] filed against mdadm [109].
[108] https://bugs.debian.org/1114521
[109] https://tracker.debian.org/pkg/mdadm
§
Finally, if you are interested in contributing to the Reproducible
Builds project, please visit our Contribute [110] page on our website.
However, you can get in touch with us via:
* IRC: #reproducible-builds on irc.oftc.net.
* Mastodon: @reproducible_builds at fosstodon.org [111]
* Mailing list: rb-general at lists.reproducible-builds.org [112]
[110] https://reproducible-builds.org/contribute/
[111] https://fosstodon.org/@reproducible_builds
[112] https://lists.reproducible-builds.org/listinfo/rb-general
--
o
⬋ ⬊
o o reproducible-builds.org 💠
⬊ ⬋
o