Reproducible Builds in July 2025

Welcome to the seventh report from the Reproducible Builds project in 2025. Our monthly reports outline what we’ve been up to over the past month, and highlight items of news from elsewhere in the increasingly-important area of software supply-chain security. If you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.

In this report:

1. Reproducible Builds Summit 2025
2. Reproducible Builds an official goal for SUSE Enterprise Linux
3. Reproducible Builds at FOSSY 2025
4. New OSS Rebuild project from Google
5. New extension of Python setuptools to support reproducible builds
6. diffoscope
7. New library to patch system functions for reproducibility
8. Independently Reproducible Git Bundles
9. Website updates
10. Distribution work
11. Reproducibility testing framework
12. Upstream patches

---

Reproducible Builds Summit 2025

We are extremely pleased to announce the upcoming Reproducible Builds Summit, set to take place from October 28th — 30th 2025 in Vienna, Austria!

We are thrilled to host the eighth edition of this exciting event, following the success of previous summits in various iconic locations around the world, including Venice, Marrakesh, Paris, Berlin, Hamburg and Athens. Our summits are a unique gathering that brings together attendees from diverse projects, united by a shared vision of advancing the Reproducible Builds effort.

During this enriching event, participants will have the opportunity to engage in discussions, establish connections and exchange ideas to drive progress in this vital field. Our aim is to create an inclusive space that fosters collaboration, innovation and problem-solving.

If you’re interesting in joining us this year, please make sure to read the event page which has more details about the event and location. Registration is open until 20th September 2025, and we are very much looking forward to seeing many readers of these reports there!

Reproducible Builds an official goal for SUSE Enterprise Linux

On our mailing list this month, Bernhard M. Wiedemann revealed the big news that reproducibility is now an official goal for SUSE Linux Enterprise Server (SLES) 16:

[Everything] changed earlier this year when reproducible-builds for SLES-16 became an official goal for the product. More people are talking about digital sovereignty and supply-chain security now. […] Today, only 9 of 3319 (source) packages have significant problems left (plus 7 with pending fixes), so 99.5% of packages have reproducible builds.

Reproducible Builds at FOSSY 2025

On Saturday 2nd August, Vagrant Cascadian and Chris Lamb presented at this year’s FOSSY 2025. Their talk, titled Never Mind the Checkboxes, Here’s Reproducible Builds!, was introduced as follows:

There are numerous policy compliance and regulatory processes being developed that target software development… but do they solve actual problems? Does it improve the quality of software? Do Software Bill of Materials (SBOMs) actually give you the information necessary to verify how a given software artifact was built? What is the goal of all these compliance checklists anyways… or more importantly, what should the goals be? If a software object is signed, who should be trusted to sign it, and can they be trusted … forever?

Hosted by the Software Freedom Conservancy and taking place in Portland, Oregon, USA, FOSSY aims to be a community-focused event: “Whether you are a long time contributing member of a free software project, a recent graduate of a coding bootcamp or university, or just have an interest in the possibilities that free and open source software bring, FOSSY will have something for you”. More information on the event is available on the FOSSY 2025 website, including the full programme schedule.

Vagrant and Chris also staffed a table, where they will be available to answer any questions about Reproducible Builds and discuss collaborations with other projects.

New OSS Rebuild project from Google

The Google Open Source Security Team (GOSST) published an article this month announcing OSS Rebuild, “a new project to strengthen trust in open source package ecosystems by reproducing upstream artifacts.” As the post itself documents, the new project comprises four facets:

• Automation to derive declarative build definitions for existing PyPI (Python), npm (JS/TS), and Crates.io (Rust) packages.
• SLSA Provenance for thousands of packages across our supported ecosystems, meeting SLSA Build Level 3 requirements with no publisher intervention.
• Build observability and verification tools that security teams can integrate into their existing vulnerability management workflows.
• Infrastructure definitions to allow organizations to easily run their own instances of OSS Rebuild to rebuild, generate, sign, and distribute provenance.

One difference with most projects that aim for bit-for-bit reproducibility, OSS Rebuild aims for a kind of “semantic” reproducibility:

Through automation and heuristics, we determine a prospective build definition for a target package and rebuild it. We semantically compare the result with the existing upstream artifact, normalizing each one to remove instabilities that cause bit-for-bit comparisons to fail (e.g. archive compression).

The extensive post includes examples about how to access OSS Rebuild attestations using the Go-based command-line interface.

New extension of Python setuptools to support reproducible builds

Wim Jeantine-Glenn has written a PEP 517 Build backend in order to enable reproducible builds when building Python projects that use setuptools.

Called setuptools-reproducible, the project’s README file contains the following:

Setuptools can create reproducible wheel archives (.whl) by setting SOURCE_DATE_EPOCH at build time, but setting the env var is insufficient for creating reproducible sdists (.tar.gz). setuptools-reproducible [therefore] wraps the hooks build_sdist build_wheel with some modifications to make reproducible builds by default.

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions 301, 302 and 303 to Debian:

• Improvements:

  • Use Difference.from_operation in an attempt to pipeline the output of the extract-vmlinux script, potentially avoiding it all in memory. […]
  • Memoize a number of calls to --version, saving a very large number of external subprocess calls.

• Bug fixes:

  • Don’t check for PyPDF version 3 specifically, check for versions greater than 3. […]
  • Ensure that Java class files are named .class on the filesystem before passing them to javap(1). […]
  • Mask stderr from extract-vmlinux script. […][…]
  • Avoid spurious differences in h5dump output caused by exposure of absolute internal extraction paths. (#1108690)

• Misc:

  • Use our_check_output in the ODT comparator. […]
  • Update copyright years. […]

In addition:

• Siva Mahadevan made a change to use the --print-armap long option when calling nm(1) for wider compatibility. […]

• Vagrant Diffoscope updated diffoscope in GNU Guix to 300 […], 301 […], 302 and fixed the execute bit on the extract-vmlinux script […].

Lastly, Chris Lamb added a tmpfs to try.diffoscope.org so that diffoscope has a non-trivial temporary area to unpack archives, etc. […]

Elsewhere in our tooling, however, reprotest is our tool for building the same source code twice in different environments and then checking the binaries produced by each build for any differences. This month, reprotest version 0.7.30 was uploaded to Debian unstable by Holger Levsen, chiefly including a change by Rebecca N. Palmer to not call sudo with the -h flag in order to fix Debian bug #1108550. […]

New library to patch system functions for reproducibility

Nicolas Graves has written and published libfate, a simple collection of tiny libraries to patch system functions deterministically using LD_PRELOAD. According to the project’s README:

libfate provides deterministic replacements for common non-deterministic system functions that can break reproducible builds. Instead of relying on complex build systems or apps or extensive patching, libfate uses the LD_PRELOAD trick to intercept system calls and return fixed, predictable values.

Describing why he wrote it, Nicolas writes:

I originally used the OpenSUSE dettrace approach to make Emacs reproducible in Guix. But when Guix switch to GCC@14, dettrace stopped working as expected. dettrace is a complex piece of software, my need was much less heavy: I don’t need to systematically patch all sources of nondetermism, just the ones that make a process/binary unreproducible in a container/chroot.

”Independently Reproducible Git Bundles”

Simon Josefsson has published another interesting article this month. Titled Independently Reproducible Git Bundles, the blog post describes the advantages of why you might a reproducible bundle, and the pitfalls that can arise when trying to create them:

One desirable property is that someone else should be able to reproduce the same git bundle, and not only that a single individual is able to reproduce things on one machine. It surprised me to see that when I ran the same set of commands on a different machine (started from a fresh git clone), I got a different checksum. The different checksums occurred even when nothing had been committed on the server side between the two runs.

Website updates

Once again, there were a number of improvements made to our website this month including:

• Bernhard M. Wiedemann added an entry related to R-B-OS on the History page. […]

• Chris Lamb:

  • Replaced “rbtlog run by Fay” by “rbtlog run by Benl” on the Who is involved page. […]
  • Added a new, centered version of the RB logo. […]

• Holger Levsen:

  • Added and worked on the page for the Vienna 2025 summit. […][…]
  • Add Jarl Gullberg to the Who is involved? page. […]
  • Add a talk from the recent MiniDebConf in Hamburg to our database of talks and presentations. […]

• Julien Cristau fixed a link to the diffoci repository on the [Tools](/tools/ page. […]

Distribution work

In Debian this month:

• 5 reviews of Debian packages were added, 4 were updated and 2 were removed this month adding to our ever-increasing knowledge about identified issues.

• The release notes for the upcoming Debian Trixie release feature the following paragraph related to Reproducible Builds, thanks to the collaboration of Justin B Rye, Chris Hofstaedtler, Vagrant Cascadian and Holger Levsen:

Debian contributors have made significant progress toward ensuring package builds produce byte-for-byte reproducible results. You can check the status for packages installed on your system using the new package debian-repro-status, or visit reproduce.debian.net for Debian’s overall statistics for trixie and later. You can contribute to these efforts by joining #debian-reproducible on IRC to discuss fixes, or verify the statistics by installing the new rebuilderd package and setting up your own instance.

The IzzyOnDroid Android APK repository made further progress in July, crossing the 50% reproducibility threshold — congratulations. Furthermore, a new release of the Neo Store was released, which exposes the reproducible status directly next to the version of each app.

In GNU Guix, a series of patches intended to fix the reproducibility for the Mono programming language was merged, fixing reproducibility in Mono versions 1.9 […], 2.4 […] and 2.6 […].

Lastly, in addition to the news that openSUSE Enterprise Linux now [has an official goal of reproducibility]((https://lists.reproducible-builds.org/pipermail/rb-general/2025-July/003846.html), Bernhard M. Wiedemann posted another monthly update for their work there.

Reproducibility testing framework

The Reproducible Builds project operates a comprehensive testing framework running primarily at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility. In June, however, a number of changes were made by Holger Levsen, including:

• Switch the URL for the Tails package set. […]
• Make the dsa-check-packages output more useful. […]
• Setup the ppc64el architecture again, has it has returned — this time with a 2.7 GiB database instead of 72 GiB. […]

In addition, Jochen Sprickerhof improved the reproducibility statistics generation:

• Enable caching of statistics. […][…][…]
• Add some common non-reproducible patterns. […]
• Change output to directory. […]
• Add a page sorted by diffoscope size. […][…]
• Switch to Python’s argparse module and separate output(). […]

Holger also submitted a number of Debian bugs against rebuilderd and rebuilderd-worker:

• Config files and scripts for a simple one machine setup. […][…]
• Create a rebuilderd user. […]
• Create rebuilderd-worker user with sbuild. […]

Lastly, Mattia Rizzolo added a scheduled job to renew some SSL certificates […] and Vagrant Cascadian performed some node maintenance […][…].

Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

• Bernhard M. Wiedemann:

  • dpdk
  • HTTP-CookieJar
  • ibus-libzhuyin
  • java-21-openjdk
  • kea
  • libcamera
  • libpinyin
  • libsemigroups
  • llvm, llvm20 , llvm20, llvm19, llvm15, llvm17 (and all backports to llvm7-19)
  • mumble
  • python-Babel/pympress
  • python-numpy
  • python-numpy
  • python-paho-mqtt
  • python-rencode
  • rabbitmq-server
  • rage
  • re-flex
  • shadow-rs

• Chris Lamb:

  • #1109484 filed against rust-microformats
  • #1109731 filed against piglit

• Rafał Mikrut:

  • cargo-i18n

• Robin Candau:

  • netdata

There were a number of other patches from openSUSE developers:

• BCI-dockerfile-generator (Dirk Mueller)
• agama (Imobach Gonzalez Sosa)
• emacs (Werner Fink)
• firecracker (Andrea Manzini)
• maven-archiver (Fridrich Strba)
• moditect (Fridrich Strba)
• obs-build (Adrian Schroeter)
• ovmf (Richard Lyu)
• python-rdflib (Daniel Garcia)
• python313:doc (Daniel Garcia)

Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.

• Mastodon: @reproducible_builds@fosstodon.org

• Mailing list: rb-general@lists.reproducible-builds.org