Reviewing existing reproducible builds tools


  • diffs two artefacts and checks whether they are the same.
  • if not, it opens the artefacts and tries to find out what differs.
  • it does this recursively
  • e.g. a zip file will be opened and it will identify which file within the archive is different.
  • e.g. an ELF file will be opened and the differing section is identified.


  • runs after the build
  • removes known causes of nondeterminism
  • e.g. jars aren’t reproducible; it makes them reproducible
  • removes several timestamps
  • should not exist by design
  • but fixing things upstream is hard or takes a lot of time. it’s an intermediate solution


  • FUSE filesystem
  • has different modes
  • e.g. random
  • ls -f / can return a different result every time
  • e.g. invert
  • inverts the listing
  • e.g. order
  • sorts the listing

Good practices:

  • run once in “order” mode
  • run a second time in invert mode, to get non-determinism in a deterministic way.

  • web service
  • you don’t have to install diffoscope with its many dependencies
  • written in Django
  • command-line client to avoid a full diffoscope install
  • upload
  • diff on the server
  • create a link to be shared into the bug report


  • tool to run a build twice
  • can use containers
  • reprotest make will run it twice, but changing the environment, e.g. TZ

  • based on Jenkins
  • doesn’t run reprotest
  • runs a bunch of scripts to do the build twice
  • is legacy, but moving to reprotest isn’t going to happen as long as reprotest is still under development


  • the upstream is not reproducible
  • lots of distribution patches
  • unclear whether the reproducibility patches are going to be accepted
  • lynxis will do a fork because the maintainer isn’t
  • not reproducible because of timestamps and scheduling problems


  • package manager guarantees reproducibility
  • guix challenge compares different sources of a binary


can test a package which has been uploaded to the openSUSE build system. varies:

  • hostname
  • date

tool request

  • to make JavaScript reproducible, there should be an npm-ls to get all the npm packages.
  • someone created a cross-ecosystem scraper to scrape npm, PyPI
  • prevent build systems from talking to the internet
  • run a tcpdump on the system. if the .pcap file is greater than 0, you know the build talked to the internet. It helps create a good bug report to know which server it talks to and what.
  • Put the “is the build talking to the internet” feature into the build system.
  • call runc without network
  • create a namespace without network
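
Added example, not from the session: a sketch of the tcpdump check above that lists which servers a build contacted, for the bug report. It counts packet records rather than file size, because tcpdump writes a 24-byte file header even when nothing was captured. Assumptions: classic pcap format, Ethernet link type, loopback traffic ignored; the function names and the sample captures (documentation addresses) are constructed.

```python
import ipaddress
import struct
from collections import Counter

# Classic (microsecond) pcap magic as stored on disk -> struct byte order.
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
PROTO = {6: "tcp", 17: "udp"}

def remote_destinations(pcap: bytes) -> Counter:
    """Count (dst_ip, proto, dst_port) for non-loopback IPv4 packets."""
    if len(pcap) < 24 or pcap[:4] not in MAGIC:
        raise ValueError("not a classic pcap file")
    end = MAGIC[pcap[:4]]
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    seen, off = Counter(), 24            # records start after the file header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                     # truncated or not IPv4
        ip = frame[14:]
        dst = ipaddress.IPv4Address(ip[16:20])
        if dst.is_loopback:
            continue                     # assumption: local IPC is not a finding
        ihl, port = (ip[0] & 0x0F) * 4, None
        if ip[9] in PROTO and len(ip) >= ihl + 4:
            port = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        seen[(str(dst), PROTO.get(ip[9], str(ip[9])), port)] += 1
    return seen

def make_frame(dst: str, proto: int, dport: int) -> bytes:  # constructed frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), ipaddress.IPv4Address(dst).packed)
    return b"\x02" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", 40000, dport, 8, 0)

def make_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

EMPTY = make_pcap([])  # constructed capture: the build stayed offline
SAMPLE = make_pcap([make_frame("203.0.113.53", 17, 53), make_frame("198.51.100.7", 6, 443),
                    make_frame("198.51.100.7", 6, 443), make_frame("127.0.0.1", 6, 8080)])

if __name__ == "__main__":
    print(len(EMPTY), dict(remote_destinations(SAMPLE)))
```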

Feedback results to the community

  • Travis CI integration
  • create a tool to integrate it into their build process
  • create a feedback API.
  • get badges

The unreproducible package

have a package full of unreproducible things

next sessions

  • squashfs forking session
  • reprotest