Project Updates
Reproducible Builds Summit 2025 Project Summaries
National Research Council of Italy (CNR)
Who: Giacomo Benedetti 1
RB Status: $22\%$ 2
Ask about:
R-B in open-source ecosystems 3
Software Security Research 4
Want to know about:
Hands-on experience in Package release process/publishing 5
Build process management 6
University of Bonn
Who: Tino & Marc 7
RB Status: $10\%$ reproducible 8
Ask about:
Software Supply Chain Security 9
R-B for Programming Language Ecosystems 10
Research/Papers 11
Learn about:
Practical application of R-B 12
Attestations/Provenance 13
Bootstrappable Builds 14
Project/Org: Arch Linux
Who is here: Antiz, kpcyrd 15
RB Status: Yes ($88.5\%$) 16
Ask us about:
Having rebuilders for 5 years 17
Centralizing RB patches/fixes 18
Want to learn:
How to enforce RB Policy (Debian) 19
Reproducible Releng images 20
Apache Software Foundation (Apache Airflow)
Who: Yarek (MERE) 21
Status: Reproducible $100\%$ 22
What you can ask:
Breaking often 23
Python reproducibility 24
Weird reproducibility issues 25
What to learn:
How to reproduce reproducibility 26
Expiry of reproducibility 27
How to sell reproducibility 28
North Carolina State University
Who: Will Enck 29
RB Status: Unknown 30
Ask Us About:
RBs in language ecosystems 31
Research + RBs 32
Want to Learn:
How I can create research agendas that solve your problems 33
Apache Maven
Who: Hervé BOUTEMY 34
RB Status: $M_{A}V\in N=1_{\infty}\times RB$ Built with Maven 35353535
Ask us about:
Reproducible Central 36
Shields.io Reproducible Badge 37
Reproducible Dependencies Report 38
Want to learn / work on:
Attestations 39
Rebuild 40
Build sharing 41
NetBSD/pkg src
Who: Thomas 42
RB Status: NetBSD: quite reproducible (most of the time) 43; pkgsrc: early stages 44
Ask about: NetBSD build system 45
Want to learn:
State of distributions 46
Common pitfalls & workarounds/solutions 47
Project: None / Independent
Who: KLEMEN / CENA (Git) 48
RB Status: In process of updating the rebuilder 49494949
Ask about / Learn:
Making reproducible Docker/OCI images easier for developers 50505050
Where and how to help the RB community 515151515151515151
New York University
Who: Justin Cappos & Yaxuan (Alice) Wen 52
RB Status: Undefined 53
We can talk about:
Build from trusted enclave 54
In-toto attestation 55
SBOM accuracy/completeness 56
We want to learn:
How people do RB currently? 57
Interesting problems people have found 58
Unknown-Unknowns (Plz nerd snipes us) 59
OSS Rebuild
Who: Matthew Suozzo, William Burton, Aman Sharma (Emeritus) 60
Status:
npm: $<50\%$ 61
pypi: $\sim 50\%$ 62
crates.io: $>50\%$ 63
maven: $\sim 5\%$ 64
Ask us:
AI Rebuilds 65
Git internals 66
Language package ecosystems 67
Work on:
Registry API 68
Improving Rust coverage 69
Native build reproducibility 70
Consensus in rebuilders 71
The Tor Project
Who: Nicolas
RB Status: Tor Browser is built reproducibly.
Ask me about: Tor Browser and Tor Browser Build.
Want to learn about / work on: Build attestation systems and databases.
GUlX / ROCHE
Who: GáBOR, EFRAIM (GUlX) / GáBOR (ROCHE)
RB Status: $80\%$ (GUlX) / $95\%$, but very fragile (ROCHE)
Ask about (GUlX):
Diffoscope
Discoverability
Early Bootstrap Simplification
Debian Package Build
How to do this from other build systems?
Ask about (ROCHE):
Moving from "almost working" to prod ready
Corporate Penetration
Aptly
Project: Nix/NixOS
Who: Paul, Julien, Martin
RB Status: $92\%$ of $100$k packages
Ask us about:
How Nix works
LILA: decentralized RB monitoring
$lact$: signature format to attest reproducibility
Defining reproducibility based on evidence
Want to learn / work on:
Reproducible disk images/appliances & measured boot
Rebuildd / challenges in rebuilding old Debian packages
$lact$ policy engine
openSUSE
Who: Bernhard, Georg
R-B Status: $98.5\%$ ($16$k packages)
Ask about:
ORS
Normalization
Want to work on: Normalization
R-B-OS
Who: BERNHARD
R-B-Status: $100\%$ of $3$K packages
Ask Us About:
VM IMAGES
EMACS
Want to Work On:
GHC R.B
Octave R.B
Rust R.B / Debugging
