Welcome to the 6th report from the Reproducible Builds project in 2025. Our monthly reports outline what we’ve been up to over the past month, and highlight items of news from elsewhere in the increasingly-important area of software supply-chain security. If you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.
In this report:
- Reproducible Builds at FOSSY 2025
- Distribution work
- diffoscope
- OSS Rebuild updates
- Website updates
- Upstream patches
- Reproducibility testing framework
Reproducible Builds at FOSSY 2025
On Saturday 2nd August, Vagrant Cascadian and Chris Lamb will be presenting at this year’s FOSSY 2025. Their talk, titled Never Mind the Checkboxes, Here’s Reproducible Builds!, is being introduced as follows:
There are numerous policy compliance and regulatory processes being developed that target software development… but do they solve actual problems? Does it improve the quality of software? Do Software Bill of Materials (SBOMs) actually give you the information necessary to verify how a given software artifact was built? What is the goal of all these compliance checklists anyways… or more importantly, what should the goals be? If a software object is signed, who should be trusted to sign it, and can they be trusted … forever?
The talk will introduce the audience to Reproducible Builds as a set of best practices which allow users and developers to verify that software artifacts were built from the source code, but also allows auditing for license compliance, providing security benefits, and removes the need to trust arbitrary software vendors.
Hosted by the Software Freedom Conservancy and taking place in Portland, Oregon, USA, FOSSY aims to be a community-focused event: “Whether you are a long time contributing member of a free software project, a recent graduate of a coding bootcamp or university, or just have an interest in the possibilities that free and open source software bring, FOSSY will have something for you”. More information on the event is available on the FOSSY 2025 website, including the full programme schedule.
Vagrant and Chris will also be staffing a table this year, where they will be available to answer any questions about Reproducible Builds and discuss collaborations with other projects.
Distribution work
In Debian this month:
-
Holger Levsen has discovered that it is now possible to bootstrap a minimal Debian trixie using 100% reproducible packages. This result can itself be reproduced, using the
debian-repro-statustool andmmdebstrap’s support for hooks:$ mmdebstrap --variant=apt --include=debian-repro-status \ --chrooted-customize-hook=debian-repro-status \ trixie /dev/null 2>&1 | grep "Your system has" INFO debian-repro-status > Your system has 100.00% been reproduced. -
On our mailing list this month, Helmut Grohne wrote an extensive message raising an issue related to Uploads with conflicting buildinfo filenames:
Having several
.buildinfofiles for the same architecture is something that we plausibly want to have eventually. Imagine running two sets of buildds and assembling a single upload containing buildinfo files from both buildds in the same upload. In a similar vein, as a developer I may want to supply several.buildinfofiles with my source upload (e.g. for multiple architectures). Doing any of this is incompatible with current incoming processing and withreprepro. -
5 reviews of Debian packages were added, 4 were updated and 8 were removed this month adding to our ever-growing knowledge about identified issues.
In GNU Guix, Timothee Mathieu reported that a long-standing issue with reproducibility of shell containers across different host operating systems has been solved. In their message, Timothee mentions:
I discovered that pytorch (and maybe other dependencies) has a reproducibility problem of order 1e-5 when on AVX512 compared to AVX2. I first tried to solve the problem by disabling AVX512 at the level of pytorch, but it did not work. The dev of pytorch said that it may be because some components dispatch computation to MKL-DNN, I tried to disable AVX512 on MKL, and still the results were not reproducible, I also tried to deactivate in openmpi without success. I finally concluded that there was a problem with AVX512 somewhere in the dependencies graph but I gave up identifying where, as this seems very complicated.
The IzzyOnDroid Android APK repository made more progress in June. Not only have they just passed 48% reproducibility coverage, Ben started making their reproducible builds more visible, by offering rbtlog shields, a kind of badge that has been quickly picked up by many developers who are proud to present their applications’ reproducibility status.
Lastly, in openSUSE news, Bernhard M. Wiedemann posted another monthly update for their work there.
diffoscope
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions 298, 299 and 300 to Debian:
- Add
python3-defusedxmlto theBuild-Dependsin order to include it in the Docker image. […] - Handle the RPM format’s
HEADERSIGNATURESandHEADERIMMUTABLEas a special-case to avoid unnecessarily large diffs. Thanks to Daniel Duan for the report and suggestion. […][…] - Update copyright years. […]
In addition, @puer-robustus fixed a regression introduced in an earlier commit which resulted in some differences being lost. […][…]
Lastly, Vagrant Cascadian updated diffoscope in GNU Guix to version 299 […][…] and 300 […][…].
OSS Rebuild updates
OSS Rebuild has added a new network analyzer that provides transparent HTTP(S) interception during builds, capturing all network traffic to monitor external dependencies and identify suspicious behavior, even in unmodified maintainer-controlled build processes.
The text-based user interface now features automated failure clustering that can group similar rebuild failures and provides natural language failure summaries, making it easier to identify and understand patterns across large numbers of build failures.
OSS Rebuild has also improved the local development experience with a unified interface for build execution strategies, allowing for more extensible environment setup for build execution. The team also designed a new website and logo.
Website updates
Once again, there were a number of improvements made to our website this month including:
-
Arnaud Brousseau added Stageˣ, a new Linux distribution, to our Tools page.
-
Chris Lamb improved the
dockerinstructions on the diffoscope website. […]
Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
-
Chris Riches:
-
Bernhard M. Wiedemann:
arandr,curl,dpdk,dpdk,eww,gnucash,gramps,latex2html,llvm20,mp,nvidia-open-driver-G06-signed,obs,ovmf,pcre2,perl-XML-LibXML,perl,python-reportlab,python313,qt6-datavis3d,qt6-declarative,qt6-sensors,qt6-virtualkeyboard,rage-encryption,scummvm,timescaledb&zoxide.- Plus several issues with how
rpmbuildexpands the%jobsvariable in the.src.rpmheader, including:chromium,cmake,edk2,firefox-esr,gnome-keyring-sharp,gtk2-engine-aurora,gtk2-engine-cleanice,gtk2-engines,libqt5-qtlocation,libreoffice,luabind,lxmenu-data,mozc,MozillaThunderbird,perl-DateTime-Calendar-Mayan,perl-Getopt-ArgvFile,perl-MooseX-Meta-TypeConstraint-ForceCoercion,perl-XML-Entities,python-convertdate,suitesparse&webkit2gtk3
-
Robin Candau:
gramps(useSOURCE_DATE_EPOCHwhen compressing man pages)
-
Chris Lamb:
- #1108273 filed against
tree-puzzle. - #1108281 filed against
cctools. - #1108532 filed against
python-django-import-export.
- #1108273 filed against
–
Reproducibility testing framework
The Reproducible Builds project operates a comprehensive testing framework running primarily at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility. In June, however, a number of changes were made by Holger Levsen, including:
-
reproduce.debian.net-related:
-
Installed and deployed rebuilderd version 0.24 from Debian unstable in order to make use of the new compression feature added by Jarl Gullberg for the database. This resulted in massive decrease of the SQLite databases:
- 79G → 2.8G (
all) - 84G → 3.2G (
amd64) - 75G → 2.9G (
arm64) - 45G → 2.1G (
armel) - 48G → 2.2G (
armhf) - 73G → 2.8G (
i386) - 72G → 2.7G (
ppc64el) - 45G → 2.1G (
riscv64)
… for a combined saving from 521G → 20.8G. This naturally reduces the requirements to run an independent rebuilderd instance and will permit us to add more Debian suites as well.
- 79G → 2.8G (
- During migration to the latest version of rebuilderd, make sure several services are not started. […]
- Actually run rebuilderd from
/usr/bin. […] - Raise temperatures for NVME devices on some
riscv64nodes that should be ignored. […][…] - Use a 64KB kernel page size on the
ppc64elarchitecture (see #1106757). […] - Improve ordering of some “failed to reproduce” statistics. […]
- Detect a number of potential causes of build failures within the statistics. […][…]
- Add support for manually scheduling for the
anyarchitecture. […]
-
-
Misc:
In addition, Jochen Sprickerhof greatly improved the statistics and the logging functionality, including adopting to the new database format of rebuilderd version 0.24.0 […] and temporarily increasing maximum log size in order to debug a nettlesome build […]. Jochen also dropped the CPUSchedulingPolicy=idle systemd flag on the workers. […]
Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
-
IRC:
#reproducible-buildsonirc.oftc.net. -
Mastodon: @reproducible_builds@fosstodon.org
-
Mailing list:
rb-general@lists.reproducible-builds.org
