Reproducible Builds in January 2026

Welcome to the first monthly report in 2026 from the Reproducible Builds project!

These reports outline what we’ve been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.

1. Flathub now testing for reproducibility
2. Reproducibility identifying projects that will fail to build in 2038
3. Distribution work
4. Tool development
5. Two new academic papers
6. Upstream patches

---

Flathub now testing for reproducibility

Flathub, the primary repository/app store for Flatpak-based applications, has begun checking for build reproducibility. According to a recent blog post:

We have started testing binary reproducibility of x86_64 builds targeting the stable repository. This is possible thanks to flathub-repro-checker, a tool doing the necessary legwork to recreate the build environment and compare the result of the rebuild with what is published on Flathub. While these tests have been running for a while now, we have recently restarted them from scratch after enabling S3 storage for diffoscope artifacts.

The test results and status is available on their reproducible builds page.

Reproducibility identifying software projects that will fail to build in 2038

Longtime Reproducible Builds developer Bernhard M. Wiedemann posted on Reddit on “Y2K38 commemoration day T-12” — that is to say, twelve years to the day before the UNIX Epoch will no longer fit into a signed 32-bit integer variable on 19th January 2038.

Bernhard’s comment succinctly outlines the problem as well as notes some of the potential remedies, as well as links to a discussion with the GCC developers regarding “adding warnings for int → time_t conversions”.

At the time of publication, Bernard’s topic had generated 50 comments in response.

Distribution work

Conda is language-agnostic package manager which was originally developed to help Python data scientists and is now a popular package manager for Python and R.

conda-forge, a community-led infrastructure for Conda recently revamped their dashboards to rebuild packages straight to track reproducibility. There have been changes over the past two years to make the conda-forge build tooling fully reproducible by embedding the ‘lockfile’ of the entire build environment inside the packages.

In Debian this month:

• Scott Talbert uploaded a new version of dh-haskell (0.6.13), reverting parallel support as it broke reproducibility, thereby fixing Debian bug #1125000.

• Vagrant Cascadian posted to our mailing list on the topic of “Duplicate Debian packages with matching name-version-arch problem”. The issue is that .buildinfo files only “record the package name, version and architecture of the build-dependencies (and perhaps a bit more), but there are corner cases where multiple artifacts have the same name, version and architecture”. This generated some discussion on the mailing list as well as elsewhere in Debian.

• Roland Clobus also posted to our mailing list regarding Building Debian Live images from snapshot.debian.org. This surfaced an issue regarding the timestamps of the .deb file, leading to Roland filing Debian bug #1126000 to liaise with the developers of the snapshot.debian.org service.

• A change was made to migrate away from using the results from tests.reproducible-builds.org in deciding whether a package is a suitable candidate for the Debian testing distribution (the staging area for the next stable Debian release) to use the results from reproduce.debian.net instead. This was, according to Paul Gevers’ merge request, because the former service “does so by building twice in a row with varying build environment. What we are actually interested in is if the binaries that we ship can be reproduced”. The information provided by reproduce.debian.net in future will be used to delay or speed up packages’ migration time based on their reproducibility status, and further in the future shall be used to block unreproducible packages from migrating entirely.

• 41 reviews of Debian packages were added, 7 were updated and 37 were removed this month adding to our knowledge about identified issues. Chris Lamb identified and added a new source_date_epoch_affected_by_timezone_by_d_compiler_gdc issue type, as well as timezone_variant_in_argparse_manpage.

In NixOS this month, it was announced that the GNU Guix Full Source Bootstrap was ported to NixOS as part of Wire Jansen bachelor’s thesis (PDF). At the time of publication, this change has landed in NiX’ stdev distribution.

Lastly, Bernhard M. Wiedemann posted another openSUSE monthly update for his work there.

Tool development

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions, 310 and 311 to Debian.

• Fix test compatibility with u-boot-tools version 2026-01. […]
• Drop the implied Rules-Requires-Root: no entry in debian/control. […]
• Bump Standards-Version to 4.7.3. […]
• Reference the Debian ocaml package instead of ocaml-nox. (#1125094)
• Apply a patch by Jelle van der Waa to adjust a test fixture match new lines. […]
• Also the drop implied Priority: optional from debian/control. […]

In addition, Holger Levsen uploaded two versions of disorderfs, first updating the package from FUSE 2 to FUSE 3 as described in last months report, as well as updating the packaging to the latest Debian standards. A second upload (0.6.2-1) was subsequently made, with Holger adding instructions on how to add the upstream release to our release archive and incorporating changes by Roland Clobus to set _FILE_OFFSET_BITS on 32-bit platforms, fixing a build failure on 32-bit systems. Vagrant Cascadian updated diffoscope in GNU Guix to version 311-2-ge4ec97f7 and disorderfs to 0.6.2.

Two new academic papers

Julien Malka, Stefano Zacchiroli and Théo Zimmermann of Télécom Paris’ in-house research laboratory, the Information Processing and Communications Laboratory (LTCI) published a paper this month titled Docker Does Not Guarantee Reproducibility:

[…] While Docker is frequently cited in the literature as a tool that enables reproducibility in theory, the extent of its guarantees and limitations in practice remains under-explored. In this work, we address this gap through two complementary approaches. First, we conduct a systematic literature review to examine how Docker is framed in scientific discourse on reproducibility and to identify documented best practices for writing Dockerfiles enabling reproducible image building. Then, we perform a large-scale empirical study of 5,298 Docker builds collected from GitHub workflows. By rebuilding these images and comparing the results with their historical counterparts, we assess the real reproducibility of Docker images and evaluate the effectiveness of the best practices identified in the literature.

A PDF of their paper is available online.

Quentin Guilloteau, Antoine Waehren and Florina M. Ciorba of the University of Basel in Sweden also published a Docker-related paper, theirs called Longitudinal Study of the Software Environments Produced by Dockerfiles from Research Artifacts:

The reproducibility crisis has affected all scientific disciplines, including computer science (CS). To address this issue, the CS community has established artifact evaluation processes at conferences and in journals to evaluate the reproducibility of the results shared in publications. Authors are therefore required to share their artifacts with reviewers, including code, data, and the software environment necessary to reproduce the results. One method for sharing the software environment proposed by conferences and journals is to utilize container technologies such as Docker and Apptainer. However, these tools rely on non-reproducible tools, resulting in non-reproducible containers. In this paper, we present a tool and methodology to evaluate variations over time in software environments of container images derived from research artifacts. We also present initial results on a small set of Dockerfiles from the Euro-Par 2024 conference.

A PDF of their paper is available online.

Miscellaneous news

On our mailing list this month:

• kpcyrd started a thread after they noticed that “SWHID (also known as ISO/IEC 18670:2025) was published 1.0 in 2022 and ISO standardized in 2025, but uses the insecure SHA-1 as core cryptographic primitive”, asking whether there have been any attempts to upgrade this to SHA-256 or similar.

• Jan-Benedict Glaw asked about the Reproducibility for Libreoffice [when performing] ODT to PDF conversion after they observed that “simply calling libreoffice --convert-to pdf some.odt results in unreproducible output PDF. After some replies, Jan-Benedict wrote back to observe that it may be an issue with both timestamps and embedded fonts.

Lastly, kpcyrd added a Rust section to the Stable order for outputs page on our website. […]

Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

• Bernhard M. Wiedemann:

  • clamav
  • kf6-kuserfeedback
  • libaom
  • Nim
  • otp
  • Switcheroo (by Khaleel Al-Adhami)
  • uwsm
  • ZEO

• Chris Lamb:

  • #1124697 filed against sqlalchemy-i18n.
  • #1125671 filed against tea-cli.
  • #1125725 filed against libimage-librsvg-perl.
  • #1125727 filed against seer.
  • #1125729 filed against grabix.
  • #1126038 filed against hovercraft.
  • #1126039 filed against lomiri-location-service.
  • #1126092 filed against argparse-manpage.
  • #1126454 filed against xarray-safe-rcm.
  • #1126512 filed against gcc-15 (forwarded upstream).

• Jochen Sprickerhof:

  • #1124951 filed against rsyslog.
  • #1125000 filed against dh-haskell.

Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.

• Mastodon: @reproducible_builds@fosstodon.org

• Mailing list: rb-general@lists.reproducible-builds.org