Welcome to the May 2026 report from the Reproducible Builds project.
These reports outline what we’ve been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.
Debian to ship reproducible packages in forky and beyond
In a major change to Debian’s reproducibility policy, the Debian Release Team announced that:
… we’ve decided it’s time to say that Debian must ship reproducible packages. Since yesterday, we have enabled our migration software to block migration of new packages that can’t be reproduced [on reproduce.debian.net] or existing packages in testing that regress in reproducibility.
That is to say, if newly-uploaded packages are not reproducible, they won’t be considered candidates for inclusion in the next stable release of Debian codenamed forky.
This news generated a number of articles and comments in various news outlets:
- Linux Weekly News (LWN): Debian to require reproducible builds
- Phoronix: Debian Release Team: Debian Must Now Ship Reproducible Packages
- The Register: Debian 14 cracks down on unreproducible packages
- LinuxSecurity.com: Debian 14 Makes Reproducible Builds Mandatory for Linux Packages
- Heise.de: Debian macht ernst: Nur noch reproduzierbare Pakete in „testing“ (Debian gets serious: from now on only reproducible packages in “testing”)
Kettle: Attested Builds for Verifiable Software
André Arko and Amean Asad published a paper this month on Kettle, a build system that “produces cryptographically verifiable provenance for software built inside Trusted Execution Environments”:
A Kettle build records the source commit, dependency set, toolchain, build environment and output artifact digests in a provenance document produced inside a measured confidential VM. The SHA-256 digest of that document is committed to the TEE platform’s attestation report-data field, so the hardware-signed attestation report is itself the signature on the provenance, with the signing identity chaining to the TEE manufacturer’s root of trust rather than to the build infrastructure operator. Because the CVM image is itself reproducible, its launch measurement is public and stable, which lets a build requester pre-attest the CVM before submitting any input and optionally deliver source over a TLS channel terminated inside it, so the build runs end-to-end confidentially without the host ever seeing source code in plaintext.
A PDF of the paper is available online.
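To make the binding described above concrete, here is an added illustration of the verifier-side check; it is not code from the Kettle paper or project. The provenance document is canonicalised and hashed with SHA-256, the digest is placed in the report-data field, and a verifier accepts the build only if the report is genuine, the launch measurement equals the published measurement of the reproducible CVM image, and the report-data equals the digest of the provenance it was handed. A keyed MAC under a constructed key stands in for the hardware signature whose chain ends at the TEE manufacturer; the provenance fields, measurement value and field encodings are constructed for the example and do not follow any particular platform’s report format.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the TEE platform's signing key. On real hardware the
# report is signed by a per-chip key chaining to the manufacturer's root of
# trust, and a verifier validates that certificate chain rather than sharing a secret.
PLATFORM_KEY = b"constructed stand-in for the TEE platform signing key"


def provenance_digest(prov: dict) -> bytes:
    """SHA-256 over a canonical (sorted-key, whitespace-free) JSON encoding.
    Canonicalisation matters: the same fields serialised differently would
    hash differently and the report-data binding would fail spuriously."""
    canon = json.dumps(prov, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).digest()


def issue_report(measurement: bytes, report_data: bytes) -> dict:
    """Stand-in for the platform issuing an attestation report whose signed
    body covers the launch measurement and the caller-supplied report-data."""
    body = measurement + report_data
    return {
        "measurement": measurement.hex(),
        "report_data": report_data.hex(),
        "signature": hmac.new(PLATFORM_KEY, body, hashlib.sha256).hexdigest(),
    }


def verify_build(prov: dict, report: dict, expected_measurement: bytes) -> tuple[bool, str]:
    """Accept a build only if the report is genuine, comes from the expected
    (public, reproducible) CVM image, and commits to exactly this provenance."""
    measurement = bytes.fromhex(report["measurement"])
    report_data = bytes.fromhex(report["report_data"])
    expected_sig = hmac.new(PLATFORM_KEY, measurement + report_data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, report["signature"]):
        return False, "report signature invalid"
    if measurement != expected_measurement:
        return False, "launch measurement does not match the published CVM image"
    if report_data != provenance_digest(prov):
        return False, "report-data does not commit to this provenance document"
    return True, "ok"


def example_build() -> tuple[dict, dict, bytes]:
    """Constructed sample: a provenance document, the report a build running
    inside the CVM would obtain for it, and the CVM image's expected measurement."""
    prov = {
        "source_commit": "0123456789abcdef0123456789abcdef01234567",  # constructed
        "dependencies": {"libc6": "2.41-1", "gcc": "14.2.0-1"},       # constructed
        "toolchain": "gcc 14.2.0",
        "build_env": {"SOURCE_DATE_EPOCH": "1746057600"},
        "outputs": {"hello_1.0-1_amd64.deb": hashlib.sha256(b"constructed .deb bytes").hexdigest()},
    }
    measurement = hashlib.sha256(b"constructed reproducible CVM image").digest()
    report = issue_report(measurement, provenance_digest(prov))
    return prov, report, measurement


if __name__ == "__main__":
    prov, report, measurement = example_build()
    print(verify_build(prov, report, measurement))
    prov["outputs"]["hello_1.0-1_amd64.deb"] = "0" * 64  # provenance altered after the fact
    print(verify_build(prov, report, measurement))
```

Note that the three checks are ordered deliberately: nothing in the report is trusted before its signature has been checked, and the measurement is compared before the provenance so that a report from some other, unreviewed image is rejected even if it happens to carry the right digest.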
Holger Levsen on reproducing official Debian packages
Reproducible Builds developer Holger Levsen gave a talk at the 2026 Hamburg MiniDebConf on the topic of reproduce.debian.net - reproducing what is distributed from ftp.d.o; that is to say, moving away from testing whether a package is reproducible in a theoretical sense (e.g. whether we can build it twice in different environments within our test system and obtain the same result) and instead attempting to reproduce the very .deb files in the official Debian archive. This small-sounding distinction is essential: it is the only way the reproducible builds technique can determine whether the build systems that produced the distributed packages are compromised or not.
A video (32m37s) of the talk is available, as are Holger’s slides.
New rebuilderd version announced
rebuilderd is our server designed to monitor the official package repositories of Linux distributions and attempt to reproduce the packages observed there; it powers, amongst other things, reproduce.debian.net.
A new version, 0.27.0, was released this month, with the following headline changes:
- Improved .udeb support
- Breaking changes in pkg sync configuration
- Manual cleanup needed for Arch Linux instances
As kpcyrd’s announcement mentions:
The new rebuilderd package is currently available in the extra-testing repository. Note the Arch Linux package is upgraded from v0.25.0 to v0.27.0; please be patient with the database migrations on first restart, and make yourself familiar with the breaking changes in v0.26.0 too.
Distribution work
In Debian this month:
- The loong64 architecture was added to reproduce.debian.net. This is a 64-bit Reduced Instruction Set Computer (RISC) instruction set architecture developed by Loongson.
- 40 reviews of Debian packages were added, 68 were updated and 75 were removed this month, adding to our knowledge about identified issues. A number of issue types were updated, such as the addition of a new sphinx_reading_durations toolchain issue […], a golang_mango_generates_manpages_with_build_date issue […] and a random_offset_id_in_cython_linetrace […]. In addition, the timestamps_in_qhc issue was “refocused” to timestamps_in_qhc […].
In Fedora, Jelle van der Waa submitted a request for an official Fedora rebuilderd package which was reviewed by Neal Gompa.
Lastly, Bernhard M. Wiedemann posted another openSUSE monthly update for their reproducibility work there.
Misc news
On our mailing list this month:
- cen posted an interesting question to our list regarding “an interesting case of time-based non-reproducibility” after they noticed that Arch Linux’s rebuilderd instance reports the grep package as being reproducible whilst their own is not. Although the root cause of the issue is that various “translations are fetched from a remote location during bootstrap”, cen argues that: Perhaps rebuilderd needs a feature where GOOD packages are also periodically rebuilt in exponential back-off style and compared against current upstream build and also our last GOOD build. This would confirm whether a package is reproducible if built in a short time window but also help uncover longer time window issues that are currently hidden.
- Reproducible Builds developer kpcyrd copied our mailing list into an existing email thread on Debian bug #1137357 regarding deterministic signatures in the Rust-based Sequoia OpenPGP library. This generated some very interesting replies, such as this one by David A. Wheeler on how naïve methods for obtaining determinism in signatures may inadvertently reveal private keys.
- Lastly, David A. Wheeler announced that the 2026 Software Supply Chain Offensive Research and Ecosystem Defends (SCORED ‘26) conference will be held on October 6 2026 in Prague, Czechia. David specifically notes in their announcement that the conference’s Call for Papers (CfP) explicitly includes “Reproducible builds” and that the submission deadline is July 12, 2026.
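The warning about deterministic signatures deserves a worked illustration. What follows is an added example, not code from the bug thread, the Sequoia project or David A. Wheeler’s reply (which is not reproduced here); it shows the textbook failure in the DSA/ECDSA family. Making signatures repeatable by fixing the per-signature nonce k, rather than deriving k from the private key and the message as RFC 6979 does, means two signatures on different messages share the same r, and anyone who holds both can solve for k and then for the private key. The group parameters (p = 23, q = 11, g = 4) and the key x = 7 are constructed toy values small enough to check by hand; the algebra is the same at real sizes.

```python
import hashlib
import hmac

# Constructed toy DSA-family group: q = 11 divides p - 1 = 22 and g = 4 has
# order q modulo p. Real deployments use a ~256-bit q or an elliptic curve;
# the signing equations, and therefore the attack, are identical.
P, Q, G = 23, 11, 4


def inv(a: int, m: int) -> int:
    return pow(a % m, -1, m)


def sign_hash(h: int, x: int, k: int) -> tuple[int, int]:
    """DSA signature (r, s) on message hash h with private key x and nonce k."""
    r = pow(G, k, P) % Q
    s = inv(k, Q) * (h + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, choose another k")
    return r, s


def verify_hash(h: int, y: int, sig: tuple[int, int]) -> bool:
    """Standard DSA verification against public key y = g^x mod p."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = inv(s, Q)
    v = (pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P) % Q
    return v == r


def recover_private_key(h1: int, sig1: tuple[int, int], h2: int, sig2: tuple[int, int]) -> tuple[int, int]:
    """The attack: two signatures that reused a nonce (visible as equal r) on
    distinct hashes give two linear equations in the unknowns k and x.
    Solving them yields k, and then x from either signature."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("different nonces were used; nothing to recover")
    if (s1 - s2) % Q == 0:
        raise ValueError("hashes congruent mod q; the two messages must differ")
    k = (h1 - h2) * inv(s1 - s2, Q) % Q
    x = (s1 * k - h1) * inv(r1, Q) % Q
    return k, x


def derive_nonce(x: int, h: int, counter: int) -> int:
    """Per-message nonce in the spirit of RFC 6979: keyed by the private key
    and the message hash, so the same message always gets the same k while
    different messages get unrelated ones. Simplified for the example: RFC 6979
    proper drives an HMAC-DRBG; the counter supplies a fresh candidate when
    the first choice gives r = 0 or s = 0."""
    mac = hmac.new(x.to_bytes(4, "big"), h.to_bytes(32, "big") + bytes([counter]), hashlib.sha256).digest()
    return 1 + int.from_bytes(mac, "big") % (Q - 1)


def sign_deterministic(h: int, x: int) -> tuple[int, int]:
    """Deterministic signing done safely: repeatable per message, never a shared nonce."""
    for counter in range(256):
        try:
            return sign_hash(h, x, derive_nonce(x, h, counter))
        except ValueError:
            continue
    raise RuntimeError("could not find a usable nonce")


if __name__ == "__main__":
    x = 7                      # constructed private key
    y = pow(G, x, P)           # public key, 8
    naive1 = sign_hash(3, x, 5)   # "deterministic" by fixing k = 5 ...
    naive2 = sign_hash(5, x, 5)   # ... so a second message reuses it
    print("recovered (k, x):", recover_private_key(3, naive1, 5, naive2))
    print("safe, repeatable:", sign_deterministic(3, x) == sign_deterministic(3, x))
```

The key point for implementers is that determinism must come from binding the nonce to both the secret key and the message; determinism obtained by any construction that can emit the same nonce for two different messages is a private-key disclosure waiting for a second signature.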
Patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where applicable or possible. This month, we wrote a large number of such patches, including:
- Arnout Engelen (1):
- Bernhard M. Wiedemann (5):
- Chris Lamb (23):
  - #1135692 filed against dkimpy.
  - #1135873 filed against fortran-stdlib.
  - #1136291 filed against powerline.
  - #1136297 filed against pycayennelpp.
  - #1136298 filed against pycorrfit.
  - #1136424 filed against sphinx-needs.
  - #1136425 filed against ruby-otr-activerecord.
  - #1136426 filed against git-pw.
  - #1136427 filed against golang-github-akavel-rsrc.
  - #1136686 filed against pampi.
  - #1136689 filed against libreoffice-dictionaries.
  - #1137016 filed against vnu.
  - #1137017 filed against golang-github-shirou-gopsutil.
  - #1137018 filed against javacc5.
  - #1137019 filed against rssguard.
  - #1137204 filed against golang-github-containerd-accelerated-container-image.
  - #1137335 filed against docker-credential-gcr.
  - #1137336 filed against xpenguins.
  - #1138232 filed against cairocffi.
  - #1138639 filed against meshy.
  - #1138640 filed against bingo.
  - #1138641 filed against golang-github-cyclonedx-cyclonedx-go.
  - #1138642 filed against nfstest.
- Paul Gevers (1):
- Vagrant Cascadian (2):
Documentation updates
- Chris Lamb:
  - Added a missing + (plus sign) to the GNU Autotools example on the SOURCE_DATE_EPOCH documentation page. […]
- Mattia Rizzolo:
  - Made a number of changes to the 2026 Gothenburg Summit event page. […][…][…][…]
Reproducible open source messengers
GitHub developer BarbossHack is maintaining a repository/page on GitHub to “track reproducibility status of open source messengers”.
Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. You can also get in touch with us via:
- IRC: #reproducible-builds on irc.oftc.net
- Mastodon: @reproducible_builds@fosstodon.org
- Mailing list: rb-general@lists.reproducible-builds.org