Tools

Several tools are available to make your life easier when working on reproducible builds.

Tools to compare build artifacts and/or detect nondeterminism

diffoscope

diffoscope will try to get to the bottom of what makes files or directories different. It will recursively unpack archives of many kinds and transform various binary formats into more human-readable forms for comparison. It can compare two tarballs, ISO images, or PDFs just as easily. See an example HTML and text output.

Homepage Git Issues Merge requests Debian package PyPI Arch Linux package

trydiffoscope

If you wish to just experiment with diffoscope without installing a large number of run-time dependencies, you can use the try.diffoscope.org service directly from your web browser. A lightweight client is also available as the trydiffoscope command-line utility.

Homepage Git Merge requests Debian package PyPI

reprotest

reprotest builds the same source code in different environments and then checks the binaries produced by the builds to see if changing the environment, without changing the source code, changed the generated binaries.

Git Merge requests Debian package Arch Linux package

disorderfs

Problems with unstable order of inputs or other variations introduced by filesystems can sometimes be hard to track down. disorderfs is an overlay FUSE filesystem that deliberately introduces non-determinism into filesystem metadata. For example, it can randomize the order in which directory entries are read.

Git Merge requests Debian package Arch Linux package

The Unreproducible Package

The Unreproducible Package is meant as a practical way to demonstrate the various ways in which software can break reproducible builds, using only low-level primitives and without requiring external programs that implement these primitives themselves.

It is structured so that one subdirectory demonstrates one class of issues in some variants observed in the wild.

Git Issues Merge Requests

diffoci

diffoci compares Docker and OCI container images to help with reproducible builds.

Git Issues Merge requests

reproducible-apk-tools

reproducible-apk-tools is a collection of scripts to help make APKs reproducible, or find out why they are not.

Git Issues Merge requests PyPI

ismypackagereproducibleyet

ismypackagereproducibleyet is a service for developers, packagers and users to quickly find out if a package builds reproducibly in some Linux distribution.

Git Issues Merge requests

Tools to make builds reproducible (by removing nondeterminism)

strip-nondeterminism

Some tools used in build systems might introduce non-determinism in ways difficult to fix at the source, which requires post-processing. strip-nondeterminism knows how to normalise various file formats such as gzipped files, ZIP archives, and Jar files. It is written in Perl with extensibility in mind.

Git Issues Merge requests Debian package Arch Linux package

disorderfs

Problems with unstable order of inputs or other variations introduced by filesystems can sometimes be hard to track down. disorderfs is an overlay FUSE filesystem that deliberately introduces non-determinism into filesystem metadata. For example, it can randomize the order in which directory entries are read.

Git Merge requests Debian package Arch Linux package

Reproducible Build Maven Plugin

This Maven plugin tries to strip “non-reproducible” data from the generated artifacts. It follows the same goals as Debian’s Reproducible Builds project, but at the modest scale of a Maven project.

Git Issues

sbt-reproducible-builds

sbt-reproducible-builds is an sbt plugin to make sbt builds more reproducible. It is popular with Scala projects.

Git Issues Merge requests

reproducible-apk-tools

reproducible-apk-tools is a collection of scripts to help make APKs reproducible, or find out why they are not.

Git Issues Merge requests PyPI

apksigcopier

apksigcopier is a tool that enables using an Android APK signature as a build input, making it possible to create a reproducible build from the source code without having access to the private key used to create the signature. It can also be used to verify that two APKs with different signatures are otherwise identical.

Git Issues Merge requests Debian package PyPI Arch Linux package

Tools for rebuilding

orchestrators

rebuilderd

An independent verification system for binary packages. rebuilderd monitors the package repository of a Linux distribution and uses rebuilder backends such as archlinux-repro to verify that the provided binary packages can be reproduced from the given source code.

Git Issues Merge requests Arch Linux Documentation Arch Linux package

PackageRebuilder

A standalone orchestrator for rebuilding Debian, Fedora and Qubes OS packages in order to generate in-toto metadata, which can be used with apt-transport-in-toto or dnf-plugin-in-toto to validate reproducibility status.

Git Issues Merge requests Arch Linux package

Reproducible Builds Transparency Log (rbtlog)

rbtlog is a Reproducible Builds transparency log for Android APKs. Its git repository contains:

Git Issues Merge requests IzzyOnDroid rebuilder

rebuilder-backends

Arch Linux repro

repro is intended to be a tool for users to verify packages distributed by Arch Linux. It uses the embedded .BUILDINFO file to reconstruct an identical build environment and repeats the build from source, then compares the input package with the package generated during the verification build.

Git Issues Merge requests Arch Linux package

Arch Linux makerepropkg

makerepropkg - rebuild a package to see if it is reproducible.

Script

Debian debrebuild.pl

Given a buildinfo file from a Debian package, generate instructions for attempting to reproduce the binary packages built from the associated source and build information.

Script

debrebuild

Given a buildinfo file from a Debian package, generate instructions for attempting to reproduce the binary packages built from the associated source and build information. debrebuild can parse a buildinfo file that carries a GPG signature and verify that signature against a provided key file.

Heavily inspired by the original Debian tool debrebuild and by newer features from https://salsa.debian.org/josch/devscripts/-/commits/debrebuild and https://salsa.debian.org/fepitre/devscripts/-/commits/debrebuild.

Git Issues Merge requests

rpmreproduce

Given a buildinfo file from an RPM package, generate instructions for attempting to reproduce the binary packages built from the associated source and build information.

Git Issues Merge requests

orb: check opam package reproducibility

This tool can check if an opam package build is reproducible. It has two subcommands: build and rebuild.

orb build conducts a build of an opam package and collects the build result (and hashes thereof) together with the build input.

orb rebuild takes this data as input, conducts a second build with the same environment, and checks that the hashes of the produced binaries are identical.

Homepage Git Issues Merge requests

clients/frontends

Rebuilderd Website

The Rebuilderd Website is a simple status display showing the number of reproducible packages for Arch Linux. It uses rebuilderd’s API to fetch the current reproducibility status.

Homepage Git Issues Merge requests Arch Linux package

ismyarchverifiedyet

An experimental Python script that queries results from rebuilderd instances and compares them to your local Arch Linux system.

Git Issues Merge Requests

Arch Repro Status

A CLI tool for querying the reproducibility status of Arch Linux packages using data from a rebuilderd instance such as reproducible.archlinux.org. It can show the reproducibility status of packages that belong to an individual package maintainer, as well as of the packages currently installed on the system.

Git Issues Merge requests Arch Linux package

Builder-web - a web frontend for reproducible builds (robur)

Builder-web takes in submissions of builds, typically from builder, and displays the produced artifacts in a way that makes it easy to compare checksums and build status. Produced binaries can be downloaded and executed. builds.robur.coop itself runs builder-web.

Homepage Git Issues Merge requests

verifiers?

(I wonder how we can contrast a more thorough attestation verification vs regular client/frontends)

Misc

Signed tarballs are available for our tools.