Tools
Several tools are available to make your life easier when working on reproducible builds.
- Tools to compare build artifacts and/or detect nondeterminism
- Tools to make builds reproducible (by removing nondeterminism)
- Tools for rebuilding
- verifiers?
- Misc
Tools to compare build artifacts and/or detect nondeterminism
diffoscope
diffoscope will try to get to the bottom of what makes files or directories different. It will recursively unpack archives of many kinds and transform various binary formats into more human-readable forms for comparison. It can compare two tarballs, ISO images, or PDFs just as easily. See an example HTML and text output.
Links: Homepage, Git, Issues, Merge requests, Debian package, PyPI, Arch Linux package
trydiffoscope
If you wish to just experiment with diffoscope without installing a large number of run-time dependencies, you can use the try.diffoscope.org service directly from your web browser. A lightweight client is also available as the trydiffoscope command-line utility.
Links: Homepage, Git, Merge requests, Debian package, PyPI
reprotest
reprotest builds the same source code in different environments and then checks the binaries produced by the builds to see if changing the environment, without changing the source code, changed the generated binaries.
Links: Git, Merge requests, Debian package, Arch Linux package
disorderfs
Problems with unstable order of inputs or other variations introduced by filesystems can sometimes be hard to track down. disorderfs is an overlay FUSE filesystem that deliberately introduces non-determinism into filesystem metadata. For example, it can randomize the order in which directory entries are read.
Links: Git, Merge requests, Debian package, Arch Linux package
The Unreproducible Package
The Unreproducible Package is meant as a practical way to demonstrate the various ways that software can break reproducible builds, using only low-level primitives and without requiring external programs that implement these primitives themselves. It is structured so that each subdirectory demonstrates one class of issues, in a few variants observed in the wild.
diffoci
diffoci compares Docker and OCI container images to help with reproducible builds.
reproducible-apk-tools
reproducible-apk-tools is a collection of scripts to help make APKs reproducible, or to find out why they are not.
Links: Git, Issues, Merge requests, PyPI
ismypackagereproducibleyet
ismypackagereproducibleyet is a service for developers, packagers and users to quickly find out whether a package builds reproducibly in some Linux distribution.
Tools to make builds reproducible (by removing nondeterminism)
strip-nondeterminism
Some tools used in build systems introduce non-determinism in ways that are difficult to fix at the source, so the output has to be post-processed. strip-nondeterminism knows how to normalise various file formats such as gzipped files, ZIP archives, and Jar files. It is written in Perl with extensibility in mind.
Links: Git, Issues, Merge requests, Debian package, Arch Linux package
disorderfs
Problems with unstable order of inputs or other variations introduced by filesystems can sometimes be hard to track down. disorderfs is an overlay FUSE filesystem that deliberately introduces non-determinism into filesystem metadata. For example, it can randomize the order in which directory entries are read.
Links: Git, Merge requests, Debian package, Arch Linux package
Reproducible Build Maven Plugin
This Maven plugin tries to strip "non-reproducible" data from the generated artifacts. It follows the same goals as Debian's Reproducible Builds project, but at the modest scale of a single Maven project.
sbt-reproducible-builds
sbt-reproducible-builds is an sbt plugin that makes sbt builds more reproducible. It is popular with Scala projects.
reproducible-apk-tools
reproducible-apk-tools is a collection of scripts to help make APKs reproducible, or to find out why they are not.
Links: Git, Issues, Merge requests, PyPI
apksigcopier
apksigcopier is a tool that enables using an Android APK signature as a build input, making it possible to create a reproducible build from the source code without having access to the private key used to create the signature. It can also be used to verify that two APKs with different signatures are otherwise identical.
Links: Git, Issues, Merge requests, Debian package, PyPI, Arch Linux package
Tools for rebuilding
orchestrators
rebuilderd
An independent verification system for binary packages. rebuilderd monitors the package repository of a Linux distribution and uses rebuilder backends such as archlinux-repro to verify that the provided binary packages can be reproduced from the given source code.
Links: Git, Issues, Merge requests, Arch Linux Documentation, Arch Linux package
PackageRebuilder
A standalone orchestrator for rebuilding Debian, Fedora and Qubes OS packages in order to generate in-toto metadata, which can then be used with apt-transport-in-toto or dnf-plugin-in-toto to validate the reproducibility status of packages at install time.
Links: Git, Issues, Merge requests, Arch Linux package
Reproducible Builds Transparency Log (rbtlog)
rbtlog is a Reproducible Builds transparency log for Android APKs. Its git repository contains:
- Scripts forming a rebuilder framework.
- Recipes to build various apps.
- Rebuild logs forming a transparency log of reproduction attempts.
- GitHub Actions workflows to automate everything.
Links: Git, Issues, Merge requests, IzzyOnDroid rebuilder
rebuilder-backends
Arch Linux repro
repro is intended to be a tool for users to verify packages distributed by Arch Linux. It uses the embedded .BUILDINFO file to reconstruct an identical build environment and repeats the build from source, then compares the input package with the package generated during the verification build.
Links: Git, Issues, Merge requests, Arch Linux package
Arch Linux makerepropkg
makerepropkg rebuilds a package to see if it is reproducible.
Debian debrebuild.pl
Given a buildinfo file from a Debian package, debrebuild.pl generates instructions for attempting to reproduce the binary packages built from the associated source and build information.
debrebuild
Given a buildinfo file from a Debian package, debrebuild generates instructions for attempting to reproduce the binary packages built from the associated source and build information. debrebuild can parse a buildinfo file that carries a GPG signature and verify that signature with a provided key file.
Heavily inspired by the original Debian tool debrebuild and by newer features from https://salsa.debian.org/josch/devscripts/-/commits/debrebuild and https://salsa.debian.org/fepitre/devscripts/-/commits/debrebuild.
rpmreproduce
Given a buildinfo file from an RPM package, rpmreproduce generates instructions for attempting to reproduce the binary packages built from the associated source and build information.
orb: check opam package reproducibility
This tool can check whether an opam package build is reproducible. It has two subcommands: build and rebuild.
orb build conducts a build of an opam package and collects the build result (and hashes thereof) together with the build inputs.
orb rebuild takes this data as input, conducts a second build in the same environment, and checks that the hashes of the produced binaries are identical.
Links: Homepage, Git, Issues, Merge requests
clients/frontends
Rebuilderd Website
The Rebuilderd Website is a simple status display showing the number of reproducible packages for Arch Linux. It uses rebuilderd's API to fetch the current reproducibility status.
Links: Homepage, Git, Issues, Merge requests, Arch Linux package
ismyarchverifiedyet
An experimental Python script that queries results from rebuilderd instances and compares them with the packages on your local Arch system.
Arch Repro Status
A CLI tool for querying the reproducibility status of Arch Linux packages using data from a rebuilderd instance such as reproducible.archlinux.org. It can show the reproducibility status of the packages that belong to an individual package maintainer, and of the packages currently installed on the system.
Links: Git, Issues, Merge requests, Arch Linux package
Builder-web - a web frontend for reproducible builds (robur)
Builder-web takes in submissions of builds, typically from builder, and displays the produced artifacts in a way that makes it easy to compare checksums and build status. Produced binaries can be downloaded and executed. builds.robur.coop itself runs builder-web.
Links: Homepage, Git, Issues, Merge requests
verifiers?
(I wonder how we can contrast a more thorough attestation verification vs regular client/frontends)
- https://github.com/tweag/trustix
- https://github.com/in-toto/apt-transport-in-toto
- https://github.com/fepitre/dnf-plugin-in-toto
Misc
- Style guide for reproducible-builds.org: this guide aims to provide standards, principles and components for designing consistent views related to the Reproducible Builds project.
Signed tarballs are available for our tools.