Welcome to the September 2025 report from the Reproducible Builds project!
Welcome to the very latest report from the Reproducible Builds project. Our monthly reports outline what we’ve been up to over the past month, and highlight items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.
In this report:
- Reproducible Builds Summit 2025
- Can’t we have nice things?
- Distribution work
- Tool development
- Reproducibility testing framework
- Upstream patches
Reproducible Builds Summit 2025
Please join us at the upcoming Reproducible Builds Summit, set to take place from October 28th — 30th 2025 in Vienna, Austria!
We are thrilled to host the eighth edition of this exciting event, following the success of previous summits in various iconic locations around the world, including Venice, Marrakesh, Paris, Berlin, Hamburg and Athens. Our summits are a unique gathering that brings together attendees from diverse projects, united by a shared vision of advancing the Reproducible Builds effort.
During this enriching event, participants will have the opportunity to engage in discussions, establish connections and exchange ideas to drive progress in this vital field. Our aim is to create an inclusive space that fosters collaboration, innovation and problem-solving.
If you’re interested in joining us this year, please make sure to read the event page which has more details about the event and location. Registration is open until 20th September 2025, and we are very much looking forward to seeing many readers of these reports there!
Can’t we have nice things?
Debian Developer Gunnar Wolf blogged about George V. Neville-Neil’s “Kode Vicious” column in Communications of the ACM, in which reproducible builds “is mentioned without needing to introduce it (assuming familiarity across the computing industry and academia)”. Titled Can’t we have nice things?, the article mentions:
Once the proper measurement points are known, we want to constrain the system such that what it does is simple enough to understand and easy to repeat. It is quite telling that the push for software that enables reproducible builds only really took off after an embarrassing widespread security issue ended up affecting the entire Internet. That there had already been 50 years of software development before anyone thought that introducing a few constraints might be a good idea is, well, let’s just say it generates many emotions, none of them happy, fuzzy ones. […]
Distribution work
In Debian this month, Johannes Starosta filed a bug against the debian-repro-status package, reporting that it does not work on Debian trixie. (An upstream bug report was also filed.) Furthermore, 17 reviews of Debian packages were added, 10 were updated and 14 were removed this month, adding to our knowledge about identified issues.
In March’s report, we included the news that Fedora would aim for 99% package reproducibility. This change has now been deferred to Fedora 44 according to Phoronix.
Lastly, Bernhard M. Wiedemann posted another openSUSE monthly update for their work there.
Tool development
diffoscope version 306 was uploaded to Debian unstable by Chris Lamb. It included contributions already covered in previous months as well as some changes by Zbigniew Jędrzejewski-Szmek to address issues with the fdtdump support […] and to move away from the deprecated codecs.open method. […][…]
strip-nondeterminism version 1.15.0-1 was uploaded to Debian unstable by Chris Lamb. It included a contribution by Matwey Kornilov to add support for inline archive files for Erlang’s escript […].
kpcyrd has released a new version of rebuilderd. As a quick recap, rebuilderd is an automatic build scheduler that tracks binary packages available in a Linux distribution and attempts to compile the official binary packages from their (purported) source code and dependencies. The code for in-toto attestations has been reworked, and the instances now feature a new endpoint that can be queried to fetch the list of public-keys an instance currently identifies itself by. […]
Lastly, Holger Levsen bumped the Standards-Version field of disorderfs, with no changes needed. […][…]
Reproducibility testing framework
The Reproducible Builds project operates a comprehensive testing framework running primarily at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility. In August, however, a number of changes were made by Holger Levsen, including:
- Setting up six new rebuilderd workers with 16 cores and 16 GB RAM each.
- reproduce.debian.net-related:
  - Do not expose pending jobs; they are confusing without explanation. […]
  - Add a link to v1 API specification. […]
  - Drop rebuilderd-worker.conf on a node. […]
  - Allow manual scheduling for any architectures. […]
  - Update path to trixie graphs. […]
  - Use the same rebuilder-debian.sh script for all hosts. […]
  - Add all other suites to all other archs. […][…][…][…]
  - Update SSH host keys for new hosts. […]
  - Move to the pull184 branch. […][…][…][…][…]
  - Only allow 20 GB cache for workers. […]
- OpenWrt-related:
- Jenkins nodes:
- Misc:
  - Drop disabled Alpine Linux tests for good. […]
  - Move Debian live builds and some other Debian builds to the ionos10 node. […]
  - Cleanup some legacy support from releases before Debian trixie. […]
In addition, Jochen Sprickerhof made the following changes relating to reproduce.debian.net:
- Do not expose pending jobs on the main site. […]
- Switch the frontpage to reference Debian forky […], but do not attempt to build Debian forky on the armel architecture […].
- Use consistent and up to date rebuilder-debian.sh script. […]
- Fix supported worker architectures. […]
- Add a basic ‘excuses’ page. […]
- Move to the pull184 branch. […][…][…][…]
- Fix a typo in the JavaScript. […]
- Update front page for the new v1 API. […][…]
Lastly, Roland Clobus did some maintenance relating to the reproducibility testing of the Debian Live images. […][…][…][…]
Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
- Aleksei Burlakov:
- Bernhard M. Wiedemann:
- Chris Lamb:
  - #1113809 filed against ms-gsl.
  - #1113813 filed against llama.cpp.
  - #1114638 filed against python-mcstasscript.
  - #1114772 filed against rocm-docs-core.
  - #1114869 filed against octave-optics.
  - #1114950 filed against g2o.
  - #1114999 filed against golang-forgejo-forgejo-levelqueue.
  - #1115999 filed against openrgb.
- Roland Clobus:
Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
- IRC: #reproducible-builds on irc.oftc.net.
- Mastodon: @reproducible_builds@fosstodon.org
- Mailing list: rb-general@lists.reproducible-builds.org