home.social

#reproducible-builds — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #reproducible-builds, aggregated by home.social.

  1. Aaand… Welcome to the RB family, Sshd4a 🥳

    apt.izzysoft.de/packages/com.h

    Sshd4a provides an 'sshd' server with shell access, rsync and scp/sftp services. Thanks to the help of its developer, it could now be confirmed to be reproducible :awesome:

    Coming to your favourite repository with the next sync 😉

    #IzzyOnDroid #ReproducibleBuilds

  2. Inspired by the Debian 14 announcement, I’ve finally made my json-store #Python package create reproducible builds.

    This was super easy thanks to all the work done by the hatch build system.

    hatch.pypa.io/1.16/config/buil

    You should too. 😁

    #reproduciblebuilds

  3. Dear opensource developers,

    I added an "adoption" list to the repro-env README, if you publish pre-compiled binaries and you successfully adopted it to allow anyone to reproduce them from source code to prove the absence of a build server compromise, you are very welcome to add yourself to the list. 😺

    github.com/kpcyrd/repro-env#ad

    #reproducible #reproduciblebuilds #supplychainsecurity #rust

  4. Debian 14 Forky is mandating bit-for-bit identical builds to stop supply chain attacks. Discover how this shifts trust from servers to auditable source code.

    More details here: ostechnix.com/debian-linux-rep

    #Debian14 #DebianForky #ReproducibleBuilds #Security #Linux #Packages #SupplyChainSecurity

  5. Wow, nice status for the #ReproducibleBuilds at #IzzyOnDroid today – 888 apps (64.9%) :awesome:

  6. Debian raises the security bar by making "Reproducible Builds" mandatory for Debian 14 "Forky".
    Every package must be rebuildable from the original source, or it will be excluded.
    This guarantees that the software we install is exactly what the developers declared, protecting us from manipulation during the compilation phase.
    itsfoss.com/news/debian-makes-

    @linux

    #Debian #Linux #Sicurezza #ReproducibleBuilds #SoftwareLibero #Privacy

  7. "As of May 9, 2026, Debian’s migration software now actively blocks packages from migrating into the testing archive if they fail the reproducibility check. This applies both to new packages that cannot be reproduced and to existing packages whose reproducibility has regressed. Debian 14.0 will be the first major Debian release to ship under this hard mandate."
    pbxscience.com/debian-mandates

    #reproducibility #debian #debian14 #reproduciblebuilds

  8. Debian 14 will only contain reproducible packages

    Reproducible builds are a set of rules that apply to software development, including applications and libraries, to create a verifiable path from the source code to the binary code. It allows you to build the library or the application bit-for-bit. Reproducible builds tend to have great features, including, but not limited to:

    • Security and trust: Allows third-parties to make sure that the software hasn’t been altered or tampered with.
    • Transparency in development: Makes sure that developers’ code always works the same way.
    • Resilience against attacks: Allows third-parties to verify the developers’ software to prevent your projects from being compromised.

    Halfway through the development cycle of the upcoming Debian release expected in 2027, Debian 14 Forky, the Debian release team has made a decision regarding the reproducible builds effort. Over the years with the Reproducible Builds effort that makes sure that packages get built consistently bit-for-bit, the Debian release team has decided that reproducible builds must be satisfied for the Debian packages to be approved.

    A new mandate for Debian 14 Forky states that the reproducible packages, which are packages that build consistently and with confidence bit-for-bit, must be shipped. The migration software will reject the package addition or update if said package no longer becomes reproducible.

    The Debian release team has also provided a link that allows you to check the package reproducibility status for the upcoming version of Debian via https://reproduce.debian.net/.

    Via: Phoronix

    #Debian #Debian14 #Debian14Forky #DebianForky #news #Reproducible #ReproducibleBuilds #ReproduciblePackages #Tech #Technology #update

  9. #AndroidAppRain at apt.izzysoft.de/fdroid/?radd=1 today brings you 25 updated and 1 added apps:

    * Khushu: a private Muslim app for prayer, tasbih, study, and gentle reminders 🛡️

    Enjoy your #free #Android #apps with the #IzzyOnDroid repository :awesome:

    Oh, and if your favourite app had its #ReproducibleBuilds fail, you can now hover your mouse over the yellow shield to find a hint on why it failed. It's usually just minor shenanigans, like an embedded build id…

  10. The Fedora Project shipped Fedora 44 on April 28 with the first major-distro reproducible-builds policy at default. Floor 99 percent, bugs filed when packages fail. Reproducible builds means anyone with the source can rebuild a binary and prove it matches byte for byte. That defends against the pipeline compromises behind Bitwarden CLI, Checkmarx, and elementary-data this year. The policy answers every Q1 supply-chain story.

    #Fedora #Linux #OpenSource #CyberSecurity #ReproducibleBuilds

  11. Reproducible builds are a valuable property for remote attestation workflows but often hard to maintain. We faced a special challenge building reproducible artifacts that contain signatures.

    Together with @Euler I wrote a blog post about how we used ECDSA public key recovery to generate signatures that match exactly one artifact, can be reproduced by a verifier, and are secure, without anyone ever knowing a private key.

    katexochen.aro.bz/posts/reprod

    #ReproducibleBuilds #RemoteAttestation #Cryptography #ConfidentialComputing #Infosec

  12. The Nix sandbox aims to provide a pure environment by isolating the build environment from the rest of the system. However, some impurities can still affect builds inside the sandbox and lead to reproducibility issues. One of them is the filesystem.

    A common example is builds that implicitly depend on inode numbering or directory entry ordering. In some cases, you might even run into a filesystem bug: a build succeeds on one machine, but fails on another with a different filesystem.

    To debug these issues, you can now use nix-buildon. It lets you swap out the filesystem underneath the Nix sandbox. By running the sandbox on disorderfs, you can get a deterministic, sorted, or reverse-sorted view of directory entries. This makes it easy to check whether a build depends on filesystem behavior that should not matter in the first place.

    github.com/katexochen/nix-buil

    I created this at #OceanSprint. 🌊

    #Nix #NixOS #ReproducibleBuilds
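    The post above describes checking whether a build depends on directory entry ordering by running it under sorted and reverse-sorted filesystem views. As an added illustration that is not part of the original post or of the nix-buildon project, the following Python script emulates those views in-process (the real tool swaps in disorderfs underneath the Nix sandbox): it runs a naive build step that concatenates files in listing order, and a fixed one that sorts its inputs, under each view and compares the output hashes. The file names and contents are constructed sample data.

```python
import hashlib
import os
import random
import tempfile
from pathlib import Path

# Constructed sample "source tree"; names and contents are made up for the demo.
SAMPLE_FILES = {
    "zeta.txt": b"zeta\n",
    "alpha.txt": b"alpha\n",
    "mid.txt": b"mid\n",
}


def make_source_tree(root: Path) -> None:
    """Write the sample files into a scratch directory."""
    for name, data in SAMPLE_FILES.items():
        (root / name).write_bytes(data)


def listing_view(root: Path, mode: str) -> list:
    """Emulate the directory-entry orders a disorderfs mount can present:
    'sorted', 'reverse' (reverse-sorted) or 'shuffled' (arbitrary order)."""
    names = os.listdir(root)
    if mode == "sorted":
        return sorted(names)
    if mode == "reverse":
        return sorted(names, reverse=True)
    if mode == "shuffled":
        # Fixed seed so the emulation itself stays deterministic across runs.
        random.Random(42).shuffle(names)
        return names
    raise ValueError(f"unknown listing mode: {mode}")


def naive_build(root: Path, entries: list) -> bytes:
    """A build step that concatenates inputs in whatever order the listing returns.
    Its output silently depends on filesystem behaviour."""
    return b"".join((root / name).read_bytes() for name in entries)


def fixed_build(root: Path, entries: list) -> bytes:
    """Same step, but sorts its inputs itself, so listing order no longer matters."""
    return b"".join((root / name).read_bytes() for name in sorted(entries))


def build_hashes(build, modes=("sorted", "reverse", "shuffled")) -> dict:
    """Run `build` under each emulated filesystem view; return mode -> SHA-256 of output."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_source_tree(root)
        return {
            mode: hashlib.sha256(build(root, listing_view(root, mode))).hexdigest()
            for mode in modes
        }


def is_reproducible(build) -> bool:
    """True when every filesystem view yields bit-for-bit identical output."""
    return len(set(build_hashes(build).values())) == 1


if __name__ == "__main__":
    for name, build in (("naive", naive_build), ("fixed", fixed_build)):
        print(f"{name}: reproducible={is_reproducible(build)}")
        for mode, digest in build_hashes(build).items():
            print(f"  {mode:8s} {digest}")
```

    The naive step produces a different digest under the reverse-sorted view than under the sorted one, which is exactly the kind of diff the sorted/reverse-sorted runs described in the post surface; the fixed step hashes identically under all three views because it no longer trusts the order the filesystem hands it.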

  13. Welcome to the RB family, Sav PDF Viewer 🥳

    apt.izzysoft.de/packages/com.s

    Sav PDF Viewer Pro is a simple PDF viewer that lets you easily view PDF files. It automatically saves the last position for each file, lets you place bookmarks, and more – without requiring a single permission.

    With some help from its developer, it finally is RB now :awesome:

    #ReproducibleBuilds #IzzyOnDroid

  14. For the #NixOS #QubesOS and #reproduciblebuilds nerds out there, I finally found some time to clean this up enough to post my fully-reproducible NixOS template for QubesOS PR: github.com/evq/qubes-nixos-tem

    This feels so niche it kind of hurts my soul. FWIW I'll do a lightning talk on the value of build reproducibility on Thursday, so maybe I can get a few more people to care.

  15. For those who use #NeoStore, one of our recommended clients, we have exciting news: they just added a setting that puts you in control of #ReproducibleBuilds.

    Settings › Service › Disable auto-update on non-reproducible updates

    If you want your RB apps only auto-updated if the update was also confirmed to fully match the source code, consider turning it on for extra security.

    You can then still manually update it, regardless of reproducibility status.

    Do note …

    (1/2)

    #IzzyOnDroid

  16. You often see us reporting our RB status, and might wonder what's so important about #ReproducibleBuilds – want a recent example? Take a look at web.archive.org/web/2026040213 – and the POC at github.com/RomashkaTea/nekogra

    In short: Release APK was built from different code, including a logger to catch all phone numbers contacted. Oh, and the dev thinks that's fine (t.me/NekoUpdates/531).

    RB would have failed for that app, and shown the diff.

    Stay safe out there!

    (1/2)

  17. New guide on getnix.io — "What is Nix?"

    A beginner-friendly intro to what Nix actually is, how it differs from Docker/Homebrew/Apt/Ansible, and the core concepts you need before diving in. If you've ever wondered why people keep talking about Nix, this one's for you.

    getnix.io/guides/what-is-nix/

    #Nix #NixOS #Linux #macOS #DevOps #ReproducibleBuilds #PackageManagement