home.social

#reproduciblebuilds — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #reproduciblebuilds, aggregated by home.social.

  1. Inspired by the Debian 14 announcement, I’ve finally made my json-store package create reproducible builds.

    This was super easy thanks to all the work done by the hatch build system.

    hatch.pypa.io/1.16/config/buil

    You should too. 😁

  2. Dear opensource developers,

    I added an "adoption" list to the repro-env README, if you publish pre-compiled binaries and you successfully adopted it to allow anyone to reproduce them from source code to prove the absence of a build server compromise, you are very welcome to add yourself to the list. 😺

    github.com/kpcyrd/repro-env#ad

    #reproducible #reproduciblebuilds #supplychainsecurity #rust

  7. Debian 14 Forky is mandating bit-for-bit identical builds to stop supply chain attacks. Discover how this shifts trust from servers to auditable source code.

    More details here: ostechnix.com/debian-linux-rep

    #Debian14 #DebianForky #ReproducibleBuilds #Security #Linux #Packages #SupplyChainSecurity

  12. Wow, nice status for the #ReproducibleBuilds at #IzzyOnDroid today – 888 apps (64.9%) :awesome:

  17. Debian raises the security bar by making "Reproducible Builds" mandatory for Debian 14 "Forky".
    Every package will have to be rebuildable from the original source, or it will be excluded.
    This ensures that the software we install is exactly what the developers declared, protecting us from tampering during the build phase.
    itsfoss.com/news/debian-makes-

    @linux

    #Debian #Linux #Sicurezza #ReproducibleBuilds #SoftwareLibero #Privacy

  18. "As of May 9, 2026, Debian’s migration software now actively blocks packages from migrating into the testing archive if they fail the reproducibility check. This applies both to new packages that cannot be reproduced and to existing packages whose reproducibility has regressed. Debian 14.0 will be the first major Debian release to ship under this hard mandate."
    pbxscience.com/debian-mandates

    #reproducibility #debian #debian14 #reproduciblebuilds

  19. Debian 14 will only contain reproducible packages

    Reproducible builds are a set of rules that apply to software development, including applications and libraries, to create a verifiable path from the source code to the binary code. It allows you to build the library or the application bit-for-bit. Reproducible builds tend to have great features, including, but not limited to:

    • Security and trust: Allows third-parties to make sure that the software hasn’t been altered or tampered with.
    • Transparency in development: Makes sure that developers’ code always works the same way.
    • Resilience against attacks: Allows third-parties to verify the developers’ software to prevent your projects from being compromised.

    Half way through the development cycle of the upcoming Debian release expected in 2027, Debian 14 Forky, the Debian release team has made a decision regarding the reproducible builds effort. Over the years with the Reproducible Builds effort that makes sure that packages get built consistently bit-for-bit, the Debian release team has decided that reproducible builds must be satisfied for the Debian packages to be approved.

    A new mandate for Debian 14 Forky states that the reproducible packages, which are packages that build consistently and with confidence bit-for-bit, must be shipped. The migration software will reject the package addition or update if said package no longer becomes reproducible.

    The Debian release team has also provided a link that allows you to check the package reproducibility status for the upcoming version of Debian via https://reproduce.debian.net/.

    Via: Phoronix

    #Debian #Debian14 #Debian14Forky #DebianForky #news #Reproducible #ReproducibleBuilds #ReproduciblePackages #Tech #Technology #update
  24. #AndroidAppRain at apt.izzysoft.de/fdroid/?radd=1 today brings you 25 updated and 1 added apps:

    * Khushu: a private Muslim app for prayer, tasbih, study, and gentle reminders 🛡️

    Enjoy your #free #Android #apps with the #IzzyOnDroid repository :awesome:

    Oh, and if your favourite app had its #ReproducibleBuilds fail, you can now hover your mouse over the yellow shield to find a hint on why it failed. It's usually just minor shenanigans, like an embedded build id…

  29. Reproducible builds are a valuable property for remote attestation workflows but often hard to maintain. We faced a special challenge building reproducible artifacts that contain signatures.

    Together with @Euler I wrote a blog post about how we used ECDSA public key recovery to generate signatures that match exactly one artifact, can be reproduced by a verifier, and are secure, without anyone ever knowing a private key.

    katexochen.aro.bz/posts/reprod

    #ReproducibleBuilds #RemoteAttestation #Cryptography #ConfidentialComputing #Infosec

  30. For the #NixOS #QubesOS and #reproduciblebuilds nerds out there, I finally found some time to clean this up enough to post my fully-reproducible NixOS template for QubesOS PR: github.com/evq/qubes-nixos-tem

    This feels so niche it kind of hurts my soul. FWIW I'll do a lightning talk on the value of build reproducibility on Thursday, so maybe I can get a few more people to care.

  31. For those who use #NeoStore, one of our recommended clients, we have exciting news: they just added a setting that puts you in control of #ReproducibleBuilds.

    Settings › Service › Disable auto-update on non-reproducible updates

    If you want your RB apps only auto-updated if the update was also confirmed to fully match the source code, consider turning it on for extra security.

    You can then still manually update it, regardless of reproducibility status.

    Do note …

    (1/2)

    #IzzyOnDroid

  32. New guide on getnix.io — "What is Nix?"

    A beginner-friendly intro to what Nix actually is, how it differs from Docker/Homebrew/Apt/Ansible, and the core concepts you need before diving in. If you've ever wondered why people keep talking about Nix, this one's for you.

    getnix.io/guides/what-is-nix/

    #Nix #NixOS #Linux #macOS #DevOps #ReproducibleBuilds #PackageManagement

  33. What if you could ~$ git clone SWHID?

    "You’d end up with git clone as a content-addressed fetch primitive rather than just a URL fetch, which is an interesting building block for reproducible builds and supply chain verification."

    A nice write-up by @andrewnez on git remote helpers 👉 nesbitt.io/2026/03/18/git-remo

    #Git #SWHID #ReproducibleBuilds

  34. Supply chain security meets reproducible builds.
    ExpressVPN is sponsoring PlanetNix 2026, highlighting the intersection of privacy, open-source infrastructure, and build reproducibility.
    Event focus areas:
    • Deterministic builds
    • Secure deployment pipelines
    • DevSecOps integration
    • Team-level onboarding models
    • Production-grade Nix environments

    Reproducibility is increasingly tied to:
    – Software supply chain integrity
    – Auditability
    – Compliance frameworks
    – Infrastructure security baselines
    As build determinism becomes more relevant to threat modeling, open-source tooling like Nix may play a critical role.

    Source: planetnix.com/

    Are reproducible systems now essential for modern security architecture?

    Engage in the comments.
    Follow TechNadu for high-signal infosec reporting.
    Repost to amplify open-source security discussions.

    #Infosec #DevSecOps #SupplyChainSecurity #ReproducibleBuilds #NixOS #OpenSourceSecurity #ExpressVPN #CloudSecurity #InfrastructureSecurity #ThreatModeling

  39. Flathub now testing for reproducibility and the Reproducibility team helping identify software projects that will fail to build in 2038 when the UNIX Epoch will no longer fit into a signed 32-bit integer are two of several highlights in January's Reproducible Builds report at reproducible-builds.org/report
    #reproducible #reproduciblebuilds

  40. @nixos_org @nzbr

    While we're on the topic: work on minimal-bootstrap in #nixpkgs has actually been picked up again since this thesis was written (October 2025).

    Not only that but, as of a few hours ago, the PR implementing the last step of hooking it up to become the actual bootstrap stdenv in Nixpkgs has been merged!

    github.com/NixOS/nixpkgs/pull/

    #fullsourcebootstrap #reproduciblebuilds #stage0 #minimalbootstrap #bootstrappablebuilds

  45. 🤔 Is this a #Composer normalization quirk caused by how #PHP encodes empty vs non-empty maps when regenerating composer.lock?

    `stability-flags` is logically a map, but when empty Composer may serialize it as `[]` instead of `{}`, especially after:

    composer update --prefer-dist --prefer-stable

    - Same dependency graph
    - Different lockfile bytes / hash

    Semantic determinism ✅
    Byte-level determinism ❌

    #Nix #BuildSystems #ReproducibleBuilds