{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreif6323cnwldzry4gdwlyrq2of473y4lywkrljimfbf3jymwfkxfca",
    "uri": "at://did:plc:46ti67tc37qcmwp2vaynk6fq/app.bsky.feed.post/3mlcbr5xsyjd2"
  },
  "path": "/reports/2026-04/",
  "publishedAt": "2026-05-07T22:37:51.864Z",
  "site": "https://reproducible-builds.org",
  "tags": [
    "Reproducible Builds",
    "Contribute",
    "Tor stateless relays and Reproducible Builds",
    "Civil Infrastructure Platform celebrates 10 years of supporting industrial grade Linux",
    "Reproducible Builds at LinuxFest NorthWest",
    "Reproducibility issues in Rust binaries that embed random bytes",
    "Distribution work",
    "Patches",
    "diffoscope development",
    "Documentation updates",
    "Misc news",
    "Tor Project blog",
    "Osservatorio Nessuno OdV",
    "Tor exit relays",
    "A Server That Forgets: Exploring Stateless Relays",
    "Trusted Platform Module",
    "Civil Infrastructure Platform",
    "reaching their 10-year anniversary",
    "in CIP’s press release",
    "LinuxFest NorthWest",
    "slides are available",
    "source code",
    "build them reproducibly",
    "opened a ticket",
    "Rustsec",
    "Hash Collision DoS mitigation",
    "kpcyrd notes in his message",
    "providing a bit-for-bit reproducible image",
    "a related announcement and implementation details",
    "mailing list",
    "Robin Candau",
    "Arch Linux Now Has a Bit-for-Bit Reproducible Docker Image",
    "pacman",
    "…",
    "also discussed on Hacker News",
    "our knowledge about identified issues",
    "Non-Maintainer Uploads",
    "jakarta-jmeter",
    "wxmplot",
    "critcl",
    "vcsh",
    "magic-wormhole-transit-relay",
    "APT package manager",
    "APT should ignore [a] 0 epoch when downloading or installing with a version specifier",
    "optional epoch prefix",
    "NixOS",
    "Lila: Decentralized Build Reproducibility Monitoring for the Functional Package Management Model",
    "Mining Software Repositories",
    "ACM",
    "MSR 2026 FOSS Impact Award",
    "openSUSE",
    "Open Build Service",
    "monthly update",
    "python-PyBrowserID",
    "waywall",
    "1132876",
    "wapiti",
    "1133008",
    "mage",
    "1133174",
    "vim-youcompleteme",
    "1133958",
    "python-observabilityclient",
    "1133960",
    "gwcs",
    "1134236",
    "php-dompdf",
    "1134490",
    "supercell",
    "1134552",
    "gunicorn",
    "1134666",
    "fonts-spleen",
    "1134667",
    "geoalchemy2",
    "1134668",
    "rust-opam-file-rs",
    "1135003",
    "spaln",
    "1135104",
    "python-msgspec",
    "1135192",
    "golang-github-go-ini-ini",
    "1135193",
    "golang-github-deruina-timberjack",
    "1135269",
    "ruby-timers",
    "1135279",
    "node-yarnpkg",
    "1133772",
    "gcc-15",
    "1134412",
    "chromium",
    "open-build-service",
    "cef",
    "ltsp",
    "diffoscope",
    "316",
    "317",
    "318",
    "updated diffoscope in GNU Guix to version 317",
    "Stable inputs",
    "GNU Make",
    "Archives",
    "Fedora",
    "2026 Gothenberg Summit",
    "WalletScrutiny.com",
    "Projects",
    "our mailing list",
    "Reproducible Builds Summit 2025 in Vienna",
    "repro-env",
    "KTH Royal Institute of Technology",
    "Eric Cornelissen",
    "CHAINS",
    "monitor the reproducibility of GitHub Actions",
    "GitHub Actions",
    "Docker",
    "diffoci",
    "@reproducible_builds@fosstodon.org",
    "rb-general@lists.reproducible-builds.org"
  ],
  "textContent": "**Welcome to our April 2026 report from the Reproducible Builds project!**\n\nOur reports outline what we’ve been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.\n\nIn this month’s report, we cover:\n\n  1. Tor stateless relays and Reproducible Builds\n  2. Civil Infrastructure Platform celebrates 10 years of supporting industrial grade Linux\n  3. Reproducible Builds at LinuxFest NorthWest\n  4. Reproducibility issues in Rust binaries that embed random bytes\n  5. Distribution work\n  6. Patches\n  7. diffoscope development\n  8. Documentation updates\n  9. Misc news\n\n* * *\n\n### Tor stateless relays and Reproducible Builds\n\nAn interesting post was published on the Tor Project blog by Osservatorio Nessuno OdV this month on “stateless relays”: stateless, diskless operating systems that are designed to be used as Tor exit relays. According to the post, which is titled A Server That Forgets: Exploring Stateless Relays:\n\n> For relay operators, this approach raises the security bar by enforcing better behaviors by design: […]\n>\n>   1. **Reproducibility**. A system that doesn’t change between reboots is easier to verify and, eventually, to reproduce and audit.\n\nFurthermore, the post suggests that a Trusted Platform Module (TPM) could allow such relays to be independently verified in the future:\n\n> **Transparency logs**. Once you have a measured boot chain, you can publish it. A relay operator provides a recipe for a reproducible build; anyone can recompute the expected hash and verify it matches what the TPM reports. An append-only transparency log can make these attestations publicly auditable. The Tor community could run an independent monitor to track this across the relay fleet.\n\n### Civil Infrastructure Platform celebrates 10 years of supporting industrial grade Linux\n\nCongratulations to the Civil Infrastructure Platform (CIP) for reaching their 10-year anniversary last month. CIP has been a supporter of Reproducible Builds for many years, and we have collaborated on a number of overlapping technical issues. As Chris Lamb mentions in CIP’s press release:\n\n> The collaboration between the Reproducible Builds project and CIP highlights a critical shift in how we approach industrial software. Through verifiability, CIP ensures that the open source foundation of our critical infrastructure is not only sustainable but also demonstrably secure. This commitment to transparency is vital for the trust and resilience required by critical systems over decades of operation.\n\n### Reproducible Builds at LinuxFest NorthWest\n\nVagrant Cascadian and Chris Lamb hosted a table in the exposition hall at LinuxFest NorthWest 2026 this month in Bellingham, WA, USA, introducing many people to Reproducible Builds and answering questions on both days of the conference.\n\nIn addition, Vagrant presented _Beyond Trusting Open Source Software_ on Sunday afternoon, exploring the intersection of Free/Open Source Software, Reproducible Builds and Bootstrappable Builds, and how they all reinforce each other. Vagrant’s slides are available online, including the source code to build them reproducibly.\n\n### Reproducibility issues in Rust binaries that embed random bytes\n\nReproducible Builds developer _kpcyrd_ opened a ticket on the Rustsec issue tracker regarding Rust binaries that deliberately embed random bytes at build time “as a secret seed for a Hash Collision DoS mitigation.”\n\nAs kpcyrd notes in his message, this causes issues for reproducibility, and because the relevant end-user binaries are “mostly distributed pre-compiled through package managers, those binaries (and by extension the secret seed) are public knowledge”. A seed that is fixed at build time and shipped inside the binary is therefore not secret at all, so the build-time randomness breaks reproducibility without providing the protection it was meant to give. _kpcyrd_ goes on to note:\n\n> This is somewhat unique to Rust because Python/JavaScript doesn’t compile binaries, and Go (to my knowledge) is too restrictive during build for any library to pull something like this.\n\n### Distribution work\n\nIn **Arch Linux** this month, Robin Candau and Mark Hegreberg worked on adding a new `repro` tag/version to the Arch Linux Docker images, providing a bit-for-bit reproducible image. Robin also shared a related announcement and implementation details on our mailing list, and published a blog post announcing that “Arch Linux Now Has a Bit-for-Bit Reproducible Docker Image”. Robin mentions one interesting caveat:\n\n> to ensure reproducibility, the pacman [package manager] keys have to be stripped from the image, meaning that `pacman` is not usable out of the box in this image. While waiting to find a suitable solution to this technical constraint, we are therefore providing this reproducible image under a dedicated tag as a first milestone. […]\n\nThe blog post was also discussed on Hacker News.\n\nIn **Debian** this month, 24 reviews of Debian packages were added, 7 were updated and 16 were removed, adding to our knowledge about identified issues.\n\nVagrant Cascadian performed Non-Maintainer Uploads (NMUs) in Debian for several packages with outstanding patches over a year old: jakarta-jmeter, wxmplot, critcl, vcsh and magic-wormhole-transit-relay.\n\nIn addition, Reproducible Builds developer Jochen Sprickerhof filed a bug against the APT package manager to request that “APT should ignore [a] 0 epoch when downloading or installing with a version specifier”. This is related to the special-case handling of the optional epoch prefix in Debian package version numbers: an omitted epoch is defined to be equivalent to an epoch of `0`, so `1.2-3` and `0:1.2-3` denote the same version, and a version specifier should match either form.\n\nIn **NixOS**, Julien Malka presented Lila: Decentralized Build Reproducibility Monitoring for the Functional Package Management Model, a paper written together with Arnout Engelen, at the ACM Mining Software Repositories (MSR) conference, where it was awarded the MSR 2026 FOSS Impact Award. Congratulations!\n\nLastly, in **openSUSE**, Michael Schroeder added reproducibility verification support in the Open Build Service […] and Bernhard M. Wiedemann posted another openSUSE monthly update for their reproducibility work there.\n\n### Patches\n\nThe Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where applicable or possible. This month, we wrote a large number of such patches, including:\n\n  * Bernhard M. Wiedemann:\n\n    * python-PyBrowserID\n    * waywall\n  * Chris Lamb:\n\n    * #1132876 filed against wapiti.\n    * #1133008 filed against mage.\n    * #1133174 filed against vim-youcompleteme.\n    * #1133958 filed against python-observabilityclient.\n    * #1133960 filed against gwcs.\n    * #1134236 filed against php-dompdf.\n    * #1134490 filed against supercell.\n    * #1134552 filed against gunicorn.\n    * #1134666 filed against fonts-spleen.\n    * #1134667 filed against geoalchemy2.\n    * #1134668 filed against rust-opam-file-rs.\n    * #1135003 filed against spaln.\n    * #1135104 filed against python-msgspec.\n    * #1135192 filed against golang-github-go-ini-ini.\n    * #1135193 filed against golang-github-deruina-timberjack.\n    * #1135269 filed against ruby-timers.\n    * #1135279 filed against node-yarnpkg.\n  * Jochen Sprickerhof:\n\n    * #1133772 filed against gcc-15.\n    * #1134412 filed against chromium.\n  * Michael Schroeder:\n\n    * open-build-service\n  * Robin Candau:\n\n    * cef\n  * Chris Lamb and Vagrant Cascadian:\n\n    * ltsp\n\n### _diffoscope_ development\n\ndiffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes, including preparing and uploading versions 316, 317 and 318 to Debian.\n\n  * Chris Lamb:\n\n    * Bump Standards-Version to `4.7.4`. […]\n    * Correct ordering of `python3-guestfs` architecture restrictions. […]\n    * Limit `python3-guestfs` Build-Dependency to architectures that are not `i386`. […]\n    * Try to fix `PYPI_ID_TOKEN` debugging. […]\n  * Holger Levsen:\n\n    * Add `ppc64el` to the `python3-guestfs` architecture whitelist. (Closes: #1132974). […]\n  * Manuel Jacob:\n\n    * Remove a misleading comment. […]\n\nIn addition, Vagrant Cascadian updated diffoscope in GNU Guix to version 317.\n\n### Documentation updates\n\nYet again, there were a number of improvements made to our website this month, including:\n\n  * Manuel Jacob:\n\n    * Fix a number of issues on the Stable inputs page, including using the present tense instead of the future […], clarifying a case-dependent sorting issue […], clarifying when the ordering should be stable […], and updating the information about the sorting behavior of GNU Make. […]\n    * On the Archives page, remove information about deterministic archives in historical Fedora versions […], add a note about `.tar` file portability […], correct a section about `.tar` PAX headers […] and add a missing word […].\n  * Mattia Rizzolo:\n\n    * Add a basic draft, subject to change, of the 2026 Gothenberg Summit event page. […][…]\n  * _kpcyrd_ :\n\n    * Remove a link from the 2026 Gothenberg Summit event page. […]\n  * _ktecho_ :\n\n    * Add WalletScrutiny.com to the Projects page. […]\n\n### Misc news\n\nOn our mailing list this month:\n\n  * Timo Pohl posted to our list inviting people to “online group discussions with 4-6 participants each to talk about your perception of terms and requirements for reproducibility.” As Timo notes:\n\n> During our research of the existing literature, as well as my experience at the Reproducible Builds Summit 2025 in Vienna, we noticed that some of the terminology in the field is not used consistently across different groups of people, and that the precise meaning of some core terms like “reproducibility of an artifact” in itself is not uniform.\n\nAs Timo mentions, the sessions will last roughly 90 minutes and participants will be rewarded with 50€ each.\n\n  * _kpcyrd_ posted to the list asking for assistance with fixing an issue after updating the `flake.lock` file for their repro-env project.\n\n  * Aman Sharma of the KTH Royal Institute of Technology, Sweden, posted to our list to share that Eric Cornelissen, a PhD student in KTH’s CHAINS group, is maintaining an open-source project to monitor the reproducibility of GitHub Actions:\n\n> The goal of the project is to assess whether GitHub Actions can be reproduced. Currently, it focuses on two types of Actions: JavaScript-based actions and Docker-based actions (composite actions are not considered). For JavaScript actions, the project rebuilds the distributed files and compares them bit-by-bit with the repository contents. For Docker actions, it rebuilds images from the `Dockerfile` and checks for semantic equivalence, using diffoci, across builds.\n\nFinally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. You can also get in touch with us via:\n\n  * IRC: `#reproducible-builds` on `irc.oftc.net`.\n\n  * Mastodon: @reproducible_builds@fosstodon.org\n\n  * Mailing list: rb-general@lists.reproducible-builds.org\n",
  "title": "Reproducible Builds: Reproducible Builds in April 2026",
  "updatedAt": "2026-05-07T21:16:02.000Z"
}