fidzu : debian

Welcome to the first monthly report in 2026 from the Reproducible Builds project!

These reports outline what we've been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.

1. Flathub now testing for reproducibility
2. Reproducibility identifying projects that will fail to build in 2038
3. Distribution work
4. Tool development
5. Two new academic papers
6. Upstream patches

Flathub now testing for reproducibility

Flathub, the primary repository/app store for Flatpak-based applications, has begun checking for build reproducibility. According to a recent blog post:

We have started testing binary reproducibility of x86_64 builds targeting the stable repository. This is possible thanks to flathub-repro-checker, a tool doing the necessary legwork to recreate the build environment and compare the result of the rebuild with what is published on Flathub. While these tests have been running for a while now, we have recently restarted them from scratch after enabling S3 storage for diffoscope artifacts.

The test results and status is available on their reproducible builds page.

Reproducibility identifying software projects that will fail to build in 2038

Longtime Reproducible Builds developer Bernhard M. Wiedemann posted on Reddit on "Y2K38 commemoration day T-12" - that is to say, twelve years to the day before the UNIX Epoch will no longer fit into a signed 32-bit integer variable on 19th January 2038.

Bernhard's comment succinctly outlines the problem as well as notes some of the potential remedies, as well as links to a discussion with the GCC developers regarding "adding warnings for int → time_t conversions".

At the time of publication, Bernard's topic had generated 50 comments in response.

Distribution work

Conda is language-agnostic package manager which was originally developed to help Python data scientists and is now a popular package manager for Python and R.

conda-forge, a community-led infrastructure for Conda recently revamped their dashboards to rebuild packages straight to track reproducibility. There have been changes over the past two years to make the conda-forge build tooling fully reproducible by embedding the 'lockfile' of the entire build environment inside the packages.

In Debian this month:

• Scott Talbert uploaded a new version of dh-haskell (0.6.13), reverting parallel support as it broke reproducibility, thereby fixing Debian bug #1125000.

• Vagrant Cascadian posted to our mailing list on the topic of "Duplicate Debian packages with matching name-version-arch problem". The issue is that .buildinfo files only "record the package name, version and architecture of the build-dependencies (and perhaps a bit more), but there are corner cases where multiple artifacts have the same name, version and architecture". This generated some discussion on the mailing list as well as elsewhere in Debian.

• Roland Clobus also posted to our mailing list regarding Building Debian Live images from snapshot.debian.org. This surfaced an issue regarding the timestamps of the .deb file, leading to Roland filing Debian bug #1126000 to liaise with the developers of the snapshot.debian.org service.

• A change was made to migrate away from using the results from tests.reproducible-builds.org in deciding whether a package is a suitable candidate for the Debian testing distribution (the staging area for the next stable Debian release) to use the results from reproduce.debian.net instead. This was, according to Paul Gevers' merge request, because the former service "does so by building twice in a row with varying build environment. What we are actually interested in is if the binaries that we ship can be reproduced". The information provided by reproduce.debian.net is currently being used to delay or speed up packages' migration time based on their reproducibility status, but it has the potential, in the future, be used to block unreproducible packages from migrating entirely.

• 41 reviews of Debian packages were added, 7 were updated and 37 were removed this month adding to our knowledge about identified issues. Chris Lamb identified and added a new source_date_epoch_affected_by_timezone_by_d_compiler_gdc issue type, as well as timezone_variant_in_argparse_manpage.

In NixOS this month, it was announced that the GNU Guix Full Source Bootstrap was ported to NixOS as part of Wire Jansen bachelor's thesis (PDF). At the time of publication, this change has landed in NiX' stdev distribution.

Lastly, Bernhard M. Wiedemann posted another openSUSE monthly update for his work there.

Tool development

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions, 310 and 311 to Debian.

• Fix test compatibility with u-boot-tools version 2026-01. […]
• Drop the implied Rules-Requires-Root: no entry in debian/control. […]
• Bump Standards-Version to 4.7.3. […]
• Reference the Debian ocaml package instead of ocaml-nox. (#1125094)
• Apply a patch by Jelle van der Waa to adjust a test fixture match new lines. […]
• Also the drop implied Priority: optional from debian/control. […]

In addition, Holger Levsen uploaded two versions of disorderfs, first updating the package from FUSE 2 to FUSE 3 as described in last months report, as well as updating the packaging to the latest Debian standards. A second upload (0.6.2-1) was subsequently made, with Holger adding instructions on how to add the upstream release to our release archive and incorporating changes by Roland Clobus to set _FILE_OFFSET_BITS on 32-bit platforms, fixing a build failure on 32-bit systems. Vagrant Cascadian updated diffoscope in GNU Guix to version 311-2-ge4ec97f7 and disorderfs to 0.6.2.

Two new academic papers

Julien Malka, Stefano Zacchiroli and Théo Zimmermann of Télécom Paris' in-house research laboratory, the Information Processing and Communications Laboratory (LTCI) published a paper this month titled Docker Does Not Guarantee Reproducibility:

[…] While Docker is frequently cited in the literature as a tool that enables reproducibility in theory, the extent of its guarantees and limitations in practice remains under-explored. In this work, we address this gap through two complementary approaches. First, we conduct a systematic literature review to examine how Docker is framed in scientific discourse on reproducibility and to identify documented best practices for writing Dockerfiles enabling reproducible image building. Then, we perform a large-scale empirical study of 5,298 Docker builds collected from GitHub workflows. By rebuilding these images and comparing the results with their historical counterparts, we assess the real reproducibility of Docker images and evaluate the effectiveness of the best practices identified in the literature.

A PDF of their paper is available online.

Quentin Guilloteau, Antoine Waehren and Florina M. Ciorba of the University of Basel in Sweden also published a Docker-related paper, theirs called Longitudinal Study of the Software Environments Produced by Dockerfiles from Research Artifacts:

The reproducibility crisis has affected all scientific disciplines, including computer science (CS). To address this issue, the CS community has established artifact evaluation processes at conferences and in journals to evaluate the reproducibility of the results shared in publications. Authors are therefore required to share their artifacts with reviewers, including code, data, and the software environment necessary to reproduce the results. One method for sharing the software environment proposed by conferences and journals is to utilize container technologies such as Docker and Apptainer. However, these tools rely on non-reproducible tools, resulting in non-reproducible containers. In this paper, we present a tool and methodology to evaluate variations over time in software environments of container images derived from research artifacts. We also present initial results on a small set of Dockerfiles from the Euro-Par 2024 conference.

A PDF of their paper is available online.

Miscellaneous news

On our mailing list this month:

• kpcyrd started a thread after they noticed that "SWHID (also known as ISO/IEC 18670:2025) was published 1.0 in 2022 and ISO standardized in 2025, but uses the insecure SHA-1 as core cryptographic primitive", asking whether there have been any attempts to upgrade this to SHA-256 or similar.

• Jan-Benedict Glaw asked about the Reproducibility for Libreoffice [when performing] ODT to PDF conversion after they observed that "simply calling libreoffice --convert-to pdf some.odt results in unreproducible output PDF. After some replies, Jan-Benedict wrote back to observe that it may be an issue with both timestamps and embedded fonts.

Lastly, kpcyrd added a Rust section to the Stable order for outputs page on our website. […]

Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

• Bernhard M. Wiedemann:

  • clamav
  • kf6-kuserfeedback
  • libaom
  • Nim
  • otp
  • Switcheroo (by Khaleel Al-Adhami)
  • uwsm
  • ZEO

• Chris Lamb:

  • #1124697 filed against sqlalchemy-i18n.
  • #1125671 filed against tea-cli.
  • #1125725 filed against libimage-librsvg-perl.
  • #1125727 filed against seer.
  • #1125729 filed against grabix.
  • #1126038 filed against hovercraft.
  • #1126039 filed against lomiri-location-service.
  • #1126092 filed against argparse-manpage.
  • #1126454 filed against xarray-safe-rcm.
  • #1126512 filed against gcc-15 (forwarded upstream).

• Jochen Sprickerhof:

  • #1124951 filed against rsyslog.
  • #1125000 filed against dh-haskell.

Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.

• Mastodon: @reproducible_builds@fosstodon.org

• Mailing list: rb-general@lists.reproducible-builds.org

06 Feb 2026 8:04pm GMT

January was a slow month, I only did three uploads to Debian unstable:

• xdg-desktop-portal-wlr updated to 0.8.1-1
• swayimg updated to 4.7-1
• usbguard updated to 1.1.4+ds-2, which closed #1122733

I was very happy to see the new dfsg-new-queue and that there are more hands now processing the NEW queue. I also finally got one of the packages accepted that I uploaded after the Trixie release: wayback which I uploaded last August. There has been another release since then, I'll try to upload that in the next few days.

There was a bug report for carl asking for Windows support. carl used the xdg create for looking up the XDG directories, but xdg does not support windows systems (and it seems this will not change) The reporter also provided a PR to replace the dependency with the directories crate which more system agnostic. I adapted the PR a bit and merged it and released version 0.6.0 of carl.

At my dayjob I refactored django-grouper. django-grouper is a package we use to find duplicate objects in our data. Our users often work with datasets of thousands of historical persons, places and institutions and in projects that run over years and ingest data from multiple sources, it happens that entries are created several times. I wrote the initial app in 2024, but was never really happy about the approach I used back then. It was based on this blog post that describes how to group spreadsheet text cells. It uses sklearns TfidfVectorizer with a custom analyzer and the library sparse_dot_topn for creating the matrix. All in all the module to calculate the clusters was 80 lines and with sparse_dot_topn it pulled in a rather niche Python library. I was pretty sure that this functionality could also be implemented with basic sklearn functionality and it was: we are now using DictVectorizer because in a Django app we are working with objects that can be mapped to dicts anyway. And for clustering the data, the app now uses the DBSCAN algorithm (with the manhattan distance as metric). The module is now only half the size and the whole app lost one dependency! I released those changes as version 0.3.0 of the app.

At the end of January together with friends I went to Brussels to attend FOSDEM. We took the night train but there were a couple of broken down trains so the ride took 26 hours instead of one night. It is a good thing we had a one day buffer and FOSDEM only started on Saturday. As usual there were too many talks to visit, so I'll have to watch some of the recordings in the next few weeks.

Some examples of talks I found interesting so far:

• a talk about supporting Python web deployments with Rust in the Rust Developer room
• a talk about duckdb in the Python Developer room
• an introduction to particleos in the Distributions Developer room

06 Feb 2026 5:28am GMT

The diffoscope maintainers are pleased to announce the release of diffoscope version 312. This version includes the following changes:

[ Jelle van der Waa ]
* Adjust u-boot-tools/fit diff to match new lines.

You find out more by visiting the project homepage.

06 Feb 2026 12:00am GMT