fidzu : debian

Welcome to the February 2026 report from the Reproducible Builds project!

These reports outline what we've been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.

1. reproduce.debian.net
2. Tool development
3. Distribution work
4. Miscellaneous news
5. Upstream patches
6. Documentation updates
7. Four new academic papers

---

reproduce.debian.net

The last year has seen the introduction, development and deployment of reproduce.debian.net. In technical terms, this is an instance of rebuilderd, our server designed monitor the official package repositories of Linux distributions and attempt to reproduce the observed results there.

This month, however, Holger Levsen added suite-based navigation (eg. Debian trixie vs forky) to the service (in addition to the already existing architecture based navigation) which can be observed on, for instance, the Debian trixie-backports or trixie-security pages.

Tool development

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes, including preparing and uploading versions, 312 and 313 to Debian.

In particular, Chris updated the post-release deployment pipeline to ensure that the pipeline does not fail if the automatic deployment to PyPI fails […]. In addition, Vagrant Cascadian updated an external reference for the 7z tool for GNU Guix. […]. Vagrant Cascadian also updated diffoscope in GNU Guix to version 312 and 313.

Distribution work

In Debian this month:

• 26 reviews of Debian packages were added, 5 were updated and 19 were removed this month adding to our extensive knowledge about identified issues.

• A new debsbom package was uploaded to unstable. According to the package description, this package "generates SBOMs (Software Bill of Materials) for distributions based on Debian in the two standard formats, SPDX and CycloneDX. The generated SBOM includes all installed binary packages and also contains Debian Source packages."

• In addition, a sbom-toolkit package was uploaded, which "provides a collection of scripts for generating SBOM. This is the tooling used in Apertis to generate the Licenses SBOM and the Build Dependency SBOM. It also includes dh-setup-copyright, a Debhelper addon to generate SBOMs from DWARF debug information, which are "extracted from DWARF debug information by running dwarf2sources on every ELF binaries in the package and saving the output."

Lastly, Bernhard M. Wiedemann posted another openSUSE monthly update for their work there.

Miscellaneous news

• Sören Tempel (nmeum) wrote up their insightful notes on Debugging Reproducibility Issues in Rust Software after nondeterministic issues were found and investigated for pimsync in the GNU Guix review process

• Jeremy Bicha reported a bug in GNOME Clocks after they noticed that version 50.beta regressed in reproducibility compared to 49.0. Specifically, "the new generated .oga files differ in their Serial No. and Checksum [fields]". However, Jeremy ended up fixing the issue by replacing ffmpeg with oggenc.

• kpcyrd shared some information from the archlinux-dev-public mailing list on our mailing list this month after a discussion at our latest Summit meeting on the topic of Link-Time Optimisation (LTO) - specifically on the reasons why LTO often needs to be disabled in relation to Arch Linux's approach to binary hardening.

• Janneke Nieuwenhuizen posed a question to our list about whether there might be situations where using the UNIX epoch itself (i.e. 0) may materially differ from using SOURCE_DATE_EPOCH) when a situation demands the use of a fixed timestamp.

• Laurent Huberdeau announced that they had recently finished their masters thesis "arguing for the use of POSIX shell for diverse double-compilation and reproducible builds". Laurent also presents pnut, a C compiler capable of bootstrapping itself and TCC from "any POSIX-compliant shell and human-readable source files."

Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

• Bernhard M. Wiedemann:

  • aiohttp
  • lima
  • meson
  • obs-studio
  • paracon
  • pyshark
  • python-flake8-comprehensions
  • server
  • vlang

• Gioele Barabucci:

  • #1127641 filed against bitsnpicas.
  • #1127643 filed against fonts-topaz-unicode.
  • #1128901 filed against bitsnpicas.

Documentation updates

Once again, there were a number of improvements made to our website this month including:

• Aman Sharma added a Java reproducible builds paper to the Academic publications page. […]

• Chris Lamb added a reference to the repro-build to the Tools page. […]

• Michiel Hendriks corrected an issue on the JVM page in relation to .properties files. […]

• kpcyrd added Homebrew to the Who is involved page. […][…]

Four new academic papers

Julien Malka and Arnout Engelen published a paper titled Lila: Decentralized Build Reproducibility Monitoring for the Functional Package Management Model:

[While] recent studies have shown that high reproducibility rates are achievable at scale - demonstrated by the Nix ecosystem achieving over 90% reproducibility on more than 80,000 packages - the problem of effective reproducibility monitoring remains largely unsolved. In this work, we address the reproducibility monitoring challenge by introducing Lila, a decentralized system for reproducibility assessment tailored to the functional package management model. Lila enables distributed reporting of build results and aggregation into a reproducibility database […].

A PDF of their paper is available online.

Javier Ron and Martin Monperrus of KTH Royal Institute of Technology, Sweden, also published a paper, titled Verifiable Provenance of Software Artifacts with Zero-Knowledge Compilation:

Verifying that a compiled binary originates from its claimed source code is a fundamental security requirement, called source code provenance. Achieving verifiable source code provenance in practice remains challenging. The most popular technique, called reproducible builds, requires difficult matching and reexecution of build toolchains and environments. We propose a novel approach to verifiable provenance based on compiling software with zero-knowledge virtual machines (zkVMs). By executing a compiler within a zkVM, our system produces both the compiled output and a cryptographic proof attesting that the compilation was performed on the claimed source code with the claimed compiler. […]

A PDF of the paper is available online.

Oreofe Solarin of Department of Computer and Data Sciences, Case Western Reserve University, Cleveland, Ohio, USA, published It's Not Just Timestamps: A Study on Docker Reproducibility:

Reproducible container builds promise a simple integrity check for software supply chains: rebuild an image from its Dockerfile and compare hashes. We built a Docker measurement pipeline and apply it to a stratified sample of 2,000 GitHub repositories that contained a Dockerfile. We found that only 56% produce any buildable image, and just 2.7% of those are bitwise reproducible without any infrastructure configurations. After modifying infrastructure configurations, we raise bitwise reproducibility by 18.6%, but 78.7% of buildable Dockerfiles remain non-reproducible.

A PDF of Oreofe's paper is available online.

Lastly, Jens Dietrich and Behnaz Hassanshahi published On the Variability of Source Code in Maven Package Rebuilds:

[In] this paper we test the assumption that the same source code is being used [by] alternative builds. To study this, we compare the sources released with packages on Maven Central, with the sources associated with independently built packages from Google's Assured Open Source and Oracle's Build-from-Source projects. […]

A PDF of their paper is available online.

Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.

• Mastodon: @reproducible_builds@fosstodon.org

• Mailing list: rb-general@lists.reproducible-builds.org

12 Mar 2026 7:08pm GMT

Another minor maintenance release for the RcppBDT package is now on CRAN, and had been built as binary for r2u.

The RcppBDT package is an early adopter of Rcpp and was one of the first packages utilizing Boost and its Date_Time library. The now more widely-used package anytime is a direct descentant of RcppBDT.

This release is again primarily maintenance. We aid Rcpp in the transition away from calling Rf_error() by relying in Rcpp::stop() which has better behaviour and unwinding when errors or exceptions are encountered. No feature or interface changes.

The NEWS entry follows:

Changes in version 0.2.8 (2026-03-12)

• Replaced Rf_error with Rcpp::stop in three files

• Maintenance updates to continuous integration

Courtesy of my CRANberries, there is also a diffstat report for this release. For questions, suggestions, or issues please use the issue tracker at the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can now sponsor me at GitHub.

12 Mar 2026 6:03pm GMT

On 25th Oct 2025, I announced via my personal blog and on Mastodon that Fre(i)e Software GmbH was hiring. The hiring process was a mix of asking developers I know and waiting for new people to apply.

At the beginning of November 2025 / in mid November 2025, we started with 13 developers (all part-time) to work on various topics around Lomiri (upstream and downstream). Note that the below achievements don't document the overall activity in the Lomiri project, but that part that our team at Fre(i)e Software GmbH contributed to.

Organizational Achievements

• Setup management board for Qt6 migration in Lomiri [1]
• Setup management board for salsa2ubports package syncing [2]
• Bootstrap Qt 6.8 in UBports APT repository
• Bootstrap Qt 6.8 in Lomiri PPA
• Fix Salsa CI for all Lomiri-related Debian packages
• Facilitate contributor's project around XDG Desktop Portal support for Lomiri.
• Plan how to bring DeltaTouch and DeltaChat core to Debian

Maintenance Development

• Replace libofono-qt by libqofono in telepathy-ofono
• Rework unit tests in telepathy-ofono utilizing ofone-phonesim
• Obsolete not-used-anymore u1db-qt
• Fixing wrong bin:pkg names regarding snapd-glib's QML module

Qt6 Porting

• qmake -> CMake porting (if needed) and Qt6 porting of shared libraries and QML modules consumed by Lomiri shell and Lomiri apps:
  • biometryd
  • libqofono
  • libqofonoext
  • libqtdbusmock
  • lomiri-account-polld
  • lomiri-action-api
  • lomiri-api
  • lomiri-download-manager
  • lomiri-location-service
  • lomiri-online-accounts
  • lomiri-push-qml
  • lomiri-push-service
  • maliit-framework
  • mediascanner2
  • qtlomiri-appmenutheme
  • qtpim (started, work in progress)
  • qwebdavlib
  • signond (flaws spotted in Debian's porting of signond to Qt6)

Feature Development

• Continuing with Morph Browser Qt6 / LUITK
  • Build, run and fix LUITK unit tests for Qt6
  • various bug fixes and improvements for Morph Qt6
• Add mbim modem support to ofono upstream
• Improve ofono support in Network Manager
• Improve mbim modem support in lomiri-indicator-network
• Package kazv (convergent Matrix client) and dependencies for Debian
• Provide Lomiri images for Mobian

Research

• Research on fuse-based caching Webdav client for lomiri-cloudsync-app.
• Research on alternative ORM instead of QDjango in libusermetrics

[1] https://gitlab.com/groups/ubports/development/-/boards/9895029?label_name%5B%5D=Topic%3A%20Qt%206
[2] https://gitlab.com/groups/ubports/development/-/boards/10037876?label_name[]=Topic%3A%20salsa2ubports%20DEB%20syncing

12 Mar 2026 8:59am GMT