fidzu : debian

• Debian packages:
  • debian-cd:
    • Bugs:
      • replied to #1120055: Please include ifenslave, vlan and possibly bridge-utils to netinst CD
  • firmware-nonfree:
    • Bugs:
      • closed #1106074: include potentially non-redistributable C\&M firmware
      • replied to and closed #1112208: firmware-nvidia-graphics: Missing gsp symlink for nvidia ad107
      • closed #1116997: firmware-amd-graphics: Please update to current VCN firmware on gitlab
      • closed #1118195: firmware-misc-nonfree: no longer actually ships Arm Mali firmware, only link to non-existing file
      • closed #1118199: firmware-mediatek: mt7921e stops working with latest version (20250917-1)
    • Merge requests:
      • reviewed !128: Draft: Add Provides: based ABI versioning mechanism
    • Uploads:
      • uploaded version 20251011-1 to unstable
      • uploaded version 20251021-1 to unstable
      • uploaded version 20251021-1~bpo13+1 to trixie-backports
      • uploaded version 20251111-1 to unstable
  • initramfs-tools:
    • Bugs:
      • closed #894294: Comment in the source of unmkinitramfs is ambiguous
      • replied to #944779: initramfs-tools-core: debug setting does not turn on tracing for scripts called by init
      • replied to #945854: Please include additional virtio modules used for boot into initramfs for MODULES=most
      • closed #1003427: COMPRESS=zstd and COMPRESS=lz4 hard-coded to bad COMPRESSLEVELs
      • closed #1020718: should at least suggest the expected compressors
      • replied to #1032610: reliably composable initramfs - zero-pad output to allow concatenation
      • replied to #1042094: initramfs-tools: Please support systemd-cryptsetup unlocked root filesystem
      • closed #1062968: initramfs-tools-core: Use zstdmt instead of zstd by default
      • closed #1065698: update-initramfs: -k all stopped working
      • closed #1084232: initramfs-tools: update-initramfs fails with "No space left on device" due to 2 temporary initrd copies in /boot
    • Merge requests:
      • reviewed !172: Use 3cpio for unmkinitramfs/lsinitramfs if available
      • merged !185: Run wrap-and-sort
      • reviewed !186: update-initramfs: support loading post-update hooks from /usr/share/ too
      • merged !189: silence incorrect shellcheck SC2329
  • ktls-utils:
    • Merge requests:
      • merged !1: Update for version 1.3.0
      • opened and merged !2: Move config to new upstream preferred name /etc/tlshd/config on upgrade
    • Uploads:
      • uploaded version 1.3.0-1 to unstable
  • linux:
    • Bugs:
      • replied to #1000966: amdgpu: output to VR headset fails with "*ERROR* dc_stream_state is NULL for crtc '1'!"
      • closed #1117256: linux-image-6.12.48+deb13-amd64: Kernel can no longer activate ethernet on Dell WD19S docking station
      • closed #1118653: linux-image-6.17.2-amd64: Please restore CONFIG_NETFILTER_XT_TARGET_MASQUERADE
      • replied to #1120277: linux: I'm filing this because I have a serious, persistent bug with my Intel AX210 Bluetooth audio on Debian. The problem isn't configuration; it's a kernel driver failure. My Bluetooth headset connects, but I get absolutely no sound.
      • replied to #1120854: linux-image-arm64: Enable dma engine for Renesas RZ platform
    • Merge requests:
      • reviewed !1661: Introduce a base package for version sync
      • opened !1698: CI: Backport source package handling changes to 6.1
    • Uploads:
      • uploaded version 6.12.57-1~bpo12+1 to bookworm-backports
      • uploaded version 6.16.12-1~bpo13+1 to trixie-backports
      • uploaded version 6.17.8-1~bpo13+1 to trixie-backports
  • linux-base:
    • Bugs:
      • replied to #1121366: linux-run-hooks uses wrong directory name for headers postinst
• Debian non-package bugs:
  • general:
    • replied to #1120386: startx error on Trixie
• Mailing lists:
  • debian-devel:
    • replied to ORed build profiles
    • replied to salsa-ci.yml did not have the desired effect
  • debian-kernel:
    • posted Agenda items for kernel-team meeting on 2025-11-05
  • debian-lts-announce:
    • posted [SECURITY] [DLA 4379-1] linux-6.1 security update
  • stable:
    • replied to [PATCH 5.10 171/332] lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older

04 Dec 2025 2:59pm GMT

Welcome to the report for November 2025 from the Reproducible Builds project!

These monthly reports outline what we've been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As always, if you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.

In this report:

1. "10 years of Reproducible Build" at SeaGL
2. Distribution work
3. Tool development
4. Website updates
5. Miscellaneous news
6. Software Supply Chain Security of Web3
7. Upstream patches

---

'10 years of Reproducible Builds' at SeaGL 2025

On Friday 8th November, Chris Lamb gave a talk called 10 years of Reproducible Builds at SeaGL in Seattle, WA.

Founded in 2013, SeaGL is a free, grassroots technical summit dedicated to spreading awareness and knowledge about free source software, hardware and culture. Chris' talk:

[…] introduces the concept of reproducible builds, its technical underpinnings and its potentially transformative impact on software security and transparency. It is aimed at developers, security professionals and policy-makers who are concerned with enhancing trust and accountability in our software. It also provides a history of the Reproducible Builds project, which is approximately ten years old. How are we getting on? What have we got left to do? Aren't all the builds reproducible now?

Distribution work

In Debian this month, Jochen Sprickerhof created a merge request to replace the use of reprotest in Debian's Salsa Continuous Integration (CI) pipeline with debrebuild. Joschen cites the advantages as being threefold: firstly, that "only one extra build needed"; it "uses the same sbuild and ccache tooling as the normal build"; and "works for any Debian release". The merge request was merged by Emmanuel Arias and is now active.

kpcyrd posted to our mailing list announcing the initial release of repro-threshold, which implements an APT transport that "defines a threshold of at least X of my N trusted rebuilders need to confirm they reproduced the binary" before installing Debian packages. "Configuration can be done through a config file, or through a curses-like user interface.

Holger then merged two commits by Jochen Sprickerhof in order to address a fakeroot-related reproducibility issue in the debian-installer, and Jörg Jaspert deployed a patch by Ivo De Decker for a bug originally filed by Holger in February 2025 related to some Debian packages not being archived on snapshot.debian.org.

Elsewhere, Roland Clobus performed some analysis on the "live" Debian trixie images, which he determined were not reproducible. However, in a follow-up post, Roland happily reports that the issues have been handled. In addition, 145 reviews of Debian packages were added, 12 were updated and 15 were removed this month adding to our knowledge about identified issues.

Lastly, Jochen Sprickerhof filed a bug announcing their intention to "binary NMU" a very large number of the R programming language after a reproducibility-related toolchain bug was fixed.

Bernhard M. Wiedemann posted another openSUSE monthly update for their work there.

Julien Malka and Arnout Engelen launched the new hash collection server for NixOS. Aside from improved reporting to help focus reproducible builds efforts within NixOS, it collects build hashes as individually-signed attestations from independent builders, laying the groundwork for further tooling.

Tool development

diffoscope version 307 was uploaded to Debian unstable (as well as version 309). These changes included further attempts to automatically attempt to deploy to PyPI by liaising with the PyPI developers/maintainers (with this experimental feature). […][…][…]

In addition, reprotest versions 0.7.31 and 0.7.32 were uploaded to Debian unstable by Holger Levsen, who also made the following changes:

• Do not vary the architecture personality if the kernel is not varied. (Thanks to Raúl Cumplido). […]
• Drop the debian/watch file, as Lintian now flags this as error for 'native' Debian packages. […][…]
• Bump Standards-Version to 4.7.2, with no changes needed. […]
• Drop the Rules-Requires-Root header as it is no longer required.. […]

In addition, however, Vagrant Cascadian fixed a build failure by removing some extra whitespace from an older changelog entry. […]

Website updates

Once again, there were a number of improvements made to our website this month including:

• Bernhard M. Wiedemann updated the SOURCE_DATE_EPOCH page to fix the Lisp example syntax. […]

• Holger Levsen updated a number of pages on our website related to our recent summit in Vienna […][…][…][…][…], and added a link to the YouTube video of his recent talk at Transparency.dev in Gothenburg, Sweden […].

• James Addison replaced a broken link on the Reproducibility Troubleshooting page with one using Archive.org. […]

• kpcyrd also updated the Vienna summit page in order to update group picture […] as well as to expand the project list […].

• Robert Stupp added a new Helm page […][…], and fleshed out some Gradle specifics, etc. on the JVM page […].

Miscellaneous news

• It was noticed that the Comparison of Linux distributions Wikipedia page now has a "Reproducible builds" column.

• The popular Ruby on Rails web development framework had a reproducibility-related test failure due to daylight savings time changes.

• Debian Developer Otto Kekäläinen appeared on the Open Source Security podcast, relating to their blog post about the XZ backdoor. The video, audio, as well as a full transcript of the show are available on the Open Source Security podcast page for this episode.

• Thomas Weißschuh posted to our mailing list in order to look for feedback on their CONFIG_MODULE_HASHES patchset for the Linux kernel, "which aims to enable reproducible kernel packages for Linux distributions".

• kpcyrd also posted our list with a post entitled "Github Actions and the hashFiles incident".

• Simon Mudd posted to the list as well "looking for reproducible RPM building / rebuilding tooling". Simon had watched a recent talk by Holger Levsen and was trying to ensure that he could rebuild various MySQL .rpms.

• Lastly, there was a thread related to the hosting of the website powering this very report.

Software Supply Chain Security of Web3

Via our mailing list, Martin Monperrus let us know about their recently-published page on the Software Supply Chain Security of Web3. The abstract of their paper is as follows:

Web3 applications, built on blockchain technology, manage billions of dollars in digital assets through decentralized applications (dApps) and smart contracts. These systems rely on complex, software supply chains that introduce significant security vulnerabilities. This paper examines the software supply chain security challenges unique to the Web3 ecosystem, where traditional Web2 software supply chain problems intersect with the immutable and high-stakes nature of blockchain technology. We analyze the threat landscape and propose mitigation strategies to strengthen the security posture of Web3 systems.

Their paper lists reproducible builds as one of the mitigating strategies. A PDF of the full text is available to download.

Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

• Bernhard M. Wiedemann:

  • SARndbox (race)
  • clamav (rust toolchain)
  • contrast/identity/loupe/mousai (need glib-macros update)
  • cosmic (cosmic* HashMap)
  • dealers-choice (nocheck)
  • falcon (python-falcon date)
  • FreeDoko (date)
  • gnutls (FTBFS-CPU)
  • gods-deluxe (jar mtimes)
  • Kinect (date)
  • libplasma6 (qmlcachegen race)
  • llvm (rocm-omp date)
  • rnp (FTBFS-2041)
  • rocsolver (FTBFS-j1)
  • switcheroo (FTBFS-j1)
  • vdrift (date)

• Arnout Engelen:

  • ibus (parallelism)
  • qmlcachegen (with Ulf Hermann)

• Chris Lamb:

  • #1120066 filed against python-gffutils.
  • #1120068 filed against python-biom-format.
  • #1120069 filed against python-requests-cache.
  • #1120070 filed against python-tld.
  • #1120121 filed against smart-open.
  • #1120122 filed against vanguards.
  • #1120123 filed against pycifrw.
  • #1120124 filed against golang-github-apptainer-container-library-client.
  • #1120330 filed against python-ofxhome.
  • #1120331 filed against python-lupa.
  • #1120332 filed against mu-editor.
  • #1120340 filed against python-spdx-tools.
  • #1120342 filed against python-django-waffle.
  • #1120351 filed against biosquid.
  • #1120352 filed against dateparser.
  • #1120353 filed against parsinsert.
  • #1120357 filed against rdf2rml.
  • #1120405 filed against python-et-xmlfile.
  • #1120528 filed against deblur.
  • #1120529 filed against ytcc.
  • #1120530 filed against pgpainless.
  • #1120531 filed against trillian.
  • #1120532 filed against pywavelets.
  • #1120591 filed against jsonpath-ng.
  • #1120592 filed against presto.
  • #1120593 filed against python-pyutil.
  • #1120629 filed against python-os-apply-config.
  • #1120631 filed against pydata-sphinx-theme.
  • #1120632 filed against python-ciso8601.
  • #1120633 filed against python-pymummer.
  • #1120634 filed against qcat.
  • #1120870 filed against tkgate.
  • #1120871 filed against tkgate.
  • #1120872 filed against ruby-gnuplot.
  • #1120873 filed against python-nixio.
  • #1120874 filed against python-altair.
  • #1120875 filed against python-graphene.
  • #1120876 filed against python-phabricator.
  • #1120877 filed against python-slimmer.
  • #1120878 filed against python-kafka.
  • #1120879 filed against python-sshsig.
  • #1120880 filed against python-babelgladeextractor.
  • #1120881 filed against python-genson.
  • #1120882 filed against flawfinder.
  • #1120883 filed against crasm.
  • #1121064 filed against insilicoseq.
  • #1121065 filed against pychopper.
  • #1121066 filed against pycparser.
  • #1121067 filed against whipper.
  • #1121068 filed against vt.
  • #1121069 filed against pyxnat.
  • #1121070 filed against golang-github-kshedden-statmodel.
  • #1121071 filed against nim-hts.
  • #1121072 filed against golang-github-emicklei-dot.
  • #1121073 filed against golang-gonum-v1-plot.
  • #1121074 filed against beangulp.
  • #1121075 filed against virulencefinder.
  • #1121076 filed against ansible-lint.
  • #1121077 filed against entropybroker.
  • #1121078 filed against namecheap.
  • #1121141 filed against spopt.
  • #1121142 filed against pyasn.
  • #1121143 filed against python-pyvcf.
  • #1121147 filed against python-pysaml2.

• Jochen Sprickerhof:

  • #1121500 filed against cython.

• Vagrant Cascadian:

  • #1121406 filed against clhep.

Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.

• Mastodon: @reproducible_builds@fosstodon.org

• Mailing list: rb-general@lists.reproducible-builds.org

03 Dec 2025 8:28pm GMT

As with libvirt 11.10 a new flag for backup operation has been inroduced: VIR_DOMAIN_BACKUP_BEGIN_PRESERVE_SHUTDOWN_DOMAIN.

According to the documentation "It instructs libvirt to avoid termination of the VM if the guest OS shuts down while the backup is still running. The VM is in that scenario reset and paused instead of terminated allowing the backup to finish. Once the backup finishes the VM process is terminated."

Added support for this in virtnbdbackup 2.40.

03 Dec 2025 12:00am GMT