May 2025 in Reproducible Builds:
* Security audit of Reproducible Builds tools published
* "When good pseudorandom numbers go bad" @jdnavarro
* Academic articles
* Distribution work
* @debian
* @fdroidorg @eighthave
* @nixos_org @raboof
* @opensuse
* @fedora @jelly
* diffoscope and disorderfs
* Website updates
* Reproducibility testing framework
* Upstream patches
Alright, this year at #FOSSY in Portland, I will both be hosting a booth for #ReproducibleBuilds and also presenting a talk...
"Never Mind the Checkboxes, Here's Reproducible Builds"
The Health policy is weaker than I would personally like with #Masking but at least last year there was significant voluntary compliance.
#AndroidAppRain at https://apt.izzysoft.de/fdroid today brings you 13 updated and 1 added apps:
* App2Proxy: redirect the traffic of selected apps through a local proxy using iptables (root needed) 🛡️
And with that, we reached a new milestone: 600 of the apps at #IzzyOnDroid are #reproducibleBuilds now 🥳
Enjoy your #free #Android #apps with the #IzzyOnDroid repo :awesome:
@Billie oof, misconfiguration at our end 🙈 Sincere apologies! Corrected now, 0.62.9 will show up with the next sync (and future releases in time again).
Oh, and btw: at #IzzyOnDroid of course as #reproducibleBuilds :awesome:
#AndroidAppRain today brings 16 updated and removes 1 app: Infinity for Reddit was removed as it was not fully FOSS (no offense to the dev, but that branch the APK was built from is not public).
How did we figure? Well, ALL attempts to achieve #reproducibleBuilds failed, as the commit the APK was built from could not be found. That's what we mean when we say RB proves it's build from that exact code, with NOTHING ADDED or taken away.
So: enjoy your 46.1% RB apps with the #IzzyOnDroid repo!
Welcome to the RB family, QRServ 🥳
https://apt.izzysoft.de/packages/dev.uint.qrserv
QRServ takes any selected file on your device and makes it available through its own HTTP server at an unused port number. The selected file can then be downloaded via web browser on another device or software that allows file downloads over HTTP from QR codes.
This was made possible thanks to the efforts by its author – and thanks to his SteamDeck running our RB framework :awesome:
IzzyOnDroid got mentioned in the reproducible-builds.org blog for the April report with a huge block of multiple paragraphs 🥳
https://reproducible-builds.org/reports/2025-04/#distribution-roundup
Yes, our RB-framework is available for everyone to use. And today, we even got the first report of an installation running on a Steam Deck :awesome:
We have no new apps to report today (well, 10 updated apps is also good, right?) – but reached round numbers with our RBs once more:
590 apps (45%) of the #android #apps at the #IzzyOnDroid repo are now #reproducibleBuilds :awesome:
Ok, getting excited for #FOSSY2025
Will have a #ReproducibleBuilds booth and also proposed a couple talks that I had fun writing...
When diffoscope is just giving noise, https://github.com/noseglasses/elf_diff/ has been very handy to me.
So sad to hear #OSUOSL is in a bit of a pinch...
They support so many free software projects that I work on, including #Debian and #ReproducibleBuilds and probably several more I did not even realize!
Please support those that support so many others if you can and spread the word!
Congrats to @luj and @Zimm_i48, for the ACM SIGSOFT Distinguished Paper #award at #MSR2025, for our joint paper «Does Functional Package Management Enable #ReproducibleBuilds at Scale? Yes.»
Details, including link to an #openaccess preprint, at: https://2025.msrconf.org/details/msr-2025-technical-papers/32/Does-Functional-Package-Management-Enable-Reproducible-Builds-at-Scale-Yes-
The paper is going to be presented this afternoon at the conf here in Ottawa.
Welcome to the RB family, LinkGuardian 🥳
https://apt.izzysoft.de/packages/dev.elbullazul.linkguardian
LinkGuardian is an Android client for Linkwarden, helping you to manage your link collection. Thanks to joint efforts with its developer, @elbullazul, the app is now RB :awesome:
Meanwhile, Gilmore makes an analogy between “reproducible builds” and “pure functions”:
https://lists.reproducible-builds.org/pipermail/rb-general/2025-April/003736.html
It sure feels like a déjà vu to the Nix and Guix folks but it’s good to see it brought up from a different perspective.
@signalapp As a supporter of #Signal, it is important to point out a key detail: Signal's own code is #OpenSource, but Signal uses multiple #proprietary libraries from #Google. Those cannot be scrutinized since the source code is not open. We believe Signal should offer an actual open source version, and are ready to help. This exists already in the fork https://fosstodon.org/@MollyIM Also, apps like #Element #Threema #Wire are #FOSS, and have #ReproducibleBuilds on @fdroidorg #FDroid
Impatient to get a #Backport of #Dino 0.5 for #Debian #Bookworm
... but the build logs were already published, including the hashes of all the binaries, I went ahead and performed a #ReproducibleBuilds check of locally built packages for amd64, arm64 and the "all" architecture... and came up with bit-for-bit identical results!
https://people.debian.org/~vagrant/dino-im-reproduced/
By the time you read this, identical binaries may already land on the Debian archive. I have a newer dino installed now! Try for yourself!
@jerome_herbinet Thanks for giving us a boost 🤗 And as you use the 🛡️ symbol: #IzzyOnDroid also supports #reproducibleBuilds (yes, we can also build from source – but we ALWAYS ship the APKs provided by their resp. developers), see https://android.izzysoft.de/articles/named/iod-rbs-mirrors-clients :awesome:
(our toots use the 🛡️ to indicate RB. Our repo browser indicates RBs by shields, too, for the apps covered by one of our builders)
Welcome to the RB family, MSM 🥳
https://apt.izzysoft.de/packages/com.prinzpiuz.msm
MSM works as wrapper around your Media server (emby, jellyfin, kodi, plex) and helps you to manage your media files.
Thanks to the help from its developer, starting with v1.9.0 the app is now reproducible :awesome:
A lot of global improvements and achievements during this past month regarding reproducible builds 🎉
I also got a few upstream patches merged again 🥳
