Reproducible Builds: Reproducible Builds in May 2025
Welcome to our 5th report from the Reproducible Builds project in 2025! Our monthly reports outline what we ve been up to over the past month, and highlight items of news from elsewhere in the increasingly-important area of software supply-chain security. If you are interested in contributing to the Reproducible Builds project, please do visit the Contribute page on our website.
In this report:
- Security audit of Reproducible Builds tools published
- When good pseudorandom numbers go bad
- Academic articles
- Distribution work
- diffoscope and disorderfs
- Website updates
- Reproducibility testing framework
- Upstream patches
Security audit of Reproducible Builds tools published
The Open Technology Fund s (OTF) security partner Security Research Labs recently an conducted audit of some specific parts of tools developed by Reproducible Builds. This form of security audit, sometimes called a whitebox audit, is a form testing in which auditors have complete knowledge of the item being tested. They auditors assessed the various codebases for resilience against hacking, with key areas including differential report formats in diffoscope, common client web attacks, command injection, privilege management, hidden modifications in the build process and attack vectors that might enable denials of service.
The audit focused on three core Reproducible Builds tools: diffoscope, a Python application that unpacks archives of files and directories and transforms their binary formats into human-readable form in order to compare them; strip-nondeterminism, a Perl program that improves reproducibility by stripping out non-deterministic information such as timestamps or other elements introduced during packaging; and reprotest, a Python application that builds source code multiple times in various environments in order to to test reproducibility.
OTF s announcement contains more of an overview of the audit, and the full 24-page report is available in PDF form as well.
When good pseudorandom numbers go bad
Danielle Navarro published an interesting and amusing article on their blog on When good pseudorandom numbers go bad. Danielle sets the stage as follows:
[Colleagues] approached me to talk about a reproducibility issue they d been having with some R code. They d been running simulations that rely on generating samples from a multivariate normal distribution, and despite doing the prudent thing and using set.seed() to control the state of the random number generator (RNG), the results were not computationally reproducible. The same code, executed on different machines, would produce different random numbers. The numbers weren t just a little bit different in the way that we ve all wearily learned to expect when you try to force computers to do mathematics. They were painfully, brutally, catastrophically, irreproducible different. Somewhere, somehow, something broke.
Thanks to David Wheeler for posting about this article on our mailing list
Academic articles
There were two scholarly articles published this month that related to reproducibility:
Daniel Hugenroth and Alastair R. Beresford of the University of Cambridge in the United Kingdom and Mario Lins and Ren Mayrhofer of Johannes Kepler University in Linz, Austria published an article titled Attestable builds: compiling verifiable binaries on untrusted systems using trusted execution environments. In their paper, they:
present attestable builds, a new paradigm to provide strong source-to-binary correspondence in software artifacts. We tackle the challenge of opaque build pipelines that disconnect the trust between source code, which can be understood and audited, and the final binary artifact, which is difficult to inspect. Our system uses modern trusted execution environments (TEEs) and sandboxed build containers to provide strong guarantees that a given artifact was correctly built from a specific source code snapshot. As such it complements existing approaches like reproducible builds which typically require time-intensive modifications to existing build configurations and dependencies, and require independent parties to continuously build and verify artifacts.
The authors compare attestable builds with reproducible builds by noting an attestable build requires only minimal changes to an existing project, and offers nearly instantaneous verification of the correspondence between a given binary and the source code and build pipeline used to construct it , and proceed by determining that t he overhead (42 seconds start-up latency and 14% increase in build duration) is small in comparison to the overall build time.
Timo Pohl, Pavel Nov k, Marc Ohm and Michael Meier have published a paper called Towards Reproducibility for Software Packages in Scripting Language Ecosystems. The authors note that past research into Reproducible Builds has focused primarily on compiled languages and their ecosystems, with a further emphasis on Linux distribution packages:
However, the popular scripting language ecosystems potentially face unique issues given the systematic difference in distributed artifacts. This Systemization of Knowledge (SoK) [paper] provides an overview of existing research, aiming to highlight future directions, as well as chances to transfer existing knowledge from compiled language ecosystems. To that end, we work out key aspects in current research, systematize identified challenges for software reproducibility, and map them between the ecosystems.
Ultimately, the three authors find that the literature is sparse , focusing on few individual problems and ecosystems, and therefore identify space for more critical research.
Distribution work
In Debian this month:
-
Ian Jackson filed a bug against the
debian-policy package in order to delve into an issue affecting Debian s support for cross-architecture compilation, multiple-architecture systems, reproducible builds SOURCE_DATE_EPOCH environment variable and the ability to recompile already-uploaded packages to Debian with a new/updated toolchain (binNMUs). Ian identifies a specific case, specifically in the libopts25-dev package, involving a manual page that had interesting downstream effects, potentially affecting backup systems. The bug generated a large number of replies, some of which have references to similar or overlapping issues, such as this one from 2016/2017.
-
Chris Hofstaedtler filed a bug against the metasnap.debian.net service to note that some packages are not available in metasnap API.
-
22 reviews of Debian packages were added, 24 were updated and 11 were removed this month, all adding to our knowledge about identified issues.
Hans-Christoph Steiner of the F-Droid catalogue of open source applications for the Android platform published a blog post on Making reproducible builds visible. Noting that Reproducible builds are essential in order to have trustworthy software , Hans also mentions that F-Droid has been delivering reproducible builds since 2015 . However:
There is now a Reproducibility Status link for each app on f-droid.org, listed on every app s page. Our verification server shows or based on its build results, where means our rebuilder reproduced the same APK file and means it did not. The IzzyOnDroid repository has developed a more elaborate system of badges which displays a for each rebuilder. Additionally, there is a sketch of a five-level graph to represent some aspects about which processes were run.
Hans compares the approach with projects such as Arch Linux and Debian that provide developer-facing tools to give feedback about reproducible builds, but do not display information about reproducible builds in the user-facing interfaces like the package management GUIs.
Arnout Engelen of the NixOS project has been working on reproducing the minimal installation ISO image. This month, Arnout has successfully reproduced the build of the minimal image for the 25.05 release without relying on the binary cache. Work on also reproducing the graphical installer image is ongoing.
In openSUSE news, Bernhard M. Wiedemann posted another monthly update for their work there.
Lastly in Fedora news, Jelle van der Waa opened issues tracking reproducible issues in Haskell documentation, Qt6 recording the host kernel and R packages recording the current date. The R packages can be made reproducible with packaging changes in Fedora.
diffoscope & disorderfs
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions 295, 296 and 297 to Debian:
- Don t rely on zipdetails
--walk argument being available, and only add that argument on newer versions after we test for that. [ ]
- Review and merge support for NuGet packages from Omair Majid. [ ]
- Update copyright years. [ ]
- Merge support for an
lzma comparator from Will Hollywood. [ ][ ]
Chris also merged an impressive changeset from Siva Mahadevan to make disorderfs more portable, especially on FreeBSD. disorderfs is our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues [ ]. This was then uploaded to Debian as version 0.6.0-1.
Lastly, Vagrant Cascadian updated diffoscope in GNU Guix to version 296 [ ][ ] and 297 [ ][ ], and disorderfs to version 0.6.0 [ ][ ].
Website updates
Once again, there were a number of improvements made to our website this month including:
-
Chris Lamb:
- Merged four or five suggestions from Guillem Jover for the GNU Autotools examples on the
SOURCE_DATE_EPOCH example page [ ]
- Incorporated a number of fixes for the JavaScript
SOURCE_DATE_EPOCH snippet from Sebastian Davis, which did not handle non-integer values correctly. [ ]
-
David A. Wheeler:
-
Hans-Christoph Steiner:
- Add the F-Droid Verification Server to the Tools page. [ ]
- Add the Creative Commons Attribution-ShareAlike 4.0 International as the website s root
LICENSE file. [ ]
- Updated the Recording the build environment page to add a section pertaining to how F-Droid handles this. [ ]
-
Jochen Sprickerhof:
- Add Chris Hofstaedtler to the Who is involved? page. [ ]
-
Sebastian Davids:
- Fix the CoffeeScript example on the
SOURCE_DATE_EPOCH page. [ ]
- Remove the JavaScript example that uses a fixed timezone on the
SOURCE_DATE_EPOCH page. [ ]
Reproducibility testing framework
The Reproducible Builds project operates a comprehensive testing framework running primarily at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility.
However, Holger Levsen posted to our mailing list this month in order to bring a wider awareness to funding issues faced by the Oregon State University (OSU) Open Source Lab (OSL). As mentioned on OSL s public post, recent changes in university funding makes our current funding model no longer sustainable [and that] unless we secure $250,000 in committed funds, the OSL will shut down later this year . As Holger notes in his post to our mailing list, the Reproducible Builds project relies on hardware nodes hosted there. Nevertheless, Lance Albertson of OSL posted an update to the funding situation later in the month with broadly positive news.
Separate to this, there were various changes to the Jenkins setup this month, which is used as the backend driver of for both tests.reproducible-builds.org and reproduce.debian.net, including:
- Migrating the central
jenkins.debian.net server AMD Opteron to Intel Haswell CPUs. Thanks to IONOS for hosting this server since 2012.
- After testing it for almost ten years, the
i386 architecture has been dropped from tests.reproducible-builds.org. This is because that, with the upcoming release of Debian trixie, i386 is no longer supported as a regular architecture there will be no official kernel and no Debian installer for i386 systems. As a result, a large number of nodes hosted by Infomaniak have been retooled from i386 to amd64.
- Another node,
ionos17-amd64.debian.net, which is used for verifying packages for all.reproduce.debian.net (hosted by IONOS) has had its memory increased from 40 to 64GB, and the number of cores doubled to 32 as well. In addition, two nodes generously hosted by OSUOSL have had their memory doubled to 16GB.
- Lastly, we have been granted access to more
riscv64 architecture boards, so now we have seven such nodes, all with 16GB memory and 4 cores that are verifying packages for riscv64.reproduce.debian.net. Many thanks to PLCT Lab, ISCAS for providing those.
Outside of this, a number of smaller changes were also made by Holger Levsen:
-
reproduce.debian.net-related:
- Only use two workers for the
ppc64el architecture due to RAM size. [ ]
- Monitor
nginx_request and nginx_status with the Munin monitoring system. [ ][ ]
- Detect various variants of network and memory errors. [ ][ ][ ][ ]
- Add a prominent link to reproducible-builds.org. [ ]
- Add a
rebuilderd-cache-cleanup.service and run it daily via timer. [ ][ ][ ][ ][ ]
- Be more verbose what sources are being downloaded. [ ]
- Correctly deal with packages with an epoch in their version [ ] and deal with binNMUs versions with an epoch as well [ ][ ].
- Document how to reschedule all other errors on all archs. [ ]
- Misc documentation improvements. [ ][ ][ ][ ]
- Include the
$HOSTNAME variable in the rebuilderd logfiles. [ ]
- Install the
equivs package on all worker nodes. [ ][ ]
-
Jenkins nodes:
- Permit the
sudo tool to fix up permission issues. [ ][ ]
- Document how to manage diskspace with OpenStack. [ ]
- Ignore a number of spurious monitoring errors on
riscv64, FreeBSD, etc.. [ ][ ][ ][ ]
- Install
ntpsec-ntpdate (instead of ntpdate) as the former is available on Debian trixie and bookworm. [ ][ ]
- Use the same SSH
ControlPath for all nodes. [ ]
- Make sure the
munin user uses the same SSH config as the jenkins user. [ ]
-
tests.reproducible-builds.org-related:
-
Misc:
In addition, Jochen Sprickerhof made a series of changes related to reproduce.debian.net:
- Add out of memory detection to the statistics page. [ ]
- Reverse the sorting order on the statistics page. [ ][ ][ ][ ]
- Improve the spacing between statistics groups. [ ]
- Update a (hard-coded) line number in error message detection pertaining to a
debrebuild line number. [ ]
- Support Debian unstable in the
rebuilder-debian.sh script. [ ] ]
- Rely on
rebuildctl to sync only arch-specific packages. [ ][ ]
Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. This month, we wrote a large number of such patches, including:
-
Bernhard M. Wiedemann:
cmake/musescorenetdiscoverautotrace, ck, cmake, crash, cvsps, gexif, gq, gtkam, ibus-table-others, krb5-appl, ktoblzcheck-data, leafnode, lib2geom, libexif-gtk, libyui, linkloop, meson, MozillaFirefox, ncurses, notify-sharp, pcsc-acr38, pcsc-asedriveiiie-serial, pcsc-asedriveiiie-usb, pcsc-asekey, pcsc-eco5000, pcsc-reflex60, perl-Crypt-RC, python-boto3, python-gevent, python-pytest-localserver, qt6-tools, seamonkey, seq24, smictrl, sobby, solfege, urfkill, uwsgi, wsmancli, xine-lib, xkeycaps, xquarto, yast-control-center, yast-ruby-bindings and yastlibmfx-gen, libmfx, liboqs
-
Chris Hofstaedtler:
- #1104578 filed against
jabber-muc.
-
Chris Lamb:
- #1105171 filed against
golang-github-lucas-clemente-quic-go.
-
Jelle van der Waa:
-
Jochen Sprickerhof:
-
Zhaofeng Li:
- Add support for
--mtime and --clamp-mtime to bsdtar.
-
James Addison:
- #1105119 for
python3 requested enabling a LTO-adjacent option that should improve build reproducibility.
- #1106274 upstream fix merged for
freezegun for a timezone issue causing unit tests to fail during testing.
- Opened a pull request for
tutanota in an attempt to resolve a long-standing reproducibility issue.
-
Zbigniew J drzejewski-Szmek:
0xFFFF: Use SOURCE_DATE_EPOCH for date in manual pages.
Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
-
IRC:
#reproducible-builds on irc.oftc.net.
-
Mastodon: @reproducible_builds@fosstodon.org
-
Mailing list:
rb-general@lists.reproducible-builds.org
[Colleagues] approached me to talk about a reproducibility issue they d been having with some R code. They d been running simulations that rely on generating samples from a multivariate normal distribution, and despite doing the prudent thing and using set.seed() to control the state of the random number generator (RNG), the results were not computationally reproducible. The same code, executed on different machines, would produce different random numbers. The numbers weren t just a little bit different in the way that we ve all wearily learned to expect when you try to force computers to do mathematics. They were painfully, brutally, catastrophically, irreproducible different. Somewhere, somehow, something broke.
Thanks to David Wheeler for posting about this article on our mailing list
Academic articles
There were two scholarly articles published this month that related to reproducibility:
Daniel Hugenroth and Alastair R. Beresford of the University of Cambridge in the United Kingdom and Mario Lins and Ren Mayrhofer of Johannes Kepler University in Linz, Austria published an article titled Attestable builds: compiling verifiable binaries on untrusted systems using trusted execution environments. In their paper, they:
present attestable builds, a new paradigm to provide strong source-to-binary correspondence in software artifacts. We tackle the challenge of opaque build pipelines that disconnect the trust between source code, which can be understood and audited, and the final binary artifact, which is difficult to inspect. Our system uses modern trusted execution environments (TEEs) and sandboxed build containers to provide strong guarantees that a given artifact was correctly built from a specific source code snapshot. As such it complements existing approaches like reproducible builds which typically require time-intensive modifications to existing build configurations and dependencies, and require independent parties to continuously build and verify artifacts.
The authors compare attestable builds with reproducible builds by noting an attestable build requires only minimal changes to an existing project, and offers nearly instantaneous verification of the correspondence between a given binary and the source code and build pipeline used to construct it , and proceed by determining that t he overhead (42 seconds start-up latency and 14% increase in build duration) is small in comparison to the overall build time.
Timo Pohl, Pavel Nov k, Marc Ohm and Michael Meier have published a paper called Towards Reproducibility for Software Packages in Scripting Language Ecosystems. The authors note that past research into Reproducible Builds has focused primarily on compiled languages and their ecosystems, with a further emphasis on Linux distribution packages:
However, the popular scripting language ecosystems potentially face unique issues given the systematic difference in distributed artifacts. This Systemization of Knowledge (SoK) [paper] provides an overview of existing research, aiming to highlight future directions, as well as chances to transfer existing knowledge from compiled language ecosystems. To that end, we work out key aspects in current research, systematize identified challenges for software reproducibility, and map them between the ecosystems.
Ultimately, the three authors find that the literature is sparse , focusing on few individual problems and ecosystems, and therefore identify space for more critical research.
Distribution work
In Debian this month:
-
Ian Jackson filed a bug against the
debian-policy package in order to delve into an issue affecting Debian s support for cross-architecture compilation, multiple-architecture systems, reproducible builds SOURCE_DATE_EPOCH environment variable and the ability to recompile already-uploaded packages to Debian with a new/updated toolchain (binNMUs). Ian identifies a specific case, specifically in the libopts25-dev package, involving a manual page that had interesting downstream effects, potentially affecting backup systems. The bug generated a large number of replies, some of which have references to similar or overlapping issues, such as this one from 2016/2017.
-
Chris Hofstaedtler filed a bug against the metasnap.debian.net service to note that some packages are not available in metasnap API.
-
22 reviews of Debian packages were added, 24 were updated and 11 were removed this month, all adding to our knowledge about identified issues.
Hans-Christoph Steiner of the F-Droid catalogue of open source applications for the Android platform published a blog post on Making reproducible builds visible. Noting that Reproducible builds are essential in order to have trustworthy software , Hans also mentions that F-Droid has been delivering reproducible builds since 2015 . However:
There is now a Reproducibility Status link for each app on f-droid.org, listed on every app s page. Our verification server shows or based on its build results, where means our rebuilder reproduced the same APK file and means it did not. The IzzyOnDroid repository has developed a more elaborate system of badges which displays a for each rebuilder. Additionally, there is a sketch of a five-level graph to represent some aspects about which processes were run.
Hans compares the approach with projects such as Arch Linux and Debian that provide developer-facing tools to give feedback about reproducible builds, but do not display information about reproducible builds in the user-facing interfaces like the package management GUIs.
Arnout Engelen of the NixOS project has been working on reproducing the minimal installation ISO image. This month, Arnout has successfully reproduced the build of the minimal image for the 25.05 release without relying on the binary cache. Work on also reproducing the graphical installer image is ongoing.
In openSUSE news, Bernhard M. Wiedemann posted another monthly update for their work there.
Lastly in Fedora news, Jelle van der Waa opened issues tracking reproducible issues in Haskell documentation, Qt6 recording the host kernel and R packages recording the current date. The R packages can be made reproducible with packaging changes in Fedora.
diffoscope & disorderfs
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions 295, 296 and 297 to Debian:
- Don t rely on zipdetails
--walk argument being available, and only add that argument on newer versions after we test for that. [ ]
- Review and merge support for NuGet packages from Omair Majid. [ ]
- Update copyright years. [ ]
- Merge support for an
lzma comparator from Will Hollywood. [ ][ ]
Chris also merged an impressive changeset from Siva Mahadevan to make disorderfs more portable, especially on FreeBSD. disorderfs is our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues [ ]. This was then uploaded to Debian as version 0.6.0-1.
Lastly, Vagrant Cascadian updated diffoscope in GNU Guix to version 296 [ ][ ] and 297 [ ][ ], and disorderfs to version 0.6.0 [ ][ ].
Website updates
Once again, there were a number of improvements made to our website this month including:
-
Chris Lamb:
- Merged four or five suggestions from Guillem Jover for the GNU Autotools examples on the
SOURCE_DATE_EPOCH example page [ ]
- Incorporated a number of fixes for the JavaScript
SOURCE_DATE_EPOCH snippet from Sebastian Davis, which did not handle non-integer values correctly. [ ]
-
David A. Wheeler:
-
Hans-Christoph Steiner:
- Add the F-Droid Verification Server to the Tools page. [ ]
- Add the Creative Commons Attribution-ShareAlike 4.0 International as the website s root
LICENSE file. [ ]
- Updated the Recording the build environment page to add a section pertaining to how F-Droid handles this. [ ]
-
Jochen Sprickerhof:
- Add Chris Hofstaedtler to the Who is involved? page. [ ]
-
Sebastian Davids:
- Fix the CoffeeScript example on the
SOURCE_DATE_EPOCH page. [ ]
- Remove the JavaScript example that uses a fixed timezone on the
SOURCE_DATE_EPOCH page. [ ]
Reproducibility testing framework
The Reproducible Builds project operates a comprehensive testing framework running primarily at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility.
However, Holger Levsen posted to our mailing list this month in order to bring a wider awareness to funding issues faced by the Oregon State University (OSU) Open Source Lab (OSL). As mentioned on OSL s public post, recent changes in university funding makes our current funding model no longer sustainable [and that] unless we secure $250,000 in committed funds, the OSL will shut down later this year . As Holger notes in his post to our mailing list, the Reproducible Builds project relies on hardware nodes hosted there. Nevertheless, Lance Albertson of OSL posted an update to the funding situation later in the month with broadly positive news.
Separate to this, there were various changes to the Jenkins setup this month, which is used as the backend driver of for both tests.reproducible-builds.org and reproduce.debian.net, including:
- Migrating the central
jenkins.debian.net server AMD Opteron to Intel Haswell CPUs. Thanks to IONOS for hosting this server since 2012.
- After testing it for almost ten years, the
i386 architecture has been dropped from tests.reproducible-builds.org. This is because that, with the upcoming release of Debian trixie, i386 is no longer supported as a regular architecture there will be no official kernel and no Debian installer for i386 systems. As a result, a large number of nodes hosted by Infomaniak have been retooled from i386 to amd64.
- Another node,
ionos17-amd64.debian.net, which is used for verifying packages for all.reproduce.debian.net (hosted by IONOS) has had its memory increased from 40 to 64GB, and the number of cores doubled to 32 as well. In addition, two nodes generously hosted by OSUOSL have had their memory doubled to 16GB.
- Lastly, we have been granted access to more
riscv64 architecture boards, so now we have seven such nodes, all with 16GB memory and 4 cores that are verifying packages for riscv64.reproduce.debian.net. Many thanks to PLCT Lab, ISCAS for providing those.
Outside of this, a number of smaller changes were also made by Holger Levsen:
-
reproduce.debian.net-related:
- Only use two workers for the
ppc64el architecture due to RAM size. [ ]
- Monitor
nginx_request and nginx_status with the Munin monitoring system. [ ][ ]
- Detect various variants of network and memory errors. [ ][ ][ ][ ]
- Add a prominent link to reproducible-builds.org. [ ]
- Add a
rebuilderd-cache-cleanup.service and run it daily via timer. [ ][ ][ ][ ][ ]
- Be more verbose what sources are being downloaded. [ ]
- Correctly deal with packages with an epoch in their version [ ] and deal with binNMUs versions with an epoch as well [ ][ ].
- Document how to reschedule all other errors on all archs. [ ]
- Misc documentation improvements. [ ][ ][ ][ ]
- Include the
$HOSTNAME variable in the rebuilderd logfiles. [ ]
- Install the
equivs package on all worker nodes. [ ][ ]
-
Jenkins nodes:
- Permit the
sudo tool to fix up permission issues. [ ][ ]
- Document how to manage diskspace with OpenStack. [ ]
- Ignore a number of spurious monitoring errors on
riscv64, FreeBSD, etc.. [ ][ ][ ][ ]
- Install
ntpsec-ntpdate (instead of ntpdate) as the former is available on Debian trixie and bookworm. [ ][ ]
- Use the same SSH
ControlPath for all nodes. [ ]
- Make sure the
munin user uses the same SSH config as the jenkins user. [ ]
-
tests.reproducible-builds.org-related:
-
Misc:
In addition, Jochen Sprickerhof made a series of changes related to reproduce.debian.net:
- Add out of memory detection to the statistics page. [ ]
- Reverse the sorting order on the statistics page. [ ][ ][ ][ ]
- Improve the spacing between statistics groups. [ ]
- Update a (hard-coded) line number in error message detection pertaining to a
debrebuild line number. [ ]
- Support Debian unstable in the
rebuilder-debian.sh script. [ ] ]
- Rely on
rebuildctl to sync only arch-specific packages. [ ][ ]
Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. This month, we wrote a large number of such patches, including:
-
Bernhard M. Wiedemann:
cmake/musescorenetdiscoverautotrace, ck, cmake, crash, cvsps, gexif, gq, gtkam, ibus-table-others, krb5-appl, ktoblzcheck-data, leafnode, lib2geom, libexif-gtk, libyui, linkloop, meson, MozillaFirefox, ncurses, notify-sharp, pcsc-acr38, pcsc-asedriveiiie-serial, pcsc-asedriveiiie-usb, pcsc-asekey, pcsc-eco5000, pcsc-reflex60, perl-Crypt-RC, python-boto3, python-gevent, python-pytest-localserver, qt6-tools, seamonkey, seq24, smictrl, sobby, solfege, urfkill, uwsgi, wsmancli, xine-lib, xkeycaps, xquarto, yast-control-center, yast-ruby-bindings and yastlibmfx-gen, libmfx, liboqs
-
Chris Hofstaedtler:
- #1104578 filed against
jabber-muc.
-
Chris Lamb:
- #1105171 filed against
golang-github-lucas-clemente-quic-go.
-
Jelle van der Waa:
-
Jochen Sprickerhof:
-
Zhaofeng Li:
- Add support for
--mtime and --clamp-mtime to bsdtar.
-
James Addison:
- #1105119 for
python3 requested enabling a LTO-adjacent option that should improve build reproducibility.
- #1106274 upstream fix merged for
freezegun for a timezone issue causing unit tests to fail during testing.
- Opened a pull request for
tutanota in an attempt to resolve a long-standing reproducibility issue.
-
Zbigniew J drzejewski-Szmek:
0xFFFF: Use SOURCE_DATE_EPOCH for date in manual pages.
Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
-
IRC:
#reproducible-builds on irc.oftc.net.
-
Mastodon: @reproducible_builds@fosstodon.org
-
Mailing list:
rb-general@lists.reproducible-builds.org
In Debian this month:
-
Ian Jackson filed a bug against the
debian-policypackage in order to delve into an issue affecting Debian s support for cross-architecture compilation, multiple-architecture systems, reproducible buildsSOURCE_DATE_EPOCHenvironment variable and the ability to recompile already-uploaded packages to Debian with a new/updated toolchain (binNMUs). Ian identifies a specific case, specifically in thelibopts25-devpackage, involving a manual page that had interesting downstream effects, potentially affecting backup systems. The bug generated a large number of replies, some of which have references to similar or overlapping issues, such as this one from 2016/2017. - Chris Hofstaedtler filed a bug against the metasnap.debian.net service to note that some packages are not available in metasnap API.
- 22 reviews of Debian packages were added, 24 were updated and 11 were removed this month, all adding to our knowledge about identified issues.
Hans-Christoph Steiner of the F-Droid catalogue of open source applications for the Android platform published a blog post on Making reproducible builds visible. Noting that Reproducible builds are essential in order to have trustworthy software , Hans also mentions that F-Droid has been delivering reproducible builds since 2015 . However:
There is now a Reproducibility Status link for each app on f-droid.org, listed on every app s page. Our verification server shows or based on its build results, where means our rebuilder reproduced the same APK file and means it did not. The IzzyOnDroid repository has developed a more elaborate system of badges which displays a for each rebuilder. Additionally, there is a sketch of a five-level graph to represent some aspects about which processes were run.
Hans compares the approach with projects such as Arch Linux and Debian that provide developer-facing tools to give feedback about reproducible builds, but do not display information about reproducible builds in the user-facing interfaces like the package management GUIs.
Arnout Engelen of the NixOS project has been working on reproducing the minimal installation ISO image. This month, Arnout has successfully reproduced the build of the minimal image for the 25.05 release without relying on the binary cache. Work on also reproducing the graphical installer image is ongoing.
In openSUSE news, Bernhard M. Wiedemann posted another monthly update for their work there.
Lastly in Fedora news, Jelle van der Waa opened issues tracking reproducible issues in Haskell documentation, Qt6 recording the host kernel and R packages recording the current date. The R packages can be made reproducible with packaging changes in Fedora.
diffoscope & disorderfs
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions 295, 296 and 297 to Debian:
- Don t rely on zipdetails
--walk argument being available, and only add that argument on newer versions after we test for that. [ ]
- Review and merge support for NuGet packages from Omair Majid. [ ]
- Update copyright years. [ ]
- Merge support for an
lzma comparator from Will Hollywood. [ ][ ]
Chris also merged an impressive changeset from Siva Mahadevan to make disorderfs more portable, especially on FreeBSD. disorderfs is our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues [ ]. This was then uploaded to Debian as version 0.6.0-1.
Lastly, Vagrant Cascadian updated diffoscope in GNU Guix to version 296 [ ][ ] and 297 [ ][ ], and disorderfs to version 0.6.0 [ ][ ].
Website updates
Once again, there were a number of improvements made to our website this month including:
-
Chris Lamb:
- Merged four or five suggestions from Guillem Jover for the GNU Autotools examples on the
SOURCE_DATE_EPOCH example page [ ]
- Incorporated a number of fixes for the JavaScript
SOURCE_DATE_EPOCH snippet from Sebastian Davis, which did not handle non-integer values correctly. [ ]
-
David A. Wheeler:
-
Hans-Christoph Steiner:
- Add the F-Droid Verification Server to the Tools page. [ ]
- Add the Creative Commons Attribution-ShareAlike 4.0 International as the website s root
LICENSE file. [ ]
- Updated the Recording the build environment page to add a section pertaining to how F-Droid handles this. [ ]
-
Jochen Sprickerhof:
- Add Chris Hofstaedtler to the Who is involved? page. [ ]
-
Sebastian Davids:
- Fix the CoffeeScript example on the
SOURCE_DATE_EPOCH page. [ ]
- Remove the JavaScript example that uses a fixed timezone on the
SOURCE_DATE_EPOCH page. [ ]
Reproducibility testing framework
The Reproducible Builds project operates a comprehensive testing framework running primarily at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility.
However, Holger Levsen posted to our mailing list this month in order to bring a wider awareness to funding issues faced by the Oregon State University (OSU) Open Source Lab (OSL). As mentioned on OSL s public post, recent changes in university funding makes our current funding model no longer sustainable [and that] unless we secure $250,000 in committed funds, the OSL will shut down later this year . As Holger notes in his post to our mailing list, the Reproducible Builds project relies on hardware nodes hosted there. Nevertheless, Lance Albertson of OSL posted an update to the funding situation later in the month with broadly positive news.
Separate to this, there were various changes to the Jenkins setup this month, which is used as the backend driver of for both tests.reproducible-builds.org and reproduce.debian.net, including:
- Migrating the central
jenkins.debian.net server AMD Opteron to Intel Haswell CPUs. Thanks to IONOS for hosting this server since 2012.
- After testing it for almost ten years, the
i386 architecture has been dropped from tests.reproducible-builds.org. This is because that, with the upcoming release of Debian trixie, i386 is no longer supported as a regular architecture there will be no official kernel and no Debian installer for i386 systems. As a result, a large number of nodes hosted by Infomaniak have been retooled from i386 to amd64.
- Another node,
ionos17-amd64.debian.net, which is used for verifying packages for all.reproduce.debian.net (hosted by IONOS) has had its memory increased from 40 to 64GB, and the number of cores doubled to 32 as well. In addition, two nodes generously hosted by OSUOSL have had their memory doubled to 16GB.
- Lastly, we have been granted access to more
riscv64 architecture boards, so now we have seven such nodes, all with 16GB memory and 4 cores that are verifying packages for riscv64.reproduce.debian.net. Many thanks to PLCT Lab, ISCAS for providing those.
Outside of this, a number of smaller changes were also made by Holger Levsen:
-
reproduce.debian.net-related:
- Only use two workers for the
ppc64el architecture due to RAM size. [ ]
- Monitor
nginx_request and nginx_status with the Munin monitoring system. [ ][ ]
- Detect various variants of network and memory errors. [ ][ ][ ][ ]
- Add a prominent link to reproducible-builds.org. [ ]
- Add a
rebuilderd-cache-cleanup.service and run it daily via timer. [ ][ ][ ][ ][ ]
- Be more verbose what sources are being downloaded. [ ]
- Correctly deal with packages with an epoch in their version [ ] and deal with binNMUs versions with an epoch as well [ ][ ].
- Document how to reschedule all other errors on all archs. [ ]
- Misc documentation improvements. [ ][ ][ ][ ]
- Include the
$HOSTNAME variable in the rebuilderd logfiles. [ ]
- Install the
equivs package on all worker nodes. [ ][ ]
-
Jenkins nodes:
- Permit the
sudo tool to fix up permission issues. [ ][ ]
- Document how to manage diskspace with OpenStack. [ ]
- Ignore a number of spurious monitoring errors on
riscv64, FreeBSD, etc.. [ ][ ][ ][ ]
- Install
ntpsec-ntpdate (instead of ntpdate) as the former is available on Debian trixie and bookworm. [ ][ ]
- Use the same SSH
ControlPath for all nodes. [ ]
- Make sure the
munin user uses the same SSH config as the jenkins user. [ ]
-
tests.reproducible-builds.org-related:
-
Misc:
In addition, Jochen Sprickerhof made a series of changes related to reproduce.debian.net:
- Add out of memory detection to the statistics page. [ ]
- Reverse the sorting order on the statistics page. [ ][ ][ ][ ]
- Improve the spacing between statistics groups. [ ]
- Update a (hard-coded) line number in error message detection pertaining to a
debrebuild line number. [ ]
- Support Debian unstable in the
rebuilder-debian.sh script. [ ] ]
- Rely on
rebuildctl to sync only arch-specific packages. [ ][ ]
Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. This month, we wrote a large number of such patches, including:
-
Bernhard M. Wiedemann:
cmake/musescorenetdiscoverautotrace, ck, cmake, crash, cvsps, gexif, gq, gtkam, ibus-table-others, krb5-appl, ktoblzcheck-data, leafnode, lib2geom, libexif-gtk, libyui, linkloop, meson, MozillaFirefox, ncurses, notify-sharp, pcsc-acr38, pcsc-asedriveiiie-serial, pcsc-asedriveiiie-usb, pcsc-asekey, pcsc-eco5000, pcsc-reflex60, perl-Crypt-RC, python-boto3, python-gevent, python-pytest-localserver, qt6-tools, seamonkey, seq24, smictrl, sobby, solfege, urfkill, uwsgi, wsmancli, xine-lib, xkeycaps, xquarto, yast-control-center, yast-ruby-bindings and yastlibmfx-gen, libmfx, liboqs
-
Chris Hofstaedtler:
- #1104578 filed against
jabber-muc.
-
Chris Lamb:
- #1105171 filed against
golang-github-lucas-clemente-quic-go.
-
Jelle van der Waa:
-
Jochen Sprickerhof:
-
Zhaofeng Li:
- Add support for
--mtime and --clamp-mtime to bsdtar.
-
James Addison:
- #1105119 for
python3 requested enabling a LTO-adjacent option that should improve build reproducibility.
- #1106274 upstream fix merged for
freezegun for a timezone issue causing unit tests to fail during testing.
- Opened a pull request for
tutanota in an attempt to resolve a long-standing reproducibility issue.
-
Zbigniew J drzejewski-Szmek:
0xFFFF: Use SOURCE_DATE_EPOCH for date in manual pages.
Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
-
IRC:
#reproducible-builds on irc.oftc.net.
-
Mastodon: @reproducible_builds@fosstodon.org
-
Mailing list:
rb-general@lists.reproducible-builds.org
--walk argument being available, and only add that argument on newer versions after we test for that. [ ]lzma comparator from Will Hollywood. [ ][ ]
Once again, there were a number of improvements made to our website this month including:
-
Chris Lamb:
- Merged four or five suggestions from Guillem Jover for the GNU Autotools examples on the
SOURCE_DATE_EPOCHexample page [ ] - Incorporated a number of fixes for the JavaScript
SOURCE_DATE_EPOCHsnippet from Sebastian Davis, which did not handle non-integer values correctly. [ ]
- Merged four or five suggestions from Guillem Jover for the GNU Autotools examples on the
- David A. Wheeler:
-
Hans-Christoph Steiner:
- Add the F-Droid Verification Server to the Tools page. [ ]
- Add the Creative Commons Attribution-ShareAlike 4.0 International as the website s root
LICENSEfile. [ ] - Updated the Recording the build environment page to add a section pertaining to how F-Droid handles this. [ ]
-
Jochen Sprickerhof:
- Add Chris Hofstaedtler to the Who is involved? page. [ ]
-
Sebastian Davids:
- Fix the CoffeeScript example on the
SOURCE_DATE_EPOCHpage. [ ] - Remove the JavaScript example that uses a fixed timezone on the
SOURCE_DATE_EPOCHpage. [ ]
- Fix the CoffeeScript example on the
Reproducibility testing framework
The Reproducible Builds project operates a comprehensive testing framework running primarily at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility.
However, Holger Levsen posted to our mailing list this month in order to bring a wider awareness to funding issues faced by the Oregon State University (OSU) Open Source Lab (OSL). As mentioned on OSL s public post, recent changes in university funding makes our current funding model no longer sustainable [and that] unless we secure $250,000 in committed funds, the OSL will shut down later this year . As Holger notes in his post to our mailing list, the Reproducible Builds project relies on hardware nodes hosted there. Nevertheless, Lance Albertson of OSL posted an update to the funding situation later in the month with broadly positive news.
Separate to this, there were various changes to the Jenkins setup this month, which is used as the backend driver of for both tests.reproducible-builds.org and reproduce.debian.net, including:
- Migrating the central
jenkins.debian.net server AMD Opteron to Intel Haswell CPUs. Thanks to IONOS for hosting this server since 2012.
- After testing it for almost ten years, the
i386 architecture has been dropped from tests.reproducible-builds.org. This is because that, with the upcoming release of Debian trixie, i386 is no longer supported as a regular architecture there will be no official kernel and no Debian installer for i386 systems. As a result, a large number of nodes hosted by Infomaniak have been retooled from i386 to amd64.
- Another node,
ionos17-amd64.debian.net, which is used for verifying packages for all.reproduce.debian.net (hosted by IONOS) has had its memory increased from 40 to 64GB, and the number of cores doubled to 32 as well. In addition, two nodes generously hosted by OSUOSL have had their memory doubled to 16GB.
- Lastly, we have been granted access to more
riscv64 architecture boards, so now we have seven such nodes, all with 16GB memory and 4 cores that are verifying packages for riscv64.reproduce.debian.net. Many thanks to PLCT Lab, ISCAS for providing those.
Outside of this, a number of smaller changes were also made by Holger Levsen:
-
reproduce.debian.net-related:
- Only use two workers for the
ppc64el architecture due to RAM size. [ ]
- Monitor
nginx_request and nginx_status with the Munin monitoring system. [ ][ ]
- Detect various variants of network and memory errors. [ ][ ][ ][ ]
- Add a prominent link to reproducible-builds.org. [ ]
- Add a
rebuilderd-cache-cleanup.service and run it daily via timer. [ ][ ][ ][ ][ ]
- Be more verbose what sources are being downloaded. [ ]
- Correctly deal with packages with an epoch in their version [ ] and deal with binNMUs versions with an epoch as well [ ][ ].
- Document how to reschedule all other errors on all archs. [ ]
- Misc documentation improvements. [ ][ ][ ][ ]
- Include the
$HOSTNAME variable in the rebuilderd logfiles. [ ]
- Install the
equivs package on all worker nodes. [ ][ ]
-
Jenkins nodes:
- Permit the
sudo tool to fix up permission issues. [ ][ ]
- Document how to manage diskspace with OpenStack. [ ]
- Ignore a number of spurious monitoring errors on
riscv64, FreeBSD, etc.. [ ][ ][ ][ ]
- Install
ntpsec-ntpdate (instead of ntpdate) as the former is available on Debian trixie and bookworm. [ ][ ]
- Use the same SSH
ControlPath for all nodes. [ ]
- Make sure the
munin user uses the same SSH config as the jenkins user. [ ]
-
tests.reproducible-builds.org-related:
-
Misc:
In addition, Jochen Sprickerhof made a series of changes related to reproduce.debian.net:
- Add out of memory detection to the statistics page. [ ]
- Reverse the sorting order on the statistics page. [ ][ ][ ][ ]
- Improve the spacing between statistics groups. [ ]
- Update a (hard-coded) line number in error message detection pertaining to a
debrebuild line number. [ ]
- Support Debian unstable in the
rebuilder-debian.sh script. [ ] ]
- Rely on
rebuildctl to sync only arch-specific packages. [ ][ ]
Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. This month, we wrote a large number of such patches, including:
-
Bernhard M. Wiedemann:
cmake/musescorenetdiscoverautotrace, ck, cmake, crash, cvsps, gexif, gq, gtkam, ibus-table-others, krb5-appl, ktoblzcheck-data, leafnode, lib2geom, libexif-gtk, libyui, linkloop, meson, MozillaFirefox, ncurses, notify-sharp, pcsc-acr38, pcsc-asedriveiiie-serial, pcsc-asedriveiiie-usb, pcsc-asekey, pcsc-eco5000, pcsc-reflex60, perl-Crypt-RC, python-boto3, python-gevent, python-pytest-localserver, qt6-tools, seamonkey, seq24, smictrl, sobby, solfege, urfkill, uwsgi, wsmancli, xine-lib, xkeycaps, xquarto, yast-control-center, yast-ruby-bindings and yastlibmfx-gen, libmfx, liboqs
-
Chris Hofstaedtler:
- #1104578 filed against
jabber-muc.
-
Chris Lamb:
- #1105171 filed against
golang-github-lucas-clemente-quic-go.
-
Jelle van der Waa:
-
Jochen Sprickerhof:
-
Zhaofeng Li:
- Add support for
--mtime and --clamp-mtime to bsdtar.
-
James Addison:
- #1105119 for
python3 requested enabling a LTO-adjacent option that should improve build reproducibility.
- #1106274 upstream fix merged for
freezegun for a timezone issue causing unit tests to fail during testing.
- Opened a pull request for
tutanota in an attempt to resolve a long-standing reproducibility issue.
-
Zbigniew J drzejewski-Szmek:
0xFFFF: Use SOURCE_DATE_EPOCH for date in manual pages.
Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
-
IRC:
#reproducible-builds on irc.oftc.net.
-
Mastodon: @reproducible_builds@fosstodon.org
-
Mailing list:
rb-general@lists.reproducible-builds.org
jenkins.debian.net server AMD Opteron to Intel Haswell CPUs. Thanks to IONOS for hosting this server since 2012.i386 architecture has been dropped from tests.reproducible-builds.org. This is because that, with the upcoming release of Debian trixie, i386 is no longer supported as a regular architecture there will be no official kernel and no Debian installer for i386 systems. As a result, a large number of nodes hosted by Infomaniak have been retooled from i386 to amd64.ionos17-amd64.debian.net, which is used for verifying packages for all.reproduce.debian.net (hosted by IONOS) has had its memory increased from 40 to 64GB, and the number of cores doubled to 32 as well. In addition, two nodes generously hosted by OSUOSL have had their memory doubled to 16GB.riscv64 architecture boards, so now we have seven such nodes, all with 16GB memory and 4 cores that are verifying packages for riscv64.reproduce.debian.net. Many thanks to PLCT Lab, ISCAS for providing those.- Only use two workers for the
ppc64elarchitecture due to RAM size. [ ] - Monitor
nginx_requestandnginx_statuswith the Munin monitoring system. [ ][ ] - Detect various variants of network and memory errors. [ ][ ][ ][ ]
- Add a prominent link to reproducible-builds.org. [ ]
- Add a
rebuilderd-cache-cleanup.serviceand run it daily via timer. [ ][ ][ ][ ][ ] - Be more verbose what sources are being downloaded. [ ]
- Correctly deal with packages with an epoch in their version [ ] and deal with binNMUs versions with an epoch as well [ ][ ].
- Document how to reschedule all other errors on all archs. [ ]
- Misc documentation improvements. [ ][ ][ ][ ]
- Include the
$HOSTNAMEvariable in the rebuilderd logfiles. [ ] - Install the
equivspackage on all worker nodes. [ ][ ]
- Permit the
sudotool to fix up permission issues. [ ][ ] - Document how to manage diskspace with OpenStack. [ ]
- Ignore a number of spurious monitoring errors on
riscv64, FreeBSD, etc.. [ ][ ][ ][ ] - Install
ntpsec-ntpdate(instead ofntpdate) as the former is available on Debian trixie and bookworm. [ ][ ] - Use the same SSH
ControlPathfor all nodes. [ ] - Make sure the
muninuser uses the same SSH config as thejenkinsuser. [ ]
debrebuild line number. [ ]rebuilder-debian.sh script. [ ] ]rebuildctl to sync only arch-specific packages. [ ][ ]-
Bernhard M. Wiedemann:
cmake/musescorenetdiscoverautotrace,ck,cmake,crash,cvsps,gexif,gq,gtkam,ibus-table-others,krb5-appl,ktoblzcheck-data,leafnode,lib2geom,libexif-gtk,libyui,linkloop,meson,MozillaFirefox,ncurses,notify-sharp,pcsc-acr38,pcsc-asedriveiiie-serial,pcsc-asedriveiiie-usb,pcsc-asekey,pcsc-eco5000,pcsc-reflex60,perl-Crypt-RC,python-boto3,python-gevent,python-pytest-localserver,qt6-tools,seamonkey,seq24,smictrl,sobby,solfege,urfkill,uwsgi,wsmancli,xine-lib,xkeycaps,xquarto,yast-control-center,yast-ruby-bindingsandyastlibmfx-gen,libmfx,liboqs
-
Chris Hofstaedtler:
- #1104578 filed against
jabber-muc.
- #1104578 filed against
-
Chris Lamb:
- #1105171 filed against
golang-github-lucas-clemente-quic-go.
- #1105171 filed against
- Jelle van der Waa:
- Jochen Sprickerhof:
-
Zhaofeng Li:
- Add support for
--mtimeand--clamp-mtimetobsdtar.
- Add support for
-
James Addison:
- #1105119 for
python3requested enabling a LTO-adjacent option that should improve build reproducibility. - #1106274 upstream fix merged for
freezegunfor a timezone issue causing unit tests to fail during testing. - Opened a pull request for
tutanotain an attempt to resolve a long-standing reproducibility issue.
- #1105119 for
-
Zbigniew J drzejewski-Szmek:
0xFFFF: UseSOURCE_DATE_EPOCHfor date in manual pages.
Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
-
IRC:
#reproducible-buildsonirc.oftc.net. - Mastodon: @reproducible_builds@fosstodon.org
-
Mailing list:
rb-general@lists.reproducible-builds.org
Debian 13 "Trixie" 
After cartridge pleating, the next fabric manipulation technique I
wanted to try was smocking, of the honeycombing variety, on a shirt.
My current go-to pattern for shirts is the 
In my stash I had a cut of purple-blue hopefully cotton [#cotton] I had
bought for a cheap price and used for my first attempt at an
Of course I wanted some honeycombing on the front, but I was afraid that
the slit in the middle of it would interfere with the honeycombing and
gape, so I decided to have the shirt open in an horizontal line at the
yoke.
I added instructions 
I also used a row of honeycombing on the back and two on the upper part
of the sleeves, instead of the gathering, and of course some rows to
gather the cuffs.
The honeycombing on the back was a bit too far away from the edge, so
it s a bit of an odd combination of honeycombing and pleating that I
don t hate, but don t love either. It s on the back, so I don t mind. On
the sleeves I ve done the honeycombing closer to the edge and I ve
decided to sew the sleeve as if it was a cartridge pleated sleeve, and
that worked better.
Because circumstances are still making access to my sewing machine
more of a hassle than I d want it to be, this was completely sewn by
hand, and at a bit more than a month I have to admit that near the end
it felt like it had been taken forever. I m not sure whether it was the
actual sewing being slow, some interruptions that happened when I had
little time to work on it, or the fact that I ve just gone through a
time when my brain kept throwing new projects at me, and I kept thinking
of how to make those. Thanks brain.
Even when on a hurry to finish it, however, it was still enjoyable
sewing, and I think I ll want to do more honeycombing in the future.
Anyway, it s done! And it s going straight into my daily garment
rotation, because the weather is getting hot, and that means it s
definitely shirt time.
University of Nairobi.
Our group at the conference.
View of Nairobi's skyline from the open area on the fifth floor.
A library in Mahatma Gandhi wing of the University of Nairobi.
One of the conference halls where talks took place.
One of the lunch meals served during the conference.
Minibus which took us from the university to Bao Box restaurant.
This minibus in the picture gave a sense of a real matatu.
To ease my nerves, I struck up a conversation with a man seated nearby who was
also traveling to Abu Dhabi for work. He provided helpful information about
safety and transportation in Abu Dhabi, which reassured me. With the boarding
process complete and my anxiety somewhat eased. I found my window seat on the
flight and settled in, excited for the journey ahead. Next to me was a young
man from Ranchi(Zarkhand, India), heading to Abu Dhabi for work at a mining
factory. We had an engaging conversation about work culture in Abu Dhabi and
recruitment from India.
Upon arriving in Abu Dhabi, I completed my transit, collected my luggage, and
began finding my way to the hotel 
I reached Tirana, Albania after a six hours flight, feeling exhausted and I was
suffering from a headache. The air pressure had blocked my ears, and jet lag
added to my fatigue. After collecting my checked luggage, I headed to the first
ATM machine at the airport. Struggling to insert my card, I asked a nearby
gentleman for help. He tried his best, but my card got stuck inside the
machine. Panic set in as I worried about how I would survive without money.
Taking a deep breath, I found an airport employee and explained the situation.
The gentleman stayed with me, offering support and repeatedly apologizing for
his mistake. However, it wasn t his fault, the ATM was out of order, which I
hadn t noticed. My focus was solely on retrieving my ATM card. The airport
employee worked diligently, using a hairpin to carefully extract my card.
Finally, the card was freed, and I felt an immense sense of relief, grateful
for the help of these kind strangers. I used another ATM, successfully withdrew
money, and then went to an airport mobile SIM shop to buy a new SIM card for
local internet and connectivity.
I found my top bunk bed, only to realize I had booked a mixed-gender
dormitory. This detail had completely escaped my notice during the booking
process. I felt unsure about how to handle the situation. Coincidentally,
my experience mirrored what Kangana faced in the movie Queen .
Feeling acidic due to an empty stomach and the exhaustion of heavy
traveling, I wasn t up to cooking in the hostel s kitchen.
I asked the front desk about the nearest restaurant. It was nearly 9:30 PM,
and the streets were deserted. To avoid any mishaps like in the movie
Queen, I kept my passport securely locked in my bag, ensuring it wouldn t
be a victim of theft.
Venturing out for dinner, I felt uneasy on the quiet streets. I eventually
found a restaurant recommended by the hostel, but the menu was almost
entirely non-vegetarian. I struggled to ask about vegetarian options and was
uncertain if any dishes contained eggs, as some people consider eggs to be
vegetarian. Feeling frustrated and unsure, I left the restaurant without
eating.
I noticed a nearby grocery store that was about to close and managed to get
a few extra minutes to shop. I bought some snacks, wafers, milk, and tea
bags (though I couldn t find tea powder to make Indian-style tea). Returning
to the hostel, I made do with wafers, cookies, and milk for dinner. That day
was incredibly tough for me, I filled with exhaustion and struggle in a new
country, I was on the verge of tears .
I made a video call home before sleeping on the top bunk bed. It was a new
experience for me, sharing a room with both unknown men and women. I kept my
passport safe inside my purse and under my pillow while sleeping, staying
very conscious about its security.
I took a bus from Shkod r to the southern part of Albania, heading to
Sarand . The journey lasted about five to six hours, and I had booked a stay
at 
And then up we went!
Martha was so proud when we landed! We went to Stearman Field, just a short 10-minute flight away, and parked the plane right in front of the restaurant.
We flew back, and Martha thought we should get a photo of her standing on the wing by the door. Great idea!
She was happily jabbering about the flight all the way home. She told us several times about the pin she got, watching out the window, watching all the screens in the airplane, and also that she didn t get sick at all despite some turbulence.
And, she says, Now just you and I can go flying!
Yes, that s something I m looking forward to!
(no site yet)
in October 2021. they generally seem to keep up with
shipping. update (august 2022): they rolled out a second line of
laptops (12th gen), first batch shipped, second batch