Changes in version 0.2.5 (2025-03-26)

• The continuous integration setup was updated several times
• Badges and URLs in README.md have been updated
• An updated interface from RApiSerialize is now used, and a versioned dependency on version 0.1.4 or later has been added
• The DESCRIPTION file now uses Authors@R
• Two possible bashisms have been converted in configure.ac
• The (fallback if needed) build of libhiredis.a now sets -DNDEBUG, four uses of sprintf converted to snprintf

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can sponsor me at GitHub.

• Bo Yu (vimer)
• Maytham Alsudany (maytham)
• Rebecca Natalie Palmer (mpalmer)

• NoisyCoil
• Arif Ali
• Julien Plissonneau Duqu ne
• Maarten Van Geijn
• Ben Collins

Debian Contributions: 2025-02 Contributing to Debian is part of Freexian s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

Debian.Social administration, by Stefano Rivera Over the last year, the Debian.social services outgrew the infrastructure that was supporting them. The matrix bridge in particular was hosted on a cloud instance backed by a large expensive storage volume. Debian.CH rented a new large physical server to host all these instances, earlier this year. Stefano set up Incus on the new physical machine and migrated all the old debian.social LXC Containers, libvirt VMs, and cloud instances into Incus-managed LXC containers. Stefano set up Prometheus monitoring and alerts for the new infrastructure and a Grafana dashboard. The current stack of debian.social services seem to comfortably fit on the new machine, with good room to grow.

DebConf 25, by Santiago Ruano Rinc n and Stefano Rivera DebConf 25 preparations continue. The team is currently finalizing a budget. Stefano helped to review the current budget proposals and suggest approaches for balancing it. Stefano installed a Zammad instance to organize queries from attendees, for the registration and visa teams. Santiago continued discussions with possible caterers so we can have options for the different diet requirements and that could fit into the DebConf budget. Also, in collaboration with Anupa, Santiago pushed the first draft changes to document the venue information in the DebConf 25 website and how to get to Brest.

Time-based test failure in requests, by Colin Watson Colin fixed a fun bug in the Python requests package. Santiago Vila has been running tests of what happens when Debian packages are built on a system in which time has been artificially set to somewhere around the end of the support period for the next Debian release, in order to make it easier to do things like issuing security updates for the lifetime of that release. In this case, the failure indicated an expired test certificate, and since the repository already helpfully included scripts to regenerate those certificates, it seemed natural to try regenerating them just before running tests. However, this failed for more obscure reasons and Colin spent some time investigating. This turned out to be because the test CA was missing the CA constraint and so recent versions of OpenSSL reject it; Colin sent a pull request to fix this.

Priority list for outdated packages, by Santiago Ruano Rinc n Santiago started a discussion on debian-devel about packages that have a history of security issues and that are outdated regarding new upstream releases. The goal of the mentioned effort is to have a prioritized list of packages needing some work, from a security point of view. Moreover, the aim of publicly sharing the list of packages with the Debian Developers community is to make it easier to look at the packages maintained by teams, or even other maintainers where help could be welcome. Santiago is planning to take into account the feedback provided in debian-devel and to propose a tooling that could help to regularly bring collective awareness of these packages.

Miscellaneous contributions

• Carles worked on English to Catalan po-debconf translations: reviewed translations, created merge requests and followed up with developers for more than 30 packages using po-debconf-manager.
• Carles helped users, fixed bugs and implemented downloading updated templates on po-debconf-manager.
• Carles packaged a new upstream version of python-pyaarlo.
• Carles improved reproducibility of qnetload (now reported as reproducible) and simplemonitor (followed up with upstream and pending update of Debian package).
• Carles collaborated with debian-history package: fixed FTBFS from master branch, enabled salsa-ci and investigated reproducibility.
• Emilio improved support for automatically marking CVEs as NOT-FOR-US in the security-tracker, closing #1073012.
• Emilio updated xorg-server and xwayland in unstable, fixing the last round of security vulnerabilities.
• Stefano prepared a few PyPy and cPython uploads, and started the python3.13-only transition.
• Helmut Grohne sent patches for 24 cross build failures.
• Helmut fixed two problems in the Debian /usr-merge analysis tool. In one instance, it would overmatch Debian bugs to issues and in another it would fail to recognize Pre-Depends as a conflict mechanism.
• Helmut attempted making rebootstrap work for gcc-15 with limited success as very many packages FTBFS with gcc-15 due to using function declarations without arguments.
• Helmut provided a change to the security-tracker that would pre-compute /data/json during database updates rather than on demand resulting in a reduced response time.
• Colin uploaded OpenSSH security updates for testing/unstable, bookworm, bullseye, buster, and stretch.
• Colin fixed upstream monitoring for 26 Python packages, and upgraded 54 packages (mostly Python-related, but also PuTTY) to new upstream versions.
• Colin updated python-django in bookworm-backports to 4.2.18 (issuing BSA-121), and added new backports of python-django-dynamic-fixture and python-django-pgtrigger, all of which are dependencies of debusine.
• Thorsten Alteholz finally managed to upload hplip to fix two release critical and some normal bugs. The next step in March would be to upload the latest version of hplip.
• Faidon updated crun in unstable & trixie, resolving a long-standing request of enabling criu support and thus enabling podman with checkpoint/restore functionality (With gratitude to Salvatore Bonaccorso and Reinhard Tartler for the cooperation and collaboration).
• Faidon uploaded a number of packages (librdkafka, libmaxminddb, python-maxminddb, lowdown, tox, tox-uv, pyproject-api, xiccd and gdnsd) bringing them up to date with new upstream releases, resolving various bugs.
• Lucas Kanashiro uploaded some ruby packages involved in the Rails 7 transition with new upstream releases.
• Lucas triaged a ruby3.1 bug (#1092595)) and prepared a fix for the next stable release update.
• Lucas set up the needed wiki pages and updated the Debian Project status in the Outreachy portal, in order to send out a call for projects and mentors for the next round of Outreachy.
• Anupa joined Santiago to prepare a list of companies to contact via LinkedIn for DebConf 25 sponsorship.
• Anupa printed Debian stickers and sponsorship brochures, flyers for DebConf 25 to be distributed at FOSS ASIA summit 2025.
• Anupa participated in the Debian publicity team meeting and discussed the upcoming events and tasks.
• Rapha l packaged zim 0.76.1 and integrated an upstream patch for another regression that he reported.
• Rapha l worked with the Debian System Administrators for tracker.debian.org to better cope with gmail s requirement for mails to be authenticated.

• 06 rooms in parallel on Saturday;
• 02 auditoriums in parallel on Monday and Tuesday;
• 30 talks/BoFs of all levels;
• 05 workshops for hands-on activities;
• 09 lightning talks on general topics;
• 01 Live Electronics performance with Free Software;
• Install fest to install Debian on attendees' laptops;
• BSP (Bug Squashing Party);
• Uploads of new or updated packages.

• Total people registered: 399
• Total attendees in the event: 224

• Food: 69
• Accommodation: 20
• Travel: 18

• Youtube - Peertube
• video.debian.net And see the photos taken by several collaborators in the links below:
• Google photos
• Nextcloud

• Collabora

• Jedai.ai
• Toradex Brasil
• Globo.com
• Policorp Tecnologia

• BRDSoft - Tecnologias para TI e Telecomunica es
• EITA - Cooperativa de Trabalho Educa o, Informa o e Tecnologia para Autogest o Supporters
• ICTL - Instituto para Conserva o de Tecnologias Livres - Nazinha Alimentos
• DACOMPSI

• Projeto Debian
• Comunidade Debian Brasil
• Comunidade Debian MG
• DCC/UFMG - Departamento de Ci ncia da Computa o da Universidade Federal de Minas Gerais

1. Reproducible Builds at FOSDEM 2025
2. Reproducible Builds at PyCascades 2025
3. Does Functional Package Management Enable Reproducible Builds at Scale?
4. reproduce.debian.net updates
5. Upstream patches
6. Distribution work
7. diffoscope & strip-nondeterminism
8. Website updates
9. Reproducibility testing framework

Reproducible Builds at FOSDEM 2025 Similar to last year s event, there was considerable activity regarding Reproducible Builds at FOSDEM 2025, held on on 1st and 2nd February this year in Brussels, Belgium. We count at least four talks related to reproducible builds. (You can also read our news report from last year s event in which Holger Levsen presented in the main track.)
Jelle van der Waa, Holger Levsen and kpcyrd presented in the Distributions track on A Tale of several distros joining forces for a common goal. In this talk, three developers from two different Linux distributions (Arch Linux and Debian), discuss this goal which is, of course, reproducible builds. The presenters discuss both what is shared and different between the two efforts, touching on the history and future challenges alike. The slides of this talk are available to view, as is the full video (30m02s). The talk was also discussed on Hacker News.
Zbigniew J drzejewski-Szmek presented in the ever-popular Python track a on Rewriting .pyc files for fun and reproducibility, i.e. the bytecode files generated by Python in order to speed up module imports: It s been known for a while that those are not reproducible: on different architectures, the bytecode for exactly the same sources ends up slightly different. The slides of this talk are available, as is the full video (28m32s).
In the Nix and NixOS track, Julien Malka presented on the Saturday asking How reproducible is NixOS: We know that the NixOS ISO image is very close to be perfectly reproducible thanks to reproducible.nixos.org, but there doesn t exist any monitoring of Nixpkgs as a whole. In this talk I ll present the findings of a project that evaluated the reproducibility of Nixpkgs as a whole by mass rebuilding packages from revisions between 2017 and 2023 and comparing the results with the NixOS cache. Unfortunately, no video of the talk is available, but there is a blog and article on the results.
Lastly, Simon Tournier presented in the Open Research track on the confluence of GNU Guix and Software Heritage: Source Code Archiving to the Rescue of Reproducible Deployment. Simon s talk describes design and implementation we came up and reports on the archival coverage for package source code with data collected over five years. It opens to some remaining challenges toward a better open and reproducible research. The slides for the talk are available, as is the full video (23m17s).

Reproducible Builds at PyCascades 2025 Vagrant Cascadian presented at this year s PyCascades conference which was held on February 8th and 9th February in Portland, OR, USA. PyCascades is a regional instance of PyCon held in the Pacific Northwest. Vagrant s talk, entitled Re-Py-Ducible Builds caught the audience s attention with the following abstract:

Crank your Python best practices up to 11 with Reproducible Builds! This talk will explore Reproducible Builds by highlighting issues identified in Python projects, from the simple to the seemingly inscrutable. Reproducible Builds is basically the crazy idea that when you build something, and you build it again, you get the exact same thing or even more important, if someone else builds it, they get the exact same thing too.

More info is available on the talk s page.

Does Functional Package Management Enable Reproducible Builds at Scale? On our mailing list last month, Julien Malka, Stefano Zacchiroli and Th o Zimmermann of T l com Paris in-house research laboratory, the Information Processing and Communications Laboratory (LTCI) announced that they had published an article asking the question: Does Functional Package Management Enable Reproducible Builds at Scale? (PDF). This month, however, Ludovic Court s followed up to the original announcement on our mailing list mentioning, amongst other things, the Guix Data Service and how that it shows the reproducibility of GNU Guix over time, as described in a GNU Guix blog back in March 2024.

reproduce.debian.net updates The last few months have seen the introduction of reproduce.debian.net. Announced first at the recent Debian MiniDebConf in Toulouse, reproduce.debian.net is an instance of rebuilderd operated by the Reproducible Builds project. Powering this work is rebuilderd, our server which monitors the official package repositories of Linux distributions and attempt to reproduce the observed results there. This month, however, Holger Levsen:

• Split packages that are not specific to any architecture away from amd64.reproducible.debian.net service into a new all.reproducible.debian.net page.
• Increased the number of riscv64 nodes to a total of 4, and added a new amd64 node added thanks to our (now 10-year sponsor), IONOS.
• Discovered an issue in the Debian build service where some new incoming build-dependencies do not end up historically archived.
• Uploaded the devscripts package, incorporating changes from Jochen Sprickerhof to the debrebuild script specifically to fix the handling the Rules-Requires-Root header in Debian source packages.
• Uploaded a number of Rust dependencies of rebuilderd (rust-libbz2-rs-sys, rust-actix-web, rust-actix-server, rust-actix-http, rust-actix-server, rust-actix-http, rust-actix-web-codegen and rust-time-tz) after they were prepared by kpcyrd :

Jochen Sprickerhof also updated the sbuild package to:

• Obey requests from the user/developer for a different temporary directory.
• Use the root/superuser for some values of Rules-Requires-Root.
• Don t pass --root-owner-group to old versions of dpkg.

and additionally requested that many Debian packages are rebuilt by the build servers in order to work around bugs found on reproduce.debian.net. [ ][[ ][ ]
Lastly, kpcyrd has also worked towards getting rebuilderd packaged in NixOS, and Jelle van der Waa picked up the existing pull request for Fedora support within in rebuilderd and made it work with the existing Koji rebuilderd script. The server is being packaged for Fedora in an unofficial copr repository and in the official repositories after all the dependencies are packaged.

Upstream patches The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

• Andrea Manzini:
  • rust-i8n (random HashMap order)
  • starship/shadow
• Andreas Stieger:
  • tucnak
• Bernhard M. Wiedemann:
  • aioquic
  • built
  • difftastic
  • ghostscript
  • gputils/sdcc
  • hdf5
  • html5ever (fixed upstream)
  • khal
  • lkl
  • neovim
  • nlopt
  • nushell
  • palo
  • python-numpy
  • schismtracker
  • sequoia (2)
  • tvm
  • uhd
  • wsjtx
  • xmlgraphics-fop
  • zig
• Chris Lamb:
  • #1095209 filed against python-assertpy.
  • #1096188 filed against terminaltables3.
  • #1098249 filed against acme.sh.
  • #1098251 filed against node-svgdotjs-svg.js.
  • #1098253 filed against onevpl-intel-gpu.
  • #1098350 filed against rocdbgapi.
  • #1098895 filed against siege.
  • #1098945 filed against pkg-rocm-tools.
• Christian Goll:
  • warewulf4 (embeds CPU core count)
• Jay Adddison:
  • linux-docs
• Jochen Sprickerhof:
  • #1098867 filed against spdlog.
• kpcyrd:
  • perl (hostname)
  • pam (timestamp)
• Leonidas Spyropoulos:
  • curl ( (bug, terminal size undeterministic)
• Robin Candau (Antiz):
  • highlight (timestamp)
  • arch-wiki-lite (timestamp)
  • f3d (timestamp)
  • jacktrip (timestamp)
  • prometheus (timestamp)
• Wolfgang Frisch:
  • bcc (instruct Lua to be deterministic)
  • crash (Makefile race)
• Hongxu Jia:
  • go (clear GOROOT for func ldShared when -trimpath is used)

Distribution work There as been the usual work in various distributions this month, such as: In Debian, 17 reviews of Debian packages were added, 6 were updated and 8 were removed this month adding to our knowledge about identified issues.
Fedora developers Davide Cavalca and Zbigniew J drzejewski-Szmek gave a talk on Reproducible Builds in Fedora (PDF), touching on SRPM-specific issues as well as the current status and future plans.
Thanks to an investment from the Sovereign Tech Agency, the FreeBSD project s work on unprivileged and reproducible builds continued this month. Notable fixes include:

• pkg (hash ordering)
• makefs (source filesystem inode number leakage)
• FreeBSD base system packages (timestamp)

The Yocto Project has been struggling to upgrade to the latest Go and Rust releases due to reproducibility problems in the newer versions. Hongxu Jia tracked down the issue with Go which meant that the project could upgrade from the 1.22 series to 1.24, with the fix being submitted upstream for review (see above). For Rust, however, the project was significantly behind, but has made recent progress after finally identifying the blocking reproducibility issues. At time of writing, the project is at Rust version 1.82, with patches under review for 1.83 and 1.84 and fixes being discussed with the Rust developers. The project hopes to improve the tests for reproducibility in the Rust project itself in order to try and avoid future regressions. Yocto continues to maintain its ability to binary reproduce all of the recipes in OpenEmbedded-Core, regardless of the build host distribution or the current build path.
Finally, Douglas DeMaio published an article on the openSUSE blog on announcing that the Reproducible-openSUSE (RBOS) Project Hits [Significant] Milestone. In particular:

The Reproducible-openSUSE (RBOS) project, which is a proof-of-concept fork of openSUSE, has reached a significant milestone after demonstrating a usable Linux distribution can be built with 100% bit-identical packages.

This news was also announced on our mailing list by Bernhard M. Wiedemann, who also published another report for openSUSE as well.

diffoscope & strip-nondeterminism diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions 288 and 289 to Debian:

• Add asar to DIFFOSCOPE_FAIL_TESTS_ON_MISSING_TOOLS in order to address Debian bug #1095057) [ ]
• Catch a CalledProcessError when calling html2text. [ ]
• Update the minimal Black version. [ ]

Additionally, Vagrant Cascadian updated diffoscope in GNU Guix to version 287 [ ][ ] and 288 [ ][ ] as well as submitted a patch to update to 289 [ ]. Vagrant also fixed an issue that was breaking reprotest on Guix [ ][ ]. strip-nondeterminism is our sister tool to remove specific non-deterministic results from a completed build. This month version 1.14.1-2 was uploaded to Debian unstable by Holger Levsen.

Website updates There were a large number of improvements made to our website this month, including:

• Bernhard M. Wiedemann fixed an issue on the Commandments of reproducible builds fixing a link to the readdir component of Bernhard s own Unreproducible Package. [ ]
• Holger Levsen clarified the name of a link to our old Wiki pages on the History page [ ] and added a number of new links to the Talks & Resources page [ ][ ].
• James Addison update the website s own README file to document a couple of additional dependencies [ ][ ], as well as did more work on a future Getting Started guide page [ ][ ].

Reproducibility testing framework The Reproducible Builds project operates a comprehensive testing framework running primarily at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility. In January, a number of changes were made by Holger Levsen, including:

• reproduce.debian.net-related:
  • Add a helper script to manually schedule packages. [ ][ ][ ][ ][ ]
  • Fix a link in the website footer. [ ]
  • Strip the emojis from package names on the manual rebuilder in order to ease copy-and-paste. [ ]
  • On the various statistics pages, provide the number of affected source packages [ ][ ] as well as provide various totals [ ][ ].
  • Fix graph labels for the various architectures [ ][ ] and make them clickable too [ ][ ][ ].
  • Break the displayed HTML in blocks of 256 packages in order to address rendering issues. [ ][ ]
  • Add monitoring jobs for riscv64 archicture nodes and integrate them elsewhere in our infrastructure. [ ][ ]
  • Add riscv64 architecture nodes. [ ][ ][ ][ ][ ]
  • Update much of the documentation. [ ][ ][ ]
  • Make a number of improvements to the layout and style. [ ][ ][ ][ ][ ][ ][ ]
  • Remove direct links to JSON and database backups. [ ]
  • Drop a Blues Brothers reference from frontpage. [ ]
• Debian-related:
  • Deal with /boot/vmlinuz* being called vmlinux* on the riscv64 architecture. [ ]
  • Add a new ionos17 node. [ ][ ][ ][ ][ ]
  • Install debian-repro-status on all Debian trixie and unstable jobs. [ ]
• FreeBSD-related:
  • Switch to run latest branch of FreeBSD. [ ]
• Misc:
  • Fix /etc/cron.d and /etc/logrotate.d permissions for Jenkins nodes. [ ]
  • Add support for riscv64 architecture nodes. [ ][ ]
  • Grant Jochen Sprickerhof access to the o4 node. [ ]
  • Disable the janitor-setup-worker. [ ][ ]

In addition:

• kpcyrd fixed the /all/api/ API endpoints on reproduce.debian.net by altering the nginx configuration. [ ]
• James Addison updated reproduce.debian.net to display the so-called bad reasons hyperlink inline [ ] and merged the Categorized issues links into the Reproduced builds column [ ].
• Jochen Sprickerhof also made some reproduce.debian.net-related changes, adding support for detecting a bug in the mmdebstrap package [ ] as well as updating some documentation [ ].
• Roland Clobus continued their work on reproducible live images for Debian, making changes related to new clustering of jobs in openQA. [ ]

And finally, both Holger Levsen [ ][ ][ ] and Vagrant Cascadian performed significant node maintenance. [ ][ ][ ][ ][ ]
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.
• Mastodon: @reproducible_builds@fosstodon.org
• Mailing list: rb-general@lists.reproducible-builds.org
• Twitter/X: @ReproBuilds

Why arm64? The arm64 platform is already popular on (cloud) servers and is being pushed quite actively by the cloud vendors. AWS calls their cpu graviton , GCS calls it axion . General servers call the cpu ampere ; on laptop / desktops it is branded snapdragon or cortex or something else. Apple calls their variant M1, M2, up to M4 by now (and Linux support exists for the brave, it is less straightforward). What these have in common is a generally more favourable power consumed to ops provided ratio. That makes these cheaper to run or rent on cloud providers. And in laptops they tend to last longer on a single charge too. Distributions such as Debian, Ubuntu, Fedora had arm64 for many years. In fact, the CRAN binaries of R, being made as builds at launchpad.net long provided arm64 in Michael s repo, we now also mirror these to CRAN. Similarly, Docker has long supported containers. And last but not least two issue tickets (#40, #55) had asked a while back.

So Why Now? Good question. I still do not own any hardware with it, and I have not (yet?) bothered with the qemu-based emulation layer. The real difference maker was the recent availability of GitHub Actions instances of ubuntu-24.04-arm (and now apparently also for 22.04). So I started some simple experiments which made it clear this was viable.

What Does It Mean for a CRAN Repo? Great question. As is commonly known, of the (currently) 22.1k CRAN packages, a little under 5k are compiled . Why does this matter? Because the Linux distributions know what they are doing. The 17k (give or take) packages that do not contain compiled code can be used as is (!!) on another platform. Debian and Ubuntu call these builds binary: all as they work all platforms as is . The others go by binary: any and will work on any platform for which they have been built. So we are looking at roughly 5k new binaries.

So How Many Are There? As I write this in early March, roughly 4.5k of the 5k. Plus the 17.1k binary: all and we are looking at near complete coverage!

So What Is The Current State? Pretty complete. Compare to the amd64 side of things, we do not (yet ?) have BioConductor support; this may be added. A handful of packages do not compile because their builds seem to assume Linux so must be amd64 and fail over cpu instructions. Similarly, a few packages want to download binary build blobs (my own Rblpapi among them) but none exist for arm64. Such is life. We will try to fix builds as time permits and report build issues to the respective upstream repos. Help in that endeavour would be most welcome. But all the big and slow compiles one may care about (hello duckdb, hello arrow, ) are there. Which is pretty exciting!

How Does One Get Started? In GitHub Actions, just pick ubuntu-24.04-arm as the platform, and use the r-ci or r2u-setup actiions. A first test yaml exists worked (though this last version had the arm64 runner commented out again). (And no, arm64 was not faster than amd64. More tests needed.) For simple tests, Docker. The rocker/r-ubuntu:24.04 container exists for arm64 (see here), and one can add r2u support as is done in this Dockerfile which is used by the builds and available as eddelbuettel/r2u_build:noble. I will add the standard rocker/r2u:24.04 container (or equally rocker/r2u:noble) in a day or two, I had not realised I wasn t making them for arm64. One a real machine such as a cloud instance or a proper instance, just use the standard r2u script for noble aka 24.04 available here. The key lines are the two lines

echo "deb [arch=amd64,arm64] https://r2u.stat.illinois.edu/ubuntu noble main" \
    > /etc/apt/sources.list.d/cranapt.list

# ...

echo "deb [arch=amd64,arm64] https://cloud.r-project.org/bin/linux/ubuntu noble-cran40/" \
     > /etc/apt/sources.list.d/cran_r.list

creating the apt entry and which are now arm64-aware. After that, apt works as usual, and of course r2u works as usual thanks also to bspm so you can just do, say

install.packages(c("tidyverse", "brms", "rstan", "sf", "terra"))

and enjoy the binaries rolling in. So give it a whirl if you have access to such hardware. We look forward to feedback, suggestes, feature requests or bug reports. Let us know how it goes!

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can now sponsor me at GitHub.

• icoutils (contributed upstream)
• kali
• parted
• python-setproctitle
• vigor

• cssutils (this in particular was very out of date due to a new and active upstream maintainer since 2021)
• django-assets
• django-celery-email
• django-sass
• django-yarnpkg
• json-tricks
• mercurial-extension-utils
• pydbus
• pydispatcher
• pylint-celery
• pyspread
• pytest-pretty
• python-apptools
• python-django-libsass (contributed a packaging fix upstream in passing)
• python-django-postgres-extra
• python-django-waffle
• python-ephemeral-port-reserve
• python-ifaddr
• python-log-symbols
• python-msrest
• python-msrestazure
• python-netdisco
• python-pathtools
• python-user-agents
• sinntp
• wchartype

• cssutils (contributed a packaging tweak upstream)
• django-iconify
• django-sass
• domdf-python-tools
• extra-data (fixing a numpy 2.0 failure)
• flufl.i18n
• json-tricks
• jsonpickle
• mercurial-extension-utils
• mod-wsgi
• nbconvert
• orderly-set
• pydispatcher (contributed a Python 3.12 fix upstream)
• pylint
• pytest-rerunfailures
• python-asyncssh
• python-box (contributed a packaging fix upstream)
• python-charset-normalizer
• python-django-constance
• python-django-guid
• python-django-pgtrigger
• python-django-waffle
• python-djangorestframework-simplejwt
• python-formencode
• python-holidays (contributed a test fix upstream)
• python-legacy-cgi
• python-marshmallow-polyfield (fixing a test failure)
• python-model-bakery
• python-mrcz (fixing a numpy 2.0 failure)
• python-netdisco
• python-npe2
• python-persistent
• python-pkginfo (fixing a test failure)
• python-proto-plus
• python-requests-ntlm
• python-roman
• python-semantic-release
• python-setproctitle
• python-stdlib-list
• python-trustme
• python-typeguard (fixing a test failure)
• python-tzlocal
• pyzmq
• setuptools-scm
• sqlfluff
• stravalib
• tomopy
• trove-classifiers
• xhtml2pdf (fixing CVE-2024-25885)
• xonsh
• zodbpickle
• zope.deprecation
• zope.testrunner

• cython
• dask
• deepdish
• hickle (contributed upstream)
• mdp (contributed upstream)
• mypy
• pillow
• pynput
• python-fonticon-fontawesome6
• python-persistent (contributed upstream)
• python-srsly

• django-memoize: autopkgtest must be marked superficial
• extra-data: extra-data: please add autopkgtests (to add coverage for python3-numpy)
• fpylll: missing dependency on numpy abi
• python-box: autopkgtest must be marked superficial
• python-hdmedians: missing dependency on numpy abi
• python-legacy-cgi: missing requirement: openstack-pkg-tools
• python-tzlocal: doesn t run any tests during the build or as autopkgtest
• requests: will FTBFS during trixie support period (contributed supporting fix upstream)
• setuptools-scm: project was renamed from setuptools_scm to setuptools-scm

Debian LTS contributors In January, 20 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 8.0h (out of 14.0h assigned), thus carrying over 6.0h to the next month.
• Adrian Bunk did 36.5h (out of 47.75h assigned and 52.25h from previous period), thus carrying over 63.5h to the next month.
• Andrej Shadura did 11.0h (out of 11.0h assigned and 4.0h from previous period), thus carrying over 4.0h to the next month.
• Arturo Borrero Gonzalez did 9.0h (out of 10.0h assigned), thus carrying over 1.0h to the next month.
• Bastien Roucari s did 22.0h (out of 22.0h assigned).
• Ben Hutchings did 8.0h (out of 21.0h assigned and 3.0h from previous period), thus carrying over 16.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 20.0h (out of 23.0h assigned and 3.0h from previous period), thus carrying over 6.0h to the next month.
• Emilio Pozuelo Monfort did 34.0h (out of 7.0h assigned and 27.75h from previous period), thus carrying over 0.75h to the next month.
• Guilhem Moulin did 3.25h (out of 20.0h assigned), thus carrying over 16.75h to the next month.
• Jochen Sprickerhof did 23.0h (out of 15.0h assigned and 8.0h from previous period).
• Lee Garrett did 15.75h (out of 8.5h assigned and 51.5h from previous period), thus carrying over 44.25h to the next month.
• Lucas Kanashiro did 8.0h (out of 32.0h assigned and 32.0h from previous period), thus carrying over 56.0h to the next month.
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Roberto C. S nchez did 14.75h (out of 13.5h assigned and 10.5h from previous period), thus carrying over 9.25h to the next month.
• Santiago Ruano Rinc n did 21.75h (out of 18.75h assigned and 6.25h from previous period), thus carrying over 3.25h to the next month.
• Sean Whitton did 8.5h (out of 8.5h assigned).
• Sylvain Beucler did 10.5h (out of 0.0h assigned and 49.5h from previous period), thus carrying over 39.0h to the next month.
• Thorsten Alteholz did 11.0h (out of 11.0h assigned).
• Tobias Frost did 12.0h (out of 12.0h assigned).

Evolution of the situation In January, we have released 33 DLAs. There were numerous security and non-security updates to Debian 11 (codename bullseye ) during January.

• Notable security updates:
  • rsync, prepared by Thorsten Alteholz, fixed several CVEs (including information leak and path traversal vulnerabilities)
  • tomcat9, prepared by Markus Koschany, fixed several CVEs (including denial of service and information disclosure vulnerabilities)
  • ruby2.7, prepared by Bastien Roucari s, fixed several CVEs (including denial of service vulnerabilities)
  • tiff, prepared by Adrian Bunk, fixed several CVEs (including NULL ptr, buffer overflow, use-after-free, and segfault vulnerabilities)
• Notable non-security updates:
  • linux-6.1, prepared by Ben Hutchings, has been packaged for bullseye (this was done specifically to provide a supported upgrade path for systems that currently use kernel packages from the bullseye-backports suite)
  • debian-security-support, prepared by Santiago Ruano Rinc n, which formalized the EOL of intel-mediasdk and node-matrix-js-sdk

In addition to the security and non-security updates targeting bullseye , various LTS contributors have prepared uploads targeting Debian 12 (codename bookworm ) with fixes for a variety of vulnerabilities. Abhijith PA prepared an upload of puma; Bastien Roucari s prepared an upload of node-postcss with fixes for data processing and denial of service vulnerabilities; Daniel Leidert prepared updates for setuptools, python-asyncssh, and python-tornado; Lee Garrett prepared an upload of ansible-core; and Guilhem Moulin prepared updates for python-urllib3, sqlparse, and opensc. Santiago Ruano Rinc n also worked on tracking and filing some issues about packages that need an update in recent releases to avoid regressions on upgrade. This relates to CVEs that were fixed in buster or bullseye, but remain open in bookworm. These updates, along with Santiago s work on identifying and tracking similar issues, underscore the LTS Team s commitment to ensuring that the work we do as part of LTS also benefits the current Debian stable release. LTS contributor Sean Whitton also prepared an upload of jinja2 and Santiago Ruano Rinc n prepared an upload of openjpeg2 for Debian unstable (codename sid ), as part of the LTS Team effort to assist with package uploads to unstable.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • Toshiba Corporation (for 112 months)
  • Civil Infrastructure Platform (CIP) (for 80 months)
  • VyOS Inc (for 44 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 122 months)
  • Akamai - Linode (for 116 months)
  • Babiel GmbH (for 106 months)
  • Plat Home (for 105 months)
  • University of Oxford (for 62 months)
  • Deveryware (for 49 months)
  • EDF SA (for 34 months)
  • Dataport A R (for 9 months)
  • CERN (for 7 months)
• Silver sponsors:
  • Domeneshop AS (for 127 months)
  • Nantes M tropole (for 121 months)
  • Univention GmbH (for 113 months)
  • Universit Jean Monnet de St Etienne (for 113 months)
  • Ribbon Communications, Inc. (for 107 months)
  • Exonet B.V. (for 97 months)
  • Leibniz Rechenzentrum (for 91 months)
  • Minist re de l Europe et des Affaires trang res (for 75 months)
  • Cloudways by DigitalOcean (for 64 months)
  • Dinahosting SL (for 62 months)
  • Bauer Xcel Media Deutschland KG (for 56 months)
  • Platform.sh SAS (for 56 months)
  • Moxa Inc. (for 50 months)
  • sipgate GmbH (for 48 months)
  • OVH US LLC (for 46 months)
  • Tilburg University (for 46 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 37 months)
  • Soliton Systems K.K. (for 34 months)
  • THINline s.r.o. (for 10 months)
  • Copenhagen Airports A/S (for 4 months)
• Bronze sponsors:
  • Evolix (for 127 months)
  • Seznam.cz, a.s. (for 127 months)
  • Intevation GmbH (for 124 months)
  • Linuxhotel GmbH (for 124 months)
  • Daevel SARL (for 123 months)
  • Bitfolk LTD (for 122 months)
  • Megaspace Internet Services GmbH (for 122 months)
  • Greenbone AG (for 121 months)
  • NUMLOG (for 121 months)
  • WinGo AG (for 120 months)
  • Entr ouvert (for 111 months)
  • Adfinis AG (for 109 months)
  • Tesorion (for 104 months)
  • GNI MEDIA (for 103 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 103 months)
  • Bearstech (for 95 months)
  • LiHAS (for 95 months)
  • Catalyst IT Ltd (for 90 months)
  • Supagro (for 85 months)
  • Demarcq SAS (for 84 months)
  • Universit Grenoble Alpes (for 70 months)
  • TouchWeb SAS (for 62 months)
  • SPiN AG (for 59 months)
  • CoreFiling (for 55 months)
  • Institut des sciences cognitives Marc Jeannerod (for 50 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 46 months)
  • Tem Innovations GmbH (for 41 months)
  • WordFinder.pro (for 40 months)
  • CNRS DT INSU R sif (for 39 months)
  • Alter Way (for 32 months)
  • Institut Camille Jordan (for 22 months)
  • SOBIS Software GmbH (for 7 months)

Debian Contributions: 2025-01 Contributing to Debian is part of Freexian s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

Python 3.13 is now the default Python 3 version in Debian, by Stefano Rivera and Colin Watson The Python 3.13 as default transition has now completed. The next step is to remove Python 3.12 from the archive, which should be very straightforward, it just requires rebuilding C extension packages in no particular order. Stefano fixed some miscellaneous bugs blocking the completion of the 3.13 as default transition.

Fixing qtpaths6 for cross compilation, by Helmut Grohne While Qt5 used to use qmake to query installation properties, Qt6 is moving more and more to CMake and to ease that transition it relies on more qtpaths. Since this tool is not naturally aware of the architecture it is called for, it tends to produce results for the build architecture. Therefore, more than 100 packages were picking up a multiarch directory for the build architecture during cross builds. In collaboration with the Qt/KDE team and Sandro Knau in particular (none affiliated with Freexian), we added an architecture-specific wrapper script in the same way qmake has one for Qt5 and Qt6 already. The relevant CMake module has been updated to prefer the triplet-prefixed wrapper. As a result, most of the KDE packages now cross build on unstable ready in time for the trixie release.

/usr-move, by Helmut Grohne In December, Emil S dergren reported that a live-build was not working for him and in January, Colin Watson reported that the proposed mitigation for debian-installer-utils would practically fail. Both failures were to be attributed to a wrong understanding of implementation-defined behavior in dpkg-divert. As a result, all M18 mitigations had to be reviewed and many of them replaced. Many have been uploaded already and all instances have received updated patches. Even though dumat has been in operation for more than a year, it gained recent changes. For one thing, analysis of architectures other than amd64 was requested. Chris Hofstaedler (not affiliated with Freexian) kindly provided computing resources for repeatedly running it on the larger set. Doing so revealed various cross-architecture undeclared file conflicts in gcc, glibc, and binutils-z80, but it also revealed a previously unknown /usr-move issue in rpi.rpi-common. On top of that, dumat produced false positive diagnostics and wrongly associated Debian bugs in some cases, both of which have now been fixed. As a result, a supposedly fixed python3-sepolicy issue had to be reopened.

rebootstrap, by Helmut Grohne As much as we think of our base system as stable, it is changing a lot and the architecture cross bootstrap tooling is very sensitive to such changes requiring permanent maintenance. A problem that recently surfaced was that building a binutils cross toolchain would result in a binutils-for-host package that would not be practically installable as it would depend on a binutils-common package that was not built. This turned into an examination of binutils-common and noticing that it actually differed across architectures even though it should not. Johannes Schauer Marin Rodrigues (not affiliated with Freexian) and Colin Watson kindly helped brainstorm possible solutions. Eventually, Helmut provided a patch to move gprofng bits out of binutils-common. Independently, Matthias Klose (not affiliated with Freexian) split out binutils-gold into a separate source package. As a result, binutils-common is now equal across architectures and can be marked Multi-Arch: foreign resolving the initial problem.

Salsa CI, by Santiago Ruano Rinc n Santiago continued the work about the sbuild support for Salsa CI, that was mentioned in the previous month report. The !568 merge request that created the new build image was merged, making it easier to test !569 with external projects. Santiago used a fork of the debusine repo to try the draft !569, and some issues were spotted, and part of them fixed. This is the last debusine pipeline run with the current !569: https://salsa.debian.org/santiago/debusine/-/pipelines/794233. One of the last improvements relates to how to enable projects to customize the pipeline, in an equivalent way than they currently do in the extract-source and build jobs. While this is work-in-progress, the results are rather promising. Next steps include deciding on introducing schroot support for bookworm, bookworm-security, and older releases, as they are done in the official debian buildd.

DebConf preparations, by Stefano Rivera and Santiago Ruano Rinc n DebConf will be happening in Brest, France, in July. Santiago continued the DebConf 25 organization work, looking for catering providers. Both Stefano and Santiago have been reaching out to some potential sponsors. DebConf depends on sponsors to cover the organization cost, if your company depends on Debian, please consider sponsoring DebConf. Stefano has been winding up some of the finances from previous DebConfs. Finalizing reimbursements to team members from DebConf 23, and handling some outstanding issues from DebConf 24. Stefano and the rest of the DebConf committee have been reviewing bids for DebConf 26, to select the next venue.

Ruby 3.3 is now the default Ruby interpreter, by Lucas Kanashiro Ruby 3.3 is about to become the default Ruby interpreter for Trixie. Many bugs were fixed by Lucas and the Debian Ruby team during the sprint hold in Paris during Jan 27-31. The next step is to remove support of Ruby 3.1, which is the alternative Ruby interpreter for now. Thanks to the Debian Release team for all the support, especially Emilio Pozuelo Monfort.

Rails 7 transition, by Lucas Kanashiro Rails 6 has been shipped by Debian since Bullseye, and as a WEB framework, many issues (especially security related issues) have been encountered and the maintainability of it becomes harder and harder. With that in mind, during the Debian Ruby team sprint last month, the transition to Rack 3 (an important dependency of rails containing many breaking changes) was started in Debian unstable, it is ongoing. Once it is done, the Rails 7 transition will take place, and Rails 7 should be shipped in Debian Trixie.

Miscellaneous contributions

• Stefano improved a poor ImportError for users of the turtle module on Python 3, who haven t installed the python3-tk package.
• Stefano updated several packages to new upstream releases.
• Stefano added the Python extension to the re2 package, allowing for the use of the Google RE2 regular expression library as a direct replacement for the standard library re module.
• Stefano started provisioning a new physical server for the debian.social infrastructure.
• Carles improved simplemonitor (documentation on systemd integration, worked with upstream for fixing a bug).
• Carles upgraded packages to new upstream versions: python-ring-doorbell and python-asyncclick.
• Carles did po-debconf translations to Catalan: reviewed 44 packages and submitted translations to 90 packages (via salsa merge requests or bugtracker bugs).
• Carles maintained po-debconf-manager with small fixes.
• Rapha l worked on some outstanding DEP-14 merge request and participated in the associated discussion. The discussions have been more contentious than anticipated, somewhat exacerbated by Otto s desire to conclude fast while the required tool support is not yet there.
• Rapha l, with the help of Philipp Kern from the DSA team, upgraded tracker.debian.org to use Django 4.2 (from bookworm-backports) which in turn enabled him to configure authentication via salsa.debian.org. It s now possible to login to tracker.debian.org with your salsa credentials!
• Rapha l updated zim a nice desktop wiki that is very handy to organize your day-to-day digital life to the latest upstream version (0.76).
• Helmut sent patches for 10 cross build failures.
• Helmut continued working on a tool for memory-based concurrency limit of builds.
• Helmut NMUed libtool, opensysusers and virtualbox.
• Enrico tried to support Helmut in working out tricky usrmerge situations
• Thorsten Alteholz uploaded a new upstream version of brlaser.
• Colin Watson upgraded 33 Python packages to new upstream versions, including fixes for CVE-2024-42353, CVE-2024-47532, and CVE-2025-22153.
• Emilio Pozuelo managed various transitions, and fixed various RC bugs (telepathy-glib, xorg, xserver-xorg-video-vesa, apitrace, mesa).
• Anupa attended the monthly team meeting for Debian publicity team and shared the social media stats.
• Anupa assisted Jean-Pierre Giraud in the point release announcement for Debian 12.9 and published the Micronews.
• Anupa took part in multiple Debian publicity team discussions regarding our presence in social media platforms.

The future
I still think the work we do in Debian is important, as much as I see a lack of appreciation in a world full of containers. We are reaping most of the benefits of standing on the shoulders of giants and of great decisions made in the past (e.g. the excellent Debian policy, but also the organizational model) that made Debian what it is today.Given the increase in size and complexity of what Debian ships - and the somewhat dwindling resource of developer time, it would benefit us to have better processes for large-scale changes across all packages. I greatly respect the horizontal effects that are currently being driven and that suck up a lot of energy.A lot of our infrastructure is also aging and not super well maintained. Many take it for granted that the services we have keep existing, but most are only maintained by a person or two, if even. Software stacks are aging and it is even a struggle to have all necessary packages in the next release.Hopefully I can contribute a bit or two to these efforts in the future.

• [DLA 4014-1] gnuchess security update to fix one CVE related to arbitrary code execution via crafted PGN (Portable Game Notation) data.
• [DLA 4015-1] rsync update to fix five CVEs related leaking information from the server or writing files outside of the client s intended destination.
• [DLA 4015-2] rsync update to fix an upstream regression.
• [DLA 4039-1] ffmpeg update to fix three CVEs related to possible integer overflows, double-free on errors and out-of-bounds access.

• [ELA-1290-1] rsync update to fix five CVEs in Buster, Stretch and Jessie related leaking information from the server or writing files outside of the client s intended destination.
• [ELA-1290-2] rsync update to fix an upstream regression.
• [ELA-1313-1] ffmpeg update to fix six CVEs in Buster related to possible integer overflows, double-free on errors and out-of-bounds access.
• [ELA-1314-1] ffmpeg update to fix six CVEs in Stretch related to possible integer overflows, double-free on errors and out-of-bounds access.

• brlaser new upstream release (in new upstream repository)

• less.php fixing an RC bug

• calceph sponsored upload of new upstream version
• libxisf sponsored upload of new upstream version

• osmo-tetra fixing bugs
• libosmo-sccp fixing more bugs

• setserial
• texify

1. reproduce.debian.net
2. Two new academic papers
3. Distribution work
4. On our mailing list
5. Upstream patches
6. diffoscope
7. Website updates
8. Reproducibility testing framework

reproduce.debian.net The last few months saw the introduction of reproduce.debian.net. Announced at the recent Debian MiniDebConf in Toulouse, reproduce.debian.net is an instance of rebuilderd operated by the Reproducible Builds project. Powering that is rebuilderd, our server designed monitor the official package repositories of Linux distributions and attempt to reproduce the observed results there. This month, however, we are pleased to announce that in addition to the existing amd64.reproduce.debian.net and i386.reproduce.debian.net architecture-specific pages, we now build for a three more architectures (for a total of five) arm64 armhf and riscv64.

Two new academic papers Giacomo Benedetti, Oreofe Solarin, Courtney Miller, Greg Tystahl, William Enck, Christian K stner, Alexandros Kapravelos, Alessio Merlo and Luca Verderame published an interesting article recently. Titled An Empirical Study on Reproducible Packaging in Open-Source Ecosystem, the abstract outlines its optimistic findings:

[We] identified that with relatively straightforward infrastructure configuration and patching of build tools, we can achieve very high rates of reproducible builds in all studied ecosystems. We conclude that if the ecosystems adopt our suggestions, the build process of published packages can be independently confirmed for nearly all packages without individual developer actions, and doing so will prevent significant future software supply chain attacks.

The entire PDF is available online to view.
In addition, Julien Malka, Stefano Zacchiroli and Th o Zimmermann of T l com Paris in-house research laboratory, the Information Processing and Communications Laboratory (LTCI) published an article asking the question: Does Functional Package Management Enable Reproducible Builds at Scale?. Answering strongly in the affirmative, the article s abstract reads as follows:

In this work, we perform the first large-scale study of bitwise reproducibility, in the context of the Nix functional package manager, rebuilding 709,816 packages from historical snapshots of the nixpkgs repository[. We] obtain very high bitwise reproducibility rates, between 69 and 91% with an upward trend, and even higher rebuildability rates, over 99%. We investigate unreproducibility causes, showing that about 15% of failures are due to embedded build dates. We release a novel dataset with all build statuses, logs, as well as full diffoscopes: recursive diffs of where unreproducible build artifacts differ.

As above, the entire PDF of the article is available to view online.

Distribution work There as been the usual work in various distributions this month, such as:

• Arch Linux developer kpcyrd has provided a status report for January 2025 related to Arch s progress towards full reproducibility. kpcyrd notes in particular progress towards to making a minimal reproducible bootable system that is, an Arch installation containing only reproducible packages.

• 10+ reviews of Debian packages were added, 11 were updated and 10 were removed this month adding to our knowledge about identified issues. A number of issue types were updated also.
• The FreeBSD Foundation announced that a planned project to deliver zero-trust builds has begun in January 2025 . Supported by the Sovereign Tech Agency, this project is centered on the various build processes, and that the primary goal of this work is to enable the entire release process to run without requiring root access, and that build artifacts build reproducibly that is, that a third party can build bit-for-bit identical artifacts. The full announcement can be found online, which includes an estimated schedule and other details.

• Finally, for openSUSE, Bernhard M. Wiedemann published another report for that distribution.

On our mailing list On our mailing list this month:

• Following-up to a substantial amount of previous work pertaining the Sphinx documentation generator, James Addison asked a question pertaining to the relationship between SOURCE_DATE_EPOCH environment variable and testing that generated a number of replies.
• Adithya Balakumar of Toshiba asked a question about whether it is possible to make ext4 filesystem images reproducible. Adithya s issue is that even the smallest amount of post-processing of the filesystem results in the modification of the Last mount and Last write timestamps.
• James Addison also investigated an interesting issue surrounding our disorderfs filesystem. In particular:

  FUSE (Filesystem in USErspace) filesystems such as disorderfs do not delete files from the underlying filesystem when they are deleted from the overlay. This can cause seemingly straightforward tests for example, cases that expect directory contents to be empty after deletion is requested for all files listed within them to fail.

Upstream patches The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

• Bernhard M. Wiedemann:
  • Komikku (nocheck)
  • abseil-cpp (race)
  • dunst (date)
  • eclipse-egit (jar-mtime minor)
  • exaile (race)
  • gawk (bug)
  • gimp3 (png date)
  • intel (ASLR)
  • ioquake3 (debugsource contains date and time)
  • joker (sort)
  • libchardet
  • llama.cpp (random)
  • llama.cpp (-march=native-related issue)
  • nethack (race)
  • netrek-client-cow (date)
  • nvidia-modprobe (date)
  • nvidia-persistenced (date)
  • obs-build (toolchain bug, mis-parses changelog)
  • perl-libconfigfile (race)
  • pgvector (CPU)
  • python-Django4 (FTBFS-2038)
  • python-python-datamatrix (FTBFS)
  • qore-ssh2-module (GIGO-bug)
  • rpm (UID in cpio header from rpmbuild)
  • zig (CPU-related issue)
• Chris Lamb:
  • #1092251 filed against kmetronome.
  • #1092917 filed against rust-xh.
  • #1093198 filed against parser.
  • #1093199 filed against parser.
  • #1093201 filed against rsync.
  • #1094611 filed against wasistlos.
• Egbert Eich:
  • apptainer (randomness)
  • spack (core-count and date)
• Valentin Lefebvre:
  • uki-tool (toolchain)
• Marvin Friedrich:
  • cargo-packaging/rusty_v8 (upstream toolchain bugfix)
• James Addison:
  • #1092870 filed against binutils.
• Pol Dellaiera:
  • PHP Ecosystem: composer/composer#12090 which was then gracefully fixed by Jordi Boggiano at composer/composer#12263.

diffoscope diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions 285, 286 and 287 to Debian:

• Security fixes:
  • Validate the --css command-line argument to prevent a potential Cross-site scripting (XSS) attack. Thanks to Daniel Schmidt from SRLabs for the report. [ ]
  • Prevent XML entity expansion attacks. Thanks to Florian Wilkens from SRLabs for the report.. [ ][ ]
  • Print a warning if we have disabled XML comparisons due to a potentially vulnerable version of pyexpat. [ ]
• Bug fixes:
  • Correctly identify changes to only the line-endings of files; don t mark them as Ordering differences only. [ ]
  • When passing files on the command line, don t call specialize( ) before we ve checked that the files are identical or not. [ ]
  • Do not exit with a traceback if paths are inaccessible, either directly, via symbolic links or within a directory. [ ]
  • Don t cause a traceback if cbfstool extraction failed.. [ ]
  • Use the surrogateescape mechanism to avoid a UnicodeDecodeError and crash when any decoding zipinfo output that is not UTF-8 compliant. [ ]
• Testsuite improvements:
  • Don t mangle newlines when opening test fixtures; we want them untouched. [ ]
  • Move to assert_diff in test_text.py. [ ]
• Misc improvements:
  • Drop unused subprocess imports. [ ][ ]
  • Drop an unused function in iso9600.py. [ ]
  • Inline a call and check of Config().force_details; no need for an additional variable in this particular method. [ ]
  • Remove an unnecessary return value from the Difference.check_for_ordering_differences method. [ ]
  • Remove unused logging facility from a few comparators. [ ]
  • Update copyright years. [ ][ ]

In addition, fridtjof added support for the ASAR .tar-like archive format. [ ][ ][ ][ ] and lastly, Vagrant Cascadian updated diffoscope in GNU Guix to version 285 [ ][ ] and 286 [ ][ ].
strip-nondeterminism is our sister tool to remove specific non-deterministic results from a completed build. This month version 1.14.1-1 was uploaded to Debian unstable by Chris Lamb, making the following the changes:

• Clarify the --verbose and non --verbose output of bin/strip-nondeterminism so we don t imply we are normalizing files that we are not. [ ]
• Bump Standards-Version to 4.7.0. [ ]

Website updates There were a large number of improvements made to our website this month, including:

• Arnout Engelen:
  • Update the link to NixOS reproducibility-related issue template on the NixOS-specific contribute page [ ] and remove an outdated link. [ ]
• Holger Levsen:
  • Check, deduplicate, update and generally cleanup a number of presentations linked on our Talks & Resources page. [ ][ ][ ][ ]
• James Addison:
  • Add some file permissions hints and guidance on the Archive metadata page. [ ]
• Michael R. Crusoe:
  • Add an R example to the SOURCE_DATE_EPOCH documentation. [ ]
  • Update the website s README to make the setup command copy & paste friendly. [ ]

Reproducibility testing framework The Reproducible Builds project operates a comprehensive testing framework running primarily at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility. In January, a number of changes were made by Holger Levsen, including:

• reproduce.debian.net-related:
  • Add support for rebuilding the armhf architecture. [ ][ ]
  • Add support for rebuilding the arm64 architecture. [ ][ ][ ][ ]
  • Add support for rebuilding the riscv64 architecture. [ ][ ]
  • Move the i386 builder to the osuosl5 node. [ ][ ][ ][ ]
  • Don t run our rebuilders on a public port. [ ][ ]
  • Add database backups on all builders and add links. [ ][ ]
  • Rework and dramatically improve the statistics collection and generation. [ ][ ][ ][ ][ ][ ]
  • Add contact info to the main page [ ], thumbnails [ ] as well as the new, missing architectures. [ ]
  • Move the amd64 worker to the osuosl4 and node. [ ]
  • Run the underlying debrebuild script under nice. [ ]
  • Try to use TMPDIR when calling debrebuild. [ ][ ]
• buildinfos.debian.net-related:
  • Stop creating buildinfo-pool_$ suite _$ arch .list files. [ ]
  • Temporarily disable automatic updates of pool links. [ ]
• FreeBSD-related:
  • Fix the sudoers to actually permit builds. [ ]
  • Disable debug output for FreeBSD rebuilding jobs. [ ]
  • Upgrade to FreeBSD 14.2 [ ] and document that bmake was installed on the underlying FreeBSD virtual machine image [ ].
• Misc:
  • Update the real year to 2025. [ ]
  • Don t try to install a Debian bookworm kernel from backports on the infom08 node which is running Debian trixie. [ ]
  • Don t warn about system updates for systems running Debian testing. [ ]
  • Fix a typo in the ZOMBIES definition. [ ][ ]

In addition:

• Ed Maste modified the FreeBSD build system to the clean the object directory before commencing a build. [ ]
• Gioele Barabucci updated the rebuilder stats to first add a category for network errors [ ] as well as to categorise failures without a diffoscope log [ ].
• Jessica Clarke also made some FreeBSD-related changes, including:
  • Ensuring we clean up the object directory for second build as well. [ ][ ]
  • Updating the sudoers for the relevant rm -rf command. [ ]
  • Update the cleanup_tmpdirs method to to match other removals. [ ]
• Jochen Sprickerhof:
  • Fix logic for old files saved on buildinfos.debian.net. [ ]
  • Rework and simplify the generation of statistics linked from reproduce.debian.net. [ ][ ][ ][ ]
• Roland Clobus:
  • Update the reproducible_debstrap job to call Debian s debootstrap with the full path [ ] and to use eatmydata as well [ ][ ].
  • Make some changes to deduce the CPU load in the debian_live_build job. [ ]

Lastly, both Holger Levsen [ ] and Vagrant Cascadian [ ] performed some node maintenance.
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.
• Mastodon: @reproducible_builds@fosstodon.org
• Mailing list: rb-general@lists.reproducible-builds.org
• Twitter: @ReproBuilds

Focus This month I didn't have any particular focus. I just worked on issues in my info bubble.

Changes

• zygolophodon: support Iceshrimp URLs
• reportbug: arch menu fixes
• Debian website: add arch data reportbug sync note
• Debian wiki pages: DeveloperNews, Exploits, PortsDocs/New, Teams/Debbugs/ArchitectureTags

Sponsors All work was done on a volunteer basis.

• The team is in charge of deciding the most suitable publication venue or venues for announcements and when they are published.

• dnarrange (contributed upstream)
• docker-compose
• ionit (contributed upstream)
• nbclassic
• pymilter
• pyspf (contributed upstream)
• python-django
• python-handy-archives
• sinntp
• wireless-regdb

• jupyter-console (contributed upstream)
• python-ewmh (reviewed patch from a contributor)
• python-gplearn (contributed upstream)

• django-sitetree (thanks to an Ubuntu patch)
• python-django-parler (thanks to an Ubuntu patch

• cerealizer
• pyinotify
• pyspf
• python-holidays

• awesomeversion
• django-graphiql-debug-toolbar
• django-iconify
• flask-sqlalchemy (contributed upstream)
• freezegun
• napari (somewhat inconclusive, but I contributed fixes upstream to napari and npe2)
• pyglet
• python-construct-classes
• python-django-guid
• python-pyfakefs
• python-ring-doorbell
• recommonmark
• spectral-cube
• sphinx (helped with an upstream fix)
• sphinxcontrib-openapi (contributed upstream)
• sqlfluff
• terminator (contributed upstream)
• trac-wikiprint
• vcr.py (investigated and reported findings upstream, confirming that disabling these tests in the Debian packaging seems reasonable for now)

• buildbot
• cloudpickle
• dask (fixing a Python 3.13 failure and working around a build failure due to sphinx-book-theme
• distributed (fixing a Python 3.13 failure; also contributed a fix upstream)
• importlib-resources (fixing a test failure on s390x and a test failure on all architectures)
• isort
• nbconvert
• psycopg3
• pydantic
• pydantic-settings
• pydoctor
• pypandoc
• python-argcomplete
• python-cai
• python-colormap (fixing a build failure with poetry-core 2.0, for which I contributed a fix upstream)
• python-django-guid
• python-easydev (fixing a build failure with poetry-core 2.0)
• python-holidays
• python-launchpadlib
• python-limits
• python-model-bakery
• python-openapi-schema-validator
• python-pathvalidate
• python-pyftpdlib
• python-quart-trio
• python-urllib3 (contributed a test fix upstream)
• python-telethon
• python-webob (fixing CVE-2024-42353)
• responses
• restrictedpython (fixing CVE-2024-47532 and CVE-2025-22153)
• sqlfluff
• vcr.py (fixing a build failure with python-urllib3 2.3.0
• xonsh (fixing a Python 3.13 failure)

• Fix crash when switching bitween some fractional scales (MR)
• Make layer surface code more flexible and fade in system modal dialogs (MR)
• Auto close quick setting status pages (MR)
• Cleanup and undraft the captive portal (MR). If this lands we have another 2y old MR out of the way.
• Brush up monitor scaling quick setting originally submitted by Adam Honse (MR)
• Fix modem interface regression introduced by the rework for cell broadcast (MR)
• Fill background with primary color (MR), also ensures fallback
• Release Phosh 0.44.1 (MR)
• Don't forget to update background on dark uri changes (MR) when background can't be loaded
• Fix crash in mpris widget (MR)
• Reduce restyling on state changes (MR)
• Dev Doc updates (MR)
• Drop long unused widget (MR)
• Improve Wi-Fi portal notification handling (MR)
• Support sound capability on the notification server (MR)
• Use systemd-cat to launch session (MR)

• layer-surface: Don't arrange surfaces / set focus on finalize (MR
• Update to wlroots 0.18.2 and some cleanups (MR)
• Run scan-build in CI and fix detected issues (MR)
• Simplify XWayland handling in PhocDesktop (MR)
• Handle xdg's suspended surface state (in phone mode) (MR)
• Invalidate layer shell list less often and take opacity into account for visibility check (MR)
• Unbreak touch point debugging / deduplicate code (MR)
• Release Phoc 0.44.1 (MR)
• Fix initial alpha == 0.0 (MR)
• Fix leak in output-shield and allow to set easing function (MR)
• Smoothen mode/scale/orientation changes (MR)
• Fix thumbnail rendering of floating windows (MR)
• Fix damage tracking debugging (MR)
• Allow to toggle some debugging flags at runtime (MR)
• Fix subsurface damage tracking regression caused by the wlroots 0.18.x switch (MR)
• Catch up with wlroots 0.19.x again (MR)
• Backport the sensible bits of the 0.19.x branch to main to smoothen the next upgrade (MR)
• Fix touch drag (MR) - basically the wlroots patch from below.
• Make PhocViewChild less of a snow flake (MR)
• Fix popup reposition damage (MR)
• Draft: Deduplicate the View and LayerSurface subsurface/popup handling (MR). Needs 625 to land first.
• popup: Try harder to find a suitable output (MR)

• Let long press on shift toggle CapsLock (MR)
• Add minimal GObject for application (MR). Lets merge the bits of the 1y old MR that still apply.
• Unbrush 2y old MR to get rid of more globals (MR)
• Update Unicode data, thanks GTK devs! (MR)

• Use GTK 4.17's portal avoidance (MR)

• Bring back weekly snapshots by switching to a faster runner
• Use xz compression (MR)

• Use Authorization header: (MR)

• Ship example greetd config (MR)

• Update libphosh-rs (MR)
• Update phoc to new git snapshot (MR)
• Upload phosh 0.44.1)
• Backport touch fix (MR)

• Make it work with Python 3.13, sigh (MR)
• Typo fixes (MR)
• Release 0.9.37 (MR)
• Run codespell in CI (MR)

• Suspend video stream when toplevel is suspende (MR) - saves battery
• Release 0.3.1 (MR)

• Allow events to override the sound feedback with custom sounds (MR). Allows desktop/mobile shells like phosh to honour application prefs for notifications.

• Propose notch/cuttout support protocol MR)

• Allow to access opacity boolean (MR)
• Unbreak drag and drop via touch (MR)

• udev regression affecting gmobile (Bug). Many thanks to Yu Watanabe for providing the fix so quickly

• phosh: Uninstall action (MR) - merged
• phosh: Add home-enabled property (MR) - merged
• phosh: Emergency prefs dialog improvements (MR) - merged
• phosh: Bump gtk versions in ui file (MR - merged
• phosh: Show week number (MR) - merged
• phosh: compile schemas for plugins (MR) - merged
• phosh: Reduce API surface (MR)
• phosh: Use AdwEntryRow (MR) - merged
• phosh-osk-stub: Il layout additions (MR) - merged
• phosh-mobile-settings: Use 'meson setup' in CI (MR) - merged
• phosh-tour autostart (MR)
• livi flatpak update (MR) - merged
• debian: phosh: Recommend kbd (MR) - merged
• iio-sensor-proxy libssc support (MR)
• git-buildpackage: Spelling fixes (MR) - merged
• git-buildpackage: DEP spelling consistency (MR) - merged
• git-buildpackage: Add branch layout diagram (MR) - merged

• [1] https://www.youtube.com/watch?v=hR9dLdEGn9o
• [2] https://tinyurl.com/249k5cbf
• [3] https://tinyurl.com/2asnzwbz
• [4] https://www.youtube.com/watch?v=es5aPICeXOU
• [5] https://tinyurl.com/27qabt9x
• [6] https://blog.rongarret.info/2010/09/what-would-you-do.html
• [7] https://www.hulver.com/scoop/story/2008/12/14/10333/990
• [8] http://www.aaronsw.com/weblog/epiphany
• [9] https://tinyurl.com/2aobxz4p
• [10] https://www.youtube.com/watch?v=IbaJ97-_dOM
• [11] https://pluralistic.net/2025/01/20/capitalist-unrealism/

Changes in version 0.0.14 (2025-01-23)

• Synchronized with QuantLib 1.37 released two days ago
• Calendar updates for United States and New Zealand
• The demo/ file is now in inst/examples/

edd@rob:~/git/qlcal-r/inst/examples(master)$ Rscript allUScalendars.R 
           LiborImpact NYSE GovernmentBond NERC FederalReserve SOFR
2025-01-01        TRUE TRUE           TRUE TRUE           TRUE TRUE
2025-01-09          NA TRUE             NA   NA             NA   NA
2025-01-20        TRUE TRUE           TRUE   NA           TRUE TRUE
2025-02-17        TRUE TRUE           TRUE   NA           TRUE TRUE
2025-04-18          NA TRUE           TRUE   NA             NA TRUE
2025-05-26        TRUE TRUE           TRUE TRUE           TRUE TRUE
2025-06-19        TRUE TRUE           TRUE   NA           TRUE TRUE
2025-07-04        TRUE TRUE           TRUE TRUE           TRUE TRUE
2025-09-01        TRUE TRUE           TRUE TRUE           TRUE TRUE
2025-10-13        TRUE   NA           TRUE   NA           TRUE TRUE
2025-11-11        TRUE   NA           TRUE   NA           TRUE TRUE
2025-11-27        TRUE TRUE           TRUE TRUE           TRUE TRUE
2025-12-25        TRUE TRUE           TRUE TRUE           TRUE TRUE
edd@rob:~/git/qlcal-r/inst/examples(master)$ 

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.