Reproducible Builds: August 2025 Report

Welcome to the latest report from the Reproducible Builds project for August 2025. These monthly reports outline what we’ve been up to over the past month, and highlight items of news from elsewhere in the increasingly-important area of software supply-chain security.

If you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website. Please join us at the upcoming Reproducible Builds Summit, set to take place from October 28th — 30th 2025 in Vienna, Austria!

We are thrilled to host the eighth edition of this exciting event, following the success of previous summits in various iconic locations around the world, including Venice, Marrakesh, Paris, Berlin, Hamburg and Athens. Our summits are a unique gathering that brings together attendees from diverse projects, united by a shared vision of advancing the Reproducible Builds effort.

During this enriching event, participants will have the opportunity to engage in discussions, establish connections and exchange ideas to drive progress in this vital field. Our aim is to create an inclusive space that fosters collaboration, innovation and problem-solving.

If you’re interested in joining us this year, please make sure to read the event page, which has more details about the event and location. Registration is open until 20th September 2025, and we are very much looking forward to seeing many readers of these reports there!

Reproducibility regression identifies issue with AppArmor security policies

Tails developer intrigeri has tracked and followed a reproducibility regression in the generation of AppArmor policy caches, and has identified an issue with the 4.1.0 version of AppArmor.

Although it was initially tracked on the Tails issue tracker, intrigeri filed an issue on the upstream bug tracker. AppArmor developer John Johansen replied, confirming that they could reproduce the issue, and went to work on a draft patch.

Through this, John revealed that it was caused by an actual underlying security bug in AppArmor — that is to say, it resulted in permissions not (always) matching what the policy intends and, crucially, not merely a cache reproducibility issue.

Rust Clippy

Rust Clippy is a linting tool for the Rust programming language. It provides a collection of lints (rules) designed to identify common mistakes, stylistic issues, potential performance problems and unidiomatic code patterns in Rust projects.

This month, Sosthène Guédon filed a new issue on GitHub requesting a new check that “would lint against non deterministic operations in proc-macros, such as iterating over a HashMap”.
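
The class of bug the requested lint targets, as an added example that is not taken from the Clippy issue or from the Reproducible Builds project: plain functions stand in for a macro's code generator (this is not a real proc-macro, and `FIELDS`, `generate_unstable`, `generate_stable` and `distinct_outputs` are hypothetical names). The same accessors are emitted once in `HashMap` iteration order and once in `BTreeMap` key order.

```rust
use std::collections::{BTreeMap, BTreeSet, HashMap};

// Constructed sample input: field name -> type, as a derive-style macro
// might collect them while walking a struct definition.
const FIELDS: [(&str, &str); 6] = [
    ("id", "u64"), ("name", "String"), ("email", "String"),
    ("active", "bool"), ("score", "f32"), ("tags", "Vec<String>"),
];

/// Non-deterministic: emission order follows HashMap iteration order, which
/// depends on the randomly seeded default hasher, so the generated source
/// (and anything compiled from it) can differ between builds.
fn generate_unstable(fields: &[(&str, &str)]) -> String {
    let map: HashMap<&str, &str> = fields.iter().copied().collect();
    map.iter()
        .map(|(name, ty)| format!("fn get_{name}(&self) -> &{ty};\n"))
        .collect()
}

/// Deterministic: BTreeMap iterates in sorted key order, independent of
/// hasher seeds and of the order in which fields were inserted.
fn generate_stable(fields: &[(&str, &str)]) -> String {
    let map: BTreeMap<&str, &str> = fields.iter().copied().collect();
    map.iter()
        .map(|(name, ty)| format!("fn get_{name}(&self) -> &{ty};\n"))
        .collect()
}

/// Run a generator repeatedly and count how many distinct outputs it produced.
fn distinct_outputs(generator: fn(&[(&str, &str)]) -> String, runs: usize) -> usize {
    let mut seen = BTreeSet::new();
    for _ in 0..runs {
        seen.insert(generator(&FIELDS));
    }
    seen.len()
}

fn main() {
    // The unstable count is usually greater than 1; the stable count is always 1.
    println!("unstable: {} distinct outputs", distinct_outputs(generate_unstable, 64));
    println!("stable:   {} distinct outputs", distinct_outputs(generate_stable, 64));
    print!("{}", generate_stable(&FIELDS));
}
```
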

DALEQ Explainable Equivalence for Java Bytecode

Jens Dietrich of the Victoria University of Wellington, New Zealand and Behnaz Hassanshahi of Oracle Labs, Australia published an article this month entitled DALEQ — Explainable Equivalence for Java Bytecode.

This explores the options and difficulties when Java binaries are not identical despite being from the same sources, and what avenues are available for proving equivalence despite the lack of bitwise correlation:

Java binaries are often not bitwise identical; however, in most cases, the differences can be attributed to variations in the build environment, and the binaries can still be considered equivalent.

live-bootstrap at WHY2025

Reproducibility of Live Boot is an important topic in the Reproducible Builds project. To learn more about this, Frans Faase gave a talk on live-bootstrap, an attempt to “provide a reproducible, automatic, complete end-to-end bootstrap from a minimal number of binary seeds to a supported fully functioning operating system”.

Frans’ talk is available to watch on video and his slides are available as well.

openSUSE Monthly Update

Bernhard M. Wiedemann posted another openSUSE monthly update for their work there.

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

This month, Chris Lamb made the following changes, including preparing and uploading versions 303, 304 and 305 to Debian:

…and Zbigniew Jędrzejewski-Szmek fixed compatibility with RPM 6.

Website Improvements

Once again, there were a number of improvements made to our website this month including:

Jochen Sprickerhof made various improvements to the Vienna summit page.

Mattia Rizzolo also made various improvements to the Vienna summit page.

Reproduce Debian Monthly Update

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible.

We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

Get in Touch or Contribute!

If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website.

However, you can get in touch with us via:

reproducible@lists.reproducible-builds.org