What happened in the reproducible builds effort this week:

Toolchain fixes

  • Stefano Rivera uploaded python-cffi/1.3.0-1 which makes the generated code order deterministic for anonymous unions and anonymous structs. Reported by Tristan Seligmann, and fixed uptream.

Mattia Rizzolo created a bug report to continue the discussion on storing cryptographic checksums of the installed .deb in dpkg database. This follows the discussion that happened in June and is a pre-requisite to add checksums to .buildinfo files.

Niko Tyni identified why the Vala compiler would generate code in varying order. A better patch than his initial attempt still needs to be written.

Packages fixed

The following 15 packages became reproducible due to changes in their build dependencies: alt-ergo, approx, bin-prot, caml2html, coinst, dokujclient, libapreq2, mwparserfromhell, ocsigenserver, python-cryptography, python-watchdog, slurm-llnl, tyxml, unison2.40.102, yojson.

The following packages became reproducible after getting fixed:

Some uploads fixed some reproducibility issues but not all of them:


pbuilder has been updated to version 0.219~bpo8+1 on all eight build nodes. (Mattia Rizzolo, h01ger)

Packages that FTBFS but for which no open bugs have been recorded are now tested again after 3 days. Likewise for “depwait” packages. (h01ger)

Out of disk situations will not cause IRC notifications anymore. (h01ger)

Documentation update

Lunar continued to work on writing documentation for the future reproducible-builds.org website.

Package reviews

44 reviews have been removed, 81 added and 48 updated this week.

Chris West and Chris Lamb identified 70 “fail to build from source” issues.


h01ger presented the project in Mexico City at the 3er Congreso de Seguridad de la Información where it became clear that we lack academic papers related to reproducible builds.

Bryan has been doing hard work to improve reproducibility for OpenWrt. He wrote a report linking to the patches and test results he published.