#reproduciblebuilds
bbhtt<p>I started working on a reproducibility checker, à la `buildstream-reprotest` for Flatpak apps on Flathub. It basically automates the process of rebuilding and comparison and makes it a single command. </p><p><a href="https://github.com/flathub-infra/flathub-repro-checker" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/flathub-infra/flath</span><span class="invisible">ub-repro-checker</span></a></p><p>Most of the initial 0.1.0 code was written between 11 PM and 2 AM on this Wednesday night, so there may be bugs 😅</p><p>0.1.0 is usable with some caveats. The CI has artifacts of non-reproducible and reproducible packages.</p><p>Initial impressions:</p><p>— There are a lot of benefits to building on Flathub infra and maintaining consistency for this type of checking to work. Certain assumptions don't hold for direct uploads.</p><p>— Direct uploads are missing a bunch of pieces on their side to make them testable with this. I'm on to some of them, but not sure if some other things can be done.</p><p>— I was pleasantly surprised to see some apps I thought would be unreproducible, were reproducible.</p><p>— I tried only 10-11 out of 2500, but one immediate difference is Flatpaks here do and are generally encouraged to remove man pages, docs etc. out of the final artifact. They are avoiding one of the common sources of embedded dates etc. these days.</p><p>— The debuginfo generation process done by flatpak-builder is sometimes inconsistently introducing unreproducibility in debug data. I can't see it in GitHub CI (Ubuntu 22.04) but I can see it locally. Probably something to do with elfutils. I need to investigate more but I guess I need to set up a consistent environment to run the checks as well.</p><p>— There are some things that need to be done at the Flatpak or Flatpak Builder level. I documented some at <a href="https://docs.flathub.org/docs/for-users/rebuilding#notes" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">docs.flathub.org/docs/for-user</span><span class="invisible">s/rebuilding#notes</span></a> when that page was written.</p><p>— Data generated by Appstream is unreproducible, and I think that's expected. I ignore those, since app maintainers have no control over that.</p><p><a href="https://social.treehouse.systems/tags/reproduciblebuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproduciblebuilds</span></a></p>
IzzyOnDroid ✅<p>(2/2)</p><p>And just 15 days before the first anniversary of our public RB GoLive (which happened on August 1st, 2024), we've reached 50% coverage:</p><p>Every 2nd app at IzzyOnDroid is now RB! 🥳</p><p><a href="https://floss.social/tags/reproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproducibleBuilds</span></a> <a href="https://floss.social/tags/IzzyOnDroid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IzzyOnDroid</span></a></p>
Hans-Christoph Steiner<p>Some <a href="https://social.librem.one/tags/Android" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Android</span></a> <a href="https://social.librem.one/tags/SDK" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SDK</span></a> packages are updated with a revision number, but <a href="https://social.librem.one/tags/sdkmanager" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sdkmanager</span></a> does not allow installs to use that revision number. This sometimes breaks <a href="https://social.librem.one/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a>. There is an issue open since 2017 about this:<br><a href="https://issuetracker.google.com/issues/38045649" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">issuetracker.google.com/issues</span><span class="invisible">/38045649</span></a></p><p>If anyone wants this feature, it should be easy to implement in <a href="https://social.librem.one/tags/FDroid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FDroid</span></a>'s sdkmanager:<br><a href="https://gitlab.com/fdroid/sdkmanager/-/issues/26" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">gitlab.com/fdroid/sdkmanager/-</span><span class="invisible">/issues/26</span></a></p>
mmu_man<p>Round of applause for Lunar who started <a href="https://m.g3l.org/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a> at <a href="https://m.g3l.org/tags/Debian" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Debian</span></a>.</p><p><a href="https://m.g3l.org/tags/DebConf25" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DebConf25</span></a> <a href="https://m.g3l.org/tags/DebConf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DebConf</span></a></p>
IzzyOnDroid ✅<p>Welcome to the RB family, KeePassDX 🥳 </p><p>Both the libre and the free flavors were just confirmed:</p><p><a href="https://apt.izzysoft.de/packages/com.kunzisoft.keepass.libre" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">apt.izzysoft.de/packages/com.k</span><span class="invisible">unzisoft.keepass.libre</span></a></p><p><a href="https://apt.izzysoft.de/packages/com.kunzisoft.keepass.free" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">apt.izzysoft.de/packages/com.k</span><span class="invisible">unzisoft.keepass.free</span></a></p><p>KeePassDX is a password safe and manager that allows editing encrypted data in a single file in the open KeePass format and filling in forms in a secure way, requires no Internet connection and integrates Android design standards.</p><p><a href="https://floss.social/tags/reproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproducibleBuilds</span></a> <a href="https://floss.social/tags/IzzyOnDroid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IzzyOnDroid</span></a></p>
IzzyOnDroid ✅<p>Welcome to the RB Family, Jerboa 🥳</p><p><a href="https://apt.izzysoft.de/packages/com.jerboa" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">apt.izzysoft.de/packages/com.j</span><span class="invisible">erboa</span></a></p><p>Jerboa is a client for Lemmy, made by Lemmy's developers. And Lemmy is the Fediverse alternative to Reddit, Lobste.rs, HN &amp; Co.</p><p>The current version finally passed RB, so the shield is up now!</p><p><a href="https://floss.social/tags/reproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproducibleBuilds</span></a> <a href="https://floss.social/tags/IzzyOnDroid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IzzyOnDroid</span></a></p>
IzzyOnDroid ✅<p><span class="h-card" translate="no"><a href="https://chaos.social/@SylvieLorxu" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>SylvieLorxu</span></a></span> sorry, but I had to boost this again now. <span class="h-card" translate="no"><a href="https://floss.social/@fdroidorg" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>fdroidorg</span></a></span> can you please make optically clear which APKs you reproduced? Developers knock our doors wondering why we say their app is not RB, while you claim it is – and checking, EACH SINGLE TIME we find the app is NOT set up RB at your end, and the JSON at your verification server clearly states you verified YOUR OWN build. Yes, that might show your build is deterministic – but not that theirs is RB. It's confusing.</p><p><a href="https://floss.social/tags/reproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproducibleBuilds</span></a></p>
IzzyOnDroid ✅<p>Speaking of RB:</p><p>DavDroid 4.5.1 unfortunately failed RB. Which shows the thin line between "deterministic" and "reproducible":</p><p>We were able to build the app umpteen times, and got the very same, byte identical APK on each build: deterministic. So, it was reproducible, right? Well: no. It didn't match the APK built by the developer. A very slight difference in this case, an "off-by-one" in the baseline (so don't you worry, it's just the optimizer).</p><p><a href="https://floss.social/tags/reproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproducibleBuilds</span></a> <a href="https://floss.social/tags/IzzyOnDroid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IzzyOnDroid</span></a> (1/2)</p>
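A worked illustration of the two checks that bbhtt's Flathub checker automates and that the DavDroid post above separates: "deterministic" (rebuilding the same tree twice gives identical bytes) versus "reproducible" (our rebuild also matches the artifact the developer actually shipped). This is an added example, not code from either poster, from flathub-repro-checker or from the IzzyOnDroid RB tooling. The build step is a stand-in that packs a constructed source tree into a .tar.gz; the file names, contents, owners and clock values are made up for the demo, and the naive build deliberately embeds the build time and the builder's identity, the kind of leak that stripping docs and man pages or setting SOURCE_DATE_EPOCH avoids in real builds.

```python
"""Deterministic vs reproducible, as two separate checks on a stand-in build.

Added example (not from flathub-repro-checker or the IzzyOnDroid RB tooling).
The "build" just packs a constructed source tree into a .tar.gz; all names,
contents, owners and timestamps below are invented for the demonstration.
"""
import gzip
import hashlib
import io
import tarfile

# Constructed "upstream" source tree at the tagged commit: path -> bytes.
SOURCES = {
    "app/main.py": b"print('hello')\n",
    "app/README": b"usage: main.py\n",
}

# What the developer actually built from: one byte differs in README. This is
# the "shipped artifact does not match the tag" case that an RB check catches.
DEVELOPER_SOURCES = {**SOURCES, "app/README": b"usage: main.py!\n"}

# Two fake wall-clock readings standing in for "build it again a day later".
CLOCKS = (1_700_000_000, 1_700_086_400)


def build_archive(sources, normalize, now):
    """Pack `sources` into a .tar.gz and return the archive bytes.

    normalize=False mimics a naive build: entry order is whatever the
    filesystem hands back (dict order stands in for readdir order), the tar
    entries and the gzip header carry the build time, and the builder's
    uid/uname leak in. Rebuilding later therefore yields different bytes.

    normalize=True applies the usual reproducible-builds fixes: sorted entry
    order, a fixed mtime (what SOURCE_DATE_EPOCH gives real tools), owner 0:0
    with empty names, and a zeroed gzip header mtime.
    """
    buf = io.BytesIO()
    gz = gzip.GzipFile(fileobj=buf, mode="wb", mtime=0 if normalize else now)
    names = sorted(sources) if normalize else list(sources)
    with tarfile.open(fileobj=gz, mode="w") as tar:
        for name in names:
            data = sources[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0 if normalize else now
            info.uid = info.gid = 0 if normalize else 1000
            info.uname = info.gname = "" if normalize else "builder"
            tar.addfile(info, io.BytesIO(data))
    gz.close()  # writes the gzip trailer; tarfile left the GzipFile open
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def is_deterministic(sources, normalize):
    """Build the same tree at two different times; identical bytes = deterministic."""
    digests = {sha256(build_archive(sources, normalize, now)) for now in CLOCKS}
    return len(digests) == 1


def is_reproducible(sources, normalize, reference_digest):
    """Our rebuild must match the artifact the developer shipped, not just itself."""
    return sha256(build_archive(sources, normalize, CLOCKS[0])) == reference_digest


def archive_entries(data):
    """Read back (mtime, content) per entry so a mismatch can be localised."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return {m.name: (m.mtime, tar.extractfile(m).read()) for m in tar.getmembers()}


def diff_archives(a, b):
    """A poor man's diffoscope: list which entries differ and how."""
    ea, eb = archive_entries(a), archive_entries(b)
    findings = []
    for name in sorted(set(ea) | set(eb)):
        if name not in ea or name not in eb:
            findings.append(f"{name}: present in only one archive")
        elif ea[name][1] != eb[name][1]:
            findings.append(f"{name}: content differs")
        elif ea[name][0] != eb[name][0]:
            findings.append(f"{name}: mtime differs")
    return findings


if __name__ == "__main__":
    print("naive build deterministic:     ", is_deterministic(SOURCES, False))
    print("normalized build deterministic:", is_deterministic(SOURCES, True))
    shipped = sha256(build_archive(DEVELOPER_SOURCES, True, CLOCKS[0]))
    print("normalized build reproducible: ", is_reproducible(SOURCES, True, shipped))
    print(diff_archives(build_archive(SOURCES, True, CLOCKS[0]),
                        build_archive(DEVELOPER_SOURCES, True, CLOCKS[0])))
```

The normalized build passes the determinism check yet fails the reproducibility check against the developer's artifact, which is exactly the DavDroid situation: the rebuild is stable, but it is not the same thing the developer shipped, and only diffing the two artifacts shows where they diverge.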
Simon Tournier<p>Reading « This Week in Rust » 601 (28th May), there is this item:</p><p>The <a href="https://social.sciences.re/tags/GCC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GCC</span></a> compiler backend can now fully bootstrap the <a href="https://social.sciences.re/tags/Rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Rust</span></a> compiler!</p><p>Wow!</p><p>Then it points to some Reddit messages. Do you know more about the current status?</p><p><a href="https://this-week-in-rust.org/blog/2025/05/28/this-week-in-rust-601/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">this-week-in-rust.org/blog/202</span><span class="invisible">5/05/28/this-week-in-rust-601/</span></a></p><p><a href="https://old.reddit.com/r/rust/comments/1ktph3c/media_the_gcc_compiler_backend_can_now_fully/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">old.reddit.com/r/rust/comments</span><span class="invisible">/1ktph3c/media_the_gcc_compiler_backend_can_now_fully/</span></a></p><p><a href="https://social.sciences.re/tags/Bootstrap" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Bootstrap</span></a> <a href="https://social.sciences.re/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a></p>
Hans-Christoph Steiner<p><a href="https://social.librem.one/tags/Apple" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Apple</span></a> is not the only one dreaming up new features. There are many of us. <span class="h-card"><a href="https://floss.social/@fdroidorg" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>fdroidorg</span></a></span> is working on making the most trustworthy app distribution platform, following as many best practices as possible. Many of these Apple has not implemented, like app reviews of source code rather than binaries, or <a href="https://social.librem.one/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a>. We require human review of apps. Over 60% of our apps are reproducibly built. Apple encrypts app files, making reproducible builds impossible. It continues to only review binary apps, not source code.</p>
Paul Meyer<blockquote><p>I don’t think reproducible builds are a particularly durable property to maintain over a project’s lifetime, especially if everything is expected to shift to confidential computing. [...] When toolchains and other dependencies are updated, non-determinism tends to creep in. Most starting points for common dependencies do not include reproducible builds. Not every project for libraries and packages used for confidential computing environments is fully committed to maintaining binary reproducibility of their build configurations.</p></blockquote><p><a href="https://infosec.exchange/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a></p>
Paul Meyer<blockquote><p>CSPs MUST allow customer-provided virtual firmware (with a well-documented interface for achieving UEFI variable persistence and ACPI table information) OR publish the sources for their virtual firmware. </p></blockquote><p>Transparency has value by <span class="h-card" translate="no"><a href="https://tech.lgbt/@drdeeglaze" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>drdeeglaze</span></a></span> <br><a href="https://deeglaze.github.io/blog/2025/Transparency-has-value/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">deeglaze.github.io/blog/2025/T</span><span class="invisible">ransparency-has-value/</span></a></p><p><a href="https://infosec.exchange/tags/ConfidentialComputing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConfidentialComputing</span></a> <a href="https://infosec.exchange/tags/Attestation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Attestation</span></a> <a href="https://infosec.exchange/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a></p>
Esther Payne :bisexual_flag:<p>So I had some more thoughts about FOSS sustainability. I've had them for some time. But this week's issues reminded me of them.</p><p>So here's a mild spruik for some of the orgs who make my digital spaces for myself and my project and also package <span class="h-card" translate="no"><a href="https://chaos.social/@librecast" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>librecast</span></a></span> <br><a href="https://www.onepict.com/20250628-plussustain.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">onepict.com/20250628-plussusta</span><span class="invisible">in.html</span></a></p><p><a href="https://chaos.social/tags/FossSustainability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FossSustainability</span></a> <a href="https://chaos.social/tags/Matrix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Matrix</span></a> <a href="https://chaos.social/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a> <a href="https://chaos.social/tags/Outreachy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Outreachy</span></a></p>
Simon Tournier<p>Blog post: What Guix could offer in computational medical environments?</p><p>The French national agency for drug and medicine safety (ANSM) requires a medical device to have unambiguous identifications:</p><p>1. reference of the product<br>2. reference of the maker<br>3. serial number</p><p>Well, through my lenses applied to software, it reads:</p><p>1. <a href="https://social.sciences.re/tags/SoftwareHeritage" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SoftwareHeritage</span></a> identifier (<a href="https://social.sciences.re/tags/SWHID" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SWHID</span></a>)<br>2. <a href="https://social.sciences.re/tags/Guix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Guix</span></a></p><p>and 3. is redundant. 😁</p><p>Well, a quick summary of a 30min talk I gave last week.</p><p>Thanks to my former colleague Sam from APHP for giving me the opportunity to brainstorm on this topic. 🤩</p><p><a href="https://simon.tournier.info/posts/2025-06-04-aphp-guix.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">simon.tournier.info/posts/2025</span><span class="invisible">-06-04-aphp-guix.html</span></a></p><p><a href="https://social.sciences.re/tags/ReproducibleResearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleResearch</span></a> <a href="https://social.sciences.re/tags/OpenScience" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenScience</span></a> <a href="https://social.sciences.re/tags/Debian" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Debian</span></a> <a href="https://social.sciences.re/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a></p>
Reproducible Builds<p>May 2025 in Reproducible Builds:</p><p> * Security audit of Reproducible Builds tools published<br> * "When good pseudorandom numbers go bad" <span class="h-card" translate="no"><a href="https://fosstodon.org/@jdnavarro" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>jdnavarro</span></a></span><br> * Academic articles <br> * Distribution work<br> * <span class="h-card" translate="no"><a href="https://framapiaf.org/@debian" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>debian</span></a></span><br> * <span class="h-card" translate="no"><a href="https://floss.social/@fdroidorg" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>fdroidorg</span></a></span> <span class="h-card" translate="no"><a href="https://social.librem.one/@eighthave" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>eighthave</span></a></span> <br> * <span class="h-card" translate="no"><a href="https://chaos.social/@nixos_org" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>nixos_org</span></a></span> <span class="h-card" translate="no"><a href="https://merveilles.town/@raboof" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>raboof</span></a></span> <br> * <span class="h-card" translate="no"><a href="https://fosstodon.org/@opensuse" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>opensuse</span></a></span><br> * <span class="h-card" translate="no"><a href="https://fosstodon.org/@fedora" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>fedora</span></a></span> <span class="h-card" translate="no"><a href="https://gts.dodgy.download/@jelly" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>jelly</span></a></span> <br> * diffoscope and disorderfs<br> * Website updates<br> * Reproducibility testing framework<br> * Upstream patches</p><p><a href="https://reproducible-builds.org/reports/2025-05/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">reproducible-builds.org/report</span><span class="invisible">s/2025-05/</span></a></p><p><a href="https://fosstodon.org/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a></p>
Vagrant Cascadian<p>Alright, this year at <a href="https://floss.social/tags/FOSSY" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FOSSY</span></a> in Portland, I will both be hosting a booth for <a href="https://floss.social/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a> and also presenting a talk...</p><p>"Never Mind the Checkboxes, Here's Reproducible Builds"</p><p>The Health policy is weaker than I would personally like with <a href="https://floss.social/tags/Masking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Masking</span></a> but at least last year there was significant voluntary compliance.</p><p><a href="https://floss.social/tags/PDX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PDX</span></a></p>
IzzyOnDroid ✅<p><a href="https://floss.social/tags/AndroidAppRain" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AndroidAppRain</span></a> today brings 16 updated and removes 1 app: Infinity for Reddit was removed as it was not fully FOSS (no offense to the dev, but the branch the APK was built from is not public).</p><p>How did we figure? Well, ALL attempts to achieve <a href="https://floss.social/tags/reproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproducibleBuilds</span></a> failed, as the commit the APK was built from could not be found. That's what we mean when we say RB proves it's built from that exact code, with NOTHING ADDED or taken away.</p><p>So: enjoy your 46.1% RB apps with the <a href="https://floss.social/tags/IzzyOnDroid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IzzyOnDroid</span></a> repo!</p>
IzzyOnDroid ✅<p>We have no new apps to report today (well, 10 updated apps is also good, right?) – but reached round numbers with our RBs once more:</p><p>590 apps (45%) of the <a href="https://floss.social/tags/android" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>android</span></a> <a href="https://floss.social/tags/apps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>apps</span></a> at the <a href="https://floss.social/tags/IzzyOnDroid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IzzyOnDroid</span></a> repo are now <a href="https://floss.social/tags/reproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproducibleBuilds</span></a> :awesome:</p>
Vagrant Cascadian<p>So sad to hear <a href="https://floss.social/tags/OSUOSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OSUOSL</span></a> is in a bit of a pinch...</p><p>They support so many free software projects that I work on, including <a href="https://floss.social/tags/Debian" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Debian</span></a> and <a href="https://floss.social/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a> and probably several more I did not even realize!</p><p>Please support those that support so many others if you can and spread the word!</p><p><a href="https://osuosl.org/blog/osl-future/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">osuosl.org/blog/osl-future/</span><span class="invisible"></span></a></p>
Stefano Zacchiroli<p>Congrats to <span class="h-card" translate="no"><a href="https://chaos.social/@luj" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>luj</span></a></span> and <span class="h-card" translate="no"><a href="https://fediscience.org/@Zimm_i48" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>Zimm_i48</span></a></span>, for the ACM SIGSOFT Distinguished Paper <a href="https://mastodon.xyz/tags/award" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>award</span></a> at <a href="https://mastodon.xyz/tags/MSR2025" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MSR2025</span></a>, for our joint paper «Does Functional Package Management Enable <a href="https://mastodon.xyz/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a> at Scale? Yes.»</p><p>Details, including link to an <a href="https://mastodon.xyz/tags/openaccess" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openaccess</span></a> preprint, at: <a href="https://2025.msrconf.org/details/msr-2025-technical-papers/32/Does-Functional-Package-Management-Enable-Reproducible-Builds-at-Scale-Yes-" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">2025.msrconf.org/details/msr-2</span><span class="invisible">025-technical-papers/32/Does-Functional-Package-Management-Enable-Reproducible-Builds-at-Scale-Yes-</span></a></p><p>The paper is going to be presented this afternoon at the conf here in Ottawa.</p><p><a href="https://mastodon.xyz/tags/Nix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Nix</span></a> cc: <span class="h-card" translate="no"><a href="https://fosstodon.org/@reproducible_builds" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>reproducible_builds</span></a></span></p>