(2/2) RB coverage seems a bit to stagnate currently, for multiple reasons: extra work due to AGP updates – and extra work due to … err … other "upstream things".
Dear developers, please take a look at our https://izzyondroid.org/docs/reproducibleBuilds/RBDevHints/ – and maybe also watch my (20 min) talk on this at FOSDEM https://fosdem.org/2026/schedule/event/8VDKQR-reproducible_builds_for_android_apps/ (slides included). Thanks a lot!
If you missed it: the video of my talk on Reproducible Builds of Android Apps at FOSDEM is live now. Feedback welcome 😊
https://fosdem.org/2026/schedule/event/8VDKQR-reproducible_builds_for_android_apps/
Eagerly waiting for the talk by @SylvieLorxu on our Download Statistics to become available, as I unfortunately could not attend it myself in person…
Heading for #FOSDEM tomorrow!
Reach out if you wanna chat about Secure Boot distro security, TPMs/attestation, reprobuilds or other adjacent topics!
I'll also be at the #ReproducibleBuilds and #ArchLinux BOFs!
While we're on the topic: work on minimal-bootstrap in #nixpkgs has actually been picked up again since this thesis was written (October 2025).
Not only that but, as of a few hours ago, the PR implementing the last step of hooking it up to become the actual bootstrap stdenv in Nixpkgs has been merged!
https://github.com/NixOS/nixpkgs/pull/479322
#fullsourcebootstrap #reproduciblebuilds #stage0 #minimalbootstrap #bootstrappablebuilds
🤔 Is this a #Composer normalization quirk caused by how #PHP encodes empty vs non-empty maps when regenerating composer.lock?
`stability-flags` is logically a map, but when empty Composer may serialize it as `[]` instead of `{}` especially after;
composer update --prefer-dist --prefer-stable
- Same dependency graph
- Different lockfile bytes / hash
Semantic determinism ✅
Byte-level determinism ❌
Fun fact: about 2/3 of the apps in our repository are confirmed as #ReproducibleBuilds – and (rough guess) about 90% of those are hosted at Github.
Now: Github being marked "malicious" by Google "Safebrowsing" – when? That's where all the malicious code lives then, no? And where all those (90%) "malicious" APKs are attached to releases (which we scrutinize with a bunch of extra scans; you can compare the file hashes to confirm) 🤔
GNU Guix 1.5 arrives after three long years, and it was worth the wait
https://fed.brid.gy/r/https://nerds.xyz/2026/01/gnu-guix-1-5-linux/
RE: https://mathstodon.xyz/@glocq/114773451205359662
Bumping this again. I found this library https://github.com/INRIA/libpointing but had trouble building it. Like #krita , it seems to be based on #Qt , so I guess Qt might be a good bet. Problem is 1/ it seems I would be pretty tied to C++ 2/ it seems hard to build reliably.
Ideally I would like to find a library that:
1/ is cross-platform
2/ builds reproducibly, meaning there is or I can make a #nix flake out of it
3/ is able to receive pointer data (not just mouse coordinates, by also at least pen pressure),
4/ can capture the pointer, meaning the library's user can make it so that the end user's pointer doesn't interact with anything except for sending its data to their program.
Any info/advice/experience welcome :)
More good progress and achievements for Reproducible Builds in December 2025:
https://fosstodon.org/@reproducible_builds/115861936233442294
Welcome to the RB family, Presents 🥳
https://apt.izzysoft.de/packages/com.lezsoft.presents
Presents is an app that helps you keep your wishes organized, and instantly share them with all your friends. Its developer having identified and fixed the final culprit keeping it from being reproducible, it now is :awesome:
Welcome to the RB family, APlayer 🥳
https://apt.izzysoft.de/packages/remix.myplayer
APlayer is a beautiful and powerful music player with lyrics support, a built-in equalizer, sleep timer, tag editor, and more.
Thanks to some help by its developer, this app can now be built reproducible :awesome:
Here's my FOSS recap 2025 edition blog post:
https://antiz.fr/blog/foss-recap-2025/
Pretty happy and proud about everything I had the chance to work on and achieve this year! 😃
Thanks to everyone involved, whether directly or indirectly! 🤗
Looking forward to another great year, happy new year everyone! 🥳 🎉
@danirabbit similarly, do not try to get clever and insert the copyright year at build time... this does not generate copyrightable content, so is simply wrong, and also breaks #ReproducibleBuilds
Welcome to the RB family, Interstellar 🥳
https://apt.izzysoft.de/packages/one.jwr.interstellar
Interstellar is a Fediverse client for Mbin/Lemmy/PieFed accounts. Having found the final culprit that kept it from being RB (after 6 months, and it was just a single thing to toggle! RBs can be bitches sometimes…), we finally succeeded :awesome:
So raising the bar a little again, RB status is now at 774 apps (60.5%)
Welcome to the RB family, FileBin 🥳
https://apt.izzysoft.de/packages/de.varakh.fbmobile
FileBin is a mobile client for FileBin, a self-hostable service to manage your pastes. We finally managed to get it RB, as we were able to locate a culprit in Gradle not dealing correctly with per-ABI builds when only building a single ABI…
So, current RB status: 773 apps (60.4%)
On the heels of the NixOS 25.11 release, I reproduced the minimal
installation ISO again.
My approach is to take a NixOS VM from 2020, and then build the ISO (almost) without relying on the binary cache. This means it builds essentially all of the build-time dependencies and all of the items that make it into the ISO
from source, without directly relying on Nix-specific prebuilt packages. On the other hand, NixOS is somewhat less strict than for example Debian in
requiring package 'sources' are actually sources, so a few builds (notably go) are actually 'built' from upstream binary releases.
It's very satisfying to see such a long (albeit well-controlled) Rube Goldberg machine of builds results in a single hash that is identical to the one from the ISO you can download from the website.
Full write-up with all details at https://arnout.engelen.eu/blog/reproducing-nixos-25.11-minimal-iso/
I worked on making the @archlinux WSL image bit-for-bit reproducible (in the context of @reproducible_builds) and I wrote a little blog post about it! :arch: 😄
https://antiz.fr/blog/the-archlinux-wsl-image-is-now-reproducible/
Reproducible Guix Container Images #guix #containers #docker #podman #reproduciblebuilds https://blog.josefsson.org/2025/12/07/reproducible-guix-container-images/
Well, "only" 12 updates today and no added apps, BUUUUT…
New milestone reached: 3 out of 5 apps at #IzzyOnDroid are now #ReproducibleBuilds 🥳
==> RB status: 758 apps (60%) <==
You can read more about what that means at our website: https://izzyondroid.org/about/security/ReproducibleBuilds/
(and we hope to reach the "2 out of 3" (aka 66.666%) until FOSDEM 2026 🤞)
Just watched FOSDEM talk from 2024:
« Documenting and Fixing Non-Reproducible Builds due to Configuration Options »
by Georges Aaron Randrianaina
Super interesting! Quoting:
« The approach we propose in this presentation is capable of identifying 10 configuration options that caused this non-reproducibility. When confronted to the Linux documentation, none of these are documented as non-reproducible. »
