--------------------------------------------------------------------
   o ⬋ ⬊          October 2024 in Reproducible Builds
  o   o ⬊ ⬋       https://reproducible-builds.org/reports/2024-10/
     o
--------------------------------------------------------------------

Welcome to the October 2024 report from the Reproducible Builds [0]
project! Our reports attempt to outline what we've been up to over the
past month, highlighting news items from elsewhere in tech where they
are related. As ever, if you are interested in contributing to the
project, please visit our Contribute [1] page on our website.

[0] https://reproducible-builds.org
[1] https://reproducible-builds.org/contribute/

§ Table of contents:

* Beyond bitwise equality for Reproducible Builds?
* "Two Ways to Trustworthy" at SeaGL 2024
* Number of cores affected Android compiler output
* On our mailing list
* diffoscope
* IzzyOnDroid passed 25% reproducible apps
* Distribution work
* Website updates
* Reproducibility testing framework
* Supply-chain security at Open Source Summit EU
* Upstream patches

§ Beyond bitwise equality for Reproducible Builds?
------------------------------------------------

Jens Dietrich and Tim White of Victoria University of Wellington, New
Zealand, together with Behnaz Hassanshahi and Paddy Krishnan of Oracle
Labs Australia, published a paper entitled "Levels of Binary
Equivalence for the Comparison of Binaries from Alternative Builds"
[3]:

> The availability of multiple binaries built from the same sources
> creates new challenges and opportunities, and raises questions such
> as: “Does build A confirm the integrity of build B?” or “Can build A
> reveal a compromised build B?”. To answer such questions requires a
> notion of equivalence between binaries. We demonstrate that the
> obvious approach based on bitwise equality has significant
> shortcomings in practice, and that there is value in opting for
> alternative notions. We conceptualise this by introducing levels of
> equivalence, inspired by clone detection types.

A PDF [4] of the paper is freely available.
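To make the paper's point concrete, here is an added example (written for this report; it is neither the authors' tooling nor diffoscope, and the level names are this example's own rather than the paper's taxonomy). It compares two ZIP-based build artifacts, a format chosen because several of this month's upstream patches concern .zip and .gz modification times, and reports the strongest level at which they agree: a plain checksum can only say "bitwise identical or not", whereas a content-aware comparison can say "same files, same bytes, only timestamps differ" and list exactly which fields drifted. The archives below are constructed in memory to stand in for two builds of the same source.

```python
"""Compare two build artifacts at several levels of equivalence.

Added example for this report, not code from the paper or from diffoscope.
The level names below are this example's own, not the paper's taxonomy.
Input: two ZIP archives as bytes (constructed below, standing in for two
builds of the same source on different machines).
"""
import io
import zipfile
from dataclasses import dataclass, field

# Levels, strongest first.
LEVEL_BITWISE = "bitwise-identical"          # the only level a sha256 check can see
LEVEL_CONTENT = "member-content-identical"   # same files, same bytes; only metadata differs
LEVEL_SAME_SET = "member-set-identical"      # same file names, but some contents differ
LEVEL_DIFFERENT = "different"                # the sets of files differ

# Per-member fields treated as metadata: they do not change what the shipped
# program does, so a difference here is a reproducibility bug to fix upstream,
# not a sign of a compromised build.
METADATA_FIELDS = ("date_time", "compress_type", "create_system")


@dataclass
class Verdict:
    level: str
    metadata_diffs: dict = field(default_factory=dict)  # name -> {field: (a, b)}
    content_diffs: list = field(default_factory=list)   # names whose payload differs


def _members(blob: bytes) -> dict:
    """Map member name -> (ZipInfo, payload bytes)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {info.filename: (info, zf.read(info.filename)) for info in zf.infolist()}


def compare_zips(a: bytes, b: bytes) -> Verdict:
    """Return the strongest equivalence level at which archives a and b agree."""
    if a == b:
        return Verdict(LEVEL_BITWISE)
    ma, mb = _members(a), _members(b)
    if set(ma) != set(mb):
        return Verdict(LEVEL_DIFFERENT, content_diffs=sorted(set(ma) ^ set(mb)))

    metadata_diffs, content_diffs = {}, []
    for name in sorted(ma):
        info_a, data_a = ma[name]
        info_b, data_b = mb[name]
        # Mode bits (setuid, executable) change what the file does once
        # installed, so they are compared as content, never as metadata.
        if data_a != data_b or info_a.external_attr != info_b.external_attr:
            content_diffs.append(name)
        diffs = {f: (getattr(info_a, f), getattr(info_b, f))
                 for f in METADATA_FIELDS
                 if getattr(info_a, f) != getattr(info_b, f)}
        if diffs:
            metadata_diffs[name] = diffs

    if content_diffs:
        return Verdict(LEVEL_SAME_SET, metadata_diffs, content_diffs)
    return Verdict(LEVEL_CONTENT, metadata_diffs)


def make_zip(members, date_time) -> bytes:
    """Build a small archive in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed inputs: "build A" and "build B" contain the same files but were
# zipped a day apart; "build C" has one byte changed in a payload.
SAMPLE_MEMBERS = [("lib/a.txt", b"hello\n"), ("lib/b.txt", b"world\n")]
BUILD_A = make_zip(SAMPLE_MEMBERS, (2024, 10, 1, 12, 0, 0))
BUILD_B = make_zip(SAMPLE_MEMBERS, (2024, 10, 2, 12, 0, 0))
BUILD_C = make_zip([("lib/a.txt", b"hello\n"), ("lib/b.txt", b"w0rld\n")],
                   (2024, 10, 1, 12, 0, 0))

if __name__ == "__main__":
    for label, other in (("A vs A", BUILD_A), ("A vs B", BUILD_B), ("A vs C", BUILD_C)):
        v = compare_zips(BUILD_A, other)
        print(label, v.level, v.metadata_diffs, v.content_diffs)
```

The design choice that matters for security is which fields count as "metadata": timestamps and compression method are safe to discount, but permission bits are not, since a setuid bit smuggled into an otherwise identical archive changes behaviour. A looser equivalence level only answers "does build A confirm build B?" if everything it ignores is something an attacker cannot use.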
[3] https://doi.org/10.48550/arXiv.2410.08427
[4] https://arxiv.org/pdf/2410.08427v1

§ "Two Ways to Trustworthy" at SeaGL 2024
---------------------------------------

On Friday 8th November, Vagrant Cascadian will present a talk entitled
"Two Ways to Trustworthy" [6] at SeaGL [5] in Seattle, WA. Founded in
2013, SeaGL is a free, grassroots technical summit dedicated to
spreading awareness and knowledge about free source software, hardware
and culture. Vagrant's talk:

> […] delves into how two project[s] approaches fundamental security
> features through Reproducible Builds, Bootstrappable Builds, code
> auditability, etc. to improve trustworthiness, allowing independent
> verification; trustworthy projects require little to no trust.
>
> Exploring the challenges that each project faces due to very
> different technical architectures, but also contextually relevant
> social structure, adoption patterns, and organizational history
> should provide a good backdrop to understand how different
> approaches to security might evolve, with real-world merits and
> downsides.

[5] https://seagl.org/
[6] https://pretalx.seagl.org/2024/talk/W73ACM/

§ Number of cores affected Android compiler output
------------------------------------------------

Fay Stegerman wrote [8] that the cause of the Android toolchain bug she
reported to the Android issue tracker [10] (and which was covered in
September's report [9]) has been found, and the bug has been fixed:

> the D8 Java to DEX [11] compiler (part of the Android toolchain)
> eliminated a redundant field load if running the class's static
> initialiser was known to be free of side effects, which ended up
> accidentally depending on the sharding of the input, which is
> dependent on the number of CPU cores used during the build.

To make it easier to understand the bug and the patch, Fay also made a
small example [12] to illustrate when and why the optimisation
involved is valid.
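The lesson for anyone running a rebuilder is that building twice on the same host would never have caught this: the sharding only changes when the core count does. Below is an added example of the check that does catch it (written for this report, not part of the Android toolchain or of any rebuilder). It rebuilds the same artifact under several apparent CPU counts and compares digests. The environment variables BUILD_CORES and BUILD_OUT, and the two stand-in build commands, are this example's own assumptions and not anything the toolchain actually reads; on Linux the child is additionally pinned with sched_setaffinity so tools that ask the OS for the processor count see the reduced number.

```python
"""Rebuild an artifact under different apparent CPU counts and check that the
outputs agree. Added example for this report, not the Android toolchain's
own test.

Assumptions (hypothetical, not from the page): the build command reads the
BUILD_CORES environment variable to choose its parallelism and writes its
artifact to the path in BUILD_OUT. On Linux the child process is also pinned
to that many CPUs, so tools that ask the OS (os.cpu_count(),
Runtime.availableProcessors()) see the reduced count; elsewhere only the
variable is set.
"""
import hashlib
import os
import subprocess
import sys
import tempfile
from pathlib import Path


def _pin_to_cores(n: int):
    """Return a preexec hook restricting the child to n CPUs (best effort)."""
    if not hasattr(os, "sched_setaffinity"):
        return None                       # not Linux: rely on BUILD_CORES only
    allowed = sorted(os.sched_getaffinity(0))
    cpus = set(allowed[:n])               # asking for more than the host has keeps all

    def hook():
        try:
            os.sched_setaffinity(0, cpus)
        except OSError:
            pass                          # e.g. a container forbids changing affinity
    return hook


def build_once(cmd, cores: int, workdir: str) -> str:
    """Run cmd as if on `cores` CPUs and return the sha256 of its output file."""
    out = Path(workdir) / "out.bin"
    env = dict(os.environ, BUILD_CORES=str(cores), BUILD_OUT=str(out))
    subprocess.run(cmd, env=env, cwd=workdir, check=True,
                   preexec_fn=_pin_to_cores(cores))
    return hashlib.sha256(out.read_bytes()).hexdigest()


def check_core_count_independence(cmd, core_counts=(1, 2, 8)):
    """Build once per core count in a fresh directory; return (ok, digests)."""
    digests = {}
    for n in core_counts:
        with tempfile.TemporaryDirectory() as d:
            digests[n] = build_once(cmd, n, d)
    return len(set(digests.values())) == 1, digests


# Constructed stand-ins for a real toolchain (not real build commands): one
# whose output ignores the core count, and one that, like the D8 bug, lets
# the shard count leak into the artifact.
DETERMINISTIC_BUILD = [sys.executable, "-c",
    "import os, pathlib; pathlib.Path(os.environ['BUILD_OUT']).write_bytes(b'const')"]
LEAKY_BUILD = [sys.executable, "-c",
    "import os, pathlib; pathlib.Path(os.environ['BUILD_OUT'])"
    ".write_bytes(b'shards=' + os.environ['BUILD_CORES'].encode())"]

if __name__ == "__main__":
    for name, cmd in (("deterministic", DETERMINISTIC_BUILD), ("leaky", LEAKY_BUILD)):
        ok, digests = check_core_count_independence(cmd)
        print(name, "reproducible across core counts" if ok else "DIFFERS", digests)
```

Varying one environment parameter at a time (core count here, but equally locale, timezone, build path or kernel version, the same axes the testing framework at tests.reproducible-builds.org varies) is what turns a rebuild from a regression test into a search for hidden inputs.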
[8] https://tech.lgbt/@obfusk/113403959098151861
[9] https://reproducible-builds.org/reports/2024-09/#android-toolchain-core-count-issue-reported
[10] https://issuetracker.google.com/issues/366412380
[11] https://source.android.com/docs/core/runtime/dex-format
[12] https://gist.github.com/obfusk/83822140509dad4148b14bba41adf008

§ On our mailing list…
--------------------

On our mailing list [13] this month:

* Following up on previous work, James Addison informed the list that
  the recently-released Sphinx [14] documentation generator includes
  improvements to its copyright notice substitutions [15].

[13] https://lists.reproducible-builds.org/listinfo/rb-general/
[14] https://www.sphinx-doc.org/en/master/
[15] https://lists.reproducible-builds.org/pipermail/rb-general/2024-October/003562.html

* Pol Dellaiera wrote to the list to seek advice on introducing the
  concept of reproducibility [16] to computer science Masters students
  at the University of Mons, Belgium [17].

[16] https://lists.reproducible-builds.org/pipermail/rb-general/2024-October/003560.html
[17] https://web.umons.ac.be/

* James Addison also followed up on a previous thread on
  "CONFIG_MODULE_SIG and the unreproducible Linux Kernel" [18] to add:
  "I wonder whether it would be possible to use the Linux kernel's
  Integrity Policy Enforcement [19] to deploy a policy that would
  prevent loading of anything except a set of expected kernel
  modules." [20]

[18] https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003530.html
[19] https://docs.kernel.org/admin-guide/LSM/ipe.html
[20] https://lists.reproducible-builds.org/pipermail/rb-general/2024-October/003553.html

* There were also two informative replies from David Wheeler [21] to a
  broad-based discussion on Reproducible Builds being defined in
  various standards. [22][23]

[21] https://dwheeler.com/
[22] https://lists.reproducible-builds.org/pipermail/rb-general/2024-October/003550.html
[23] https://lists.reproducible-builds.org/pipermail/rb-general/2024-October/003551.html

§ diffoscope
----------

diffoscope [25] is our in-depth and content-aware diff utility that
can locate and diagnose reproducibility issues. This month, Chris Lamb
made the following changes, including preparing and uploading versions
279, 280, 281 and 282 to Debian:

* Ignore errors when listing .ar archives (#1085257 [26]). [27]
* Don't try to test with systemd-ukify in the Debian stable
  distribution. [28]
* Drop Depends on the deprecated python3-pkg-resources
  (#1083362 [29]). [30]

[25] https://diffoscope.org
[26] https://bugs.debian.org/1085257
[27] https://salsa.debian.org/reproducible-builds/diffoscope/commit/e0e10c41
[28] https://salsa.debian.org/reproducible-builds/diffoscope/commit/0736b361
[29] https://bugs.debian.org/1083362
[30] https://salsa.debian.org/reproducible-builds/diffoscope/commit/997c6adb

In addition, Jelle van der Waa added support for Unified Kernel Image
[31] (UKI) files. [32][33][34] Furthermore, Vagrant Cascadian updated
diffoscope in GNU Guix [35] to version 282. [36][37]

[31] https://wiki.archlinux.org/title/Unified_kernel_image
[32] https://salsa.debian.org/reproducible-builds/diffoscope/commit/9d5b5d32
[33] https://salsa.debian.org/reproducible-builds/diffoscope/commit/2d7f54bf
[34] https://salsa.debian.org/reproducible-builds/diffoscope/commit/153d6185
[35] https://guix.gnu.org/
[36] https://debbugs.gnu.org/74072
[37] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=d6f775c30c6f47e174f6110d1089edc6315600e4

§ IzzyOnDroid passed 25% reproducible apps
----------------------------------------

The IzzyOnDroid [39] project has reached a notable milestone: over 25%
[40] of the ~1,200 Android apps provided by its repository (official
APKs built by the original application developers) have now been
confirmed reproducible by a rebuilder [41].

[39] https://apt.izzysoft.de/fdroid/
[40] https://floss.social/@IzzyOnDroid/113350034406251501
[41] https://codeberg.org/IzzyOnDroid/rbtlog

§ Distribution work
-----------------

In Debian this month:

* Holger Levsen uploaded devscripts version 2.24.2 [42], including
  many changes to the debootsnap, debrebuild and reproducible-check
  scripts. This is the first time that debrebuild actually works
  (using sbuild's unshare backend). As part of this, Holger also fixed
  an issue in the reproducible-check script where a typo in the code
  led to incorrect results. [43]

[42] https://tracker.debian.org/news/1581399/accepted-devscripts-2242-source-into-unstable/
[43] https://salsa.debian.org/debian/devscripts/-/commit/4b3cf6bfbb3940700aab407879bf411c58b97847

* Recently, a news entry was added to the homepage of
  snapshot.debian.org [44], describing the recent changes that made
  the system stable again:

  > The new server has no problems keeping up with importing the
  > full archives on every update, as each run finishes comfortably
  > in time before it's time to run again. [While] the new server is
  > the one doing all the importing of updated archives, the HTTP
  > interface [45] is being served by both the new server and one of
  > the VM's at LeaseWeb [46].

  The entry lists a number of specific updates surrounding the API
  endpoints and rate limiting.

[44] http://snapshot.debian.org/
[45] https://snapshot.debian.org/
[46] https://www.leaseweb.com/

* Lastly, 12 reviews of Debian packages were added, 3 were updated and
  18 were removed this month, adding to our knowledge about identified
  issues [47].

[47] https://tests.reproducible-builds.org/debian/index_issues.html

Elsewhere in distribution news, Zbigniew Jędrzejewski-Szmek performed
another rebuild of Fedora [48] 42 packages, with the headline result
being that 91% of the packages are reproducible [49]. Zbigniew also
reported a reproducibility problem with QImage [50].

[48] https://fedoraproject.org
[49] https://in.waw.pl/~zbyszek/fedora/builds-f42-with-add-det-4.x.summary.txt
[50] https://lists.fedoraproject.org/archives/list/de...@lists.fedoraproject.org/thread/67ICWGGE3TUPG5RH32GZAXICO4T5BXFG/

Finally, in openSUSE, Bernhard M. Wiedemann published another report
[51] for that distribution.

[51] https://lists.opensuse.org/archives/list/fact...@lists.opensuse.org/thread/NRT3XWO4ZRSIMAPSHD7HVSD5Z62WQWAA/

§ Website updates
---------------

There were an *enormous* number of improvements made to our website
this month, including:

* Alba Herrerias:

  * Improve consistency across distribution-specific guides. [52]
  * Fix a number of links on the "Contribute" page. [53]

[52] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/12826f09
[53] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1274584d

* Chris Lamb:

  * Correct the name of the Civil Infrastructure Platform [54] and
    update its image on the "Projects" [55] page. [56]
  * Update a broken link on the "Value Initialization" [57] page. [58]
  * Try to make pipeline/branch builds of the website easier to
    browse. [59][60][61][62]

[54] https://www.cip-project.org/
[55] https://reproducible-builds.org/who/projects/
[56] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e53ecbc7
[57] https://reproducible-builds.org/docs/value-initialization/
[58] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/56f708d7
[59] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8bff7574
[60] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/df01bf5f
[61] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a3faf5be
[62] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0c735ea6

* hulkoba:

  * Contribute to the new "Success stories" [63] page. [64]

[63] https://reproducible-builds.org/success-stories/
[64] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/4ca4e410

* James Addison:

  * Huge and significant work on an (as-yet-unmerged) quickstart guide
    to be linked from the homepage. [65][66][67][68][69]
  * On the homepage [70], link directly to the Projects [71] subpage.
    [72]
  * Relocate "dependency-drift" notes to the Volatile inputs [73]
    page. [74]

[65] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/30d226e0
[66] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6ccad0f4
[67] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/aeb73a4a
[68] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5ee3ac46
[69] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8e8f7d55
[70] https://reproducible-builds.org/
[71] https://reproducible-builds.org/who/projects
[72] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ca047d2e
[73] https://reproducible-builds.org/docs/volatile-inputs/
[74] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/63d58e09

* Ninette Adhikari:

  * Add a brand new "Success stories" [75] page that "highlights the
    success stories of Reproducible Builds, showcasing real-world
    examples of projects shipping with verifiable, reproducible
    builds". [76][77][78][79][80][81]

[75] https://reproducible-builds.org/success-stories/
[76] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/12f4df01
[77] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ddc6df7c
[78] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6b3dba82
[79] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/19a17974
[80] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/28d82a04
[81] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/115ed658

* Pol Dellaiera:

  * Update the website's README page for building the website under
    NixOS [82]. [83][84][85][86][87]
  * Add a new academic paper citation. [88]

[82] https://nixos.org/
[83] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5428366d
[84] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f90aba5c
[85] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/13a338ab
[86] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/b9e51c38
[87] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/39598567
[88] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/62aa449b

Lastly, Holger Levsen filed an extensive issue detailing a request to
create an overview of recommendations and standards [89] in relation
to reproducible builds.

[89] https://salsa.debian.org/reproducible-builds/reproducible-website/-/issues/59

§ Reproducibility testing framework
---------------------------------

The Reproducible Builds project operates a comprehensive testing
framework running primarily at tests.reproducible-builds.org [90] in
order to check packages and other artifacts for reproducibility. In
October, a number of changes were made by Holger Levsen, including:

* Add a basic index.html for rebuilderd. [91]
* Update the nginx.conf configuration file for rebuilderd. [92]
* Document how to use a rescue system for Infomaniak's OpenStack
  cloud. [93]
* Update usage info for two particular nodes. [94]
* Fix the name of the riscv64 architecture in a version-skew check.
  [95]
* Update the rebuilderd-related TODO. [96]

[90] https://tests.reproducible-builds.org
[91] https://salsa.debian.org/qa/jenkins.debian.net/commit/2fdfe56c1
[92] https://salsa.debian.org/qa/jenkins.debian.net/commit/e43de52e2
[93] https://salsa.debian.org/qa/jenkins.debian.net/commit/254f86399
[94] https://salsa.debian.org/qa/jenkins.debian.net/commit/fbf8d89a4
[95] https://salsa.debian.org/qa/jenkins.debian.net/commit/8eae72e56
[96] https://salsa.debian.org/qa/jenkins.debian.net/commit/6a383397b

In addition, Mattia Rizzolo added a new IP address for the inos5 node
[97] and Vagrant Cascadian brought 4 virt nodes back online [98].

[97] https://salsa.debian.org/qa/jenkins.debian.net/commit/5cea8f4a8
[98] https://salsa.debian.org/qa/jenkins.debian.net/commit/114838df4

§ Supply-chain security at Open Source Summit EU
----------------------------------------------

The Open Source Summit EU [100] took place recently, and covered
plenty of topics related to supply-chain security, including:

* Public Sector & OpenSSF: Principles for Package Repository
  Security [101]
* The Model Openness Framework: Promoting Completeness and Openness
  for Reproducibility, Transparency and Usability in AI [102]
* Structured Scorecard Results: Tailor Your Own Supply-Chain Security
  Policies [103]
* Lightning Talk: Elephant in the Room: How Supply Chain Security
  Standards Are Not Standard and What to Do About It [104]
* Lightning Talk: Charting the Course for Secure Software Supply Chain
  with Guac-AI-Mole! [105]
* TPMs, Merkle Trees and TEEs: Enhancing SLSA with Hardware-Assisted
  Build Environment Verification [106]
* Accountability Taxonomy for AI Software Bill of Materials [107]
* Securing Your Supply Chain with an Open Source Ecosystem [108]
* OSS Supply Chain Threats and Why You Need a Holistic Security
  Strategy [109]
* A Step Closer to in-Toto’lly Secure: Using in-Toto and OPA
  Gatekeeper to Verify Artifact Integrity [110]
* Panel Discussion: Improving Supply Chain Integrity with OpenSSF
  Technologies [111]
* Case Study: 10+ Years of Developing an SBOM System and the Dos and
  Don’ts [112]
* SBOM in SaaS Environments: An Update [113]
* Securing Git Repositories with Gittuf [114]

[100] https://events.linuxfoundation.org/open-source-summit-europe/
[101] https://www.youtube.com/watch?v=EyzFZYeSj5g&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=124
[102] https://www.youtube.com/watch?v=-GFcUgT77oE&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=114
[103] https://www.youtube.com/watch?v=ZT3XdMF6U5A&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=106
[104] https://www.youtube.com/watch?v=ICrlIlWAiGA&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=103
[105] https://www.youtube.com/watch?v=mHjsaDDkbKo&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=102
[106] https://www.youtube.com/watch?v=Gk0LDi05KRg&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=100
[107] https://www.youtube.com/watch?v=nSQ3rsaqpaQ&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=47
[108] https://www.youtube.com/watch?v=154gKafXhnc&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=33
[109] https://www.youtube.com/watch?v=cLPZ7dYndH0&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=30
[110] https://www.youtube.com/watch?v=b_ImE70Vhd8&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=28
[111] https://www.youtube.com/watch?v=6EPROzPfqD8&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=26
[112] https://www.youtube.com/watch?v=1LTqB4czzEs&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=142
[113] https://www.youtube.com/watch?v=4rA9JOESvL8&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=182
[114] https://www.youtube.com/watch?v=eCSeIEdMbCw&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=179

§ Upstream patches
----------------

The Reproducible Builds project detects, dissects and attempts to fix
as many currently-unreproducible packages as possible. We endeavour to
send all of our patches upstream where appropriate. This month, we
wrote a large number of such patches, including:

* Bernhard M. Wiedemann:

  * apache-ivy [115] (.zip modification time)
  * ccache [116] (build failure)
  * colord [117] (CPU)
  * efivar [118] (CPU/march=native)
  * gsl [119] (no check)
  * libcamera [120] (date/copyright year)
  * libreoffice [121] (possible rpm/build toolchain corruption bug)
  * moto [122] (.gz modification time)
  * openssl-1_1 [123] (date-related issue)
  * python-pygraphviz [124] (benchmark)
  * sphinx/python-pygraphviz [125] (benchmark)
  * python-panel [126] (package.lock has random port)
  * python-propcache [127] (random temporary path)
  * python314 [128] (.gz-related modification time)
  * rusty_v8 [129] (random .o files)
  * scapy [130] (date)
  * wine [131] (parallelism)
  * ibmtss [132] (FTBFS-2026 [133])
  * pymol [134] (date)
  * pandas [135] (ASLR)
  * linutil [136] (drop date)
  * lsof [137] (also filed in openSUSE [138]: uname -r in LSOF_VSTR)
  * schily [139] (also filed in openSUSE [140]: uname -r)
  * superlu [141] (nocheck)
  * util-linux [142] (random test failure)
  * ceph [143] (year-2038 variation from embedded boost)

[115] https://build.opensuse.org/request/show/1206032
[116] https://github.com/ccache/ccache/pull/1525
[117] https://github.com/hughsie/colord/issues/174
[118] https://bugzilla.opensuse.org/show_bug.cgi?id=1231368
[119] https://build.opensuse.org/request/show/1206278
[120] https://lists.libcamera.org/pipermail/libcamera-devel/2024-October/045731.html
[121] https://bugzilla.opensuse.org/show_bug.cgi?id=1231580
[122] https://github.com/getmoto/moto/pull/8218
[123] https://bugzilla.opensuse.org/show_bug.cgi?id=1231667
[124] https://github.com/pygraphviz/pygraphviz/pull/544
[125] https://github.com/sphinx-gallery/sphinx-gallery/pull/1385
[126] https://bugzilla.opensuse.org/show_bug.cgi?id=1231254
[127] https://build.opensuse.org/request/show/1207574
[128] https://github.com/python/cpython/pull/125261
[129] https://bugzilla.opensuse.org/show_bug.cgi?id=1231548
[130] https://build.opensuse.org/request/show/1205217
[131] https://bugzilla.opensuse.org/show_bug.cgi?id=1231620
[132] https://github.com/kgoldman/ibmtss/commit/3a17ac01bea73d3568272d61b895a16a0bd85440
[133] https://sourceforge.net/p/ibmtpm20tss/tickets/49/
[134] https://github.com/schrodinger/pymol-open-source/pull/404
[135] https://github.com/pandas-dev/pandas/issues/60078
[136] https://github.com/ChrisTitusTech/linutil/pull/869
[137] https://build.opensuse.org/request/show/1218747
[138] https://bugzilla.opensuse.org/show_bug.cgi?id=1232425
[139] https://codeberg.org/schilytools/schilytools/pulls/81
[140] https://bugzilla.opensuse.org/show_bug.cgi?id=1232434
[141] https://bugzilla.opensuse.org/show_bug.cgi?id=1232550
[142] https://github.com/util-linux/util-linux/issues/3259
[143] https://tracker.ceph.com/issues/68778

* Chris Lamb:

  * #1085097 [144] filed against python-roborock [145].
  * #1085280 [146] filed against pywayland [147].
  * #1085283 [148] filed against readsb [149].
  * #1085381 [150] filed against xraylarch [151].

[144] https://bugs.debian.org/1085097
[145] https://tracker.debian.org/pkg/python-roborock
[146] https://bugs.debian.org/1085280
[147] https://tracker.debian.org/pkg/pywayland
[148] https://bugs.debian.org/1085283
[149] https://tracker.debian.org/pkg/readsb
[150] https://bugs.debian.org/1085381
[151] https://tracker.debian.org/pkg/xraylarch

* James Addison:

  * #1085112 [152] filed against distro-info [153].

[152] https://bugs.debian.org/1085112
[153] https://tracker.debian.org/pkg/distro-info

* Zbigniew Jędrzejewski-Szmek:

  * calibre [154] (two sort issues) [155][156]

[154] https://github.com/kovidgoyal/calibre
[155] https://github.com/kovidgoyal/calibre/pull/2483
[156] https://github.com/kovidgoyal/calibre/pull/2484

§ Finally…
---------

If you are interested in contributing to the Reproducible Builds
project, please visit our "Contribute" [157] page on our website.
Alternatively, you can get in touch with us via:

* IRC: #reproducible-builds on irc.oftc.net.
* Mastodon: @reproducible_bui...@fosstodon.org [158]
* Mailing list: rb-gene...@lists.reproducible-builds.org [159]
* Twitter: @ReproBuilds [160]

[157] https://reproducible-builds.org/contribute/
[158] https://fosstodon.org/@reproducible_builds
[159] https://lists.reproducible-builds.org/listinfo/rb-general
[160] https://twitter.com/ReproBuilds

-- 
   o ⬋ ⬊
  o   o    reproducible-builds.org 💠
   ⬊ ⬋
    o

_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/reproducible-builds