IzzyOnDroid ✅<p><span class="h-card" translate="no"><a href="https://chaos.social/@SylvieLorxu" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>SylvieLorxu</span></a></span> And you can be affirmed it's the very same FOSS build, as at IzzyOnDroid it is a Reproducible Build – meaning, our builders built the APK from Sylvia's code, and ended up with a byte-by-byte identical APK.</p><p>Bonus points: updates usually reach you within 24h of Sylvia making them available. Our build cycles are pretty short: just a few hours, instead of a few days 😉 </p><p><a href="https://floss.social/tags/IzzyOnDroid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IzzyOnDroid</span></a> <a href="https://floss.social/tags/reproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproducibleBuilds</span></a> <a href="https://floss.social/tags/updates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>updates</span></a></p>
dice.camp is one of the many independent Mastodon servers you can use to participate in the fediverse.
A Mastodon server for RPG folks to hang out and talk. Not owned by a billionaire.
Administered by:
Server stats:
1.6Kactive users
dice.camp: About · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.4.3
#reproduciblebuilds
1 post · 1 participant · 0 posts today
Vagrant Cascadian<p><a href="https://floss.social/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a> talk at <a href="https://floss.social/tags/FOSSY2025" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FOSSY2025</span></a> went pretty well today, presented by myself and my colleague Chris Lamb...</p><p>For bonus fun, I used the <a href="https://floss.social/tags/MNTReform" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MNTReform</span></a> to present!</p><p>Slides available:</p><p><a href="https://people.debian.org/~vagrant/fossy-2025/Nevermind-the-Checkboxes-heres-Reproducible-Builds.pdf" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">people.debian.org/~vagrant/fos</span><span class="invisible">sy-2025/Nevermind-the-Checkboxes-heres-Reproducible-Builds.pdf</span></a></p><p>... as well as a .buildinfo file if you want to try and bit-for-bit reproduce the slides, although I did it using an arm64 machine:</p><p><a href="https://people.debian.org/~vagrant/fossy-2025/nevermind-the-checkboxes_2025.08.02+fossy_all.buildinfo.asc" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">people.debian.org/~vagrant/fos</span><span class="invisible">sy-2025/nevermind-the-checkboxes_2025.08.02+fossy_all.buildinfo.asc</span></a></p><p>Video should be available in a month or so, hopefully?</p>
IzzyOnDroid ✅<p>W00t, w00t! New NeoStore (one of our F-Droid clients) arrived, now showing the RB status directly next to the versions of each app 🥳 </p><p><a href="https://floss.social/tags/IzzyOnDroid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IzzyOnDroid</span></a> <a href="https://floss.social/tags/reproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproducibleBuilds</span></a></p>
🌈☔🌦️🍄🌱🍉<p>Reproducible here means you can compile a package/piece of software from source and end up with the exact same binary package on different machines and later in time. This isn't a feature one can just asume fron software but a serious security benefit as you can compare packages compiled on different systems and lowering the odds of compiler or toolchain code injections or exploits.</p><p><a href="https://chaos.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://chaos.social/tags/reproduciblebuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproduciblebuilds</span></a></p>
🌈☔🌦️🍄🌱🍉<p>92.04% of all packages in debian trixie are reproducible, 96.40% of the amd64 packages and 96.30% for arm64. ppc64el scores worst with 89.50%.</p><p><a href="https://reproduce.debian.net/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">reproduce.debian.net/</span><span class="invisible"></span></a></p><p><a href="https://chaos.social/tags/debian" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>debian</span></a> <a href="https://chaos.social/tags/trixie" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>trixie</span></a> <a href="https://chaos.social/tags/reproduciblebuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproduciblebuilds</span></a></p>
Vagrant Cascadian<p><span class="h-card" translate="no"><a href="https://social.vmbrasseur.com/@vmbrasseur" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>vmbrasseur</span></a></span> </p><p>So there!</p><p>Will be holding down a <a href="https://floss.social/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a> table and giving a related talk or two!</p><p>Looking forward to seeing folks!</p>
Luke T. Shumaker<p>ugg, `kicad-cli fp upgrade` UUIDs aren't deterministic :(</p><p><a href="https://social.coop/tags/KiCad" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KiCad</span></a> <a href="https://social.coop/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a></p>
Hans-Christoph Steiner<p>Some <a href="https://social.librem.one/tags/Android" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Android</span></a> <a href="https://social.librem.one/tags/SDK" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SDK</span></a> packages are updated with a revision number, but <a href="https://social.librem.one/tags/sdkmanager" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sdkmanager</span></a> does not allow installs to use that revision number. This sometimes breaks <a href="https://social.librem.one/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a>. There is an issue open since 2017 about this:<br><a href="https://issuetracker.google.com/issues/38045649" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">issuetracker.google.com/issues</span><span class="invisible">/38045649</span></a></p><p>If anyone wants this feature, it should be easy to implement in <a href="https://social.librem.one/tags/FDroid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FDroid</span></a>'s sdkmanager:<br><a href="https://gitlab.com/fdroid/sdkmanager/-/issues/26" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">gitlab.com/fdroid/sdkmanager/-</span><span class="invisible">/issues/26</span></a></p>
mmu_man<p>Round of applause for Lunar who started <a href="https://m.g3l.org/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a> at <a href="https://m.g3l.org/tags/Debian" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Debian</span></a> .</p><p><a href="https://m.g3l.org/tags/DebConf25" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DebConf25</span></a> <a href="https://m.g3l.org/tags/DebConf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DebConf</span></a></p>
IzzyOnDroid ✅<p>Welcome to the RB family, KeePassDX 🥳 </p><p>Both, the libre and the free flavor were just confirmed:</p><p><a href="https://apt.izzysoft.de/packages/com.kunzisoft.keepass.libre" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">apt.izzysoft.de/packages/com.k</span><span class="invisible">unzisoft.keepass.libre</span></a></p><p><a href="https://apt.izzysoft.de/packages/com.kunzisoft.keepass.free" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">apt.izzysoft.de/packages/com.k</span><span class="invisible">unzisoft.keepass.free</span></a></p><p>KeePassDX is a password safe and manager allows editing encrypted data in a single file in the open KeePass format and fill in the forms in a secure way, requires no Internet connection and integrates Android design standards.</p><p><a href="https://floss.social/tags/reproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproducibleBuilds</span></a> <a href="https://floss.social/tags/IzzyOnDroid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IzzyOnDroid</span></a></p>
IzzyOnDroid ✅<p>June news at reproducible-builds.org have been released, stating IzzyOnDroid passed 48% coverage (48.8% now), and that <span class="h-card" translate="no"><a href="https://floss.social/@bg443" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>bg443</span></a></span> made shields available to show the current RB status of an app. And on we go!</p><p><a href="https://reproducible-builds.org/reports/2025-06/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">reproducible-builds.org/report</span><span class="invisible">s/2025-06/</span></a></p><p><a href="https://floss.social/tags/IzzyOnDroid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IzzyOnDroid</span></a> <a href="https://floss.social/tags/reproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproducibleBuilds</span></a></p>
IzzyOnDroid ✅<p>Welcome to the RB Family, Jerboa 🥳</p><p><a href="https://apt.izzysoft.de/packages/com.jerboa" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">apt.izzysoft.de/packages/com.j</span><span class="invisible">erboa</span></a></p><p>Jerboa is a client for Lemmy, made by Lemmy's developers. And Lemmy is the Fediverse alternative to Reddit, Lobste.rs, HN & Co.</p><p>The current version finally passed RB, so the shield is up now!</p><p><a href="https://floss.social/tags/reproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproducibleBuilds</span></a> <a href="https://floss.social/tags/IzzyOnDroid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IzzyOnDroid</span></a></p>
IzzyOnDroid ✅<p><span class="h-card" translate="no"><a href="https://chaos.social/@SylvieLorxu" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>SylvieLorxu</span></a></span> sorry, but I had to boost this again now. <span class="h-card" translate="no"><a href="https://floss.social/@fdroidorg" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>fdroidorg</span></a></span> can you please make optically clear which APKs you reproduced? Developers knock our doors wondering why we say their app is not RB, while you claim it is – and checking, EACH SINGLE TIME we find the app is NOT set up RB at your end, and the JSON at your verification server clearly states you verified YOUR OWN build. Yes, that might show your build is deterministic – but not that theirs is RB. It's confusing.</p><p><a href="https://floss.social/tags/reproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproducibleBuilds</span></a></p>
Hans-Christoph Steiner<p><a href="https://social.librem.one/tags/Apple" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Apple</span></a> is not the only one dreaming up new features. There are many of us. <span class="h-card"><a href="https://floss.social/@fdroidorg" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>fdroidorg</span></a></span> on making the most trustworthy app distribution platform, following as many best practices as possible. Many Apple has not implemented, like app reviews of source code rather than binaries, or <a href="https://social.librem.one/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a>. We require human review or apps. Over 60% of our apps are reproducibly built. Apple encrypts app files, making reproducible builds impossible. It continues to only review binaries apps not source code</p>
Paul Meyer<blockquote><p>I don’t think reproducible builds are a particularly durable property to maintain over a project’s lifetime, especially if everything is expected to shift to confidential computing. [...] When toolchains and other dependencies are updated, non-determinism tends to creep in. Most starting points for common dependencies do not include reproducible builds. Not every project for libraries and packages used for confidential computing environments are fully committed to maintaining binary reproducibility of their build configurations.</p></blockquote><p><a href="https://infosec.exchange/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a></p>
Paul Meyer<blockquote><p>CSPs MUST allow customer-provided virtual firmware (with a well-documented interface for achieving UEFI variable persistence and ACPI table information) OR publish the sources for their virtual firmware. </p></blockquote><p>Transparency has value by <span class="h-card" translate="no"><a href="https://tech.lgbt/@drdeeglaze" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>drdeeglaze</span></a></span> <br><a href="https://deeglaze.github.io/blog/2025/Transparency-has-value/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">deeglaze.github.io/blog/2025/T</span><span class="invisible">ransparency-has-value/</span></a></p><p><a href="https://infosec.exchange/tags/ConfidentialComputing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConfidentialComputing</span></a> <a href="https://infosec.exchange/tags/Attestation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Attestation</span></a> <a href="https://infosec.exchange/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a></p>
Esther Payne :bisexual_flag:<p>So I had some more thoughts about FOSS sustainability. I've had them for some time. But this weeks issues reminded me of them.</p><p>So here's a mild spruik for some of the orgs who make my digital spaces for myself and my project and also package <span class="h-card" translate="no"><a href="https://chaos.social/@librecast" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>librecast</span></a></span> <br><a href="https://www.onepict.com/20250628-plussustain.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">onepict.com/20250628-plussusta</span><span class="invisible">in.html</span></a></p><p><a href="https://chaos.social/tags/FossSustainability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FossSustainability</span></a> <a href="https://chaos.social/tags/Matrix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Matrix</span></a> <a href="https://chaos.social/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a> <a href="https://chaos.social/tags/Outreachy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Outreachy</span></a></p>
IzzyOnDroid ✅<p>Dear developers of <a href="https://floss.social/tags/Android" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Android</span></a> <a href="https://floss.social/tags/apps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>apps</span></a> which are listed at <a href="https://floss.social/tags/IzzyOnDroid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IzzyOnDroid</span></a> and have been confirmed as <a href="https://floss.social/tags/reproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reproducibleBuilds</span></a> by one (or more) of our builders:</p><p>I've been told by a dev:</p><p>> There are only 3 things devs want. Stickers, badges and a good dev environment (and I'm not sure the last one is important)</p><p>So there you go if you want to show the RB status of your app:</p><p><a href="https://shields.rbtlog.dev/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">shields.rbtlog.dev/</span><span class="invisible"></span></a></p><p>:awesome:</p>
Simon Tournier<p>Blog post: What Guix could offer in computational medical environments?</p><p>French national agency for secure drug and medicine (ANSM) requires for a medical device to have unambiguous identifications:</p><p>1. reference of the product<br>2. reference of the maker<br>3. serial number</p><p>Well, through my lenses applied to software, it reads:</p><p>1. <a href="https://social.sciences.re/tags/SoftwareHeritage" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SoftwareHeritage</span></a> identifier (<a href="https://social.sciences.re/tags/SWHID" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SWHID</span></a>)<br>2. <a href="https://social.sciences.re/tags/Guix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Guix</span></a></p><p>and 3. is redundant. 😁</p><p>Well, a quick summary of a 30min talk I gave past week.</p><p>Thanks my previous colleague Sam from APHP to give me the opportunity to brainstorm on this topic. 🤩</p><p><a href="https://simon.tournier.info/posts/2025-06-04-aphp-guix.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">simon.tournier.info/posts/2025</span><span class="invisible">-06-04-aphp-guix.html</span></a></p><p><a href="https://social.sciences.re/tags/ReproducibleResearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleResearch</span></a> <a href="https://social.sciences.re/tags/OpenScience" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenScience</span></a> <a href="https://social.sciences.re/tags/Debian" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Debian</span></a> <a href="https://social.sciences.re/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a></p>
Reproducible Builds<p>May 2025 in Reproducible Builds:</p><p> * Security audit of Reproducible Builds tools published<br> * "When good pseudorandom numbers go bad" <span class="h-card" translate="no"><a href="https://fosstodon.org/@jdnavarro" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>jdnavarro</span></a></span><br> * Academic articles <br> * Distribution work<br> * <span class="h-card" translate="no"><a href="https://framapiaf.org/@debian" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>debian</span></a></span><br> * <span class="h-card" translate="no"><a href="https://floss.social/@fdroidorg" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>fdroidorg</span></a></span> <span class="h-card" translate="no"><a href="https://social.librem.one/@eighthave" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>eighthave</span></a></span> <br> * <span class="h-card" translate="no"><a href="https://chaos.social/@nixos_org" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>nixos_org</span></a></span> <span class="h-card" translate="no"><a href="https://merveilles.town/@raboof" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>raboof</span></a></span> <br> * <span class="h-card" translate="no"><a href="https://fosstodon.org/@opensuse" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>opensuse</span></a></span><br> * <span class="h-card" translate="no"><a href="https://fosstodon.org/@fedora" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>fedora</span></a></span> <span class="h-card" translate="no"><a href="https://gts.dodgy.download/@jelly" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>jelly</span></a></span> <br> * diffoscope and disorderfs<br> * Website updates<br> * Reproducibility testing framework<br> * Upstream patches</p><p><a href="https://reproducible-builds.org/reports/2025-05/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">reproducible-builds.org/report</span><span class="invisible">s/2025-05/</span></a></p><p><a href="https://fosstodon.org/tags/ReproducibleBuilds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReproducibleBuilds</span></a></p>
TrendingLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload