Arch Linux now has a reproducible Docker image

Arch Linux released its bit-for-bit reproducible Docker image in April 2026 under the repro tag. How to use it, how to verify it, and what limitations it has with pacman.

https://blog.donweb.com/arch-linux-imagen-docker-reproducible-tag-repro/

#archlinux #docker #reproduciblebuilds #supplychain #contenedores

Arch Linux reproducible Docker image: repro tag

Blog Donweb

I worked on creating & providing a bit-for-bit reproducible Docker image for Arch Linux and I wrote a little blog post about it 🤗 

https://antiz.fr/blog/archlinux-now-has-a-reproducible-docker-image/

#archlinux #reproduciblebuilds

Arch Linux now has a bit-for-bit reproducible Docker image

As a follow-up to the similar milestone reached for our WSL image a few months ago, I’m happy to share that Arch Linux now has a bit-for-bit reproducible Docker image! This bit-for-bit reproducible image is distributed under a new “repro” tag. The reason for this is due to one noticeable caveat: to ensure reproducibility, the pacman keys have to be stripped from the image, meaning that pacman is not usable out of the box in this image. While waiting to find a suitable solution to this technical constraint, we are therefore providing this reproducible image under a dedicated tag as a first milestone.

Robin Candau

The Nix sandbox aims to provide a pure environment by isolating the build environment from the rest of the system. However, some impurities can still affect builds inside the sandbox and lead to reproducibility issues. One of them is the filesystem.

A common example is builds that implicitly depend on inode numbering or directory entry ordering. In some cases, you might even run into a filesystem bug: a build succeeds on one machine, but fails on another with a different filesystem.

To debug these issues, you can now use nix-buildon. It lets you swap out the filesystem underneath the Nix sandbox. By running the sandbox on disorderfs, you can get a deterministic, sorted, or reverse-sorted view of directory entries. This makes it easy to check whether a build depends on filesystem behavior that should not matter in the first place.

https://github.com/katexochen/nix-buildon

I created this at #OceanSprint. 🌊

#Nix #NixOS #ReproducibleBuilds

GitHub - katexochen/nix-buildon: Discover filesystem-based reproducibility issues by running the Nix sandbox on different filesystems

Discover filesystem-based reproducibility issues by running the Nix sandbox on different filesystems - katexochen/nix-buildon

GitHub
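
The directory-ordering dependence described in the post above, as an added example (not part of the post and not code from nix-buildon). It packs a constructed three-file tree into a tar archive under three simulated readdir() orders, two of them mirroring the sorted and reverse-sorted views the post attributes to disorderfs; the file names, contents and function names are assumptions made for the illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample source tree: file name -> contents.
TREE = {
    "b.c": b"int b;\n",
    "a.c": b"int a;\n",
    "main.c": b"int main(void) { return 0; }\n",
}


def listing(order):
    """Simulate the order in which a filesystem returns directory entries."""
    names = list(TREE)  # insertion order stands in for the on-disk order
    if order == "sorted":
        return sorted(names)
    if order == "reverse":
        return sorted(names, reverse=True)
    return names


def pack(names):
    """Tar the files in the given order with fixed metadata; return SHA-256."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(TREE[name])
            info.mtime = 0            # fixed timestamp, so only order can vary
            info.uid = info.gid = 0
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(TREE[name]))
    return hashlib.sha256(buf.getvalue()).hexdigest()


def naive_build(order):
    """Build step that archives entries in whatever order readdir() gave."""
    return pack(listing(order))


def fixed_build(order):
    """Build step that sorts entries itself before archiving."""
    return pack(sorted(listing(order)))


def depends_on_dir_order(build):
    """True if the artifact digest changes with directory entry order."""
    return len({build(o) for o in ("native", "sorted", "reverse")}) > 1
```
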

Welcome to the RB family, Sav PDF Viewer 🥳

https://apt.izzysoft.de/packages/com.saverio.pdfviewer

Sav PDF Viewer Pro is a simple PDF viewer that lets you easily view PDF files. It automatically saves the last position for each file, lets you place bookmarks, and more – without requiring a single permission.

With some help by its developer, it finally is RB now 

#ReproducibleBuilds #IzzyOnDroid

„Sav PDF Viewer“ – IzzyOnDroid F-Droid Repository

The simplest PDF viewer

IzzyOnDroid Repo Browser

@johan @gaxeliy

Correct, #FDroid guarantees that their app builds correspond to the publicly available source code. For some apps it's just a promise, but when the app developers support #ReproducibleBuilds it's also possible to verify this promise. https://reproducible-builds.org/

Reproducible Builds — a set of software development practices that create an independently-verifiable path from source to binary code

For the #NixOS #QubesOS and #reproduciblebuilds nerds out there, I finally found some time to clean this up enough to post my fully-reproducible NixOS template for QubesOS PR: https://github.com/evq/qubes-nixos-template/pull/7

This feels so niche it kind of hurts my soul. FWIW I'll do a lightning talk on the value of build reproducibility on Thursday, so maybe I can get a few more people to care.

For those who use #NeoStore, one of our recommended clients, we have exciting news: they just added a setting that puts you in control of #ReproducibleBuilds.

Settings › Service › Disable auto-update on non-reproducible updates

If you want your RB apps only auto-updated if the update was also confirmed to fully match the source code, consider turning it on for extra security.

You can then still manually update it, regardless of reproducibility status.

Do note …

(1/2)

#IzzyOnDroid

You often see us reporting our RB status, and might wonder what's so important about #ReproducibleBuilds – want a recent example? Take a look at https://web.archive.org/web/20260402133949/https://github.com/Nekogram/Nekogram/issues/336 – and the POC at https://github.com/RomashkaTea/nekogram-proof-of-logging

In short: Release APK was built from different code, including a logger to catch all phone numbers contacted. Oh, and the dev thinks that's fine (https://t.me/NekoUpdates/531).

RB would have failed for that app, and shown the diff.

Stay safe out there!

(1/2)

[Spyware, Malicious code] Malicious Code Injection and User Data Leaking in Release Binaries · Issue #336 · Nekogram/Nekogram

Steps to reproduce Install and login to your telegram account Now your phone number belongs to Xi Jinping... jk. to Nekogram creator Expected behaviour Not leaking phone numbers Actual behaviour Ma...

GitHub

Lucas Nussbaum announced the availability of debaudit, a new service which verifies the integrity and reproducibility of Debian source packages and complements the work of the Reproducible Builds project. lists.debian.org/debian-devel-… #debian #reproducible-builds micronews.debian.org/2026/1774…

debaudit: a new service to verify the reproducibility of Debian source packages