Stay in touch

Task suggestions

To get help, feel free to ask on the IRC channel or the mailing list. We want to be friendly, supportive, and have fun experimenting together.

How to report bugs

All bugs relevant to the reproducible builds project should use usertags with user Also use X-Debbugs-Cc to notify the list, but please use our list for this header.

To usertag a bug after it has been submitted use:

bts user . usertag XXXXXX + timestamps toolchain

Current usertags in use:

affects a tool used by other package build systems
affects the whole Debian infrastructure or policies
time of build in recorded during the build process
build output varies with readdir() order
path of sources is recorded during the build process
username is recorded during the build process
hostname is recorded during the build process
uname output is recorded during the build process
environment variables are recorded during the build process
some build aspects are dependent on (pseudo-)randomness
some build aspects are dependent on CPU features or computation speed
uses a cryptographic signatures as part of the build process
permissions depend on current umask
issues related to .buildinfo control files
fails to build from source
varying locales lead to differing behavior (e.g. sorting)

Control commands to update the view on the BTS.

Example email to submit a patch:

From: J. Random Hacker <>
Subject: <PACKAGE>: please make the build reproducible (timestamps, fileordering)

Source: <PACKAGE>
Version: <VERSION>
Severity: wishlist
Tags: patch
Usertags: timestamps fileordering


While working on the “reproducible builds” effort [1], we have noticed
that <PACKAGE> could not be built reproducibly.

The attached patch removes extra timestamps from the build system and
ensure a stable file order when creating the source archive. Once applied,
<PACKAGE> can be built reproducibly in our current experimental framework.


Inventorying issues

The easiest way to find issues is to examine the list of packages failing to build reproducibly as found by continuous integration. The first packages in the list are the one who have been tried most recently.

Notes about packages are kept in the notes Git repository in packages.yml. The list of known common issues is kept in the issues.yml file.

The page for a given package should open on the diffoscope output. Read the list of known issues to get an idea of what you may found. Here are some more advices:

The clean-notes script in the misc repository will detect outdated notes and re-order packages by alphabetical order. It should be run before committing changes to the notes repository.

Fixing issues

Fixing reproducibility issues falls into two categories: either the problem is specific to a single package or the cause is the output of another package (then referenced as “toolchain” package).

Fixing a single package

The usual steps are:

  1. Use debcheckout or apt-get source to retrieve the source code.

  2. Do the changes. With packages using the 3.0 (quilt) format, dpkg-source --commit can be useful.

  3. Update debian/changelog. New version is usually original version with .0~reproducible1.

  4. Use dpkg-buildpackage -S to create source package.

  5. Use the prebuilder script to test reproducibility. If the package is not reproducible, examine diffoscope output logs/PACKAGE.diffoscope.html or compare build logs logs/PACKAGE.build1 and logs/PACKAGE.build2, then repeat from step 2 unless the issue comes from another package. In that case, see about “toolchain” packages below.

  6. Use debdiff or git format-patch to create patches.

  7. Create a new bug report, and don't forget to attach the patch!

  8. Add an entry or reference the bug in packages.yml in notes.git.

Fixing a toolchain package

Fixing an issue in a package that affects the reproducibility of other packages requires some more steps, but the general process is the same:

  1. Use debcheckout or apt-get source to retrieve the source code.

  2. Do the changes. With packages using the 3.0 (quilt) format, dpkg-source --commit can be useful.

  3. Update debian/changelog. New version is usually original version with .0~reproducible1.

  4. Use pdebuild or gbp buildpackage to build the package.

  5. Backup base-reproducible.tgz.

  6. Use pbuilder --login --save-after-exec --basetgz base-reproducible.tgz to install the newly built package.

  7. Test a package affected with prebuilder. If the issue is still not fixed, repeat from step 2.

  8. If the package is in Git, use SSH to login on Go to /git/reproducible. Use ./setup-repository to create a new repository. Push your changes to a (rebasable) pu/reproducible_builds branch.

  9. Subscribe to the upload-source notification for the package on the Package Tracking System. This is needed so you don't forget to update the custom package when a new version hits the archive.

  10. Upload the package to the reproducible APT repository.

  11. Document the changes on the wiki.

  12. Reference the bug in issues.yml in notes.git and on the wiki page about the issue if there's one.

  13. Everybody in the reproducible builds team can schedule source packages to be rebuilt by running the script in /srv/home/groups/reproducible/ on alioth. If you are not part of the team you can find somebody in the #debian-reproducible IRC channel.

  14. If the changes don't break anything, create a new bug report. Don't forget to attach patches and to use the toolchain usertag.

Working on the continuous integration platform

Several jobs have been created to regularly test packages (from sid main) on As a result there is the reproducible build overview of packages.

The setup is explained in this blog post only, but this post is somewhat outdated by now and needs to be amended.

See the various reproducible_* scripts in the Jenkins Git repository.

Working on installation media or live systems

Having installation and live systems which can be built reproducibly would also be great. There is an analyze_image bash script that creates sha512 hashes of all files included within an image, access rights, symlinks, partition table, bootloader and more. Doing this with two images that should match and comparing the reports the script creates can help to identify sources of non-determinism in images.

See also: