Debian must ship reproducible packages


TLDR

  • Debian’s release team now blocks any package from migrating to testing if it fails reproducible build checks, enforcing reproducibility as a hard requirement.

Key Takeaways

  • Migration software on reproduce.debian.net blocks new packages that fail reproducibility and flags regressions in existing testing packages.
  • The amd64 forky (next release) suite is currently 97.02% reproducible (17,586 good, 511 bad, 30 fail).
  • A new architecture, loong64, was added two weeks ago, triggering large rebuild queues and a backlog in CI autopkgtest runs.
  • binNMUs now run autopkgtests like source-full uploads, tightening QA across the board.
  • Uploaders are responsible for ensuring their packages migrate; RC bugs must be filed when reverse dependencies regress.
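The gating rule described above, written out as an added example (not code from reproduce.debian.net or the Debian release team). It assumes the three rebuild outcomes used in the statistics (good, bad, fail), that "new package" means no prior result in testing, and that a package already unreproducible in testing is allowed through unless it regresses; the percentage helper reproduces the 97.02% figure from the quoted counts.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Result(str, Enum):
    GOOD = "good"  # rebuilt bit-for-bit identical to the archive binary
    BAD = "bad"    # build completed, but the output differs
    FAIL = "fail"  # rebuild did not complete at all


@dataclass
class Decision:
    action: str  # "allow" | "block" | "flag-regression"
    reason: str


def migration_decision(result: Result, previous: Optional[Result]) -> Decision:
    """Decide whether a candidate may migrate to testing.

    `result` is the rebuild outcome for the candidate upload;
    `previous` is the package's last outcome in testing, or None
    when the package is new to testing (assumption: that is what
    "new package" means for the gate).
    """
    if result is Result.GOOD:
        return Decision("allow", "candidate is reproducible")
    if previous is None:
        # New packages must be reproducible before they may enter testing.
        return Decision("block", f"new package rebuilt as {result.value}")
    if previous is Result.GOOD:
        # Existing testing package that used to reproduce: a regression.
        return Decision("flag-regression",
                        f"testing was good, candidate is {result.value}")
    # Assumption: already-unreproducible packages are not blocked unless
    # they regress further; they simply stay in the bad/fail statistics.
    return Decision("allow", f"already {previous.value} in testing; no regression")


def reproducible_percentage(good: int, bad: int, fail: int) -> float:
    """Share of packages that rebuilt identically, rounded as on the site."""
    total = good + bad + fail
    return round(100.0 * good / total, 2)
```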

Hacker News Comment Review

  • Commenters broadly celebrated the milestone, noting the Reproducible Builds project took nearly two decades of sustained community effort to reach enforced gating.
  • Skeptics pushed back on the contribution burden, arguing reproducibility requirements raise the bar for new maintainers without a concrete, proven attack prevention record.
  • The comparison to NetBSD’s 2017 fully-reproducible achievement surfaced, with context that NetBSD’s smaller, slower-changing package set (still on CVS) made the problem structurally easier.

Notable Comments

  • @tofflos: Posts live amd64 stats directly from reproduce.debian.net: 97.02% reproduced, 511 bad, 30 fail.
  • @suprjami: Notes that commercial RHEL/Ubuntu vendors, with enterprise customers demanding verifiable binaries, have not led this effort.
