Here is my monthly update covering what I have been doing in the free software world during November 2025 (previous month).
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
This month, I:
- Submitted 64 patches to fix specific reproducibility issues in ansible-lint, beangulp, biosquid, crasm, dateparser, deblur, entropybroker, flawfinder, golang-github-apptainer-container-library-client, golang-github-emicklei-dot, golang-github-kshedden-statmodel, golang-gonum-v1-plot, insilicoseq, jsonpath-ng, mu-editor, namecheap, nim-hts, parsinsert, pgpainless, presto, pyasn, pychopper, pycifrw, pycparser, pydata-sphinx-theme, python-altair, python-babelgladeextractor, python-biom-format, python-ciso8601, python-django-waffle, python-et-xmlfile, python-genson, python-gffutils, python-graphene, python-kafka, python-lupa, python-nixio, python-ofxhome, python-os-apply-config, python-phabricator, python-pymummer, python-pysaml2, python-pyutil, python-pyvcf, python-requests-cache, python-slimmer, python-spdx-tools, python-sshsig, python-tld, pywavelets, pyxnat, qcat, rdf2rml, ruby-gnuplot, smart-open, spopt, tkgate, tkgate, trillian, vanguards, virulencefinder, vt, whipper & ytcc.
- I also filed two bugs for packages where I could not fix the reproducibility issue. The first was against dh-haskell (later assigned to the ghc package), as I identified that a recent change in the Haskell toolchain results in different binary packages depending on whether the tests are built or not. I also filed a bug against the sphinx-book-theme package, which appeared to be generating broken packages if tests were skipped.
- In Debian, I kept isdebianreproducibleyet.com up to date. [...]
- Drafted, published and publicised our monthly report for October 2025.
- I also categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
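Two of the most common causes behind patches like the ones above are filesystem-order-dependent iteration and embedded build timestamps. The following is an added example, written for this page and not taken from any of the packages listed or from the Reproducible Builds project's own tooling: it builds a tar archive from the same source tree twice, once naively and once with sorted entries, ownership and mode normalised, and mtimes clamped to SOURCE_DATE_EPOCH, and compares the SHA-256 of the results. The source files, their contents and the SOURCE_DATE_EPOCH value are constructed for the demonstration.

```python
import hashlib
import io
import os
import shutil
import tarfile
import tempfile

# Constructed stand-in for the changelog/commit timestamp a distribution exports
# as SOURCE_DATE_EPOCH; the value is hypothetical.
SOURCE_DATE_EPOCH = 1_700_000_000


def make_source_tree(files: dict, mtime: int) -> str:
    """Constructed sample input: write `files` into a fresh temp dir, in dict
    order, and stamp every file with the same mtime."""
    root = tempfile.mkdtemp(prefix="srctree-")
    for name, content in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return root


def naive_build(src_dir: str) -> bytes:
    """Unreproducible: entry order is whatever os.listdir() returns and every
    entry records its on-disk mtime, uid, gid and mode."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in os.listdir(src_dir):
            tar.add(os.path.join(src_dir, name), arcname=name)
    return buf.getvalue()


def reproducible_build(src_dir: str, source_date_epoch: int = SOURCE_DATE_EPOCH) -> bytes:
    """Reproducible: deterministic order, clamped timestamps, fixed metadata.
    (A gzip wrapper would need mtime=0 as well; this stays uncompressed.)"""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(os.listdir(src_dir)):
            path = os.path.join(src_dir, name)
            info = tar.gettarinfo(path, arcname=name)
            # SOURCE_DATE_EPOCH convention: timestamps later than it are clamped,
            # earlier ones are left alone. Cast to int so no pax header is emitted.
            info.mtime = int(min(info.mtime, source_date_epoch))
            info.uid = info.gid = 0          # do not leak the build user
            info.uname = info.gname = ""
            info.mode = 0o644                # independent of the build umask
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo():
    """Returns (naive builds identical?, normalised builds identical?)."""
    files = {"README": b"hello\n", "main.c": b"int main(void){return 0;}\n"}
    # Two builds of the same source on different days/machines: the files land
    # on disk in a different order and with timestamps after SOURCE_DATE_EPOCH.
    tree_a = make_source_tree(files, SOURCE_DATE_EPOCH + 60)
    tree_b = make_source_tree(dict(reversed(files.items())), SOURCE_DATE_EPOCH + 86_400)
    try:
        naive_same = sha256(naive_build(tree_a)) == sha256(naive_build(tree_b))
        repro_same = sha256(reproducible_build(tree_a)) == sha256(reproducible_build(tree_b))
    finally:
        shutil.rmtree(tree_a)
        shutil.rmtree(tree_b)
    return naive_same, repro_same


if __name__ == "__main__":
    print(demo())
```

When the normalised archives still differ, the next step is to run diffoscope over the two outputs rather than stare at hashes; the remaining delta is usually a further source of nondeterminism of the same kind (set ordering, locale-dependent sorting, random temporary names) hiding in the build itself.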
Elsewhere in our tooling, I made a number of changes to diffoscope, including uploading version 308 and version 309 to Debian. These changes included further attempts to deploy automatically to PyPI, liaising with the PyPI developers/maintainers on this experimental feature. [...]
Lastly, I presented at SeaGL in Seattle, WA on the topic of "10 years of Reproducible Builds". The abstract of the talk is as follows:
The integrity of software has become an increasingly critical concern in an era where digital systems underpin everything from financial transactions to critical infrastructure. Despite advancements in software security, a fundamental vulnerability still remains overlooked: the lack of verifiability in how open source software is constructed from its source code. This talk introduces the concept of reproducible builds, its technical underpinnings and its potentially transformative impact on software security and transparency. It is aimed at developers, security professionals and policy-makers who are concerned with enhancing trust and accountability in our software. It also provides a history of the Reproducible Builds project, which is approximately ten years old. How are we getting on? What have we got left to do? Aren't all the builds reproducible now?
Debian uploads
- redis (8.0.5-1) — New upstream release.
- 4.2.26-1 — New upstream security release.
- 6.0~rc1-1 — New upstream release candidate.
- xtrlock (2.18) — Apply a patch from Takeshi Hamasaki to fix a mistake in the manpage. (#1121176)
Debian LTS
This month I have worked 30 hours on Debian Long Term Support (LTS) and its sister Extended LTS project.
- Investigated and triaged: calibre (CVE-2025-64486), gnutls28 (CVE-2025-9820), golang-go.crypto (CVE-2025-47914 & CVE-2025-58181), libpng1.6 (CVE-2025-65018, CVE-2025-64720, CVE-2025-64506 & CVE-2025-64505), mako (CVE-2022-40023), openvpn (CVE-2025-13086), pdfminer (CVE-2025-64512), python-django, rails (CVE-2022-32224) & rsync (CVE-2025-10158).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 4374-1 as it was discovered that there was a potential arbitrary code execution in pdfminer, a tool for extracting information from PDF documents. A malicious, zipped pickle file could have contained code that might have been executed when the PDF was processed.
- Work on an extensive update of the python-django package, due to be released in early December.
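The pdfminer advisory above is an instance of a general Python hazard: pickle is a tiny stack machine, and a serialised object's __reduce__ result is stored as "import this global and call it with these arguments", so merely loading attacker-controlled bytes runs code. The following is an added illustration written for this page; it is not pdfminer's code, not the payload from the advisory and not the fix shipped in the DLA. It builds a ZIP containing a pickle (a constructed sample whose callable is the harmless os.getcwd), shows that the vulnerable pattern executes it, and contrasts a restricted Unpickler that refuses any global not on an explicit allow-list. The member name "data.pkl" and the allow-list are assumptions for the example.

```python
import io
import os
import pickle
import zipfile


class MaliciousObject:
    """Constructed payload. pickle serialises the __reduce__ result as
    GLOBAL posix.getcwd + REDUCE, so the callable runs on load. An attacker
    would reference something far less harmless than os.getcwd."""

    def __reduce__(self):
        return (os.getcwd, ())


def zipped_pickle(obj, member: str = "data.pkl") -> bytes:
    """Constructed sample input: a ZIP archive whose single member is a pickle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, pickle.dumps(obj))
    return buf.getvalue()


def load_unsafe(blob: bytes, member: str = "data.pkl"):
    """Vulnerable pattern: pickle.loads() on bytes the user supplied."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return pickle.loads(zf.read(member))


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened pattern: find_class() is the only hook through which the
    pickle can reach Python objects, so allow-list it (assumed allow-list)."""

    ALLOWED = {
        ("builtins", "set"),
        ("builtins", "frozenset"),
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(blob: bytes, member: str = "data.pkl"):
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return RestrictedUnpickler(io.BytesIO(zf.read(member))).load()


def demo():
    """Returns (payload executed by unsafe loader?, payload blocked by
    restricted loader?, benign data still loads through restricted loader?)."""
    evil = zipped_pickle(MaliciousObject())
    benign = zipped_pickle({"pages": 3, "fonts": ["Helvetica"]})

    executed = load_unsafe(evil) == os.getcwd()  # the callable ran inside loads()

    try:
        load_restricted(evil)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True

    benign_ok = load_restricted(benign) == {"pages": 3, "fonts": ["Helvetica"]}
    return executed, blocked, benign_ok


if __name__ == "__main__":
    print(demo())
```

The restricted unpickler is damage limitation, not a proof of safety: plain dicts, lists and strings need no globals at all and still round-trip, while anything that would resolve a module attribute is rejected. Where the input is untrusted, the robust fix is to stop deserialising it with pickle altogether and parse a data-only format instead.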