Debian’s release team now blocks packages from migrating to testing if they fail reproducibility checks, enforcing the Reproducible Builds standard across the archive.
Key Takeaways
Migration software at reproduce.debian.net now rejects new packages that cannot be reproduced and flags existing testing packages that regress in reproducibility.
This is described as a mid-cycle policy shift for the forky release, backed by years of Reproducible Builds project infrastructure.
Binary non-maintainer uploads (binNMUs) now run autopkgtests just like source-full uploads, tightening QA on binary-only rebuilds.
loong64 was added as a new architecture two weeks ago, triggering a large CI queue backlog due to required archive-wide rebuilds.
Uploaders are responsible for ensuring their packages migrate, including filing release-critical (RC) bugs against reverse dependencies that block them.
Hacker News Comment Review
Skeptics argue reproducibility does not address upstream supply chain compromise: a package that reproducibly builds malicious code is still malicious.
Counter-position: Debian’s source-based, centrally audited model has historically insulated it from the class of supply chain attacks that have hit npm and similar ecosystems, making reproducibility a meaningful incremental improvement rather than a false promise.