The Debian Release Team announced that the distro now blocks packages that fail reproducible-build checks from migrating into testing, making a long-standing supply-chain goal an enforced release requirement.
This rule also applies to packages already in testing if a later update causes a reproducibility regression. The change has been active since May 9, during the current Forky development cycle.
Reproducible builds mean that the same source code, built in the same controlled environment, produces identical binary packages. This allows Debian maintainers and independent rebuilders to verify that the binaries distributed to users match the published source code.
The main benefits include package integrity, build transparency, and stronger supply-chain verification. This way, Debian can more effectively confirm that distributed binaries match their source, detect unexpected build changes, reduce the risk of compromised infrastructure producing altered packages, and prevent reproducibility regressions from entering testing.
For users, this change does not affect the current stable release. Its direct impact is on Debian testing, where packages are prepared for the next stable version (14 Forky, expected mid-2027). If a package cannot be reproduced, or if an update breaks reproducibility for a package already in testing, migration will be blocked until the issue is resolved.
These checks rely on Debian’s reproduce.debian.net infrastructure, which attempts to rebuild binary packages bit-for-bit using .buildinfo files created during the original build process. The dashboard already shows a high reproducibility rate for Forky. At the time of writing, all architectures report over 98% reproduced builds, with 23,728 good packages.
The Release Team described the move as “a small step in code, but a giant leap in commitment,” stating that Debian has decided the distribution must ship reproducible packages.
Additionally, the devs say that Debian’s migration software can now run autopkgtests for binary-only non-maintainer uploads (binNMUs), as it already does for full source uploads.
For more details, see the announcement.
