Hi,

I had my reproducible builds verification machinery run at packages in SUSE:SLE-15-SP2:GA

Background reading on this topic:
https://www.suse.com/c/extending-trust-in-our-binaries-no-backdoors-have-been-found/

total source packages: 1254

grep verified....1 .reproducible.json |wc -l
973
grep verified....0 .reproducible.json |wc -l
218

If you wonder why the numbers do not add up: some pkgs like 00* do not produce binaries. Other archs and pkgs with _link or buggy _multibuild were also skipped.

For packages with verified==0 I also did a local double-build to see if it is possible to get the same output twice and most failed that test - the json has that as "status" : "unreproducible" and "build_compare_status" : "unreproducible" .

raw result status output:
https://rb.zq1.de/sle/15.2/reproducible-v1.json

Here is what I found from that:

1. We are missing one tiny upstream rpm fix:
https://build.suse.de/request/show/218899
- helps openssh, libqt5-qttools and postfix

2. Our kmp (kernel module packages) such as crash, drbd or oracleasm still suffer from
https://github.com/openSUSE/pesign-obs-integration/issues/9
An earlier simple fix there was reverted for problems in virtualbox. Maybe also affects kernel-livepatch-SLE15-SP2_Update_0 but embedded signatures are generally a hard problem for reproducibility.

3. There are still packages that embed the build system's kernel-version such as xmlgraphics-commons:

+++ new//usr/share/java/META-INF/MANIFEST.MF 2020-05-22 23:00:53.472171613 +0000 
@@ -5,7 +5,7 @@ Implementation-Version: 2.3 Implementation-Vendor: The Apache Software Foundation (http://xmlgraph ics.apache.org/) -Build-Id: 20190119-120000-UTC (abuild [Linux 5.3.18-19-default amd64, +Build-Id: 20190119-120000-UTC (abuild [Linux 5.3.18-20-default amd64, Java 11.0.6+10-suse-3.39.2-x8664]) Bundle-SymbolicName: org.apache.xmlgraphics

4. The others were known-bad packages with a lot of Java in there. Possibly some of the 6 Debian patches added in
https://build.opensuse.org/package/show/home:bmwiedemann:reproducible:test/java-11-openjdk
could help there. xmvn also needs some love:
https://bugzilla.opensuse.org/show_bug.cgi?id=1162112

bad pkgs:
antlr3 antlr4 apache-commons-lang apache-logging-parent auto aws-sdk-java bsh2 cbi-plugins cdrtools codenarc colord conky corosync crmsh decentxml disruptor easymock eclipse eclipse-ecf eclipse-egit eclipse-emf eclipse-jgit eclipse-license erlang exec-maven-plugin extra166y ezmorph fasterxml-oss-parent felix-gogo-command felix-gogo-runtime felix-gogo-shell felix-scr felix-shell findbugs fmpp freemarker glassfish-jax-rs-api glassfish-jsp glassfish-servlet-api glassfish-transaction-api gmavenplus-plugin gmetrics google-gson google-guice google-http-java-client google-oauth-java-client gpars gradle-bootstrap gradle groovy18 groovy grub2 gstreamer-plugins-bad gstreamer-plugins-base hamcrest http-builder httpcomponents-client ibus-chewing ibus-libzhuyin jackson-annotations jackson jackson-core jackson-databind jackson-dataformats-binary jackson-parent janino jarjar jatl java-1_8_0-openj9 javacc-maven-plugin javaewah javaparser javapoet javassist jawn jboss-logging jboss-logmanager jboss-marshalling jboss-modules jboss-parent jboss-websocket-1.0-api jcsp jctools jdo2-api jettison jetty-artifact-remote-resources jetty-minimal jetty-parent jetty-schemas jetty-toolchain jhighlight jopt-simple jsch-agent-proxy json4s json-lib jsonp jsr-311 junit5 kernel-livepatch-SLE15-SP2_Update_0 kryo kxml libqt5-qtdoc libqt5-qtscript
libqt5-qttools librsvg log4j logback maven2 maven-antrun-plugin maven-archiver maven-artifact-resolver maven-artifact-transfer maven-assembly-plugin maven maven-clean-plugin maven-common-artifact-filters maven-compiler-plugin maven-dependency-analyzer maven-dependency-plugin maven-dependency-tree maven-doxia maven-doxia-sitetools maven-enforcer maven-file-management maven-filtering maven-install-plugin maven-invoker-plugin maven-jar-plugin maven-javadoc-plugin maven-plugin-build-helper maven-plugin-bundle maven-plugin-testing maven-plugin-tools maven-remote-resources-plugin maven-reporting-api maven-reporting-impl maven-resolver maven-resources-plugin maven-script-interpreter maven-shade-plugin maven-shared-incremental maven-shared-io maven-source-plugin maven-surefire maven-verifier minlog mockito mojo-executor mstflint msv multiverse nailgun native-platform nekohtml netty3 netty netty-tcnative nodejs12 opae openssh oracleasm os-maven-plugin paradise paranamer perf php7 picocli plexus-build-api plexus-cipher plexus-component-factories-pom postfix proguard qdox rabbitmq-server reflectasm release-notes-bcl release-notes-ha release-notes-sled release-notes-sle_hpc release-notes-sle_rt release-notes-sles release-notes-sles-for-sap replacer sbt sbt-launcher scala scala-pickling serialization signpost-core sisu sle-rt-hw_en sle-rt-quick_en sle-rt-shielding_en sle-rt-virtguide_en spec-version-maven-plugin stax2-api stringtemplate4 string-template-maven-plugin tesla-polyglot test-interface testng tomcat treelayout tycho tycho-extras update-test-trivial woodstox-core xbean xmlgraphics-commons xml-maven-plugin xstream zinc
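
Review bot: the Build-Id header in the MANIFEST.MF hunk (the -/+ pair) should not carry the build host's kernel release. Between the two builds only 5.3.18-19-default vs 5.3.18-20-default differs, while the 20190119-120000-UTC stamp is already identical on both sides. Suggest having the package build emit Build-Id without the "Linux <release> <arch>" part, or with a fixed value. The Java runtime version on the following continuation line is worth dropping at the same time, since it will vary in the same way once the JDK package is updated.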
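
Finding 3 above, as an added example that is not part of the original mail: a check that unfolds two JAR manifests and reports which main-section headers differ only by the build host's kernel release. The function names and the sample manifests are assumptions, constructed from the values shown in the diff.

```python
import re

# Kernel release as embedded from the build host, e.g. "Linux 5.3.18-19-default"
KERNEL_RE = re.compile(r"Linux \d+\.\d+\.\d+\S*")

def parse_manifest(text):
    """Return the main-section headers, unfolding wrapped lines.

    In a JAR manifest, a line that starts with one space continues the
    previous header's value; the first blank line ends the main section.
    """
    headers, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            break
        if line.startswith(" ") and name is not None:
            headers[name] += line[1:]
        elif ": " in line:
            name, _, value = line.partition(": ")
            headers[name] = value
    return headers

def host_dependent_headers(old_text, new_text):
    """Map each differing header to (old, new, reason)."""
    old, new = parse_manifest(old_text), parse_manifest(new_text)
    findings = {}
    for key in sorted(old.keys() | new.keys()):
        a, b = old.get(key), new.get(key)
        if a == b:
            continue
        # If masking the kernel release makes both values equal,
        # the host kernel is the only source of the difference.
        same_after_mask = (
            a is not None and b is not None
            and KERNEL_RE.sub("Linux <kernel>", a) == KERNEL_RE.sub("Linux <kernel>", b)
        )
        reason = "build-host kernel version" if same_after_mask else "other"
        findings[key] = (a, b, reason)
    return findings

# Constructed sample, based on the MANIFEST.MF lines in the diff above
OLD_MANIFEST = """\
Implementation-Version: 2.3
Implementation-Vendor: The Apache Software Foundation (http://xmlgraph
 ics.apache.org/)
Build-Id: 20190119-120000-UTC (abuild [Linux 5.3.18-19-default amd64,
  Java 11.0.6+10-suse-3.39.2-x8664])
Bundle-SymbolicName: org.apache.xmlgraphics
"""
NEW_MANIFEST = OLD_MANIFEST.replace("5.3.18-19-default", "5.3.18-20-default")

if __name__ == "__main__":
    for key, (a, b, reason) in host_dependent_headers(OLD_MANIFEST, NEW_MANIFEST).items():
        print(f"{key}: {reason}\n  old: {a}\n  new: {b}")
```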