[Git][reproducible-builds/reproducible-presentations][master] Strip parts less relevant to Debian audience
Steven Chamberlain
gitlab at salsa.debian.org
Sat May 19 10:58:23 CEST 2018
Steven Chamberlain pushed to branch master at Reproducible Builds / reproducible-presentations
Commits:
5ff7ae2a by Steven Chamberlain at 2018-05-19T08:58:11+00:00
Strip parts less relevant to Debian audience
- - - - -
1 changed file:
- 2018-05-20-MiniDebConf-Hamburg/2018-05-20-MiniDebConf-Hamburg.tex
Changes:
=====================================
2018-05-20-MiniDebConf-Hamburg/2018-05-20-MiniDebConf-Hamburg.tex
=====================================
--- a/2018-05-20-MiniDebConf-Hamburg/2018-05-20-MiniDebConf-Hamburg.tex
+++ b/2018-05-20-MiniDebConf-Hamburg/2018-05-20-MiniDebConf-Hamburg.tex
@@ -127,34 +127,6 @@ buster}
\titlepage
\end{frame}
-\placelogotrue
-
-\begin{frame}
- \frametitle{about h01ger}
-
- \begin{itemize}
- \item \small{\texttt{B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C}}
- \item Debian user since 1995, contributor since 2001, official developer
- status since 2007
- \item DebConf organizer,
- founded the DebConf video team
- \begin{itemize}
- \item \texttt{http://video.debian.net}
- \end{itemize}
- \item Debian-Edu (Debian for education)
- \item Debian QA (quality assurance)
- \begin{itemize}
- \item \texttt{https://piuparts.debian.org}
- \item \texttt{https://jenkins.debian.net} (~1200 jobs continously testing Debian)
- \end{itemize}
- \item Debian Reproducible builds team member
- \begin{itemize}
- \item since April 2015 funded by the Linux Foundation
- \item currently until December 2017…
- \end{itemize}
- \end{itemize}
-\end{frame}
-
\begin{frame}
\frametitle{Debian reproducible builds contributors}
\begin{center}
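Review bot: The first removed line, \placelogotrue, is not part of the "about h01ger" frame, and dropping it changes the logo state for the "Debian reproducible builds contributors" frame that follows. That frame now inherits whatever the title page left set, up to the next \placelogofalse. If the logo is still wanted there, keep \placelogotrue and remove only the frame from \begin{frame} to \end{frame}.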
@@ -228,130 +200,6 @@ buster}
\placelogofalse
\begin{frame}
- \frametitle{Who are you?}
- \begin{itemize}
- \item<2-4> Seen a talk about reproducible builds?
- \item<3-4> Contributed to these efforts?
- \item<4> Used reproducible builds as a user?
- \end{itemize}
-\end{frame}
-
-\begin{frame}
- \frametitle{Who are you?}
- \begin{itemize}
- \item Seen a talk about reproducible builds?
- \item Contributed to these efforts?
- \item Has verified locally running software (but which was built elsewhere) to actually be reproducible? IOW: Did a rebuild and got the exact same bits?
- \end{itemize}
-\end{frame}
-
-
-
-\section{Motivation}
-
-\begin{frame}[fragile]
- \frametitle{The problem: we need to believe}
- \begin{itemize}
- \item Free Software is great: one can study, modify, share and use it!
- \item<2-4> We study, modify and share source code.
- \item<2-4> We use binaries.
- \item<3-4> We need to believe our binaries come from the source code they are said to made from.
- \item<4> \textbf{I don't want to believe.}
-
- \end{itemize}
-\end{frame}
-
-
-\begin{frame}
- \frametitle{The solution}
-
- \begin{center}
- \Large{
- Promise that anyone can always and independently generate
- bit by bit identical binary packages from a given source}
-\end{center}
-\end{frame}
-
-
-\begin{frame}
- \frametitle{The solution}
-
- \begin{center}
- We call this:
-
- \Huge{ “Reproducible builds” }
- \end{center}
-\end{frame}
-
-\begin{frame}
- \frametitle{The problem in greater detail}
-
- \begin{center}
- \includegraphics[width=0.7\textwidth]{images/31c3.png}
-
- Available on \url{media.ccc.de}, 31c3
- \end{center}
-\end{frame}
-
-\begin{frame}[fragile]
- \frametitle{A few examples from that 31c3 talk}
- \begin{itemize}
- \item CVE-2002-0083: remote root exploit in \texttt{sshd}, a single bit difference in the binary
- \item<2-5> 31c3 talk had a live demo with a kernel module modifying source code in memory only
- \item<3-5> How can you be sure what's running on your machine or on a build
- daemon network connected to the net? Do you ever leave your computers
- physically alone?
- \item<4-5> How much do you pay your admins? Enough to withstand a multi million
- dollar attack?
- \item<5> Legal challanges. Could you be forced to backdoor (some of) your
- software (for some customers)?
- \end{itemize}
-\end{frame}
-
-\begin{frame}[fragile]
- \frametitle{Another example from real life}
-
- At a CIA conference in 2012:
- \begin{center}
- \includegraphics[width=0.8\textwidth]{images/strawhorse.png}
-
- {\footnotesize
- \url{firstlook.org/theintercept/2015/03/10/ispy-cia-campaign-steal-apples-secrets/}
- }
- \end{center}
-\end{frame}
-
-
-
-\placelogotrue
-
-\begin{frame}
- \frametitle{Debian demo (skipped)}
- \begin{itemize}
- \item Build a package 5 times, get 5 .debs with different checksums
- \item Build a package 5 times, get 5 .debs with the same checksum\\
- \item<2-4>{Yes, it's really this simple.}
- \item<3-4>{And works the same with RPMs.}
- \item<4>{Signed RPMs are a bit more complicated but the principle stays the
-same.}
- \end{itemize}
-% show this once running in plain sid,
-% and then in sid with our modified toolchain.
-%
-% prepare demo:
-% mkdir demo ; cd demo ; apt-get source giftrans
-%
-% do demo:
-% PTH=$(mktemp -d); OPTH=$PWD; P=giftrans; cp ${P}_* $PTH/; cd $PTH ;
-% dpkg-source -x ${P}*.dsc ; for X in 1 2 3 4 5 ; do (cd ${P}-*/;
-% dpkg-buildpackage -b -uc -us); mkdir -p .$X ; cp $P_*.deb .$X; done ; rm
-% *.deb ; echo; sha1sum *dsc *z .*/*.deb | grep -v giftrans-dbgsym ; cd - ;
-% rm -r $PTH
-\end{frame}
-
-\placelogofalse
-
-\begin{frame}
\frametitle{The solution: Reproducible Builds}
\begin{center}
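Review bot: Removing \section{Motivation} together with its frames leaves "The solution: Reproducible Builds" attached to whichever section precedes this hunk, so any outline or navigation generated from \section entries will file it under the wrong heading. Either keep a section line in front of the surviving frame or confirm the previous section title still fits. The \placelogotrue / \placelogofalse pair around the demo frame is removed as a pair, so the logo state is unchanged here. images/31c3.png and images/strawhorse.png are no longer referenced by the removed frames, yet the commit lists only one changed file, so they can be deleted if nothing else uses them.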
@@ -449,19 +297,6 @@ same.}
\section{Common ressources}
-\begin{frame}
- \frametitle{reproducible-builds.org}
-
- \begin{itemize}
- \item \texttt{https://reproducible-builds.org}
- \item git repositories, IRC channels, mailinglists, webspace
- \end{itemize}
- \begin{center}
- \includegraphics[width=0.7\textwidth]{images/rbwww1.png}
- \end{center}
-\end{frame}
-
-
{
\usebackgroundtemplate{%
\begin{tikzpicture}[remember picture,overlay]%
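Review bot: After this removal, \section{Common ressources} is followed directly by the background-template block, and the section no longer shows the project URL https://reproducible-builds.org on any slide. If the URL should stay visible, a one-line mention on a later frame would do. While touching this area, the section title spelling "ressources" could be corrected to "resources".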
@@ -579,73 +414,6 @@ hour, minute & \multicolumn{2}{l}{hour is usually the same… usually, the minut
\end{center}
\end{frame}
-\placelogofalse
-
-\begin{frame}
- \frametitle{Common problems}
-
- \begin{itemize}
- \item time stamps
- \item timezones
- \item locales
- \item build paths
- \item everything else (seperated into known issues and the blurry rest)
- \end{itemize}
-\end{frame}
-
-\begin{frame}
- \frametitle{Documentation about common problems}
- \begin{itemize}
- \item \texttt{https://reproducible-builds.org/docs}
- \item Lunar's talk from CCCamp 2015 also on
- \texttt{https://media.ccc.de}
- \begin{tikzpicture}[remember picture]
- \node[shift={(-1.05\paperwidth, -0.3\paperheight)},at=(current page.south east)] {
- \includegraphics[width=0.83\textwidth]{images/cccamp2015_lunar_random.png}
- };
- \end{tikzpicture}
- \end{itemize}
-\end{frame}
-
-
-\begin{frame}
- \frametitle{\texttt{SOURCE\_DATE\_EPOCH}}
-
- \begin{itemize}
- \item Build date (timestamps) usually not useful for the user
- \item \texttt{SOURCE\_DATE\_EPOCH} is defined as the last modification of
- the source, since the epoch (1970-01-01)
- \item can be used instead of current date
- \item can also be used for random seeds etc.
- \item in Debian, set from the latest \texttt{debian/changelog} entry
- \item can be set to the latest git commit too or the latest file
- modification date
- \end{itemize}
-\end{frame}
-
-\begin{frame}
- \frametitle{\texttt{SOURCE\_DATE\_EPOCH}}
-
- \begin{itemize}
- \item \texttt{SOURCE\_DATE\_EPOCH} spec available:
- \item \texttt{https://reproducible-builds.org/specs/}
- \item many upstreams support it already
- \item has been adopted by other distributions
- (openSUSE, OpenWrt, LEDE, NetBSD, FreeBSD, Arch Linux, coreboot, Guix, …) and many many
- upstreams (GCC, dpkg, rpm, mkisofs, ghostscript, libxslt, sphinx,
- texlive-bin, …)
- \end{itemize}
-\end{frame}
-
-\begin{frame}
- \frametitle{two more tools}
-
- \begin{itemize}
- \item \texttt{strip-nondeterminism}
- \item<2> \texttt{reprotest}
- \end{itemize}
-\end{frame}
-
\section{Status Debian}
\begin{frame}
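Review bot: The two removed SOURCE\_DATE\_EPOCH frames contain Debian-specific material ("in Debian, set from the latest debian/changelog entry"), and the "two more tools" frame names strip-nondeterminism and reprotest, which does not match the commit subject of stripping parts less relevant to a Debian audience. Consider keeping one condensed frame with the debian/changelog point and the two tool names. Separately, the leading \placelogofalse is removed with the frames, so the \section{Status Debian} frame that follows inherits the earlier logo state; check that this is intended.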
@@ -797,151 +565,6 @@ hour, minute & \multicolumn{2}{l}{hour is usually the same… usually, the minut
-\section{Status Non-Debian World}
-
-\placelogofalse
-
-\begin{frame}
- \frametitle{Skipping some…}
- \begin{itemize}
- \item \texttt{https://tests.r-b.org/coreboot}
- \item \texttt{https://tests.r-b.org/netbsd}
- \item \texttt{https://tests.r-b.org/freebsd}
- \item \texttt{https://tests.r-b.org/lede}
- \item almost there: \texttt{https://tests.r-b.org/f-droid}
- \item paused: \texttt{https://tests.r-b.org/archlinux}
- \item paused: {https://tests.r-b.org/openwrt}
- \end{itemize}
- \begin{center}
- \includegraphics[height=0.13\paperheight]{images/coreboot.png}
- \hspace{0.05\paperwidth}
- \includegraphics[height=0.13\paperheight]{images/netbsd.png}
- \hspace{0.05\paperwidth}
- \includegraphics[height=0.13\paperheight]{images/freebsd.png}
- \hspace{0.05\paperwidth}
- \includegraphics[height=0.15\paperheight]{images/lede.png}
- \hspace{0.05\paperwidth}
- \includegraphics[height=0.13\paperheight]{images/f-droid.png}
- \hspace{0.05\paperwidth}
- \includegraphics[height=0.13\paperheight]{images/archlinux.png}
-\end{center}
-\end{frame}
-
-
-\begin{frame}
- \frametitle{Skipping some more…}
- \begin{itemize}
-\item Bitcoin
-\item Tor
-\item NixOS, GNU Guix, ElectroBSD, Yocto
-\item Qubes, Tails, webconverger
-\item Google Bazel
-\item Civil Infrastructure Plattform
-\item Signal
-\item ducible (build tool for Windows)
-\item very few commercial, propietary software
- \end{itemize}
-\end{frame}
-
-
-\begin{frame}
- \frametitle{Detour: what, reproducible commercial Software???}
- \begin{itemize}
-\item Guess which:
-\item <2-3> windows? (the source is available)
-\item <2-3> medical devices in your body?
-\item <2-3> arms?
-\item <2-3> critical infrastructure like in nuclear powerplants?
-\item <2-3> cars?
-\item <2-3> spaceships? satelites?
-\item <3> gambling machines!
- \end{itemize}
-\end{frame}
-
-
-\section{Status RPM world: Fedora and openSUSE}
-
-\begin{frame}
- \frametitle{reproducible openSUSE}
- \begin{itemize}
- \item \url{https://en.opensuse.org/openSUSE:Reproducible\_Builds}
- \item Bernhard Wiedemann started this in 2016
- \begin{itemize}
- \item build-succeeded: 11594
- \item bit-by-bit-identical: 11111
- \item not-bit-by-bit-identical: 478
- \end{itemize}
- \begin{itemize}
- \item<2-4> 102 undeterministic from javadoc output
- \item<2-4> 22 undeterministic from latex
- \item<2-4> 12 undeterministic from mono
- \item<2-4> 20 undeterministic from Qt
- \end{itemize}
- \item<3-4> Results not included into \url{tests.r-b.o} yet.
- \item<4> Bernhard also deserves credit for creating \texttt{https://github.com/orgs/distropatches} and sending many patches upstream.
- \end{itemize}
- \begin{tikzpicture}[remember picture,overlay]
- \node[shift={(-0.1\paperwidth, 0.13\paperheight)},at=(current page.south east)] {
- \includegraphics[height=0.15\paperheight]{images/openSUSE.png}
- };
- \end{tikzpicture}
-\end{frame}
-
-
-\begin{frame}
- \frametitle{What's going well in the rpmworld}
- \begin{itemize}
- \item \texttt{rpm} respects SOURCE\_DATE\_EPOCH.
- \item \texttt{yum} and \texttt{dnf} might create non-identical environments
- \item \texttt{diffoscope} is available in Fedora and openSUSE:
- \item signed RPMs -> re-apply signature, will match for identical builds
- \item<2> Bernhard.
- \end{itemize}
- \begin{center}
- \includegraphics[height=0.1\paperheight]{images/openSUSE.png}
- \hspace{0.1\paperwidth}
- \includegraphics[height=0.1\paperheight]{images/fedora.png}
- \hspace{0.1\paperwidth}
- \end{center}
-
-\end{frame}
-
-
-\begin{frame}
- \frametitle{Not going so well in the rpmworld yet}
- \begin{itemize}
- \item Bernhard (and very few others)
- \end{itemize}
- \begin{center}
- \includegraphics[height=0.1\paperheight]{images/openSUSE.png}
- \hspace{0.1\paperwidth}
- \includegraphics[height=0.1\paperheight]{images/fedora.png}
- \hspace{0.1\paperwidth}
- \end{center}
-
-\end{frame}
-
-\begin{frame}
- \frametitle{Not going so well in the rpmworld…}
- \begin{itemize}
- \item No wide / community commitment.
- \item<2-3> no \texttt{.buildinfo} files, thus no tools to use them…
- \item<2-3> no user tooling yet.
- \item<3> This is not limited to the rpmworld :/
- \end{itemize}
- \begin{center}
- \includegraphics[height=0.1\paperheight]{images/openSUSE.png}
- \hspace{0.1\paperwidth}
- \includegraphics[height=0.1\paperheight]{images/fedora.png}
- \hspace{0.1\paperwidth}
- \end{center}
-
-\end{frame}
-
-
-
-
-
\section{Future work}
\begin{frame}
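Review bot: The \placelogofalse directly under the removed \section{Status Non-Debian World} line goes away with the rest, so the first frame of \section{Future work} no longer follows an explicit logo toggle. Together with the \placelogofalse removed in the previous hunk, the logo state for the remaining frames now depends on settings outside the visible lines. If those frames were meant to render without the logo, keep one \placelogofalse in front of \section{Future work}.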
@@ -1001,46 +624,6 @@ hour, minute & \multicolumn{2}{l}{hour is usually the same… usually, the minut
\end{frame}
-\section{Getting involved}
-
-
-\begin{frame}
- \frametitle{As a software developer}
- \begin{itemize}
- \item Stop using build dates
- \item Use \texttt{SOURCE\_DATE\_EPOCH} instead
- \item See \url{https://reproducible-builds.org/specs/}
- \end{itemize}
-\end{frame}
-
-
-\begin{frame}
- \frametitle{Form your reproducible builds team!}
- \begin{itemize}
- \item Why?
- \begin{itemize}
- \item Every distribution should be reproducible!
- \item Learn something new everyday
- \item Change the (software) world!
- \item \texttt{https://tests.reproducible-builds.org/XYZ} needs \textbf{your} help
- \end{itemize}
- \item How to get started?
- \begin{itemize}
- \item Build something twice, run diffoscope on the results.
- \item Experiment - learning by doing
- \item RTFM, there is lots of documentation
- \item Talk to us (or myself) on IRC or via mail.
- \end{itemize}
- \end{itemize}
-\end{frame}
-
-\begin{frame}
- \frametitle{Attend the summit}
- \begin{itemize}
- \item Attend the summit in Berlin! (31 Oct. + 1+2 Nov)
- \end{itemize}
-\end{frame}
-
\section{Questions, comments, ideas?}
\placelogofalse
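Review bot: Removing all of \section{Getting involved} also drops the "How to get started?" items (build something twice, run diffoscope on the results), which are not specific to any distribution and are the only call to action visible in this diff. The "Attend the summit" frame carries a past date and is right to go, but a single short "Getting involved" frame aimed at Debian contributors would keep the talk from ending on status alone.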
@@ -1067,7 +650,6 @@ hour, minute & \multicolumn{2}{l}{hour is usually the same… usually, the minut
\item
{All “Reproducible Builds” contributors \\
{\small (you are just \textbf{so} awesome!)}}
- \item Open Source Summit Europe
\end{itemize}
\begin{center}
@@ -1076,15 +658,6 @@ hour, minute & \multicolumn{2}{l}{hour is usually the same… usually, the minut
\includegraphics[height=0.1\paperheight]{images/cii_logo.png}
\end{center}
- \vfill
- \begin{center}
- \resizebox{0.9\textwidth}{!}{%
- \begin{tabular}{rl}
- \texttt{holger at debian.org} & \texttt{B8BF 5413 7B09 D35C F026} \\
- & \texttt{FE9D 091A B856 069A AA1C}
-\end{tabular}
- }
- \end{center}
\end{frame}
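Review bot: With this contact table removed here and the "about h01ger" frame removed in the first hunk, the slides no longer carry any e-mail address or OpenPGP fingerprint. If questions are expected to continue after the talk, add the presenter's own contact line to this closing frame in place of the removed tabular.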
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/commit/5ff7ae2ae959ad5b2e65fb5b3a24469ff1e22de5