[Git][reproducible-builds/reproducible-presentations][master] 3 commits: 2020-05-LFNW: Beyond Trusting Open Source Software

Vagrant Cascadian gitlab at salsa.debian.org
Fri May 8 04:09:38 UTC 2020



Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-presentations


Commits:
a4e73452 by Vagrant Cascadian at 2020-05-06T09:22:18-07:00
2020-05-LFNW: Beyond Trusting Open Source Software

- - - - -
3727dce5 by Vagrant Cascadian at 2020-05-07T20:09:58-07:00
2020-05-LFNW: split praxis into verification and "by who" slides.

- - - - -
63c70cbd by Vagrant Cascadian at 2020-05-07T21:08:10-07:00
2020-05-LFNW: bootstrap map

- - - - -


9 changed files:

- + 2020-05-LFNW-beyond-trusting-open-source-software/Beyond-Trusting-Open-Source-Software.org
- + 2020-05-LFNW-beyond-trusting-open-source-software/Makefile
- + 2020-05-LFNW-beyond-trusting-open-source-software/images/diffoscope.png
- + 2020-05-LFNW-beyond-trusting-open-source-software/images/r-b-projects.png
- + 2020-05-LFNW-beyond-trusting-open-source-software/images/r-b-projects.xcf
- + 2020-05-LFNW-beyond-trusting-open-source-software/images/reprobuilds-display.jpeg
- + 2020-05-LFNW-beyond-trusting-open-source-software/images/reproducible-builds.png
- + 2020-05-LFNW-beyond-trusting-open-source-software/images/stats_pkg_state.png
- + 2020-05-LFNW-beyond-trusting-open-source-software/images/vagrantupsidedown.png


Changes:

=====================================
2020-05-LFNW-beyond-trusting-open-source-software/Beyond-Trusting-Open-Source-Software.org
=====================================
@@ -0,0 +1,335 @@
+#+TITLE: Reproducible Builds: Beyond Trusting Open Source Software
+#+AUTHOR: Vagrant Cascadian
+#+EMAIL: vagrant at reproducible-builds.org
+#+DATE: LinuxFest NorthWest, 2020-05
+#+LANGUAGE:  en
+#+OPTIONS:   H:1 num:t toc:nil \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t
+#+OPTIONS:   TeX:t LaTeX:t skip:nil d:nil todo:t pri:nil tags:not-in-toc
+#+OPTIONS: ^:nil
+#+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js
+#+EXPORT_SELECT_TAGS: export
+#+EXPORT_EXCLUDE_TAGS: noexport
+#+startup: beamer
+#+LaTeX_CLASS: beamer
+#+LaTeX_CLASS_OPTIONS: [bigger]
+#+latex_header: \mode<beamer>{\usetheme{Madrid}}
+#+LaTeX_CLASS_OPTIONS: [aspectratio=169]
+#+BEGIN_comment
+Reproducible Builds: Beyond Trusting Open Source Software
+LinuxFest NorthWest 2020, The Internet
+
+Reproducible Builds: Beyond Trusting Open Source Software
+shedding light on black boxes
+
+Software released under an open-source license and developed using an
+open-source model come with many benefits, allowing the ability to
+use, study, change, and share not only the software itself, but
+similarly engage with a community around the software in a transparent
+manner.
+
+One of the strongest assertions is that open-source software is more
+secure, as many parties are able to inspect the code. But most code in
+the modern day is distributed as precompiled binary code,
+indistinguishable from gibberish to many very savvy humans; this makes
+the binary code largely impractical to audit. Blind trust is a bit
+frightening for a security model!
+
+Reproducible Builds provides a way to build trust that the binaries
+produced are the intended result of the source code, by making it
+possible for independent third-party verification of binaries to
+produce bit-for-bit identical binaries.
+
+This talk will introduce the concepts of Reproducible Builds,
+including best practices for developing and releasing software, the
+tools available to help diagnose issues, and touch on progress towards
+solving a decades-old deeply pervasive security issue...
+
+Learn how to demonstrate trust, rather than simply hoping for it!
+
+https://reproducible-builds.org
+#+END_comment
+
+* Who am I
+
+** image
+    :PROPERTIES:
+    :BEAMER_col: 0.4
+    :END:
+
+[[./images/vagrantupsidedown.png]]
+
+
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.4
+    :END:
+
+  |                     | Vagrant |
+  |---------------------+---------|
+  | debian user         |    2001 |
+  | debian developer    |    2010 |
+  | reproducible builds |    2015 |
+
+* When we say reproducible
+
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.7
+    :END:
+
+https://reproducible-builds.org/docs/definition/
+
+\vspace{\baselineskip}
+
+A build is reproducible if given the same source code, build
+environment and build instructions, any party can recreate bit-by-bit
+identical copies of all specified artifacts.
+
+** image
+    :PROPERTIES:
+    :BEAMER_col: 0.3
+    :END:
+
+[[./images/reproducible-builds.png]]
+
+* Once upon a time
+
+#+ATTR_BEAMER: :overlay <+->
+- Historically software was reproducible! Every bit counted.
+- Things eventually got more complicated...
+- Bit for bit reproducible GNU toolchain in the early 90s on 10(?) architectures.
+- *And then we all forgot.*
+- Then, in 2011 and 2012, Bitcoin and Torbrowser were made reproducible.
+
+* Debian
+
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.60
+    :END:
+
+#+ATTR_BEAMER: :overlay <+->
+- A list mail in 1997, very few more in 2001 and 2003.
+- In 2013 people in Debian began to investigate
+- In 2014 systematic testing, classifications and weekly blogs.
+- Since 2017 in Debian Policy
+
+** image
+    :PROPERTIES:
+    :BEAMER_col: 0.40
+    :END:
+
+[[./images/stats_pkg_state.png]]
+
+
+* Community
+
+[[./images/r-b-projects.png]]
+
+* Shared research and developments
+
+https://tests.reproducible-builds.org
+
+\vspace{\baselineskip}
+
+#+ATTR_BEAMER: :overlay <+->
+- Test/research setup for many but not all projects.
+- Since end of 2018 shared database for some of those.
+- Sharing issues, patches and upstreaming them.
+- Shared public blog, now called monthly report.
+- More collaboration is possible!
+
+* Common issues
+
+#+ATTR_BEAMER: :overlay <+->
+- timestamps
+- build paths
+- timezones
+- locales
+- timestamps
+- hundreds of classes of causes !
+- also timestamps
+- It's fun to discover these! Well, mostly.
+
+* diffocope
+
+https://diffoscope.org
+
+\vspace{\baselineskip}
+
+#+ATTR_BEAMER: :overlay <+->
+- Recursive and human-readable "diff"
+  - locates and diagnoses reproducibility issues
+  - *not* used for determining whether something is reproducible!
+  - used for analysing *why*
+
+* diffoscope example
+
+[[./images/diffoscope.png]]
+
+* beyond reproducible builds
+
+https://diffoscope.org
+
+\vspace{\baselineskip}
+
+useful beyond reproducible builds, eg.
+
+#+ATTR_BEAMER: :overlay <+->
+  - security updates
+  - code refactoring
+
+* diffoscope, supported file types
+
+Android APK files, Android boot images, Ar(1) archives, Berkeley DB database files, Bzip2 archives, Character/block devices, ColorSync colour profiles (.icc), Coreboot CBFS filesystem images, Cpio archives, Dalvik .dex files, Debian .buildinfo files, Debian .changes files, Debian source packages (.dsc), Device Tree Compiler blob files, Directories, ELF binaries, Ext2/ext3/ext4/btrfs filesystems, FreeDesktop Fontconfig cache files, FreePascal files (.ppu), Gettext message catalogues, GHC Haskell .hi files, GIF image files, Git repositories, GNU R database files (.rdb), GNU R Rscript files (.rds), Gnumeric spreadsheets, Gzipped files, ISO 9660 CD images, Java .class files, JavaScript files, JPEG images, JSON files, LLVM IR bitcode files, MacOS binaries, Microsoft Windows icon files, Microsoft Word .docx files, Mono 'Portable Executable' files, Ogg Vorbis audio files, OpenOffice .odt files, OpenSSH public keys, OpenWRT package archives (.ipk), PDF documents, PGP signed/encrypted messages, PNG images, PostScript documents, RPM archives, Rust object files (.deflate), SQLite databases, SquashFS filesystems, Statically-linked binaries, Symlinks, Tape archives (.tar), Tcpdump capture files (.pcap), Text files, TrueType font files, XML binary schemas (.xsb), XML files, XZ compressed files, etc.
+
+* try diffoscope
+
+https://diffoscope.org
+
+\vspace{\baselineskip}
+
+#+ATTR_BEAMER: :overlay <+->
+- available for Debian, Fedora, OpenSUSE, Archlinux, GNU Guix, NixOS, FreeBSD, NetBSD, Homebrew, PypI, ...
+- and on the web: https://try.diffoscope.org
+
+* Reprotest
+
+reprotest
+
+#+ATTR_BEAMER: :overlay <+->
+- builds something twice with many variations
+- https://salsa.debian.org/reproducible/reprotest
+- if unreproducible: "bisect" the variations
+
+* Reproducible builds
+
+[[./images/reproducible-builds.png]]
+
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.67
+    :END:
+
+https://reproducible-builds.org
+
+* There is a lot of practice in theory
+
+#+ATTR_BEAMER: :overlay <+->
+- 93% is a wonderful fantasy
+- 7% of 30000 source packages means 2100 unreproducible source packages.
+- And there's new software every hour
+- Getting software reproducible in theory is only part of the way
+
+* Verification
+
+#+ATTR_BEAMER: :overlay <+->
+- distributed multi-party verification
+- Implemented in Arch Linux:
+    https://wiki.archlinux.org/index.php/Rebuilderd
+
+* Verifyable by who? 
+
+#+ATTR_BEAMER: :overlay <+->
+  - meaningful end-user interfaces
+
+* Wearing the adventurous boots
+
+https://bootstrappable.org/
+
+What compiler do you use to compile your compiler?
+
+* Trusting Trust
+
+  Reflections on Trusting Trust by Ken Thompson 1984
+
+- https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
+
+* Diverse Double-Compilation
+
+  Diverse Double-Compilation by David A. Wheeler 2005/2009
+
+- https://www.dwheeler.com/trusting-trust/
+
+* Untangling the bootstraping Mes
+
+https://savannah.gnu.org/projects/mes
+
+GNU Mes
+
+Mutual self-hosting Scheme interpreter written in ~5,000 LOC of simple
+C and a Nyacc-based C compiler written in Scheme.
+
+* planets, comets, stars and hexes
+
+https://github.com/oriansj/talk-notes/blob/master/Current%20bootstrap%20map.pdf
+
+* Events
+
+https://reproducible-builds.org/events/
+
+\vspace{\baselineskip}
+
+Reproducible builds summits:
+
+#+ATTR_BEAMER: :overlay <+->
+- Athens 2015
+- Berlin 2016
+- Berlin 2017
+- Paris 2018
+- Marrakesh 2019
+- ??? 2020
+
+* Collaboration
+
+https://reproducible-builds.org/contribute/
+
+\vspace{\baselineskip}
+
+** image
+    :PROPERTIES:
+    :BEAMER_col: 0.4
+    :END:
+
+[[./images/reprobuilds-display.jpeg]]
+
+* Questions?
+
+Thank you for your time and contributions.
+
+\vspace{\baselineskip}
+
+[[./images/reproducible-builds.png]]
+
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.67
+    :END:
+
+https://reproducible-builds.org
+
+* Copyright and attributions
+\addtocounter{framenumber}{-1}
+\tiny
+
+  Copyright 2019-2020 Vagrant Cascadian <vagrant at reproducible-builds.org>
+
+  Copyright 2019 Holger Levsen <holger at layer-acht.org>
+
+  This work is licensed under the Creative Commons
+  Attribution-ShareAlike 4.0 International License.
+
+  To view a copy of this license, visit
+  https://creativecommons.org/licenses/by-sa/4.0/
+
+\vspace{\baselineskip}
+
+  And the logos, which are under their respective licenses. The compilation made by Holger is CC-SA 4.0 intl.
+
+  reprobuilds-display from Jelle is under MIT:
+
+  https://github.com/jelly/reproduciblebuilds-display
+
+  stats_pkg_state has been generated by code licensed under GPL2, written by Holger and was downloaded from:
+
+  https://tests.reproducible-builds.org/debian/unstable/amd64/stats_pkg_state.png
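Review bot: `#+LaTeX_CLASS_OPTIONS` appears twice (`[bigger]` and later `[aspectratio=169]`); Org treats this keyword as single-valued and keeps the last occurrence, so `[bigger]` is silently dropped from the exported `\documentclass`. Merge them into one line, `#+LaTeX_CLASS_OPTIONS: [bigger,aspectratio=169]`. A few spelling slips in frame titles and bullets will show up on the rendered slides: `* diffocope` should be `* diffoscope`, `* Verifyable by who?` should be `* Verifiable by whom?` (and carries a trailing space), `bootstraping` should be `bootstrapping`, and `PypI` should be `PyPI`. The `* Reproducible builds` frame also has a lone `** text` column at `BEAMER_col: 0.67` with no sibling column, unlike the other two-column frames; either add the image as a second column or drop the column properties there.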


=====================================
2020-05-LFNW-beyond-trusting-open-source-software/Makefile
=====================================
@@ -0,0 +1,16 @@
+# thanks to dima for walking me through this!
+#
+# needs: apt install emacs texlive-latex-extra org-mode
+
+export FORCE_SOURCE_DATE = 1
+export SOURCE_DATE_EPOCH := $(shell date --utc --date '2020-05-10 16:30 PDT' +%s)
+
+all: $(patsubst %.org,%.pdf,$(wildcard *.org))
+
+%.pdf: %.org
+	emacs -Q --batch --eval '(progn (random "0") (find-file "$<") (org-beamer-export-to-pdf))'
+
+clean:
+	rm -f *.pdf *.tex *.png
+
+.PHONY:clean
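Review bot: `.PHONY:clean` should also list `all` (`.PHONY: all clean`), otherwise a stray file named `all` in the directory turns the default target into a no-op. `clean` removes `*.png`, but nothing in this Makefile generates PNGs at the top level (the images live under `images/`), so that glob is at best unused and at worst deletes something someone dropped next to the `.org` file. Pinning `SOURCE_DATE_EPOCH` to the talk date is the right move for a reproducible PDF, but `--utc` has no effect on `+%s` output, and parsing the `PDT` abbreviation relies on GNU date's built-in zone table; `TZ=America/Los_Angeles date --date '2020-05-10 16:30' +%s` avoids that dependency. The `(random "0")` call seeds Emacs's RNG so the export emits stable internal link references rather than fresh ones each run; a one-line comment saying so would help the next person who copies this rule.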


=====================================
2020-05-LFNW-beyond-trusting-open-source-software/images/diffoscope.png
=====================================
@@ -0,0 +1 @@
+../../2019-08-04-Linuxdev-BR-There-and-Back-Again-Reproducibly/images/diffoscope.png
\ No newline at end of file
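Review bot: this and the other image entries (all except `stats_pkg_state.png`) are symlinks into `../../2019-08-04-Linuxdev-BR-There-and-Back-Again-Reproducibly/images/`, so this talk's build depends on that older directory staying put and on checkouts preserving symlinks; renaming or pruning the 2019 talk would silently break the `[[./images/...]]` links at export time. Consider moving the shared logos to a common top-level images directory that both talks point at, or at least mention the dependency in the Makefile comment.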


=====================================
2020-05-LFNW-beyond-trusting-open-source-software/images/r-b-projects.png
=====================================
@@ -0,0 +1 @@
+../../2019-08-04-Linuxdev-BR-There-and-Back-Again-Reproducibly/images/r-b-projects.png
\ No newline at end of file


=====================================
2020-05-LFNW-beyond-trusting-open-source-software/images/r-b-projects.xcf
=====================================
@@ -0,0 +1 @@
+../../2019-08-04-Linuxdev-BR-There-and-Back-Again-Reproducibly/images/r-b-projects.xcf
\ No newline at end of file


=====================================
2020-05-LFNW-beyond-trusting-open-source-software/images/reprobuilds-display.jpeg
=====================================
@@ -0,0 +1 @@
+../../2019-08-04-Linuxdev-BR-There-and-Back-Again-Reproducibly/images/reprobuilds-display.jpeg
\ No newline at end of file


=====================================
2020-05-LFNW-beyond-trusting-open-source-software/images/reproducible-builds.png
=====================================
@@ -0,0 +1 @@
+../../2019-08-04-Linuxdev-BR-There-and-Back-Again-Reproducibly/images/reproducible-builds.png
\ No newline at end of file


=====================================
2020-05-LFNW-beyond-trusting-open-source-software/images/stats_pkg_state.png
=====================================
Binary files /dev/null and b/2020-05-LFNW-beyond-trusting-open-source-software/images/stats_pkg_state.png differ


=====================================
2020-05-LFNW-beyond-trusting-open-source-software/images/vagrantupsidedown.png
=====================================
@@ -0,0 +1 @@
+../../2019-08-04-Linuxdev-BR-There-and-Back-Again-Reproducibly/images/vagrantupsidedown.png
\ No newline at end of file



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/compare/42c71720e402647aeaadf6b5b39f3128cb317c96...63c70cbd5b07624a72429d4f2e4a3e0a1e1bae58


