[Git][reproducible-builds/reproducible-presentations][master] finished slides for bornhack.dk / DebConf20

Holger Levsen (@holger) gitlab at salsa.debian.org
Tue Aug 24 15:40:53 UTC 2021



Holger Levsen pushed to branch master at Reproducible Builds / reproducible-presentations


Commits:
0154e1f4 by Holger Levsen at 2021-08-24T17:40:40+02:00
finished slides for bornhack.dk / DebConf20

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -


2 changed files:

- 2021-08-24-where-we-come-from-and-where-we-are-going/index.html
- 2021-08-24-where-we-come-from-and-where-we-are-going/todo


Changes:

=====================================
2021-08-24-where-we-come-from-and-where-we-are-going/index.html
=====================================
@@ -174,11 +174,88 @@
       </section>
 
        <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <p>However, it is what is... sigh.</p>
-        <p class="fragment">Also, please remember: the worldwide pandemic is almost a small crisis, compared to the climate apocalypsis we are heading into.</p>
+        <p>However, it is what it is... sigh.</p>
         <p class="fragment">Anyway.</p>
       </section>
 
+      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
+        <h3>The incomplete team, with apologies to $YOU</h3>
+<p style="font-size: 90%">
+           akira
+    • Alexis Bienvenüe
+    • Alexander Couzens
+    • Andrew Ayer
+    • Asheesh Laroia
+    • Bernhard M. Wiedemann
+    • Boyuan Yang
+    • Ceridwen
+    • Chris Lamb
+    • Chris West
+    • Christoph Berg
+    • Clint Adams
+    • Dafydd Harries
+    • Daniel Kahn Gillmor
+    • Daniel Shahaf
+    • Daniel Stender
+    • David Suarez
+    • Dhole
+    • Drew Fisher
+    • Emmanuel Bourg
+    • Emanuel Bronshtein
+    • Esa Peuha
+    • Fabian Wolff
+    • Frédéric Pierret
+    • Guillem Jover
+    • Hans-Christoph Steiner
+    • Harlan Lieberman-Berg
+    • Helmut Grohne
+    • Holger Levsen
+    • HW42
+    • Intrigeri
+    • Jelmer Vernooij
+    • josch
+    • Juan Picca
+    • Justin Cappos
+    • kpcyrd
+    • Lunar
+    • Maria Glukhova
+    • Mathieu Bridon
+    • Mattia Rizzolo
+    • Nicolas Boulenguez
+    • Niels Thykier
+    • Niko Tyni
+    • Paul Wise
+    • Peter De Wachter
+    • Philip Rinn
+    • Reiner Herrmann
+    • Robbie Harwood
+    • Santiago Vila
+    • Sascha Steinbiss
+    • Satyam Zode
+    • Scarlett Clark
+    • Stefano Rivera
+    • Stéphane Glondu
+    • Steven Chamberlain
+    • Tom Fitzhenry
+    • Vagrant Cascadian
+    • Valerie Young
+    • Valentin Lorentz
+    • Wookey
+    • Ximin Luo
+	</p>
+	  </section>
+
+      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
+	<ul>
+        <li>Sadly this talk is not team prepared and thus misses the updates since last DebConf section and more. It's the 2nd and hopefully the last time that only myself is presenting this massive team work.</li>
+	<li>Vagrant gives another talk about Reproducible Builds at DebConf21:</li>
+	<li>https://debconf21.debconf.org/talks/89-looking-forward-to-reproducible-builds/
+	<li>Saturday, August 28, 12:30 UTC
+	</li>
+	</ul>
+      </section>
+
+
       <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
         <p>Who am I</p>
         <ol>
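Review bot: In the new section announcing Vagrant's talk, the `<li>` holding the debconf21 URL is never closed and the next `<li>` ("Saturday, August 28, 12:30 UTC") opens directly after it, so the single `</li>` only pairs with the last item. Close each item, or fold the URL and time into the "Vagrant gives another talk..." item as an `<a href>` link so it is clickable. Separately, the team slide puts all names into one `<p>` with literal "•" characters and no list or `<br>` markup, so unless a stylesheet preserves whitespace they will collapse into one run of text; the first name (akira) also lacks the bullet the others have. A `<ul>` would keep one name per entry.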
@@ -201,9 +278,8 @@
           <li>Responsible for more than 10% of all source packages in Debian bullseye</li>
         </ol>
       </section>
-
-
-      <section data-background-color="white">
+   
+   <section data-background-color="white">
         <img class="fragment" src="images/logo.png" width="584">
       </section>
 
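Review bot: The `<section data-background-color="white">` opening tag is now indented three spaces while its `<img>` child and `</section>` keep the original depth, and the line added above it contains only whitespace. Keep the six-space indent used by the neighbouring sections and leave the separator line empty.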
@@ -216,7 +292,7 @@
         <ul>
           <li class="fragment">Source code of free software available</li>
           <li class="fragment">…most people install pre-compiled binaries</li>
-          <li class="fragment"><strong>We have no idea whether they correspond.</strong></li>
+          <li class="fragment"><strong>No one knows whether they really correspond.</strong></li>
           <li class="fragment">As a result there are various classes of supply chain attacks.</li>
         </ul>
       </section>
@@ -225,8 +301,8 @@
         <h3>The solution</h3>
         <ul>
           <li class="fragment">Enable anyone to independently verify that a given source produces bit by bit identical results.</li>
-          <li class="fragment">Reproducible Builds are an important building block in making supply chains more secure. Nothing more, nothing less.</li>
           <li class="fragment">As a side effect: you can only be sure a binary is free software if it has been reproduced. <em>It's only free software if it's reproducible!</em></li>
+          <li class="fragment">Reproducible Builds are an important building block in making supply chains more secure. Nothing more, nothing less.</li>
         </ul>
       </section>
 
@@ -244,8 +320,8 @@
 
       <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
         <p>I'll mostly ignore <em>why</em> and <em>how to do such builds</em> now.</p>
-        <p class="fragment">Instead I will focus on <em>how to distribute and verify</em>.</p>
-        <p class="fragment">(Sadly this talk is not team prepared and thus misses the updates since last DebConf section and more. It's the 2nd and hopefully the last time that only myself is presenting about this massive team work.)</p>
+        <p class="fragment">I'll just mention that this has been widely understood as a problem now: https://www.whitehouse.gov/briefing-room/statements-releases/2021/06/08/...</li>
+        <p class="fragment">So I will focus on <em>how to distribute and verify</em> builds today. First I will give an overview about various projects and then I'll explain more about the situation in Debian.</p>
       </section>
 
       <section data-background-color="white">
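Review bot: The added whitehouse.gov line opens with `<p class="fragment">` but ends in `</li>`; it should close with `</p>`. The URL is also plain text rather than an `<a href>` link, so it will not be clickable on the slide.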
@@ -254,10 +330,62 @@
       </section>
 
       <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3><em>My goals / wishes for today</em></h3>
-        To share and widen the understanding of the status of reproducible bullseye:
-	<ul>
-          <li class="fragment">CI versus rebuilds</li>
+        <h3>Short overview of reproducibility of other projects (all AIUI)</h3>
+   	<ul class="fragment">Tails: "easy", pragmatically "solved" but not systematically...
+        <li class="fragment">Arch Linux: has rebuilders, though also lacks user tools and/or other integration</li>
+        <li class="fragment">SuSE: active development, by one person, not enabled in offial builds</li>
+        </ul>
+     </section>
+
+      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
+        <h3>Short overview of reproducibility of other projects (all AIUI), continued</h3>
+	<li class="fragment">nixOS: https://r13y.com: 1380 out of 1465 (94.20%) paths in the minimal installation image are reproducible!</li>
+        <li class="fragment">GNU Guix: also reproducible by design (like nixOS), though this also includes unreproducible software... (guix-challenge)</li>
+        <li class="fragment">Yocto: support for reproducible images</li>
+        <li class="fragment">F-Droid: supports reproducible builds though no UI (manual web crawling needed) nor promises</li>
+        </ul>
+     </section>
+
+      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
+        <h3>Short overview of reproducibility of other projects (all AIUI), continued</h3>
+	<li class="fragment">Alpine: basic support</li>
+        <li class="fragment">FreeBSD/NetBSD/OpenBSD: basic support</li>
+        <li class="fragment">Fedora/Redhat/Ubuntu: not interested it seems</li>
+        </ul>
+     </section>
+
+      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
+        <h3>Summary of reproducibility of other projects (all AIUI)</h3>
+   	<p>Many project support reproducible builds by now, but it's unclear what that means, how it's enforced and how users can know and be confident...</p>
+     </section>
+
+      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
+        <h3>I probably didn't backdoor this</h3>
+	<li>https://github.com/kpcyrd/i-probably-didnt-backdoor-this</li>
+        <li class="fragment">a fine manual...</li>
+        <li class="fragment">simple <em>hello world</em> in Rust</li>
+        <li class="fragment">Reproducing the ELF binary</li>
+        <li class="fragment">Reproducing the Docker image</li>
+        <li class="fragment">Reproducing the Arch Linux package</li>
+        </ul>
+     </section>
+
+      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
+        <h3>The unreproducible package</h3>
+	<li>https://github.com/bmwiedemann/theunreproduciblepackage</li>
+        <li class="fragment">It's much easier to show common pitfalls making a package unreproducible than the opposite...</li>
+        </ul>
+     </section>
+
+      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
+        <h3>Debian</h3>
+     </section>
+
+      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
+        <h3><em>My goals / wishes for</em> DebConf20 / last year</h3>
+   	<ul class="fragment">
+               To share and widen the understanding of the status of reproducible bullseye:
+	  <li class="fragment">CI versus rebuilds</li>
           <li class="fragment">issues with buildinfos.debian.<em>net/org</em></li>
           <li class="fragment">thousands of packages without .buildinfo files in bullseye</li>
           <li class="fragment">fix and improve <em>debrebuild</em> (from src:devscripts)</li>
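Review bot: Several of the new overview slides have unbalanced list markup. The two "continued" sections, "I probably didn't backdoor this" and "The unreproducible package" start directly with `<li>` and end with `</ul>`, but none of them has an opening `<ul>`. In the first overview slide and in the "My goals / wishes for DebConf20" slide, text ("Tails: ..." and "To share and widen the understanding ...") sits directly inside `<ul class="fragment">`; it should go into an `<li>` or a `<p>` before the list. In the SuSE item, "offial" should read "official".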
@@ -267,59 +395,49 @@
      </section>
 
       <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3><em>Though first, my frustration</em></h3>
-        <p class="fragment">I feel I have given warnings that the next Debian release will not be reproducible
-		for years.</p>
-        <p class="fragment">And here we go again: bullseye will not be reproducible in practice.</p>
-        <p class="fragment">Unless we/you act up now.</p>
+        <h3>Status of those goals / wishes today</h3>
+	<ul>
+   	  <li class="fragment">CI versus rebuilds: some progress</li>
+          <li class="fragment">issues with buildinfos.debian.<em>net/org</em>: better</li>
+          <li class="fragment">thousands of packages without .buildinfo files in bullseye: solved</li>
+          <li class="fragment">fix and improve <em>debrebuild</em> (from src:devscripts): partly addressed, huge infrastructure progress</li>
+          <li class="fragment">other issues: always</li>
+          <li class="fragment">using reproducible builds and user interfaces: getting closer</li>
+        </ul>
+     </section>
+
+      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
+        <h3><em>Though first, my frustration (from 2020)</em></h3>
+        <p class="fragment">I feel I have given warnings that the next Debian release will not be reproducible for years.</p>
      </section>
 
       <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Debian <em>stretch</em></h3>
+        <h3>Debian <em>9 / stretch</em></h3>
         <p>The "reproducible in theory but not in practice" release</p>
-        <h3>Debian <em>buster</em></h3>
+        <h3>Debian <em>10 / buster</em></h3>
         <p>The "we could be reproducible but we are not" release</p>
-        <h3>Debian <em>bullseye</em></h3>
-        <p>The "we are almost there but still haven't sorted out..." release?</p>
+        <h3>Debian <em>11 / bullseye</em></h3>
+        <p>The "we are almost there but still haven't sorted out some requirements" release</p>
       </section>
 
       <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Debian <em>bullseye</em></h3>
-        <p>The release is still far away and we haven't frozen yet!</p>
-        <p><em>Ride like the wind, bullseye</em></p>
-        <img class="fragment" src="images/hc_fdroid_fosdem16-idea.png" width="584">
+        <h3>Debian <em>9 / stretch</em></h3>
+        <p>The "reproducible in theory but not in practice" release</p>
+        <h3>Debian <em>10 / buster</em></h3>
+        <p>The "we could be reproducible but we are not" release</p>
+        <h3>Debian <em>11 / bullseye</em></h3>
+        <p>The "we are almost made it" release</p>
+        <h3>Debian <em>12 / bookworm</em></h3>
+        <p>The first Debian release with some meaningful reproducibility?</p>
       </section>
 
-      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Bugs bugs bugs</h3>
-        <p class="fragment">With the upcoming list of bugs I
-        don't want to fingerpoint at individual teams (or people),
-        instead I think we can only solve this if we as Debian
-        decide we want to solve it for <em>bullseye</em>.
-        <br />
-        I think this is not happening because people believe
-        things have been sorted out and we take care of them.
-        But we are not, we can't do this alone.</p>
-      </section>
 
 
       <!--========================================================= -->
 
-      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3><em>My goals / wishes for today</em></h3>
-        To share and widen the understanding of the status of reproducible bullseye:
-	<ul>
-          <li>CI versus rebuilds</li>
-          <li>issues with buildinfos.debian.<em>net/org</em></li>
-          <li>thousands of packages without .buildinfo files in bullseye</li>
-          <li>fix and improve <em>debrebuild</em> (from src:devscripts)</li>
-          <li>other issues</li>
-        </ul>
-     </section>
-
 
       <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3>share and widen understanding of the status of reproducible bullseye</h3>
+        <h3>share and widen understanding of the status of reproducible Debian</h3>
         <p><em>CI versus rebuilds</em></p>
      </section>
 
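Review bot: In the second release-overview slide the bullseye line reads `The "we are almost made it" release`, which looks like a leftover from rewording the earlier "we are almost there ..." text; "we almost made it" is presumably what is meant. The removed "Bugs bugs bugs" and "My goals / wishes for today" sections also leave a run of blank lines around the `<!--=====-->` separator that could be collapsed.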
@@ -334,158 +452,100 @@
       <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
         <h3>CI versus rebuilds:</h3>
 	<ul>
-        <li>We have no <strong>Debian</strong> infrastructure rebuilding Debian packages.</li>
-        <li class="fragment">The reproducible-builds.org rebuilders are builders, not rebuilders.</li>
-        <li class="fragment">There's a NYU driven a proof of concept.</li>
-        <li class="fragment">There's a prototype on jenkins.d.n using debrebuild...</li>
-        <li class="fragment">Archlinux has rebuilderd, written in rust.. (and see issue #4)</li>
-	<li class="fragment">Integration with Debian's official buildd network?!?</li>
-	</ul>
-      </section>
-
-
-      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3>share and widen understanding of the status of reproducible bullseye</h3>
-        <p><em>issues with buildinfos.debian.</em>net/org</p>
-     </section>
+        <li>We have no <strong>Debian</strong> infrastructure rebuilding Debian packages. The reproducible-builds.org rebuilders are builders, not rebuilders.</li>
+        <li class="fragment">Up until recently we had two main blockers for rebuilders:</li>
+	<ul>
+        <li class="fragment">>3000 packages without .buildinfo files, fixed by myself end of February 2021.</li>
+        <li class="fragment">snapshot.debian.org was (and is) unusable for rebuilds, fixed by Frédéric Pierret and josch since June 2021, by providing a partial mirror for amd64 only and only going back until January 2017.</li>
+        <li class="fragment">see their talk on Thursday, August 26 at 21 UTC: "Making use of snapshot.debian.org for fun and profit"</li>
 
-      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3><code>.buildinfo</code> files</h3>
-        <p>buildinfo.debian.net</p>
-        <p class="fragment">buildinfos.debian.net</p>
+	</ul>
+	</ul>
       </section>
 
-      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3><code>.buildinfo</code> files</h3>
-        <p>buildinfo.debian.net: Allows submissions from everyone (PostgreSQL)</p>
-        <p class="fragment">buildinfos.debian.net: ftp-master.d.o based views based on build date <em>and</em> traditional pool structure</p>
-      </section>
+      <section>
+        <h3>That number (93%) was wrong/from last year</h3>
+	<ul>
 
-      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3><code>.buildinfo</code> files from an unofficial service?</h3>
- 	<ul>
-        <li class="fragment">There should be a debian.org machine serving <code>.buildinfo</code> files to the public.</li>
-        <li class="fragment">Since December 2016: 965,333 files in total, eg 118,195 amd64 related.</li>
-        <li class="fragment">12 GB files, 4 GB links.</li>
+        <li>we are at 95.5% (29599 out of 30896 source packages) CI reproducibiliy for bullseye now.<p>
+        <li class="fragment">that's almost 2% up compared to buster (93.9%)</li>
+        <li class="fragment">or almost 3000 more reproducible packages (29599 instead of 26682 in buster)</li>
+        <li class="fragment">or even more impressive: we've solved one third of the remaining 6% buster had...</li>
 	</ul>
+
       </section>
 
       <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3><code>.buildinfo</code> files</h3>
+        <h3>"Solved" problems with <code>.buildinfo</code> files</h3>
        	<ul>
-        <li>#862073 ftp.debian.org: Please POST .buildinfo files to buildinfo.debian.net</li>
-        <li class="fragment">#763822 ftp.debian.org: please include .buildinfo file in the archive</li>
-        <li class="fragment">#862538 security.debian.org: Please POST .buildinfo files to buildinfo.debian.net</li>
-	<li class="fragment">#929397 ftp.d.o: please upload LTS .buildinfo files to ftp-master</li>
+   	<li>buildinfos.debian.net is just a proof of concept, but it kinda works.</li>
+	<li class="fragment">we had >3000 packages without .buildinfo files... (solved).</li>
+        <li class="fragment">#862073 ftp.debian.org: Please POST .buildinfo files to buildinfo.debian.net (worked around)</li>
+        <li class="fragment">#763822 ftp.debian.org: please include .buildinfo file in the archive (worked around)</li>
 	</ul>
       </section>
-
-      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3><code>.buildinfo</code> database</h3>
-        <p>builtin-pho: a database for .buildinfo data (PostgreSQL)</p>
-        <p>Thanks to David Bremner</p>
-        <p class="fragment">buildinfos.debian.net: ftp-master.d.o based views based on build date <em>and</em> traditional pool structure</p>
-      </section>
-
-      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3><code>.buildinfo</code> files as part of the binary packages???</h3>
+ 
+     <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
+        <h3>Remaining problems with <code>.buildinfo</code> files</h3>
        	<ul>
-        <li>Archlinux is using this implementation.</li>
-        <li class="fragment">Solves those 4 bugs above (and some others).</li>
-        <li class="fragment">Virtually no impact on the mirrors <em>and</em> easy solution for mirroring!</li>
-        <li class="fragment">Difficult with current dpkg design.</li>
-       	</ul>
+        <li class="fragment">#862538 security.debian.org: Please POST .buildinfo files to buildinfo.debian.net: <em>security updates only show up at point releases</em></li>
+	<li class="fragment">#929397 ftp.d.o: please upload LTS .buildinfo files to ftp-master: <em>we have some time to fix this, bookworm will become LTS in 3 years or so</em></li>
+        <li class="fragment">GPG keys expire...</li>
+	</ul>
       </section>
 
-      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3>share and widen understanding of the status of reproducible bullseye</h3>
-        <p><em>thousands of packages without .buildinfo files in bullseye</em></p>
-       	<ul>
-          <li class="fragment">mostly <em>arch:all</em> packages (but not only)</li>
-   	  <li class="fragment">binNMUs for arch:all not possible</li>
-   	  <li class="fragment">Shall we do mass NMUs, eg scripted with dgit?</li>
-          <li class="fragment">#900837 release.debian.org: Mass-rebuild of packages for reproducible builds"</li>
-	<ul>
-     </section>
-
-      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3>share and widen understanding of the status of reproducible bullseye</h3>
-        <p><em>fix and improve </em>debrebuild<em>(from src:devscripts)</em></p>
-     </section>
 
-      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3>fix and improve <em>debrebuild</em><br>(from src:devscripts)</h3>
-       <em>normal</em> bugs, part 1
-       	<ul>
-         <li class="fragment">#955049 debrebuild: no manpage and no --help option</li>
-         <li class="fragment">#955050 debrebuild: please accepted signed .buildinfo files</li>
-         <li class="fragment">#955307 debrebuild: should avoid downgrades</li>
-	</ul>
-     </section>
 
       <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3>fix and improve <em>debrebuild</em><br>(from src:devscripts)</h3>
-       <em>normal</em> bugs, part 2
+        <h3>Debian rebuilders</h3>
        	<ul>
-         <li class="fragment">#961862 debrebuild: should assemble the source for binNMUs</li>
-         <li class="fragment">#961864 debrebuild: creates wrong commandline for binNMUs</li>
-         <li class="fragment">#969098 debrebuild: fails to download some packages from snapshot.d.o</li>
+ <li>Last year we had to <em>fix and improve </em>debrebuild<em>(from src:devscripts)</em></li>
+        <li class="fragment">most of them have addressed...</li>
+        <li class="fragment">but rebuilding needs a working snapshot.debian.org service and we found that snapshot.debian.org doesn't scale...</li>
+        <li class="fragment">snapshot.debian.org was (and is) unusable for rebuilds, fixed by Frédéric Pierret and josch since June 2021, by providing a partial mirror for amd64 only and only going back until January 2017.</li>
+        <li class="fragment">see their talk on Thursday, August 26 at 21 UTC: "Making use of snapshot.debian.org for fun and profit"</li>
 	</ul>
      </section>
 
       <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3>fix and improve <em>debrebuild</em><br>(from src:devscripts)</h3>
-        <em>wishlist</em> bugs, part 1
+        <h3>Debian rebuilders / snapshot.debian.org</h3>
 	<ul>
-         <li class="fragment">#955123 debrebuild: please provide --sbuild-output-only option</li>
-         <li class="fragment">#955304 debrebuild: suggested sbuild command should use --no-run-lintian</li>
-         <li class="fragment">#955308 debrebuild: also explain *how* to use snapshot.d.o</li>
+        <li class="fragment">now that we have https://debian.notset.fr/snapshot/ (and soon snapshot.reproducible-builds.org hosted at OSUOSL) we can setup rebuilders</li>
+        <li class="fragment">rebuilders for both bullseye and bookworm!</li>
+        <li class="fragment">Frédéric Pierret has a proof of concept rebuilder service too. I'm looking forward to integrate that into tests.reproducible-builds.org in the coming months!</li>
 	</ul>
      </section>
 
       <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3>fix and improve <em>debrebuild</em><br>(from src:devscripts)</h3>
-        <em>wishlist</em> bugs, part 2
-	<ul>
-         <li class="fragment">#958750 debrebuild: please add --standalone mode or --one-shot-mode</li>
-         <li class="fragment">#961861 debrebuild: should (optionally) download the source too</li>
-         <li class="fragment">#964722 debrebuild: please add option for rebuilding in the same path</li>
+        <h3>meaningful reproducibilty of Debian</h3>
+       	<ul>
+ <li class="fragment">all 21 essential packages are reproducible.</li>
+        <li class="fragment">26 out of 29 required packages are reproducible.</li>
+        <li class="fragment">50 out of 1216 packages of the most installed packages are <em>not</em> reproducible.</li>
+        <li class="fragment">28 out of 687 packages of the basic GNOME packages are <em>not</em> reproducible.</li>
+        <li class="fragment">Debian installer images are not reproducible.</li>
+        <li class="fragment">Debian Live images are not reproducible.</li>
 	</ul>
-     </section>
 
-      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3>share and widen understanding of the status of reproducible bullseye</h3>
-        <p><em>other issues</em></p>
      </section>
 
+
       <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Misc other issues</h3>
+        <h3>Eventually...</h3>
 	<ul>
-        <li class="fragment">#869184 sbuild, dput, dpkg: source uploads including <code>_amd64.buildinfo</code> causes problems</li>
-	<li class="fragment">#969084: buildd.d.o: please don't use a tainted buildenv</li>
-        <li class="fragment">#894441 binNMUs, mtimes and <code>rsync(1)</code> causes problems and binNMUs should be replaced by easy "no-change-except-debian/changelog-uploads"</li>
     	<li class="fragment">#863622: apt: warn when installing packages that are not reproducible</li>
 	</ul>
       </section>
 
       <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
         <h3><em>other issues, release team related</em></h3>
-       	</ul>
+       	<ul>
         <li>We are very happy that testing migration is blocked for binary uploads</li>
         <li class="fragment">We very much like the idea of accellerating migration for reproducibility.</li>
         <li class="fragment">Debian policy: probably too early for "must", but maybe time for "must not regress"? (This needs rebuilders first.)</li>
 	</ul>
      </section>
  
-      <section data-background="images/dc21-logo.svg" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Summary</em></h3>
-       	<ul>
-        <li class="fragment">fixing debrebuild should be rather straightforward</li>
-        <li class="fragment">distributing .buildinfo files is hard OTOH</li>
-        <li class="fragment">distributing .buildinfo files is crucial also.</li>
-        <li class="fragment">...and then rebuilders...</li>
-	</ul>
-     </section>
 
       <section data-background="images/dc21-logo.svg" data-background-size="17%" data-background-position="50% 15%">
         <br>
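Review bot: In the "That number (93%) was wrong/from last year" slide, the first `<li>` ends with a stray `<p>` and is never closed; drop the `<p>` and add `</li>`. That `<section>` also has no `data-background` attributes, unlike every other section in this hunk, so confirm the missing logo is intended. In "CI versus rebuilds:" the inner `<ul>` is a direct child of the outer `<ul>` rather than nested inside the "two main blockers" `<li>`, and the two snapshot.debian.org items there are repeated verbatim in "Debian rebuilders"; one copy is enough. Wording: "reproducibiliy" and "reproducibilty" should be "reproducibility", and "most of them have addressed..." is missing "been". The "one third of the remaining 6%" figure is worth rechecking against the numbers on the same slide: going from 93.9% to 95.5% shrinks the unreproducible share from about 6.1% to 4.5%, which is closer to a quarter.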


=====================================
2021-08-24-where-we-come-from-and-where-we-are-going/todo
=====================================
@@ -1,33 +1,8 @@
 test debrebuild
-dc21 shirt foto?
-other distro slides:
-	nix/guix/arch/suse/tail/yocto/fdroid
-diffoscope 113 in buster, diffoscope 177 in bullseye
-	
-my goals from last year / debconf20
-my frustration from last year
+mention vagrants talk and that we havent coordinated
+	https://debconf21.debconf.org/talks/89-looking-forward-to-reproducible-builds/
+		 Time: Aug 28 (Sat): 12:30 UTC
+	https://debconf21.debconf.org/talks/22-making-use-of-snapshotdebianorg-for-fun-and-profit/	
 
-stretch / buster / bullseye
-& bookworm, the release which will be partially reproducible \o/ ???
-	(and for a meaningful part ;)
-	-> pkg sets
 
-explain buster status
-explain bullseye status
-	.buildinfo files
-		explain bullseye problems
-		3000 uploads
-		i now maintain 10% of debian. (HAHAHA)
-		.buildinfo files for security
-	snapshot PoC for amd64 only atm
-		currently it is roughly 1473740+ files stored as sha256 (current rsync report); 4.1T usage; 1412490037 inodes
-		the postgresql DB is 3.9G
-		from Jan, 1 2017 until today
-		buster && bullseye && bookworm && unstable
 
-next
-	rebuilder from fpetre ir kpcyrd
-		expired keys are a problem
-	security updates
-		NOPE
-	point releases!
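Review bot: The two new todo entries look already covered by this commit: the index.html changes add a slide pointing to Vagrant's talk with the same URL and time, and mention the snapshot.debian.org talk by title. If the remaining action is only to say during the talk that the two presentations were not coordinated, word the entry that way; otherwise drop them so the file reflects what is actually open. The line with the talk 22 URL also ends in trailing whitespace.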



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/0154e1f40ed4f312ce6578a21bd270fa0eed6410
