[Git][reproducible-builds/reproducible-presentations][master] debian hamburg reunion r-b talk slides: update some debian stuff
Holger Levsen (@holger)
gitlab at salsa.debian.org
Sat May 28 12:10:07 UTC 2022
Holger Levsen pushed to branch master at Reproducible Builds / reproducible-presentations
Commits:
d7e56dd9 by Holger Levsen at 2022-05-28T14:09:55+02:00
debian hamburg reunion r-b talk slides: update some debian stuff
Signed-off-by: Holger Levsen <holger at layer-acht.org>
- - - - -
3 changed files:
- + 2022-05-28-reproducible-builds-for-bullseye-bookwork-and-beyond/images/dc15_1.jpg
- + 2022-05-28-reproducible-builds-for-bullseye-bookwork-and-beyond/images/dc15_2.jpg
- 2022-05-28-reproducible-builds-for-bullseye-bookwork-and-beyond/index.html
Changes:
=====================================
2022-05-28-reproducible-builds-for-bullseye-bookwork-and-beyond/images/dc15_1.jpg
=====================================
Binary files /dev/null and b/2022-05-28-reproducible-builds-for-bullseye-bookwork-and-beyond/images/dc15_1.jpg differ
=====================================
2022-05-28-reproducible-builds-for-bullseye-bookwork-and-beyond/images/dc15_2.jpg
=====================================
Binary files /dev/null and b/2022-05-28-reproducible-builds-for-bullseye-bookwork-and-beyond/images/dc15_2.jpg differ
=====================================
2022-05-28-reproducible-builds-for-bullseye-bookwork-and-beyond/index.html
=====================================
@@ -236,7 +236,8 @@
<li class="fragment">Working on Reproducible Builds since 2014</li>
<li class="fragment">Uploaded >10% of all source packages in Debian bullseye</li>
<li class="fragment">Uploaded <10% of all source packages in Debian bookworm...</li>
- </ol>
+ <li class="fragment">May 2022 has been quite extraordinary and left me with even less time to prepare this talk then usual.</li>
+ </ol>
</section>
@@ -244,7 +245,7 @@
<img class="fragment" src="images/logo.png" width="584">
</section>
- <section>
+ <section data-background="images/debianreunionhh2022-hearts-bigger-diamond-i-dot-same-color-more-centered-bigger-hearts-pl.svg" data-background-size="12%" data-background-position="90% 10%">
<h1>Introduction</h1>
</section>
@@ -287,9 +288,9 @@
<section data-background="images/debianreunionhh2022-hearts-bigger-diamond-i-dot-same-color-more-centered-bigger-hearts-pl.svg" data-background-size="12%" data-background-position="90% 10%">
- <p>I'll mostly ignore <em>why</em> and <em>how to do such builds</em> now.</p>
- <p class="fragment">I'll just mention that this has been widely understood as a problem now: https://www.whitehouse.gov/briefing-room/statements-releases/2021/06/08/...</li>
- <p class="fragment">So I will focus on <em>how to distribute and verify</em> builds today. First I will give an overview about various projects and then I'll explain more about the situation in Debian.</p>
+ <p>I'll mostly ignore <em>why</em> and <em>how to do such builds</em> today.</p>
+ <p class="fragment">I'll just mention that by now this has been widely understood as a problem: https://www.whitehouse.gov/briefing-room/statements-releases/2021/06/08/...</li>
+ <p class="fragment">So today I will give a short overview about various projects and then I'll explain the situation in Debian.</p>
</section>
<section data-background-color="white">
@@ -302,10 +303,10 @@
<ul class="fragment">Tails: "easy", pragmatically "solved" but not systematically...
<li class="fragment">Arch Linux: has rebuilders, though also lacks user tools and/or other integration</li>
<pre class="fragment">
-Arch Linux is 86.4% reproducible with 1701 bad, 8 unknown and 10849 good packages.
-[core] repository is 93.3% reproducible with 17 bad, 0 unknown and 238 good packages.
-[extra] repository is 94.1% reproducible with 171 bad, 8 unknown and 2860 good packages.
-[community] repository is 83.8% reproducible with 1481 bad, 0 unknown and 7674 good packages.
+Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
+[core] repository is 93.3% reproducible with 17 bad and 238 good packages.
+[extra] repository is 94.1% reproducible with 171 bad and 2860 good packages.
+[community] repository is 83.8% reproducible with 1481 bad and 7674 good packages.
</pre>
<li class="fragment">SuSE: active development, by one person, not enabled in official builds</li>
</ul>
@@ -356,36 +357,47 @@ Arch Linux is 86.4% reproducible with 1701 bad, 8 unknown and 10849 good package
<h3>Debian</h3>
</section>
+
<section data-background="images/debianreunionhh2022-hearts-bigger-diamond-i-dot-same-color-more-centered-bigger-hearts-pl.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3><em>My goals / wishes for</em> DebConf20 / last year</h3>
- <ul class="fragment">
- To share and widen the understanding of the status of reproducible bullseye:
- <li class="fragment">CI versus rebuilds</li>
- <li class="fragment">issues with buildinfos.debian.<em>net/org</em></li>
- <li class="fragment">thousands of packages without .buildinfo files in bullseye</li>
- <li class="fragment">fix and improve <em>debrebuild</em> (from src:devscripts)</li>
- <li class="fragment">other issues</li>
- <li class="fragment">using reproducible builds and user interfaces are not even on my radar (anymore), but we will need those too.</li>
- </ul>
+ <h3><em>Reproducible Builds were first discussed at DebConf13...</em></h3>
+ <p>..in a BoF hosted by Lunar sparking all of this. DebConf14 had another BoF.</p>
+ <p class="fragment">FOSDEM 2015: getting the wider FLOSS community involved. First summit at the end of 2015. Automated rebuilds. Diffoscope.</p>
+ <img class="fragment" src="images/dc15_1.jpg" width="85%">
+
</section>
<section data-background="images/debianreunionhh2022-hearts-bigger-diamond-i-dot-same-color-more-centered-bigger-hearts-pl.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>Status of those goals / wishes today</h3>
- <ul>
- <li class="fragment">CI versus rebuilds: some progress</li>
- <li class="fragment">issues with buildinfos.debian.<em>net/org</em>: better</li>
- <li class="fragment">thousands of packages without .buildinfo files in bullseye: solved</li>
- <li class="fragment">fix and improve <em>debrebuild</em> (from src:devscripts): partly addressed, huge infrastructure progress</li>
- <li class="fragment">other issues: always</li>
- <li class="fragment">using reproducible builds and user interfaces: getting closer</li>
- </ul>
+ <h3><em>How can we get this done...???</em></h3>
+ <p>at the beginning of the <em>Stretch</em> development cycle...</p>
+ <img src="images/dc15_2.jpg" width="85%">
+
</section>
<section data-background="images/debianreunionhh2022-hearts-bigger-diamond-i-dot-same-color-more-centered-bigger-hearts-pl.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3><em>Though first, my frustration (from 2020)</em></h3>
- <p class="fragment">I feel I have given warnings that the next Debian release will not be reproducible for years.</p>
+ <h3><em>Reproducible talks at least...?</em></h3>
+ <p>DebConf16</p>
+ <p>DebConf17</p>
+ <p>DebConf18</p>
+ <p>DebConf19</p>
+ <p>DebConf20</p>
+ <p>DebConf21</p>
+ <p>DebConf22</p>
+
+ <p class="fragment">"I feel I have given warnings that the next Debian release will not be reproducible for years." is a quote from last year.</p>
+ <p class="fragment">...and I feel fine! 😀</p>
+
</section>
+ <section data-background="images/debianreunionhh2022-hearts-bigger-diamond-i-dot-same-color-more-centered-bigger-hearts-pl.svg" data-background-size="12%" data-background-position="90% 10%">
+ <h3><em>Schrödingers h01ger: frustrated and happy.</em></h3>
+
+ <p>Indeed I have given warnings that the next Debian release will not be reproducible for years...</p>
+ <p>...and I feel fine! 😀</p>
+ <p class="fragment">Let me explain. First the frustration...</p>
+
+ </section>
+
+
<section data-background="images/debianreunionhh2022-hearts-bigger-diamond-i-dot-same-color-more-centered-bigger-hearts-pl.svg" data-background-size="12%" data-background-position="90% 10%">
<h3>Debian <em>9 / stretch</em></h3>
<p>The "reproducible in theory but not in practice" release</p>
@@ -404,22 +416,23 @@ Arch Linux is 86.4% reproducible with 1701 bad, 8 unknown and 10849 good package
<p>The "we are almost made it" release</p>
<h3>Debian <em>12 / bookworm</em></h3>
<p>The first Debian release with some meaningful reproducibility?</p>
+ <p class="fragment">This two slides (so far) were from last year...</p>
+ <h3 class="fragment">Debian <em>13 / trixie</em></h3>
+ <p class="fragment">I still haven't found what I'm looking for</p>
</section>
<!--========================================================= -->
-
<section data-background="images/debianreunionhh2022-hearts-bigger-diamond-i-dot-same-color-more-centered-bigger-hearts-pl.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>share and widen understanding of the status of reproducible Debian</h3>
- <p><em>CI versus rebuilds</em></p>
- </section>
+ <h3>Debian issues in depth</h3>
+ </section>
+
<!-- issues in-depth -->
- <section>
- <h3>Debian is wrong</h3>
- <p>93% reproducibility is a lie.<p>
+ <section data-background="images/debianreunionhh2022-hearts-bigger-diamond-i-dot-same-color-more-centered-bigger-hearts-pl.svg" data-background-size="12%" data-background-position="90% 10%">
+ <h3>93% reproducibility is a lie.</h3>
<p class="fragment">or rather: 93% are CI results.</p>
</section>
@@ -427,25 +440,26 @@ Arch Linux is 86.4% reproducible with 1701 bad, 8 unknown and 10849 good package
<section data-background="images/debianreunionhh2022-hearts-bigger-diamond-i-dot-same-color-more-centered-bigger-hearts-pl.svg" data-background-size="12%" data-background-position="90% 10%">
<h3>CI versus rebuilds:</h3>
<ul>
- <li>We have no <strong>Debian</strong> infrastructure rebuilding Debian packages. The reproducible-builds.org rebuilders are builders, not rebuilders.</li>
+ <li>We have no <strong>Debian</strong> infrastructure rebuilding Debian packages. The reproducible-builds.org rebuilders are builders, not rebuilders.<p class="fragment">https://beta.tests.reproducible-builds.org/debian <em>is showing</em> rebuilds of ftp.debian.org - huge thanks to Frédéric Pierret.</p></li>
<li class="fragment">Up until recently we had two main blockers for rebuilders:</li>
<ul>
<li class="fragment">>3000 packages without .buildinfo files, fixed by myself end of February 2021.</li>
<li class="fragment">snapshot.debian.org was (and is) unusable for rebuilds, fixed by Frédéric Pierret and josch since June 2021, by providing a partial mirror for amd64 only and only going back until January 2017.</li>
- <li class="fragment">see their talk on Thursday, August 26 at 21 UTC: "Making use of snapshot.debian.org for fun and profit"</li>
</ul>
</ul>
</section>
- <section>
- <h3>That number (93%) was wrong/from last year</h3>
+ <section data-background="images/debianreunionhh2022-hearts-bigger-diamond-i-dot-same-color-more-centered-bigger-hearts-pl.svg" data-background-size="12%" data-background-position="90% 10%">
+ <h3>That number (93%) was wrong/from two years ago</h3>
<ul>
- <li>we are at 95.5% (29599 out of 30896 source packages) CI reproducibiliy for bullseye now.<p>
+ <li>we are at 96.0% (29674 out of 30895 source packages) CI reproducibiliy for bullseye now.<p>
<li class="fragment">that's almost 2% up compared to buster (93.9%)</li>
- <li class="fragment">or almost 3000 more reproducible packages (29599 instead of 26682 in buster)</li>
+ <li class="fragment">or almost 3000 more reproducible packages (29674 instead of 26682 in buster)</li>
<li class="fragment">or even more impressive: we've solved one third of the remaining 6% buster had...</li>
+ <li class="fragment">but...</li>
+ <li class="fragment">we are at 94.8% (30482 out of 32153 source packages) CI reproducibiliy for <em>bookworm</em>! :/<p>
</ul>
</section>
@@ -453,9 +467,10 @@ Arch Linux is 86.4% reproducible with 1701 bad, 8 unknown and 10849 good package
<section data-background="images/debianreunionhh2022-hearts-bigger-diamond-i-dot-same-color-more-centered-bigger-hearts-pl.svg" data-background-size="12%" data-background-position="90% 10%">
<h3>"Solved" problems with <code>.buildinfo</code> files</h3>
<ul>
- <li>buildinfos.debian.net is just a proof of concept, but it kinda works.</li>
- <li class="fragment">we had >3000 packages without .buildinfo files... (solved).</li>
- <li class="fragment">#862073 ftp.debian.org: Please POST .buildinfo files to buildinfo.debian.net (worked around)</li>
+ <li>buildinfos.debian.net is just a proof of concept, but it kinda works. (though "<em>it's called a commit because my code is a crime</em>"...)</li>
+ <li class="fragment">we had >3000 packages without .buildinfo files... (solved, well...).</li>
+ <li class="fragment">I've found 782 more of those... I'll fix those, but NEW ones will keep coming..</li>
+ <li class="fragment">#862073 ftp.debian.org: Please POST .buildinfo files to buildinfo.debian.net (worked around poorly)</li>
<li class="fragment">#763822 ftp.debian.org: please include .buildinfo file in the archive (worked around poorly, causing issues with security updates)</li>
</ul>
</section>
@@ -464,8 +479,8 @@ Arch Linux is 86.4% reproducible with 1701 bad, 8 unknown and 10849 good package
<h3>Remaining problems with <code>.buildinfo</code> files</h3>
<ul>
<li class="fragment">#862538 security.debian.org: Please POST .buildinfo files to buildinfo.debian.net: <em>security updates only show up at point releases</em></li>
- <li class="fragment">#929397 ftp.d.o: please upload LTS .buildinfo files to ftp-master: <em>we have some time to fix this, bookworm will become LTS in 3 years or so</em></li>
- <li class="fragment">GPG keys expire...</li>
+ <li class="fragment">#929397 ftp.d.o: please upload LTS .buildinfo files to ftp-master: <em>we have some time to fix this, bookworm will become LTS in 2 years or so</em></li>
+ <!-- li class="fragment">GPG keys expire...</li -->
</ul>
</section>
@@ -478,7 +493,6 @@ Arch Linux is 86.4% reproducible with 1701 bad, 8 unknown and 10849 good package
<li class="fragment">most of them have addressed...</li>
<li class="fragment">but rebuilding needs a working snapshot.debian.org service and we found that snapshot.debian.org doesn't scale...</li>
<li class="fragment">snapshot.debian.org was (and is) unusable for rebuilds, fixed by Frédéric Pierret and josch since June 2021, by providing a partial mirror for amd64 only and only going back until January 2017.</li>
- <li class="fragment">see their talk on Thursday, August 26 at 21 UTC: "Making use of snapshot.debian.org for fun and profit"</li>
</ul>
</section>
@@ -513,11 +527,11 @@ Arch Linux is 86.4% reproducible with 1701 bad, 8 unknown and 10849 good package
</section>
<section data-background="images/debianreunionhh2022-hearts-bigger-diamond-i-dot-same-color-more-centered-bigger-hearts-pl.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3><em>other issues, release team related</em></h3>
+ <h3><em>other issues, release team area</em></h3>
<ul>
- <li>We are very happy that testing migration is blocked for binary uploads</li>
+ <li>We are very happy that testing migration is blocked for binary uploads.</li>
<li class="fragment">We very much like the idea of accellerating migration for reproducibility.</li>
- <li class="fragment">Debian policy: probably too early for "must", but maybe time for "must not regress"? (This needs rebuilders first.)</li>
+ <li class="fragment">Debian policy: too early for "must", but maybe for <em>trixie</em> we can have "must not regress"?</li>
</ul>
</section>
@@ -533,6 +547,7 @@ Arch Linux is 86.4% reproducible with 1701 bad, 8 unknown and 10849 good package
<p class="fragment">If so, please pick <em>one</em> of these bugs and help fixing it.<br />We need your help.</p>
<p class="fragment">https://wiki.debian.org/ReproducibleBuilds</p>
<br>
+ <p class="fragment"><em>I still haven't found what I'm looking for <br> but I'm confident we'll get there, eventually!</em></p>
<h3>
<small>Holger Levsen <holger at debian.org><br>
B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C</small>
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/d7e56dd951c31c3167c8f16e344c5eb49ee5bccc
--
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/d7e56dd951c31c3167c8f16e344c5eb49ee5bccc
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20220528/818a6d47/attachment.htm>
More information about the rb-commits
mailing list