[Git][reproducible-builds/reproducible-presentations][master] foss-north.se talk: final unfinal version

Holger Levsen (@holger) gitlab at salsa.debian.org
Mon Apr 24 11:32:38 UTC 2023



Holger Levsen pushed to branch master at Reproducible Builds / reproducible-presentations


Commits:
d6b122b9 by Holger Levsen at 2023-04-24T13:32:23+02:00
foss-north.se talk: final unfinal version

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -


4 changed files:

- + 2023-04-24-foss-north.se-R-B-the-first-10-years/images/stats_pkg_state_20150131.png
- + 2023-04-24-foss-north.se-R-B-the-first-10-years/images/stats_pkg_state_20230424.png
- 2023-04-24-foss-north.se-R-B-the-first-10-years/index.html
- 2023-04-24-foss-north.se-R-B-the-first-10-years/todo


Changes:

=====================================
2023-04-24-foss-north.se-R-B-the-first-10-years/images/stats_pkg_state_20150131.png
=====================================
Binary files /dev/null and b/2023-04-24-foss-north.se-R-B-the-first-10-years/images/stats_pkg_state_20150131.png differ


=====================================
2023-04-24-foss-north.se-R-B-the-first-10-years/images/stats_pkg_state_20230424.png
=====================================
Binary files /dev/null and b/2023-04-24-foss-north.se-R-B-the-first-10-years/images/stats_pkg_state_20230424.png differ


=====================================
2023-04-24-foss-north.se-R-B-the-first-10-years/index.html
=====================================
@@ -354,7 +354,7 @@ And the idea is also much older than 10 years...
           <li class="fragment">Who knows about Reproducible Builds, why and how?</li>
           <li class="fragment">Who contribute(s|d) to Reproducible Builds?</li>
           <li class="fragment">Who knows that Reproducible Builds have been known for more than 10 years?<span class="fragment"> >30 years?</span></li>
-          <li class="fragment">Who knows about SBOM? <span class="fragment">(Software Bill of Materials)</li>
+          <li class="fragment">Who knows about SBOM? <span class="fragment">(Software Bill of Materials) = our .buildinfo files from 2014!</li>
       </ul>
       </section>
  
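Review bot: The `<span class="fragment">` on the added SBOM line is never closed before `</li>`; add `</span>` after the .buildinfo text so the fragment ends inside the list item. The removed line had the same unclosed span, so this edit is the natural place to fix it.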
@@ -418,10 +418,17 @@ And the idea is also much older than 10 years...
    	<p class="fragment">https://lists.zx2c4.com/pipermail/wireguard/2023-April/008045.html
 	<br />Wireguard (VPN app for Android) builds are now reproducible, their release is identical on their website, Google Play Store and F-Droid. 🎯🎯🎯🥳
 	<br />(it's more complicated than that, see their mail.)</p>
-   	<p class="fragment">We were not even informed. 🥲  people just do reproducible builds as normal part of their work nowadays. 🤗</p>
+   	<p class="fragment">We were not even informed. 🥲  Poeople just do reproducible builds as normal part of their work nowadays. 🤗</p>
 	
 	</section>
 
+      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
+	<h3>People just do reproducible builds as normal part of their work nowadays.<h3>
+   	<p style="font-size: 500%">🤗</p>
+	
+	</section>
+
+
       <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
         <h2>How did we get there?</h2>
 	<li class="fragment">Edward Snowden</li>
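Review bot: The heading on the new slide ends with a second `<h3>` instead of `</h3>`, so the tag after "nowadays." opens another heading rather than closing the first; change it to `</h3>`. The reworded paragraph just above the new slide also introduces the typo "Poeople" for "People".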
@@ -461,7 +468,7 @@ And the idea is also much older than 10 years...
         <h2>Detour: unexpected benefits of reproducible builds</h2>
 	<li class="fragment">in 2022 I learned about an Italian company doing certification for gambling machines using diffoscope...</li>
 	<li class="fragment">Licence compliance: you can only be sure a binary is Free Software if it can be (re-)built reproducibly from a given source.</li>
-	<li class="fragment">Software development: does this change really have no effect?</li>
+	<li class="fragment">Software development: does this change really have no effect / the desired effect only?</li>
 	</section>
 
       <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
@@ -481,6 +488,16 @@ And the idea is also much older than 10 years...
 	<li class="fragment">Mike Perry and Seth Schoen gave that presentation at CCCongress in December 2014 showing "my" graphs. Wow.</li>
 	</section>
 
+      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
+	<h3>Debian unstable, 20150131</h3>
+	<img src="images/stats_pkg_state_20150131.png">
+	</section>
+
+      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
+	<h3>Debian unstable, 20230424</h3>
+	<img src="images/stats_pkg_state_20230424.png">
+	</section>
+
       <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
         <h2>2015</h2>
 	<li class="fragment">FOSDEM talk by Lunar and myself, inviting the Free Software world at large to collaborate and tackle this problem.</li>
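Review bot: Both new `<img>` tags, for stats_pkg_state_20150131.png and stats_pkg_state_20230424.png, have no alt attribute. A short alt text naming the suite and date of each graph would keep the two slides meaningful when an image fails to load or the deck is read with a screen reader.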
@@ -489,6 +506,145 @@ And the idea is also much older than 10 years...
 	<li class="fragment">1st Reproducible Builds Summit in Athens.</li>
 	</section>
 
+      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
+        <h2>Reproducible Builds Summits</h2>
+	<li>2015 Athens</li>
+	<li>2016 Berlin</li>
+	<li>2017 Berlin</li>
+	<li>2018 Paris</li>
+	<li>2019 Marrakech</li>
+	<li>2022 Venice</li>
+	<li class="fragment">2023 Hamburg</li>
+	</section>
+
+      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
+        <h2>Projects at Reproducible Builds Summits</h2>
+	<p style="font-size: 80%">Alpine Linux, 
+Apache Maven, 
+Arch Linux, 
+baserock, 
+Bazel, 
+bootstrappable.org, 
+coreboot, 
+CoyIM, 
+Debian, 
+Eclipse Adoptium, 
+EdgeBSD, 
+F-Droid, 
+Fedora, 
+FreeBSD, 
+GNU Guix, 
+GNU Mes, 
+Google, 
+Guardian Project, 
+Guix, 
+Homebrew, 
+Huawei, 
+Indiana University (IU), 
+in-toto, 
+IPFS, 
+LEAP, 
+LEDE, 
+MacPorts, 
+Max Planck Institute for Security and Privacy (MPI-SP), 
+Microsoft, 
+MirageOS, 
+muinín, 
+NetBSD, 
+New York University (NYU), 
+NixOS, 
+Octez / Tezos, 
+openSUSE, 
+OpenWrt, 
+pantsbuild.org, 
+pkgsrc, 
+Qubes OS, 
+Quinel Ltd, 
+repeatr.io, 
+riot-os.org, 
+Software Freedom Conservancy, 
+subuser.org, 
+Tails, 
+Tor Project, 
+Ubuntu, 
+University of Pennsylvania (UPenn) and
+Warpforge.
+</p>
+	<p>(There were more but we were asked to only mention these.)
+	</p>
+	</section>
+
+      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
+        <h2>Common reasons for unreproducibilities</h2>
+	<li>timestamps, timestamps, timestamps<li>
+	<li>timestamps, timestamps, timestamps<li>
+	<li>build pathes, build pathes<li>
+	<li>all the rest</li>
+	<li class="fragment">I'll just explain here how to address time stamps and build pathes embedded in build products.<li>
+	</section>
+
+      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
+        <h2>SOURCE_DATE_EPOCH</h2>
+	<li>who knows about SOURCE_DATE_EPOCH?</li>
+	<li class="fragment">build time stamps are meaningless. SOURCE_DATE_EPOCH describes the time of the last modification of the source.</li>
+	<li class="fragment">supported by <b>a lot</b> of software today.</li>
+	<li class="fragment">show https://reproducible-builds.org/docs/source-date-epoch/</li>
+	</section>
+
+      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
+        <h2>build path variation</h2>
+	<li>The solution is simple. But it took me almost 10 years to get there.</li>
+	<li class="fragment">First we tried to fix them. Still a valid and useful approach.</li>
+	<li class="fragment">Then we quickly came up with a workaround: record the build path and do rebuilds in the same build path.</li>
+	<li class="fragment">Last week, in discussion with Vagrant a much simpler solution occured to me: just don't vary the build path, instead use predictable build pathes like <code>/buildpath/linux-6.2.23</code></li>
+	</section>
+
+      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
+	<h3>Debian unstable, 20230424</h3>
+	<img src="images/stats_pkg_state_20230424.png">
+	</section>
+
+      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
+	<h3>Debian bookworm, 20230424</h3>
+	<img src="images/stats_pkg_state_bookworm_20230424.png">
+	</section>
+
+      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
+	<h3>more history needs to be written</h3>
+	<li>https://reproducible-builds.org/docs/history/ ends in 2015.😟</li>
+	<li>Arch Linux has done a lot. Rebuilders and pacman-bintrans.<li>
+	<li>CI builds vs rebuilders.</li>
+	<li>Fedora finally enabled r-b macros for RPM.</li>
+	<li>SBOM should be mentioned. And that without reproducible builds SBOMs are rather meaningless, while with them, those are <u>verified SBOMs</u>!.</li>
+	<li>Help would be very much welcome to write our history. While it's fresh, and not 30 years later.</li>
+	</section>
+
+      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
+        <br>
+        <h3>
+          Thank you
+          <br><small>… and all the contributors out there!</small>
+        </h3>
+        <p class="fragment">Do you think reproducible builds should happen?<br> If so, please help.<br />We need your help.</p>
+        <p class="fragment"><em>I still haven't found what I'm looking for <br> but I'm confident we'll get there, eventually!</em></p>
+        <h3>
+          <small>Holger Levsen <holger at debian.org><br>
+		B8BF 5413 7B09 D35C F026  FE9D 091A B856 069A AA1C</small>
+        </h3>
+      </section>
+
+      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
+        <br>
+        <h3>
+          The end?
+        </h3>
+        <p>Or do you want to hear more?</p>
+        <p class="fragment">The following slides are from September 2022...</p>
+        <p class="fragment">as the saying goes: "please excuse this long letter, I didn't have the time for a shorter one."</p>
+      </section>
+
+
+
 
       <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
         <h3>Short overview of reproducibility of other projects (all AIUI)</h3>
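Review bot: The "Debian bookworm, 20230424" slide references images/stats_pkg_state_bookworm_20230424.png, but this commit only adds stats_pkg_state_20150131.png and stats_pkg_state_20230424.png. Unless the bookworm file is already in the repository, that slide will show a broken image. Several added list items end with `<li>` instead of `</li>`, which produces empty extra list items: the two timestamps lines, the build pathes line and the fragment line under "Common reasons for unreproducibilities", and the Arch Linux line under "more history needs to be written". On the "Thank you" slide the address in angle brackets after "Holger Levsen" should use `&lt;` and `&gt;`, otherwise the browser parses it as a tag and does not display it. Smaller points: "pathes" should be "paths", "occured" should be "occurred", and the project list names both "GNU Guix" and "Guix".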
@@ -878,7 +1034,6 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
     	<li class="fragment">I still haven't found what I'm looking for...!</li>
     	<li class="fragment">100% reproducible packages and distributed images for <code>trixie+1</code>?</li>
     	<li class="fragment">What else?</li>
-    	<li class="fragment">A liveable planet would also be really really nice. 🥵😱 Kinda off-topic here, but I still wanted to at least once mention the big elephant in every room. 🐘 </li>
 	</ul>
       </section>
 


=====================================
2023-04-24-foss-north.se-R-B-the-first-10-years/todo
=====================================
@@ -1,11 +1,12 @@
 TODO:
 
-summit
+summits
+	participating projects 
+
 arch rebuilders
 snapshot
 
 
-
 debconf talks
 
 /docs/history 



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/d6b122b9f2c5e19fe1919f601f3a4d4923742fff
