[Git][reproducible-builds/reproducible-presentations][master] 2 commits: 10 years r-b: adjust logo for bornhack 23
Holger Levsen (@holger)
gitlab at salsa.debian.org
Fri Aug 4 14:29:59 UTC 2023
Holger Levsen pushed to branch master at Reproducible Builds / reproducible-presentations
Commits:
7eaa6eeb by Holger Levsen at 2023-08-04T12:51:05+02:00
10 years r-b: adjust logo for bornhack 23
Signed-off-by: Holger Levsen <holger at layer-acht.org>
- - - - -
87b96c43 by Holger Levsen at 2023-08-04T16:29:37+02:00
10 years r-b bornhack talk: wip
Signed-off-by: Holger Levsen <holger at layer-acht.org>
- - - - -
5 changed files:
- + 2023-08-04-R-B-the-first-10-years/images/bornhack23.png
- + 2023-08-04-R-B-the-first-10-years/images/stats_pkg_state_20230804.png
- + 2023-08-04-R-B-the-first-10-years/images/stats_pkg_state_bookworm_20230804.png
- + 2023-08-04-R-B-the-first-10-years/images/stats_pkg_state_trixie_20230804.png
- 2023-08-04-R-B-the-first-10-years/index.html
Changes:
=====================================
2023-08-04-R-B-the-first-10-years/images/bornhack23.png
=====================================
Binary files /dev/null and b/2023-08-04-R-B-the-first-10-years/images/bornhack23.png differ
=====================================
2023-08-04-R-B-the-first-10-years/images/stats_pkg_state_20230804.png
=====================================
Binary files /dev/null and b/2023-08-04-R-B-the-first-10-years/images/stats_pkg_state_20230804.png differ
=====================================
2023-08-04-R-B-the-first-10-years/images/stats_pkg_state_bookworm_20230804.png
=====================================
Binary files /dev/null and b/2023-08-04-R-B-the-first-10-years/images/stats_pkg_state_bookworm_20230804.png differ
=====================================
2023-08-04-R-B-the-first-10-years/images/stats_pkg_state_trixie_20230804.png
=====================================
Binary files /dev/null and b/2023-08-04-R-B-the-first-10-years/images/stats_pkg_state_trixie_20230804.png differ
=====================================
2023-08-04-R-B-the-first-10-years/index.html
=====================================
@@ -140,7 +140,7 @@
Bornhack 2023
</small>
</h6>
- <img src="images/2023logo.svg" style="height: 70px;">
+ <img src="images/bornhack23.png" style="height: 70px;">
</section>
@@ -169,7 +169,7 @@ And the idea is also much older than 10 years...
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>very incomplete list of people<br>who have been working on this <em>so far</em></h3>
<p style="font-size: 42%">
@@ -338,7 +338,7 @@ And the idea is also much older than 10 years...
</p>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<p>Who am I</p>
<ol>
<li>Holger Levsen / holger at debian.org, located in Hamburg, Germany</li>
@@ -350,7 +350,7 @@ And the idea is also much older than 10 years...
</ol>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>About you</h3>
<ul>
<li class="fragment">Who knows about Reproducible Builds, why and how?</li>
@@ -364,12 +364,12 @@ And the idea is also much older than 10 years...
<img class="fragment" src="images/logo.png" width="584">
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h1>Introduction</h1>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>The problem</h3>
<ul>
<li class="fragment">Source code of free software available</li>
@@ -379,7 +379,7 @@ And the idea is also much older than 10 years...
</ul>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>The solution</h3>
<ul>
<li class="fragment">Enable anyone to independently verify that a given source produces bit by bit identical results.</li>
@@ -388,7 +388,7 @@ And the idea is also much older than 10 years...
</ul>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>The definition</h3>
<ul>
<li style="font-size: 80%">When is a build reproducible?</li>
@@ -400,7 +400,7 @@ And the idea is also much older than 10 years...
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<p> By now this has been widely and largly understood:
<br><span class="fragment" style="font-size: 100%">https://reproducible-builds.org/resources/
<br>https://reproducible-builds.org/docs/
@@ -415,7 +415,7 @@ And the idea is also much older than 10 years...
<h3>https://reproducible-builds.org</h3>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h2>Fast forward to 2023</h2>
<p class="fragment">https://lists.zx2c4.com/pipermail/wireguard/2023-April/008045.html
<br />Wireguard (VPN app for Android) builds are now reproducible, their release is identical on their website, Google Play Store and F-Droid. 🎯🎯🎯🥳
@@ -424,27 +424,27 @@ And the idea is also much older than 10 years...
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>People just do reproducible builds as normal part of their work nowadays.<h3>
<p style="font-size: 500%">🤗</p>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h2>How did we get there?</h2>
<li class="fragment">Money</li>
<li class="fragment">Edward Snowden</li>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h2>Why money?</h2>
<li class="fragment">Bitcoin</li>
<li class="fragment">Gitian</li>
<li class="fragment">Bitcoin (the software) was reproducible in 2011.</li>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h2>Why Snowden</h2>
<li class="fragment">Well...</li>
<li class="fragment">Mike Perry made Torbrowser reproducible in 2013.</li>
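Review bot: In the "People just do reproducible builds as normal part of their work nowadays." section the heading is terminated with a second opening `<h3>` instead of `</h3>`, so the browser has to guess where the heading ends and the emoji paragraph may be parsed inside it. Since this hunk already touches that section, change the trailing `<h3>` to `</h3>` in the same commit.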
@@ -452,36 +452,43 @@ And the idea is also much older than 10 years...
<li class="fragment">Lunar's BoF at DebConf13.</li>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h2>How did we get there?</h2>
+ <li>Money</li>
+ <li>Edward Snowden</li>
+ <li class="fragment">...and a LOT of work by MANY people.</li>
+ </section>
+
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h2>Even earlier works</h2>
<li class="fragment">Show that thread on debian-devel at lists.debian.org from 2007</li>
<li class="fragment">Though the idea initially appeared in 2000 on debian-devel at l.d.o.</li>
<li class="fragment">And then in 2017 we learned from John Gilmore on rb-general at lists.reproducible-builds.org that GCC was reproducible in the early 1990s on several architectures!</li>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h2>Detour: early computing </h2>
<li>in 2015 I've heard rumors, that in the past slot machines had to be reproducible, due to VAT fraud fears.</li>
<li class="fragment">fact: when machines had 4kb memory, some people knew every bit. That culture got lost when 640kb where not enough anymore...</li>
<li class="fragment">when machines got closer to 640 gigabye of memory the idea that someone would know every bit had become unimagineable.</li>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h2>Detour: diffoscope</h2>
+ <li class="fragment">Who knows about diffoscope?</li>
+ <li class="fragment">Who uses diffoscope?</li>
+ <li class="fragment">https://diffoscope.org</li>
+ <li class="fragment">https://try.diffoscope.org</li>
+ </section>
+
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h2>Detour: unexpected benefits of reproducible builds</h2>
<li class="fragment">in 2022 I learned about an Italian company doing certification for gambling machines using diffoscope...</li>
<li class="fragment">Licence compliance: you can only be sure a binary is Free Software if it can be (re-)built reproducibly from a given source.</li>
<li class="fragment">Software development: does this change really have no effect / the desired effect only?</li>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h2>Detour: diffoscope</h2>
- <li class="fragment">Who knows about diffoscope?</li>
- <li class="fragment">Who uses diffoscope?</li>
- <li class="fragment">show https://diffoscope.org</li>
- <li class="fragment">mention https://try.diffoscope.org</li>
- </section>
-
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h2>Back to 2013 onward</h2>
<li>Lunar's BoF at DebConf13.</li>
<li class="fragment">another BoF at DebConf14</li>
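Review bot: The added "How did we get there?" recap section puts its four `<li>` elements directly under `<section>` with no `<ul>` or `<ol>` parent, which is invalid HTML and leaves bullet rendering to the browser's error recovery; wrap them in `<ul>`, as the "About you" and "The problem" slides do. While in this area, the neighbouring "Detour: early computing" slide text has typos that will be visible on screen: "640kb where not enough" (were), "gigabye" and "unimagineable".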
@@ -490,25 +497,26 @@ And the idea is also much older than 10 years...
<li class="fragment">Mike Perry and Seth Schoen gave that presentation at CCCongress in December 2014 showing "my" graphs. Wow.</li>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>Debian unstable, 20150131</h3>
<img src="images/stats_pkg_state_20150131.png">
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>Debian unstable, 20230424</h3>
- <img src="images/stats_pkg_state_20230424.png">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>Debian unstable, 20230804</h3>
+ <img src="images/stats_pkg_state_20230804.png">
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h2>2015</h2>
<li class="fragment">FOSDEM talk by Lunar and myself, inviting the Free Software world at large to collaborate and tackle this problem.</li>
+ <li class="fragment">debbindiff renamed to diffoscope</li>
+ <li class="fragment">SOURCE_DATE_EPOCH spec</li>
<li class="fragment">CCCamp presentation by Lunar, showing many problems and their solutions.</li>
- <li class="fragment">SOURCE_DATE_EPOCH specification: https://reproducible-builds.org/specs/source-date-epoch/</li>
<li class="fragment">1st Reproducible Builds Summit in Athens.</li>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h2>Reproducible Builds Summits</h2>
<li>2015 Athens</li>
<li>2016 Berlin</li>
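Review bot: In the 2015 slide the new "SOURCE_DATE_EPOCH spec" item drops the link https://reproducible-builds.org/specs/source-date-epoch/ that the removed line carried, so anyone reading the slides afterwards no longer gets a pointer to the specification from this slide. Consider keeping the URL on the reordered item, or confirm that the later SOURCE_DATE_EPOCH slide is meant to be the only reference.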
@@ -519,7 +527,7 @@ And the idea is also much older than 10 years...
<li class="fragment">2023 Hamburg</li>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h2>Projects at Reproducible Builds Summits</h2>
<p style="font-size: 80%">Alpine Linux,
Apache Maven,
@@ -576,80 +584,8 @@ Warpforge.
</p>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h2>Common reasons for unreproducibilities</h2>
- <li>timestamps, timestamps, timestamps<li>
- <li>timestamps, timestamps, timestamps<li>
- <li>build pathes, build pathes<li>
- <li>all the rest</li>
- <li class="fragment">I'll just explain here how to address time stamps and build pathes embedded in build products.<li>
- </section>
-
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h2>SOURCE_DATE_EPOCH</h2>
- <li>who knows about SOURCE_DATE_EPOCH?</li>
- <li class="fragment">build time stamps are meaningless. SOURCE_DATE_EPOCH describes the time of the last modification of the source.</li>
- <li class="fragment">supported by <b>a lot</b> of software today.</li>
- <li class="fragment">show https://reproducible-builds.org/docs/source-date-epoch/</li>
- </section>
-
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h2>build path variation</h2>
- <li>The solution is simple. But it took me almost 10 years to get there.</li>
- <li class="fragment">First we tried to fix them. Still a valid and useful approach.</li>
- <li class="fragment">Then we quickly came up with a workaround: record the build path and do rebuilds in the same build path.</li>
- <li class="fragment">in April 2023 in a discussion with Vagrant a much simpler solution came up: just don't vary the build path, instead use predictable build pathes like <code>/buildpath/linux-6.2.23</code></li>
- </section>
-
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>Debian unstable, 20230424</h3>
- <img src="images/stats_pkg_state_20230424.png">
- </section>
-
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>Debian bookworm, 20230424</h3>
- <img src="images/stats_pkg_state_bookworm_20230424.png">
- </section>
-
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>more history needs to be written</h3>
- <li>https://reproducible-builds.org/docs/history/ ends in 2015.😟</li>
- <li>Arch Linux has done a lot. Rebuilders and pacman-bintrans.<li>
- <li>CI builds vs rebuilders.</li>
- <li>Fedora finally enabled r-b macros for RPM.</li>
- <li>SBOM should be mentioned. And that without reproducible builds SBOMs are rather meaningless, while with them, those are <u>verified SBOMs</u>!.</li>
- <li>Help would be very much welcome to write our history. While it's fresh, and not 30 years later.</li>
- </section>
-
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <br>
- <h3>
- Thank you
- <br><small>… and all the contributors out there!</small>
- </h3>
- <p class="fragment">Do you think reproducible builds should happen?<br> If so, please help.<br />We need your help.</p>
- <p class="fragment"><em>I still haven't found what I'm looking for <br> but I'm confident we'll get there, eventually!</em></p>
- <h3>
- <small>Holger Levsen <holger at debian.org><br>
- B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C</small>
- </h3>
- </section>
-
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <br>
- <h3>
- The end?
- </h3>
- <p>Or do you want to hear more?</p>
- <p class="fragment">The following stats are mostly from September 2022...</p>
- <p class="fragment">as the saying goes: "please excuse this long letter, I didn't have the time for a shorter one."</p>
- </section>
-
-
-
-
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>Short overview of reproducibility of other projects (all AIUI)</h3>
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>Short overview of reproducibility of various projects (AIUI)</h3>
<ul class="fragment">Tails: "easy", pragmatically "solved" but not systematically...
<li class="fragment">Arch Linux: has rebuilders, though also lacks user tools and/or other integration</li>
<pre class="fragment">
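Review bot: This hunk deletes the "Thank you" closing slide, including the contact address and OpenPGP fingerprint, together with the "more history needs to be written" slide, and none of the hunks shown here adds them back. The timestamp, build path and SOURCE_DATE_EPOCH slides removed here do reappear further down, so please confirm the closing slide is intentionally gone and not just lost in the reordering of this wip commit. Separately, the retained `<ul class="fragment">` carries the Tails text as a direct child of the list rather than inside an `<li>`.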
@@ -662,8 +598,8 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
</ul>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>Short overview of reproducibility of other projects (all AIUI), continued</h3>
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>Short overview of reproducibility of various projects, continued</h3>
<li class="fragment">nixOS: https://reproducible.nixos.org: 1570 out of 1572 (99.87%) paths in the minimal installation image are reproducible!</li>
<li class="fragment">GNU Guix: also reproducible by design (like nixOS) - <em>guix-challenge</em></li>
<li class="fragment">Yocto: support for reproducible images</li>
@@ -672,77 +608,82 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
</ul>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>Short overview of reproducibility of other projects (all AIUI), continued</h3>
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>Short overview of reproducibility of various projects, continued</h3>
<li class="fragment">Alpine: basic support</li>
<li class="fragment">FreeBSD/NetBSD/OpenBSD: basic support</li>
<li class="fragment">Fedora/Redhat/Ubuntu: not interested it seems</li>
- <li class="fragment">though Fedora recently enabled r-b features via a makro</li>
+ <li class="fragment">though Fedora 38 (April 2023) enabled clamping mtimes of package files using SOURCE_DATE_EPOCH from changelog</li>
</ul>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>Summary of reproducibility of other projects (all AIUI)</h3>
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>Summary of reproducibility of various projects</h3>
<p>Many projects support reproducible builds by now, but it's unclear what that means, how it's enforced and how users can know and be confident.</p>
- <p class="fragment">Also: 96% is hardly ever enough, bad for two reasons..</p>
- <p class="fragment">🎶 I still haven't found what I'm looking for 🎶.</p>
+ <p class="fragment">I call it reproducible in theory or in CI.</p>
+ <p class="fragment">Though this is frustrating, it's also a massive success: this was thought impossible not long ago.</p>
+ <p class="fragment">Finally: 96% is not good enough.</p>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>Some more information ;-)</h3>
- </section>
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h2>Common reasons for unreproducibilities:</h2>
+ <li class="fragment">timestamps, timestamps, timestamps<li>
+ <li class="fragment">timestamps, timestamps, timestamps<li>
+ <li class="fragment">build pathes, build pathes<li>
+ <li class="fragment">all the rest</li>
+ <li class="fragment">422 known issue types in reproducible-notes.git<li>
+ </section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>I probably didn't backdoor this</h3>
- <li>https://github.com/kpcyrd/i-probably-didnt-backdoor-this</li>
- <li class="fragment">a fine manual...</li>
- <li class="fragment">simple <em>hello world</em> in Rust</li>
- <li class="fragment">Reproducing the ELF binary</li>
- <li class="fragment">Reproducing the Docker image</li>
- <li class="fragment">Reproducing the Arch Linux package</li>
- </ul>
- </section>
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h2>SOURCE_DATE_EPOCH</h2>
+ <li>who knows about SOURCE_DATE_EPOCH?</li>
+ <li class="fragment">build time stamps are meaningless. SOURCE_DATE_EPOCH describes the time of the last modification of the source.</li>
+ <li class="fragment">supported by <b>a lot</b> of software today.</li>
+ <li class="fragment">show https://reproducible-builds.org/docs/source-date-epoch/</li>
+ </section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>The unreproducible package</h3>
- <li>https://github.com/bmwiedemann/theunreproduciblepackage</li>
- <li class="fragment">It's much easier to show common pitfalls making a package unreproducible than the opposite...</li>
- </ul>
- </section>
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h2>build path variation</h2>
+ <li>The solution is simple. But it took me almost 10 years to get there.<span class="fragment" Again."</span></li>
+ <li class="fragment">First we tried to fix them. Still a valid and useful approach.</li>
+ <li class="fragment">Then we quickly came up with a workaround: record the build path and do rebuilds in the same build path.</li>
+ <li class="fragment">in April 2023 in a discussion with Vagrant a much simpler solution came up: just don't vary the build path, instead use predictable build pathes like <code>/buildpath/linux-6.2.23</code></li>
+ </section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>https://reproducible-builds.org/docs</h3>
- </section>
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>back to Debian again</h3>
+ </section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>Debian</h3>
- </section>
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>Debian unstable, 20230804</h3>
+ <img src="images/stats_pkg_state_20230804.png">
+ </section>
-
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3><em>Reproducible Builds were first discussed at DebConf13...</em></h3>
- <p>..in a BoF hosted by Lunar sparking all of this. DebConf14 had another BoF.</p>
- <p class="fragment">Automated test builds at the end of 2014.</p>
- <p class="fragment">FOSDEM 2015: getting the wider FLOSS community involved.</p>
- <p class="fragment">diffoscope!</p>
- <p class="fragment">First summit at the end of 2015 in Athens.</p>
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>Debian bookworm, 20230804</h3>
+ <img src="images/stats_pkg_state_bookworm_20230804.png">
+ </section>
- </section>
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>Debian trixie, 20230804</h3>
+ <img src="images/stats_pkg_state_trixie_20230804.png">
+ </section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3><em>DebConf15 had four people giving the talk...</em></h3>
<img src="images/dc15_1.jpg" width="85%">
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3><em>“How can we get this done...???”</em></h3>
<p>We wondered at the beginning of the <em>Stretch</em> development cycle.</p>
<img src="images/dc15_2.jpg" width="85%">
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3><em>Reproducible talks at least...?</em></h3>
<p>DebConf16</p>
<p>DebConf17</p>
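Review bot: The added first bullet of the "build path variation" slide contains a malformed tag, `<span class="fragment" Again."</span>`: the opening tag is missing its closing `>` and has a stray quote, so "Again." will be parsed as attribute junk and never shown. It should read `<span class="fragment"> Again.</span>`. In the re-added "Common reasons for unreproducibilities:" slide, four of the five items end in `<li>` rather than `</li>`, which produces empty extra bullets, and the Fedora 38 item is still followed by a `</ul>` with no matching `<ul>` in that section.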
@@ -756,75 +697,68 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3><em>Schrödingers h01ger: frustrated and happy.</em></h3>
<p>Indeed I have given warnings that the next Debian release will not be reproducible for years...</p>
<p>...and I feel fine! 😀</p>
- <p class="fragment">Let me explain. First the frustration...</p>
+ <p class="fragment">Again: we've made massive progress. In theory (96%) and in practice its more complicated...</p>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>Debian <em>9 / stretch</em></h3>
<p>The "reproducible in theory but not in practice" release</p>
<h3>Debian <em>10 / buster</em></h3>
- <p>The "we could be reproducible but we are not" release</p>
+ <p>The "we could have been reproducible but we are not" release</p>
<h3>Debian <em>11 / bullseye</em></h3>
<p>The "we are almost there but still haven't sorted out some requirements" release</p>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>Debian <em>9 / stretch</em></h3>
<p>The "reproducible in theory but not in practice" release</p>
<h3>Debian <em>10 / buster</em></h3>
- <p>The "we could be reproducible but we are not" release</p>
+ <p>The "we could have been reproducible but we are not" release</p>
<h3>Debian <em>11 / bullseye</em></h3>
<p>The "we are almost made it" release</p>
<h3>Debian <em>12 / bookworm</em></h3>
- <p>The first Debian release with some meaningful reproducibility?</p>
+ <p>The first Debian release with some meaningful reproducibility!</p>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <p>The previous two slides were from last year...</p>
- <br>
- <h3>Debian <em>12 / bookworm</em></h3>
- <p>The first Debian release with some meaningful/usable reproducibility?!?</p>
- <h3 class="fragment">Debian <em>13 / trixie</em></h3>
- <p class="fragment">I still haven't found what I'm looking for</p>
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>Debian <em>13 / trixie</em></h3>
+ <p class="fragment">We now have two years, again.</p>
</section>
<!--========================================================= -->
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>Debian issues in depth</h3>
- </section>
<!-- issues in-depth -->
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>96% reproducibility is a lie.</h3>
<p class="fragment">or rather: 96% are CI results.</p>
<p class="fragment">I explain what's "wrong" with CI results in a moment...</p>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>96% reproducibility is neither a lie nor useless...</h3>
<img class="fragment" src="images/stats_bugs_state.png">
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>96% reproducibility is neither a lie nor useless...</h3>
<img src="images/stats_bugs_sin_ftbfs_state.png">
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>96% in detail</h3>
<ul>
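Review bot: On the "Schrödingers h01ger" slide the new fragment reads "In theory (96%) and in practice its more complicated...": "its" should be "it's", and the sentence would be clearer split as "In theory (96%); in practice it's more complicated...". The hunk also removes the "Debian issues in depth" title slide but leaves the `<!-- issues in-depth -->` comment behind, which now labels nothing in particular; either drop the comment or keep it directly above the "96% reproducibility is a lie." section on purpose.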
@@ -836,7 +770,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>Did I say <em>bullseye</em>?</h3>
<ul>
<li>So what about <em>bookworm</em>?
@@ -849,7 +783,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>CI versus rebuilds:</h3>
<ul>
<li>We have no <strong>Debian</strong> infrastructure rebuilding Debian packages. The reproducible-builds.org rebuilders are builders, not rebuilders.</li>
@@ -863,7 +797,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
</ul>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>CI versus rebuilds:</h3>
<ul>
<li class="fragment">We have no <strong>Debian</strong> infrastructure rebuilding Debian packages. The reproducible-builds.org rebuilders are builders, not rebuilders.</li>
@@ -874,26 +808,26 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
</ul>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h4>https://beta.tests.reproducible-builds.org/debian</h4>
<img class="fragment" src="images/bookworm_build-essential.amd64+all.png">
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h4>https://beta.tests.reproducible-builds.org/debian</h4>
<img src="images/bookworm_key_packages.amd64+all.png">
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h4>https://beta.tests.reproducible-builds.org/debian</h4>
<img src="images/bookworm_full.amd64+all.png">
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h4>https://beta.tests.reproducible-builds.org/debian</h4>
<ul>
unreproducible in build-essential:
@@ -902,7 +836,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
</ul>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h4>https://beta.tests.reproducible-builds.org/debian</h4>
<ul>
<li>amd64 only, also because our snapshot mirror is amd64 only</li>
@@ -911,7 +845,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>working around snapshot.debian.org</h3>
<ul>
<li class="fragment">snapshot.debian.org was (and is) unusable for rebuilds, fixed by Frédéric Pierret and josch since June 2021, by providing a partial mirror for amd64 only and only going back until January 2017.</li>
@@ -920,7 +854,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
</ul>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>improvements to our snapshot.debian.org mirror</h3>
<ul>
<li class="fragment">soon to be hosted at OSUOSL as snapshot.reproducible-builds.org</li>
@@ -929,7 +863,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>"Solved" problems with <code>.buildinfo</code> files</h3>
<ul style="font-size: 98%">
<li class="fragment">we had >3000 packages without .buildinfo files, I NMUed all of them (with the help of David Bremner!) 😇 Just NEW ones will keep coming...</li>
@@ -941,7 +875,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>And then, meaningful reproducibilty of Debian is still not possible because:</h3>
<ul>
<li class="fragment">linux, gcc and glibc are our current blockers getting <em>build-essential</em> reproducible in <em>bookworm</em>.</li>
@@ -952,7 +886,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>meaningful reproducibilty of Debian d-i images<br>(amd64 only)</h3>
<ul>
<li class="fragment">Debian installer images, are reproducible when build from git, as shown by Roland Clobus. The problem here is that automated testing of d-i images fails almost constantly in sid and testing...</li>
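Review bot: the context lines of this slide carry text errors worth fixing while the section is being touched: the heading spells "reproducibilty" (the same misspelling is in the headings of the slide before and the slide after), and the list item reads "Debian installer images, are reproducible when build from git", which should lose the comma and use "built".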
@@ -960,7 +894,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>meaningful reproducibilty of Debian live images<br>(amd64 only)</h3>
<ul>
<li class="fragment">Debian Live images are reproducible using <em>live-build</em> as shown by Roland Clobus.</em>.</li>
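Review bot: the list item in this slide ends with "as shown by Roland Clobus.</em>.</li>", i.e. a closing </em> with no matching open tag followed by a second full stop. The <em> around live-build is already closed earlier on the line, so the tail should simply be "Roland Clobus.</li>".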
@@ -973,7 +907,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>more on d-i and live images</h3>
<ul>
<li class="fragment">Roland Clobus gave a talk at the Debian Reunion Hamburg about his efforts to revive live-images.</li>
@@ -985,7 +919,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3><em>other issues, release team area</em></h3>
<ul>
<li>We are very happy that testing migration is blocked for binary uploads.</li>
@@ -994,47 +928,91 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
</ul>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3><em>other issues, salsa CI related</em></h3>
<ul>
<li>"btw", <em>reprotest</em> is basically unmaintained upstream.</li>
</ul>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
- <h3>bookworm goals</h3>
- 6 months until the freeze.
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>trixie goals</h3>
+ More than 12 months until the next freeze.
<ul>
<li class="fragment">0 packages without .buildinfo files..</li>
- <li class="fragment">build-essential reproducible.</li>
+ <li class="fragment">build-essential reproducible, at last and at least.</li>
<li class="fragment">d-i images reproducible.</li>
- <li class="fragment">live images reproducible.</li>
- <li class="fragment">more archs on our snapshot mirror (arm64?).</li>
- <li class="fragment">a 2nd rebuilder of ftp.debian.org. and a 3rd...</li>
+ <li class="fragment">more archs on our snapshot mirror (arm64! riscv64).</li>
</ul>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3>trixie goals</h3>
<ul>
<li class="fragment">snapshot.debian.org usable for mass rebuilds by many users for all architectures.</li>
<li class="fragment">more rebuilders! (instead of more CI builders)</li>
- <li class="fragment">0 bugs with patches unuploaded. Currently there are 292 of these. 2 NMUs per week, uploaded to DELAYED/15.</li>
+ <li class="fragment">0 bugs with patches unuploaded. Currently there are 292 of these. 2 NMUs per week, uploaded to DELAYED/15.</li>
<li class="fragment">#863622: apt: warn when installing packages that are not reproducible</li>
- <li class="fragment">.buildinfo files known and used by <code>dak</code>.</li>
+ <li class="fragment">.buildinfo files known and used by the Debian archive (<code>dak</code>).</li>
</ul>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<h3><em>post</em> trixie goals</h3>
<ul>
- <li class="fragment">I still haven't found what I'm looking for...!</li>
- <li class="fragment">100% reproducible packages and distributed images for <code>trixie+1</code>?</li>
+ <li class="fragment">debian-policy: reproducible packages must not regress</li>
+ <li class="fragment">debian-policy: all packages (in testing and then stable) must be reproducible</li>
<li class="fragment">What else?</li>
</ul>
</section>
- <section data-background="images/2023logo.svg" data-background-size="12%" data-background-position="90% 10%">
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>History needs to be written</h3>
+ <li>https://reproducible-builds.org/docs/history/ ends in 2015.😟</li>
+ <li>Arch Linux has done a lot. Rebuilders and pacman-bintrans.<li>
+ <li>CI builds vs rebuilders.</li>
+ <li>Fedora finally enabled r-b macros for RPM.</li>
+ <li>SBOM should be mentioned. And that without reproducible builds SBOMs are rather meaningless, while with them, those are <u>verified SBOMs</u>!.</li>
+ <li>Help would be very much welcome to write our history. While it's fresh, and not 30 years later.</li>
+ </section>
+
+
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>I probably didn't backdoor this</h3>
+ <li>https://github.com/kpcyrd/i-probably-didnt-backdoor-this</li>
+ <li class="fragment">a fine manual...</li>
+ <li class="fragment">simple <em>hello world</em> in Rust</li>
+ <li class="fragment">Reproducing the ELF binary</li>
+ <li class="fragment">Reproducing the Docker image</li>
+ <li class="fragment">Reproducing the Arch Linux package</li>
+ </ul>
+ </section>
+
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>The unreproducible package</h3>
+ <li>https://github.com/bmwiedemann/theunreproduciblepackage</li>
+ <li class="fragment">It's much easier to show common pitfalls making a package unreproducible than the opposite...</li>
+ </ul>
+ </section>
+
+
+
+
+
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>Some more information ;-)</h3>
+ </section>
+
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
+ <h3>https://reproducible-builds.org/docs</h3>
+ <h3>https://lists.reproducible-builds.org</h3>
+ <h3>#reproducible-builds on irc.oftc.net</h3>
+ <h3>R-B Summit in Hamburg in November 2023</h3>
+ </section>
+
+
+
+ <section data-background="images/bornhack23.png" data-background-size="12%" data-background-position="90% 10%">
<br>
<h3>
Thank you
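Review bot: the three slides added at the end of this hunk have unbalanced list markup. "History needs to be written" places its <li> items directly under <section> with no <ul>, and its Arch Linux item ends in an opening <li> where </li> is meant; "I probably didn't backdoor this" and "The unreproducible package" each end with a </ul> that is never opened. Add <ul> after each of those <h3> lines (plus </ul> before </section> on the history slide) and change the trailing <li> to </li>. Two smaller points: the SBOM item ends in "!." and, after the rename from "bookworm goals", two consecutive slides now share the heading "trixie goals", so a "(1/2)" style suffix or distinct titles would help the audience.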
@@ -1048,6 +1026,8 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
</h3>
</section>
+
+
</div>
</div>
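Review bot: the only change in this hunk is two added blank lines before the closing </div>. Together with the runs of empty lines added between the new slides in the previous hunk, this is whitespace noise that can be dropped before the wip commit is finalised.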
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/compare/d42e9913c805ebd135ba3a3e223604f6c2b46835...87b96c432b3e255d6bc7cafb8540b192f6291397