[Git][reproducible-builds/reproducible-presentations][master] 10 years r-b cccamp talk: wip
Holger Levsen (@holger)
gitlab at salsa.debian.org
Thu Aug 17 10:13:22 UTC 2023
Holger Levsen pushed to branch master at Reproducible Builds / reproducible-presentations
6715a5f1 by Holger Levsen at 2023-08-17T12:13:09+02:00
10 years r-b cccamp talk: wip
Signed-off-by: Holger Levsen <holger at layer-acht.org>
- - - - -
4 changed files:
- 2023-08-19-R-B-the-first-10-years/images/ccc2014-12.png
- + 2023-08-19-R-B-the-first-10-years/images/ccc2014-13.png
- 2023-08-19-R-B-the-first-10-years/index.html
- 2023-08-19-R-B-the-first-10-years/todo
Binary files a/2023-08-19-R-B-the-first-10-years/images/ccc2014-12.png and b/2023-08-19-R-B-the-first-10-years/images/ccc2014-12.png differ
Binary files /dev/null and b/2023-08-19-R-B-the-first-10-years/images/ccc2014-13.png differ
@@ -150,7 +150,7 @@
<li>Holger Levsen / holger at debian.org, located in Hamburg, Germany. He/him 🏳️🌈🏳️⚧️.</li>
<li>Debian user since 1995, contributing since 2001, Debian member since 2007. I ❤️ Debian.</li>
<li><span class="fragment">Working on Reproducible Builds since 2014.
- trying to make all ❤️ Free Software reproducible.</span></li>
+ aiming to make all ❤️ Free Software reproducible.</span></li>
<li><span class="fragment">Ask me anything, anytime. This is a pretty complex topic.</span>
@@ -182,9 +182,6 @@ And the idea is also much older than 10 years...
<h3>very incomplete list of people<br>who have been working on this <em>so far</em></h3>
<!-- taken from website.git/_data/contributors.yml -->
-<p style="font-size: 66%">
- (Huge sorry if YOU are missing, please let's fix this. The real list is much bigger..!)
<p style="font-size: 42%">
@@ -348,11 +345,10 @@ And the idea is also much older than 10 years...
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>contributors according to website.git/_data/contributors.yml, so far!</em></h3>
+ <h3>contributors according to website.git/_data/contributors.yml</em></h3>
<!-- taken from website.git/_data/contributors.yml -->
<p style="font-size: 66%">
- (We love patches. We're all in this together!)
<p style="font-size: 42%">
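Review bot: the new heading line still carries a `</em>` with no matching `<em>` (`<h3>contributors according to website.git/_data/contributors.yml</em></h3>`); drop the stray close tag, or wrap the file name in `<em>…</em>` if emphasis was intended. Also, removing "(We love patches. We're all in this together!)" leaves the `<p style="font-size: 66%">` right above it empty; remove that paragraph as well so the 42% contributor list does not sit after an empty block.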
@@ -576,8 +572,7 @@ And the idea is also much older than 10 years...
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
<h2>Why money?</h2>
<li class="fragment">Bitcoin</li>
- <li class="fragment">Gitian</li>
- <li class="fragment">Bitcoin (the software) was reproducible in 2011.</li>
+ <li class="fragment">Bitcoin (the software) was made reproducible in 2011.</li>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
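Review bot: deleting the "Gitian" bullet removes the only mention of the tooling from the "Why money?" slide; if the point of the slide is how Bitcoin got reproducible in 2011 rather than just that it did, fold the name into the rewritten bullet (e.g. "… was made reproducible in 2011, with Gitian") instead of dropping it.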
@@ -585,19 +580,19 @@ And the idea is also much older than 10 years...
<li class="fragment">Well...</li>
<li class="fragment">Mike Perry made Torbrowser reproducible in 2013.</li>
<li class="fragment">That's Firefox. One of the biggest software projects in the world.</li>
- <li class="fragment">Lunar's BoF at DebConf13.</li>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
<h2>How did we get there?</h2>
- <li>Money</li>
- <li>Edward Snowden</li>
- <li class="fragment">...and a LOT of work by MANY people.</li>
+ <li>Money / Bitcoin</li>
+ <li>Edward Snowden / Torbrowser</li>
+ <li class="fragment">Lunar's BoF at DebConf13</li>
+ <li class="fragment">...and a LOT of work by MANY people over 10 years</li>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
- <h2>Even earlier works</h2>
- <li class="fragment">Show that thread on debian-devel at lists.debian.org from 2007</li>
+ <h2>Even earlier</h2>
+ <li class="fragment">Thread on debian-devel at lists.debian.org from 2007. Deemed undoable by many.</li>
<li class="fragment">Though the idea initially appeared in 2000 on debian-devel at l.d.o.</li>
<li class="fragment">And then in 2017 we learned from John Gilmore on rb-general at lists.reproducible-builds.org that GCC was reproducible in the early 1990s on several architectures!</li>
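Review bot: the new "Even earlier" bullet spells out "debian-devel at lists.debian.org" while the unchanged bullet right after it abbreviates the same list to "l.d.o."; use one form on the slide. The same slide's first bullet ends with "Deemed undoable by many." but the other bullets on the moved "How did we get there?" list have no trailing periods, so punctuation is now mixed across adjacent slides.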
@@ -644,6 +639,12 @@ And the idea is also much older than 10 years...
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
<img src="images/ccc2014-11.png">
+ <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+ <img src="images/ccc2014-12.png">
+ </section>
+ <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+ <img src="images/ccc2014-13.png">
+ </section>
<section data-background-color="white">
<img src="images/logo.png" width="584">
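Review bot: the two added `<img>` slides for ccc2014-12.png and ccc2014-13.png, like the ccc2014-11.png one above them, have no `alt` text; since these screenshots carry the whole content of the slide, a one-line `alt` describing what the 2014 slide showed would make the exported deck readable without the images.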
@@ -717,6 +718,11 @@ And the idea is also much older than 10 years...
<img src="images/stats_pkg_state_20230804.png">
+ <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+ <h3>Debian trixie, 20230804</h3>
+ <img src="images/stats_pkg_state_trixie_20230804.png">
+ </section>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
<li class="fragment">FOSDEM talk by Lunar and myself, inviting the Free Software world at large to collaborate and tackle this problem.</li>
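Review bot: the re-added "Debian trixie, 20230804" slide gets an `<h3>` label, but the unstable slide directly above it (`<img src="images/stats_pkg_state_20230804.png">`) shows no heading in the context lines, and the copy of that slide which did have the "Debian unstable, 20230804" heading is removed in the -862 hunk; check that the remaining unstable slide is still labelled, otherwise the two graphs are hard to tell apart.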
@@ -862,35 +868,10 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
- <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
- <h3>Debian unstable, 20230804</h3>
- <img src="images/stats_pkg_state_20230804.png">
- </section>
- <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
- <h3>Debian bookworm, 20230804</h3>
- <img src="images/stats_pkg_state_bookworm_20230804.png">
- </section>
- <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
- <h3>Debian trixie, 20230804</h3>
- <img src="images/stats_pkg_state_trixie_20230804.png">
- </section>
- <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
- <h3><em>DebConf15 had four people giving the talk...</em></h3>
- <img src="images/dc15_1.jpg" width="85%">
- </section>
- <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
- <h3><em>“How can we get this done...???”</em></h3>
- <p>We wondered at the beginning of the <em>Stretch</em> development cycle.</p>
- <img src="images/dc15_2.jpg" width="85%">
- </section>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
<h3><em>Reproducible talks at least...?</em></h3>
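Review bot: of the three stats slides deleted here only trixie is re-added earlier in the file (the +718 hunk); the bookworm slide (`stats_pkg_state_bookworm_20230804.png`) and the two DebConf15 photo slides (dc15_1.jpg, dc15_2.jpg) are dropped outright. If bookworm's numbers are meant to stay in the talk, re-add that section next to the trixie one; if the DebConf15 slides are cut for time, note it in the todo so the images can be removed from the repository too.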
@@ -915,54 +896,27 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
- <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
- <h3>Debian <em>9 / stretch</em></h3>
- <p>The "reproducible in theory but not in practice" release</p>
- <h3>Debian <em>10 / buster</em></h3>
- <p>The "we could have been reproducible but we are not" release</p>
- <h3>Debian <em>11 / bullseye</em></h3>
- <p>The "we are almost there but still haven't sorted out some requirements" release</p>
- </section>
- <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
- <h3>Debian <em>9 / stretch</em></h3>
- <p>The "reproducible in theory but not in practice" release</p>
- <h3>Debian <em>10 / buster</em></h3>
- <p>The "we could have been reproducible but we are not" release</p>
- <h3>Debian <em>11 / bullseye</em></h3>
- <p>The "we are almost made it" release</p>
- <h3>Debian <em>12 / bookworm</em></h3>
- <p>The first Debian release with some meaningful reproducibility!</p>
- </section>
- <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
- <h3>Debian <em>13 / trixie</em></h3>
- <p class="fragment">We now have two years, again.</p>
- </section>
<!--========================================================= -->
<!-- issues in-depth -->
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
- <h3>96% reproducibility is a lie.</h3>
- <p class="fragment">or rather: 96% are CI results.</p>
- <p class="fragment">I explain what's "wrong" with CI results in a moment...</p>
+ <h3>Theory vs Praxis</h3>
+ <p>I used to say: 96% reproducibility is a lie. Or rather: 96% are CI results.</p>
+ <a class="fragment">Now I like to say: in theory, we are done. In practice, we have shown that reproducible builds can be done in theory.</p>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
- <h3>96% reproducibility is neither a lie nor useless...</h3>
- <img class="fragment" src="images/stats_bugs_state.png">
+ <h3>3000 reprodubility related bugs fixed, 500 patches pending...</h3>
+ <img src="images/stats_bugs_sin_ftbfs_state.png">
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
- <h3>96% reproducibility is neither a lie nor useless...</h3>
- <img src="images/stats_bugs_sin_ftbfs_state.png">
+ <h3>20000 bugs in 10 years ~= 5 per day</h3>
+ <img class="fragment" src="images/stats_bugs_state.png">
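Review bot: the added line `<a class="fragment">Now I like to say: …</p>` opens an `<a>` and closes a `</p>`; this should be `<p class="fragment">` like the line above it, otherwise the fragment is an anchor without href wrapped in a mismatched tag. In the same hunk the new heading has a typo: "reprodubility related bugs" should read "reproducibility related bugs". Everything else here (dropping the duplicated stretch/buster/bullseye release-name slides) looks like intended cleanup.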
@@ -1005,19 +959,6 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
- <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
- <h4>https://beta.tests.reproducible-builds.org/debian</h4>
- <img class="fragment" src="images/bookworm_build-essential.amd64+all.png">
- </section>
- <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
- <h4>https://beta.tests.reproducible-builds.org/debian</h4>
- <img src="images/bookworm_key_packages.amd64+all.png">
- </section>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
<img src="images/bookworm_full.amd64+all.png">
@@ -1096,16 +1037,6 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
- <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
- <h3>I probably didn't backdoor this</h3>
- <li>https://github.com/kpcyrd/i-probably-didnt-backdoor-this</li>
- <li class="fragment">a fine manual...</li>
- <li class="fragment">simple <em>hello world</em> in Rust</li>
- <li class="fragment">Reproducing the ELF binary</li>
- <li class="fragment">Reproducing the Docker image</li>
- <li class="fragment">Reproducing the Arch Linux package</li>
- </ul>
- </section>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
<h3>The unreproducible package</h3>
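Review bot: removing the "I probably didn't backdoor this" slide drops the only link to that walkthrough (https://github.com/kpcyrd/i-probably-didnt-backdoor-this) from the deck; if it is cut for time rather than content, keep the URL on a references slide or record it in the todo so it is not lost.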
@@ -1,13 +1,34 @@
main story points:
+ 14.png as intro for
+ "in theory we are done, or 96%, in practice we could maybe do it in theory..."
+ 100% reproducible is a politcal task, not technical.
+ getting 100% of the software to build reproducible is only maybe half the work needed...
build path
+ distro status:
+ debian numbers
+ columns: stretch buster bullseye bookworm
+ rows: amd64 arm64 i386 armhf with percentages
+ : 2017: debian-policy: should
+ other distros
+ slide: archlinux (mention: they are great. have rebuilders. pacman-bintrans a model for debian and everyone else.)
missing bits / future work
+ snapshot
+ theory vs praxis:
+ "theory" is easy (it was not! and it was a lot of work)
+ incl bug graph here
+ 96% is not enough
+ binary transparency would be useful to bridge that gap
+ and still needed with 100% r-b
+ commitment from Debian project to do it
new todo:
incl emails?
+ no
incl S_D_E definition, no screenshots
+ maybe
improve end / debian status
mv Debian up
mention financing, esp for summit!
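Review bot: the added line "100% reproducible is a politcal task, not technical." carries the "politcal" typo over from the old TODO line it replaces; fix it before it ends up on a slide, and "build reproducible" in the next added line should be "build reproducibly". Also note that the "columns: stretch buster bullseye bookworm" / "rows: amd64 arm64 i386 armhf with percentages" plan only has data for stretch in the table at the bottom of this file, so the buster, bullseye and bookworm rows still need to be collected.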
@@ -15,13 +36,16 @@ new todo:
funding: first LF, now an SFC project. I like the SFCs focus on freedom.
$ grep -c 'section da' index.html
should not return 74 but 42 or rather less
- now at 81 /o\
+ now at 71 /o\
verifiable SBOMs!
someone please write a converter
update numbers for trixie
list 10 biggest blockers
or 23
+ slide: personally, i want to finish this. by 2030: no more unreproducible builds in Debian stable.
+ `slide: r-b, the only way you can be sure the binary you are running is the free software you think you are running.
+ or in SBOM speak: ... ("did you get what you bought?" :)
old TODO:
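Review bot: the added line starting with a backtick (`` `slide: r-b, the only way you can be sure … ``) looks like a stray character, since no other todo line is quoted that way; remove it so the line matches the "slide:" items around it. The `grep -c 'section da'` counter update from 81 to 71 is consistent with the slides removed in index.html, but the stated target of 42 is still far off.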
@@ -33,38 +57,19 @@ slide: but surely: the goal of this talk is
the future is unwritten, much needs be done still
- recap what we have done, celebrate 10y of awesomeness
- so yeah, there's still a lot to be done after 100% which will make a UI obsolete
- - think SBOM binary transparency merkel tree
- on a distro scale (say: "please do it with an r-b debian fork. hah, doesnt work because of the 97% only yet".)
-slide: why? threat models
-slide" build path variation: 2023: don't do it. Bug#1034424: buildd.debian.org: Please use predictible build paths
- (for Debian folks: no more build path variation in unstable)
-slide: 2017: debian-policy: should
-slide: fedora (show makro enabled thing)
-slide: archlinux (mention: they are great. have rebuilders. pacman-bintrans a model for debian and everyone else.)
-slide: honorable mention: trisqel
-slide: macos, windows, google android
-slide: debian:
- columns: stretch buster bullseye bookworm
- rows: amd64 arm64 i386 armhf with percentages
suite all source packages reproducible icon reproducible packages FTBR icon unreproducible packages FTBFS icon packages failing to build timeout icon packages timing out depwait icon packages in depwait state not_for_us icon not for this architecture blacklisted icon blacklisted
stretch/amd64 24719 23040 / 93.2% 1514 / 6.1% 85 / 0.3% 22 / 0.1% 1 / 0.0% 56 / 0.2% 1 / 0.0%
stretch/arm64 24719 22819 / 92.3% 1292 / 5.2% 277 / 1.1% 10 / 0.0% 80 / 0.3% 239 / 1.0% 2 / 0.0%
stretch/armhf 24719 22108 / 89.4% 2026 / 8.2% 193 / 0.8% 26 / 0.1% 119 / 0.5% 231 / 0.9% 16 / 0.1%
stretch/i386 24719 22488 / 91.0% 1985 / 8.0% 130 / 0.5% 7 / 0.0% 32 / 0.1% 76 / 0.3% 1 / 0.0%
-slide: recap: we all support SOURCE_DATE_EPOCH
- /docs/source-date-epoch/
slide: recap: .buildinfo files / SBOM
recorded or predictable/static buildpath
(for Debian folks: no more build path variation in unstable)
slide: SBOMs are nothing new, we know them since 2014 or so.
verified SBOMs are cool: = have been used to verify = reproduce a build
slide: trixie, forky & probably 2 more until 100% reproducible Debian stable.
- 100% reproducible is a politcal task, not technical.
-slide: rebuilders (rebuild Debian on every point release? as in: publish those .buildinfo files as one tar archive maybe?)
-slide: technically eventually "done"/doable, but practically?
-slide: personally, i want to finish this. by 2030: no more unreproducible builds in Debian stable.
-slide: r-b, the only way you can be sure the binary you are running is the free software you think you are running.
- or in SBOM speak: ... ("did you get what you bought?" :)
+ slide: rebuilders (rebuild Debian on every point release? as in: publish those .buildinfo files as one tar archive maybe?)
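Review bot: several items removed from the old TODO do not reappear under "main story points" in the first hunk: "why? threat models", the SOURCE_DATE_EPOCH recap (/docs/source-date-epoch/), and the fedora, trisquel and macos/windows/android slides (the last three may be covered by "other distros", but the first two are not). The build-path bullet with Bug#1034424 is also dropped while a bare "build path" item remains at the top of the file; carry the bug number over so the slide can cite it. If these are deliberate cuts, a short "dropped:" list would keep the todo honest.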
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/6715a5f18c25ee81ece637233918bce4a6dfea12