[Git][reproducible-builds/reproducible-presentations][master] 10 years r-b cccamp talk: more wip

Holger Levsen (@holger) gitlab at salsa.debian.org
Thu Aug 17 12:52:28 UTC 2023



Holger Levsen pushed to branch master at Reproducible Builds / reproducible-presentations


Commits:
a9c45ab3 by Holger Levsen at 2023-08-17T14:52:06+02:00
10 years r-b cccamp talk: more wip

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -


2 changed files:

- 2023-08-19-R-B-the-first-10-years/index.html
- 2023-08-19-R-B-the-first-10-years/todo


Changes:

=====================================
2023-08-19-R-B-the-first-10-years/index.html
=====================================
@@ -144,7 +144,7 @@
       </section>
 
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <p>Who am I</p>
         <ol>
           <li>Holger Levsen / holger at debian.org, located in Hamburg, Germany. He/him 🏳️‍🌈🏳️‍⚧️.</li>
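Review bot: data-transition="none" is added by hand to each Fisty-background <section> here and in nearly every other hunk of this commit, which is easy to forget on the next new slide (the white logo sections already lack it). If the slide framework has a deck-wide transition setting, setting it once there would keep the per-slide markup shorter and consistent.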
@@ -513,8 +513,12 @@ And the idea is also much older than 10 years...
 	</p>
 	  </section>
 
+  <section data-background-color="white">
+        <img class="fragment" src="images/logo.png" width="584">
+      </section>
+
 
-         <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+         <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>About you</h3>
         <ul>
           <li class="fragment">Who knows about Reproducible Builds, why and how?</li>
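Review bot: the white logo slide added before "About you" is added a second time later in this commit (before "Our solution"), while only one copy is removed after "About you". If the logo should appear only once, drop one of the two; if both are intended, a short HTML comment would make that clear. The new <section> is also indented by two spaces while its neighbours use six or more.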
@@ -523,36 +527,69 @@ And the idea is also much older than 10 years...
           <li class="fragment">Who knows about SBOM? <span class="fragment">(Software Bill of Materials) = our .buildinfo files from 2014!</li>
       </ul>
       </section>
- 
-  <section data-background-color="white">
-        <img class="fragment" src="images/logo.png" width="584">
-      </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h1>Introduction</h1>
       </section>
 
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>The problem</h3>
         <ul>
           <li class="fragment">Source code of free software available</li>
           <li class="fragment">…most people install pre-compiled binaries</li>
-          <li class="fragment"><strong>No one knows whether they really correspond.</strong></li>
+          <li class="fragment"><strong>No one knows whether they really correspond (even those building those binaries).</strong></li>
           <li class="fragment">As a result there are various classes of supply chain attacks.</li>
         </ul>
       </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-        <h3>The solution</h3>
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h2>Ancient history (>10 years ago)</h2>
+	<li class="fragment">Thread on debian-devel at lists.debian.org from 2007. Deemed undoable by many.</li>
+	<li class="fragment">Though the idea initially appeared in 2000 on debian-devel at l.d.o.</li>
+	<li class="fragment">And then in 2017 we learned from John Gilmore on rb-general at lists.reproducible-builds.org that GCC was reproducible in the early 1990s on several architectures!</li>
+	</section>
+ 
+ 
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h2>Fast forward to 2023</h2>
+   	<p class="fragment">https://lists.zx2c4.com/pipermail/wireguard/2023-April/008045.html
+	<br />Wireguard (VPN app for Android) builds are now reproducible, their release is identical on their website, Google Play Store and F-Droid. 🎯🎯🎯🥳
+	<br />(it's more complicated than that, see their mail.)</p>
+   	<p class="fragment">We were not even informed. 🥲  Poeople just do reproducible builds as normal part of their work nowadays. 🤗</p>
+	
+	</section>
+
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+	<h3>People just do reproducible builds as normal part of their work nowadays.<h3>
+   	<p style="font-size: 500%">🤗</p>
+	
+	</section>
+
+  <section data-background-color="white">
+        <img class="fragment" src="images/logo.png" width="584">
+      </section>
+
+
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h3>Our solution</h3>
         <ul>
           <li class="fragment">Enable anyone to independently verify that a given source produces bit by bit identical results.</li>
           <li class="fragment">Reproducible Builds are an important building block in making supply chains more secure. Nothing more, nothing less.</li>
+          <li class="fragment">(Un)secure software build reproducibly still remains (un)secure software. However, with reproducible builds you can be sure that you are running the software you want to be running, built from the sources you want to be using.</li>
         </ul>
       </section>
 
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <p> By now Reproducible Builds has been widely and largly understood:
+		<br><span class="fragment" style="font-size: 100%">https://reproducible-builds.org/resources/
+	<br>https://reproducible-builds.org/docs/
+	<br>https://reproducible-builds.org/docs/source-date-epoch/
+<br>https://reproducible-builds.org/docs/publications/</span></li>
+	<br><span class="fragment" style="font-size: 70%">https://www.whitehouse.gov/briefing-room/statements-releases/2021/06/08/...</span></li>
+      </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>
 	  https://reproducible-builds.org/docs/definition/
 	</h3>
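Review bot: in the new "People just do reproducible builds as normal part of their work nowadays." slide the heading is closed with an opening tag (nowadays.<h3>), so a heading is still open when the emoji paragraph starts; this should be </h3>. In the same hunk the "By now Reproducible Builds has been..." slide opens a <p> that is never closed and carries two stray </li> tags, and the "Ancient history" slide has <li> items without a surrounding <ul>. Typos to fix while here: "Poeople", "largly", and "software build reproducibly" (built).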
@@ -563,86 +600,103 @@ And the idea is also much older than 10 years...
 
         </ul>
       </section>
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+
+     <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2>How did we get there?</h2>
 	<li class="fragment">Money</li>
 	<li class="fragment">Edward Snowden</li>
 	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2>Why money?</h2>
 	<li class="fragment">Bitcoin</li>
 	<li class="fragment">Bitcoin (the software) was made reproducible in 2011.</li>
 	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2>Why Snowden</h2>
 	<li class="fragment">Well...</li>
-	<li class="fragment">Mike Perry made Torbrowser reproducible in 2013.</li>
+	<li class="fragment">Torbrowser was made reproducible in 2013 by Mike Perry.</li>
 	<li class="fragment">That's Firefox. One of the biggest software projects in the world.</li>
 	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-        <h2>How did we get there?</h2>
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h2>How did we <i>really</i> get there?</h2>
 	<li>Money / Bitcoin</li>
 	<li>Edward Snowden / Torbrowser</li>
-	<li class="fragment">Lunar's BoF at DebConf13</li>
 	<li class="fragment">...and a LOT of work by MANY people over 10 years</li>
 	</section>
-
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-        <h2>Even earlier</h2>
-	<li class="fragment">Thread on debian-devel at lists.debian.org from 2007. Deemed undoable by many.</li>
-	<li class="fragment">Though the idea initially appeared in 2000 on debian-devel at l.d.o.</li>
-	<li class="fragment">And then in 2017 we learned from John Gilmore on rb-general at lists.reproducible-builds.org that GCC was reproducible in the early 1990s on several architectures!</li>
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h2>2013 and 2014</h2>
+	<li>Lunar's BoF at DebConf13.</li>
+	<li class="fragment">another BoF at DebConf14</li>
+	<li class="fragment">patches for <code>dpkg</code>: sorting fixes and .buildinfo files (SBOM!)</li>
+	<li class="fragment">in September 2014 I started systematic builds of Debian packages, twice. First just 100 packages, than all of them.</li>
+	<li class="fragment">Mike Perry and Seth Schoen gave that presentation at CCCongress in December 2014 showing "my" graphs. Wow.</li>
 	</section>
 
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+	<h3>Debian unstable, 20150131</h3>
+	<img src="images/stats_pkg_state_20150131.png">
+	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-        <p> By now this has been widely and largly understood:
-		<br><span class="fragment" style="font-size: 100%">https://reproducible-builds.org/resources/
-	<br>https://reproducible-builds.org/docs/
-	<br>https://reproducible-builds.org/docs/publications/</span></li>
-	<br><span class="fragment" style="font-size: 70%">https://www.whitehouse.gov/briefing-room/statements-releases/2021/06/08/...</span></li>
-      </section>
-
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <img src="images/ccc2014-1.png">
       </section>
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <img src="images/ccc2014-2.png">
       </section>
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <img src="images/ccc2014-3.png">
       </section>
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <img src="images/ccc2014-4.png">
       </section>
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <img src="images/ccc2014-5.png">
       </section>
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <img src="images/ccc2014-6.png">
       </section>
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <img src="images/ccc2014-7.png">
       </section>
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <img src="images/ccc2014-8.png">
       </section>
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <img src="images/ccc2014-9.png">
       </section>
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <img src="images/ccc2014-10.png">
       </section>
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <img src="images/ccc2014-11.png">
       </section>
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <img src="images/ccc2014-12.png">
       </section>
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+	<h3>Debian unstable, 20230804</h3>
+	<img src="images/stats_pkg_state_20230804.png">
+	</section>
+
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+	<h3>Debian trixie, 20230804</h3>
+	<img src="images/stats_pkg_state_trixie_20230804.png">
+	</section>
+
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h2>2015</h2>
+	<li class="fragment">FOSDEM talk by Lunar and myself, inviting the Free Software world at large to collaborate and tackle this problem.</li>
+	<li class="fragment">SOURCE_DATE_EPOCH spec</li>
+	<li class="fragment">CCCamp presentation by Lunar, showing many problems and their solutions.</li>
+	<li class="fragment">1st Reproducible Builds Summit in Athens.</li>
+	</section>
+
+
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <img src="images/ccc2014-13.png">
       </section>
 
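Review bot: the two 20230804 graphs and the new "2015" slide are inserted between ccc2014-12.png and ccc2014-13.png, which splits the CCCongress 2014 slide sequence, and the "Debian unstable, 20150131" graph now sits in front of ccc2014-1.png. If the 13 images are meant to be shown as one run, move the 2023 graphs and the "2015" slide after ccc2014-13.png. Also in the "2013 and 2014" slide: "than all of them" should read "then all of them".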
@@ -651,88 +705,43 @@ And the idea is also much older than 10 years...
         <h3>https://reproducible-builds.org</h3>
       </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-        <h2>Fast forward to 2023</h2>
-   	<p class="fragment">https://lists.zx2c4.com/pipermail/wireguard/2023-April/008045.html
-	<br />Wireguard (VPN app for Android) builds are now reproducible, their release is identical on their website, Google Play Store and F-Droid. 🎯🎯🎯🥳
-	<br />(it's more complicated than that, see their mail.)</p>
-   	<p class="fragment">We were not even informed. 🥲  Poeople just do reproducible builds as normal part of their work nowadays. 🤗</p>
-	
-	</section>
-
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-	<h3>People just do reproducible builds as normal part of their work nowadays.<h3>
-   	<p style="font-size: 500%">🤗</p>
-	
-	</section>
-
 
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2>Detour: https://diffoscope.org</h2>
 	<li class="fragment">Who knows about diffoscope?</li>
 	<li class="fragment">Who uses diffoscope?</li>
 	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2>Detour: https://diffoscope.org</h2>
 	<li>Text and HTML ouput</li>
 	<li style="font-size: 75%" class="fragment">File formats supported include: Android APK files, Android boot images, Android package resource table (ARSC), Apple Xcode mobile provisioning files, ar(1) archives, ASM Function, Berkeley DB database files, bzip2 archives, character/block devices, ColorSync colour profiles (.icc), Coreboot CBFS filesystem images, cpio archives, Dalvik .dex files, Debian .buildinfo files, Debian .changes files, Debian source packages (.dsc), Device Tree Compiler blob files, directories, ELF binaries, ext2/ext3/ext4/btrfs/fat filesystems, Flattened Image Tree blob files, FreeDesktop Fontconfig cache files, FreePascal files (.ppu), Gettext message catalogues, GHC Haskell .hi files, GIF image files, Git repositories, GNU R database files (.rdb), GNU R Rscript files (.rds), Gnumeric spreadsheets, GPG keybox databases, Gzipped files, Hierarchical Data Format database, HTML files (.html), ISO 9660 CD images, Java class files, Java .jmod modules, JavaScript files,</li>
 	</section>
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2>Detour: https://diffoscope.org</h2>
 	<li style="font-size: 75%">JPEG images, JSON files, Linux kernel images, LLVM IR bitcode files, local (UNIX domain) sockets and named pipes (FIFOs), LZ4 compressed files, lzip compressed files, macOS binaries, Microsoft Windows icon files, Microsoft Word .docx files, Mono ‘Portable Executable’ files, Mozilla-optimized .ZIP archives, Multimedia metadata, OCaml interface files, Ogg Vorbis audio files, OpenOffice .odt files, OpenSSH public keys, OpenWRT package archives (.ipk), PDF documents, PE32 files, PGP signatures, PGP signed/encrypted messages, PNG images, PostScript documents, Public Key Cryptography Standards (PKCS) files (version #7), Python pyc files, RPM archives, Rust object files (.deflate), Sphinx inventory files, SQLite databases, SquashFS filesystems, symlinks, tape archives (.tar), tcpdump capture files (.pcap), text files, TrueType font files, U-Boot legacy image files, WebAssembly binary module, XML binary schemas (.xsb), XML files, XMLB files, XZ compressed files, ZIP archives and Zstandard compressed files.</li>
 	<li class="fragment">Fallback on hexdump comparison, fuzzy-matching to handle renamings, and much more!</li>
 	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2>Detour: https://diffoscope.org</h2>
 	<li><a href="https-everywhere-5.0.6_vs_5.0.7.html">Example diffoscope output for https-everywhere 5.0.6 vs 5.0.7</a></li>
 	<li class="fragment">https://try.diffoscope.org</li>
 	</section>
 
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2>Detour: unexpected benefits of reproducible builds</h2>
 	<li class="fragment">Licence compliance: you can only be sure a binary is Free Software if it can be (re-)built reproducibly from a given source.</li>
 	<li class="fragment">Software development: does this change really have no effect / the desired effect only?</li>
 	<li class="fragment">lower development costs and increased development speed through less developer time wasted on build results</li>
 	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-        <h2>Back to 2013 onward</h2>
-	<li>Lunar's BoF at DebConf13.</li>
-	<li class="fragment">another BoF at DebConf14</li>
-	<li class="fragment">patches for <code>dpkg</code>: sorting fixes and .buildinfo files (SBOM!)</li>
-	<li class="fragment">in September 2014 I started systematic builds of Debian packages, twice. First just 100 packages, than all of them.</li>
-	<li class="fragment">Mike Perry and Seth Schoen gave that presentation at CCCongress in December 2014 showing "my" graphs. Wow.</li>
-	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-	<h3>Debian unstable, 20150131</h3>
-	<img src="images/stats_pkg_state_20150131.png">
-	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-	<h3>Debian unstable, 20230804</h3>
-	<img src="images/stats_pkg_state_20230804.png">
-	</section>
-
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-	<h3>Debian trixie, 20230804</h3>
-	<img src="images/stats_pkg_state_trixie_20230804.png">
-	</section>
-
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-        <h2>2015</h2>
-	<li class="fragment">FOSDEM talk by Lunar and myself, inviting the Free Software world at large to collaborate and tackle this problem.</li>
-	<li class="fragment">debbindiff renamed to diffoscope</li>
-	<li class="fragment">SOURCE_DATE_EPOCH spec</li>
-	<li class="fragment">CCCamp presentation by Lunar, showing many problems and their solutions.</li>
-	<li class="fragment">1st Reproducible Builds Summit in Athens.</li>
-	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2>Common reasons for unreproducibilities:</h2>
 	<li class="fragment">timestamps, timestamps, timestamps<li>
 	<li class="fragment">timestamps, timestamps, timestamps<li>
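Review bot: the "2015" slide removed here listed "debbindiff renamed to diffoscope", but the copy re-added earlier in this commit has only four bullets and that one is gone. If it was dropped on purpose, fine; otherwise it would fit in the relocated "2015" slide or in the diffoscope detour. The removals also leave a run of empty lines before "Common reasons for unreproducibilities:".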
@@ -741,7 +750,15 @@ And the idea is also much older than 10 years...
 	<li class="fragment">422 known issue types in reproducible-notes.git<li>
 	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h3>The unreproducible package</h3>
+	<li>https://github.com/bmwiedemann/theunreproduciblepackage</li>
+        <li class="fragment">It's much easier to show common pitfalls making a package unreproducible than the opposite...</li>
+        </ul>
+     </section>
+
+
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2>SOURCE_DATE_EPOCH</h2>
 	<li>who knows about SOURCE_DATE_EPOCH?</li>
 	<li class="fragment">build time stamps are meaningless. SOURCE_DATE_EPOCH describes the time of the last modification of the source.</li>
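Review bot: the new "The unreproducible package" slide closes a list with </ul> that was never opened; its two <li> items sit directly under <section>. Either add the opening <ul> after the <h3> or drop the </ul>, matching whichever convention the neighbouring slides follow.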
@@ -749,15 +766,14 @@ And the idea is also much older than 10 years...
 	<li class="fragment">https://reproducible-builds.org/docs/source-date-epoch/</li>
 	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-        <h2>build path variation</h2>
-	<li>The solution is simple. But it took me almost 10 years to get there.<span class="fragment" Again.</span></li>
-	<li class="fragment">First we tried to fix them. Still a valid and useful approach.</li>
-	<li class="fragment">Then we quickly came up with a workaround: record the build path and do rebuilds in the same build path.</li>
-	<li class="fragment">in April 2023 in a discussion with Vagrant a much simpler solution came up: just don't vary the build path, instead use predictable build pathes like <code>/buildpath/linux-6.2.23</code></li>
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h2>Embedded build pathes</h2>
+	<li class="fragment">First we tried to fix them. Still a valid and useful approach, because it's just wrong to embedd the build path.</li>
+	<li class="fragment">Then we (in Debian) came up with a workaround: record the build path and do rebuilds in the same build path.</li>
+        <li class="fragment">Better yet: use predictable build pathes like <code>/buildpath/linux-6.2.23</code></li>
 	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2>Reproducible Builds Summits</h2>
 	<li>2015 Athens</li>
 	<li>2016 Berlin</li>
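Review bot: spelling in the rewritten slide: "pathes" (heading and last bullet) should be "paths" and "embedd" should be "embed". The rewrite also drops the earlier note that the predictable-build-path idea came out of an April 2023 discussion with Vagrant; if that credit is still wanted on the slide, it needs to be carried over. The last bullet is indented with spaces where the two above it use a tab.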
@@ -768,7 +784,7 @@ And the idea is also much older than 10 years...
 	<li class="fragment">2023 Hamburg</li>
 	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2>Projects at Reproducible Builds Summits</h2>
 	<p style="font-size: 80%">Alpine Linux, 
 Apache Maven, 
@@ -825,10 +841,11 @@ Warpforge.
 	</p>
 	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>Short overview of reproducibility of various projects (AIUI)</h3>
    	<ul class="fragment">Tails: "easy", pragmatically "solved" but not systematically...
-        <li class="fragment">Arch Linux: has rebuilders, though also lacks user tools and/or other integration</li>
+        <li class="fragment">Arch Linux: has rebuilders and snapshot binary archive, though lacks further infrastructure and user tools like <code>pacman-bintrans</code> thus are merely PoCs.</li>
+        
 	<pre class="fragment">
 Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
 [core] repository is 93.3% reproducible with 17 bad and 238 good packages.
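Review bot: the rewritten Arch Linux bullet is hard to parse: in "though lacks further infrastructure and user tools like pacman-bintrans thus are merely PoCs" it is unclear whether pacman-bintrans is one of the missing tools or one that exists only as a PoC, and "thus are" has no clear subject. Splitting it into two sentences would fix that. The added line below it contains only whitespace.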
@@ -839,7 +856,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
         </ul>
      </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>Short overview of reproducibility of various projects, continued</h3>
 	<li class="fragment">nixOS: https://reproducible.nixos.org: 1570 out of 1572 (99.87%) paths in the minimal installation image are reproducible!</li>
         <li class="fragment">GNU Guix: also reproducible by design (like nixOS) - <em>guix-challenge</em></li>
@@ -849,7 +866,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
         </ul>
      </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>Short overview of reproducibility of various projects, continued</h3>
 	<li class="fragment">Alpine: basic support</li>
         <li class="fragment">FreeBSD/NetBSD/OpenBSD: basic support</li>
@@ -858,7 +875,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
         </ul>
      </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>Summary of reproducibility of various projects</h3>
    	<p>Many projects support reproducible builds by now, but it's unclear what that means, how it's enforced and how users can know and be confident.</p>
 	<p class="fragment">I call it reproducible in theory or in CI.</p>
@@ -872,7 +889,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
 
 
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3><em>Reproducible talks at least...?</em></h3>
 	<p>DebConf16</p>
 	<p>DebConf17</p>
@@ -886,7 +903,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
 
      </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3><em>Schrödingers h01ger: frustrated and happy.</em></h3>
 
         <p>Indeed I have given warnings that the next Debian release will not be reproducible for years...</p>
@@ -901,26 +918,26 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
 
 
       <!-- issues in-depth -->
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>Theory vs Praxis</h3>
 	<p>I used to say: 96% reproducibility is a lie. Or rather: 96% are CI results.</p>
-	<a class="fragment">Now I like to say: in theory, we are done. In practice, we have shown that reproducible builds can be done in theory.</p>
+	<p class="fragment">Now I like to say: in theory, we are done. In practice, we have shown that reproducible builds can be done in theory.</p>
       </section>
 
     
-  <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+  <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>3000 reprodubility related bugs fixed, 500 patches pending...</h3>
 	        <img  src="images/stats_bugs_sin_ftbfs_state.png">
 
       </section>
 
-  <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+  <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>20000 bugs in 10 years ~= 5 per day</h3>
 	        <img class="fragment" src="images/stats_bugs_state.png">
 
       </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>96% in detail</h3>
 	<ul>
 
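Review bot: the heading in the second section of this hunk still reads "3000 reprodubility related bugs fixed"; while the `<section>` line above it is being edited, correct it to "reproducibility". The two `<img>` tags for the stats graphs have no `alt` text, so the slides convey nothing if the images fail to load or are read by a screen reader. The `<a class="fragment">` to `<p class="fragment">` fix is correct, since the line was already closed with `</p>`.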
@@ -934,7 +951,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
 
 
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>CI versus rebuilds:</h3>
 	<ul>
         <li>We have no <strong>Debian</strong> infrastructure rebuilding Debian packages. The reproducible-builds.org rebuilders are builders, not rebuilders.</li>
@@ -948,7 +965,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
 	</ul>
       </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>CI versus rebuilds:</h3>
 	<ul>
         <li class="fragment">We have no <strong>Debian</strong> infrastructure rebuilding Debian packages. The reproducible-builds.org rebuilders are builders, not rebuilders.</li>
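Review bot: this section repeats the heading and the first bullet of the previous "CI versus rebuilds:" section, but here the bullet carries `class="fragment"` while there it does not. If the two sections are consecutive, then with `data-transition="none"` the bullet is visible on the first slide, disappears when advancing and only reappears on the next step. Drop the `fragment` class on this first `<li>` if the second slide is meant to continue the first.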
@@ -959,13 +976,13 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
 	</ul>
       </section>
 
-  <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+  <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h4>https://beta.tests.reproducible-builds.org/debian</h4>
 	        <img src="images/bookworm_full.amd64+all.png">
 
       </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h4>https://beta.tests.reproducible-builds.org/debian</h4>
        	<ul>
    	unreproducible in build-essential:
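Review bot: in the last section of this hunk the text "unreproducible in build-essential:" sits directly inside the `<ul>`, which is not valid list content and leaves it without a `fragment` or styling hook. Move it into a `<p>` above the list or make it an `<li>`. The `<img src="images/bookworm_full.amd64+all.png">` in the section before it also lacks `alt` text.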
@@ -974,16 +991,9 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
 	</ul>
       </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-        <h4>https://beta.tests.reproducible-builds.org/debian</h4>
-       	<ul>
-	<li>amd64 only, also because our snapshot mirror is amd64 only</li>
-	<li>one rebuilder only, not several (and at least some should run on Debian ressources)</li>
-	<li class="fragment">one person maintaining this so far. Thank you very much, Frédéric Pierret, and sorry too.</li>
-      </section>
 
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>working around snapshot.debian.org</h3>
 	<ul>
   <li class="fragment">snapshot.debian.org was (and is) unusable for rebuilds, fixed by Frédéric Pierret and josch since June 2021, by providing a partial mirror for amd64 only and only going back until January 2017.</li>
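Review bot: the removed section carried the statements that there is only one rebuilder and only one person maintaining it; the visible bullet of the following snapshot.debian.org slide covers only the amd64 limitation. Confirm these caveats are stated elsewhere in the deck, or fold them into that slide instead of dropping them. The removed block was also missing its closing `</ul>`, so the markup is cleaner after this change.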
@@ -994,7 +1004,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
      </section>
 
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>Debian 13 / trixie goals</h3>
 	More than 12 months until the next freeze.
 	<ul>
@@ -1005,7 +1015,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
 	</ul>
       </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>Debian 13 / trixie goals</h3>
 	<ul>
     	<li class="fragment">snapshot.debian.org usable for mass rebuilds by many users for all architectures.</li>
@@ -1016,7 +1026,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
 	</ul>
       </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3><em>post</em> Debian 13 / trixie goals</h3>
 	<ul>
     	<li class="fragment">debian-policy: reproducible packages must not regress</li>
@@ -1025,35 +1035,15 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
 	</ul>
       </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-	<h3>History needs to be written</h3>
-	<li>https://reproducible-builds.org/docs/history/ ends in 2015.😟</li>
-	<li>Arch Linux has done a lot. Rebuilders and pacman-bintrans.<li>
-	<li>SBOM should be mentioned. And that without reproducible builds SBOMs are rather meaningless, while with them, those are <u>verified SBOMs</u>!.</li>
-	</section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-	<h3>Notable mentions</h3>
-     </section>
 
 
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
-        <h3>The unreproducible package</h3>
-	<li>https://github.com/bmwiedemann/theunreproduciblepackage</li>
-        <li class="fragment">It's much easier to show common pitfalls making a package unreproducible than the opposite...</li>
-        </ul>
-     </section>
-
-
-
-
-
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
 	<h3>Summary information</h3>
      </section>
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>https://reproducible-builds.org/docs</h3>
         <h3>https://lists.reproducible-builds.org</h3>
         <h3>#reproducible-builds on irc.oftc.net</h3>
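Review bot: after this hunk the "Summary information" section is left with only an `<h3>` and no body, the same kind of empty placeholder as the "Notable mentions" section removed a few lines above; either give it content or remove it too. The removed "History needs to be written" slide also made the point that SBOMs are only verified SBOMs when builds are reproducible, so check that this still appears somewhere in the talk.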
@@ -1062,7 +1052,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
 
  
 
-      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%">
+      <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <br>
         <h3>
           Thank you


=====================================
2023-08-19-R-B-the-first-10-years/todo
=====================================
@@ -25,8 +25,7 @@ main story points:
 		commitment from Debian project to do it
 
 new todo:
-	incl emails? 
-		no
+	nice übergänge
 	incl S_D_E definition, no screenshots
 		maybe
 	improve end / debian status



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/a9c45ab3a94177e3f640b2f539b93aacb6ea706a
