[Git][reproducible-builds/reproducible-presentations][master] 10 years r-b cccamp talk: wip, add debian numbers
Holger Levsen (@holger)
gitlab at salsa.debian.org
Fri Aug 18 14:23:20 UTC 2023
Holger Levsen pushed to branch master at Reproducible Builds / reproducible-presentations
Commits:
3a5864ae by Holger Levsen at 2023-08-18T16:22:53+02:00
10 years r-b cccamp talk: wip, add debian numbers
Signed-off-by: Holger Levsen <holger at layer-acht.org>
- - - - -
2 changed files:
- 2023-08-19-R-B-the-first-10-years/index.html
- 2023-08-19-R-B-the-first-10-years/todo
Changes:
=====================================
2023-08-19-R-B-the-first-10-years/index.html
=====================================
@@ -166,7 +166,7 @@
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>list of people working on this so far</h3>
+ <h3>List of people working on this so far</h3>
<!-- taken from website.git/_data/contributors.yml -->
<p style="font-size: 42%">
@@ -332,7 +332,7 @@
</section>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>contributors according to website.git/_data/contributors.yml</em></h3>
+ <h3>Contributors according to website.git/_data/contributors.yml</em></h3>
<!-- taken from website.git/_data/contributors.yml -->
<p style="font-size: 66%">
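Review bot: the added h3 line still ends in "</em></h3>" although the heading contains no opening <em>. Since this line is being rewritten anyway, drop the stray </em> so the heading is well-formed.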
@@ -695,13 +695,12 @@
<h2>Common reasons for unreproducibilities:</h2>
<li class="fragment">timestamps, timestamps, timestamps<li>
<li class="fragment">timestamps, timestamps, timestamps<li>
- <li class="fragment">build pathes, build pathes<li>
+ <li class="fragment">build paths, build paths<li>
<li class="fragment">all the rest</li>
- <li class="fragment">422 known issue types in reproducible-notes.git<li>
</section>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>Common reasons for unreproducibilities:</h2>
+ <h2>Ressources about unreproducibilities:</h2>
<ul>
<li>422 known issue types in reproducible-notes.git<li>
<li>https://reproducible-builds.org/docs/</li>
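Review bot: the new heading "Ressources about unreproducibilities:" is misspelled and should read "Resources". The added "build paths, build paths" item also still ends in "<li>" rather than "</li>", as do the two timestamps items and the "422 known issue types" item, so each one opens an empty extra list item. The first slide's items sit directly under the h2 with no surrounding <ul>, unlike the other slides this commit wraps; adding <ul> and </ul> there would make it consistent.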
@@ -727,17 +726,22 @@
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>Detour: some unexpected benefits of reproducible builds</h2>
+ <ul>
<li class="fragment">Lower development costs and increased development speed through less developer time wasted on waiting for builds.</li>
<li class="fragment">Software development: does this change really have no effect / the desired effect only?</li>
<li class="fragment">Licence compliance: you can only be sure a binary is Free Software if it can be (re-)built reproducibly from a given source.</li>
<li class="fragment">Reproducible verified SBOMs.</li>
+ </ul>
</section>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>diffoscope</h2>
+ <ul>
<li class="fragment">Who knows about diffoscope?</li>
<li class="fragment">Who uses diffoscope?</li>
+ <li class="fragment">diffoscope tries to get to the bottom of what makes files or directories different. It will recursively unpack archives of many kinds and transform various binary formats into more human-readable form to compare them.</li>
+ </ul>
</section>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
@@ -761,17 +765,21 @@
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>SOURCE_DATE_EPOCH</h2>
+ <ul>
<li>who knows about SOURCE_DATE_EPOCH?</li>
<li class="fragment">build time stamps are meaningless. SOURCE_DATE_EPOCH describes the time of the last modification of the source.</li>
<li class="fragment">specification from 2015, supported by <b>a lot</b> of software today.</li>
<li class="fragment">https://reproducible-builds.org/docs/source-date-epoch/</li>
+ </ul>
</section>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>Embedded build pathes</h2>
+ <h2>Embedded build paths</h2>
+ <ul>
<li class="fragment">First we tried to fix them. Still a valid and useful approach, because it's just wrong to embedd the build path.</li>
<li class="fragment">Then we (in Debian) came up with a workaround: record the build path and do rebuilds in the same build path.</li>
- <li class="fragment">Better yet: use predictable build pathes like <code>/buildpath/linux-6.2.23</code></li>
+ <li class="fragment">Better yet: use predictable build paths like <code>/buildpath/linux-6.2.23</code></li>
+ </ul>
</section>
<section data-background-color="white">
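Review bot: the unchanged first list item still says "wrong to embedd the build path". As this hunk is already fixing "pathes" on the same slide, correct "embedd" to "embed" in the same pass.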
@@ -850,9 +858,9 @@ Warpforge.
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>Reproducible-builds.org funding</h3>
<ul>
- <li class="fragment">r-b.o is a Software Freedom Conservancy (SFC) project since 2017</li>
- <li class="fragment">Funding needed to support our work</li>
- <li class="fragment">Funding needed for the summit in November in Hamburg<li>
+ <li class="fragment">r-b.o is a Software Freedom Conservancy (SFC) project since 2018.</li>
+ <li class="fragment">Funding needed to support our work.</li>
+ <li class="fragment">Funding needed for the summit in November in Hamburg.<li>
<li class="fragment">Many many thanks to our past, present and future funders! Together we'll get <em>there</em>. 🙏✊</li>
</ul>
</section>
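Review bot: the added line "Funding needed for the summit in November in Hamburg.<li>" closes with "<li>" instead of "</li>", which opens an empty list item before the thanks line. The other two added items on this slide close correctly, so this looks like an oversight carried over from the old line.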
@@ -867,13 +875,6 @@ Warpforge.
</section>
- <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>Short overview of reproducibility of Debian</h3>
- <ul>
- <li> TBD</li>
- </ul>
- </section>
-
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>results for Debian unstable, until 20230804</h3>
<img src="images/stats_pkg_state_20230804.png">
@@ -885,6 +886,38 @@ Warpforge.
<img src="images/stats_pkg_state_trixie_20230804.png">
</section>
+ <section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>CI reproducibility of Debian amd64</h3>
+ <table>
+ <tr><th>Debian suite</th><th>reproducible</th><th>unreproducible</th><th>fails to build</th><th>other</th></tr>
+<tr>
+<td>stretch</td>
+<td>23040(93.2%)</td>
+<td>1514(6.1%)</td>
+<td>85(0.3%)</td>
+<td>80 (0.4%)</td>
+</tr><tr>
+<td>buster</td>
+<td>26653(93.9%)</td>
+<td>1405(4.9%)</td>
+<td>232(0.8%)</td>
+<td>108 (0.4%)</td>
+</tr><tr>
+<td>bullseye</td>
+<td>29603(95.9%)</td>
+<td>1405(2.7%)</td>
+<td>232(1.0%)</td>
+<td>108 (0.4%)</td>
+</tr><tr>
+<td>bookworm</td>
+<td>32692(95.3%)</td>
+<td>1146(3.3%)</td>
+<td>379(1.1%)</td>
+<td>83 (0.3%)</td>
+</tr>
+</table>
+ </section>
+
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h4>https://beta.tests.reproducible-builds.org/debian</h4>
<img src="images/bookworm_full.amd64+all.png">
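Review bot: the bullseye row of the new table repeats buster's absolute counts (1405, 232, 108) next to different percentages (2.7%, 1.0%, 0.4%). With 29603 packages at 95.9%, 1405 cannot be 2.7% of the suite, so the counts look copied from the buster row while only the percentages were updated; please re-check the bullseye numbers against the source data. Spacing before the parenthesis is also inconsistent between columns ("23040(93.2%)" versus "80 (0.4%)"), and the table rows are not indented like the rest of the file.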
@@ -898,7 +931,6 @@ Warpforge.
<li>2017: packages <em>should</em> build reproducibly.</li>
<li class="fragment">2023? reproducible packages <em>must not</em> regress.</li>
<li class="fragment">2025? packages <em>must</em> build reproducibly (to be allowed into <code>testing</code> and <code>stable</code>.</li>
- <li class="fragment">What else?</li>
</ul>
</section>
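Review bot: the unchanged 2025 item above the removed line opens a parenthesis at "(to be allowed into" and never closes it before "</li>". Worth adding the ")" after the "stable" code element while this list is being edited.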
@@ -907,7 +939,7 @@ Warpforge.
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>Short overview of reproducibility of various projects (AIUI)</h3>
<ul>
- <li class="fragment">Tails: "easy", pragmatically "solved" but not systematically...
+ <li class="fragment">Tails: "easy", pragmatically solved.</li>
<li class="fragment">Arch Linux: has rebuilders and snapshot binary archive, though lacks further infrastructure and user tools like <code>pacman-bintrans</code> thus are merely PoCs.</li>
<pre class="fragment">
@@ -925,26 +957,28 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
<ul>
<li>nixOS: https://reproducible.nixos.org: 1570 out of 1572 (99.87%) paths in the minimal installation image are reproducible!</li>
<li>GNU Guix: also reproducible by design (like nixOS) - <em>guix-challenge</em></li>
- <li class="fragment">Yocto: support for reproducible images</li>
- <li class="fragment">F-Droid: supports reproducible builds though no UI (manual web crawling needed) nor promises<ul>
+ <li class="fragment">Yocto: support for reproducible images.</li>
+ <li class="fragment">F-Droid: supports reproducible builds though no UI (manual web crawling needed) nor promises.<ul>
</ul>
</section>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>Short overview of reproducibility of various projects, continued</h3>
<ul>
- <li class="fragment">Alpine: basic support</li>
- <li class="fragment">FreeBSD/NetBSD/OpenBSD: basic support</li>
- <li class="fragment">Fedora/Redhat/Ubuntu: not interested it seems</li>
+ <li class="fragment">Alpine: basic support.</li>
+ <li class="fragment">FreeBSD/NetBSD/OpenBSD: basic support.</li>
+ <li class="fragment">Fedora/Redhat/Ubuntu: not interested it seems.</li>
<li class="fragment">though Fedora 38 (April 2023) enabled clamping mtimes of package files using SOURCE_DATE_EPOCH from changelog</li>
</ul>
</section>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>Summary of reproducibility of various projects, summarized again</h3>
- <p>Many projects support reproducible builds by now, but it's unclear what that means, how it's enforced and how users can know and be confident. I call it reproducible in theory or in CI.</p>
- <p>This is a huge success.</p>
- <p class="fragment">Next: make this accessable and usable for everyone.</p>
+ <ul>
+ <li>Many projects support reproducible builds by now, but it's unclear what that means, how it's enforced and how users can know and be confident. I call it reproducible in theory or in CI.</li>
+ <li>This is a huge success.</li>
+ <li class="fragment">Next: make this accessable and usable for everyone.</li>
+ </ul>
</section>
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
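Review bot: the added F-Droid line ends in "nor promises.<ul>", so the item is never closed and the following "</ul>" only closes that empty nested list, leaving the slide's outer list open at "</section>". Replace the trailing "<ul>" with "</li>". In the summary slide, the added item "make this accessable and usable for everyone" should read "accessible".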
@@ -954,8 +988,10 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>Theory vs Praxis</h3>
- <p>I used to say: 96% reproducibility is a lie. Or rather: 96% are CI results.</p>
- <p class="fragment">Now I like to say: in theory, we are done. In practice, we have shown that reproducible builds can be done in theory.</p>
+ <ul>
+ <li>I used to say: 96% reproducibility is a lie. Or rather: 96% are CI results.</li>
+ <li class="fragment">Now I like to say: in theory, we are done. In practice, we have shown that reproducible builds can be done in theory.</li>
+ </ul>
</section>
@@ -963,10 +999,10 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
<section data-background="images/Fisty-sprayed-Stencil_Neonpink.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>Theory vs Praxis</h3>
<ul>
- <li>Those missing 5% are <b>one</b> reason why we are not done yet.<li>
+ <li>Rebuilding / reproducing Debian in practice also requires a working snapshot.debian.org service and we don't have this.</li>
+ <li class="fragment">Then we also need many rebuilders and we need to store the results somewhere and we need to define criterias how tools should treat that data...</li>
+ <li class="fragment">Those missing 5% are <b>one</b> reason why we are not done yet.<li>
<li class="fragment">Those missing 5% are crucial however, or at least 1% of them. For Debian, 1% means 300 softwares...</li>
- <li class="fragment">Rebuilding / reproducing Debian in practice also requires a working snapshot.debian.org service and we don't have this.</li>
- <li class="fragment">once we have that, we need many rebuilders like beta.tests.reproducible.org and we need to store the results somewhere and we need to define criterias how tools should treat that data...</li>
</ul>
</section>
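Review bot: the re-added line "Those missing 5% are <b>one</b> reason why we are not done yet.<li>" still closes with "<li>" instead of "</li>". In the new rebuilders item, "criterias" should be "criteria", and the item no longer names an example rebuilder as the removed line did; if that was dropped on purpose, fine, otherwise consider keeping the reference.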
=====================================
2023-08-19-R-B-the-first-10-years/todo
=====================================
@@ -1,27 +1,22 @@
-main story points:
+last story points:
theory vs praxis:
"theory" is easy (it was not! and it was a lot of work)
binary transparency would be useful to bridge that gap
and still needed with 100% r-b
getting 100% of the software to build reproducible is only maybe half the work needed...
- update debian stats, shorten existing debian slides at end
- amd64 only
- columns: stretch buster bullseye bookworm
- rows: amd64 arm64 i386 armhf with percentages
- list 10 biggest blockers?
debian next milestones
realistically, 100% reproducible is a politcal decision and nothing technical.
commitment from Debian project to do it
-> policy changes
working snapshot.d.o service
- -> requirement for rebuilders
+ -> requirement for rebuilder
+ list 10 biggest blockers?
archlinux next milestones
I dunno, I'm not even using Arch Linux ;)
They have a working snapshot service, they have rebuilders.
More rebuilders. Policies. User tooling.
Also suffers from 100% dilemma.
Installer .iso?
-
new todo:
@@ -30,10 +25,3 @@ new todo:
should not return 74 but 42 or rather less
now at 65 :/
-suite all source packages reproducible icon reproducible packages FTBR icon unreproducible packages FTBFS icon packages failing to build timeout icon packages timing out depwait icon packages in depwait state not_for_us icon not for this architecture blacklisted icon blacklisted
-stretch/amd64 24719 23040 / 93.2% 1514 / 6.1% 85 / 0.3% 22 / 0.1% 1 / 0.0% 56 / 0.2% 1 / 0.0%
-stretch/arm64 24719 22819 / 92.3% 1292 / 5.2% 277 / 1.1% 10 / 0.0% 80 / 0.3% 239 / 1.0% 2 / 0.0%
-stretch/armhf 24719 22108 / 89.4% 2026 / 8.2% 193 / 0.8% 26 / 0.1% 119 / 0.5% 231 / 0.9% 16 / 0.1%
-stretch/i386 24719 22488 / 91.0% 1985 / 8.0% 130 / 0.5% 7 / 0.0% 32 / 0.1% 76 / 0.3% 1 / 0.0%
-
-
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/3a5864ae4976c47bd6755c07aaf9fa48254471a8