[Git][reproducible-builds/reproducible-presentations][master] 2023-11-04: Beyond Trusting FOSS: Rearrange and remove some slides for

Vagrant Cascadian (@vagrant) gitlab at salsa.debian.org
Wed Nov 1 20:07:54 UTC 2023 


Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-presentations


Commits:
8a4977a0 by Vagrant Cascadian at 2023-11-01T13:04:57-07:00
2023-11-04: Beyond Trusting FOSS: Rearrange and remove some slides for
shorter talk.

- - - - -


1 changed file:

- 2023-11-04-SeaGL-Beyond-Trusting-FOSS/Beyond-Trusting-FOSS.org


Changes:

=====================================
2023-11-04-SeaGL-Beyond-Trusting-FOSS/Beyond-Trusting-FOSS.org
=====================================
@@ -60,6 +60,7 @@ Track:
     Security and Privacy 
 Difficulty:
     Introductory 
+
 #+END_comment
 
 * Who am I
@@ -94,257 +95,6 @@ Free and Open Source Software
 - Share
 - Community
 
-* Reproducible Builds
-
-** text
-    :PROPERTIES:
-    :BEAMER_col: 0.7
-    :END:
-
-https://reproducible-builds.org/docs/definition/
-
-\vspace{\baselineskip}
-
-A build is reproducible if given the same source code, build
-environment and build instructions, any party can recreate bit-by-bit
-identical copies of all specified artifacts.
-
-** image
-    :PROPERTIES:
-    :BEAMER_col: 0.3
-    :END:
-
-[[./images/reproducible-builds.png]]
-
-* Spelling it out
-
-** text
-    :PROPERTIES:
-    :BEAMER_col: 0.7
-    :END:
-
-Reproducible Builds provides...
-
-#+ATTR_BEAMER: :overlay <+->
-- strong confidence...
-- that a binary was produced from a given source...
-- ...probably!
-
-** image
-    :PROPERTIES:
-    :BEAMER_col: 0.3
-    :END:
-[[./images/reproducible-builds.png]]
-
-
-
-* Freedom to iterate
-
-Benefits of Reproducible Builds
-
-#+ATTR_BEAMER: :overlay <+->
-- ...
-- Security
-- Code refactoring
-- Build Caching
-
-* For example
-
-Debian
-
-#+ATTR_BEAMER: :overlay <+->
-- The Universal Operating System
-- ~34000 source packages ... and counting
-- 380 million lines of code ... and counting!
-- ~95% reproducible
-
-* diffocope
-
-https://diffoscope.org
-
-\vspace{\baselineskip}
-
-#+ATTR_BEAMER: :overlay <+->
-- Recursive and human-readable "diff"
-- locates and diagnoses reproducibility issues
-- used for analysing *why* something is reproducible!
-- *not* used for determining whether something is reproducible!
-
-* diffoscope example
-
-[[./images/diffoscope.png]]
-
-* diffoscope, supported file types
-
-Android APK files, Android boot images, Ar(1) archives, Berkeley DB database files, Bzip2 archives, Character/block devices, ColorSync colour profiles (.icc), Coreboot CBFS filesystem images, Cpio archives, Dalvik .dex files, Debian .buildinfo files, Debian .changes files, Debian source packages (.dsc), Device Tree Compiler blob files, Directories, ELF binaries, Ext2/ext3/ext4/btrfs filesystems, FreeDesktop Fontconfig cache files, FreePascal files (.ppu), Gettext message catalogues, GHC Haskell .hi files, GIF image files, Git repositories, GNU R database files (.rdb), GNU R Rscript files (.rds), Gnumeric spreadsheets, Gzipped files, ISO 9660 CD images, Java .class files, JavaScript files, JPEG images, JSON files, LLVM IR bitcode files, MacOS binaries, Microsoft Windows icon files, Microsoft Word .docx files, Mono 'Portable Executable' files, Ogg Vorbis audio files, OpenOffice .odt files, OpenSSH public keys, OpenWRT package archives (.ipk), PDF documents, PGP signed/encrypted messages, PNG images, PostScript documents, RPM archives, Rust object files (.deflate), SQLite databases, SquashFS filesystems, Statically-linked binaries, Symlinks, Tape archives (.tar), Tcpdump capture files (.pcap), Text files, TrueType font files, XML binary schemas (.xsb), XML files, XZ compressed files, etc.
-
-* try diffoscope
-
-https://diffoscope.org
-
-\vspace{\baselineskip}
-
-Available on many platforms:
-
-** text
-    :PROPERTIES:
-    :BEAMER_col: 0.4
-    :END:
-
-#+ATTR_BEAMER: :overlay <+->
-- Debian
-- Fedora
-- OpenSUSE
-- Archlinux
-- GNU Guix
-
-** text
-    :PROPERTIES:
-    :BEAMER_col: 0.4
-    :END:
-
-#+ATTR_BEAMER: :overlay <+->
-- NixOS
-- FreeBSD
-- NetBSD
-- Homebrew
-- PyPI
-
-* try diffoscope online
-
-And on the World Wide Web!
-
-https://try.diffoscope.org
-
-[[./images/try.diffoscope.org.png]]
-
-* Reprotest
-
-reprotest
-
-#+ATTR_BEAMER: :overlay <+->
-- builds something twice with many variations
-- https://salsa.debian.org/reproducible/reprotest
-- if unreproducible: "bisect" the variations
-
-* So you want to have Reproducible builds
-
-https://reproducible-builds.org/docs/recording/
-
-Providing sufficient information for independent verification:
-
-#+ATTR_BEAMER: :overlay <+->
-- ...
-- "toolchain" packages at specific versions
-- SOURCE_DATE_EPOCH (seconds since 1970-01-01)
-- Works best with Free and Open Source Software!
-
-* To Catch a Regression
-
-Automatic Testing (Continuous Integration, Quality Assurance, etc.)
-
-* Forget Trust, Verify
-
-No need to Trust, All you need is:
-
-  #+ATTR_BEAMER: :overlay <+->
-- Free/Libre and Open Source Software
-- Reproducible Builds
-- Bootstrapping
-- Diverse compilation
-- ... and lots of compile cycles
-
-
-* Trust
-
-Different levels of trust:
-
-  #+ATTR_BEAMER: :overlay <+->
-- curl http://example.net/hackme | sudo sh
-- curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
-- download file, verify signature ... run code
-- download source, verify signature, compile from source
-- emerge --emptytree @world
-- rewrite everything in assembly
-- build it up from transitors
-- I have a beach, some wood, abundant sunshine, and a lot of time
-
-* Trusting Trust
-
-Ken Thompson
-
-Reflections on trusting trust, 1984
-
-https://archive.org/details/reflections-on-trusting-trust
-
-* The Moral of Trusting Trust
-
-"You can't trust code that you did not totally create yourself.
-
-(Especially code from companies that employ people like me.)
-
-No amount of source-level verification or scrutiny will protect you
-
-from using untrusted code." - Ken Thompson
-
-* Did I say 1984, I meant 1974
-
-Karger, 1974
-
-"... insert a trap door into the... compiler...
-
-the trap door can maintain itself,
-
-even when the compiler is recompiled"
-
-* Decades of Trust
-
-Since 1974
-
-  #+ATTR_BEAMER: :overlay <+->
-- 1984: Reflections on trusting trust
-- 1980s: some papers about compiling multiple times
-- 1990s ... usenet post mumbling about multiple compilers
-- 2000s: some more papers about compiling multiple times
-- 2005: Countering Trusting Trust through Diverse Double-Compiling
-- 2009: Fully Countering Trusting Trust through Diverse Double-Compiling
-- ... and some high profile compromises!
-
-* XcodeGhost or should we say Strawhorse?
-
-  XcodeGhost, 2015
-
-  #+ATTR_BEAMER: :overlay <+->
-- Modified version of Apple's Xcode
-- Over 4000 compromised apps
-
-* SolarWhat?
-
-  SolarWinds, 2020
-
-  #+ATTR_BEAMER: :overlay <+->
-- Compromised build server...
-- ...via weak and/or leaked passphrases
-- signing certificates compromised
-- possibly 18000 affected installations
-
-* The price of Trust
-
-What is the Price...
-
-of Trusting Trust?
-
-* Free and Open Source Software
-
-Free and Open Source Software
-
-#+ATTR_BEAMER: :overlay <+->
-- Use
-- Study
-- Change
-- Share
-- Community
-
 * Share what exactly
 
 Sharing FOSS...
@@ -394,7 +144,6 @@ assoc_insert (hash, key, value)
 make
 make install
 #+END_SRC
-
 * A resulting binary might look like
 
 #+BEGIN_SRC shell
@@ -424,6 +173,8 @@ RAbN at P@L.<:B@&
                                  BL 9E4( B
 #+END_SRC
 
+
+
 * Reproducible Builds
 
 ** text
@@ -446,138 +197,158 @@ identical copies of all specified artifacts.
 
 [[./images/reproducible-builds.png]]
 
-* Spelling it out
-
-** text
-    :PROPERTIES:
-    :BEAMER_col: 0.7
-    :END:
+* Reproducible Builds At Scale
 
-Reproducible Builds provides...
+Debian
 
 #+ATTR_BEAMER: :overlay <+->
-- strong confidence...
-- that a binary was produced from a given source...
-- ...probably!
+- The Universal Operating System
+- ~34000 source packages ... and counting
+- 380 million lines of code ... and counting!
+- ~95% reproducible
 
-** image
-    :PROPERTIES:
-    :BEAMER_col: 0.3
-    :END:
-[[./images/reproducible-builds.png]]
+* So you want to have Reproducible builds
 
-* Once upon a time
+https://reproducible-builds.org/docs/recording/
 
-#+ATTR_BEAMER: :overlay <+->
-- Historically software was reproducible! Every bit counted.
-- Things eventually got more complicated...
-- Bit for bit reproducible GNU toolchain in the early 90s on 10(?) architectures.
-- *And we all forgot.*
-- In 2011 and 2012, Bitcoin and Torbrowser were made reproducible...
+Providing sufficient information for independent verification:
 
-* Enter Debian
+#+ATTR_BEAMER: :overlay <+->
+- ...
+- "toolchain" packages at specific versions
+- SOURCE_DATE_EPOCH (seconds since 1970-01-01)
+- Works best with Free and Open Source Software!
+- Automated testing (QA, CI, etc.)
 
-In 2013 folks explore reproducibility for all of Debian
+* diffocope
 
-* Status in Debian
+https://diffoscope.org
 
-Debian
+\vspace{\baselineskip}
 
-  #+ATTR_BEAMER: :overlay <+->
-- ~34000 source packages
-- ~95% reproducible
-- in theory...
-- many submitted patches
+#+ATTR_BEAMER: :overlay <+->
+- Recursive and human-readable "diff"
+- locates and diagnoses reproducibility issues
+- used for analysing *why* something is reproducible!
+- *not* used for determining whether something is reproducible!
 
-* Debian: gcc and binutils
+* diffoscope example
 
-gcc and binutils
+[[./images/diffoscope.png]]
 
-  #+ATTR_BEAMER: :overlay <+->
-- test suite logs
-- PGO (Profile Guided Optimiziation)
-- LTO (Link Time Optimization)
+* diffoscope, supported file types
 
-* Debian: linux
+Android APK files, Android boot images, Ar(1) archives, Berkeley DB
+database files, Bzip2 archives, Character/block devices, ColorSync
+colour profiles (.icc), Coreboot CBFS filesystem images, Cpio
+archives, Dalvik .dex files, Debian .buildinfo files, Debian .changes
+files, Debian source packages (.dsc), Device Tree Compiler blob files,
+Directories, ELF binaries, Ext2/ext3/ext4/btrfs filesystems,
+FreeDesktop Fontconfig cache files, FreePascal files (.ppu), Gettext
+message catalogues, GHC Haskell .hi files, GIF image files, Git
+repositories, GNU R database files (.rdb), GNU R Rscript files (.rds),
+Gnumeric spreadsheets, Gzipped files, ISO 9660 CD images, Java .class
+files, JavaScript files, JPEG images, JSON files, LLVM IR bitcode
+files, MacOS binaries, Microsoft Windows icon files, Microsoft Word
+.docx files, Mono 'Portable Executable' files, Ogg Vorbis audio files,
+OpenOffice .odt files, OpenSSH public keys, OpenWRT package archives
+(.ipk), PDF documents, PGP signed/encrypted messages, PNG images,
+PostScript documents, RPM archives, Rust object files (.deflate),
+SQLite databases, SquashFS filesystems, Statically-linked binaries,
+Symlinks, Tape archives (.tar), Tcpdump capture files (.pcap), Text
+files, TrueType font files, XML binary schemas (.xsb), XML files, XZ
+compressed files, etc.
 
-linux
+* try diffoscope
 
-  #+ATTR_BEAMER: :overlay <+->
-- documentation randomness
-- other unidentified issues
-- fixes available
-  https://bugs.debian.org/1033663
-  https://salsa.debian.org/kernel-team/linux/-/merge_requests/741
-- well, partial fixes, anyways...
+https://diffoscope.org
 
-* Debian: libzstd
+\vspace{\baselineskip}
 
-libzstd
+Available on many platforms:
 
-- recent regression
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.4
+    :END:
 
-* Status in Guix
+#+ATTR_BEAMER: :overlay <+->
+- Debian
+- Fedora
+- OpenSUSE
+- Archlinux
+- GNU Guix
 
-GNU Guix
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.4
+    :END:
 
 #+ATTR_BEAMER: :overlay <+->
-- ~87% reproducible
-- in practice!
-- 21594 Reproducible!
-- 1559 Unreproducible...
-- 1692 Unknown...
+- NixOS
+- FreeBSD
+- NetBSD
+- Homebrew
+- PyPI
 
-* Guix made for success
+* try diffoscope online
 
-GNU Guix
+And on the World Wide Web!
 
-#+ATTR_BEAMER: :overlay <+->
-- reproducible by design
-- normalized build environment
-- guix challenge
-- two build farms to compare against
+https://try.diffoscope.org
 
-* Arch Linux
+[[./images/try.diffoscope.org.png]]
 
-Arch Linux
+* Reprotest
 
-https://reproducible.archlinux.org/
+reprotest
 
 #+ATTR_BEAMER: :overlay <+->
-- ~14000 packages
-- ~86% reproducible
-- in practice!
+- builds something twice with many variations
+- https://salsa.debian.org/reproducible/reprotest
+- if unreproducible: "bisect" the variations
 
-* But wait, there is more!
+* What you get with Reproducible Builds
 
-#+ATTR_BEAMER: :overlay <+->
-- NetBSD 84%
-- OpenWRT 96%-100%
-- Coreboot 100%
-- NixOS 95%-99.7%
-- Yocto 99.98%
-- openEuler 96%
-- openSUSE mostly reproducible (caveats apply)
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.7
+    :END:
 
-* We miss you!
+Reproducible Builds provides...
 
-We once had testing for...
+#+ATTR_BEAMER: :overlay <+->
+- strong confidence...
+- that a binary was produced from a given source...
+- ...probably!
 
-- Alpine
-- Fedora
+** image
+    :PROPERTIES:
+    :BEAMER_col: 0.3
+    :END:
+[[./images/reproducible-builds.png]]
 
-* I am not picky about the color of your hat
+* Trust
 
-Wishlist based on current events...
+Different levels of trust:
 
-- AlmaLinux
-- Rocky Linux
+  #+ATTR_BEAMER: :overlay <+->
+- curl http://example.net/hackme | sudo sh
+- curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+- download file, verify signature ... run code
+- download source, verify signature, compile from source
+- emerge --emptytree @world
+- rewrite everything in assembly
+- build it up from transitors
+- I have a beach, some wood, abundant sunshine, and a lot of time
+
+* Trusting Trust
 
-* Proof Pudding
+Ken Thompson
 
-Reproducible Builds is totally possible...
+Reflections on Trusting Trust, 1984
 
-...But it only provides one strong link in a chain
+https://archive.org/details/reflections-on-trusting-trust
 
 * Building on a solid foundation of turtles
 
@@ -635,7 +406,8 @@ https://reproducible-builds.org/news/2019/12/21/reproducible-bootstrap-of-mes-c-
 GNU Guix: The Reduced Binary Seed Bootstrap
 
 https://guix.gnu.org/en/manual/devel/en/guix.html#Reduced-Binary-Seed-Bootstrap
-  #+ATTR_BEAMER: :overlay <+->
+
+#+ATTR_BEAMER: :overlay <+->
 - ...
 - Reduced to 145MB of bootstrap binaries (from 250MB)
 - Using Mes and guile...
@@ -667,45 +439,29 @@ https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source
 
   https://github.com/fosslinux/live-bootstrap
 
-  #+ATTR_BEAMER: :overlay <+->
+#+ATTR_BEAMER: :overlay <+->
 - A live environment
 - From kernel and a bit of source code
 - To a reproducibly bootstrapped toolchain
 - no pregenerated "source" code shortcuts
 
-* UEFI based bootstrap
-
-Work-in-progress UEFI bootstrap
-
-https://git.stikonas.eu/andrius/stage0-uefi
-
-Only stage0...
-
-* Bare Metal Bootstrap
-
-Stage0 on Bare Metal?
-
-https://git.savannah.nongnu.org/cgit/stage0.git/tree/
-
-* architectures
-
-Full bootstrap only available on x86
+* Under that Turtle
 
-...x86 toolchain can then cross-compile to x86_64
-
-* architectures in progress
-- arm
-- riscv64
-- powerpc64le or powerpc64el
-
-* Freedom in your bits and bytes
+#+ATTR_BEAMER: :overlay <+->
+- UEFI https://git.stikonas.eu/andrius/stage0-uefi
+- Bare Metal https://git.savannah.nongnu.org/cgit/stage0.git/tree/
 
-Free/Libre and Open Source Software
+* Forget Trust, Verify
 
-Allows arbitrary third-party verification
+No need to Trust, all we need is:
 
+  #+ATTR_BEAMER: :overlay <+->
+- Free/Libre and Open Source Software
+- Reproducible Builds
+- Bootstrapping
+- Diverse compilation
+- ... and lots of compile cycles
 
-  
 * Make it happen
 
 https://reproducible-builds.org/contribute/



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/8a4977a017685586c5bdbe112af6167077a32cba

-- 
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/8a4977a017685586c5bdbe112af6167077a32cba
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20231101/51b16a39/attachment.htm>

More information about the rb-commits mailing list