[Git][reproducible-builds/reproducible-website][master] Add Hamburg summit rb-commandments

Thu Nov 2 13:29:16 UTC 2023


Bernhard M. Wiedemann pushed to branch master at Reproducible Builds / reproducible-website


Commits:
f27e6967 by Bernhard M. Wiedemann at 2023-11-02T14:28:42+01:00
Add Hamburg summit rb-commandments

from https://pad.riseup.net/p/rbsummmit2023-d2m-10commandments-keep

- - - - -


1 changed file:

- + _events/hamburg2023/notes/rb-commandments.md


Changes:

=====================================
_events/hamburg2023/notes/rb-commandments.md
=====================================
@@ -0,0 +1,58 @@
+RB Ten Commandments
+
+original draft:
+    
+
+    Commandments by the church of reproducible builds
+
+
+1.    Thou shall not record the name of thy maker nor the place of thy making (username, hostname)
+2.    Thou shall not record the date nor time of thy making, unless you respect the holy SDE spec (date+time)
+3.    Thou shall not use memory without initialization or use memory addresses to decide outcomes (ASLR)
+4.    Thou shall do all your work in order - not use filesystem-readdir-order nor random order of hash elements
+5.    Thou shall not (gamble and) record random numbers (UUID, private/public key, hash-seed, ASLR)
+6.    Thou shall only do one thing at a time or ensure races do no harm (parallelism)
+7.    Thou shall not look at build machine processor capabilities
+8.    Thou shall not look at build machine benchmarks for optimizations
+9.    Thou shall be careful with profile-guided-optimization for it can amplify any sin (non-determinism)
+10.   Thou shall keep your workspace env clean of timezones, locales and umasks or ensure they do no harm
+11.   Thou shall not access the internet during build (servers can be down, contents can change)
+12.   Thou shall take note of your build inputs (versions and/or hashes)
+
+
+##Notes
+
+will slightly re-order existing entries to cover most common problems first
+reword 11th to "allow offline builds"
+
+drop|soften 12th because that is what distributions do in SBOMs "only if you distribute binaries yourself"
+
+#8 and #9 are different, because PGO can be done deterministically and is different from benchmarking
+
+not cover `BUILD_PATH_PREFIX` as builders can use a constant build path with current container tech
+
+
+
+## raw notes
+* build path: new rule? more in rule 1?
+* random tmpdir in binary...
+  * part of rule 5, or new subrule?
+* consider oder by frequency?
+* target audience: upstream source code owners.
+  * (implies: don't rant at them about things distro will do, e.g. input manifest style)
+* ... how can we communicate "no internet during build (but a fetch phase is fine if it's clear/separate/?)" ... to single package upstreams? (e.g. rule 11)
+  * "thou shalt not adulterate other computers during the build" ??
+    * weird phrasing, but complicated topic so maybe weird words give pause, and that's appropriate?
+* rule 11 += "have well documented fetch directory layour expectation"
+  * -> someone else can reasonably provide it.
+* rule 11 += "or in pennace thou must make the way clear for other saints and clearhearted neighbors to provide for thy needs in their own clean ways."
+* rule 11: just "Thou shall allow offline builds"
+* links to theunreproduciblepackage as additional guidance for each item
+* are rule 8 & 9 duplicates?
+  * disputed, BUT: people talk about "PGO" often enough that we give them a lightning rod.
+* rule for clean your cache? might already be obvious.
+* `BUILD_PATH_PREFIX` reference in #1 (or in another rule about build paths).
+* are 3 and 5 dupe?
+  * 5 is things you control obviously
+  * 3 deserves callout because it is something the OS surprises you with, so we tell you about it
+* move 3 down; it's rarer



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/f27e69673466b5409f95c206639a5bbf9a575ab2

-- 
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/f27e69673466b5409f95c206639a5bbf9a575ab2
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20231102/efe9cec3/attachment.htm>
