[Git][reproducible-builds/reproducible-presentations][master] fosdem 2024: more wip, reshuffle some bits
Holger Levsen (@holger)
gitlab at salsa.debian.org
Fri Feb 2 17:36:10 UTC 2024
Holger Levsen pushed to branch master at Reproducible Builds / reproducible-presentations
Commits:
7e5421aa by Holger Levsen at 2024-02-02T18:35:50+01:00
fosdem 2024: more wip, reshuffle some bits
Signed-off-by: Holger Levsen <holger at layer-acht.org>
- - - - -
2 changed files:
- 2024-02-03-R-B-the-first-10-years/index.html
- 2024-02-03-R-B-the-first-10-years/todo
Changes:
=====================================
2024-02-03-R-B-the-first-10-years/index.html
=====================================
@@ -125,6 +125,25 @@
<body>
<div class="reveal">
<div class="slides">
+ <section>
+ <br>
+ <h3>
+ Reproducible Builds, <br>the first ten years and beyond!
+ </h3>
+ <br>
+ <img src="images/reprobuilds-display.jpeg" style="height: 220px; border-radius: 10px;">
+ <br>
+
+ <h6>
+ <small>
+ Holger Levsen<br>
+ FOSDEM 2024<br>
+ 2024-02-03, Brussels
+ </small>
+ </h6>
+ <img src="images/FOSDEM_logo.svg" style="height: 70px;">
+ </section>
+
<section data-background-color="white">
<img class="fragment" src="images/fosdem2014-1.png" width="100%">
@@ -153,7 +172,7 @@
<section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<p>Who am I</p>
<ol>
- <li>Holger Levsen / holger at debian.org, located in Hamburg, Germany. Born at 329 ppm. He/him 🏳️🌈🏳️⚧️.</li>
+ <li>Holger Levsen / holger at debian.org, located in Hamburg, Germany. Born at 329 ppm. He/him. 🏳️🌈🏳️⚧️🖤</li>
<li>Debian user since 1995, contributing since 2001, Debian member since 2007. I ❤️ Debian.</li>
<li><span class="fragment">FOSDEM 2005 was my first love^wFOSDEM. In 2014 we managed to do video for all the rooms for the 1<sup><small>st</small></sup> time.
</span></li>
@@ -621,15 +640,15 @@
</section>
<section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>Our mission</h3>
+ <h3>
+ https://reproducible-builds.org/docs/definition/
+ </h3>
<ul>
- <li class="fragment">Enable anyone to independently verify that a given source produces bit by bit identical results.</li>
- </ul>
- </section>
-
+ <li style="font-size: 80%">When is a build reproducible?</li>
+ <li class="fragment">A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.</li>
+ <li class="fragment" style="font-size: 80%">The relevant attributes of the build environment, the build instructions and the source code as well as the expected reproducible artifacts are defined by the authors or distributors. The artifacts of a build are the parts of the build results that are the desired primary output.<li>
- <section data-background-color="white">
- <img class="fragment" src="images/fosdem2014-2.png" width="100%">
+ </ul>
</section>
<section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
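Review bot: the last added bullet on the definition slide (the one starting "The relevant attributes of the build environment") ends with `<li>` instead of `</li>`, so the item is never closed and an empty list item is opened just before `</ul>`. The same typo is in the copy this commit removes further down, so it was carried along with the move; change the trailing tag to `</li>` here.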
@@ -641,6 +660,10 @@
</ul>
</section>
+ <section data-background-color="white">
+ <img class="fragment" src="images/fosdem2014-2.png" width="100%">
+ </section>
+
<section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<ul>
<li> By 2024 Reproducible Builds has been widely understood:
@@ -654,17 +677,6 @@
</ul></ul>
</section>
- <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>
- https://reproducible-builds.org/docs/definition/
- </h3>
- <ul>
- <li style="font-size: 80%">When is a build reproducible?</li>
- <li class="fragment">A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.</li>
- <li class="fragment" style="font-size: 80%">The relevant attributes of the build environment, the build instructions and the source code as well as the expected reproducible artifacts are defined by the authors or distributors. The artifacts of a build are the parts of the build results that are the desired primary output.<li>
-
- </ul>
- </section>
<section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>How did we get there?</h2>
@@ -689,7 +701,7 @@
<h2>How did we <i>really</i> get there?</h2>
<li>Money / Bitcoin</li>
<li>Edward Snowden / Torbrowser</li>
- <li class="fragment">...and a LOT of work by MANY people over 10 years</li>
+ <li class="fragment">...and a LOT of work by MANY people over MANY years</li>
</section>
<section data-background-color="white">
@@ -771,40 +783,15 @@
</section>
<section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>Ressources about unreproducibilities:</h2>
- <ul>
- <li>422 known issue types in reproducible-notes.git<li>
- <li>https://reproducible-builds.org/docs/</li>
- <li>Lunar's talk at CCCamp 2015</li>
- <span class="fragment">
- <li>It's much easier to show common pitfalls making a package unreproducible than the opposite:</li>
- <li>https://github.com/bmwiedemann/theunreproduciblepackage</li>
- </ul>
- </span>
- </section>
-
- <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>3852 reprodubility related bugs fixed (mostly upstreamed), 301 patches pending...</h3>
- <img src="images/stats_bugs_sin_ftbfs_state.png">
-
- </section>
-
- <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>32000 bugs in 10 years ~= 8 per day</h3>
- <img class="fragment" src="images/stats_bugs_state.png">
-
- </section>
-
- <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>Detour: some unexpected benefits of reproducible builds</h2>
+ <h2>SOURCE_DATE_EPOCH</h2>
<ul>
- <li class="fragment">Lower development costs and increased development speed through less developer time wasted on waiting for builds.</li>
- <li class="fragment">Software development: does this change really have no effect / the desired effect only?</li>
- <li class="fragment">Licence compliance: you can only be sure a binary is Free Software if it can be (re-)build reproducibly from a given source.</li>
- <li class="fragment">Reproducible verified SBOMs.</li>
+ <li>Who knows about SOURCE_DATE_EPOCH?</li>
+ <li class="fragment">Build time stamps are largly meaningless. SOURCE_DATE_EPOCH describes the time of the last modification of the source (in seconds since the Unix epoch).</li>
+ <li class="fragment">Supported by <b>a lot</b> of software today.</li>
+ <li class="fragment">The specification is from 2015 and was updated in 2017.
+ <li class="fragment">https://reproducible-builds.org/docs/source-date-epoch/</li>
</ul>
</section>
-
<section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>diffoscope</h2>
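Review bot: the added SOURCE_DATE_EPOCH bullets carry two defects over from the slide's old position: "largly" should be "largely", and the bullet "The specification is from 2015 and was updated in 2017." has no closing `</li>` before the next `<li class="fragment">`. Browsers will recover from the missing tag, but closing it keeps the fragment order unambiguous.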
@@ -834,17 +821,42 @@
</section>
+ <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>3852 reprodubility related bugs fixed (mostly upstreamed), 301 patches pending...</h3>
+ <img src="images/stats_bugs_sin_ftbfs_state.png">
+
+ </section>
+
+ <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>32000 bugs in 10 years ~= 8 per day</h3>
+ <img class="fragment" src="images/stats_bugs_state.png">
+
+ </section>
+
<section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>SOURCE_DATE_EPOCH</h2>
+ <h2>Ressources about unreproducibilities:</h2>
<ul>
- <li>Who knows about SOURCE_DATE_EPOCH?</li>
- <li class="fragment">Build time stamps are largly meaningless. SOURCE_DATE_EPOCH describes the time of the last modification of the source (in seconds since the Unix epoch).</li>
- <li class="fragment">Supported by <b>a lot</b> of software today.</li>
- <li class="fragment">The specification is from 2015 and was updated in 2017.
- <li class="fragment">https://reproducible-builds.org/docs/source-date-epoch/</li>
+ <li>422 known issue types in reproducible-notes.git<li>
+ <li>https://reproducible-builds.org/docs/</li>
+ <li>Lunar's talk at CCCamp 2015</li>
+ <span class="fragment">
+ <li>It's much easier to show common pitfalls making a package unreproducible than the opposite:</li>
+ <li>https://github.com/bmwiedemann/theunreproduciblepackage</li>
+ </ul>
+ </span>
+ </section>
+
+ <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h2>Detour: some unexpected benefits of reproducible builds</h2>
+ <ul>
+ <li class="fragment">Lower development costs and increased development speed through less developer time wasted on waiting for builds.</li>
+ <li class="fragment">Software development: does this change really have no effect / the desired effect only?</li>
+ <li class="fragment">Licence compliance: you can only be sure a binary is Free Software if it can be (re-)build reproducibly from a given source.</li>
+ <li class="fragment">Reproducible verified SBOMs.</li>
</ul>
</section>
+
<section data-background-color="white">
<img src="images/logo.png" width="584">
<h3>https://reproducible-builds.org</h3>
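Review bot: the re-added "Ressources about unreproducibilities" slide is mis-nested: `<span class="fragment">` opens inside the `<ul>` around two `<li>` elements and is closed after `</ul>`. Put `class="fragment"` on those two `<li>` elements and drop the span. In the same hunk, the "422 known issue types" bullet ends with `<li>` instead of `</li>`, and there are three spelling slips worth fixing while the slides are being moved: "reprodubility" (reproducibility), "Ressources" (Resources) and "(re-)build reproducibly" ((re-)built).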
@@ -940,9 +952,26 @@ Warpforge.
</p>
</section>
+ <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h2>Detour: more unexpected benefits of reproducible builds</h2>
+ <ul>
+ <li class="fragment">https://bootstrappable.org began as breakout session at the Reproducible Builds Summit 2016 in Berlin.</li>
+ <li class="fragment"><em>as I understand it</em> is about bootstrapping toolchain binaries from sources <em>only</em>, so it starts with a handwritten 500 byte sized assembler code, which builds another assembler and then assembles some more, until it can build mes, which can build tinyCC, which can build an ancient GCC which then can build an another ancient GCC, which then can be used to build modern GCC and the rest of the universe.
+ </ul>
+ </section>
+
+ <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h2>Detour: more unexpected benefits of reproducible builds</h2>
+ <ul>
+ <li>https://bootstrappable.org began as breakout session at the Reproducible Builds Summit 2016 in Berlin.</li>
+ <li>Since October 2019, Guix bootstraps by using MesCC—the small C compiler that comes with Mes—to build TinyCC, which is used to build GCC 2.95.0, which then builds GCC 4.7.4. Version 4.7 is the last version of GCC to not require a C++ compiler.<small>(quoted from bootstrappable.org)</small></li>
+ </ul>
+ </section>
+
+
<section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>Reproducible Builds Summit</h2>
- <li style="font-size: 300%">2024</li>
+ <li class="fragment" style="font-size: 300%">2024</li>
<li class="fragment">where?</li>
<li class="fragment">when?</li>
<li class="fragment">We need a location for 50 people.</li>
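Review bot: the second bullet of the first new bootstrappable.org slide has no closing `</li>`, and its sentence has no subject ("as I understand it is about bootstrapping ..."); it also reads "an another ancient GCC". The two new slides share the same `<h2>` and first bullet, so if the second one (with the quote from bootstrappable.org) is meant to replace the first draft, one of them should go before the talk; if both stay, give them distinct headings.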
@@ -954,8 +983,7 @@ Warpforge.
<h3>Reproducible-builds.org funding</h3>
<ul>
<li class="fragment">r-b.o is a Software Freedom Conservancy (SFC) project since 2018, currently funding Chris Lambs, Mattia Rizzolo, Vagrant Cascadian and myself.</li>
- <li class="fragment">Funding needed for the next summit in 2024.<li>
- <li class="fragment">Funding needed to support our continous work: community work, fixing upstreams, developing software, designing processes & POCs...</li>
+ <li class="fragment">Funding needed to support our continous work: community work, fixing upstreams, developing software, designing processes, the yearly summit...</li>
<li class="fragment">Thank you! ❤️ </li>
</ul>
</section>
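Review bot: "continous" in the rewritten funding bullet should be "continuous". Folding the summit into this bullet also removes the only explicit mention that the 2024 summit itself needs funding; if that ask is still intended, keep it visible here or on the summit slide.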
=====================================
2024-02-03-R-B-the-first-10-years/todo
=====================================
@@ -1,30 +1,24 @@
+read policy slides
+
2 big news 2023/2024: testing migration & rebuilder snapshot
forky+1: unreproducible packages are still ok, but only as whitelisted exceptions?
table trixie forky forky+1 +2
-a very short slide: side-effects: bootstrappable.org / mes / stage0
-Since October 2019, Guix bootstraps by using MesCC—the small C compiler that comes with Mes—to build TinyCC, which is used to build GCC 2.95.0, which then builds GCC 4.7.4. Version 4.7 is the last version of GCC to not require a C++ compiler.
-(quote from bootstrappable.org)
snapshot.d.o
archlinux archive.org
ubuntu nice with launchpad
fedora and suse: no idea
-trust path in debian
- packages file
- signed release file
- debs
rebuilder-snapshot
explain the idea based on the observed numbers
#42
metasnap
sideremark:
- a bit jealous on snapshot.ubuntu.com
someone should please do a reproducible binary fork of debian stable.
or another reproducible distro!
-maint help wanted
- debian ci is quite broken atm
- help wanted
+
+
+
what is success?
"theoretical?" & for users?
help wanted
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/7e5421aa68ef5c81951030019e364cf1014da370