[Git][reproducible-builds/reproducible-presentations][master] fosdem 2024: final polishing done.

Holger Levsen (@holger) gitlab at salsa.debian.org
Mon Feb 12 13:15:29 UTC 2024



Holger Levsen pushed to branch master at Reproducible Builds / reproducible-presentations


Commits:
c3e8fb71 by Holger Levsen at 2024-02-12T14:03:23+01:00
fosdem 2024: final polishing done.

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -


3 changed files:

- − 2024-02-03-R-B-the-first-10-years/\
- 2024-02-03-R-B-the-first-10-years/index.html
- 2024-02-03-R-B-the-first-10-years/todo


Changes:

=====================================
2024-02-03-R-B-the-first-10-years/\ deleted
=====================================
@@ -1,915 +0,0 @@
-<!doctype html>
-<html lang="en">
-
-<!--
-
-TODO:
-
-- hide slides which are too debian specific but might be useful later in a more debian specific talk.
-- try not to assume knowledge about debian release processes.
-- /docs/history 
-- update contributors (seth, more?)
-
-slide: maybe the talk title should have been: _my_ first 10 years...
-slide: disclaimer: i'm a debian dd but i run tests for a lot of other projects, with more or less help/usage from them.
-slide: r-b is now barely a teenie. I look forward to it being grown up, so in 8 years, I hope to be able to let it go.
-slide: this talk is about my r-b story since 10y. r-b existed at least 30y ago.
-slide: what is r-b (intro etc.)
-slide: why? threat models
-slide: supply chain attacks. SBOM. presidental directive.
-slide: what does this mean for free software? unclear, but we do the technical groundwork & non black boxes *require* open source.
-slide: but lets go back...
-slide: gcc r-b in 199x
-slide: mail from 1997
-slide: bitcoin & torbrowser in 2012
-slide: debconf13
-slide: ccc talk 2013
-slide: fosdem 2014
-slide: camp 2015
-slide: SOURCE_DATE_EPOCH 1.0 2015, 1.1 2017
-slide" build path variation: 2023: don't do it. Bug#1034424: buildd.debian.org: Please use predictible build paths
-	(for Debian folks: no more build path variation in unstable)
-slide: r-b summits, 5 so far, next to come.
-slide: talks at debconfs
-slide: funding: first LF, now an SFC project. I like the SFCs focus on freedom.
-slide: 2017: debian-policy: should
-slide: 2023 debian bullseye: will be explained in a bit :)
-slide: recent mail from wireguard
-slide: distro details:
-slide: free- & netbsd
-slide: fedora (show makro enabled thing)
-slide: archlinux (mention: they are great. have rebuilders. pacman-bintrans a model for debian and everyone else.)
-slide: f-droid
-slide: nix
-slide: guix
-slide: honorable mention: trisqel
-slide: ubuntu, mint, rhel
-slide: macos, windows, google android
-slide: debian:
-slide:
-	columns: stretch buster bullseye bookworm
-	rows: amd64 arm64 i386 armhf with percentages
-slide: now: teh future!
-slide: recap: we all support SOURCE_DATE_EPOCH
-	/docs/source-date-epoch/
-slide: recap: .buildinfo files / SBOM
-	recorded or predictable/static buildpath
-	(for Debian folks: no more build path variation in unstable)
-slide: SBOMs are boring, we know them since 2014 or so.
-	verified SBOMs are cool: = have been used to verify = reproduce a build
-slide: trixie, forky & probably 2 more until 100% reproducible Debian stable.
-	100% reproducible is a politcal task, not technical.
-slide: rebuilders (rebuild Debian on every point release? as in: publish those .buildinfo files as one tar archive maybe?)
-slide: technically eventually "done"/doable, but practically?
-slide: personally, i want to finish this. by 2030: no more unreproducible builds in Debian stable.
-slide: we need you. *i* need you. :) we need each other.
-slide: r-b, the only way you can be sure the binary you are running is the free software you think you are running.
-	or in SBOM speak: ... ("you bought"? :)
-
--->
-
-<head>
-  <meta charset="utf-8">
-  <title>Reproducible Builds - the first ten years</title>
-  <meta name="apple-mobile-web-app-capable" content="yes">
-  <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
-
-  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, minimal-ui">
-
-  <link rel="stylesheet" href="css/reveal.css">
-  <link rel="stylesheet" href="css/theme/black.css" id="theme">
-
-  <style type="text/css">
-  li {
-    margin-top: 28px !important;
-    list-style-type: none !important;
-  }
-  ul ul li {
-    margin-top: 16px !important;
-  }
-  * {
-    text-transform: none !important;
-  }
-  a {
-    color: inherit !important;
-  }
-  code {
-    font-size: 90% !important;
-  }
-  .text-center {
-    text-align: center;
-  }
-
-  .reveal section img {
-    border: none;
-    box-shadow: none;
-    background-color: inherit;
-  }
-  .reveal pre code {
-    overflow: inherit !important;
-    max-height: inherit !important;
-    padding: 0 0 20px 20px;
-  }
-
-  .thanks {
-    width: 100%;
-    margin-top: 120px !important;
-    border-radius: 5px;
-    background-color: white;
-  }
-
-  .thanks img {
-    border: 0;
-  }
-
-  .text-left {
-    text-align: left;
-  }
-
-  .text-right {
-    text-align: right;
-  }
-
-  .pull-left {
-    float: left;
-  }
-
-  .pull-right {
-    float: right;
-  }
-
-  section h4 {
-    font-weight: normal;
-    font-size: 80%;
-  }
-
-  table.hash-example td {
-    border: none;
-    padding-right: 2em;
-    padding-bottom: 0.8em;
-  }
-
-  table.hash-example tr.good code {
-    color: lightgreen;
-  }
-
-  table.hash-example tr.bad code {
-    color: #ff2222;
-  }
-
-  table.involved {
-    margin-top: 2em;
-  }
-
-  table.involved td {
-    border: none;
-    padding-left: 3em;
-    padding-bottom: 0.4em;
-  }
-  .pics td {
-    border-bottom: 0 !important;
-    padding: 0 15px 0 15px !important;
-  }
-
-  .pics img {
-    height: 190px;
-  }
-  </style>
-
-  <!--[if lt IE 9]>
-  <script src="lib/js/html5shiv.js"></script>
-  <![endif]-->
-
-  <script>
-  var link = document.createElement('link');
-  link.rel = 'stylesheet';
-  link.type = 'text/css';
-  link.href = window.location.search.match( /print-pdf/gi ) ? 'css/print/pdf.css' : 'css/print/paper.css';
-  document.getElementsByTagName('head')[0].appendChild( link );
-</script>
-</head>
-
-<body>
-  <div class="reveal">
-    <div class="slides">
-      <section>
-        <br>
-        <h3>
-	Reproducible Builds <br>the first ten years
-        </h3>
-        <br>
-        <img src="images/reprobuilds-display.jpeg" style="height: 220px; border-radius: 10px;">
-        <br>
-       
- <h6>
-          <small>
-          Holger Levsen<br>
-	foss-north 2023
-          </small>
-        </h6>
-        <img src="images/fn-logo.png" style="height: 70px;">
-      </section>
-
-      <section>
-          <p style="font-size: 120%"><em>
-	        where we come from and where we are going
-		<span class="fragment">
-			<br>or<br>
-			the last mile and other lightyears ahead
-		</span>
-		<span class="fragment">
-			<br>or<br>
-			I still haven't found what I'm looking for
-		</span>
-	</em>
-          </p>
-      </section>
-      <!--========================================================= -->
-
-
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>very incomplete list of people<br>who have been working on <em>this</em></h3>
-<p style="font-size: 50%">
-
-	<!-- taken from website.git/_data/contributors.yml -->
-
-           akira
-    • Alexander Bedrossian
-    • Alexander Borkowski
-    • Alexander Couzens (lynxis)
-    • Alexis Bienvenüe
-    • Alex Wilson
-    • Allan Gunn (gunner)
-    • Amit Biswas
-    • Anders Kaseorg
-    • Andrew Ayer
-    • anonmos1
-    • Anoop Nadig
-    • Arnout Engelen
-    • Asheesh Laroia
-    • Atharva Lele
-    • Ben Hutchings
-    • Benjamin Hof
-    • Bernhard M. Wiedemann
-    • Boyuan Yang
-    • Brett Smith
-    • Calum McConnell
-    • Carl Dong
-    • Ceridwen
-    • Chris Lamb
-    • Chris Smith
-    • Christoph Berg
-    • Christopher Baines
-    • Chris West
-    • Cindy Kim
-    • Clemens Lang
-    • Clint Adams
-    • Dafydd Harries
-    • Daniel Edgecumbe
-    • Daniel Kahn Gillmor
-    • Daniel Shahaf
-    • Daniel Stender
-    • David A. Wheeler
-    • David Bremner
-    • David del Amo
-    • David Prévot
-    • David Suarez
-    • Dhiru Kholia
-    • Dhole
-    • Drakonis
-    • Drew Fisher
-    • Ed Maste
-    • Edward Betts
-    • Eitan Adler
-    • Elio Qoshi
-    • Eli Schwartz
-    • Emanuel Bronshtein
-    • Emmanuel Bourg
-    • Esa Peuha
-    • Fabian Keil
-    • Fabian Wolff
-    • Felix C. Stegerman
-    • Feng Chai
-    • Frédéric Pierret (fepitre)
-    • Georg Faerber
-    • Georg Koppen
-    • Gonzalo Bulnes Guilpain
-    • Graham Christensen
-    • Guillem Jover
-    • Hannes Mehnert
-    • Hans-Christoph Steiner
-    • Harlan Lieberman-Berg
-    • heinrich5991
-    • Helmut Grohne
-    • Hervé Boutemy
-    • Holger Levsen (h01ger)
-    • HW42
-    • Ian Muchina
-    • intrigeri
-    • jajajasalu2
-    • Jakub Wilk
-    • James Fenn
-    • Jan Nieuwenhuizen
-    • Javier Jardón
-    • Jelle van der Waa
-    • Jelmer Vernooij
-    • Jérémy Bobbio (lunar)
-    • Johannes Schauer Marin Rodrigues
-    • John Scott
-    • Joshua Lock
-    • Joshua Watt
-    • Juan Picca
-    • Juri Dispan
-    • Justin Cappos
-    • kpcyrd
-    • Kushal Das
-    • Levente Polyak
-    • Liyun Li
-    • Ludovic Courtès
-    • Ludovic Courtès
-    • Lukas Puehringer
-    • Maliat Manzur
-    • marco
-    • MarcoFalke
-    • Marcus Hoffmann (bubu)
-    • Marek Marczykowski-Górecki
-    • Maria Glukhova
-    • Mariana Moreira
-    • marinamoore
-    • Mathieu Bridon
-    • Mathieu Parent
-    • Mattia Rizzolo
-    • Michael Pöhn
-    • Morten Linderud
-    • Muz
-    • Mykola Nikishov
-    • Nick Gregory
-    • Nicolas Boulenguez
-    • Nicolas Vigier
-    • Niels Thykier
-    • Niko Tyni
-    • Omar Navarro Leija
-    • opi
-    • Oskar Wirga
-    • Paul Gevers
-    • Paul Spooren
-    • Paul Wise
-    • Peter Conrad
-    • Peter De Wachter
-    • Peter Wu
-    • Philip Rinn
-    • Profpatsch
-    • Reiner Herrmann
-    • Richard Purdie
-    • Robbie Harwood
-    • Roland Clobus
-    • Santiago Torres
-    • Santiago Vila
-    • Sascha Steinbiss
-    • Satyam Zode
-    • Scarlett Clark
-    • Simon Schricker
-    • Snahil Singh
-    • Stefano Rivera
-    • Stefano Zacchiroli
-    • Stéphane Glondu
-    • Steven Adger
-    • Steven Chamberlain
-    • Sylvain Beucler
-    • Thomas Vincent
-    • Tianon Gravi
-    • Tobias Stoeckmann
-    • Tom Fitzhenry
-    • Ulrike Uhlig
-    • Vagrant Cascadian
-    • Valentin Lorentz
-    • Valerie R Young
-    • Vipul
-    • Wookey
-    • Ximin Luo
-	</p>
-<p style="font-size: 42%">
- (Huge sorry if YOU are missing, please lets fix this. I'd think there should probably be 50 more people on this list at least..!)
-</p>
-	  </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <p>Who am I</p>
-        <ol>
-          <li>Holger Levsen / holger at debian.org</li>
-          <li>Debian user since 1995, contributing since 2001, Debian member since 2007</li>
-          <li>Located in Hamburg, Germany</li>
-          <li>Working on Reproducible Builds since 2014</li>
-     </ol>
-      </section>
-
-    
-   <section data-background-color="white">
-        <img class="fragment" src="images/logo.png" width="584">
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h1>Introduction</h1>
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Introduction</h3>
-        <ul>
-          <li class="fragment">Who knows about Reproducible Builds, why and how?</li>
-          <li class="fragment">Who contribute(s|d) to Reproducible Builds?</li>
-          <li class="fragment">Who knew that Reproducible Builds are known for more than 10 years?</li>
-      </ul>
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>The problem</h3>
-        <ul>
-          <li class="fragment">Source code of free software available</li>
-          <li class="fragment">…most people install pre-compiled binaries</li>
-          <li class="fragment"><strong>No one knows whether they really correspond.</strong></li>
-          <li class="fragment">As a result there are various classes of supply chain attacks.</li>
-        </ul>
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>The solution</h3>
-        <ul>
-          <li class="fragment">Enable anyone to independently verify that a given source produces bit by bit identical results.</li>
-          <li class="fragment">Reproducible Builds are an important building block in making supply chains more secure. Nothing more, nothing less.</li>
-          <li class="fragment">As a side effect: you can only be sure a binary is free software if it has been reproduced. <em>Someone elses binary is only </em>certainly<em> free software if it's reproducible!</em></li>
-        </ul>
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>The definition</h3>
-        <ul>
-          <li style="font-size: 80%">When is a build reproducible?</li>
-          <li class="fragment">A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.</li>
-          <li class="fragment">The relevant attributes of the build environment, the build instructions and the source code as well as the expected reproducible artifacts are defined by the authors or distributors. The artifacts of a build are the parts of the build results that are the desired primary output.<li>
-	  <li class="fragment">https://reproducible-builds.org/docs/definition/</li>
-
-        </ul>
-      </section>
-
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <p>I'll mostly ignore <em>why</em> and <em>how to do such builds</em> today.</p>
-        <p class="fragment">I'll just mention that by now this has been widely understood as a problem: 
-		<br><span style="font-size: 70%">https://www.whitehouse.gov/briefing-room/statements-releases/2021/06/08/...</span></li>
-        <p class="fragment">So today I will give a short overview about various projects and then I'll explain the situation in Debian.</p>
-      </section>
-
-      <section data-background-color="white">
-        <img src="images/logo.png" width="584">
-        <h3>https://reproducible-builds.org</h3>
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Short overview of reproducibility of other projects (all AIUI)</h3>
-   	<ul class="fragment">Tails: "easy", pragmatically "solved" but not systematically...
-        <li class="fragment">Arch Linux: has rebuilders, though also lacks user tools and/or other integration</li>
-	<pre class="fragment">
-Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
-[core] repository is 93.3% reproducible with 17 bad and 238 good packages.
-[extra] repository is 94.1% reproducible with 171 bad and 2860 good packages.
-[community] repository is 83.8% reproducible with 1481 bad and 7674 good packages.
-</pre>
-        <li class="fragment">SuSE: active development, by one person, not enabled in official builds</li>
-        </ul>
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Short overview of reproducibility of other projects (all AIUI), continued</h3>
-	<li class="fragment">nixOS: https://r13y.com: 1570 out of 1572 (99.87%) paths in the minimal installation image are reproducible!</li>
-        <li class="fragment">GNU Guix: also reproducible by design (like nixOS) - <em>guix-challenge</em></li>
-        <li class="fragment">Yocto: support for reproducible images</li>
-        <li class="fragment">F-Droid: supports reproducible builds though no UI (manual web crawling needed) nor promises<ul>
-        <li class="fragment">"Corona Contract Tracing German": update problem due to unreproducibility</li></ul></li>
-        </ul>
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Short overview of reproducibility of other projects (all AIUI), continued</h3>
-	<li class="fragment">Alpine: basic support</li>
-        <li class="fragment">FreeBSD/NetBSD/OpenBSD: basic support</li>
-        <li class="fragment">Fedora/Redhat/Ubuntu: not interested it seems</li>
-        </ul>
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Summary of reproducibility of other projects (all AIUI)</h3>
-   	<p>Many projects support reproducible builds by now, but it's unclear what that means, how it's enforced and how users can know and be confident...</p>
-	<p class="fragment">We still haven't found what we're looking for.</p>
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Summary of reproducibility of other projects (all AIUI)</h3>
-   	<p>Many projects support reproducible builds by now, but it's unclear what that means, how it's enforced and how users can know and be confident...</p>
-	<p>We mostly still haven't found what we're looking for, because it's really hard. <br>For example: without 100% it's basically impossible to do a sensible user experience.</p>
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-	<h3>Some more tips</h3>
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>I probably didn't backdoor this</h3>
-	<li>https://github.com/kpcyrd/i-probably-didnt-backdoor-this</li>
-        <li class="fragment">a fine manual...</li>
-        <li class="fragment">simple <em>hello world</em> in Rust</li>
-        <li class="fragment">Reproducing the ELF binary</li>
-        <li class="fragment">Reproducing the Docker image</li>
-        <li class="fragment">Reproducing the Arch Linux package</li>
-        </ul>
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>The unreproducible package</h3>
-	<li>https://github.com/bmwiedemann/theunreproduciblepackage</li>
-        <li class="fragment">It's much easier to show common pitfalls making a package unreproducible than the opposite...</li>
-        </ul>
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>https://reproducible-builds.org/docs</h3>
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Debian</h3>
-     </section>
-
- 
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3><em>Reproducible Builds were first discussed at DebConf13...</em></h3>
-	<p>..in a BoF hosted by Lunar sparking all of this. DebConf14 had another BoF.</p>
-	<p class="fragment">Automated test builds at the end of 2014.</p>
-	<p class="fragment">FOSDEM 2015: getting the wider FLOSS community involved.</p>
-	<p class="fragment">diffoscope!</p>
-	<p class="fragment">First summit at the end of 2015 in Athens.</p>
-
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3><em>DebConf15 had four people giving the talk...</em></h3>
-       <img src="images/dc15_1.jpg" width="85%">
-
-     </section>
-
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3><em>“How can we get this done...???”</em></h3>
-	<p>We wondered at the beginning of the <em>Stretch</em> development cycle.</p>
-	        <img src="images/dc15_2.jpg" width="85%">
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3><em>Reproducible talks at least...?</em></h3>
-	<p>DebConf16</p>
-	<p>DebConf17</p>
-	<p>DebConf18</p>
-	<p>DebConf19</p>
-	<p>DebConf20</p>
-	<p>DebConf21</p>
-
-        <p class="fragment">“I feel I have given warnings that the next Debian release will not be reproducible for years.” <span class="fragment">is a quote from last years.</span></p>
-        <p class="fragment">...and I feel fine! 😀</p>
-
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3><em>Schrödingers h01ger: frustrated and happy.</em></h3>
-
-        <p>Indeed I have given warnings that the next Debian release will not be reproducible for years...</p>
-        <p>...and I feel fine! 😀</p>
-        <p class="fragment">Let me explain. First the frustration...</p>
-
-     </section>
-
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Debian <em>9 / stretch</em></h3>
-        <p>The "reproducible in theory but not in practice" release</p>
-        <h3>Debian <em>10 / buster</em></h3>
-        <p>The "we could be reproducible but we are not" release</p>
-        <h3>Debian <em>11 / bullseye</em></h3>
-        <p>The "we are almost there but still haven't sorted out some requirements" release</p>
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Debian <em>9 / stretch</em></h3>
-        <p>The "reproducible in theory but not in practice" release</p>
-        <h3>Debian <em>10 / buster</em></h3>
-        <p>The "we could be reproducible but we are not" release</p>
-        <h3>Debian <em>11 / bullseye</em></h3>
-        <p>The "we are almost made it" release</p>
-        <h3>Debian <em>12 / bookworm</em></h3>
-        <p>The first Debian release with some meaningful reproducibility?</p>
-      </section>
-
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <p>The previous two slides were from last year...</p>
-	<br>
-        <h3>Debian <em>12 / bookworm</em></h3>
-        <p>The first Debian release with some meaningful/usable reproducibility?!?</p>
-        <h3 class="fragment">Debian <em>13 / trixie</em></h3>
-        <p class="fragment">I still haven't found what I'm looking for</p>
-      </section>
-
-
-      <!--========================================================= -->
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Debian issues in depth</h3>
-      </section>
-
-
-      <!-- issues in-depth -->
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>93% reproducibility is a lie.</h3>
-        <p class="fragment">or rather: 93% are CI results.</p>
-        <p class="fragment">I explain what's "wrong" with CI results in a moment...</p>
-
-      </section>
-
-  <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>93% reproducibility is neither a lie nor useless...</h3>
-	        <img class="fragment" src="images/stats_bugs_state.png">
-
-      </section>
-    
-  <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>93% reproducibility is neither a lie nor useless...</h3>
-	        <img  src="images/stats_bugs_sin_ftbfs_state.png">
-
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>That number (93%) was wrong/from two years ago</h3>
-	<ul>
-
-        <li>we are at 96.0% (29674 out of 30895 source packages) CI reproducibiliy for bullseye now.<p>
-        <li class="fragment">that's almost 2% up compared to buster (93.9%)</li>
-        <li class="fragment">or almost 3000 more reproducible packages (29674 instead of 26682 in buster)</li>
-        <li class="fragment">or even more impressive: we've solved one third of the remaining 6% buster had...</li>
-	</ul>
-
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Did I say <em>bullseye</em>?</h3>
-	<ul>
-        <li class="fragment">4 weeks ago we were at 94.8% (30482 out of 32153 source packages) CI reproducibiliy for <em>bookworm</em>.</li>
-	<li class="fragment">YAY.</li>
-	</ul>
-
-      </section>
-
-
-
-  <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>Then, since "Hamburg", something broke and we're at:</h3>
-	<ul>
-		<li>93.0% for bookworm/amd64</li>
-		<li>93.7% for bookworm/arm64</li>
-		<li>but why ???</li> 
-	</ul>
-
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>why 93.x% for bookworm now?</h3>
-	        <img  src="images/stats_pkg_state.png">
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>why 93.x% for bookworm now?<br> because haskell FTBFS...</h3>
-	        <img  src="images/stats_meta_pkg_state_maint_pkg-haskell-maintainers.png">
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>CI versus rebuilds:</h3>
-	<ul>
-        <li>We have no <strong>Debian</strong> infrastructure rebuilding Debian packages. The reproducible-builds.org rebuilders are builders, not rebuilders.</li>
-	<li> That's why I called 93% (or whatever) a "lie".</li>
-        <li style="font-size: 90%">Up until recently we had two main blockers for rebuilders:</li>
-	<ul style="font-size: 80%">
-         <li class="fragment">>3000 packages without .buildinfo files, fixed by myself in February 2021 and in June 2022.</li>
-         <li class="fragment">snapshot.debian.org was (and is) unusable for rebuilds, fixed by Frédéric Pierret and josch since June 2021, by providing a partial mirror for amd64 only and only going back until January 2017.</li>
-
-	</ul>
-	</ul>
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>CI versus rebuilds:</h3>
-	<ul>
-        <li class="fragment">We have no <strong>Debian</strong> infrastructure rebuilding Debian packages. The reproducible-builds.org rebuilders are builders, not rebuilders.</li>
-	<li class="fragment">https://beta.tests.reproducible-builds.org/debian <em>is showing</em> rebuilds of ftp.debian.org - huge thanks to Frédéric Pierret for this PoC.</li>
-        <li class="fragment">Sadly, Frédéric's rebuilder is down atm...</li>
-        <li class="fragment">And one rebuilder is not good enough also. It's a start though:</li>
-	</ul>
-	</ul>
-      </section>
-
-  <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h4>https://beta.tests.reproducible-builds.org/debian</h4>
-	        <img class="fragment" src="images/bookworm_build-essential.amd64+all.png">
-
-      </section>
-
-
-  <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h4>https://beta.tests.reproducible-builds.org/debian</h4>
-	        <img src="images/bookworm_key_packages.amd64+all.png">
-
-      </section>
-
-  <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h4>https://beta.tests.reproducible-builds.org/debian</h4>
-	        <img src="images/bookworm_full.amd64+all.png">
-
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h4>https://beta.tests.reproducible-builds.org/debian</h4>
-       	<ul>
-   	unreproducible in build-essential:
-	<li>linux</li>
-	<li>gcc</li>
-	</ul>
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h4>https://beta.tests.reproducible-builds.org/debian</h4>
-       	<ul>
-	<li>amd64 only, also because our snapshot mirror is amd64 only</li>
-	<li>one rebuilder only, not several (and at least some should run on Debian ressources)</li>
-	<li class="fragment">one person maintaining this so far. Thank you very much, Frédéric Pierret, and sorry too.</li>
-      </section>
-
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>working around snapshot.debian.org</h3>
-	<ul>
-  <li class="fragment">snapshot.debian.org was (and is) unusable for rebuilds, fixed by Frédéric Pierret and josch since June 2021, by providing a partial mirror for amd64 only and only going back until January 2017.</li>
-        	<li class="fragment">without "a working" snapshot.debian.org (it works, "just" not for our usecases) we cannot have reproducible Debian...</li>
-		<li class="fragment">sadly snapshot.notset.fr is currently down and snapshot.reproducible-builds.org ist not yet up... :/</li>
-	</ul>
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>improvements to our snapshot.debian.org mirror</h3>
-	<ul>
-		<li class="fragment">https://salsa.debian.org/freexian-team/project-funding/-/merge_requests/14</li>
-     		<li class="fragment">soon to be hosted at OSUOSL as snapshot.reproducible-builds.org</li>
-  		<li class="fragment">we want at least arm64 too, though that needs more than just HW. See the MR above.</li>
-	</ul>
-     </section>
-
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>"Solved" problems with <code>.buildinfo</code> files</h3>
-       	<ul style="font-size: 98%">
-	<li class="fragment">we had >3000 packages without .buildinfo files, I NMUed all of them (with the help of David Bremner!) 😇 Just NEW ones will keep coming...</li>
-        <li class="fragment">buildinfos.debian.net is just a proof of concept, but it works around #862073, #763822, #862538, #929397 well enough.</li>
-	<li class="fragment">GPG keys expire, so we just ignore signatures...</li>
-	</ul>
-      </section>
-
-
-
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>And then, meaningful reproducibilty of Debian is still not possible because:</h3>
-       	<ul>
-        <li class="fragment">linux, gcc and glibc are our current blockers getting <em>build-essential</em> reproducible in <em>bookworm</em>.</li>
-        <li class="fragment">Debian installer images are not reproducible in <em>bullseye</em>.</li>
-        <li class="fragment">Debian Live images are not reproducible in <em>bullseye</em>.</li>
-        <li class="fragment">Sadly "bullseye" was not a typo in the last two lines. :(</li>
-	</ul>
-
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>meaningful reproducibilty of Debian d-i images<br>(amd64 only)</h3>
-       	<ul>
-        <li class="fragment">Debian installer images, are reproducible when build from git, as shown by Roland Clobus. The problem here is that automated testing of d-i images fails almost constantly in sid and testing...</li>
-	</ul>
-
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>meaningful reproducibilty of Debian live images<br>(amd64 only)</h3>
-       	<ul>
-        <li class="fragment">Debian Live images are reproducible using <em>live-build</em> as shown by Roland Clobus.</em>.</li>
-       	<ul>
-        <li class="fragment">reproducible package installation != reproducible packages</li>
-        <li class="fragment">future of Debian live images uncertain, though we have 3 choices now: none, unreproducible or reproducible.</em></li>
-	</ul>
-	</ul>
-
-     </section>
-
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>more on d-i and live images</h3>
-       	<ul>
-        <li class="fragment">Roland Clobus gave a talk at the Debian Reunion Hamburg about his efforts to revive live-images.</li>
-        <li class="fragment">Roland and Phil Hands are working together to get those images tested for functionality as well, using https://openqa.debian.net.</li>
-        <li class="fragment">There's a "Debian installer and images team BoF" happening now, though I don't know if live images will be covered there.</li>
-	</ul>
-
-     </section>
-
-
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3><em>other issues, release team area</em></h3>
-       	<ul>
-        <li>We are very happy that testing migration is blocked for binary uploads.</li>
-        <li class="fragment">We very much like the idea of accellerating migration for reproducibility.</li>
-        <li class="fragment">Debian policy: too early for "must", but maybe for <em>trixie</em> we can have "must not regress"?</li>
-	</ul>
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3><em>other issues, salsa CI related</em></h3>
-       	<ul>
-        <li>"btw", <em>reprotest</em> is basically unmaintained upstream.</li>
-	</ul>
-     </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>bookworm goals</h3>
-	6 months until the freeze.
-	<ul>
-    	<li class="fragment">0 packages without .buildinfo files..</li>
-    	<li class="fragment">build-essential reproducible.</li>
-    	<li class="fragment">d-i images reproducible.</li>
-    	<li class="fragment">live images reproducible.</li>
-    	<li class="fragment">more archs on our snapshot mirror (arm64?).</li>
-    	<li class="fragment">a 2nd rebuilder of ftp.debian.org. and a 3rd...</li>
-	</ul>
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3>trixie goals</h3>
-	<ul>
-    	<li class="fragment">snapshot.debian.org usable for mass rebuilds by many users for all architectures.</li>
-    	<li class="fragment">more rebuilders! (instead of more CI builders)</li>
-    	<li class="fragment">0 bugs with patches unuploaded. Currently there are 292 of these. 2 NMUs per week, uploaded to DELAYED/15.</li>
-    	<li class="fragment">#863622: apt: warn when installing packages that are not reproducible</li>
-    	<li class="fragment">.buildinfo files known and used by <code>dak</code>.</li>
-	</ul>
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <h3><em>post</em> trixie goals</h3>
-	<ul>
-    	<li class="fragment">I still haven't found what I'm looking for...!</li>
-    	<li class="fragment">100% reproducible packages and distributed images for <code>trixie+1</code>?</li>
-    	<li class="fragment">What else?</li>
-    	<li class="fragment">A liveable planet would also be really really nice. 🥵😱 Kinda off-topic here, but I still wanted to at least once mention the big elephant in every room. 🐘 </li>
-	</ul>
-      </section>
-
-      <section data-background="images/fn-logo.png" data-background-size="12%" data-background-position="90% 10%">
-        <br>
-        <h3>
-          Thank you
-          <br><small>… and all the contributors out there!</small>
-        </h3>
-        <p class="fragment">Do you think reproducible builds should happen?<br> If so, please pick <em>one</em> of these bugs and help fixing.<br />We need your help.</p>
-       	<p class="fragment">https://wiki.debian.org/ReproducibleBuilds</p>
- <br>
-        <p class="fragment"><em>I still haven't found what I'm looking for <br> but I'm confident we'll get there, eventually!</em></p>
-        <h3>
-          <small>Holger Levsen <holger at debian.org><br>
-		B8BF 5413 7B09 D35C F026  FE9D 091A B856 069A AA1C</small>
-        </h3>
-      </section>
-
-    </div>
-  </div>
-
-
-
-  <script src="lib/js/head.min.js"></script>
-  <script src="js/reveal.js"></script>
-  <script>
-    Reveal.initialize({
-      controls: false,
-      progress: false,
-      history: true,
-      keyboard: {
-        13: 'next',
-        38: 'next',
-         9: 'prev',
-        40: 'prev'
-      }
-    });
-  </script>
-</body>
-</html>
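
Review bot: the commit message ("final polishing done") does not mention that a 915-line file literally named `\` is deleted here, so the removal will be hard to find later; a second line in the message such as "remove stray file `\`" would cover it. The deleted deck also opens with its own TODO comment block, so if any of those items are still wanted they should be carried over to `todo` before this file disappears from the tree.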


=====================================
2024-02-03-R-B-the-first-10-years/index.html
=====================================
@@ -295,7 +295,6 @@
     • Levente Polyak
     • Liyun Li
     • Ludovic Courtès
-    • Ludovic Courtès
     • Lukas Puehringer
     • Maliat Manzur
     • marco
@@ -355,6 +354,7 @@
     • Stéphane Glondu
     • Steven Adger
     • Steven Chamberlain
+    • Sune Vuorela
     • Sylvain Beucler
     • Thomas Vincent
     • Tianon Gravi
@@ -373,9 +373,8 @@
 	  </section>
 
       <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
-        <h3>according to website.git/_data/contributors.yml</em></h3>
+        <h4>according to https://reproducible-builds.org/who/people/</em></h4>
 
-	<!-- taken from website.git/_data/contributors.yml -->
 <p style="font-size: 66%">
  
 </p>
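
Review bot: the new `<h4>` line still ends in `</em></h4>` with no opening `<em>`, so the unmatched close tag from the old `<h3>` is carried over unchanged; either drop the `</em>` or wrap the URL in `<em>…</em>`. With the `<!-- taken from website.git/_data/contributors.yml -->` comment removed, the heading is now the only record of where the list came from, so it may be worth keeping a short comment that names the source data.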
@@ -478,7 +477,6 @@
     • Levente Polyak
     • Liyun Li
     • Ludovic Courtès
-    • Ludovic Courtès
     • Lukas Puehringer
     • Maliat Manzur
     • marco
@@ -538,6 +536,7 @@
     • Stéphane Glondu
     • Steven Adger
     • Steven Chamberlain
+    • Sune Vuorela
     • Sylvain Beucler
     • Thomas Vincent
     • Tianon Gravi
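
Review bot: this is the second copy of the contributor list getting the same two fixes (the duplicate "Ludovic Courtès" at -295 and -478, "Sune Vuorela" at +354 and +536), so the list is maintained by hand in two places and can drift. Consider generating both copies from one source, or keeping one copy and referencing it, so the next correction only has to be made once.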
@@ -877,8 +876,8 @@
 
       <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2>Projects at Reproducible Builds Summits</h2>
-	<p style="font-size: 77%">Alpine Linux, 
-Apache,
+	<p style="font-size: 77%">
+Alpine Linux, 
 Apache Maven,
 Apache Security,
 Arch Linux,
@@ -887,7 +886,6 @@ Bazel,
 bootstrappable.org,
 Buildroot,
 CHAINS (KTH Royal Institute of Technology),
-Cloud,
 coreboot,
 CoyIM,
 Debian,
@@ -902,8 +900,6 @@ GNU Guix,
 GNU Mes,
 Google,
 Guardian Project,
-Guix,
-Hat,
 Homebrew,
 Huawei,
 Indiana University (IU),
@@ -915,7 +911,6 @@ LEDE,
 LibreOffice,
 Linux,
 MacPorts,
-Maven,
 Max Planck Institute for Security and Privacy (MPI-SP),
 Microsoft,
 MirageOS,
@@ -1239,7 +1234,7 @@ Warpforge.
       <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>Short overview of reproducibility of various projects (AIUI)</h3>
    	<ul>
-	<li class="fragment">this section is outdated and incomplete...</li>
+	<li class="fragment">this section is a bit outdated and incomplete...</li>
 	<li class="fragment">I'm sorry.</li>
 	<li class="fragment">and very happy there's so much great stuff going on!</li>
 	</ul>
@@ -1249,7 +1244,7 @@ Warpforge.
         <h3>Short overview of reproducibility of various projects (AIUI)</h3>
    	<ul>
 	<li class="fragment">Tails: "easy", pragmatically solved.</li>
-        <li class="fragment">Arch Linux: has rebuilders and snapshot binary archive, though lacks further infrastructure and user tools like <code>pacman-bintrans</code> thus are merely PoCs.</li>
+        <li class="fragment">Arch Linux: has rebuilders and snapshot binary archive, though lacks further infrastructure and thus user tools like <code>pacman-bintrans</code> are PoCs.</li>
         
 	<pre class="fragment">
 Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
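
Review bot: the reworded Arch Linux item ("though lacks further infrastructure and thus user tools like `pacman-bintrans` are PoCs") has no subject for "lacks" and reads as a run-on; something like "but it lacks further infrastructure, so user tools like `pacman-bintrans` are still PoCs" says the same thing cleanly. The "86.4% reproducible" line in the `<pre>` below has no date next to it, which matters on a slide that follows one calling the section outdated.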
@@ -1286,38 +1281,25 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
       <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>Summary of various projects</h3>
 	<ul>
-   	<p>Today many projects support reproducible builds, but it's unclear what that means, how it's enforced and how users can know and be confident.</p>
+   	<p>Today many projects support reproducible builds, but it's often still unclear what that means in detail, how it's enforced and how users can know and be confident.</p>
 	<p class="fragment">I call it reproducible in theory or in CI.</p>
 	<p class="fragment">This is a <em>massive</em> success! This was thought impossible not long ago!</p>
 	</ul>
      </section>
 
-
-
-      <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
-        <img src="images/ccc2014-13.png">
-      </section>
-
-
-
       <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>Theory vs Praxis</h3>
 	<ul>
 	<li>In theory, we are done. In practice, we have shown that reproducible builds can be done in theory.</li>
-	<li class="fragment">Then we also need many rebuilders (!= CI builders) and we need to store the results somewhere and we need to define criterias how tools should treat that data, and then we need those tools...</li>
+	<li class="fragment">Now we also need many rebuilders (!= CI builders) and we need to store the results somewhere and we need to define criterias how tools should treat that data, and then we need those tools...</li>
 	<li class="fragment">And those missing 5% are also crucial however, or at least 1% of them. For Debian, 1% means 300 softwares...</li>
 	
 	</ul>
 	</section>
 
       <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
-        <h3>Summary</h3>
-	<ul>
-   	<li>Many projects support reproducible builds in theory today, but it's unclear what that means in practice and how users can know and be confident.</li>
-	<li class="fragment">This is a huge success.</li>
-	<li class="fragment">This was thought to be impossible a decade ago.</li>
-	</ul>
-     </section>
+        <img src="images/ccc2014-13.png">
+      </section>
 
       <section data-background="images/FOSDEM_logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3>Summary, looking forward</h3>
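
Review bot: in the "Summary of various projects" slide the edited `<p>` line, like the two `<p class="fragment">` lines after it, is still a direct child of `<ul>`, which is not valid list content; either turn them into `<li>` items or drop the surrounding `<ul>`. In the "Theory vs Praxis" slide the rewritten line keeps "criterias" ("criteria" is already the plural), and the relocated `<img src="images/ccc2014-13.png">` has no `alt` text.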
@@ -1345,7 +1327,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
         <br>
         <h1>
           Thank you
-          <br><small>… and all the contributors out there!</small>
+          <br><small>… and all contributors out there!</small>
         </h1>
         <p class="fragment">Any questions? 🤷</p>
 


=====================================
2024-02-03-R-B-the-first-10-years/todo
=====================================
@@ -1,11 +1,11 @@
-the end could be a bit clearer...
+include paper by lamby & zack
 
 list more debian successes
 	live-images	
 	docker/podman images: docker.debian.net
 	d-i (in theory, not tested atm)
 
-explicit community slides?
+explicit community slide?
 	/who/projects
 
 ask projects about their stati! now is time.
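
Review bot: the new todo line "include paper by lamby & zack" gives no title or link, so whoever picks this up later has to guess which paper is meant; add the reference next to it. The item it replaces ("the end could be a bit clearer...") is dropped without a note, which is fine if the reordered closing slides in `index.html` are meant to address it.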



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/c3e8fb71296f685b5c5b62fd60c7c22f4d2e4861
