[Git][reproducible-builds/reproducible-presentations][master] 6 commits: Add skeleton for SeaGL 2024, Two Ways to Trustworthy.

Vagrant Cascadian (@vagrant) gitlab at salsa.debian.org
Sun Nov 3 00:37:56 UTC 2024



Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-presentations


Commits:
cf3d118a by Vagrant Cascadian at 2024-11-02T16:49:26-07:00
Add skeleton for SeaGL 2024, Two Ways to Trustworthy.

- - - - -
17963094 by Vagrant Cascadian at 2024-11-02T16:49:26-07:00
seagl two-ways-to-trustworthy: example commands and whatnot.

- - - - -
43187619 by Vagrant Cascadian at 2024-11-02T17:02:10-07:00
two-ways: when vagrant started getting involved with guix.

- - - - -
3b664c59 by Vagrant Cascadian at 2024-11-02T17:03:46-07:00
two-ways: broad strokes trustworthy vs trust

- - - - -
80b48dc3 by Vagrant Cascadian at 2024-11-02T17:20:47-07:00
two ways: binaries, source and vcs, oh my!

- - - - -
9425e523 by Vagrant Cascadian at 2024-11-02T17:35:01-07:00
two ways: founding of debian and guix.

- - - - -


11 changed files:

- + 2024-11-08-SeaGL-Two-Ways-to-Trustworthy/Makefile
- + 2024-11-08-SeaGL-Two-Ways-to-Trustworthy/Two-Ways-to-Trustworthy.org
- + 2024-11-08-SeaGL-Two-Ways-to-Trustworthy/debian/changelog
- + 2024-11-08-SeaGL-Two-Ways-to-Trustworthy/debian/control
- + 2024-11-08-SeaGL-Two-Ways-to-Trustworthy/debian/copyright
- + 2024-11-08-SeaGL-Two-Ways-to-Trustworthy/debian/rules
- + 2024-11-08-SeaGL-Two-Ways-to-Trustworthy/debian/source/format
- + 2024-11-08-SeaGL-Two-Ways-to-Trustworthy/debian/two-ways-to-trustworthy.install
- + 2024-11-08-SeaGL-Two-Ways-to-Trustworthy/images/reproducible-builds.png
- + 2024-11-08-SeaGL-Two-Ways-to-Trustworthy/images/vagrantupsidedown.png
- − proposed/2024-11-xx-SeaGL-Two-Ways-to-Trustworthy/two-ways-to-trustworthy-abstract.txt


Changes:

=====================================
2024-11-08-SeaGL-Two-Ways-to-Trustworthy/Makefile
=====================================
@@ -0,0 +1,16 @@
+# thanks to dima for walking me through this!
+#
+# needs: apt install emacs texlive-latex-extra texlive-plain-generic
+
+export FORCE_SOURCE_DATE = 1
+export SOURCE_DATE_EPOCH := $(shell date --utc --date '2024-11-08 11:30:00 -0700' +%s)
+
+all: $(patsubst %.org,%.pdf,$(wildcard *.org))
+
+%.pdf: %.org
+	emacs -Q --batch --eval '(progn (random "0") (find-file "$<") (org-beamer-export-to-pdf))'
+
+clean:
+	rm -f *.pdf *.tex *.png
+
+.PHONY:clean
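Review bot: `.PHONY:clean` on the last line leaves `all` undeclared, so a stray file named `all` in the directory would stop the default target from building anything; suggest `.PHONY: all clean`. The two reproducibility settings, `export FORCE_SOURCE_DATE = 1` and the `(random "0")` call inside the emacs `--eval`, carry no comment saying which source of nondeterminism each one pins, and a one-line comment per setting would help anyone auditing or reusing this Makefile. `date --utc --date '...'` is GNU date syntax; that matches the `apt install` note at the top but is worth stating as a requirement next to it.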


=====================================
2024-11-08-SeaGL-Two-Ways-to-Trustworthy/Two-Ways-to-Trustworthy.org
=====================================
@@ -0,0 +1,200 @@
+#+TITLE: Two Ways to Trustworthy
+#+AUTHOR: Vagrant Cascadian <vagrant at reproducible-builds.org>
+#+EMAIL: vagrant at reproducible-builds.org
+#+DATE: SeaGL 2024-11-08
+#+LANGUAGE:  en
+#+OPTIONS:   H:1 num:t toc:nil \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t
+#+OPTIONS:   TeX:t LaTeX:t skip:nil d:nil todo:t pri:nil tags:not-in-toc
+#+OPTIONS: ^:nil
+#+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js
+#+EXPORT_SELECT_TAGS: export
+#+EXPORT_EXCLUDE_TAGS: noexport
+#+startup: beamer
+#+LaTeX_CLASS: beamer
+#+LaTeX_CLASS_OPTIONS: [bigger]
+#+latex_header: \mode<beamer>{\usetheme{Madrid}}
+#+LaTeX_CLASS_OPTIONS: [aspectratio=169]
+#+BEGIN_comment
+https://pretalx.seagl.org/2024/talk/W73ACM/
+2024-11-08, 11:30–12:20 (US/Pacific), 332
+
+Two Ways to Trustworthy
+
+A comparison of two Free Software distributions that strive to be
+trustworthy, Debian and GNU Guix.
+
+This talk delves into how each project approaches fundamental security
+features through Reproducible Builds, Bootstrappable Builds, code
+auditability, etc. to improve trustworthiness, allowing independent
+verification; trustworthy projects require little to no trust.
+
+Exploring the challenges that each project faces due to very different
+technical architectures, but also contextually relevent differences in
+social structure, adoption patterns, and organizational history should
+provide a good backdrop to understand how different approaches to
+security might evolve, with real-world merits and downsides.
+#+END_comment
+
+* Who am I
+
+** image
+	:PROPERTIES:
+	:BEAMER_col: 0.4
+	:END:
+
+[[./images/vagrantupsidedown.png]]
+
+
+** text
+	:PROPERTIES:
+	:BEAMER_col: 0.4
+	:END:
+
+  |                     | Vagrant |
+  |---------------------+---------|
+  | debian user         |    2001 |
+  | debian developer    |    2010 |
+  | reproducible builds |    2015 |
+  | guix user           |   2016? |
+  | guix contributor    |    2017 |
+  | guix committer      |    2019 |
+
+* Trustworthy vs. Trust
+
+Trustworthy projects require little Trust
+- auditable
+- verifiable
+- blind trust not required (caveats apply)
+
+* Reproducible Builds
+
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.7
+    :END:
+
+https://reproducible-builds.org/docs/definition/
+
+\vspace{\baselineskip}
+
+A build is reproducible if given the same source code, build
+environment and build instructions, any party can recreate bit-by-bit
+identical copies of all specified artifacts.
+
+** image
+    :PROPERTIES:
+    :BEAMER_col: 0.3
+    :END:
+
+[[./images/reproducible-builds.png]]
+
+* In practice
+
+- record the build environment
+- recreate the build environment
+
+* Binaries at Large
+
+Debian is fundamentally a binary distribution
+- relies on ABI for when to rebuild packages
+- a given package is built with a specific version
+- other packages might use an ABI compatible version
+- rebuilding all of debian today would result in many different pacakges
+
+* The Source With Optimizations
+
+Guix is a fundamentally a source distribution
+- packages optionally pull from substitute server as needed, falling
+  back to building from source
+- packages get rebuilt whenever their dependencies change
+- the current commit builds exactly one set of current packages
+
+* Variably Crude, Sisyphus
+
+Debian
+
+- predates modern version control
+- one repository per package (at best)
+- in a variety of packaging formats (source included, debian/ dir only, etc.)
+- not all on debian infrastructure
+- not all packages use version control
+- the source archive itself is a crude sort of version control
+
+Guix
+
+- git was dominant VCS from the beginning
+- all of guix in a single shared git repository
+- git only contains references to other archives of software
+
+* A score, half a score, and one year ago
+
+Debian 1993
+
+* Half a score and a couple years ago
+
+Guix 2012
+
+* A Human Generation apart
+
+Nineteen years between the start of Debian and Guix
+
+* The challenge of Guix
+
+guix challenge --verbose PACKAGE
+
+* The challenge of Guix
+
+guix challenge --verbose --diff=diffoscope PACKAGE
+
+* Checking in with guix
+
+guix build --check PACKAGE
+
+* Check again
+
+guix build --check --no-grafts --keep-failed PACKAGE
+
+diffoscope /gnu/store/...PACKAGE/ /gnu/store/...PACKAGE-check/
+
+* So many ways in Debian
+
+dpkg-buildpackage, debuild, sbuild, pbuilder, etc.
+
+* rebuilding debian
+
+debrebuild
+
+* Bootstrapping
+
+Guix is bootstrapped from 357 byte hex binary (and 25MB of static binaries)
+
+https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/
+
+The historic versions and their hashes are recorded in guix from very
+early on.
+
+A simple Debian chroot is 522MB of binaries. The original sources used
+to build the binaries has been lost to time.
+
+* Thanks
+
+Help make it happen!
+
+https://reproducible-builds.org/contribute/
+
+https://reproducible-builds.org/donate/
+
+https://reproducible-builds.org/who/sponsors
+
+* Copyright and attributions
+\addtocounter{framenumber}{-1}
+\tiny
+
+  Copyright 2019-2024 Vagrant Cascadian <vagrant at reproducible-builds.org>
+  Portions by contributors to the reproducible-builds.org website.
+
+  This work is licensed under the Creative Commons
+  Attribution-ShareAlike 4.0 International License.
+
+  To view a copy of this license, visit
+  https://creativecommons.org/licenses/by-sa/4.0/
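Review bot: Several typos in slide text will reach the rendered PDF: `pacakges` in the last bullet of "Binaries at Large", `Guix is a fundamentally a source distribution` under "The Source With Optimizations", and `The original sources ... has been lost to time` under "Bootstrapping" (should be `have`); `relevent` in the `#+BEGIN_comment` block is carried over from the abstract. In the header, `#+LaTeX_CLASS_OPTIONS:` appears twice (`[bigger]`, then `[aspectratio=169]`) and `#+OPTIONS` sets `^:t` on one line and `^:nil` two lines later; merging the class options into `[bigger,aspectratio=169]` and dropping the first `^:t` removes any doubt about which value the exporter keeps. The two consecutive frames both titled "The challenge of Guix" could get distinct titles, as "Checking in with guix" and "Check again" already do.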


=====================================
2024-11-08-SeaGL-Two-Ways-to-Trustworthy/debian/changelog
=====================================
@@ -0,0 +1,5 @@
+two-ways-to-trustworthy (2024.11.08+seagl) UNRELEASED; urgency=medium
+
+  * Presented at SeaGL 2024.
+
+ -- Vagrant Cascadian <vagrant at reproducible-builds.org>  Thu, 24 Oct 2024 13:01:51 -0700


=====================================
2024-11-08-SeaGL-Two-Ways-to-Trustworthy/debian/control
=====================================
@@ -0,0 +1,17 @@
+Source: two-ways-to-trustworthy
+Section: doc
+Priority: optional
+Maintainer: Vagrant Cascadian <vagrant at reproducible-builds.org>
+Build-Depends: debhelper-compat (=13),
+ emacs,
+ emacs-nox,
+ texlive-latex-extra,
+ texlive-plain-generic,
+Standards-Version: 4.7.0
+Rules-Requires-Root: no
+Homepage: https://pretalx.seagl.org/2024/talk/W73ACM/
+
+Package: two-ways-to-trustworthy
+Architecture: all
+Depends: ${misc:Depends}, ${shlibs:Depends},
+Description: Two Ways to Trustworthy
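Review bot: `Build-Depends` lists both `emacs` and `emacs-nox`, while the Makefile only runs `emacs -Q --batch`; one of the two should be enough, and for a talk about recording the build environment it is worth keeping this list to what the build actually uses. In the binary stanza, `${shlibs:Depends}` has nothing to expand to for an `Architecture: all` package whose only installed file is a PDF, so `Depends: ${misc:Depends}` is sufficient. `Description:` has a synopsis line but no extended description; a sentence or two taken from the talk abstract would fill it.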


=====================================
2024-11-08-SeaGL-Two-Ways-to-Trustworthy/debian/copyright
=====================================
@@ -0,0 +1,14 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: Two Ways to Trustworthy
+Source: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/tree/master/2024-11-08-SeaGL-Two-Ways-to-Trustworthy/
+
+Files: *
+Copyright: 2019-2024 Vagrant Cascadian <vagrant at reproducible-builds.org>
+License: cc-by-sa-4.0
+
+License: cc-by-sa-4.0
+  This work is licensed under the Creative Commons
+  Attribution-ShareAlike 4.0 International License.
+  .
+  To view a copy of this license, visit
+  https://creativecommons.org/licenses/by-sa/4.0/


=====================================
2024-11-08-SeaGL-Two-Ways-to-Trustworthy/debian/rules
=====================================
@@ -0,0 +1,4 @@
+#!/usr/bin/make -f
+
+%:
+	dh $@


=====================================
2024-11-08-SeaGL-Two-Ways-to-Trustworthy/debian/source/format
=====================================
@@ -0,0 +1 @@
+3.0 (native)


=====================================
2024-11-08-SeaGL-Two-Ways-to-Trustworthy/debian/two-ways-to-trustworthy.install
=====================================
@@ -0,0 +1 @@
+Two-Ways-to-Trustworthy.pdf /usr/share/doc/two-ways-to-trustworthy/


=====================================
2024-11-08-SeaGL-Two-Ways-to-Trustworthy/images/reproducible-builds.png
=====================================
Binary files /dev/null and b/2024-11-08-SeaGL-Two-Ways-to-Trustworthy/images/reproducible-builds.png differ


=====================================
2024-11-08-SeaGL-Two-Ways-to-Trustworthy/images/vagrantupsidedown.png
=====================================
Binary files /dev/null and b/2024-11-08-SeaGL-Two-Ways-to-Trustworthy/images/vagrantupsidedown.png differ


=====================================
proposed/2024-11-xx-SeaGL-Two-Ways-to-Trustworthy/two-ways-to-trustworthy-abstract.txt deleted
=====================================
@@ -1,15 +0,0 @@
-Two Ways to Trustworthy
-
-A comparison of two Free Software distributions that strive to be
-trustworthy, Debian and GNU Guix.
-
-This talk delves into how each project approaches fundamental security
-features through Reproducible Builds, Bootstrappable Builds, code
-auditability, etc. to improve trustworthiness, allowing independent
-verification; trustworthy projects require little to no trust.
-
-Exploring the challenges that each project faces due to very different
-technical architectures, but also contextually relevent differences in
-social structure, adoption patterns, and organizational history should
-provide a good backdrop to understand how different approaches to
-security might evolve, with real-world merits and downsides.



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/compare/c3ddfd808cdc18913b8f06eb8761729651d594b3...9425e523495ca66f1db0e6f98fdc055768f58aba
