[Git][reproducible-builds/reproducible-presentations][master] toulouse talk: shorten content
Holger Levsen (@holger)
gitlab at salsa.debian.org
Fri Nov 15 13:16:18 UTC 2024
Holger Levsen pushed to branch master at Reproducible Builds / reproducible-presentations
Commits:
21cc0d99 by Holger Levsen at 2024-11-15T14:16:08+01:00
toulouse talk: shorten content
Signed-off-by: Holger Levsen <holger at layer-acht.org>
- - - - -
2 changed files:
- 2024-11-16-R-B-rebuilding-what-is-distributed-from-ftp.debian.org/index.html
- 2024-11-16-R-B-rebuilding-what-is-distributed-from-ftp.debian.org/todo
Changes:
=====================================
2024-11-16-R-B-rebuilding-what-is-distributed-from-ftp.debian.org/index.html
=====================================
@@ -149,9 +149,9 @@
lunarⒶdebian.org / https://lunar.anargeek.net
</section>
- <section data-background-color="white">
+ <!-- section data-background-color="white">
<img src="images/fosdem2014-6.png" width="100%">
- </section>
+ </section -->
<section>
<br>
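Review bot: disabling a slide by turning its tags into `<!-- section …>` / `</section -->` keeps the `<img>` inside an HTML comment, which works, but the same trick is applied to many blocks further down in this commit and HTML comments do not nest: a commented-out region that already contains a comment (this file uses `<!--=====…-->` dividers) or a literal `--` ends at the first `-->`. Deleting the slide is safer since git history keeps it; if the reveal.js version in use supports it, `data-visibility="hidden"` on the `<section>` hides a slide without commenting it out.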
@@ -179,9 +179,9 @@ lunarⒶdebian.org / https://lunar.anargeek.net
<li>Holger Levsen / holger at debian.org, located in Hamburg, Germany. Born at 329 ppm. He/him. 🏳️🌈🏳️⚧️🖤😷</li>
<li>Debian user since 1995, contributing since 2001, Debian member since 2007. I ❤️ Debian.</li>
<li>Working on Reproducible Builds since 2014.
- Aiming to make all ❤️ Free Software reproducible.</span></li>
- <li>Ask me anything, anytime. This is a pretty complex topic.</span>
-
+ Aiming to make all ❤️ Free Software reproducible.</li>
+ <li>Ask me anything, anytime. This is a pretty complex topic.</li>
+ <!-- li class="fragment">I'll <i>try</i> to be professional, not sure if I manage or care if I don't.</li -->
</ol>
</section>
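Review bot: good fix, the two `</span>` closers dropped here had no matching `<span>` open, so the `<ol>` now closes cleanly; the single-line `<!-- li class="fragment"> … </li -->` comment is fine.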
@@ -189,10 +189,6 @@ lunarⒶdebian.org / https://lunar.anargeek.net
<!--========================================================= -->
- <section data-background-color="white">
- <img class="fragment" src="images/logo.png" width="584">
- </section>
-
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>people working on this - TTBOMK</h3>
@@ -284,6 +280,7 @@ lunarⒶdebian.org / https://lunar.anargeek.net
• Jelle van der Waa
• Jelmer Vernooij
• Jérémy Bobbio (lunar)
+ • Jochen Sprickerhof
• Johannes Schauer Marin Rodrigues
• John Neffenger
• John Scott
@@ -322,6 +319,7 @@ lunarⒶdebian.org / https://lunar.anargeek.net
• Nicolas Vigier
• Niels Thykier
• Niko Tyni
+ • Oejet
• Omar Navarro Leija
• opi
• Orhun Parmaksiz
@@ -467,6 +465,7 @@ lunarⒶdebian.org / https://lunar.anargeek.net
• Jelle van der Waa
• Jelmer Vernooij
• Jérémy Bobbio (lunar)
+ • Jochen Sprickerhof
• Johannes Schauer Marin Rodrigues
• John Neffenger
• John Scott
@@ -505,6 +504,7 @@ lunarⒶdebian.org / https://lunar.anargeek.net
• Nicolas Vigier
• Niels Thykier
• Niko Tyni
+ • Oejet
• Omar Navarro Leija
• opi
• Orhun Parmaksiz
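Review bot: this is the second copy of the contributor list in the file (the same `• Jochen Sprickerhof` and `• Oejet` additions appear in the hunks at `@@ -284` / `@@ -322` and again at `@@ -467` / `@@ -505`), so every name has to be added twice and the two lists will drift; keep one copy or derive the second from the first.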
@@ -558,6 +558,11 @@ lunarⒶdebian.org / https://lunar.anargeek.net
</p>
</section>
+ <!-- section data-background-color="white">
+ <img class="fragment" src="images/logo.png" width="584">
+ </section -->
+
+
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>About you</h3>
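Review bot: the two empty `+` lines after `</section -->` are trailing whitespace noise, and the commented-out logo slide is redundant since the same `<img class="fragment" src="images/logo.png" width="584">` section is re-added live later in this commit.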
@@ -569,16 +574,6 @@ lunarⒶdebian.org / https://lunar.anargeek.net
</ul>
</section>
- <section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <br>
- <h3>We need you!<br> Please support these efforts</h3>
- <ul>
- <li>Do you think reproducible builds should happen?<br> If so, please help. We need your help and support.</li>
- <span class="fragment"><li>The goals of this talk it to recap what we have done and to celebrate 11 years of awesomeness of <b>many</b> with the aim to get you informed, excited & involved.<br>Because a lot of work and support is still needed. We are still far from being done, despite all the progress and successes so far!</li>
- <li class="fragment">It's doable, we can do it together! 💪</li></span>
- </ul>
- </section>
-
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h1>Introduction</h1>
</section>
@@ -587,14 +582,73 @@ lunarⒶdebian.org / https://lunar.anargeek.net
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>The problem</h3>
<ul>
- <li class="fragment">Source code of free software available</li>
- <li class="fragment">…most people install pre-compiled binaries</li>
- <li class="fragment"><strong>No one really knows how they really correspond (even those building those binaries).</strong></li>
+ <li>Source code of free software available</li>
+ <li>…most people install pre-compiled binaries</li>
+ <li><strong>No one really knows how they really correspond (even those building those binaries).</strong></li>
<li class="fragment">As a result there are various classes of supply chain attacks.</li>
</ul>
</section>
+
+
+ <section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>
+ https://reproducible-builds.org/docs/definition/
+ </h3>
+ <ul>
+ <li style="font-size: 80%">When is a build reproducible?</li>
+ <span class="fragment"><li>A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.</li>
+ <li style="font-size: 80%">The relevant attributes of the build environment, the build instructions and the source code as well as the expected reproducible artifacts are defined by the authors or distributors. The artifacts of a build are the parts of the build results that are the desired primary output.<li>
+
+ </ul>
+ </section>
+
+ <section data-background-color="white">
+ <img class="fragment" src="images/fosdem2014-2.png" width="100%">
+ </section>
+
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>Our mission</h3>
+ <ul>
+ <li>Enable anyone to independently verify that a given source produces bit by bit identical results.</li>
+ <li class="fragment">Reproducible Builds are an important building block in making supply chains more secure. Nothing more, nothing less.</li>
+ <li class="fragment">(Un)secure software build reproducibly still remains (un)secure software. However, with reproducible builds you can be sure that you are running the software you want to be running, built from the sources you want to be using.</li>
+ </ul>
+ </section>
+
+
+ <section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>Our mission</h3>
+ <ul>
+ <li>Enable anyone to independently verify that a given source produces bit by bit identical results.</li>
+ <li class="fragment">most people will say: what does that even mean?
+ </ul>
+ <br/>
+ <br/>
+ <br/>
+ <span class="fragment">
+ <h3>Our new slogan in the making...</h3>
+ <ul>
+ <li>Enabling supply chain security.</li>
+ </ul></span>
+ </section>
+
+ <section data-background-color="white">
+ <img class="fragment" src="images/logo.png" width="584">
+ </section>
+
+ <!-- section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <br>
+ <h3>We need you!<br> Please support these efforts</h3>
+ <ul>
+ <li>Do you think reproducible builds should happen?<br> If so, please help. We need your help and support.</li>
+ <span class="fragment"><li>The goals of this talk it to recap what we have done and to celebrate 11 years of awesomeness of <b>many</b> with the aim to get you informed, excited & involved.<br>Because a lot of work and support is still needed. We are still far from being done, despite all the progress and successes so far!</li>
+ <li class="fragment">It's doable, we can do it together! 💪</li></span>
+ </ul>
+ </section -->
+
+
+ <!-- section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>some ancient history (>10 years ago)</h2>
<ul>
<li class="fragment">Thread on debian-devel at lists.debian.org from 2007. Deemed undoable by many.</li>
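Review bot: the moved definition slide (`<h3>https://reproducible-builds.org/docs/definition/</h3>`) keeps two markup defects: the second bullet ends with `<li>` instead of `</li>` (`…the desired primary output.<li>`), and the `<span class="fragment">` opened before `A build is reproducible…` is never closed before `</ul>`. The old version put `class="fragment"` on the `<li>` itself, which avoids the span-as-child-of-`<ul>` problem entirely. Further down, `<li class="fragment">most people will say: what does that even mean?` lacks its `</li>`, and the first bullet of the second "Our mission" slide repeats the previous slide's first bullet verbatim; if that is an intended callback, fine, otherwise it reads like a copy-paste. The "We need you" slide re-added here as a comment is also the one deleted in the `@@ -569` hunk, so the comment copy can go.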
@@ -636,36 +690,8 @@ lunarⒶdebian.org / https://lunar.anargeek.net
<h3>People just do reproducible builds as normal part of their work nowadays.<h3>
<p style="font-size: 500%">🤗</p>
- </section>
-
- <section data-background-color="white">
- <img class="fragment" src="images/logo.png" width="584">
- </section>
-
- <section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>
- https://reproducible-builds.org/docs/definition/
- </h3>
- <ul>
- <li style="font-size: 80%">When is a build reproducible?</li>
- <li class="fragment">A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.</li>
- <li class="fragment" style="font-size: 80%">The relevant attributes of the build environment, the build instructions and the source code as well as the expected reproducible artifacts are defined by the authors or distributors. The artifacts of a build are the parts of the build results that are the desired primary output.<li>
-
- </ul>
- </section>
-
- <section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>Our mission</h3>
- <ul>
- <li>Enable anyone to independently verify that a given source produces bit by bit identical results.</li>
- <li class="fragment">Reproducible Builds are an important building block in making supply chains more secure. Nothing more, nothing less.</li>
- <li class="fragment">(Un)secure software build reproducibly still remains (un)secure software. However, with reproducible builds you can be sure that you are running the software you want to be running, built from the sources you want to be using.</li>
- </ul>
- </section>
+ </section -->
- <section data-background-color="white">
- <img class="fragment" src="images/fosdem2014-2.png" width="100%">
- </section>
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h4>By 2024 Reproducible Builds has been widely understood:</h4>
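Review bot: the `</section -->` in this hunk closes the `<!-- section` opened at the end of the previous hunk, so everything from `some ancient history (>10 years ago)` through the 🤗 slide is now a single HTML comment; any `--` or nested comment in that range terminates it early, so check the rendered deck for a stray fragment of those slides. The pre-existing `<h3>People just do reproducible builds as normal part of their work nowadays.<h3>` (closing tag written as `<h3>`) is harmless while commented out but will bite if the slide is restored.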
@@ -690,15 +716,14 @@ lunarⒶdebian.org / https://lunar.anargeek.net
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>Why money?</h2>
- <li class="fragment">Bitcoin</li>
<li class="fragment">Bitcoin (the software) was made reproducible in 2011.</li>
</section>
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>Why Snowden</h2>
- <li class="fragment">Well...</li>
- <li class="fragment">Torbrowser was made reproducible in 2013 by Mike Perry.</li>
- <li class="fragment">That's Firefox. One of the biggest software projects in the world.</li>
+ <span class="fragment"><li>Well...after Snowden:</li>
+ <li>Torbrowser was made reproducible in 2013 by Mike Perry.</li>
+ <li>That's Firefox. One of the biggest software projects in the world.</li></span>
</section>
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
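Review bot: `<span class="fragment">` wrapping three `<li>` elements that sit directly in the `<section>` without a `<ul>`/`<ol>` (the `Why money?` slide above has the same pattern) is invalid HTML; browsers tolerate it, but `class="fragment"` on the `<li>`s, as before, or a real list around them is the cleaner form. Dropping the `Bitcoin` bullet leaves that slide with a single item, which may be intended.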
@@ -718,15 +743,15 @@ lunarⒶdebian.org / https://lunar.anargeek.net
<section data-background-color="white">
- <img class="fragment" src="images/fosdem2014-6.png" width="100%">
+ <img class="fragment" src="images/fosdem2014-1.png" width="100%">
</section>
+
<section data-background-color="white">
- <img class="fragment" src="images/fosdem2014-1.png" width="100%">
+ <img class="fragment" src="images/fosdem2014-6.png" width="100%">
</section>
-
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>2013 and 2014</h2>
<ul>
@@ -816,8 +841,8 @@ lunarⒶdebian.org / https://lunar.anargeek.net
<li>Who knows about SOURCE_DATE_EPOCH?</li>
<li class="fragment">Build time stamps are largly meaningless. SOURCE_DATE_EPOCH describes the time of the last modification of the source (in seconds since the Unix epoch).</li>
<li class="fragment">Supported by <b>a lot</b> of software today.</li>
- <li class="fragment">The specification is from 2015 and was updated in 2017.
- <li class="fragment">https://reproducible-builds.org/docs/source-date-epoch/</li>
+ <span class="fragment"><li>The specification is from 2015 and was updated in 2017.
+ <li>https://reproducible-builds.org/docs/source-date-epoch/</li></span>
</ul>
</section>
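Review bot: `<li>The specification is from 2015 and was updated in 2017.` still has no `</li>` (it was already missing before this change); since the line is being rewritten anyway, close it. The context line above also has a typo: `largly` should be `largely`.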
@@ -827,6 +852,8 @@ lunarⒶdebian.org / https://lunar.anargeek.net
<li class="fragment">Who knows about diffoscope?</li>
<li class="fragment">Who uses diffoscope?</li>
<li class="fragment">diffoscope tries to get to the bottom of what makes files or directories different. It will recursively unpack archives of many kinds and transform various binary formats into more human-readable form to compare them.</li>
+ <span class="fragment"><li>https://try.diffoscope.org</li>
+ <li>https://diffoscope.org</li></span>
</ul>
</section>
@@ -838,14 +865,12 @@ lunarⒶdebian.org / https://lunar.anargeek.net
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>diffoscope</h2>
<li style="font-size: 75%">JPEG images, JSON files, Linux kernel images, LLVM IR bitcode files, local (UNIX domain) sockets and named pipes (FIFOs), LZ4 compressed files, lzip compressed files, macOS binaries, Microsoft Windows icon files, Microsoft Word .docx files, Mono ‘Portable Executable’ files, Mozilla-optimized .ZIP archives, Multimedia metadata, OCaml interface files, Ogg Vorbis audio files, OpenOffice .odt files, OpenSSH public keys, OpenWRT package archives (.ipk), PDF documents, PE32 files, PGP signatures, PGP signed/encrypted messages, PNG images, PostScript documents, Public Key Cryptography Standards (PKCS) files (version #7), Python pyc files, RPM archives, Rust object files (.deflate), Sphinx inventory files, SQLite databases, SquashFS filesystems, symlinks, tape archives (.tar), tcpdump capture files (.pcap), text files, TrueType font files, U-Boot legacy image files, WebAssembly binary module, XML binary schemas (.xsb), XML files, XMLB files, XZ compressed files, ZIP archives and Zstandard compressed files.</li>
- <li class="fragment">Fallback on hexdump comparison, fuzzy-matching to handle renamings, and much more!</li>
+ <li>Fallback on hexdump comparison, fuzzy-matching to handle renamings, and much more!</li>
</section>
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>diffoscope example output</h2>
<li><a href="https-everywhere-5.0.6_vs_5.0.7.html">Example diffoscope output for https-everywhere 5.0.6 vs 5.0.7</a></li>
- <li class="fragment">https://try.diffoscope.org</li>
- <li class="fragment">https://diffoscope.org</li>
</section>
@@ -868,7 +893,7 @@ lunarⒶdebian.org / https://lunar.anargeek.net
</ul>
</section>
- <section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <!-- section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>Detour: additional benefits of reproducible builds</h2>
<ul>
<li class="fragment">Lower development costs and increased development speed through less developer time wasted on waiting for builds.</li>
@@ -876,7 +901,7 @@ lunarⒶdebian.org / https://lunar.anargeek.net
<li class="fragment">Licence compliance: you can only be sure a binary is Free Software if it can be (re-)build reproducibly from a given source.</li>
<li class="fragment">Reproducible verified SBOMs.</li>
</ul>
- </section>
+ </section -->
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>37400 bugs in 11 years ~= 9 per day</h3>
@@ -901,6 +926,7 @@ lunarⒶdebian.org / https://lunar.anargeek.net
<li>2022 Venice</li>
<li>2023 Hamburg</li>
<li>2024 Hamburg</li>
+ <li class="fragment">2025 location needed!</li>
</section>
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
@@ -977,7 +1003,7 @@ Warpforge.
</p>
</section>
- <section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <!-- section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>Detour: more unexpected benefits of reproducible builds</h2>
<ul>
<li class="fragment">https://bootstrappable.org began as breakout session at the Reproducible Builds Summit 2016 in Berlin.</li>
@@ -991,16 +1017,16 @@ Warpforge.
<li>https://bootstrappable.org began as breakout session at the Reproducible Builds Summit 2016 in Berlin.</li>
<li>Since October 2019, Guix bootstraps by using MesCC—the small C compiler that comes with Mes—to build TinyCC, which is used to build GCC 2.95.0, which then builds GCC 4.7.4. Version 4.7 is the last version of GCC to not require a C++ compiler.<small>(quoted from bootstrappable.org)</small></li>
</ul>
- </section>
+ </section -->
- <section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <!-- section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>Reproducible Builds Summit</h2>
<li class="fragment" style="font-size: 300%">2025</li>
<li class="fragment">Location and exact dates still undecided</li>
<li class="fragment">We want you!</li>
<li class="fragment">Sponsors wanted!</li>
- </section>
+ </section -->
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>Reproducible-builds.org funding</h3>
@@ -1205,7 +1231,7 @@ Warpforge.
<p class="fragment">huge thanks to Linux Nordberg and DSA!</p>
</section>
- <section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <!-- section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>the following two slides are outdated but everybody loves comic sans so I kept them</h2>
<p class="fragment">they also help to illustrate why/how we were stuck the last few years:</p>
</section>
@@ -1224,7 +1250,7 @@ Warpforge.
<li class="fragment">but snapshot was buggy: <strike>#1050815, #1031628, #1029744, #1034000</strike>, #1012559, #979115, <strike>#969603</strike>… </li>
<li class="fragment">And there we <b>had</b> been stuck for more than five years... (as the bugs above weren't fixed until last month.)</li>
</ul>
- </section>
+ </section -->
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2><code>snapshot.debian.org</code> got fixed!</h2>
@@ -1239,19 +1265,19 @@ Warpforge.
<ul><code>
<li class="fragment">wget https://buildinfos.debian.net/ftp-master.debian.org/buildinfo/2024/01/16/crun_1.13-1_amd64.buildinfo</li>
<li class="fragment">debrebuild --builder=sbuild libaacs_0.11.1-3_amd64-source.buildinfo</li></code>
- <li class="fragment">debootsnap and debrebuild need a working snapshot.debian.org thus this didn't really work until last month.</li>
+ <li class="fragment">debootsnap and debrebuild need a working snapshot.debian.org thus this didn't really work until DebConf24.</li>
<li class="fragment">Please try it out and report bugs the BTS.</li>
</ul>
</section>
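Review bot: the two example commands do not line up: the `wget` fetches `crun_1.13-1_amd64.buildinfo` while `debrebuild --builder=sbuild` is run on `libaacs_0.11.1-3_amd64-source.buildinfo`; use one package for both so the audience can follow the sequence. Also `Please try it out and report bugs the BTS.` is missing "to", and `<ul><code>` makes `<code>` a direct child of `<ul>`, which is invalid; put `<code>` inside each `<li>` instead.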
- <section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <!-- section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h4>and so <i>now finally</i> we can rebuild and compare with what we distribute on ftp.debian.org:</h4>
<img src="images/bookworm_full.amd64+all.png" width="60%">
<ul>
<li>needs re-setup...</li>
<li class="fragment">archlinux rebuilderd could also be used</li>
</ul>
- </section>
+ </section -->
<section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>more Debian Reproducible Builds successes</h3>
=====================================
2024-11-16-R-B-rebuilding-what-is-distributed-from-ftp.debian.org/todo
=====================================
@@ -1,13 +1,29 @@
-update title, date, event logo
slash most of the 11y talk
-slide: the diff between theory and praxis? 70% (or whatever then number then will be)
+slash more, make it a 30min talk, 5min intro, 10min old stuff, 10min news stuff, the end
+enabling supply chain security!
+early slide: the diff between theory and praxis? 70% (or whatever then number then will be)
+ nach history
+ vor rebuilder
+ [12:09] < Oejet> | h01ger: And 57% in recent days! jq 'map(select(.built_at >= "2024-11-14")) | group_by(.status) | map([.[0].status, length])' < $CACHE/list
+ [12:13] < Oejet> That command returned: [["BAD",810],["GOOD",1065]]
+ [12:17] < Oejet> 159 `^debsnap failed$` out of latest 1000 logs.
+[13:12] < jochensp> | h01ger: most (all?) of the 404 I saw where due to infrastructure and worked when retried
+
+drop ancient history?
+drop wireguard example, replace with somethin simpler?
+
+
introduce https://reproduce.d.n
explain rbuilderd archtecture and setup - it's easy
+ sudo make install
+ soon: sudo apt install
+ mention kp is funded by rb now too
update some numbers
ask people for $arch hardware to setup rebuilderd instances
mention riscv64 nodes
admins wanted
mention netbsd table?
+different "Summary, looking forward"
out of scope: ?
mention potential debian.tests.r-b.o, archlinux.t.r-b.o, though atm tests.r-b.o points to ci tests, thats confusing
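Review bot: two items added to this todo are already done by the index.html half of this commit: `enabling supply chain security!` (the new "Our new slogan in the making" slide) and `drop ancient history?` (that section is now commented out), so they can be removed or marked done. The pasted IRC lines back the "57%" figure for the theory-vs-practice slide: 1065 GOOD out of 810 BAD + 1065 GOOD is 56.8%, and the `jq` filter only counts entries with `built_at >= "2024-11-14"`, so the number is for that window, not the whole archive. Typos in added lines: `somethin`, `archtecture` (context), `then number then will be`.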
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/21cc0d9907f7644dba589787767317a0c28e5a0f