[Git][reproducible-builds/reproducible-website][master] 2 commits: hamburg24: Fix indentation to allow intended parsing

Evangelos Ribeiro Tzaras (@devrtz) gitlab at salsa.debian.org
Fri Sep 27 16:36:15 UTC 2024



Evangelos Ribeiro Tzaras pushed to branch master at Reproducible Builds / reproducible-website


Commits:
4cf1e3d7 by Evangelos Ribeiro Tzaras at 2024-09-27T18:35:26+02:00
hamburg24: Fix indentation to allow intended parsing

Otherwise the markdown parser interprets it as a block of sorts
instead of the bullet points that were intended.

- - - - -
3cbc7c7f by Evangelos Ribeiro Tzaras at 2024-09-27T18:35:26+02:00
hamburg24: Import some of the pads into git (Day 1: Morning)

- - - - -


4 changed files:

- _events/hamburg2024/agenda.md
- + _events/hamburg2024/mapping-everything-to-discuss.md
- + _events/hamburg2024/mapping-missing-documentation.md
- + _events/hamburg2024/mapping-success-and-unsolved.md


Changes:

=====================================
_events/hamburg2024/agenda.md
=====================================
@@ -47,74 +47,74 @@ We'll start the program with short question-driven updates from a range of parti
 
 ### Round I
 
-    * Maven and Java ecosystem
+* Maven and Java ecosystem
 
-    * growing reproducible-central activity and contributions: https://github.com/jvm-repo-rebuild/reproducible-central/graphs/contributors
+* growing reproducible-central activity and contributions: https://github.com/jvm-repo-rebuild/reproducible-central/graphs/contributors
 
-    * output-file level GitHub badge, for example https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/io/quarkus/README.md
+* output-file level GitHub badge, for example https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/io/quarkus/README.md
 
-    * feedback: interest in other repositories than Maven Central: Android, Kotlin/Jetbrains
+* feedback: interest in other repositories than Maven Central: Android, Kotlin/Jetbrains
 
-    * whatsrc
+* whatsrc
 
-      - https://whatsrc.org
+  - https://whatsrc.org
 
-    * binsider
+* binsider
 
-      - https://binsider.dev/
-      - https://github.com/orhun/binsider
+  - https://binsider.dev/
+  - https://github.com/orhun/binsider
 
-    * reproducible nikita / prefix
+* reproducible nikita / prefix
 
-    FIXME: Add links here...
+FIXME: Add links here...
 
-    * Debian status
+* Debian status
 
-      - 97% reproducible in CI
-      - reproducible docker images
-      - reproducible live-images
-      - debian-policy: we are very close to enforce no regressions and no new packages which are unreproducible
-      - snapshot.debian.org got fixed (required for rebuilders)
-      - now: setting up rebuilders...
+  - 97% reproducible in CI
+  - reproducible docker images
+  - reproducible live-images
+  - debian-policy: we are very close to enforce no regressions and no new packages which are unreproducible
+  - snapshot.debian.org got fixed (required for rebuilders)
+  - now: setting up rebuilders...
 
 
 ### Round II
 
-    * OpenSUSE
+* OpenSUSE
 
-    FIXME: Add links / description here...
+FIXME: Add links / description here...
 
-    * Tor Browser
+* Tor Browser
 
-      - https://gitlab.torproject.org/tpo/applications/tor-browser-build/
-      - We build a lot of stuff, see the projects directory. We have to interact with a lot of different build systems (Firefox's, CMake+Ninja, Go, Cargo, autotools...).
-	  - We we have a series of bash scripts that are customized in real time with a tool Nicolas wrote (RBM: https://gitlab.torproject.org/tpo/applications/rbm/)
-	  - Firefox ESR 115 -> 128 migration
-	  - Linux + macOS: no reproducibility problems
-	  - Windows: problems with the Rust toolchain, due to the GCC/mingw toolchain we used to build Rust std. We migrated to the arch-pc-windows-gnullvm targets (https://doc.rust-lang.org/rustc/platform-support/pc-windows-gnullvm.html)
-	  - Android: strange regression on the Gradle open source license generator. The patch is easy, but we hope to fix it upstream
+  - https://gitlab.torproject.org/tpo/applications/tor-browser-build/
+  - We build a lot of stuff, see the projects directory. We have to interact with a lot of different build systems (Firefox's, CMake+Ninja, Go, Cargo, autotools...).
+  - We we have a series of bash scripts that are customized in real time with a tool Nicolas wrote (RBM: https://gitlab.torproject.org/tpo/applications/rbm/)
+  - Firefox ESR 115 -> 128 migration
+  - Linux + macOS: no reproducibility problems
+  - Windows: problems with the Rust toolchain, due to the GCC/mingw toolchain we used to build Rust std. We migrated to the arch-pc-windows-gnullvm targets (https://doc.rust-lang.org/rustc/platform-support/pc-windows-gnullvm.html)
+  - Android: strange regression on the Gradle open source license generator. The patch is easy, but we hope to fix it upstream
 
-    * OSS Rebuild
+* OSS Rebuild
 
-      - https://github.com/google/oss-build
+  - https://github.com/google/oss-build
 
-    * Aroma
+* Aroma
 
-      - AROMA stands for Automatic Reproduction of Maven Artifacts. We investigated how far we can go with simple heuristics to help Reproducible Central.
+  - AROMA stands for Automatic Reproduction of Maven Artifacts. We investigated how far we can go with simple heuristics to help Reproducible Central.
 
-      - https://dl.acm.org/doi/pdf/10.1145/3643764
+  - https://dl.acm.org/doi/pdf/10.1145/3643764
 
-    * System Transparency
+* System Transparency
 
-    FIXME
+FIXME
 
-    Add links / description here...
+Add links / description here...
 
-    * Reproducible development environments at work... Made easy
+* Reproducible development environments at work... Made easy
 
-    FIXME: 
+FIXME: 
 
-    Add links / description here...
+Add links / description here...
 
 
 ## 11.45 Break
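Review bot: In Round I, the three bullets after `* Maven and Java ecosystem` (reproducible-central activity, the output-file badge, and the feedback item) are now top-level `*` items, siblings of the entry they appear to elaborate; the whatsrc, binsider and Debian entries in this same hunk nest their details as `  - `, so these three would read better indented the same way. The de-indented `FIXME: Add links here...` and `Add links / description here...` lines also become standalone paragraphs that split the surrounding list. Two smaller things carried over from the old text: `We we have a series of bash scripts` has a doubled word, and the OSS Rebuild entry links to `https://github.com/google/oss-build`, whose path does not match the item name and is worth checking.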
@@ -127,20 +127,9 @@ Building on the mappings we did at the 2023 Reproducible Builds Summit, the grou
 
 Topics, issues and ideas that surface during this session will inform how we structure the rest of the agenda.
 
-    * Everything we need to talk about
-
-    https://pad.riseup.net/p/rbsummmit2024-d1m-mapping-everything-to-discuss
-
-
-    * Success Stories and Unsolved Problems
-
-    https://pad.riseup.net/p/rbsummmit2024-d1m-mapping-success-and-unsolved
-
-
-    * Missing maps/lists/documentation/visualizations
-
-    https://pad.riseup.net/p/rbsummmit2024-d1m-mapping-missing-documentation
-
+* [Everything we need to talk about]({{ "/events/hamburg2024/mapping-everything-to-discuss/" | relative_url }})
+* [Success Stories and Unsolved Problems]({{ "/events/hamburg/2024/mapping-success-and-unsolved.md" | relative_url }})
+* [Missing maps/lists/documentation/visualizations]({{ "/events/hamburg/2024/mapping-missing-documentation" | relative_url }})
 
 ## 12.30 Lunch in Cantina
 
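Review bot: The three new links do not share one path scheme: the first points at `/events/hamburg2024/...`, while the second and third point at `/events/hamburg/2024/...`, and the second also ends in `.md`. The files added by this push live in `_events/hamburg2024/`, so the last two look like they will not resolve; suggest `/events/hamburg2024/mapping-success-and-unsolved/` and `/events/hamburg2024/mapping-missing-documentation/` to match the first.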
@@ -148,25 +137,25 @@ Participants are encouraged to sit with those who they have not yet met or engag
 
 ## 14.00 Collaborative Working Sessions
 
-    * Getting started with reproducible investigations
+* Getting started with reproducible investigations
 
-    https://pad.riseup.net/p/rbsummmit2024-d1a-gettingstarted-keep
+https://pad.riseup.net/p/rbsummmit2024-d1a-gettingstarted-keep
 
-    * Making the business case for reproducible builds
+* Making the business case for reproducible builds
 
-    https://pad.riseup.net/p/rbsummmit2024-d1a-making-case-keep
+https://pad.riseup.net/p/rbsummmit2024-d1a-making-case-keep
 
-    * Rebuilder information exchange
+* Rebuilder information exchange
 
-    https://pad.riseup.net/p/rbsummmit2024-d1a-rebuilder-exchange-keep
+https://pad.riseup.net/p/rbsummmit2024-d1a-rebuilder-exchange-keep
 
-    * Debian supply chain
+* Debian supply chain
 
-    https://pad.riseup.net/p/rbsummmit2024-d1a-debian-supply-chain-keep
+https://pad.riseup.net/p/rbsummmit2024-d1a-debian-supply-chain-keep
 
-    * RB problem prioritization
+* RB problem prioritization
 
-    https://pad.riseup.net/p/rbsummmit2024-d1a-problem-prioritization-keep
+https://pad.riseup.net/p/rbsummmit2024-d1a-problem-prioritization-keep
 
 
 ## 15.45 Closing Circle
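Review bot: With the indentation removed, each pad URL under 14.00 is an unindented line between two `*` items, so it renders as a separate paragraph and breaks the list into five single-item lists. Indenting each URL under its bullet, or making the bullet text the link as done for the mapping session entries earlier in this file, would keep this as one list.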
@@ -193,25 +182,25 @@ The day will start with a summary of Day 1 outcomes and a Day 2 Agenda Overview.
 
 ## 9.45 Collaborative Working Sessionsd
 
-    * Rebuilders II
+* Rebuilders II
 
-    https://pad.riseup.net/p/rbsummmit2024-d2m-rebuilders-keep
+https://pad.riseup.net/p/rbsummmit2024-d2m-rebuilders-keep
 
-    * Kernel reproducibility
+* Kernel reproducibility
 
-    https://pad.riseup.net/p/rbsummmit2024-d2m-kernel-keep
+https://pad.riseup.net/p/rbsummmit2024-d2m-kernel-keep
 
-    * Getting started with reproducible investigations II
+* Getting started with reproducible investigations II
 
-    https://pad.riseup.net/p/rbsummmit2024-d2m-gettingstarted-keep
+https://pad.riseup.net/p/rbsummmit2024-d2m-gettingstarted-keep
 
-    * Making the business case for reproducible builds II
+* Making the business case for reproducible builds II
 
-    https://pad.riseup.net/p/rbsummmit2024-d2m-making-case-keep
+https://pad.riseup.net/p/rbsummmit2024-d2m-making-case-keep
 
-    * TOPIC
+* TOPIC
 
-    https://pad.riseup.net/p/rbsummmit2024-d2m-TOPIC-keep
+https://pad.riseup.net/p/rbsummmit2024-d2m-TOPIC-keep
 
 
 ## 11.15 Break
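Review bot: The context heading `## 9.45 Collaborative Working Sessionsd` has a stray trailing `d`; since this hunk rewrites the list directly under it, it could be fixed in the same commit. The `* TOPIC` entry and its `rbsummmit2024-d2m-TOPIC-keep` link are still template placeholders and will be published as they are.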
@@ -228,21 +217,21 @@ Participants are encouraged to sit with those who they have not yet met or engag
 
 ## 14.00 Collaborative Working Sessions
 
-    * Rebuilders III
+* Rebuilders III
 
-    https://pad.riseup.net/p/rbsummmit2024-d2m-rebuilders-keep
+https://pad.riseup.net/p/rbsummmit2024-d2m-rebuilders-keep
 
-    * Kernel reproducibility
+* Kernel reproducibility
 
-    https://pad.riseup.net/p/rbsummmit2024-d2m-kernel-keep
+https://pad.riseup.net/p/rbsummmit2024-d2m-kernel-keep
 
-    * Getting started with reproducible investigations III
+* Getting started with reproducible investigations III
 
-    https://pad.riseup.net/p/rbsummmit2024-d2m-gettingstarted-keep
+https://pad.riseup.net/p/rbsummmit2024-d2m-gettingstarted-keep
 
-    * Making the business case for reproducible builds III
+* Making the business case for reproducible builds III
 
-    https://pad.riseup.net/p/rbsummmit2024-d2m-making-case-keep
+https://pad.riseup.net/p/rbsummmit2024-d2m-making-case-keep
 
 
 ## 15.45 Closing Circle
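Review bot: The 14.00 list reuses the morning pad names: `Rebuilders III` links to `rbsummmit2024-d2m-rebuilders-keep`, the same URL as `Rebuilders II` in the 9.45 block, and the kernel, getting-started and making-case entries repeat their morning URLs as well. The Day 1 afternoon pads use a `d1a` prefix, so if separate afternoon pads exist these probably want `d2a`; if the sessions deliberately share a pad, a short remark saying so would avoid confusion.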
@@ -271,25 +260,25 @@ The day will start with a summary of Day 2 outcomes and a Day 3 Agenda Overview.
 
 Working sessions continue.
 
-    * TOPIC
+* TOPIC
 
-    https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
+https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
 
-    * TOPIC
+* TOPIC
 
-    https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
+https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
 
-    * TOPIC
+* TOPIC
 
-    https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
+https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
 
-    * Getting Started with Reproducible Builds
+* Getting Started with Reproducible Builds
 
-    https://pad.riseup.net/p/rbsummmit2024-d3m-gettingstarted-keep
+https://pad.riseup.net/p/rbsummmit2024-d3m-gettingstarted-keep
 
-    * Making the business case for reproducible builds IV
+* Making the business case for reproducible builds IV
 
-    https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
+https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
 
 
 ## 11.15 Break
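Review bot: `Making the business case for reproducible builds IV` links to `rbsummmit2024-d3m-TOPIC-keep`, the same placeholder pad as the three `* TOPIC` entries above it, whereas the earlier making-case sessions link to a `...-making-case-keep` pad. This looks like an unfilled template URL; suggest pointing it at the making-case pad for this slot.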
@@ -298,25 +287,25 @@ Please note that all break times are approximate :)
 
 ## 11.30 Collaborative Working Sessions
 
-    * Teaching RB at universities
+* Teaching RB at universities
 
-    https://pad.riseup.net/p/rbsummmit2024-d3m-university-curriculum-keep
+https://pad.riseup.net/p/rbsummmit2024-d3m-university-curriculum-keep
 
-    * TOPIC
+* TOPIC
 
-    https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
+https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
 
-    * TOPIC
+* TOPIC
 
-    https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
+https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
 
-    * TOPIC
+* TOPIC
 
-    https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
+https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
 
-    * TOPIC
+* TOPIC
 
-    https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
+https://pad.riseup.net/p/rbsummmit2024-d3m-TOPIC-keep
 
 
 ## 13.00 Lunch in Cantina
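Review bot: Four of the five entries under 11.30 are `* TOPIC` placeholders that all link to the same `rbsummmit2024-d3m-TOPIC-keep` pad. Consider dropping them until the topics are set, or marking them with a `FIXME` as the Round I and Round II lists do, so the published agenda does not show identical dummy links.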


=====================================
_events/hamburg2024/mapping-everything-to-discuss.md
=====================================
@@ -0,0 +1,64 @@
+# Everything we need to talk about
+
+Reproducible Builds Summit 2024
+Everything we need to talk about
+
+Notes
+
+# (no label)
+
+ * Exgend R-B to quantum computers
+
+# (no label)
+
+ * The use of transparency logs
+
+## Tooling
+
+* Creating underhanded RB contest
+* Easy actionables to do in a team to facilitate R13Y
+* Make reproducible builds by default in build tools
+* Make repro builds default in compilers
+* Bridging CI/CD with package builds
+* Improve/add heuristics to reproduce Maven artifacts
+* Produce an easy way to check reproducibility of signed binaries
+* Automating reproducibility checks
+
+## Rebuilders
+
+* Consensus implementation for rebuilders
+* How to share rebuild results between rebuilders
+* Rebuild definition formats
+* Rebuilder network design
+* Interchange format for rebuild info
+* Do we worry about reproducible package version selection? (e.g., repro lockfile generation)
+* Trust model for human contributed rebuild definitions
+* Encouraging diversity of rebuilders
+
+## Languages
+
+* Python R-B issues
+* Rebuilding Python packages that are available on PyPI
+* Lisp+Scheme R-B issues
+* Rust R-B issues
+
+## Distros/OS
+
+* How to make Debian-based docker images reproducible?
+* macOS codesigning and reproducible builds
+* Immutable operating systems are the solution?
+* BOotstrapping reproducibility
+
+## Docs
+
+* What are the milestones for this year?
+* Mentor programs like GSoC/Outreachy?
+* How to contribute to the cause?
+* Carrot/sticks to get pkg maintainers to be reproducible
+* Trigger end user interest
+
+## Source code
+
+* Establishing canonical source repos
+* Source tarball reproducibility
+* How to avoid another "snapshot is broken" situation
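Review bot: The two `# (no label)` headings are top-level headings with placeholder text, while every real category below them uses `##`, so they will render as page-level titles reading "(no label)". Suggest moving those two items under one `##` section with a real name. Also: the title appears twice (`# Everything we need to talk about` and again on the line after `Reproducible Builds Summit 2024`), `Exgend` and `BOotstrapping` are typos, and the file starts directly with the heading with no front matter block, which is worth checking against what the site generator needs to render the page at the URL the agenda links to.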


=====================================
_events/hamburg2024/mapping-missing-documentation.md
=====================================
@@ -0,0 +1,28 @@
+# Missing maps/lists/documentation/visualization
+
+* what is blocking progress
+* open issues by programming language
+* A non-distro/all-distry list of unreproducible software
+* RB issues with doxygen: common problems&solutions
+* I want a list of all pypi pythron reproducible packages
+* CVEs but for reproducibility
+* List Security bugs in RB processes and tools (diffoscope, verifification scripts, etc)
+* list services and/or infrastructure we depend on
+* different types of attestations, pros and cons of each of them
+* homepage/doc: other classes of repo issues besides what is already documented?
+* to have some guidelines about how to be a reproducile build tools
+* review docs website for direct links to targeted actionable headings
+* cyber resiliance act requires SBOM, what are tbe best practices to implement them?
+* best practices to investigate and resolve reproducibility bugs
+* how to properly introduce reproducibility in a team? why would we do that?
+* doc explaining how to set up and run rebuilders
+* easy TODOs for student projects (3-6 month wokring 3-4h/week)
+* format to communicate rebuilder capabilities
+* "service [name] only has reproducible deps" green checkmarks
+* rewrite strip-nondeterminism in <not perl>
+* tools to help building reproducibly
+* divergence between differnt packaging reproducibility for same upstreams
+* what is the standard way to make go binaries reproducible
+* how to properly sign APKs to then run APKSIG copier
+* how can I gather gradle dependencies in the proper way
+* source packages to upstream repositories
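Review bot: In `* rewrite strip-nondeterminism in <not perl>`, the angle-bracketed text is likely to be treated as an HTML tag by the markdown renderer and vanish from the page; write it as `&lt;not perl&gt;` or put it in backticks. The list also carries several pad typos that are easy to fix on import: `all-distry`, `pythron`, `verifification`, `reproducile`, `resiliance`, `tbe`, `wokring`, `differnt`. The title says `visualization` while the agenda link text says `visualizations`.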


=====================================
_events/hamburg2024/mapping-success-and-unsolved.md
=====================================
@@ -0,0 +1,50 @@
+# Success stories
+
+* Bernhard's RB-OS ring 0 reproducible
+* Independent rebuild check is part of release workflow of Apache Airflow (data science)
+* R-B mentioned in SLSA 4
+* Doing the 8th R-B summit
+* Timestamp issues solved by SOURCE_DATE_EPOCH
+* A network of rebuilders exists
+* Independent Arch Linux Rebuilderd in an Applied University :)
+* Arch Linux has independent rebuilders for real-world binaries
+* Projects are happy to take patches to ensure reproducibility (in my experience)
+* Practice of R-B is known and accepted by many developers
+* [Meta] R-B website getting an update about success stories
+* Debian containers are reproducible
+* Conda-packages are reproducible using rattler-build
+* apt.vulns.xyz documents how to do reproducible 3rd party apt repos
+* repro-env tracks "traditional" Linux build environments
+* Using reproducible development env. is an amazing experience
+* apt-swarm implements an authority-less p2p transparency log
+* RB + SBOM permitted to find broken dependencies in releases
+* Finding bugs: libxslt issue 37 "puzzled why it took so long to discover this issue"
+
+
+# Unsolved problems
+
+* Establish canonical source repos
+* Agreeing on source code consensus
+* How to systematically detect toolchain reproducibility regressions
+* Reproducible day to day dev builds
+* Document format and protocols for rebuilder network(s) missing
+* How do we build a system of attesters for proving reproducibility?
+* Still not a good enough final user (regular, simple human) motivation and publicity
+* Motivate Maven devs to add timestamp to their pom files
+* How to make the world benefit from R-B
+* Filesystem/VM image reproducibility
+* Awareness in IT, crypto, and cybersecurity fields
+* Linux secure boot and reproducible builds are incompatible
+* Deriving build instructions
+* No contact with proprietary tool vendors (e.g., Apple)
+* How do we create fully reproducible infrastructure? Is Terraform enough?
+* Reproducibility requirements in cryptographic standards (e.g., NIST, BSI, ...)
+* Embedded signatures making build non-reproducible
+* Many open source devs I talked with don't know about reproducible builds (but they agree it's a good idea once you explain it to them)
+* I can't find a way to sell r13y to people that are not aware of it :-(
+* How a maintainer can declare/communicate intended non-reproducible parts of binaries
+* We need a serious marketing effort for R B adoption
+* People afraid of learning new tools/tech
+* Transparency logs, how to do them, how to use them
+* Haskell's GHC has non-deterministic output with concurrency enabled
+* Solve RB for iOS ecosystem (Apple modifies .ipa uploads)
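Review bot: The file has two top-level headings (`# Success stories`, `# Unsolved problems`) and no page title matching the agenda link text "Success Stories and Unsolved Problems"; suggest a single `#` title with the two sections at `##`, as mapping-everything-to-discuss.md does for its categories. The abbreviation is also spelled several ways in this list (`R-B`, `RB`, `R B`, `r13y`); picking one would make the page easier to search.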



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/da2bdcec67f230085a91184e0e28c7c0ed9da3b2...3cbc7c7f9e5b481496f00d817bbc9c0659486d7f
