[Git][reproducible-builds/reproducible-presentations][nevermind-the-checkboxes] 5 commits: nevermind the checkboxes: an OLD idea.

Vagrant Cascadian (@vagrant) gitlab at salsa.debian.org
Sun Aug 3 05:36:21 UTC 2025



Vagrant Cascadian pushed to branch nevermind-the-checkboxes at Reproducible Builds / reproducible-presentations


Commits:
38bd1873 by Vagrant Cascadian at 2025-08-02T10:02:02-07:00
nevermind the checkboxes: an OLD idea.

- - - - -
b674ee63 by Vagrant Cascadian at 2025-08-02T10:12:23-07:00
nevermind the checkboxes: debian/changelog: bump the timestamp.

- - - - -
494fa3bb by Vagrant Cascadian at 2025-08-02T10:32:43-07:00
nevermind the checkboxes: strain a bit less.

- - - - -
6db3a879 by Vagrant Cascadian at 2025-08-02T10:33:17-07:00
nevermind: why it matters.

- - - - -
c673206d by Vagrant Cascadian at 2025-08-02T10:33:47-07:00
nevermind whitespace fixes.

- - - - -


2 changed files:

- 2025-08-02-fossy-nevermind-the-checkboxes/Nevermind-the-Checkboxes-heres-Reproducible-Builds.org
- 2025-08-02-fossy-nevermind-the-checkboxes/debian/changelog


Changes:

=====================================
2025-08-02-fossy-nevermind-the-checkboxes/Nevermind-the-Checkboxes-heres-Reproducible-Builds.org
=====================================
@@ -83,7 +83,7 @@ Reproducible Builds and FOSS.
 
 We are a small part of the Reproducible Builds community, which now comprises
 over around 300 contributors and 40 separate software projects. Although the
-idea is an one, we were motivated to start our project after a series of global
+idea is an old one, we were motivated to start our project after a series of global
 surveillance disclosures in the mid-2010s.
 
 
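Review bot: The context line directly above the corrected one still reads "over around 300 contributors", which doubles the qualifier. Since this hunk is already fixing wording in the same sentence group, pick one of "over 300" or "around 300" here too. The "an one" to "an old one" correction itself reads fine.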
@@ -121,33 +121,25 @@ processes used to develop, build, and publish a software artifact.
 
 * Straining the Supply Chain Anology
 
+A software supply chain differs from a physical supply chain in
+several key ways, which lead to distinct challenges and strategies:
+
 ** text
 	:PROPERTIES:
 	:BEAMER_col: 0.4
 	:END:
 
-A software supply chain differs from a physical supply chain in several key ways:
-
 - Software is **intangible**, nearly infinitely and instantaneously duplicated
   and transmitted
 
-- Software can often be more **complex** to produce
-
-- Software is often distributed digitally, allowing instant global reach. Food
-  requires physical transportation and storage with spoilage and handling
-  concerns.
+- Software is distributed digitally, allowing instant global reach.
 
 - Different **regulatory environments**
 
 - Software has a different **lifecycle**; it can be technically be updated
-  indefinitely, whereas hardware/food often has a limited shelf life
+  indefinitely
 
-- Software relies on digital **infrastructure**, while physical goods require
-  manufacturing and logistical facilities.
-
-These fundamental differences lead to distinct challenges and strategies in
-each type of supply chain, limiting the ability to usefully compare one with
-the other.
+- Software relies on digital **infrastructure**
 
 
 ** text
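Review bot: The slide heading in the context still says "Anology" where "Analogy" is meant, and the lifecycle bullet keeps "it can be technically be updated" with a doubled "be" even though its second line is rewritten in this hunk. Both are worth fixing in the same pass. The new intro sentence now sits above the first "** text" column block instead of inside it, so check that it renders as full-width text above both columns and not as part of the left one.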
@@ -155,7 +147,12 @@ the other.
 	:BEAMER_col: 0.4
 	:END:
 
-Hardware gets moved around slowly, requires many steps to duplicate
+- Food and other physical objets require physical transportation
+
+- Hardware or food often has a limited shelf life
+
+- Physical goods require manufacturing and logistical facilities
+
 
 * Billy O' Material
 
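Review bot: "objets" in the first added bullet should be "objects". The added trailing blank line also leaves two blank lines before "* Billy O' Material", which is harmless but inconsistent with the whitespace cleanup done later in this push.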
@@ -320,19 +317,6 @@ A build is reproducible if, given the same source code, build
 environment and build instructions, any party can recreate bit-by-bit
 identical copies of all specified artifacts.
 
-The crucial reason we care about this, however, is that if multiple people
-can all build the same, bit-for-bit, identical copy of the software, then that
-is pretty strong evidence that none of those builds have been tampered with,
-and none of those people have been hacked.
-
-This, in turn, then allows other people to trust those builds and install that
-software on their machines, without building the software themselves.
-
-For example, if I can build exactly what the Debian build servers are building,
-that is evidence that they have not yet been hacked. Centralised build servers
-are, of course, very juicy targets for malicious actors.
-
-
 ** image
     :PROPERTIES:
     :BEAMER_col: 0.3
@@ -341,6 +325,26 @@ are, of course, very juicy targets for malicious actors.
 [[./images/reproducible-builds.png]]
 
 
+* Why Reproducible Builds Matters
+
+Why Reproducible Builds Matters
+
+#+ATTR_BEAMER: :overlay <+->
+- The crucial reason we care about bit-for-bit Reproducibility, is
+  that if multiple people can all build the same, bit-for-bit,
+  identical copy of the software, then that is pretty strong evidence
+  that none of those builds have been tampered with, and none of those
+  people have been hacked.
+
+- This, in turn, then allows other people to trust those builds and
+  install that software on their machines, without building the software themselves.
+
+- For example, if I can build exactly what the Debian build servers
+  are building, that is evidence that they have not yet been
+  hacked. Centralised build servers are, of course, very juicy targets
+  for malicious actors.
+
+
 * What is needed for Reproducible Builds
 
 A build is reproducible if given the same source code, build
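Review bot: The new slide repeats its title as a body line: "Why Reproducible Builds Matters" appears directly under the "* Why Reproducible Builds Matters" heading, so it would likely appear twice on the frame; drop the body line unless the repetition is intended. In the first bullet, "about bit-for-bit Reproducibility, is that" has a stray comma and a stray capital, and the last line of the second bullet ("install that software on their machines, without building the software themselves.") runs past the wrap width used by the lines around it.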
@@ -371,7 +375,7 @@ overlap!
 - Instructions on how to perform the build
 - Any party (e.g. any third party)
 
-	
+
 ** text
     :PROPERTIES:
     :BEAMER_col: 0.4
@@ -382,7 +386,6 @@ overlap!
 - Share
 - Study (Source)
 - Change (Source)
-	
 
 
 * Reproducible Builds


=====================================
2025-08-02-fossy-nevermind-the-checkboxes/debian/changelog
=====================================
@@ -2,4 +2,4 @@ nevermind-the-checkboxes (2025.08.02+fossy) UNRELEASED; urgency=medium
 
   * Presented at FOSSY 2025.
 
- -- Vagrant Cascadian <vagrant at debian.org>  Tue, 15 Jul 2025 13:29:03 -0700
+ -- Vagrant Cascadian <vagrant at debian.org>  Sat, 02 Aug 2025 10:12:01 -0700



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/compare/0658ff8daeb86111061b5d8de11f7032845db03e...c673206d425165fda989a2d0ede137dfa289287c
