[Git][reproducible-builds/reproducible-presentations][master] nevermind-the-checkboxes: Presented at FOSSY 2025-08-02.

Vagrant Cascadian (@vagrant) gitlab at salsa.debian.org
Sun Aug 3 05:38:15 UTC 2025



Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-presentations


Commits:
a60e9286 by Vagrant Cascadian at 2025-08-02T22:36:59-07:00
nevermind-the-checkboxes: Presented at FOSSY 2025-08-02.

- - - - -


15 changed files:

- + 2025-08-02-fossy-nevermind-the-checkboxes/Makefile
- + 2025-08-02-fossy-nevermind-the-checkboxes/Nevermind-the-Checkboxes-heres-Reproducible-Builds.org
- + 2025-08-02-fossy-nevermind-the-checkboxes/debian/changelog
- + 2025-08-02-fossy-nevermind-the-checkboxes/debian/control
- + 2025-08-02-fossy-nevermind-the-checkboxes/debian/copyright
- + 2025-08-02-fossy-nevermind-the-checkboxes/debian/nevermind-the-checkboxes.install
- + 2025-08-02-fossy-nevermind-the-checkboxes/debian/rules
- + 2025-08-02-fossy-nevermind-the-checkboxes/debian/source/format
- + 2025-08-02-fossy-nevermind-the-checkboxes/images/960px-Supply_and_demand_network_english.svg.png
- + 2025-08-02-fossy-nevermind-the-checkboxes/images/Never_Mind_the_Checkboxes_Heres_Reproducible_Builds.png
- + 2025-08-02-fossy-nevermind-the-checkboxes/images/Never_Mind_the_Checkboxes_Heres_Reproducible_Builds.svg
- + 2025-08-02-fossy-nevermind-the-checkboxes/images/chris.png
- + 2025-08-02-fossy-nevermind-the-checkboxes/images/reproducible-builds.png
- + 2025-08-02-fossy-nevermind-the-checkboxes/images/vagrantupsidedown.png
- − proposed/2025-08-never-mind-the-checkboxes/abstract-and-bio


Changes:

=====================================
2025-08-02-fossy-nevermind-the-checkboxes/Makefile
=====================================
@@ -0,0 +1,17 @@
+# thanks to dima for walking me through this!
+#
+# Debian needs: apt install emacs texlive-latex-extra texlive-plain-generic
+# Guix needs: guix shell --pure --container coreutils-minimal emacs-no-x make texlive-collection-fontsrecommended texlive-collection-plaingeneric texlive-collection-latex texlive-collection-latexextra
+
+export FORCE_SOURCE_DATE = 1
+export SOURCE_DATE_EPOCH := $(shell date --utc --date '2025-08-02 10:45:00 -0800' +%s)
+
+all: $(patsubst %.org,%.pdf,$(wildcard *.org))
+
+%.pdf: %.org
+	emacs -Q --batch --eval '(progn (random "0") (find-file "$<") (org-beamer-export-to-pdf))'
+
+clean:
+	rm -f *.pdf *.tex *.png
+
+.PHONY:clean
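Review bot: the `SOURCE_DATE_EPOCH` line hard-codes the zone offset `-0800`, but the debian/changelog stamp in this same commit uses `-0700`, and the org header comment schedules the talk at 10:45 a.m. on 2 Aug; if the intended zone is US Pacific, August is daylight time (-0700), so this epoch lands one hour after the slot. The value is still fixed, so the PDF stays reproducible either way, but a literal integer (or `--date '2025-08-02 17:45:00 UTC'`) removes both the guessed offset and the dependence on GNU `date` parsing the string identically on every host. Minor: `.PHONY:clean` should also list `all`, otherwise a stray file named `all` short-circuits the default target. The `(random "0")` seed in the emacs invocation is what keeps the export deterministic; a one-line comment saying so would stop someone deleting it as dead code.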


=====================================
2025-08-02-fossy-nevermind-the-checkboxes/Nevermind-the-Checkboxes-heres-Reproducible-Builds.org
=====================================
@@ -0,0 +1,437 @@
+#+TITLE: Never Mind the Checkboxes, Here's Reproducible Builds!
+#+AUTHOR: Vagrant Cascadian & Chris Lamb
+#+EMAIL: vagrant at reproducible-builds.org
+#+DATE: FOSSY 2025-08-02
+#+LANGUAGE:  en
+#+OPTIONS:   H:1 num:t toc:nil \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t
+#+OPTIONS:   TeX:t LaTeX:t skip:nil d:nil todo:t pri:nil tags:not-in-toc
+#+OPTIONS: ^:nil
+#+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js
+#+EXPORT_SELECT_TAGS: export
+#+EXPORT_EXCLUDE_TAGS: noexport
+#+startup: beamer
+#+LaTeX_CLASS: beamer
+#+LaTeX_CLASS_OPTIONS: [bigger]
+#+latex_header: \mode<beamer>{\usetheme{Madrid}}
+#+LaTeX_CLASS_OPTIONS: [aspectratio=169]
+#+BEGIN_comment
+https://2025.fossy.us/schedule/presentation/327/
+338 | Sat 02 Aug 10:45 a.m.–11:30 a.m.
+
+Never Mind the Checkboxes, Here's Reproducible Builds!
+FOSSY2025
+
+There are numerous policy compliance and regulatory processes being
+developed that target software development... but do they solve actual
+problems? Does it improve the quality of software? Do Software Bill of
+Materials (SBOMs) actually give you the information necessary to
+verify how a given software artifact was built? What is the goal of
+all these compliance checklists anyways... or more importantly, what
+*should* the goals be? If a software object is signed, who should be
+trusted to sign it, and can they be trusted ... forever?
+
+Could you imagine a world with many bureaucratic compliance checks
+being replaced with verifiable processes performed by arbitrary third
+parties?
+
+Let me introduce you to Reproducible Builds, a set of best practices
+which allow you to verify that software artifacts were built from the
+source code, allowing auditing for license compliance, providing
+security benefits, and remove the need to trust arbitrary software
+vendors.
+#+END_comment
+
+#+BEGIN_comment
+The goal of this talk is...
+
+To describe how elements of the punk movement (autonomy and
+independence, DIY ethic, mutual aid and community) can be applied to
+various compliance regimes (CRA, ISO9000, White House Executive Order
+???) are in many ways thoroughly and practically addressed by the use
+Reproducible Builds and FOSS.
+#+END_comment
+
+* Cover Art
+
+** image
+	:PROPERTIES:
+	:BEAMER_col: 0.5
+	:END:
+
+[[./images/Never_Mind_the_Checkboxes_Heres_Reproducible_Builds.png]]
+
+
+* Who we are
+** image
+	:PROPERTIES:
+	:BEAMER_col: 0.3
+	:END:
+
+[[./images/vagrantupsidedown.png]]
+
+** image
+	:PROPERTIES:
+	:BEAMER_col: 0.3
+	:END:
+
+[[./images/chris.png]]
+
+** text
+	:PROPERTIES:
+	:BEAMER_col: 0.3
+	:END:
+
+We are a small part of the Reproducible Builds community, which now comprises
+over around 300 contributors and 40 separate software projects. Although the
+idea is an old one, we were motivated to start our project after a series of global
+surveillance disclosures in the mid-2010s.
+
+
+* What the punk
+
+A selection of Punk values
+
+#+ATTR_BEAMER: :overlay <+->
+- ...
+- Autonomy
+- Independence
+- Mutual Aid
+- Community
+- DIY
+- Blatant Disregard for Authority
+
+
+* Physical Supply chains
+
+** img
+    :PROPERTIES:
+    :BEAMER_col: 0.7
+    :END:
+
+[[./images/960px-Supply_and_demand_network_english.svg.png]]
+
+
+* Chained to your Supply
+
+https://en.wikipedia.org/wiki/Software_supply_chain
+
+A software supply chain is the components, libraries, tools, and
+processes used to develop, build, and publish a software artifact.
+
+
+* Straining the Supply Chain Anology
+
+A software supply chain differs from a physical supply chain in
+several key ways, which lead to distinct challenges and strategies:
+
+** text
+	:PROPERTIES:
+	:BEAMER_col: 0.4
+	:END:
+
+- Software is **intangible**, nearly infinitely and instantaneously duplicated
+  and transmitted
+
+- Software is distributed digitally, allowing instant global reach.
+
+- Different **regulatory environments**
+
+- Software has a different **lifecycle**; it can be technically be updated
+  indefinitely
+
+- Software relies on digital **infrastructure**
+
+
+** text
+	:PROPERTIES:
+	:BEAMER_col: 0.4
+	:END:
+
+- Food and other physical objets require physical transportation
+
+- Hardware or food often has a limited shelf life
+
+- Physical goods require manufacturing and logistical facilities
+
+
+* Billy O' Material
+
+https://en.wikipedia.org/wiki/Bill_of_materials
+
+A Bill of Materials (BOM) ... is a list of the raw materials,
+sub-assemblies, intermediate assemblies, sub-components, parts, and
+the quantities of each needed to manufacture an end product.
+
+
+* Software Bill Of im-Materials
+
+https://en.wikipedia.org/wiki/Software_supply_chain
+
+A Software Bill of Materials (SBOM) declares the inventory of
+components used to build a software artifact, including any open
+source and proprietary software components. It is the software
+analogue to the traditional manufacturing BOM, which is used as part
+of supply chain management.
+
+
+* ISO9000
+
+https://en.wikipedia.org/wiki/ISO_9000_family
+
+The goal of these standards is to help organizations ensure that they meet
+customer and other stakeholder needs within the statutory and regulatory
+requirements related to a product or service.
+
+#+ATTR_BEAMER: :overlay <+->
+- 1987
+- International
+- third-party certification
+
+
+* Cyber Resilience Act
+
+https://en.wikipedia.org/wiki/Cyber_Resilience_Act
+https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847
+
+#+ATTR_BEAMER: :overlay <+->
+- 2024
+- Europe
+- Voluntary self assessment
+- Open Source Stewards
+
+
+* Executively Ordered
+
+https://bidenwhitehouse.archives.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
+
+Whitehouse Executive Order 14028
+
+Improving the Nation's Cybersecurity
+
+#+ATTR_BEAMER: :overlay <+->
+- 2021
+- United States of America
+- SolarWinds and other big incidents
+- Not yet rescinded
+- SBOMs!
+- autogenerated SBOMs
+
+
+* OpenChain
+
+https://openchainproject.org/checklist-iso-dis-18974
+
+#+ATTR_BEAMER: :overlay <+->
+- ...
+- Voluntary self assessment
+- We have security policies
+- We have people
+- Who know about the policies
+- We document and review policies
+- We document and review implementation of policies
+- Security stuff ... (more later)
+- We keep track of our software
+- We archive our software
+- Document all of the above
+- Review all of the above
+
+
+* OpenChain: The Security Stuff
+
+https://openchainproject.org/checklist-iso-dis-18974
+
+Security Stuff
+
+#+ATTR_BEAMER: :overlay <+->
+- Identify threats
+- Vulnerability Detection
+- Vulnerability follow-up
+- Vulnerability communication
+- We test released software
+
+
+* Real problems
+
+While SBOMs, ISO9660 and other regulatory processes provide a framework
+standards to enhance security, they fall short of solving real-world security
+problems.
+
+#+ATTR_BEAMER: :overlay <+->
+- They primarily focus on documentation and standardization rather than
+  addressing dynamic and evolving threats
+- Static nature of standards (eg. ISO9660) cannot keep pace with the rapid
+  development of vulnerabilities
+- Implementing regulatory processes can be resource-intensive
+- Compliance with standards doesn't guarantee overall security resilience, as
+  these frameworks often fail to account for human factors
+
+* Quality
+
+Does it improve the quality of software?
+
+
+* SBOM
+
+Do Software Bill of Materials (SBOMs) actually give you the
+information necessary to verify how a given software artifact was
+built?
+
+While SBOMs provide valuable information about the components of software,
+reproducible builds offers a more robust guarantee by directly tying the binary
+back to the source code. They ensure the actual code can be audited and
+verified for consistency with the distributed binary, reducing potential
+vectors for compromise that occur between source code and final product
+
+They therefore provide stronger assurances of integrity and security.
+
+#+ATTR_BEAMER: :overlay <+->
+- ...
+- list of software dependencies
+- may be obfuscated!!!
+- may not even be publicly available
+
+
+* Goals
+
+What is the goal of all these compliance checklists anyways... or more
+importantly, what should the goals be?
+
+
+* Signatures
+
+If a software object is signed, who should be trusted to sign it, and
+can they be trusted ... forever?
+
+
+* Reproducible Builds Defined
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.7
+    :END:
+
+https://reproducible-builds.org/docs/definition/
+
+\vspace{\baselineskip}
+
+A build is reproducible if, given the same source code, build
+environment and build instructions, any party can recreate bit-by-bit
+identical copies of all specified artifacts.
+
+** image
+    :PROPERTIES:
+    :BEAMER_col: 0.3
+    :END:
+
+[[./images/reproducible-builds.png]]
+
+
+* Why Reproducible Builds Matters
+
+Why Reproducible Builds Matters
+
+#+ATTR_BEAMER: :overlay <+->
+- The crucial reason we care about bit-for-bit Reproducibility, is
+  that if multiple people can all build the same, bit-for-bit,
+  identical copy of the software, then that is pretty strong evidence
+  that none of those builds have been tampered with, and none of those
+  people have been hacked.
+
+- This, in turn, then allows other people to trust those builds and
+  install that software on their machines, without building the software themselves.
+
+- For example, if I can build exactly what the Debian build servers
+  are building, that is evidence that they have not yet been
+  hacked. Centralised build servers are, of course, very juicy targets
+  for malicious actors.
+
+
+* What is needed for Reproducible Builds
+
+A build is reproducible if given the same source code, build
+environment and build instructions, any party can recreate bit-by-bit
+identical copies of all specified artifacts.
+
+#+ATTR_BEAMER: :overlay <+->
+- ...
+- Source Code
+- Software used during build (build environment)
+- Instructions on how to perform the build
+- Any party (e.g. any third party)
+
+
+* Have I heard this before
+
+Requirements for Reproducible Builds and Free and Open Source Software
+overlap!
+
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.4
+    :END:
+
+#+ATTR_BEAMER: :overlay <+->
+- Source Code
+- Software used during build (build environment)
+- Instructions on how to perform the build
+- Any party (e.g. any third party)
+
+
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.4
+    :END:
+
+#+ATTR_BEAMER: :overlay <+->
+- Use
+- Share
+- Study (Source)
+- Change (Source)
+
+
+* Reproducible Builds
+
+Reproducible builds of Free and Open Source Software
+
+#+ATTR_BEAMER: :overlay <+->
+- ...
+- Autonomy and Independence
+- Mutual Aid
+- DIY
+- Community
+- Healthy Skepticism of Authority
+
+
+* Thanks
+
+Help make it happen!
+
+https://reproducible-builds.org/contribute/
+
+https://reproducible-builds.org/donate/
+
+https://reproducible-builds.org/who/sponsors
+
+
+* Copyright and attributions
+\addtocounter{framenumber}{-1}
+\tiny
+
+  Copyright 2016-2025 Vagrant Cascadian <vagrant at reproducible-builds.org>
+  Portions by contributors to the reproducible-builds.org website.
+
+  This work is licensed under the Creative Commons
+  Attribution-ShareAlike 4.0 International License.
+
+  To view a copy of this license, visit
+  https://creativecommons.org/licenses/by-sa/4.0/
+
+  Cover art derived from
+  https://en.wikipedia.org/wiki/File:Never_Mind_the_Bollocks,_Here%27s_the_Sex_Pistols.png
+  and modified by Vagrant Cascadian.
+
+  960px-Supply_and_demand_network_english.svg.png Downloaded from:
+
+  https://commons.wikimedia.org/wiki/File:Supply_and_demand_network_(en).svg
+
+  Copyright Andreas Wieland, licensed under GFDL without invariants or
+  various CC-BY-SA versions.
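Review bot: the "Real problems" slide names `ISO9660` twice (`While SBOMs, ISO9660 and other regulatory processes` and `Static nature of standards (eg. ISO9660)`), but ISO 9660 is the CD-ROM filesystem standard; the quality-management family discussed earlier in the deck is ISO 9000, as that slide's title and Wikipedia link say. Spelling elsewhere: `Anology` in `* Straining the Supply Chain Anology` should be `Analogy`, `physical objets` should be `objects`, and `over around 300 contributors` on the "Who we are" slide needs one qualifier, not two. The "Software Bill Of im-Materials" slide links the Software_supply_chain article rather than the page the quoted SBOM definition comes from. Two `#+LaTeX_CLASS_OPTIONS` lines (`[bigger]` and `[aspectratio=169]`) are given; confirm the exporter applies both or merge them into a single `[bigger,aspectratio=169]`. The `#+INFOJS_OPT` path uses plain `http://` for orgmode.org; it is unused by the beamer export, so either drop it or switch to `https://`.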


=====================================
2025-08-02-fossy-nevermind-the-checkboxes/debian/changelog
=====================================
@@ -0,0 +1,5 @@
+nevermind-the-checkboxes (2025.08.02+fossy) UNRELEASED; urgency=medium
+
+  * Presented at FOSSY 2025.
+
+ -- Vagrant Cascadian <vagrant at debian.org>  Sat, 02 Aug 2025 10:12:01 -0700


=====================================
2025-08-02-fossy-nevermind-the-checkboxes/debian/control
=====================================
@@ -0,0 +1,18 @@
+Source: nevermind-the-checkboxes
+Section: doc
+Priority: optional
+Maintainer: Vagrant Cascadian <vagrant at reproducible-builds.org>
+Build-Depends: debhelper-compat (=13),
+ emacs,
+ emacs-nox,
+ texlive-latex-extra,
+ texlive-plain-generic,
+Standards-Version: 4.7.0
+Rules-Requires-Root: no
+Homepage: https://pretalx.com/pycascades-2025/talk/DUZVPC/
+
+Package: nevermind-the-checkboxes
+Architecture: all
+Depends: ${misc:Depends}, ${shlibs:Depends},
+Description: Never Mind the Checkboxes
+ Here's Reproducible Builds
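Review bot: `Homepage:` points at `https://pretalx.com/pycascades-2025/talk/DUZVPC/`, a different conference's talk page, while the org file in this commit records the FOSSY schedule entry `https://2025.fossy.us/schedule/presentation/327/`; this looks carried over from an earlier deck's packaging. Build-Depends lists both `emacs` and `emacs-nox`; a batch `org-beamer-export-to-pdf` run needs only one, and the Makefile comment names just `emacs`. `${shlibs:Depends}` on an `Architecture: all` package that ships a single PDF is a no-op and can be dropped.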


=====================================
2025-08-02-fossy-nevermind-the-checkboxes/debian/copyright
=====================================
@@ -0,0 +1,14 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: Never Mind the Checkboxes
+Source: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/tree/master/2025-08-02-fossy-nevermind-the-checkboxes
+
+Files: *
+Copyright: 2019-2025 Vagrant Cascadian <vagrant at reproducible-builds.org>
+License: cc-by-sa-4.0
+
+License: cc-by-sa-4.0
+  This work is licensed under the Creative Commons
+  Attribution-ShareAlike 4.0 International License.
+  .
+  To view a copy of this license, visit
+  https://creativecommons.org/licenses/by-sa/4.0/
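Review bot: the `Copyright:` range `2019-2025` disagrees with the attribution slide in the org file, which states `Copyright 2016-2025 Vagrant Cascadian`; that slide also credits `Portions by contributors to the reproducible-builds.org website`, cover art derived from a Wikipedia file, and the supply-chain network image by Andreas Wieland under GFDL / CC-BY-SA. A single `Files: *` stanza under one author does not capture those; add `Files:` stanzas for the images in `images/` with their actual authors and licenses so debian/copyright matches what the slides declare.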


=====================================
2025-08-02-fossy-nevermind-the-checkboxes/debian/nevermind-the-checkboxes.install
=====================================
@@ -0,0 +1 @@
+Nevermind-the-Checkboxes-heres-Reproducible-Builds.pdf /usr/share/doc/nevermind-the-checkboxes


=====================================
2025-08-02-fossy-nevermind-the-checkboxes/debian/rules
=====================================
@@ -0,0 +1,4 @@
+#!/usr/bin/make -f
+
+%:
+	dh $@


=====================================
2025-08-02-fossy-nevermind-the-checkboxes/debian/source/format
=====================================
@@ -0,0 +1 @@
+3.0 (native)


=====================================
2025-08-02-fossy-nevermind-the-checkboxes/images/960px-Supply_and_demand_network_english.svg.png
=====================================
Binary files /dev/null and b/2025-08-02-fossy-nevermind-the-checkboxes/images/960px-Supply_and_demand_network_english.svg.png differ


=====================================
2025-08-02-fossy-nevermind-the-checkboxes/images/Never_Mind_the_Checkboxes_Heres_Reproducible_Builds.png
=====================================
Binary files /dev/null and b/2025-08-02-fossy-nevermind-the-checkboxes/images/Never_Mind_the_Checkboxes_Heres_Reproducible_Builds.png differ


=====================================
2025-08-02-fossy-nevermind-the-checkboxes/images/Never_Mind_the_Checkboxes_Heres_Reproducible_Builds.svg
=====================================
The diff for this file was not included because it is too large.

=====================================
2025-08-02-fossy-nevermind-the-checkboxes/images/chris.png
=====================================
Binary files /dev/null and b/2025-08-02-fossy-nevermind-the-checkboxes/images/chris.png differ


=====================================
2025-08-02-fossy-nevermind-the-checkboxes/images/reproducible-builds.png
=====================================
Binary files /dev/null and b/2025-08-02-fossy-nevermind-the-checkboxes/images/reproducible-builds.png differ


=====================================
2025-08-02-fossy-nevermind-the-checkboxes/images/vagrantupsidedown.png
=====================================
Binary files /dev/null and b/2025-08-02-fossy-nevermind-the-checkboxes/images/vagrantupsidedown.png differ


=====================================
proposed/2025-08-never-mind-the-checkboxes/abstract-and-bio deleted
=====================================
@@ -1,36 +0,0 @@
-Never Mind the Checkboxes, Here's Reproducible Builds! (Vagrant Cascadian)
-FOSSY2025
-
-There are numerous policy compliance and regulatory processes being
-developed that target software development... but do they solve actual
-problems? Does it improve the quality of software? Do Software Bill of
-Materials (SBOMs) actually give you the information necessary to
-verify how a given software artifact was built? What is the goal of
-all these compliance checklists anyways... or more importantly, what
-*should* the goals be? If a software object is signed, who should be
-trusted to sign it, and can they be trusted ... forever?
-
-Could you imagine a world with many bureaucratic compliance checks
-being replaced with verifiable processes performed by arbitrary third
-parties?
-
-Let me introduce you to Reproducible Builds, a set of best practices
-which allow you to verify that software artifacts were built from the
-source code, allowing auditing for license compliance, providing
-security benefits, and remove the need to trust arbitrary software
-vendors.
-
-...
-
-Vagrant strives to make Reproducible Builds a best practices reality
-for everyone.  Vagrant discovered free software late last millenia and
-has been contributing to free software since the beginning of this
-millenia.  A long-time Debian Developer and contributor to Guix,
-tinkering with ARM and RISC-V systems.  At Portland's Free Geek,
-Vagrant dove into life as a free software developer, rebuilding
-electronic waste with FOSS, modifying or developing new software as
-needed.  That led to exciting work helping coordinate LTSP development
-shared between several different operating systems.  That sense of
-open collaboration has been a life-long habit.  Vagrant contrasts
-spending too much time on computers with bicycle commuting, aikido and
-a DIY solar hobby.



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/a60e92861382c156456ced2f475588c0e5fc5dd5
