[Git][reproducible-builds/reproducible-presentations][master] minidebconf hamburg 2025: shorten a lot
Holger Levsen (@holger)
gitlab at salsa.debian.org
Sat May 3 09:41:10 UTC 2025
Holger Levsen pushed to branch master at Reproducible Builds / reproducible-presentations
Commits:
9f1dd3c9 by Holger Levsen at 2025-05-03T11:41:03+02:00
minidebconf hamburg 2025: shorten a lot
Signed-off-by: Holger Levsen <holger at layer-acht.org>
- - - - -
1 changed file:
- 2025-05-03-reproduce.debian.net-rebuilding-what-is-distributed-from-ftp.debian.org/index.html
Changes:
=====================================
2025-05-03-reproduce.debian.net-rebuilding-what-is-distributed-from-ftp.debian.org/index.html
=====================================
@@ -166,33 +166,32 @@
<h3>About you</h3>
<ul>
<li class="fragment">Who knows about Reproducible Builds, why and how?</li>
- <li class="fragment">Who contribute(s|d) to Reproducible Builds?</li>
- <li class="fragment">Who knows that Reproducible Builds have been known for more than 10 years?<span class="fragment"> >30 years?</span></li>
- <li class="fragment">Who knows about SBOM? (Software Bill of Materials) ~= our .buildinfo files designed in 2014!</li>
</ul>
</section>
- <section data-background="images/minidebconfhh2025-logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>About us</h2>
- <ol>
- <li> <li>
- <li> <li>
- <li> <li>
- <li> <li>
- <li> <li>
- <li> <li>
- </ol>
- </section>
+ <section data-background="images/minidebconfhh2025-logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>The End</h3>
+ <h3>Thank you!</h3>
+ </section>
+
+
+ <section data-background="images/minidebconfhh2025-logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>About you</h3>
+ <ul>
+ <li>Who knows about Reproducible Builds, why and how?</li>
+ <li class="fragment">Who contribute(s|d) to Reproducible Builds?</li>
+ <span class="fragment"><li>Who knows that Reproducible Builds have been known for more than 10 years? >30 years?</li>
+ <li>Who knows about SBOM? (Software Bill of Materials) ~= our .buildinfo files designed in 2014!</li></span>
+ </ul>
+ </section>
<section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>About us</h2>
+ <h2>About me</h2>
<ol>
- <li class="fragment">kpcyrd. Security Researcher. 🦝 🏴 Reproducible Builds since 2017, Debian and Alpine Linux since 2018, Arch Linux since 2019. <span class="fragment">Creator of <i>whatsrc.org</i>.</span></li>
- <li class="fragment">Jelle van der Waa. Arch Linux since 2012, Arch Linux Developer.</li>
- <li class="fragment">Holger Levsen / h01ger. Debian user since 1995. Working on Reproducible Builds since 2014.</li>
- <li class="fragment">We're aiming to make all ❤️ Free Software reproducible.</li>
+ <li>Holger Levsen / h01ger. Debian user since 1995. Working on Reproducible Builds since 2014.</li>
+ <li class="fragment">Aiming to make all ❤️ Free Software reproducible.</li>
</ol>
</section>
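Review bot: In the added "About you" list, `<span class="fragment">` directly wraps two `<li>` elements inside the `<ul>`, which is not valid HTML because a `<ul>` may only have `<li>` children. Put `class="fragment"` on each `<li>` instead (with a shared `data-fragment-index` if this is reveal.js and the two items should appear in one step). Also check whether the duplication is intended: the original "About you" section at the top of the hunk is kept with a single item, so the deck now has two "About you" slides with "The End / Thank you!" between them.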
@@ -488,43 +487,11 @@ Alpine Linux, Apache Maven, Arch Linux, Baserock, Bitcoin Core, BitShares, Build
</section>
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>How did we get there?</h2>
- <li class="fragment">Money</li>
- <li class="fragment">Edward Snowden</li>
- </section>
-
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>Why money?</h2>
- <li class="fragment">Bitcoin (the software) was made reproducible in 2011.</li>
- </section>
-
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>Why Snowden</h2>
- <span class="fragment"><li>Well...after Snowden:</li>
- <li>Torbrowser was made reproducible in 2013 by Mike Perry.</li>
- <li>That's Firefox. One of the biggest software projects in the world.</li></span>
- </section>
-
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>How did we <i>really</i> get there?</h2>
- <li>Money / Bitcoin</li>
- <li>Edward Snowden / Torbrowser</li>
- <li class="fragment">...and a LOT of work by MANY people over MANY years.</li>
- </section>
-
<section data-transition="none">
<img src="images/groupphoto_rws5_marrakesh_2019_animated.gif" width="100%">
</section>
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>2013 and 2014</h2>
- <ul>
- <li>Lunar hosted a brainstorming meeting at DebConf13.</li>
- <li class="fragment">and another one at DebConf14</li>
- </ul>
- </section>
<section data-background-color="white">
<img src="images/fosdem2014-6.png" width="100%">
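Review bot: With both "How did we get there?" and the "2013 and 2014" slide removed, the group photo and `images/fosdem2014-6.png` now follow the previous section with no title or caption saying what they show. If the history part is kept only as pictures, consider a one-line heading on the first image slide, or an `alt`/caption on the `<img>` elements, so the slides still make sense in the published HTML without the speaker.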
@@ -534,39 +501,10 @@ Alpine Linux, Apache Maven, Arch Linux, Baserock, Bitcoin Core, BitShares, Build
<img src="images/fosdem2014-1.png" width="100%">
</section>
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>2013 and 2014</h2>
- <ul>
- <li>Lunar hosted a brainstorming meeting at DebConf13,</li>
- <li>and another one at DebConf14, and a talk at FOSDEM 14!</li>
- <li>Patches for <code>dpkg</code>: sorting fixes and .buildinfo files (SBOM!)</li>
- <li class="fragment">In September 2014 Holger started systematic builds of Debian packages, twice. First just 100 packages, then all of them.</li>
- <li class="fragment">Mike Perry and Seth Schoen gave a presentation at Chaos Communication Congress in December 2014 (31C3) explaining the problem space very well.</li>
- </ul>
- </section>
-
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <img src="images/ccc2014-1.png">
- </section>
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <img src="images/ccc2014-2.png">
- </section>
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <img src="images/ccc2014-3.png">
- </section>
<section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<img src="images/ccc2014-4.png">
</section>
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <img src="images/ccc2014-5.png">
- </section>
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <img src="images/ccc2014-6.png">
- </section>
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <img src="images/ccc2014-7.png">
- </section>
<section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<img src="images/ccc2014-8.png">
</section>
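Review bot: The removed "2013 and 2014" slide was the one attributing the 31C3 talk to Mike Perry and Seth Schoen, yet `images/ccc2014-4.png` and `images/ccc2014-8.png` stay in the deck, so the remaining screenshots are now shown without credit. Consider keeping a short attribution line on one of them. The commit lists only 1 changed file, so `ccc2014-1.png`, `-2`, `-3`, `-5`, `-6` and `-7` remain in the talk directory unreferenced; delete them in a follow-up if nothing else uses them.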
@@ -579,10 +517,6 @@ Alpine Linux, Apache Maven, Arch Linux, Baserock, Bitcoin Core, BitShares, Build
<section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<img src="images/ccc2014-11.png">
</section>
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <img src="images/ccc2014-12.png">
- </section>
-
<section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>2015</h2>
@@ -616,63 +550,6 @@ Alpine Linux, Apache Maven, Arch Linux, Baserock, Bitcoin Core, BitShares, Build
<li class="fragment">all the rest</li>
</section>
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>Resources about unreproducibilities:</h2>
- <ul>
- <span class="fragment"><li>Lunar's talk at CCCamp 2015</li>
- <li>https://reproducible-builds.org/docs/ & /resources</li> </span>
- <span class="fragment">
- <li>It's much easier to show common pitfalls making a package unreproducible than the opposite:<ul>
- <li style="font-size: 85%">https://github.com/bmwiedemann/theunreproduciblepackage</li></ul></li</ul></li>
- </span>
- <li class="fragment">430 known issue types in reproducible-notes.git<li>
- </ul>
- </section>
-
-
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>SOURCE_DATE_EPOCH</h2>
- <ul>
- <!-- li>Who knows about SOURCE_DATE_EPOCH?</li -->
- <li class="fragment">Build time stamps are largly meaningless. SOURCE_DATE_EPOCH describes the time of the last modification of the source (in seconds since the Unix epoch).</li>
- <span class="fragment"><li>The specification is from 2015 and was updated in 2017.
- <li>https://reproducible-builds.org/docs/source-date-epoch/</li></span>
- <li class="fragment">Supported by <b>a lot</b> of software today.</li>
- </ul>
- </section>
-
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>diffoscope</h2>
- <ul>
- <!-- li class="fragment">Who knows about diffoscope?</li -->
- <li class="fragment">Who uses or has used diffoscope?</li>
- <li class="fragment">diffoscope tries to get to the bottom of what makes files or directories different. It will recursively unpack archives of many kinds and transform various binary formats into more human-readable form to compare them.</li>
- <span class="fragment"><li>https://try.diffoscope.org</li>
- <li>https://diffoscope.org</li></span>
- </ul>
- </section>
-
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>diffoscope</h2>
- <li>Text and HTML ouput</li>
- <li style="font-size: 75%" class="fragment">File formats supported include: Android APK files, Android boot images, Android package resource table (ARSC), Apple Xcode mobile provisioning files, ar(1) archives, ASM Function, Berkeley DB database files, bzip2 archives, character/block devices, ColorSync colour profiles (.icc), Coreboot CBFS filesystem images, cpio archives, Dalvik .dex files, Debian .buildinfo files, Debian .changes files, Debian source packages (.dsc), Device Tree Compiler blob files, directories, ELF binaries, ext2/ext3/ext4/btrfs/fat filesystems, Flattened Image Tree blob files, FreeDesktop Fontconfig cache files, FreePascal files (.ppu), Gettext message catalogues, GHC Haskell .hi files, GIF image files, Git repositories, GNU R database files (.rdb), GNU R Rscript files (.rds), Gnumeric spreadsheets, GPG keybox databases, Gzipped files, Hierarchical Data Format database, HTML files (.html), ISO 9660 CD images, Java class files, Java .jmod modules, JavaScript files,</li>
- </section>
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>diffoscope</h2>
- <li style="font-size: 75%">JPEG images, JSON files, Linux kernel images, LLVM IR bitcode files, local (UNIX domain) sockets and named pipes (FIFOs), LZ4 compressed files, lzip compressed files, macOS binaries, Microsoft Windows icon files, Microsoft Word .docx files, Mono ‘Portable Executable’ files, Mozilla-optimized .ZIP archives, Multimedia metadata, OCaml interface files, Ogg Vorbis audio files, OpenOffice .odt files, OpenSSH public keys, OpenWRT package archives (.ipk), PDF documents, PE32 files, PGP signatures, PGP signed/encrypted messages, PNG images, PostScript documents, Public Key Cryptography Standards (PKCS) files (version #7), Python pyc files, RPM archives, Rust object files (.deflate), Sphinx inventory files, SQLite databases, SquashFS filesystems, symlinks, tape archives (.tar), tcpdump capture files (.pcap), text files, TrueType font files, U-Boot legacy image files, WebAssembly binary module, XML binary schemas (.xsb), XML files, XMLB files, XZ compressed files, ZIP archives and Zstandard compressed files.</li>
- <li>Fallback on hexdump comparison, fuzzy-matching to handle renamings, and much more!</li>
- </section>
-
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>diffoscope example output</h2>
- <li><a href="https-everywhere-5.0.6_vs_5.0.7.html">Example diffoscope output for https-everywhere 5.0.6 vs 5.0.7</a></li>
- </section>
-
-
- <section data-background-color="white">
- <img src="images/logo.png" width="584">
- <h3>https://reproducible-builds.org</h3>
- </section>
<section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>Reproducible Builds Summits</h2>
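Review bot: Dropping the resources, SOURCE_DATE_EPOCH and diffoscope slides also drops every link in this hunk (`https://reproducible-builds.org/docs/`, `https://reproducible-builds.org/docs/source-date-epoch/`, `https://diffoscope.org`), which are the pointers an audience member would follow up on after a shortened talk. Consider folding them into one compact links slide near the end. The `https-everywhere-5.0.6_vs_5.0.7.html` example is no longer linked from `index.html` either and can be removed from the talk directory if it was copied in only for this slide.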
@@ -817,31 +694,6 @@ Warpforge.
</pre>
</section>
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>about some distros...</h2>
- </section>
-
- <section data-background="images/archlinux.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>Arch Linux 2015-2025</h3>
- <ul>
- <li class="fragment">2015 - pacman records BUILDINFO</li>
- <li class="fragment">2017 - pacman S_D_E support & archlinux-repro</li>
- <li class="fragment">2019 - started archiving packages required for rebuilds</li>
- <li class="fragment">2020 - rebuilderd instance, [core] 86%</li>
- <li class="fragment">2024 - reproducible minimal container userland</li>
- <li class="fragment">2025 - 12% left to make reproducible (4 for minimal bootable install)</li>
- </ul>
- </section>
- <section data-background="images/archlinux.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>https://gitlab.archlinux.org/archlinux/rebuilderd-website</h3>
- <img src="images/Screenshot_2024-11-15_Arch_Linux_Reproducible_Status.png">
- </section>
-
- <section data-background="images/archlinux.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>https://dashboards.archlinux.org/d/PKkRg-FGz/rebuilderd</h3>
- <img src="images/Screenshot_2025_31_01_Arch_Linux_Reproducible_Dashboard.png">
- </section>
-
<section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>Short summary of Reproducible Debian</h3>
</section>
@@ -1033,93 +885,6 @@ Warpforge.
</section>
- <section data-background="images/nixos.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>NixOS</h3>
- <ul>
- <span class="fragment"><li>https://luj.fr/blog/is-nixos-truly-reproducible.html - blog post by Julien Malka, summarizing his research article https://hal.science/hal-04913007.</li>
- <li>The article explores the proportion of bitwise reproducible packages in the Nix package repository and its evolution between 2017 and 2023.</li></span>
- <li class="fragment"><em>"Our most important finding is that the reproducibility rate in nixpkgs has increased steadily from 69% in 2017 to about 91% in April 2023."</em></li>
- </ul>
- </section>
-
- <section data-background="images/nixos.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>NixOS</h3>
- <ul>
- <li>Talk yesterday in the <em>Nix and NixOS</em> track:<br> https://fosdem.org/2025/schedule/event/fosdem-2025-4430-how-reproducible-is-nixos-/
- </ul>
- <img src="images/nixos-reproducibility-overall-absolute.png" style="height: 400px;">
- </section>
-
- <section data-background="images/freebsd.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>FreeBSD</h3>
- <ul>
- <li>Talk at FOSDEM 2016 by Baptiste Daroussin: Reproducible builds in FreeBSD packages</li>
- <li class="fragment">FreeBSD base system continously tested on jenkins.debian.net since 2015. Just as NetBSD is :)</li>
- <li> </li>
- <li> </li>
- <li> </li>
- <li> </li>
- </ul>
- </section>
-
- <section data-background="images/freebsd.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>FreeBSD</h3>
- <ul>
- <li>Talk at FOSDEM 2016 by Baptiste Daroussin: Reproducible builds in FreeBSD packages</li>
- <li>FreeBSD base system continously tested on tests.reproducible-builds.org since 2015. Just as NetBSD is :)</li>
- <li class="fragment">In 2016 there was WIP for reproducing ports and achieved 80%. And then this efford got stalled...</li>
- <li class="fragment">until now: https://freebsdfoundation.org/blog/zero-trust-builds-for-freebsd/</li>
- </ul>
- </section>
-
-
- <section data-background="images/freebsd.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>FreeBSD</h3>
- <ul>
- <li>the zero-trust build project is scheduled from jan-aug 2025 and centers on the freebsd build process, and in particular, release building. the primary goal of this work is to enable the entire release process to run without requiring root access, and that build artifacts build reproducibly – that is, that a third party can build bit-for-bit identical artifacts.
- </li>
- <li class="fragment">[this] is one of five initiatives that together are aimed at advancing zero trust builds, software bill of materials (sbom), ci/cd automation, security controls in ports and packages, and technical debt reduction.</li>
- </ul>
- </section>
-
- <section data-background="images/netbsd.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>NetBSD</h3>
-
- <ul>Jan-Benedict Glaw wrote in November 2024:
- <li> On Linux, of 82 of all tested 94 port/arch combinations built successfully,
-with 78 building reproducible on two consecutive builds. [...]</li>
- <li> Building on NetBSD current, 83 (of 94) combinations build successfully, of
-those 68 were reproducible. [...]</li>
- <li class="fragment"><b> 44 (of 94) port/arch combinations are totally reproducible, creating bit-identical output on NetBSD and Linux. </b></li>
- </ul>
- </section>
-
-
- <section data-background="images/openSUSE.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>R-B-OS</h3>
- <ul>
- <li>Bernhard M. Wiedemann has been working on Reproducible Builds for OpenSUSE since 2016 as a QA/research project, producing arround 2000 patches, half of them sent upstream.</li>
- <li class="fragment">R-B-OS is a PoC built upon this work (and funded by NLNet) and is 100% reproducible! Some fixes are "not distro ready yet" though.</li>
- <li class="fragment" style="font-size: 90%">minimal VM image:<br>
- <span style="font-size: 77%">https://en.opensuse.org/openSUSE:Reproducible_openSUSE/Part1</span>
- </li>
- <li class="fragment" style="font-size: 90%">small DVD with some graphical UI:<br>
- <span style="font-size: 77%">https://en.opensuse.org/openSUSE:Reproducible_openSUSE/Part2</span>
- </li>
- </ul>
- </section>
-
- <section data-background="images/fedora.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>Fedora</h3>
- <ul>
- <li>Zbigniew Jędrzejewski-Szmek started to do rebuilds of Fedora in 2024.</li>
- <li class="fragment">https://in.waw.pl/~zbyszek/fedora/builds-f42-after-mass-rebuild.amd64.txt</li>
- <li class="fragment">AIUI: 5838 src rpms, of which 4799 / 82% built reproducible. (Not sure if CI or rebuilds.)</li>
- <li class="fragment">add-determinism https://github.com/keszybz/add-determinism</li>
- <li class="fragment">matrix channel: #reproducible-builds:fedora.im</li>
- </ul>
- </section>
-
<section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>Summary: theory vs practice</h3>
<ul>
@@ -1155,8 +920,6 @@ those 68 were reproducible. [...]</li>
<h4>
<small>Holger Levsen <holger at reproducible-builds.org><br>
- Jelle van der Waa <jelle at archlinux.org><br>
- kpcyrd, @kpcyrd at chaos.social, github.com/kpcyrd<br>
</small>
</h4>
</section>
@@ -1170,6 +933,7 @@ those 68 were reproducible. [...]</li>
<p>Any questions? 🤷</p>
<h4>
+ #debian-reproducible on irc.oftc.net<br>
#reproducible-builds on irc.oftc.net<br>
rb-general at lists.reproducible-builds.org
</small>
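Review bot: In this hunk the `<h4>` is followed directly by the channel lines and then a closing `</small>`, with no opening `<small>` visible after the `<h4>` (the contact slide in the previous hunk has `<h4>` then `<small>`). Since this block is being touched anyway, add the missing `<small>` or drop the stray `</small>` so the new `#debian-reproducible` line is rendered at the same size as the lines below it.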
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/9f1dd3c94999bb67ea1be7fd8ad7b3ef182420fe