[Git][reproducible-builds/reproducible-presentations][master] transparency.dev summit talk: WIP
Holger Levsen (@holger)
gitlab at salsa.debian.org
Mon Oct 20 22:23:32 UTC 2025
Holger Levsen pushed to branch master at Reproducible Builds / reproducible-presentations
Commits:
d299bbb6 by Holger Levsen at 2025-10-21T00:23:24+02:00
transparency.dev summit talk: WIP
Signed-off-by: Holger Levsen <holger at layer-acht.org>
- - - - -
4 changed files:
- + 2025-10-21-Reproducible-Builds-brief-summary-of-12-years-and-a-glimpse-into-the-future/images/tdev_summit_banner.png
- + 2025-10-21-Reproducible-Builds-brief-summary-of-12-years-and-a-glimpse-into-the-future/images/tdev_summit_logo.png
- 2025-10-21-Reproducible-Builds-brief-summary-of-12-years-and-a-glimpse-into-the-future/index.html
- 2025-10-21-Reproducible-Builds-brief-summary-of-12-years-and-a-glimpse-into-the-future/todo
Changes:
=====================================
2025-10-21-Reproducible-Builds-brief-summary-of-12-years-and-a-glimpse-into-the-future/images/tdev_summit_banner.png
=====================================
Binary files /dev/null and b/2025-10-21-Reproducible-Builds-brief-summary-of-12-years-and-a-glimpse-into-the-future/images/tdev_summit_banner.png differ
=====================================
2025-10-21-Reproducible-Builds-brief-summary-of-12-years-and-a-glimpse-into-the-future/images/tdev_summit_logo.png
=====================================
Binary files /dev/null and b/2025-10-21-Reproducible-Builds-brief-summary-of-12-years-and-a-glimpse-into-the-future/images/tdev_summit_logo.png differ
=====================================
2025-10-21-Reproducible-Builds-brief-summary-of-12-years-and-a-glimpse-into-the-future/index.html
=====================================
@@ -142,13 +142,13 @@
Holger Levsen<br>
</small>
</h6>
- <img src="images/tdev_summit_banner.svg" style="height: 370px;">
+ <img src="images/tdev_summit_banner.png" style="height: 370px;">
</section>
<section>
<br>
<h3>
- Reproducible Builds<br> lacks transparency logs<span class="fragment">,<br> can you help?!?</span>
+ Reproducible Builds<br> lack transparency logs<span class="fragment">,<br> can you help?!?</span>
</h3>
<!-- br>
<img src="images/reprobuilds-display.jpeg" style="height: 220px; border-radius: 10px;">
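Review bot: the banner switch from images/tdev_summit_banner.svg to images/tdev_summit_banner.png (this hunk at line 142, and the same change again at line 159) adds the .png files under images/, but the changed-files list shows no deletion, so if images/tdev_summit_banner.svg exists it is now orphaned; either remove it in this commit or confirm it is still referenced elsewhere. The wording fix "Reproducible Builds lack transparency logs" is right (plural subject). The `<!-- br>` comment opened on the last context line has its closing `-->` outside this hunk; worth a quick check that it still encloses exactly the intended lines after the edit.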
@@ -159,7 +159,7 @@
Holger Levsen<br>
</small>
</h6>
- <img src="images/tdev_summit_banner.svg" style="height: 370px;">
+ <img src="images/tdev_summit_banner.png" style="height: 370px;">
</section>
@@ -189,7 +189,7 @@
<h3>About you</h3>
<ul>
<li>Who knows about Reproducible Builds, why and how?</li>
- <li class="fragment">Who contribute(s|d) to Reproducible Builds?</li>
+ <li class="fragment">Who contribute(s|d) to Reproducible Builds somewhere?</li>
<li class="fragment">Who knows that Reproducible Builds have been known for more than 10 years? >30 years?</li>
<li class="fragment">Who knows about SBOM? (Software Bill of Materials) ~= our .buildinfo files designed in 2014!</li>
</ul>
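Review bot: "Who contribute(s|d) to Reproducible Builds somewhere?" (line 189 hunk): the regex-style "contribute(s|d)" works as a spoken aside but reads oddly on a slide, and the added "somewhere" is vague; "Who contributes, or has contributed, to Reproducible Builds in any project?" says the same thing plainly.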
@@ -613,12 +613,13 @@ Warpforge.
<section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h3>Reproducible Builds for some parts of Debian are a reality today:</h3>
<ul>
- <li class="fragment">reproducible docker/podman images: docker.debian.net</li>
- <li class="fragment">reproducible live images: cdimage.debian.org</li>
- <li class="fragment">individual packages, useful for both developers and some users</li>
- <li class="fragment"><code>mmdebstrap --variant=apt trixie</code></li>
+ <span class="fragment">
+ <li>reproducible docker/podman images: docker.debian.net</li>
+ <li>reproducible live images: cdimage.debian.org</li>
+ <li>individual packages, useful for both developers and some users. >95% of 37000 source packages build reproducibly by now</li>
+ <li><code>mmdebstrap --variant=apt trixie</code></li>
- <li class="fragment">debvm, though <code>!MR/45</code>
+ </span>
</li>
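Review bot: removing the `debvm` item (line 613 hunk) leaves its closing `</li>` on the last context line orphaned, so the new markup reads `</span>` followed by a stray `</li>`; either drop that `</li>` as well or keep the debvm item inside the span. Separately, `<span class="fragment">` as a direct child of `<ul>` wrapping four `<li>` is invalid HTML (only `<li>` may be a child of `<ul>`); reveal.js fragments can sit on the `<li>` elements themselves, or the whole `<ul>` can carry `class="fragment"` if all four items are meant to appear at once. The new ">95% of 37000 source packages build reproducibly by now" claim would be stronger with its source named on the slide (the reproduce.debian.net figures this deck used to show) so the audience can verify it.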
@@ -734,68 +735,77 @@ Warpforge.
<img src="images/riscv64_rdn.png">
</section>
- <section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>missing</h2>
- <h4><code>https://s390x.reproduce.debian.net</code></h4>
- <h4 class="fragment"><code>unstable</code></h4>
- <h4 class="fragment"><code>experimental</code></h4>
- <h4 class="fragment"><code>-security</code></h4>
- <h3 class="fragment"><code>forky</code></h4>
- </section>
-
- <section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>reproduce.debian.net<br/> is <code>trixie</code> only atm</h2>
- <img src="images/trixie.png" class="fragment">
- </section>
-
- <section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2><code>https://reproduce.debian.net</code></h2>
+ <section data-background="images/archlinux.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>Arch Linux 2015-2025</h3>
<ul>
- <li>We are very happy to use the same tool for Debian as Archlinux, and recently Fedora too.<li>
- <li class="fragment">However the Debian setup is still its infancy and scaling is more of an issue: 8 architectures instead of 1, 2 suites needed instead of 1 (and 3 once trixie has been released), and 3 times as many packages as Arch tests.</li>
- <li class="fragment">https://github.com/fepitre/package-rebuilder from Frédéric Pierre also exists. We love rebuilderd, but we also love software diversity.</li>
+ <li class="fragment">2015 - pacman records BUILDINFO</li>
+ <li class="fragment">2017 - pacman S_D_E support & archlinux-repro</li>
+ <li class="fragment">2019 - started archiving packages required for rebuilds</li>
+ <li class="fragment">2020 - rebuilderd instance, [core] 86%</li>
+ <li class="fragment">2024 - reproducible minimal container userland</li>
+ <li class="fragment">2025 - 12% left to make reproducible (4 for minimal bootable install)</li>
</ul>
- </section>
-
- <section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2><code>https://reproduce.debian.net</code></h2>
- <h3>another frontend is possible:</h3>
- <img src='images/reproduce.algiz.nu.png'>
+ </section>
+ <section data-background="images/archlinux.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>https://gitlab.archlinux.org/archlinux/rebuilderd-website</h3>
+ <img src="images/Screenshot_2024-11-15_Arch_Linux_Reproducible_Status.png">
+ </section>
+ <section data-background="images/archlinux.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>https://dashboards.archlinux.org/d/PKkRg-FGz/rebuilderd</h3>
+ <img src="images/Screenshot_2025_31_01_Arch_Linux_Reproducible_Dashboard.png">
</section>
- <section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2><code>https://reproduce.debian.net</code></h2>
- <h1>more help much welcome!</h1>
- <p class="fragment">Also please setup rebuilderd instances!<p>
- <p class="fragment">Because do you really want to put all your trust in me???<p>
- </section>
+ <section data-background="images/nixos.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>NixOS</h3>
+ <ul>
+ <span class="fragment"><li>https://luj.fr/blog/is-nixos-truly-reproducible.html - blog post by Julien Malka, summarizing his research article https://hal.science/hal-04913007.</li>
+ <li>The article explores the proportion of bitwise reproducible packages in the Nix package repository and its evolution between 2017 and 2023.</li></span>
+ <li class="fragment"><em>"Our most important finding is that the reproducibility rate in nixpkgs has increased steadily from 69% in 2017 to about 91% in April 2023."</em></li>
+ </ul>
+ </section>
- <section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h2>The diff between theory and practice?</code></h2>
- <h1 class="fragment">We soon will be more reproducible in practice than in theory ;p</h1>
- </section>
+ <section data-background="images/nixos.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>NixOS</h3>
+ <ul>
+ <li>Talk yesterday in the <em>Nix and NixOS</em> track:<br> https://fosdem.org/2025/schedule/event/fosdem-2025-4430-how-reproducible-is-nixos-/
+ </ul>
+ <img src="images/nixos-reproducibility-overall-absolute.png" style="height: 400px;">
+ </section>
- <section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>The diff between theory and practice today?</code></h3>
- <h2>96.6% in CI</h2>
- <h3>vs</h3>
- <h2>96.54% on amd64.reproduce.d.n</h2>
- <p class="fragment">and we've only been doing this for 10 months & the freeze...</p>
- </section>
+ <section data-background="images/freebsd.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>FreeBSD</h3>
+ <ul>
+ <li>Talk at FOSDEM 2016 by Baptiste Daroussin: Reproducible builds in FreeBSD packages</li>
+ <li class="fragment">FreeBSD base system continously tested on jenkins.debian.net since 2015. Just as NetBSD is :)</li>
+ <li> </li>
+ <li> </li>
+ <li> </li>
+ <li> </li>
+ </ul>
+ </section>
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
- <h3>Find out for yourself:</h3>
+ <section data-background="images/freebsd.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>FreeBSD</h3>
<ul>
- <li><code>sudo apt install debian-repro-status</code>
- <li class="fragment"><code>debian-repro-status</code>
- <li class="fragment"><code> INFO debian-repro-status > 60/2268 packages are not reproducible.</br>
- INFO debian-repro-status > Your system is 97.35% reproducible.</code></li>
- <li class="fragment">That is better in practice than in theory. :-D
+ <li>Talk at FOSDEM 2016 by Baptiste Daroussin: Reproducible builds in FreeBSD packages</li>
+ <li>FreeBSD base system continously tested on tests.reproducible-builds.org since 2015. Just as NetBSD is :)</li>
+ <li class="fragment">In 2016 there was WIP for reproducing ports and achieved 80%. And then this efford got stalled...</li>
+ <li class="fragment">until now: https://freebsdfoundation.org/blog/zero-trust-builds-for-freebsd/</li>
</ul>
- </section>
+ </section>
+
+
+ <section data-background="images/freebsd.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ <h3>FreeBSD</h3>
+ <ul>
+ <li>the zero-trust build project is scheduled from jan-aug 2025 and centers on the freebsd build process, and in particular, release building. the primary goal of this work is to enable the entire release process to run without requiring root access, and that build artifacts build reproducibly – that is, that a third party can build bit-for-bit identical artifacts.
+ </li>
+ <li class="fragment">[this] is one of five initiatives that together are aimed at advancing zero trust builds, software bill of materials (sbom), ci/cd automation, security controls in ports and packages, and technical debt reduction.</li>
+ </ul>
+ </section>
<section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
<h2>How to reach 100% in practice</h2>
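Review bot: the second NixOS slide still says "Talk yesterday in the <em>Nix and NixOS</em> track" with a fosdem.org/2025 link; this deck is for the 2025-10-21 transparency.dev summit, so "yesterday" is stale from the FOSDEM version and should read "Talk at FOSDEM 2025 in the Nix and NixOS track". In that same slide the `<li>` is never closed before `</ul>`; add `</li>` after the URL. The first NixOS slide again wraps two `<li>` in a `<span class="fragment">` inside `<ul>`, which is invalid HTML; put the fragment class on the `<li>` elements instead. Typos: "continously" (both FreeBSD slides) should be "continuously", and "efford" should be "effort". The first FreeBSD slide consists of four empty `<li> </li>` placeholders plus the same two bullets that open the next FreeBSD slide; if it is WIP scaffolding, remove it before the talk so the audience does not see a half-empty slide. On the last FreeBSD slide the quoted FreeBSD Foundation text is lower-cased throughout ("jan-aug 2025", "sbom", "ci/cd"); either quote it verbatim with its original capitalisation or mark it as a paraphrase.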
=====================================
2025-10-21-Reproducible-Builds-brief-summary-of-12-years-and-a-glimpse-into-the-future/todo
=====================================
@@ -1,5 +1,4 @@
-about you:
- removed
+sponsors wanted somewhere?
rb definition
who knew this?
@@ -7,6 +6,38 @@ rb definition
who knows diffoscope
who knows S_D_E
+rb & transparency logs:
+ reproducible builds are nice, but without transparency logs who knows whether r-b are really used?
+ (similar to backups are nice/useless, but everybody wants restore)
+ obviously transparency logs are also nice without r-b, but do you really want to run unreproducible software/
+ software transparency, used in the real world?
+
+sigstore debian
+sigstore vs sigsum
+TL used in the real world?
+
+sigsum & sigstore
+ two different tools / implementations
+
+real world transparency
+ ssl certs
+ go
+ android firmware
+ linux firmware
+ imessages
+ applecloud
+hardly software, correct me if i'm wrong :)
+
+transparency world:
+ log operators
+ witnesses
+r-b world
+ log operators
+ rebuilders
+ witnesses
+-> probs double
+
+
about me:
i might not be aware of some CT efforts re: r-b
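Review bot: in the "rb & transparency logs" notes, "do you really want to run unreproducible software/" ends in a stray "/" where a "?" seems intended, and "-> probs double" in the "r-b world" list does not say what doubles (the log operators and witnesses roles, presumably); these are speaker notes, so cosmetic, but worth spelling out before any of it is lifted onto a slide.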
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/d299bbb6f4ef7361080177985809086c97f4fcbc
--
You're receiving this email because of your account on salsa.debian.org.