[Git][reproducible-builds/reproducible-lfs][master] 2 commits: transparency.dev summit talk: more WIP

Holger Levsen (@holger) gitlab at salsa.debian.org
Tue Oct 21 08:59:05 UTC 2025



Holger Levsen pushed to branch master at Reproducible Builds / reproducible-lfs


Commits:
aac2d735 by Holger Levsen at 2025-10-21T10:11:58+02:00
transparency.dev summit talk: more WIP

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -
803192c7 by Holger Levsen at 2025-10-21T10:58:56+02:00
transparency.dev summit talk: more WIP

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -


1 changed file:

- presentations/2025-10-21-Reproducible-Builds-brief-summary-of-12-years-and-a-glimpse-into-the-future/index.html


Changes:

=====================================
presentations/2025-10-21-Reproducible-Builds-brief-summary-of-12-years-and-a-glimpse-into-the-future/index.html
=====================================
@@ -170,32 +170,7 @@
       </section>
 
 
-
-
-         <!-- section data-background="images/tdev_summit_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
-        <h3>About you</h3>
-        <ul>
-          <li class="fragment">Who knows about Reproducible Builds, why and how?</li>
-      </ul>
-      </section>
-
-         <section data-background="images/tdev_summit_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
-        <h3>The End</h3>
-        <h3>Thank you!</h3>
-      </section -->
-
-
-         <section data-background="images/tdev_summit_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
-        <h3>About you</h3>
-        <ul>
-          <li>Who knows about Reproducible Builds, why and how?</li>
-          <li class="fragment">Who contribute(s|d) to Reproducible Builds somewhere?</li>
-          <li class="fragment">Who knows that Reproducible Builds have been known for more than 10 years? >30 years?</li>
-          <li class="fragment">Who knows about SBOM? (Software Bill of Materials) ~= our .buildinfo files designed in 2014!</li>
-      </ul>
-      </section>
-
-      
+ 
       <section data-background="images/Capitole_du_libre_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <p>Who am I</p>
         <ol>
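Review bot: the "Who am I" slide directly below the removed block still uses images/Capitole_du_libre_logo.png as its background, while the "About you" slides being moved out of here use images/tdev_summit_logo.png. If that is a leftover from an earlier talk, swap the logo in this same change. The one added line is whitespace only and can be dropped.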
@@ -204,7 +179,7 @@
           <li>Working on Reproducible Builds since 2014.
           Aiming to make all ❤️  Free Software reproducible.</li>
           <li class="fragment">Since 2015 I've been convinced that transparency logs are desirable for <em>any distributed software</em>, alas...
-          <li class="fragment">Finally I'm here to present the work of <b>many</b> people:</li>
+          <li class="fragment">I'm here to present the work of <b>many</b> people:</li>
      </ol>
       </section>
 
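Review bot: the item just above the changed line ("Since 2015 I've been convinced ... alas...") has no closing </li>, so the reworded "I'm here to present the work of many people:" item follows an unclosed one. Since the neighbouring line is being touched anyway, add the missing </li> there.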
@@ -397,7 +372,32 @@
 	</p>
 	  </section>
 
-      <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+
+
+         <!-- section data-background="images/tdev_summit_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h3>About you</h3>
+        <ul>
+          <li class="fragment">Who knows about Reproducible Builds, why and how?</li>
+      </ul>
+      </section>
+
+         <section data-background="images/tdev_summit_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h3>The End</h3>
+        <h3>Thank you!</h3>
+      </section -->
+
+
+         <section data-background="images/tdev_summit_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h3>About you</h3>
+        <ul>
+          <li>Who knows about Reproducible Builds, why and how?</li>
+          <li class="fragment">Who contribute(s|d) to Reproducible Builds somewhere?</li>
+          <li class="fragment">Who knows that Reproducible Builds have been known for more than 10 years? <span class="fragment">>30 years?</span></li>
+          <li class="fragment">Who knows about SBOM? (Software Bill of Materials) ~= our .buildinfo files designed in 2014!</li>
+      </ul>
+      </section>
+
+           <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h1>Introduction</h1>
       </section>
 
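Review bot: in the re-added "About you" slide, the new fragment reads <span class="fragment">>30 years?</span>, where the raw ">" directly after the tag is easy to misread; write it as &gt;30 years?. The commented-out "About you" / "The End" draft is moved along with the live slide, so consider dropping it rather than carrying it forward. The last changed line only re-indents the opening <section> of the Introduction slide, which now no longer lines up with its closing tag.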
@@ -515,6 +515,45 @@
 	</section>
 
 
+      <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h2>SOURCE_DATE_EPOCH</h2>
+	<ul>
+	<li>Who knows about SOURCE_DATE_EPOCH?</li>
+	<li class="fragment">Build time stamps are largly meaningless. SOURCE_DATE_EPOCH describes the time of the last modification of the source (in seconds since the Unix epoch).</li>
+	<span class="fragment"><li>The specification is from 2015 and was updated in 2017.
+	<li>https://reproducible-builds.org/docs/source-date-epoch/</li></span>
+	<li class="fragment">Supported by <b>a lot</b> of software today.</li>
+	</ul>
+	</section>
+
+      <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h2>diffoscope</h2>
+	<ul>
+	<li class="fragment">Who knows about, or uses or has used diffoscope?</li>
+	<li class="fragment">diffoscope tries to get to the bottom of what makes files or directories different. It will recursively unpack archives of many kinds and transform various binary formats into more human-readable form to compare them.</li>
+	<li class="fragment">txt, HTML and/or JSON output</li>
+	<span class="fragment"><li>https://try.diffoscope.org</li>
+	<li>https://diffoscope.org</li></span>
+	</ul>
+	</section>
+
+      <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h2>diffoscope</h2>
+	<li>Text and HTML ouput</li>
+	<li style="font-size: 75%" class="fragment">File formats supported include: Android APK files, Android boot images, Android package resource table (ARSC), Apple Xcode mobile provisioning files, ar(1) archives, ASM Function, Berkeley DB database files, bzip2 archives, character/block devices, ColorSync colour profiles (.icc), Coreboot CBFS filesystem images, cpio archives, Dalvik .dex files, Debian .buildinfo files, Debian .changes files, Debian source packages (.dsc), Device Tree Compiler blob files, directories, ELF binaries, ext2/ext3/ext4/btrfs/fat filesystems, Flattened Image Tree blob files, FreeDesktop Fontconfig cache files, FreePascal files (.ppu), Gettext message catalogues, GHC Haskell .hi files, GIF image files, Git repositories, GNU R database files (.rdb), GNU R Rscript files (.rds), Gnumeric spreadsheets, GPG keybox databases, Gzipped files, Hierarchical Data Format database, HTML files (.html), ISO 9660 CD images, Java class files, Java .jmod modules, JavaScript files,</li>
+	</section>
+      <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h2>diffoscope</h2>
+	<li style="font-size: 75%">JPEG images, JSON files, Linux kernel images, LLVM IR bitcode files, local (UNIX domain) sockets and named pipes (FIFOs), LZ4 compressed files, lzip compressed files, macOS binaries, Microsoft Windows icon files, Microsoft Word .docx files, Mono ‘Portable Executable’ files, Mozilla-optimized .ZIP archives, Multimedia metadata, OCaml interface files, Ogg Vorbis audio files, OpenOffice .odt files, OpenSSH public keys, OpenWRT package archives (.ipk), PDF documents, PE32 files, PGP signatures, PGP signed/encrypted messages, PNG images, PostScript documents, Public Key Cryptography Standards (PKCS) files (version #7), Python pyc files, RPM archives, Rust object files (.deflate), Sphinx inventory files, SQLite databases, SquashFS filesystems, symlinks, tape archives (.tar), tcpdump capture files (.pcap), text files, TrueType font files, U-Boot legacy image files, WebAssembly binary module, XML binary schemas (.xsb), XML files, XMLB files, XZ compressed files, ZIP archives and Zstandard compressed files.</li>
+	<li>Fallback on hexdump comparison, fuzzy-matching to handle renamings, and much more!</li>
+	</section>
+
+      <!--section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h2>diffoscope example output</h2>
+	<li><a href="https-everywhere-5.0.6_vs_5.0.7.html">Example diffoscope output for https-everywhere 5.0.6 vs 5.0.7</a></li>
+	</section-->
+
+
       <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2>Reproducible Builds Summits</h2>
 	<ul style="font-size: 90%">
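Review bot: on the SOURCE_DATE_EPOCH slide and the first diffoscope slide, <span class="fragment"> is placed directly inside <ul> and wraps two <li> elements, which is not valid HTML (a <ul> takes <li> children only), and the first wrapped item ("The specification is from 2015 and was updated in 2017.") is never closed. To reveal both items together, put class="fragment" on each <li> with the same data-fragment-index instead. The second and third diffoscope slides have <li> elements with no enclosing <ul>. Spelling: "largly" should be "largely" and "ouput" should be "output".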
@@ -614,28 +653,20 @@ Warpforge.
        	<h3>Reproducible Builds for some parts of Debian are a reality today:</h3>
      	<ul>
 	<span class="fragment">
-	<li>reproducible docker/podman images: docker.debian.net</li>
-	<li>reproducible live images: cdimage.debian.org</li>
 	<li>individual packages, useful for both developers and some users. >95% of 37000 source packages build reproducibly by now</li>
 	<li><code>mmdebstrap --variant=apt trixie</code></li>
 
 	</span>
+	<span class="fragment">
+	<li>reproducible docker/podman images: docker.debian.net</li>
+	<li>reproducible live images: cdimage.debian.org</li>
+	</span>
 </li>
 
 
 	</ul> 
       </section>
 
-      <section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
-       	<h3>How did we get there?</h3>
-	</ul> 
-      </section>
-
-
-      <section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
-	<h2>CI builders from 2015 until today and beyond</h2>
-	</section>
-
       <section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
 	<h3>CI results for Debian unstable, 20250712</h3>
 	<img src="images/stats_pkg_state_20250712.png">
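Review bot: the added <span class="fragment"> around the docker.debian.net and cdimage.debian.org items again sits directly inside the <ul> and wraps <li> elements; class="fragment" on both items with a shared data-fragment-index gives the same reveal with valid markup. The unchanged </li> right after the new closing </span> has no matching opening tag and could be removed while this list is being reordered.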
@@ -654,34 +685,29 @@ Warpforge.
 	<p>we rebuild constantly and find lots of FTBFS bugs</p>
       </section>
 
+      <section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+	<h2>CI builders from 2015 until today and beyond</h2>
+	<p>CI builders are great, but we also need rebuilders. And we want to have both.</p>
+	</section>
+
 
 
  <section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2><code>https://reproduce.debian.net</code></h2>
 	<ul>
-    	<li class="fragment">a <code>rebuilderd</code> instance, running since Q3 2024</li>
-    	<li class="fragment">rebuilding and comparing against what Debian distributes on <code>ftp.debian.org</code>.</li>
-    	<!-- li class="fragment">actually it's eight instances atm, one for each arch...</li>
-    	<li class="fragment">(thankfully <code>kpcyrd</code> fixed issue#163 yesterday, so we can have several suites on one instance.... more on this later) -->
-	</ul>
-      </section>
-
- <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
-        <h2>about <em>rebuilderd</em></h2>
-	<ul>
-        <li class="fragment">support for rebuilding Arch, Fedora, Debian and Tails</li>
-        <li class="fragment">rebuilderd, rebuilderd-worker, rebuilderctl</li>
-        <li class="fragment">written in Rust by <em>kpcyrd</em>, development started in 2019 during Marrakech summit</li>
-        <li class="fragment">available at https://github.com/kpcyrd/rebuilderd - installation with apt, pacman -S, apk add, sudo make install, soon with dnf too</li>
-        <li class="fragment">several instances for Arch exist (about 5), one instance for Fedora exists and so far, AFAIK, three for Debian
+	<li>Attempts to bit-for-bit identically rebuild each Debian binary package found in the distribution archive, using the .buildinfo file produced when the buildd originally built the package.</li>
+	<li class="fragment">For each distributed package, rebuilderd calls debrebuild that calls debootsnap, mmdebstrap and finally sbuild to build that package within a user namespace.</li>
 	</ul>
       </section>
 
  <section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h2><code>https://reproduce.debian.net</code></h2>
 	<ul>
-	<li>Attempts to bit-for-bit identically rebuild each Debian binary package found in the distribution archive, using the .buildinfo file produced when the buildd originally built the package.</li>
-	<li class="fragment">For each distributed package, rebuilderd calls debrebuild that calls debootsnap, mmdebstrap and finally sbuild to build that package within a user namespace.</li>
+    	<li>a <code>rebuilderd</code> instance, running since Q3 2024</li>
+    	<li>rebuilding and comparing against what Debian distributes on <code>ftp.debian.org</code>.</li>
+    	<li class="fragment">rebuilderd is older but snapshot.debian.org was broken from 2019 until 2024...</li>
+    	<!-- li class="fragment">actually it's eight instances atm, one for each arch...</li>
+    	<li class="fragment">(thankfully <code>kpcyrd</code> fixed issue#163 yesterday, so we can have several suites on one instance.... more on this later) -->
 	</ul>
       </section>
 
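Review bot: after the swap, the first https://reproduce.debian.net slide already says "rebuilderd calls debrebuild", but rebuilderd is only introduced on the following slide ("a rebuilderd instance, running since Q3 2024"), and the "about rebuilderd" slide is removed from this position. Consider keeping the "what it is" slide first, or naming rebuilderd in one short line before the call chain. Both slides also share the same <h2>, so a distinguishing subtitle would help when navigating the deck.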
@@ -694,6 +720,17 @@ Warpforge.
       </section>
 
 
+ <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+        <h2>about <em>rebuilderd</em></h2>
+	<ul>
+        <li>support for rebuilding Arch, Fedora, Debian and Tails</li>
+        <span class="fragment"><li>rebuilderd, rebuilderd-worker, rebuilderctl</li>
+        <li>written in Rust by <em>kpcyrd</em>, development started in 2019 during Marrakech summit</li></span>
+        <li class="fragment">available at https://github.com/kpcyrd/rebuilderd - installation with apt, pacman -S, apk add, sudo make install, soon with dnf too</li>
+        <li class="fragment">several instances for Arch exist (about 5), one instance for Fedora exists and so far, AFAIK, now also five for Debian
+	</ul>
+      </section>
+
  <section data-background="images/debian_logo.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <h3><code>https://all.reproduce.debian.net</code>: 92.6%</h3>
         <img src="images/all_rdn.png">
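Review bot: the last item of the re-added "about rebuilderd" slide ("several instances for Arch exist ...") still has no closing </li>, and "so far, AFAIK, now also five for Debian" mixes "so far" and "now also"; one of the two is enough. The <span class="fragment"> wrapping two <li> elements inside the <ul> has the same validity problem as on the other new slides.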
@@ -788,12 +825,14 @@ Warpforge.
      </section>
 
       <section data-background="images/freebsd.png" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
-        <h3>FreeBSD</h3>
+        <h3>FreeBSD and NetBSD</h3>
 	<ul>
 		<li>Talk at FOSDEM 2016 by Baptiste Daroussin: Reproducible builds in FreeBSD packages</li>
 		<li>FreeBSD base system continously tested on tests.reproducible-builds.org since 2015. Just as NetBSD is :)</li>
-		<li class="fragment">In 2016 there was WIP for reproducing ports and achieved 80%. And then this efford got stalled...</li>
-		<li class="fragment">until now: https://freebsdfoundation.org/blog/zero-trust-builds-for-freebsd/</li>
+		<li class="fragment">In 2016 there was WIP for reproducing FreeBSD ports and achieved 80%. And then this efford got stalled...</li>
+		<span class="fragment"><li>until now: https://freebsdfoundation.org/blog/zero-trust-builds-for-freebsd/</li>
+		<li>NetBSD: for most archs base system can be rebuild bit for bit identical on NetBSD and Linux...!
+		</li>
 	</ul>
      </section>
 
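Review bot: the new <span class="fragment"> opened before "until now: https://freebsdfoundation.org/..." is never closed; the hunk closes the NetBSD <li> and then goes straight to </ul>. Add the </span>, or better, put class="fragment" on the two items themselves. Spelling in the touched lines: "efford" should be "effort" and "can be rebuild" should be "can be rebuilt"; the unchanged line above has "continously".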
@@ -918,25 +957,47 @@ Warpforge.
 </table>
      </section>
 
-      <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+      <!-- section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <img src="images/ccc2014-13.png">
-      </section>
+      </section -->
 
+      <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ 	<h2>and there is more...</h2>
+	<p>but time is short. Still I want to mention:</p>
+	<ul><li>Torbrowser which started it all - together with Bitcoin client to be fair</li>
+	<li>Tails</li>
+	<li>FDroid</li>
+	<li>Maven central</li>
+	<li>...</li>
+	</ul>
+	</section>
+
+      <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
+ 	<h2>Reproducible Builds and transparency logs</h2>
+	<ul>
+	<li>this was mostly distro centric (but it doesnt have to be)
+	<li>transparency logs have been mostly out of scope for me personally
+	<li>more than happy to help though!
+	<li>lets discuss in a breakout session?!
+	<li>i'm here to collaborate
+	<li>be the change you want to see in the FLOSS world
+	</ul>
+	</section>
 
       <section data-background="images/rb-logo.svg" data-background-size="10%" data-background-position="93% 9%" data-transition="none">
         <img src="images/groupphoto_rb2023summit.jpg" style="height: 350px;">
-              <h2>
+              <h3>
           Thank you
           <br><small>… and all contributors out there!</small>
-        </h2>
+        </h3>
         <p>Any questions? 🤷</p>
 
-        <h4>
+        <p><small>
           #debian-reproducible on irc.oftc.net<br>
           #reproducible-builds on irc.oftc.net<br>
-	rb-general at lists.reproducible-builds.org
-		</small>
-        </h4>
+	rb-general at lists.reproducible-builds.org<br>
+	Holger Levsen / h01ger / holger at reproducible-builds.org / holger at debian.org
+	</small>	</p>
       </section>
 
 
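Review bot: on the new "Reproducible Builds and transparency logs" slide none of the six <li> items is closed, unlike the "and there is more..." list right above it; close them for consistency. Wording on the two new slides: "doesnt" and "lets" are missing apostrophes, "i'm" should be capitalised, and the project names are usually written "Tor Browser", "F-Droid" and "Maven Central". The ccc2014-13.png slide is commented out rather than removed; if it will not return, delete it.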



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-lfs/-/compare/677fc64cf3946215c672a5a6e1be47f5a8e87f47...803192c7af16e5a08e9ee8d6b24e3be178fbbe6f
