[rb-general] [Jose.Miguel at microsoft.com: Setting up a MS-hosted rebuilder with in-toto metadata]

Santiago Torres Arias santiago at nyu.edu
Thu Aug 22 16:16:03 UTC 2019


I'm taking the liberty to forward this to the broader community and
answering as many questions as I can :)

- at NYU, we have an 8-core VM with 8GB of RAM, although we will
  probably update this sometime soon.
- I think you guys could use more cores/RAM, although I think this is
  somewhat of an open question. I'm sure people at the Debian project
  will probably know better.
- The rebuilders are separate from the Debian project, which makes
  things easier from both a security and a governance standpoint.

I think it would be due to discuss/standardize the in-toto query
endpoints, as well as start talking about having witnesses/submitters to
the rebuilder transparency log :)


P.S. +Morten, as he's the brains behind the transparency log.

----- Forwarded message from Jose Miguel Parrella <Jose.Miguel at microsoft.com> -----

Date: Mon, 19 Aug 2019 23:00:31 +0000
From: Jose Miguel Parrella <Jose.Miguel at microsoft.com>
To: "santiago at nyu.edu" <santiago at nyu.edu>
CC: "chris at chris-lamb.co.uk" <chris at chris-lamb.co.uk>, Matt Bearup <mbearup at microsoft.com>
Subject: Setting up a MS-hosted rebuilder with in-toto metadata

We're interested in setting up an Azure-hosted rebuilder <https://salsa.debian.org/reproducible-builds/debian-rebuilder-setup> for Debian packages, and publishing in-toto metadata of our rebuilds for public consumption.

I know NYU <https://reproducible-builds.engineering.nyu.edu/> and Bergen <http://158.39.77.214/> both run rebuilders now. I read it very quickly but I didn't see tons of base system packages in those rebuilders, and those are the ones we are rebuilding, so we might be alone for a while but at least it's a step in the right direction.

I have some questions:

  *   What infrastructure are the two universities using today?
  *   What are the infrastructure requirements for a Debian rebuilder by Microsoft today?
  *   What is the governance of the rebuilders? Is this a project part of Debian CI or is this something else? Are the rebuilders part of the DSA infrastructure?

We also have some packages we build and publish via packages.microsoft.com. Virtually all of those are Microsoft software built by Microsoft, but there is at least one rebuild there (Moby) which we could potentially also publish in-toto metadata for.

What would you suggest we do as next steps?


----- End forwarded message -----
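Both messages talk about rebuilders publishing in-toto link metadata for public consumption. The following is an added example (not code from the rb-general thread, the NYU/Bergen rebuilders, or in-toto itself) of what a consumer does with that metadata: hash a locally obtained .deb and check how many independent rebuilders recorded the same product hash, requiring a threshold of agreeing rebuilders before accepting the package. The rebuilder names, the package file name, the .deb bytes and the link documents are all constructed for the example; signature verification of the links, which a real consumer must do with each rebuilder's published key before trusting its products, is deliberately left out.

```python
import hashlib
import json

# Constructed stand-in for the bytes of the .deb the consumer wants to verify.
PACKAGE_NAME = "example_1.0-1_amd64.deb"
REBUILT_DEB = b"constructed stand-in for the bytes of example_1.0-1_amd64.deb"
DEB_SHA256 = hashlib.sha256(REBUILT_DEB).hexdigest()


def make_link(rebuilder, products):
    """Return an in-toto link document shaped as a rebuilder would publish it.

    Only the 'signed' part is meaningful here; 'signatures' is left empty
    because this example does not cover key distribution or verification.
    """
    return {
        "signatures": [],
        "signed": {
            "_type": "link",
            "name": "rebuild",
            "command": ["dpkg-buildpackage", "-us", "-uc"],  # assumed build command
            "materials": {},
            "products": products,
            "byproducts": {},
            "environment": {"rebuilder": rebuilder},  # assumed: identifies the publisher
        },
    }


# Constructed: two rebuilders reproduced the package bit-for-bit, a third
# (with a different toolchain, say) got a different artifact.
LINKS_JSON = json.dumps([
    make_link("rebuilder-a.example", {PACKAGE_NAME: {"sha256": DEB_SHA256}}),
    make_link("rebuilder-b.example", {PACKAGE_NAME: {"sha256": DEB_SHA256}}),
    make_link("rebuilder-c.example", {PACKAGE_NAME: {"sha256": "0" * 64}}),
])


def product_sha256(link, filename):
    """Extract the sha256 a link records for one product file, or None."""
    return link["signed"]["products"].get(filename, {}).get("sha256")


def verify_against_rebuilders(deb_bytes, filename, links_json, threshold=2):
    """Check deb_bytes against every rebuilder link and apply a threshold.

    Returns (digest, agreeing_rebuilders, accepted). A link that names a
    different product, or omits the file entirely, simply does not count
    toward the threshold; a mismatching hash is reported in the disagreeing list.
    """
    digest = hashlib.sha256(deb_bytes).hexdigest()
    agreeing, disagreeing = [], []
    for link in json.loads(links_json):
        if link["signed"].get("_type") != "link":
            continue  # not a link document; ignore rather than trust by accident
        recorded = product_sha256(link, filename)
        who = link["signed"]["environment"].get("rebuilder", "<unknown>")
        if recorded is None:
            continue
        (agreeing if recorded == digest else disagreeing).append(who)
    return digest, agreeing, disagreeing, len(agreeing) >= threshold


if __name__ == "__main__":
    digest, ok, bad, accepted = verify_against_rebuilders(REBUILT_DEB, PACKAGE_NAME, LINKS_JSON)
    print(f"{PACKAGE_NAME} sha256={digest}")
    print(f"agreeing: {ok}; disagreeing: {bad}; accepted={accepted}")
```

With the constructed data, two rebuilders agree with the local hash and one does not, so the package passes a threshold of 2 but fails a threshold of 3; tampering with the .deb (or any one rebuilder's link) drops it below the threshold, which is the property a consumer wants from multiple independent rebuilders.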