From leo at LeoWandersleb.de Sat Aug 1 05:51:31 2020 From: leo at LeoWandersleb.de (Leo Wandersleb) Date: Sat, 1 Aug 2020 01:51:31 -0400 Subject: I would love to expand WalletScrutiny to Linux but how? Message-ID: <876d6cc0-4fd3-ada4-6b8a-1ae86b70e969@LeoWandersleb.de> Hi list, since weeks I have ideas on how to expand WalletScrutiny.com from only monitoring Android Bitcoin wallets to also monitoring Linux wallets for reproducibility. On general Linux, reproducibility is much more a topic than on Android so I hope to find it much more here but most see reproducibility as a tool a user can use to reassure himself that a binary he downloaded was compiled from a certain source code. The scope of WalletScrutiny is slightly more ambitious: I hope to catch as early as possible any rogue update that would have a huge impact else. Protect the user that is ignorant to the topic of reproducibility. On Android there is: * effectively one repository of binaries (Google Play). Alternative repositories (FDroid, Amazon, ...) account for probably still less than 1% of the market. * updates are pinned to a release manager's private key as the user cannot install an update that is not signed by the same key as all the previous versions. On Linux there is: * The provider's website's download link. * Significantly more than one relevant Linux, each with their own app repository and maintainers. * Snap as an attempt at providing apps to multiple Linux flavors. * Secondary websites. * No pinning to a signing key unless the app has a self-update feature which is scary, too. On Android many developers reacted allergic to their app not being reproducible. "After all they develop it for free as open source." and when I say "proof it!", they usually don't turn more friendly but I try to distinguish between the developer who owes me nothing and the release maintainer who should have some accountability when providing a wallet application to the general public. In that sense, I don't care too much about the developer but about thee who press the compile button to then share that binary with users to safe-guard funds. The project would have to list wallets sliced by release managers and repositories. "wallet X as obtained from from walletx .org" vs. "... as obtained from debian" ... There is a long way ahead to cover any significant amount of wallet users as that requires learning about accountability in the various repositories, poisoning detection, etc. If you think you know how to spread the word about reproducibility in the context of Bitcoin wallets through WalletScrutiny, your contributions are highly welcome on [this PR](https://gitlab.com/walletscrutiny/walletScrutinyCom/-/merge_requests/68) or its repository in general. Kind Regards, Leo Wandersleb From chris at reproducible-builds.org Sat Aug 1 15:00:05 2020 From: chris at reproducible-builds.org (Chris Lamb) Date: Sat, 01 Aug 2020 15:00:05 -0000 Subject: I would love to expand WalletScrutiny to Linux but how? In-Reply-To: <876d6cc0-4fd3-ada4-6b8a-1ae86b70e969@LeoWandersleb.de> References: <876d6cc0-4fd3-ada4-6b8a-1ae86b70e969@LeoWandersleb.de> Message-ID: Hi Leo, > On Android many developers reacted allergic to their app not being reproducible. > "After all they develop it for free as open source." and when I say "proof it!", > they usually don't turn more friendly but I try to distinguish between the > developer who owes me nothing and the release maintainer who should > have some accountability when providing a wallet application to the general > public. (This does not address your question about extending to Linux, but...) Could you describe this phenomenon and interaction pattern with Android developers in more detail? I would particularly interested in what incentives, thought patterns or obstacles you believe you are encountering here. I ask because a big part of the purpose of "Reproducible Builds" existing as a community/project is education, ie. to reach out to other communities so we can work together towards common goals. Understanding what other communities' incentives are is therefore highly instructive in working out how we can collaborate, and I don't believe I have a firm grasp on the Android perspective. Best wishes, -- o ? ? Chris Lamb o o reproducible-builds.org ? ? ? o From leo at LeoWandersleb.de Sat Aug 1 16:31:58 2020 From: leo at LeoWandersleb.de (Leo Wandersleb) Date: Sat, 1 Aug 2020 12:31:58 -0400 Subject: I would love to expand WalletScrutiny to Linux but how? In-Reply-To: References: <876d6cc0-4fd3-ada4-6b8a-1ae86b70e969@LeoWandersleb.de> Message-ID: <0441c659-9e6b-e7db-5584-c469445f03f3@LeoWandersleb.de> Hi Chris, > Could you describe this phenomenon and interaction pattern with > Android developers in more detail? I would particularly interested in > what incentives, thought patterns or obstacles you believe you are > encountering here. For a big part I think there is ignorance to the concept of reproducibility, even among developers. It just doesn't occur to them that the release manager under distress might do terrible things. At WalletScrutiny I try to get the reproducible wallets on board to promote the concept. They should advertise the fact but kind of don't yet. Wallets that are open source but not reproducible (if buildable at all) I poke with GitHub issues every now and then and there are some few that show phases of interest to make their builds reproducible but it usually fizzles out. Not sure, why. I keep poking every other month but they usually have other urgent things. At the wallet where I am the release manager, the CEO/CTO did not give it sufficient priority to investigate it for a year of me pushing for it but once I got to look into it, it turned out to be almost reproducible already. Only much later did we have to add disorderfs to the build instructions. > I ask because a big part of the purpose of "Reproducible Builds" > existing as a community/project is education, ie. to reach out to other > communities so we can work together towards common goals. > Understanding what other communities' incentives are is therefore > highly instructive in working out how we can collaborate, and I don't > believe I have a firm grasp on the Android perspective. Native Android is mostly reproducible out of the box but those cross-platform frameworks and stuff developed in C++ are more tricky to get right. From julien at lepiller.eu Sat Aug 1 17:32:57 2020 From: julien at lepiller.eu (Julien Lepiller) Date: Sat, 01 Aug 2020 13:32:57 -0400 Subject: You don't need reproducible builds Message-ID: <21EE8050-0056-4847-BF20-D3301BB33859@lepiller.eu> Hi, With a subject like that, I know I have your attention :). This is actually the title of a blog post I found on my social media, and I wanted to share in case you hadn't read it yet: http://blog.cmpxchg8b.com/2020/07/you-dont-need-reproducible-builds.html?m=1 I think it is important to listen to criticism, as it will help us to better explain and educate about reproducible builds. Thoughts on this? Having met some of you at rb-summit in Paris, I know you're adorable people, but remember to be polite if you decide to comment on his blog. We don't want to sound like we're harassing people :) -------------- next part -------------- An HTML attachment was scrubbed... URL: From foxboron at archlinux.org Sat Aug 1 17:41:34 2020 From: foxboron at archlinux.org (Morten Linderud) Date: Sat, 1 Aug 2020 19:41:34 +0200 Subject: You don't need reproducible builds In-Reply-To: <21EE8050-0056-4847-BF20-D3301BB33859@lepiller.eu> References: <21EE8050-0056-4847-BF20-D3301BB33859@lepiller.eu> Message-ID: <20200801174134.ba2ypdimjlqph3p6@anathema> On Sat, Aug 01, 2020 at 01:32:57PM -0400, Julien Lepiller wrote: > Hi, > > With a subject like that, I know I have your attention :). This is actually > the title of a blog post I found on my social media, and I wanted to share in > case you hadn't read it yet: > > http://blog.cmpxchg8b.com/2020/07/you-dont-need-reproducible-builds.html?m=1 > > I think it is important to listen to criticism, as it will help us to better > explain and educate about reproducible builds. > > Thoughts on this? > > Having met some of you at rb-summit in Paris, I know you're adorable people, > but remember to be polite if you decide to comment on his blog. We don't want > to sound like we're harassing people :) The article misses the point, which is quite apparent when you read the following section. > Now if the vendor is compromised or becomes malicious, they can?t give the > user any compromised binaries without also providing the source code. This > ignores some complexities, like ensuring security updates are delivered even > if one vendor is compromised, what to do if the reproducers stop working, or > how to reach consensus if the reproducers and your vendor disagree on what > software or fork you should be using. Tavis only looks at reproducible builds from the standpoint of a proprietary vendor. Which is obvious considering he works at Google. The section above outlines that the vendor providing the binaries, also provides the source code. But this is not the case for reproducible builds in the context of Linux distributions, or Free and Open-Source software in general. In our case (if I'm allowed to say that :p) the pristine source is separate from the distributor of the binary, and you don't need to have the distributor provide the source, you can fetch it yourself. Tavis also includes the "god argument" of bugdoor, which Reproducible Builds simply can't protect against, thus outside the scope of the project. In short: It's a nice criticism of reproducible builds in the context of proprietary vendors, but it doesn't hold up very well when we look at the Free and Open-Source software communities. -- Morten Linderud PGP: 9C02FF419FECBE16 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From chris at reproducible-builds.org Mon Aug 3 15:32:53 2020 From: chris at reproducible-builds.org (Chris Lamb) Date: Mon, 03 Aug 2020 16:32:53 +0100 Subject: =?UTF-8?Q?diffoscope.org_not_resolving_(was:_"Re:_[diffoscope]_Command_`?= =?UTF-8?Q?unsquashfs_-n_-f_-no_-li_-d_._a/yakshaveinc=5F73.snap`_failed?= =?UTF-8?Q?")?= In-Reply-To: References: Message-ID: <9ef9bb70-0882-438e-bf77-4887cfb1b464@www.fastmail.com> [adding rb-general to CC] Hi Anatoli, > Anyway, writing to let you know that http://try.diffoscope.org/ and > http://diffoscope.org/ are down. Ah, interesting. This is, at least, some kind of domain/DNS issue. For example, try.diffoscope.org should resolve to 46.43.2.47 but it is currently not resolving to anything right now. I don't know what diffoscope.org itself should resolve to but I suspect this is a parallel, if not identical, issue. I've added rb-general to this so that the more sysadmin folks that do Reproducible Builds (Holger, Mattia, Vagrant, etc.) are definitely aware of it. I cannot help any further I'm afraid. ? > It appears I need Salsa account for this. Maybe later I will register. Please do so. It's a bit of a pain but I put together some hopefully foolproof instructions for this here: https://reproducible-builds.org/contribute/salsa/ Let us know if you have suggestions if they could be improved. Best wishes, -- o ? ? Chris Lamb o o reproducible-builds.org ? ? ? o From anatoli at rainforce.org Mon Aug 3 16:12:06 2020 From: anatoli at rainforce.org (Anatoli Babenia) Date: Mon, 3 Aug 2020 19:12:06 +0300 Subject: diffoscope.org not resolving (was: "Re: [diffoscope] Command `unsquashfs -n -f -no -li -d . a/yakshaveinc_73.snap` failed") In-Reply-To: <9ef9bb70-0882-438e-bf77-4887cfb1b464@www.fastmail.com> References: <9ef9bb70-0882-438e-bf77-4887cfb1b464@www.fastmail.com> Message-ID: Registering on Salsa first gave some server error page, but from the second try it worked. As for the DNS issue, it looks like the domain expired. On Mon, 3 Aug 2020 at 18:33, Chris Lamb wrote: > [adding rb-general to CC] > > Hi Anatoli, > > > Anyway, writing to let you know that http://try.diffoscope.org/ and > > http://diffoscope.org/ are down. > > Ah, interesting. This is, at least, some kind of domain/DNS issue. > > For example, try.diffoscope.org should resolve to 46.43.2.47 but it is > currently not resolving to anything right now. I don't know what > diffoscope.org itself should resolve to but I suspect this is a > parallel, if not identical, issue. > > I've added rb-general to this so that the more sysadmin folks that do > Reproducible Builds (Holger, Mattia, Vagrant, etc.) are definitely > aware of it. I cannot help any further I'm afraid. > > ? > > > It appears I need Salsa account for this. Maybe later I will register. > > Please do so. It's a bit of a pain but I put together some hopefully > foolproof instructions for this here: > > https://reproducible-builds.org/contribute/salsa/ > > Let us know if you have suggestions if they could be improved. > > > Best wishes, > > -- > o > ? ? Chris Lamb > o o reproducible-builds.org ? > ? ? > o > -- Anatoli Babenia +1 (650) 605-3365 +375 (29) 320-4241 -------------- next part -------------- An HTML attachment was scrubbed... URL: From mattia at mapreri.org Mon Aug 3 18:47:59 2020 From: mattia at mapreri.org (Mattia Rizzolo) Date: Mon, 3 Aug 2020 20:47:59 +0200 Subject: [diffoscope] diffoscope.org not resolving (was: "Re: Command `unsquashfs -n -f -no -li -d . a/yakshaveinc_73.snap` failed") In-Reply-To: <9ef9bb70-0882-438e-bf77-4887cfb1b464@www.fastmail.com> References: <9ef9bb70-0882-438e-bf77-4887cfb1b464@www.fastmail.com> Message-ID: Hi, Afaik only Holger has access to the DNS management interface (including payments, renewal, etc) at Gandi. I'm writing to him explicitly in the hope he'll see this mail earlier. On Mon, 3 Aug 2020, 5:33 pm Chris Lamb, wrote: > [adding rb-general to CC] > > Hi Anatoli, > > > Anyway, writing to let you know that http://try.diffoscope.org/ and > > http://diffoscope.org/ are down. > > Ah, interesting. This is, at least, some kind of domain/DNS issue. > > For example, try.diffoscope.org should resolve to 46.43.2.47 but it is > currently not resolving to anything right now. I don't know what > diffoscope.org itself should resolve to but I suspect this is a > parallel, if not identical, issue. > > I've added rb-general to this so that the more sysadmin folks that do > Reproducible Builds (Holger, Mattia, Vagrant, etc.) are definitely > aware of it. I cannot help any further I'm afraid. > > ? > > > It appears I need Salsa account for this. Maybe later I will register. > > Please do so. It's a bit of a pain but I put together some hopefully > foolproof instructions for this here: > > https://reproducible-builds.org/contribute/salsa/ > > Let us know if you have suggestions if they could be improved. > > > Best wishes, > > -- > o > ? ? Chris Lamb > o o reproducible-builds.org ? > ? ? > o > _______________________________________________ > diffoscope mailing list > > To change your subscription options, visit > https://lists.reproducible-builds.org/listinfo/diffoscope. > > To unsubscribe, send an email to > diffoscope-unsubscribe at lists.reproducible-builds.org. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From holger at layer-acht.org Tue Aug 4 11:33:22 2020 From: holger at layer-acht.org (Holger Levsen) Date: Tue, 4 Aug 2020 11:33:22 +0000 Subject: [diffoscope] diffoscope.org not resolving (was: "Re: Command `unsquashfs -n -f -no -li -d . a/yakshaveinc_73.snap` failed") In-Reply-To: References: <9ef9bb70-0882-438e-bf77-4887cfb1b464@www.fastmail.com> Message-ID: <20200804113322.GA29817@layer-acht.org> Hi, On Mon, Aug 03, 2020 at 08:47:59PM +0200, Mattia Rizzolo wrote: > Afaik only Holger has access to the DNS management interface (including > payments, renewal, etc) at Gandi. not according to the Gandi (I just logged in and checked) and 'whois diffoscope.org' returns NS1.POTAGER.ORG as nameserver, thus I will mail the potager.org folks now. -- cheers, Holger ------------------------------------------------------------------------------- holger@(debian|reproducible-builds|layer-acht).org PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From holger at layer-acht.org Tue Aug 4 12:05:36 2020 From: holger at layer-acht.org (Holger Levsen) Date: Tue, 4 Aug 2020 12:05:36 +0000 Subject: [diffoscope] diffoscope.org not resolving (was: "Re: Command `unsquashfs -n -f -no -li -d . a/yakshaveinc_73.snap` failed") In-Reply-To: References: <9ef9bb70-0882-438e-bf77-4887cfb1b464@www.fastmail.com> Message-ID: <20200804120536.GB31143@layer-acht.org> On Mon, Aug 03, 2020 at 07:12:06PM +0300, Anatoli Babenia wrote: > As for the DNS issue, it looks like the domain expired. thankfully this has been fixed by Lunar now. -- cheers, Holger ------------------------------------------------------------------------------- holger@(debian|reproducible-builds|layer-acht).org PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From chris at reproducible-builds.org Thu Aug 6 14:52:31 2020 From: chris at reproducible-builds.org (Chris Lamb) Date: Thu, 6 Aug 2020 10:52:31 -0400 (EDT) Subject: Please review the draft for July's report Message-ID: <159672551720.2697252.14371979042246937759@tinycat.chris-lamb.co.uk> Hi all, Please review the draft for July's Reproducible Builds report: https://reproducible-builds.org/reports/2020-07/?draft ??? or, via the Git repository itself: https://salsa.debian.org/reproducible-builds/reproducible-website/blob/master/_reports/2020-07.md I intend to publish it no earlier than: $ date -d 'Sat, 08 Aug 2020 16:00:00 +0100' https://time.is/compare/1600_08_Aug_2020_in_BST ?? Please feel free and commit/push to drafts without the overhead of sending patches or merge requests. You should make your changes to the "_reports/2020-07.md" file in the "reproducible-website" repository: $ git clone https://salsa.debian.org/reproducible-builds/reproducible-website $ cd reproducible-website $ sensible-editor _reports/2020-07.md I am happy to reword and/or rework additions prior to publishing. If you currently do not have access to the above repository, you can request access by following the instructions at: https://reproducible-builds.org/contribute/salsa/ Regards, -- o ??? ??? Chris Lamb o o reproducible-builds.org ???? ??? ??? o From chris at reproducible-builds.org Fri Aug 7 11:26:22 2020 From: chris at reproducible-builds.org (Chris Lamb) Date: Fri, 07 Aug 2020 12:26:22 +0100 Subject: =?UTF-8?Q?diffoscope_155_released_=F0=9F=92=A0?= Message-ID: <159679936386.3075470.1170305396666456722@tinycat.chris-lamb.co.uk> Hi, The diffoscope maintainers are pleased to announce the release of version 155 of diffoscope. diffoscope tries to get to the bottom of what makes files or directories different. It will recursively unpack archives of many kinds and transform various binary formats into more human-readable form to compare them. It can compare two tarballs, ISO images, or PDF just as easily. Version 155 includes the following changes: [ Chris Lamb ] * Bump Python requirement from 3.6 to 3.7 - most distributions are either shipping3.5 or 3.7, so supporting 3.6 is not somewhat unnecessary and also more difficult to test locally. * Improvements to setup.py: - Apply the Black source code reformatter. - Add some URLs for the site of PyPI.org. - Update "author" and author email. * Explicitly support Python 3.8. [ Frazer Clews ] * Move away from the deprecated logger.warn method logger.warning. [ Mattia Rizzolo ] * Document ("classify") on PyPI that this project works with Python 3.8. ## Download Version 155 is available from Debian unstable as well as PyPI, and will shortly be available on other platforms surely. More details can be found here: https://diffoscope.org/ ? but source tarballs may be located here: https://diffoscope.org/archive/ The corresponding Docker image may be run via (for example): $ docker run --rm -t -w $(pwd) -v $(pwd):$(pwd):ro \ registry.salsa.debian.org/reproducible-builds/diffoscope a b ## Contribute diffoscope is developed within the "Reproducible builds" effort. - Git repository https://salsa.debian.org/reproducible-builds/diffoscope - Docker image, eg. registry.salsa.debian.org/reproducible-builds/diffoscope https://salsa.debian.org/reproducible-builds/diffoscope - Issues and feature requests https://salsa.debian.org/reproducible-builds/diffoscope/issues - Contribution instructions (eg. to file an issue) https://reproducible-builds.org/contribute/salsa/ Regards, -- o ? ? Chris Lamb o o reproducible-builds.org ? ? ? o From jathanblackred at gmail.com Fri Aug 7 21:10:25 2020 From: jathanblackred at gmail.com (jathan) Date: Fri, 7 Aug 2020 16:10:25 -0500 Subject: To do tasks in Reproducible Builds Message-ID: <12f81fbf-36fc-5e33-48b4-5fa9ae79d3c3@gmail.com> Hi, I was visiting the Reproducible Builds websitesite and the Debian Salsa repo looking for some list of "To do tasks" in the team. Do we have something to view which tasks need to be done with priorities or how do you organise in that way please? Regards Jathan -- Por favor evita enviarme adjuntos en formato de word o powerpoint, si quieres saber porque lee esto: http://www.gnu.org/philosophy/no-word-attachments.es.html ?C?mbiate a GNU/Linux! http://getgnulinux.org/es -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From chris at reproducible-builds.org Sat Aug 8 15:56:33 2020 From: chris at reproducible-builds.org (Chris Lamb) Date: Sat, 08 Aug 2020 16:56:33 +0100 Subject: Please review the draft for July's report In-Reply-To: <159672551720.2697252.14371979042246937759@tinycat.chris-lamb.co.uk> References: <159672551720.2697252.14371979042246937759@tinycat.chris-lamb.co.uk> Message-ID: <49160267-ae04-4dfa-9974-48c93666ee57@www.fastmail.com> Chris Lamb wrote: > Please review the draft for July's Reproducible Builds report: This has now been published; many thanks to all who contributed. Please share the following URL: https://reproducible-builds.org/reports/2020-07/ Alternatively, if you are into that kind of thing, please consider retweeting: https://twitter.com/ReproBuilds/status/1292127275064930304 Regards, -- o ? ? Chris Lamb o o reproducible-builds.org ? ? ? o