Help us map the reproducible builds ecosystem

Santiago Torres-Arias santiago at
Thu Aug 5 15:18:39 UTC 2021


I realized I went a little bit on the verbose side, I may have also
weaved in a little bit "beyond" r-b, so apologies if I diverge too much.

> On 8/2/21 10:20 AM, Santiago Torres Arias wrote:
> > On Mon, Aug 02, 2021 at 09:42:16AM -0700, Allen Gunn wrote:
> >> Thanks Santiago. Can you share what department or school at Purdue is
> >> doing this work?
> > 
> > Most definitely! It's my lab (TSEL) at Purdue's Electrical and Computer
> > Engineering Department :)
> Thanks for that. Might I ask if you all are working on making specific
> code bases reproducible, building tools, exploring broader research
> questions, or something else?

Well, the short answer is all of the above. The longer answer would be:

1. I'm trying to borrow a page of the NYU course I helped prepare (along
    with the broader rb community) in involving students in open source
    (by e.g., finding reproducibility issues and fixing them).

2. I'm trying to build tools to improve the broader state of the
    software supply chain (this includes in-toto plus other stuff).
    I believe that R-B is a *crucial*  part of supply
    chain security

3. I'm also trying to address broader research questions around it, yes.
    Mainly, I'm trying to help map and monitor the state of the supply
    chain (there's plenty of people here that are working towards supply
    chain transparency). I'm hoping we can achieve this with, say,
    SigStore and many of the rebuilder orchestrators/workers out there.

4. For something else, I'm trying to participate in the community on a
    needs-first basis. That is, directing people to work on broader
    community tooling (e.g., the gsoc project for rebuilderd we are
    mentoring) as well as trying to develop ways to cohesively work with
    other OSS communities (e.g., python, ossrh?) and industry (E.g.,
    Google). I can't say much on this dept without feeling like I'm
    putting words on other people's mouths though...

> > I'm also trying to get other parts of the school to participate.
> Are you missing any resources that would help you make the case?

Well! In my experience the biggest challenge has been finding talent.
I'm trying to get full time developers to work on this, as well as grad
students (or otherwise). Unfortunately, I  think the pandemic ground
many people's lives to a halt, and it'll take a little bit until things
start moving again. I personally think that visibility (of my lab's and
the school's efforts) would go a long way in attracting new talent...

Fortunately for me, I work in an university! Developing talent is *also*
part of my job. I'm developing a course here at Purdue[1], and one
module in it is exactly about reproducibility of their builds (so much,
so as to require a diffoscope output of their build in the deliverable).
As far as I'm aware, this is also the first course to cover topics like
Software Bills of Materials :)

Lastly, yes I want to involve other parts of the school in the r-b
aspect. I think the most immediate part of it is involving Purdue's
RCODI[2], which is quite involved in open source and has a large
following. Part of what I'm hoping is to involve r-b within IronHacks in
the forseeable future: so as to encourage a hackathon on finding and
cataloging reproducibility issues. This last part is still yet to be
refined, but I'm really hoping to come back with good news in the
short-term :)

On the longer term, I want to be able to involve the CS department, and
perhaps some of the people involved in the Law minor.

All in all I'm new around here @ Purdue (I turned one year around here
this week!), but I'm super excited of how receptive everybody is about
working towards a multi-pronged approach at fixing the problem :)


> peace,
> gunner
> > 
> > Cheers!
> > -Santiago
> > 
> -- 
> Allen Gunn
> Executive Director, Aspiration
> Aspiration: "Better Tools for a Better World"
> Read our Manifesto:
> Twitter:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the rb-general mailing list