Help us map the reproducible builds ecosystem
gunner at aspirationtech.org
Thu Aug 5 22:52:19 UTC 2021
On 8/5/21 8:18 AM, Santiago Torres-Arias wrote:
> I realized I went a little bit on the verbose side, I may have also
> weaved in a little bit "beyond" r-b, so apologies if I diverge too much.
>> On 8/2/21 10:20 AM, Santiago Torres Arias wrote:
>>> On Mon, Aug 02, 2021 at 09:42:16AM -0700, Allen Gunn wrote:
>>>> Thanks Santiago. Can you share what department or school at Purdue is
>>>> doing this work?
>>> Most definitely! It's my lab (TSEL) at Purdue's Electrical and Computer
>>> Engineering Department :)
>> Thanks for that. Might I ask if you all are working on making specific
>> code bases reproducible, building tools, exploring broader research
>> questions, or something else?
> Well, the short answer is all of the above. The longer answer would be:
> 1. I'm trying to borrow a page of the NYU course I helped prepare (along
> with the broader rb community) in involving students in open source
> (by e.g., finding reproducibility issues and fixing them).
Is there a link to that curriculum online, and in particular to any
> 2. I'm trying to build tools to improve the broader state of the
> software supply chain (this includes in-toto plus other stuff).
> I believe that R-B is a *crucial* part of supply
> chain security
Got it, super helpful.
Few drill-down questions here:
* Are you working from any formalized or machine-readable definition of
"supply chain"? Are there any "supply chain data formats"?
* Are there particular supply chains you are tracking?
* Do you (or anybody) maintain any "list of supply chains" in any
> 3. I'm also trying to address broader research questions around it, yes.
> Mainly, I'm trying to help map and monitor the state of the supply
> chain (there's plenty of people here that are working towards supply
> chain transparency). I'm hoping we can achieve this with, say,
> SigStore and many of the rebuilder orchestrators/workers out there.
Cool, thanks for that info.
> 4. For something else, I'm trying to participate in the community on a
> needs-first basis. That is, directing people to work on broader
> community tooling (e.g., the gsoc project for rebuilderd we are
> mentoring) as well as trying to develop ways to cohesively work with
> other OSS communities (e.g., python, ossrh?) and industry (E.g.,
> Google). I can't say much on this dept without feeling like I'm
> putting words in other people's mouths though...
Got it, all that info is much appreciated.
>>> I'm also trying to get other parts of the school to participate.
>> Are you missing any resources that would help you make the case?
> Well! In my experience the biggest challenge has been finding talent.
> I'm trying to get full time developers to work on this, as well as grad
> students (or otherwise). Unfortunately, I think the pandemic ground
> many people's lives to a halt, and it'll take a little bit until things
> start moving again. I personally think that visibility (of my lab's and
> the school's efforts) would go a long way in attracting new talent...
That all makes sense. Do you think there are any differentiating skills
or knowledge that make a developer better suited for RB work? Is
"skill dev" enough?
> Fortunately for me, I work in a university! Developing talent is *also*
> part of my job.
I've been in that line of business :)
> I'm developing a course here at Purdue, and one
> module in it is exactly about reproducibility of their builds (so much,
> so as to require a diffoscope output of their build in the deliverable).
> As far as I'm aware, this is also the first course to cover topics like
> Software Bills of Materials :)
> Lastly, yes I want to involve other parts of the school in the r-b
> aspect. I think the most immediate part of it is involving Purdue's
> RCODI, which is quite involved in open source and has a large
> following. Part of what I'm hoping is to involve r-b within IronHacks in
> the foreseeable future: so as to encourage a hackathon on finding and
> cataloging reproducibility issues. This last part is still yet to be
> refined, but I'm really hoping to come back with good news in the
> short-term :)
> On the longer term, I want to be able to involve the CS department, and
> perhaps some of the people involved in the Law minor.
> All in all I'm new around here @ Purdue (I turned one year around here
> this week!), but I'm super excited of how receptive everybody is about
> working towards a multi-pronged approach at fixing the problem :)
Thanks for all your leadership and all you are doing to stoke the
>  https://engineering.purdue.edu/ECE/Academics/Undergraduates/UGO/CourseInfo/courseInfo?courseid=783&show=true&type=undergrad
>  https://rcodi.org/
>> Allen Gunn
>> Executive Director, Aspiration
>> Aspiration: "Better Tools for a Better World"
>> Read our Manifesto: https://aspirationtech.org/publications/manifesto
>> Twitter: www.twitter.com/aspirationtech
Executive Director, Aspiration
Aspiration: "Better Tools for a Better World"
Read our Manifesto: https://aspirationtech.org/publications/manifesto