Help us map the reproducible builds ecosystem

Allen Gunn gunner at aspirationtech.org
Thu Aug 5 22:52:19 UTC 2021 

Hello,

On 8/5/21 8:18 AM, Santiago Torres-Arias wrote:
> Hi! 
> 
> I realized I went a little bit on the verbose side, I may have also
> weaved in a little bit "beyond" r-b, so apologies if I diverge too much.

Much appreciated...
> 
>> On 8/2/21 10:20 AM, Santiago Torres Arias wrote:
>>> On Mon, Aug 02, 2021 at 09:42:16AM -0700, Allen Gunn wrote:
>>>> Thanks Santiago. Can you share what department or school at Purdue is
>>>> doing this work?
>>>
>>> Most definitely! It's my lab (TSEL) at Purdue's Electrical and Computer
>>> Engineering Department :)
>>
>> Thanks for that. Might I ask if you all are working on making specific
>> code bases reproducible, building tools, exploring broader research
>> questions, or something else?
> 
> Well, the short answer is all of the above. The longer answer would be:
> 
> 1. I'm trying to borrow a page of the NYU course I helped prepare (along
>     with the broader rb community) in involving students in open source
>     (by e.g., finding reproducibility issues and fixing them).

Is there a link to that curriculum online, and in particular to any
rb-relevant curricula?

> 2. I'm trying to build tools to improve the broader state of the
>     software supply chain (this includes in-toto plus other stuff).
>     I believe that R-B is a *crucial*  part of supply
>     chain security

Got it, super helpful.

Few drill-down questions here:

* Are you working from any formalized or machine-readable definition of
"supply chain"? Are there any "supply chain data formats"?

* Are there particular supply chains you are tracking?

* Do you (or anybody) maintain any "list of supply chains" in any
reference context?

> 3. I'm also trying to address broader research questions around it, yes.
>     Mainly, I'm trying to help map and monitor the state of the supply
>     chain (there's plenty of people here that are working towards supply
>     chain transparency). I'm hoping we can achieve this with, say,
>     SigStore and many of the rebuilder orchestrators/workers out there.

Cool, thanks for that info.

> 4. For something else, I'm trying to participate in the community on a
>     needs-first basis. That is, directing people to work on broader
>     community tooling (e.g., the gsoc project for rebuilderd we are
>     mentoring) as well as trying to develop ways to cohesively work with
>     other OSS communities (e.g., python, ossrh?) and industry (E.g.,
>     Google). I can't say much on this dept without feeling like I'm
>     putting words on other people's mouths though...

Got it, all that info is much appreciated.

>>> I'm also trying to get other parts of the school to participate.
>>
>> Are you missing any resources that would help you make the case?
> 
> Well! In my experience the biggest challenge has been finding talent.
> I'm trying to get full time developers to work on this, as well as grad
> students (or otherwise). Unfortunately, I  think the pandemic ground
> many people's lives to a halt, and it'll take a little bit until things
> start moving again. I personally think that visibility (of my lab's and
> the school's efforts) would go a long way in attracting new talent...

That all makes sense. Do you think there are any differentiating skills
or knowledge that make a developer better suited for RB work? Is is
"skill dev" enough?

> Fortunately for me, I work in an university! Developing talent is *also*
> part of my job.

I've been in that line of business :)

> I'm developing a course here at Purdue[1], and one
> module in it is exactly about reproducibility of their builds (so much,
> so as to require a diffoscope output of their build in the deliverable).

Nice.

> As far as I'm aware, this is also the first course to cover topics like
> Software Bills of Materials :)

Very cool.

> Lastly, yes I want to involve other parts of the school in the r-b
> aspect. I think the most immediate part of it is involving Purdue's
> RCODI[2], which is quite involved in open source and has a large
> following. Part of what I'm hoping is to involve r-b within IronHacks in
> the forseeable future: so as to encourage a hackathon on finding and
> cataloging reproducibility issues. This last part is still yet to be
> refined, but I'm really hoping to come back with good news in the
> short-term :)

Great.

> On the longer term, I want to be able to involve the CS department, and
> perhaps some of the people involved in the Law minor.

Also great.

> All in all I'm new around here @ Purdue (I turned one year around here
> this week!), but I'm super excited of how receptive everybody is about
> working towards a multi-pronged approach at fixing the problem :)

Thanks for alll your leadership and all you are doing to stoke the
ecosystem!
peace,
gunner

> 
> 
> [1] https://engineering.purdue.edu/ECE/Academics/Undergraduates/UGO/CourseInfo/courseInfo?courseid=783&show=true&type=undergrad
> [2] https://rcodi.org/
> 
>>
>> peace,
>> gunner
>>
>>>
>>> Cheers!
>>> -Santiago
>>>
>>
>> -- 
>>
>> Allen Gunn
>> Executive Director, Aspiration
>> www.aspirationtech.org
>>
>> Aspiration: "Better Tools for a Better World"
>>
>> Read our Manifesto: https://aspirationtech.org/publications/manifesto
>>
>> Twitter:  www.twitter.com/aspirationtech

-- 

Allen Gunn
Executive Director, Aspiration
www.aspirationtech.org

Aspiration: "Better Tools for a Better World"

Read our Manifesto: https://aspirationtech.org/publications/manifesto

Twitter:  www.twitter.com/aspirationtech

More information about the rb-general mailing list