Arguing about source inputs (Was: Irregular status update about reproducible Debian live ISO images)

Matthew Suozzo msuozzo at google.com
Fri Mar 28 18:59:08 UTC 2025


On Fri, Mar 28, 2025 at 2:55 PM kpcyrd <kpcyrd at archlinux.org> wrote:

> On 3/28/25 7:18 AM, Marc Haber wrote:
> > I think that Debian should not let itself be pulled into that argument
> > twice a month.
>
> +1 (although I can't find the other discussion in the mailing list
> archive).
>
> > If we did remove that firmware from our live images that would
> > cause especially new users to shrug it off like "oh, Debian doesn't
> > work" and move on to an even less free operating system.
>
> A very long time ago when I switched from Windows to Debian as my first
> Linux distro I also had the "why is my wifi not working"-experience (and
> hated it, as this was my only computer because I was too poor to afford
> a second one I could experiment with, and phones weren't what they are
> these days).
>
> > I move that Debian classifies such crossfire from the FSF, Trisquel etc
> > as trolling and not discuss that any more. We just had that argument two
> > weeks ago for the most recent time. It is a waste of time. We are never
> > going to do everything right from the FSF's point of view.
>
> Since this is posted on a list that is mostly used for supply-chain
> security discussion, I think it's unfortunate how blobs are singled out
> as "this build input is difficult to review because it's not human
> readable", yet xz has shown we aren't really reviewing human readable
> build inputs either (or at least we aren't successful and too easily
> clowned by our own tools).
>

Might be worth highlighting that the xz exploit payload was embedded in a
checked-in binary blob (test file). Not sure I'd consider those "human
readable" inputs.


>
> There's whatsrc that attempts to keep track of what those build inputs
> are (and trying to establish identifiers), in the Rust ecosystem there's
> cargo-crev that's tracking who has read/reviewed which source code
> (instead of just blogging about findings and staying silent about
> everything else), but there are not enough people doing reviews[0] and
> that's about it.
>
> [0]: https://web.crev.dev/rust-reviews/reviewers/
>
> I wish we were in the timeline of binary blobs being the actual problem
> instead of there not being enough interest/incentives to review build
> inputs.
>
> (I obviously still believe connecting binaries to source code with
> reproducible builds as much as possible is useful).
>
> > Just curious, do Ubuntu and Mint get the same amount of "it's not free!"
> > whining as Debian does?
>
> Arch Linux doesn't, but maybe it's because having discord in the package
> repositories is great for managing expectations. People usually
> appreciate our great hardware support.
>
> cheers,
> kpcyrd
>
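Matthew's point above, that the xz payload lived in a checked-in binary test file, raises the practical question of how a reviewer even enumerates the build inputs that cannot be read. The following is an added example, not code from this thread, from Debian, or from the xz project: it walks a source tree, applies the same heuristic git uses to call a file binary (a NUL byte among the first 8000 bytes), and scores each binary file's byte entropy so that compressed or encrypted payloads stand out from structured binaries a reviewer can still open and inspect. The sample tree, its file names and contents, and the 7.0 bits/byte "opaque" threshold are constructed assumptions for the demonstration.

```python
"""Added example (not from the thread, Debian, or the xz project):
enumerate the checked-in build inputs that are not human readable.

Two signals per file:
  * git's own text/binary heuristic: a NUL byte in the first 8000 bytes;
  * Shannon entropy of the bytes, so compressed or encrypted blobs
    (close to 8 bits/byte) stand out from structured binaries (icons,
    fixtures with long zero runs) that a reviewer can still inspect.
"""
import lzma
import math
import os
import random
import tempfile
from collections import Counter

GIT_SAMPLE_BYTES = 8000   # git's buffer_is_binary() inspects this many leading bytes
OPAQUE_THRESHOLD = 7.0    # bits/byte; assumption: above this, treat content as opaque


def is_binary(data: bytes) -> bool:
    """Mirror git's heuristic: a NUL among the first 8000 bytes means binary."""
    return b"\x00" in data[:GIT_SAMPLE_BYTES]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, threshold: float = OPAQUE_THRESHOLD) -> list:
    """Report every binary file under `root` with size, entropy and an
    'opaque' flag; text files are left to ordinary code review."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if not is_binary(data):
                continue
            ent = shannon_entropy(data)
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": len(data),
                "entropy": round(ent, 2),
                "opaque": ent >= threshold,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root: str) -> None:
    """Constructed sample tree (names and contents are made up for this demo):
    two text sources, one compressed fixture, one structured binary fixture."""
    os.makedirs(os.path.join(root, "src"))
    os.makedirs(os.path.join(root, "tests", "files"))
    with open(os.path.join(root, "configure.ac"), "w") as fh:
        fh.write("AC_INIT([demo], [1.0])\n")
    with open(os.path.join(root, "src", "main.c"), "w") as fh:
        fh.write("int main(void) { return 0; }\n")
    rng = random.Random(20250328)  # fixed seed: deterministic incompressible payload
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    with open(os.path.join(root, "tests", "files", "sample.xz"), "wb") as fh:
        fh.write(lzma.compress(payload))          # opaque: ~8 bits/byte
    with open(os.path.join(root, "tests", "files", "blank.bmp"), "wb") as fh:
        fh.write(b"BM" + b"\x00" * 4096)          # binary, but not opaque


def demo() -> list:
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        flag = "OPAQUE " if f["opaque"] else "binary "
        print(f"{flag}{f['entropy']:5.2f} bits/B {f['size']:7d} B  {f['path']}")
```

Run over a real checkout, the resulting list is the inventory of inputs that cannot be reviewed by reading them; the "opaque" entries (anything the build or test suite consumes that sits near 8 bits/byte) are the ones worth pairing with the provenance and review-tracking tools kpcyrd mentions, since reproducible builds tie a binary back to these inputs but say nothing about what the inputs contain.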