#reproducible-builds log

16:01:00 <vagrantc> #startmeeting
16:01:00 <MeetBot> Meeting started Tue Jun 19 16:01:00 2018 UTC.  The chair is vagrantc. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:01:00 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
16:01:12 <vagrantc> #topic hello
16:01:30 <vagrantc> if folks could say a little hello so we know who's here
16:01:38 * yashsriv is here
16:01:42 * sangy waves
16:02:33 <vagrantc> let's wait a minute or two, see if others can show up
16:02:41 <jelle> o/
16:05:40 <vagrantc> alright, i'm guessing that's it!
16:05:51 * sangy shrugs
16:05:59 <vagrantc> lamby marked themselves in apologies, so i'm guessing won't make it
16:06:30 <vagrantc> a meeting reminder via email 2-3 days in advance is kind of key, sorry i didn't think of it
16:06:46 <sangy> I kinda rushed it, because I wanted to get back to them sooner rather than later.
16:06:55 <vagrantc> #topic progress on debian rebuilder
16:07:07 <sangy> yashsriv: this is you :)
16:07:08 <yashsriv> hi
16:07:10 <vagrantc> yashsriv: you have the mic!
16:07:48 <yashsriv> so the script I was working on is nearing completion. It manages to take a buildinfo file as input and then perform the complete build
16:08:11 <vagrantc> any links to it?
16:08:24 <yashsriv> https://salsa.debian.org/yashsriv-guest/debian-rebuilder-setup/blob/integrate-srebuild/builder/srebuild
16:08:51 <vagrantc> #link https://salsa.debian.org/yashsriv-guest/debian-rebuilder-setup/blob/integrate-srebuild/builder/srebuild
16:09:13 <mapreri> o/
16:09:18 <sangy> I think the idea with this is that any interested orgs can use this ansible playbooks to deploy a re-builder and attest for its reproducibility.
16:09:19 <mapreri> (sorry for the late arrival)
16:09:20 <sangy> mapreri: o/
16:09:40 <sangy> on our side, NYU will deploy a rebuilder and sign any artifacts it reproduces :)
16:09:47 <vagrantc> very cool
16:10:21 <yashsriv> So the builder was the very first step. The next step is setting up a scheduler to schedule these builds from time to time and an interface for exposing the end results
16:11:02 <jelle> no meetbot?
16:11:04 <mapreri> yashsriv: do you think it would be trivial enough to have it run pbuilder instead?
16:11:07 <sangy> jelle: ye there is
16:11:39 <jelle> oh lol, I'm blind sorry.
16:11:56 <yashsriv> If pbuilder supports prebuild hooks, then should be trivial enough. I had looked into both but then theses scripts already existed so I got biased.
16:12:34 <vagrantc> it might be good to have the infrastructure reproducing builds in the archive using sbuild, since this is more similar to the official buildd machines
16:12:49 <mapreri> yashsriv: pbuilder supports many more hooks than sbuild, afaik :)  https://manpages.debian.org/stretch/pbuilder/pbuilder.8.en.html grep for --hookdir
16:12:58 <vagrantc> as well as getting the other main tool used to build packages working with sbuild
16:12:58 <mapreri> but yes, also that
16:13:31 <mapreri> can somebody remind me where's the agenda?
16:13:39 <sangy> https://pad.riseup.net/p/reproducible-irc-meeting-12
16:13:41 <sangy> mapreri: ^
16:13:45 <mapreri> ta
16:13:54 <yashsriv> regarding  the scheduler, I had a doubt. The buildd servers can be used to schedule for every new package entering if I'm not wrong.
16:14:17 <yashsriv> *information from buildd
16:14:17 <mapreri> define "build servers" there
16:14:52 <vagrantc> yashsriv: you might need to wait till things land in the archive
16:15:26 <vagrantc> yashsriv: as well as we still don't have the actual .buildinfo content exposed anywhere
16:15:33 <vagrantc> anywhere public
16:15:48 <yashsriv> http://buildinfo.debian.net ??
16:15:57 <vagrantc> the official builds aren't published there
16:16:19 <mapreri> (yet, there is an open bug somewhere)
16:16:30 <vagrantc> sure, we'd like to fix that, of course
16:17:01 <sangy> and yeah, keyword "yet". I'm assuming using buildinfo.debian.net for testing/development is correct?
16:17:01 <vagrantc> yashsriv: i wouldn't block your work on that part just yet
16:17:21 <mapreri> sangy: I'd say so, yes
16:17:30 <vagrantc> sure, for testing the infrastructure, buildinfo.debian.net should work for now
16:17:50 <mapreri> hell, the very goal of buildinfo.d.n was to expirement in a thing sharing proof of builds (i.e. the .buildinfo) :)
16:18:19 <yashsriv> does buildinfo.d.n have a machine readable interface as well?
16:18:22 <vagrantc> #link https://bugs.debian.org/763822
16:18:25 <sangy> so what I was thinking about is that these buildinfo files get pushed out, and they get pulled by (e.g., NYU) to schedule a rebuild locally. Finally they'd push their own buildinfo (and signed metadata)
16:18:33 <vagrantc> yashsriv: yes
16:18:38 <mapreri> yashsriv: it has a fair api, yes
16:19:00 <vagrantc> #link https://bugs.debian.org/862073
16:19:03 <jelle> I was thinking for arch of rebuilding based on a package (pkg.tar.xz) the .deb equivalent
16:19:13 <mapreri> well
16:19:31 <vagrantc> yashsriv: and if the API is missing anything you need, lamby is generally responsive to bug reports
16:19:35 <sangy> jelle: I think that can happen with arch, since the .BUILDINFO is packaged in the .tar.xz
16:20:03 <jelle> sangy: but we can also start publishiing the BUILDINFO, since it contains pkgname, pkgbase and pkgver and pkgarch
16:20:15 <mapreri> yashsriv: the /api/ endpoint only has the submission thing, but there are other urls to get .buildinfo quite programatically.  agian, expanding it is not a issue.
16:20:30 <sangy> jelle: well that'd be nice. We don't have a working archive yet though. (do we want to add that as a meeting topic? :P)
16:20:46 <yashsriv> perfect. So now what should we aim to expose once we got something built? As someone mentioned yesterday, BUILDINFO files aren't necessarily exactly the same
16:20:58 <jelle> sangy: the upside of using a .tar.xz is that we can verify it though. So does debian plan to sign these BUILDINFO files?
16:21:04 <yashsriv> so we'd probably need to expose the SHA sums of the end products?
16:21:30 <sangy> yashsriv: I'm biased, but in-toto link metadata would tie things very nicely in this case
16:21:31 <vagrantc> jelle: buildinfo files should always be signed
16:21:40 <jelle> ok :)
16:22:31 <mapreri> yashsriv: I'd just POST your signed buildinfo to buildinfo.d.n and have it deal with the next steps
16:22:47 <mapreri> buildinfo.d.n already has a concept of "reproducible" and "unreproducible", although sometimes not perfect
16:24:04 <sangy> well, I guess that settles it? action point -> try to integrate with pbuilder for scheduling etc?
16:24:10 <vagrantc> the main problem being is it has know way to know which .buildinfo's should reasonably know which other .buildinfo files should be compared for reproducibility
16:24:43 <vagrantc> sangy: wait ... where did that come from? :)
16:24:46 <mapreri> sangy: integrate with pbuilder was more so like I can use it without learning another tool :3  but from what I saw of that script it shouldn't be hard to do at all
16:25:01 <sangy> oh ok ok :P
16:25:05 <mapreri> adding a scheduler, well… that's another point.
16:25:06 <sangy> vagrantc: from there
16:25:33 <vagrantc> the intention of this is something entirely independent from jenkins.debian.net ?
16:25:38 <sangy> vagrantc: re: how to know which .buildinfo files to correlate. I *do* ferviently believe that in-toto link metadata would make it easier
16:25:42 <vagrantc> er, tests.reproducible-builds.org
16:25:55 <sangy> vagrantc: that's what h0lger intended, yes. As it'd be more lightweight and one-click-deployment for interersted organizations
16:26:10 <vagrantc> yeah, i think this came out of discussions at the last summit
16:26:18 <mapreri> tbh, I've been hacking around the t.r-b.o infra in the recent past, I feel like I'm near enough to make it less jenkins-y and more non-debian-friendly, which could easily include integrate it with the rebuilder.  Alas, not so easy this last part.
16:27:19 <vagrantc> while i see the advantages of everything all being in one place, i think it's best to not have to integrate everything in one place to experiment with a few different methods
16:27:23 <mapreri> but if it lives by itself, it can always be plugged in anywhere, so :)
16:27:38 <mapreri> ack
16:27:45 <vagrantc> especially at this point
16:27:58 <vagrantc> so i like the idea of something lightweight and "simple" :)
16:28:42 <vagrantc> so, do we have any actionable items for this topic? any further things that need discussion?
16:29:11 <sangy> jelle: did you want to bring up the arch-archive stuff or hosting the buildinfo's somewhere?
16:29:17 <vagrantc> jelle: and did you want to add some talk of an archlinux rebuilder as a separate agenda item, or did you get enough from the discussion so far?
16:30:32 <jelle> vagrantc: we can discuss the arch one, so far the 'my plan' is to make users able to verify packages
16:30:56 * mapreri has to go afk, sorry for leaving unexpectedly!
16:30:58 <vagrantc> shall we move on to that as a topic?
16:31:05 <jelle> sure
16:31:17 <vagrantc> #topic verifying archlinux packages
16:31:34 <sangy> jelle: there was a plan to have .BUILDINFO files be hosted on archweb no?
16:31:48 <vagrantc> also, if anyone has any additional items for the agenda, just let me know, we've got very little scheduled on the agenda
16:32:23 <jelle> might be good to give a little status update, we now can create reproducible packages with the latest released pacman. This also includes an updated BUILDINFO file. We have worked on creating a script to not remove packages which are mentioned in a BUILDINFO file in our repo, since our archive doesn't have infinite space.
16:32:34 <jelle> This has led to a rebuild of old packages without BUILDINFO files!
16:32:58 <jelle> sangy: we could do that, but archweb would provide BUILDINFO files unsigned, which then might defeat the point?
16:33:19 <sangy> jelle: I don't see why can't the developer sign the buildinfo files?
16:34:26 <jelle> sangy: well, archweb would read updated .pkg.tar.xz's and extract BUILDINFO files
16:34:55 <sangy> right, which could be signed by develoeprs
16:35:02 <vagrantc> the ideal for .buildinfo files is that multiple independent parties sign separate .buildinfo files which can then be used to corroborate each other
16:36:01 <jelle> hmmmm
16:36:30 <vagrantc> (or raise questions about the results, if they don't match)
16:36:38 <jelle> hehe
16:37:14 <sangy> jelle: so is the reason they aren't being signed right now is becuase they are embedded in the .tar.xz which is signed?
16:37:39 <jelle> sangy: yes, well and they aren't separate files only included in our packages
16:38:02 <jelle> on archlinux.org we could extract them and put them on our website, but then they aren't signed.
16:38:06 <vagrantc> jelle: the .pkg.tar.xz includes what, typically? (sorry for my arch ignorance)
16:38:27 <jelle> vagrantc: the actualy package data, an some metadata
16:38:46 <sangy> vagrantc: the pkg itself (data), a .SRCINFO file and an .MTREE file, now there's a .BUILDINFO file too
16:39:08 <sangy> (not so sure about the .SRCINFO actually)
16:39:27 <vagrantc> hm. embedding the .buildinfo means you actually have to extract the archive to verify the checksums on the rest of it, then?
16:39:50 <sangy> yes
16:40:16 <sangy> the argument for that is that you want to check against it anyway
16:40:54 <vagrantc> makes bit-for-bit reproducibility of the .pkg.tar.xz basically impossible...
16:41:36 <vagrantc> on the plus side, you can actually distribute the .buildinfo that you're actually using for that particular build trivially
16:42:52 <vagrantc> or rather, the .buildinfo used to produce the rest of the .pkg.tar.xz
16:43:58 <jelle> yup
16:44:03 <vagrantc> so, you could distribute third-party .buildinfo files through some other out-of-band mechanism, which are signed
16:44:31 <sangy> that'd be ideal. And having the original buildinfo signed by the packager would also be good
16:44:33 <jelle> vagrantc: yup that is still possible
16:44:46 <raboof[m]> (late 'hello' ;) )
16:44:53 <jelle> btw, we could change our upload process, that just requires more work :)
16:45:08 <jelle> personally I think it might be a bit strange to put it unsigned on our website.
16:45:22 <vagrantc> yeah, i wouldn't bother extracting an unsigned .buildinfo
16:45:32 <sangy> jelle: I still don't see why can't we sign it before putting it in the .tar.xz for the time being
16:45:56 <vagrantc> do the uploaders upload source-only? or do they upload binaries?
16:45:57 <jelle> sangy: how would you reproduce it then ;-)
16:46:02 <jelle> vagrantc: we upload binaries
16:46:09 <vagrantc> oh.
16:46:15 <jelle> we sign the .pkg.tar.xz locally, sign it and upload it
16:46:20 <vagrantc> then they *definitely* should sign them! :)
16:46:56 <jelle> well yeah it can be done, just requires changes and extracting them from the .pkg.tar.xz :)
16:47:47 <sangy> jelle: I'm down for working on that, but I have a lot in my plate right now :S. Any updates on the archive?
16:48:04 <jelle> my focus right now, is getting a script together so users can reproduce based on a .pkg.tar.xz and then later we can start thinking about publishing :)
16:48:33 <sangy> yeah, I think without archive we can't really reproduce anything :P
16:48:36 <jelle> sangy: ah, yes, our archive needs fixing, since now we archive once a day and might miss packages depending on a package which was updated in that timeslot. So twice on the same day.
16:48:46 <jelle> sangy: well we have the archive, just one small issue.
16:49:47 <sangy> ack, nice :)
16:50:21 <jelle> anthraxx: created a script to remove old packages which are not referenced in any of our repo packages
16:51:29 <jelle> if we want to re-produce every package we ever had in our repository we need more space :)
16:51:36 <sangy> yeah I remember the discussion about those spureous mylinuxkeyring packages
16:51:55 <sangy> and yeah :[
16:52:38 <jelle> yup, we also had packages with a BUILDINFO referencing packages which are not in our repo!!!!! This is still an issue which we need to resolve, basically disallowing such an upload
16:53:08 <sangy> right. I mean that's the nice thing about this, it catches stuff like this :)
16:54:11 <raboof[m]> I'm not too up to speed with the state of things, would that archive also be the place for third parties to upload their signed buildinfo files (for cross-checking)?
16:54:15 <sangy> well, so I don't know. I guess action point -> sign the .BUILDINFO? :D
16:54:31 <sangy> raboof[m]: no, I think that'd be another platform (similar to buildinfo.d.n)
16:54:54 <jelle> raboof[m]: no, it's an archive of our old packages required to reproduce the repository packages (since rolling release)
16:55:00 <raboof[m]> that sounds like a sensible thing to do in any case, looking at the above, yes
16:56:59 <vagrantc> due to time, maybe we've had enough on this topic for the meeting? can keep discussing later, of course :)
16:57:38 <jelle> sure!
16:57:56 <vagrantc> #topic next meeting
16:58:01 <raboof[m]> I might be up for collaborating on that repo for signed buildinfo files (either based on http://buildinfo.debian.net/ or a standalone thing) - though I have limited time as well :)
16:58:06 <vagrantc> so, so we have a date for the next meeting?
16:58:33 <vagrantc> and also, maybe someone to commit to sending reminder emails 2-3 days in advance?
16:58:45 <sangy> vagrantc: I can do that
16:59:07 <sangy> vagrantc: and should we schedule same tuesday a month from now? I'd like lamby and h01ger to be able to make it though...
17:00:11 <vagrantc> can't speak to their availability, but otherwise same time and day of week a month from now seems reasonable
17:01:04 <sangy> ok, should we set that date tentatively then?
17:01:22 <vagrantc> i think so, and leave it open for revolt :)
17:01:46 <sangy> then let's do Tuesday 17th of July on 16:00 UTC  :D
17:01:48 <vagrantc> looks like the 17th? 16UTC ?
17:02:06 <raboof[m]> perfect
17:02:44 <sangy> +1
17:02:52 <yashsriv> 👍
17:03:09 <vagrantc> #agreed tentative date for next meeting 17th of July, 16:00 UTC.
17:03:10 <sangy> I'll send the reminder on the 26th then. Possibly another one the week after
17:03:26 <vagrantc> #commit sangy to send reminders
17:03:54 <vagrantc> ok, thanks all!
17:03:56 <vagrantc> #endmeeting