16:04:46 <vagrantc> #startmeeting
16:04:46 <MeetBot> Meeting started Tue Jul 17 16:04:46 2018 UTC.  The chair is vagrantc. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:04:46 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
16:05:02 <vagrantc> everyone feel free to introduce themselves
16:05:48 <vagrantc> #topic roll call
16:06:00 <vagrantc> #topic roll call and agenda
16:06:07 <vagrantc> sparse agenda: https://pad.riseup.net/p/reproducible-irc-meeting-20180717-16UTC
16:06:20 * jelle waves
16:06:49 <sangy> yeah, rather sparse...
16:07:17 <vagrantc> 1) intros & absences 2) yashsriv: update on Debian Rebuilder 3) NYU repro-builds for application security (take 2?)
16:07:35 <vagrantc> lamby apologizes for not being present
16:07:57 <vagrantc> oh, and of course 4) any other business
16:08:09 <vagrantc> let's wait a few minutes to let people show up and then begin?
16:08:25 <sangy> sure
16:13:39 <vagrantc> ok
16:14:02 <vagrantc> #topic Debian Rebuilder
16:14:06 <vagrantc> yashsriv: you're on!
16:14:44 <yashsriv> hi.. so basically I had divided debian rebuilder into 3 modules..... a builder/rebuilder, a visualizer to expose info and a scheduler to schedule builds
16:15:15 <yashsriv> The first 2 are now complete with an ansible configuration for easy deployment. The whole thing is at https://salsa.debian.org/yashsriv-guest/debian-rebuilder-setup/tree/integrate-srebuild
16:15:42 <vagrantc> #link https://salsa.debian.org/yashsriv-guest/debian-rebuilder-setup/tree/integrate-srebuild
16:16:08 <sangy> yashsriv: pretty cool :)
16:17:06 <yashsriv> The TODO file gives a better idea of the current status. So basically what is left is just scheduling stuff
16:17:07 <vagrantc> sangy: nice!
16:17:48 <sangy> yashsriv: do you have anything sketched out on that side?
16:17:56 <vagrantc> yashsriv: have a pretty good idea where to take it, or do you need anything from the community at large?
16:18:15 <yashsriv> that is currently a little vague as there isn't anything in the current infrastructure which could help.
16:18:28 <yashsriv> I had discussed something regarding that with lamby after the last meeting
16:18:57 <yashsriv> ah yes: this issue - https://github.com/lamby/buildinfo.debian.net/issues/48
16:19:18 <yashsriv> So I'm thinking of working on this as well so that we could have something deployable
16:20:29 <vagrantc> using "since" might be a bit odd ... because if you have multiple rebuilders and they're all rebuilding and submitting the same most recent buildinfos ...
16:20:30 <sangy> that'd be nice. So ideally it'd be adding this api endpoint and then writing a very lightweight daemon polling every N minutes/hours/etc?
16:21:09 <yashsriv> vagrantc.. they'll be maintaining what they have already rebuilt / submitted, so they won't trigger builds again
16:21:44 <vagrantc> yashsriv: all of the independent third-party rebuilders?
16:21:44 <yashsriv> sangy: that's the idea
16:22:10 <yashsriv> ah.. as far as I know, nobody else uses buildinfo.debian.net for scheduling builds?
16:22:15 <vagrantc> e.g. you have, say 15 different organizations running rebuilders ...
16:22:52 <yashsriv> This configuration I have written works in a way such that even if 15 different organisations, run this same configuration - it would work
16:22:54 <vagrantc> the point of this project is to be able to easily set up an independent rebuilder ... so eventually they may be the majority of rebuilders
16:23:01 <sangy> vagrantc: each of them would have a local scheduler db I believe, and discard any buildinfo that belongs to an already-built package
16:23:19 <yashsriv> ^yeah this
16:23:24 <vagrantc> i'm just wondering if it wouldn't make more sense to rebuild the most stale builds
16:24:09 <sangy> vagrantc: I see your point. Probably having a different scheduling policy may be more interesting
16:24:20 <sangy> e.g., get the N packages that have been rebuilt the least
16:24:28 <vagrantc> at any rate, get something working before getting too bogged down in it :)
16:24:50 <vagrantc> but maybe note the idea of various different scheduling strategies
16:24:54 <sangy> vagrantc: yeah, we can probably play around with different scheduling strategies once the foundations are down
16:25:31 <vagrantc> on the other hand, rebuilding the most recent builds simplifies the likelihood of not needing to use snapshot.debian.org too much :)
16:26:17 <vagrantc> except if another rebuilder is making "recent" rebuilds of old packages... heh. :)
16:26:19 <sangy> ahh, took me a second to see why that was
16:27:05 <vagrantc> i guess using buildinfo.debian.net might be at mixed purposes to use as a data source for scheduling
16:27:48 <yashsriv> yeah.. so the thing with using buildd is that we need to wait for the packages to either arrive in sid / snapshot before initiating a rebuild and that isn't possible
16:28:00 <vagrantc> right
16:28:01 <sangy> well, we could schedule right from the apt repositories too...
16:28:10 <sangy> oh, TIL
16:28:30 <vagrantc> you can also use a combination of incoming.debian.org and the rest of the archive
16:29:47 <sangy> well, I wonder if we can make this scheduler lightweight enough so we can move from one datasource to another without much fuzz
16:29:53 <vagrantc> right
16:30:47 <sangy> yashsriv: well, so that sounds like a good goal :)
16:30:49 <vagrantc> also, is the goal to rebuild specific buildinfo files, or to rebuild what's in the archive?
16:31:18 <vagrantc> which i guess gets into data sources ...
16:31:20 <sangy> vagrantc: I think the goal is to rebuild everything and anything that can be rebuilt in there
16:32:05 <vagrantc> i think there's a way to query buildinfo.debian.net for a binary with a specific hash and find any matching .buildinfo files ...
16:32:24 <sangy> as in, there's an API endpoint for that already?
16:32:32 <vagrantc> so then, you could just use the hash of new packages in the archive to query for matching .buildinfo files, and try to rebuild them
16:32:43 <vagrantc> sangy: i *think* so ... i recall requesting it
16:33:17 <sangy> vagrantc: that sounds useful. Let's look into that too :)
16:33:29 <vagrantc> then again, since the .buildinfo files from the archive aren't yet publicly available ... hrm.
16:33:32 <sangy> either way, I think adding either of these API endpoints shouldn't be too hard to do, so we can take on that too
16:34:03 <sangy> sounds to me like it'd just be an orm operation on that flask/django/-ish looking app
16:34:08 <vagrantc> #link https://github.com/lamby/buildinfo.debian.net/issues/26
16:34:12 <vagrantc> by-hash ^^
16:35:05 <sangy> hmm, I see. I guess we can pick that up and see what's up. What do you think yashsriv ?
16:35:52 <vagrantc> any more on this topic?
16:36:07 <yashsriv> yeah let me look into incoming.debian.net - I wasn't aware of it and then we can discuss more later.
16:36:26 <vagrantc> incoming.debian.org
16:36:26 * yashsriv is satisfied
16:36:42 <vagrantc> we've landed plenty more on your plate for now :)
16:36:47 <sangy> lol yeah
16:37:13 <sangy> so something on this topic that I want to bring up. NYU will most likely host a rebuilder
16:37:13 <vagrantc> #topic NYU repro-builds for application security (take 2?)
16:37:41 <vagrantc> sangy: ah, did i change topic too soon?
16:37:52 <vagrantc> or is this a good segue? :)
16:37:54 <sangy> vagrantc: I think, but it's very minor
16:38:14 <sangy> I was just wondering if we'll have to have some process to enroll rebuilders or will it be open to everyone
16:38:37 <sangy> it's probably something we could discuss on the ML later down the line? (once we can deploy rebuilders, for instance)
16:38:58 <vagrantc> yeah, that sounds good for the mailing list once there's more specific rebuilder technology implemented :)
16:39:33 <vagrantc> sangy: was it you who brought the current topic?
16:39:36 <sangy> awesome, so let's continue with the topic at hand
16:39:38 <sangy> yep
16:40:00 <sangy> so, last year we did a series of reproducible builds sessions on NYU
16:40:35 <sangy> for the application security course. This time we'll have a seminar on "secure systems engineering", which adds more space to do work on projects like reprobuilds
16:40:47 <vagrantc> cool
16:40:53 <sangy> so, this is the syllabus https://docs.google.com/document/d/1KR_vj411j9ARNSmQByvJnr1796XxXL-Ln_SKAD2qVW8/edit?usp=sharing
16:41:35 <sangy> there's a calendar on the second page. We were thinking of devoting four weeks on finding and fixing reproducibility errors and whatnot like what we did last time
16:41:56 <vagrantc> four consecutive weeks?
16:42:17 <sangy> like last time, it'd be awesome if one or two people could drop by and talk about the project and how to fix repro bugs, etc.
16:42:41 <sangy> vagrantc: yeah. It's a seminar, so we are aiming at hands-on work, hopefully contributing to FOSS projects while at it
16:42:48 <vagrantc> nice
16:43:09 <sangy> :)
16:43:18 <vagrantc> sangy: if you proposed some potential dates on the mailing list, maybe you could get some specific people to commit
16:43:52 <sangy> vagrantc: yeah I think that's what I'll do. I was hoping there was more quorum on this so I could see if the dates on the syllabus worked. I'
16:43:57 <sangy> ll move it to the ML though :)
16:43:58 <vagrantc> right
16:44:18 <sangy> so, I think that's it for this topic...
16:44:33 <vagrantc> looking forward to seeing it develop
16:44:34 <vagrantc> :)
16:45:05 <vagrantc> also, if you could arrange some of those dates to piggyback around a conference that people might want to attend, as a general idea
16:45:19 <sangy> ah fair point. Let me check what's around
16:45:21 <vagrantc> it might make multiple incentives to show up
16:45:30 * sangy jumps on the lwn weekly update
16:45:42 <vagrantc> that was clumsy english, but hopefully you get the idea :)
16:46:00 <sangy> lol yeah I did
16:46:25 <sangy> ah it's too early to tell from the LWN list. I'll look around. Thanks for the tip :)
16:46:34 <vagrantc> the next topic is ...
16:46:39 <vagrantc> #topic any other business
16:46:58 <vagrantc> i don't have anything in particular ... any thoughts that sprung up for anyone during the meeting?
16:47:30 <sangy> hmm, I don't think so. Really looking forward to this rebuilder stuff!
16:47:47 <sangy> should we schedule a meeting a month from now?
16:47:48 <vagrantc> indeed ... part of making a theoretical project into a practical one!
16:48:11 <sangy> we can probably make these every other month, so as topics pile up and more people show up?
16:49:09 <vagrantc> 14th? 21st?
16:49:42 <vagrantc> seems like we'll actively need to add issues to make the meetings more enticing :)
16:49:57 <vagrantc> not sure if the time is good/bad or what
16:50:18 <sangy> yeah... I kinda feel we need something like this to keep updates going though >.<
16:51:02 <vagrantc> i was also thinking of if the email reminder cut-and-paste the list of topics from the official agenda ... e.g. https://link-to-agenda ... followed by "list of agenda items so far"
16:51:11 <sangy> any ideas on how to figure out a better date? probably at least accommodating more regulars would be a good idea
16:51:15 <vagrantc> it might encourage folks to add items if they want
16:51:42 <sangy> vagrantc: I can do that, and send a reminder every two weeks (i.e., one next week, and one the week before the meeting)
16:51:54 <vagrantc> sangy: i think reminders are really helpful
16:52:03 <sangy> will do then :)
16:52:35 <vagrantc> and if there's some content in them beyond the link, it might help people who might read offline or something ... not sure
16:52:44 <vagrantc> or just remind them of issues more directly
16:53:07 <sangy> vagrantc: right. So should we tentatively say 21st but open for changes?
16:53:10 <vagrantc> e.g. the X number of clicks between the person and content, you lose ~80% after the first click
16:53:18 <vagrantc> sangy: sounds good to me
16:53:32 <sangy> vagrantc: that had a name in my HCI classes
16:53:38 <sangy> vagrantc: awesome, you got it ;)
16:53:47 <vagrantc> https://pad.riseup.net/p/reproducible-irc-meeting-20180821-16UTC
16:53:52 <sangy> ahh, fitt's law
16:54:09 <sangy> wait no, not that one. Anyway
16:54:14 <vagrantc> #link https://pad.riseup.net/p/reproducible-irc-meeting-20180821-16UTC
16:54:41 <h01ger> oh hi
16:54:49 <h01ger> sorry, i forgot about the meeting...
16:54:59 <vagrantc> h01ger: welcome to the wrapping up of the meeting :)
16:55:24 <sangy> h01ger: will not happen anymore, as I'll be spamming reminders in the ML :P
16:55:33 <h01ger> cool
16:56:09 <vagrantc> i don't know if it would make sense, but setting up a cron job that screenscrapes the next meeting URL might be worth it so it doesn't rely on someone remembering
16:57:03 <vagrantc> anyways, let's call that a meeting, and hope our amazing strategies for reminders will change it for the next round :)
16:57:08 <sangy> vagrantc: so I can automate that, but for now I set a reminder on my calendar
16:57:16 <vagrantc> #endmeeting