18:07:10 <bmwiedemann> #startmeeting
18:07:10 <MeetBot> Meeting started Mon Dec 14 18:07:10 2020 UTC.  The chair is bmwiedemann. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:07:10 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:07:37 <bmwiedemann> #topic introductions
18:08:01 * bmwiedemann is Bernhard M. Wiedemann (SUSE / Germany)
18:08:14 * lamby is Chris Lamb (UK)
18:08:43 * cbaines is Chris Baines (also UK)
18:09:14 <lamby> hey bmwiedemann, cbaines
18:11:04 <Foxboron> Yo, Morten Linderud (Arch / Norway)
18:12:12 <bmwiedemann> (I still hope for vagrantc as he was active just 15 minutes ago)
18:14:09 <jathan> Hi everybody.
18:14:14 <lamby> hi jathan
18:14:20 <vagrantc> hey all, sorry, had some unexpected surprises this morning
18:15:12 * vagrantc = Vagrant Cascadian
18:15:13 <lamby> Hope all is well
18:16:04 <bmwiedemann> #topic discuss vision of reproducible builds
18:16:10 <bmwiedemann> #link https://pad.sfconservancy.org/p/reproducible-builds-vision
18:17:32 <jathan> Hi lamby!
18:18:00 <jathan> vagrantc: I hope everything is fine.
18:18:21 <bmwiedemann> lamby or vagrantc: want to take over? This is not a good time for me.
18:19:13 <lamby> I'm probably not the best to take this (wasn't involved in the previous meeting, for example)
18:19:22 <vagrantc> some people clearly put some thought into this, thanks bmwiedemann, kpcyrd and cbaines !
18:20:58 <cbaines> I've only been adding some things in the past 20 minutes
18:21:40 <vagrantc> so, looks like the bulk of the topics were distro-specific next steps and very long term goals
18:22:29 <vagrantc> also of note, the topic of cross-distro bootstrappability :)
18:22:59 <kpcyrd> the notes I wrote are somewhat short/near term, I'm careful with long term decisions while there's still short term stuff to figure out :)
18:23:06 <bmwiedemann> there are a few overarching topics we worked on in the past such as SOURCE_DATE_EPOCH, disorderfs and diffoscope. What will the future have in that direction?
18:23:21 <vagrantc> kpcyrd: fair enough :)
18:24:09 <cbaines> While writing up notes, I remembered about https://ismypackagereproducibleyet.org/ I think I had a plan to get Guix data in to that at one point. Anyway, I like the idea of viewing data from different distros in one place.
18:24:30 <kpcyrd> for example, I'd like to see rebuilders and rebuilder backends mature first before we settle on a report format. it's easier to rewrite stuff without carrying the report code around yet.
18:28:28 <vagrantc> bmwiedemann: well, i think BUILD_PATH_PREFIX_MAP is ... mostly stalled indefinitely, but at some point that could be resurrected. although maybe build paths are not a priority; relatively easy to normalize
18:29:23 <h01ger> re
18:29:39 <vagrantc> i was also intrigued by the idea of various "rings" of package sets ... somewhat similar to debian's various package sets
18:30:08 <vagrantc> #link https://tests.reproducible-builds.org/debian/bullseye/amd64/index_pkg_sets.html
18:30:46 <lamby> Like, generic, distribution-agnostic rings?
18:31:28 <vagrantc> could be something to explore ... if we're all putting energy into fixing "core" reproducibility issues, we might all get there faster ... though some of those are the hardest
18:32:08 <lamby> nod
18:33:51 <vagrantc> i don't know if it makes sense to try and schedule something like a targeted week of hacking on packages we identify as "core" issues for reproducibility across distros?
18:34:09 <h01ger> i'd think it first makes sense to identify them :)
18:34:18 <h01ger> or maybe that's the first bit of that hacking week
18:34:39 <vagrantc> well, like the link i posted above probably identifies some issues from a Debian perspective ...
18:35:14 <vagrantc> and if other distros have similar lists to share, we can compare notes, trade patches and try to get them upstream...
18:35:24 * h01ger nods
18:36:25 <vagrantc> although i think binutils and gcc in debian are possibly mostly of maintainer embedding known unreproducible build logs :(
18:37:20 <vagrantc> i think for a lot of the "make a distro fully reproducible" goals, rebuilders seem to be core to that, though each distro has specific challenges there
18:37:40 <vagrantc> but i guess maybe also coming to agreement on a known set of variations/normalizations?
18:38:34 <vagrantc> but once we have the core bootstrap, cross-distro bootstrapping might become more feasible :)
18:39:22 <bmwiedemann> it still has the same challenges of incompatible versions, but at least we can expect reproducible results then.
18:39:40 <vagrantc> right
18:41:01 <bmwiedemann> something like Guix could come in handy for the cross-distro bootstrapping, because (if I understood it correctly) it can be built on different distributions and might be able to bootstrap different parts of various distributions
18:41:11 <vagrantc> oh, nice :)
18:41:41 <h01ger> personally cross-anything is outside my vision(s) currently. it's so far out and we have so so many smaller and already caught fish to fry
18:42:00 <h01ger> but hey, scratch your itches :)
18:42:09 <bmwiedemann> true, it is more in the bootstrappable region
18:42:46 <vagrantc> i was also wondering ... how well known is reproducible builds in the world at large? it seems to be increasingly common among software development circles ... and sometimes in security circles ... but i also surely have a biased view
18:43:20 <vagrantc> and ... is there more we can do to ... get the word out?
18:43:39 <vagrantc> we've historically given lots of talks at many conferences ... which is a little different right now
18:43:41 <bmwiedemann> government regulations on software ?
18:44:08 <h01ger> vagrantc: well, we've given talks this year too. and 2019 is not really 'historic'
18:44:36 <bmwiedemann> you know, there was the FSFE campaign for "public money, public code" - that could be built upon, to encourage/sponsor/demand reproducible builds of that FLOSS code
18:45:11 * h01ger believes that parts of the german tech scene now reproducible builds, because when last week the free'ed version of the corona warn app was released, two features were noted: a.) free of google services b.) reproducible builds
18:45:27 <vagrantc> h01ger: that's great!
18:45:30 <h01ger> bmwiedemann: i believe r-b is part of their campaign
18:45:51 <h01ger> (and s#now#know# in the last but one line from me)
18:46:34 <bmwiedemann> h01ger: google doesn't find such a claim.
18:47:04 * h01ger checks his inbox
18:49:01 <bmwiedemann> I found one FSFE r-b mention in our weekly report #198
18:49:08 <bmwiedemann> about Huawei+5G
18:51:21 <bmwiedemann> I guess, that part of r-b vision could be part of a wider vision of FLOSS adoption (or even requirement) in certain sectors
18:52:26 <lamby> I need to jump off now for a bit :)
18:52:32 <h01ger> bmwiedemann: you're right, i only found random people demanding public code should be reproducible
18:52:33 <vagrantc> lamby: thanks for dropping in
18:52:37 <h01ger> lamby: o/
18:53:28 <vagrantc> i've had a talk or two begging the question "is it really free software if it isn't reproducible" ... maybe nudging that angle a little over the coming years could be interesting
18:53:54 <vagrantc> although want to be careful not to get too adversarial
18:54:06 * h01ger has been asking that question for 3-4 years at least :)
18:54:34 <cbaines> I remember something from Marrakesh about Huawei and the UK 5G stuff. I think there was some aspect of the customer reproducing the vendor's artifacts there for security reasons.
18:54:42 <bmwiedemann> I think we want to shift people's thinking in that direction. Proper FLOSS software should build reproducibly.
18:55:29 <h01ger> cbaines: https://www.huawei.com/en/press-events/news/2019/12/huawei-ma5800-code-evaluation-build-engineering-assessment <- page 4
18:55:48 <vagrantc> i had a never presented talk basically about the interplay between FLOSS, reproducible builds and bootstrappability making each stronger
18:56:38 <cbaines> For Guix at least, I see a clear step from the current state of "fetch a binary thing if the hash is signed and I trust the key" to "fetch a binary thing if the hash is signed by N signatures where N > 1", which will provide more security to users (providing things build reproducibly)
18:56:40 <vagrantc> it did occur to me that we could just give talks and self-publish them, rather than waiting for a conference
18:57:04 <bmwiedemann> a question on timing: do we need to wrap up, or should we continue until the topic (or the people) are exhausted
18:57:21 <vagrantc> cbaines: yeah, seems like guix is well poised to be the first to implement the end-user parts
18:57:39 * h01ger has to prepare food now, so i'll drop out.
18:57:40 <cbaines> h01ger, thanks
18:57:48 <vagrantc> #idea record presentations outside of conferences
18:58:14 <vagrantc> #idea connect with publiccode.eu about reproducible builds
18:58:51 <vagrantc> # broadly government initiatives incorporating reproducible builds
18:58:56 <vagrantc> #idea broadly government initiatives incorporating reproducible builds
18:59:06 * vagrantc hopes #idea works
18:59:28 <bmwiedemann> #save
18:59:31 <vagrantc> #idea guix could implement substitutes with N matching signatures
18:59:49 <vagrantc> bmwiedemann: we should probably wrap up
19:00:03 <vagrantc> was trying to record some of the ideas as we went in the meetbot summary
19:00:07 <cbaines> There's a link for that
19:00:10 <cbaines> #link https://lists.gnu.org/archive/html/guix-devel/2020-06/msg00179.html
19:01:00 <vagrantc> #idea hack sessions to target specific core packages
19:02:20 <vagrantc> well, shall we call it?
19:02:37 <vagrantc> bmwiedemann: i think you have the power to end this :)
19:02:44 <bmwiedemann> alright. we had a nice meeting. thanks all for the contributions.
19:02:54 <vagrantc> thanks everyone!
19:03:08 <bmwiedemann> #endmeeting