15:58:06 <h01ger> #startmeeting
15:58:06 <MeetBot> Meeting started Mon Dec 21 15:58:06 2020 UTC.  The chair is h01ger. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:58:06 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:58:17 <h01ger> #topic say hi and review and amend the agenda
15:58:27 * h01ger = Holger Levsen, hello :)
15:58:33 * lamby is Chris Lamb, hello
15:59:37 * h01ger gives people some more minutes to arrive
16:00:01 * jelle hi
16:00:18 <h01ger> though i fear we picked a time too early for vagrant (and possibly bmwiedemann), though iirc vagrant didnt vote, so... :/
16:01:04 * h01ger has two subtopics for 'any other business' and adds them to the agenda
16:01:17 <Foxboron> Yooo, Foxboron / Morten Linderud here
16:01:19 <raboof> o/ Arnout Engelen, JVM and NixOS stuff
16:01:43 <h01ger> https://pad.sfconservancy.org/p/reproducible-builds-meeting-agenda is where the agenda is. sorry :)
16:02:39 * vagrantc waves
16:02:41 <h01ger> hi vagrantc, david-a-wheeler - you didnt miss much yet
16:02:45 <h01ger> https://pad.sfconservancy.org/p/reproducible-builds-meeting-agenda is where the agenda is.
16:02:51 <h01ger> #safe
16:02:54 <h01ger> #save
16:03:05 <david-a-wheeler> Great!
16:03:12 <h01ger> better save then not sorry ;)
16:03:14 <david-a-wheeler> I see the agenda.
16:03:58 <h01ger> http://meetbot.debian.net/reproducible-builds/2020/reproducible-builds.2020-12-21-15.58.log.html is what you missed, so not much
16:04:20 * anthraxx hi all
16:04:36 <h01ger> vagrantc: is that a possible time for you for future meetings too or would you prefer another dudle for yet another time? ;) :/
16:04:48 <h01ger> #topic 1.1 review new meeting time
16:05:49 <david-a-wheeler> I have standing meetings Monday at this time, so another time would be better for me too.
16:05:57 <h01ger> others are welcome to comment on 16 UTC too
16:05:58 <vagrantc> h01ger: i can make it work, but it's definitely on the early end for me :)
16:06:21 <david-a-wheeler> This time is theoretically great for me, yet, I can't usually make it :-).
16:07:18 <h01ger> ok, i suppose we should do another dudle then, but i would propose to do that in a months or so and keep this time for two more rounds, to decrease fluctuation. if that makes sense
16:07:28 <h01ger> s#months#month#
16:07:30 <lamby> Nod.
16:07:33 <vagrantc> works for me
16:07:38 <jelle> worksforme
16:07:40 <david-a-wheeler> Ok.
16:07:49 <david-a-wheeler> But can we do the Doodle poll sooner?
16:08:01 <h01ger> to have it longer running?
16:08:32 <david-a-wheeler> Start the Doodle poll sooner, and switch by Feb at the latest.
16:08:50 <h01ger> seems like a good idea. schedule the next two meetings at 16 utc now and schedule a dudle poll for the time of the meeting on february 1st now too
16:09:14 <david-a-wheeler> The SolarWinds crisis may cause a lot more people to be interested in reproducible builds. If that happens, I want to be involved if I can be.
16:09:18 <h01ger> and then each week we can remind people of that dudle
16:09:32 <h01ger> david-a-wheeler: darn, still havent found the time to read your mail about this
16:09:54 <h01ger> #action h01ger will schedule the next two meetings at 16 utc now and schedule a dudle poll for the time of the meeting on february 1st now too. then each week we can remind people of that dudle
16:10:02 <h01ger> next topic, i suppose?
16:10:08 <h01ger> #save
16:11:11 <h01ger> #topic 2. review last meetings action items
16:11:30 <h01ger> http://meetbot.debian.net/reproducible-builds/2020/reproducible-builds.2020-12-07-17.58.html has these 4:
16:11:41 <h01ger> bmwiedemann will either post the results of the debugging meeting or tell us he already did; vagrant is driving the next office hour session in january; vagrant will post next meeting time to list 2021-01-07 18:00-20:00 UTC; h01ger will announce the vision meeting on the list
16:12:20 <h01ger> hmpf, the linebreaks got lost, sorry. but i believe they are all done except the january AMA session which is well on the way
16:12:31 <vagrantc> yup
16:12:33 <h01ger> so next topic again :)
16:12:58 <h01ger> #topic 3. topic specific meetings: review of the last one: visions for r-b
16:13:48 <h01ger> can someone summarize? are there any 'hard' results?
16:14:15 * h01ger sadly got distracted by real life so couldnt participate much :/
16:14:57 <david-a-wheeler> I wasn't involved, but I have a vision: All software is reproducible & its builds are independently verified with reproducible builds.
16:15:05 <h01ger> :)
16:15:26 <david-a-wheeler> If you like that vision, we can declare victory and move to the next topic :-).
16:15:35 <h01ger> i think it was both about more concrete steps now as well as further ahead visions :)
16:15:45 <vagrantc> the original idea was a bit more of a strategic planning sort of idea
16:15:57 <vagrantc> but we came up with some next steps
16:16:06 <vagrantc> #link http://meetbot.debian.net/reproducible-builds/2020/reproducible-builds.2020-12-14-18.07.html
16:16:16 <vagrantc> or at least ideas to kick around
16:16:38 <h01ger> right, thats the meetbot summary of that meeting at least
16:16:41 <h01ger> #save
16:17:24 <lamby> nice, thanks :)
16:17:27 <vagrantc> the two that stood out to me are working with projects like publiccode.eu to build awareness and interest in reproducible builds
16:17:30 <h01ger> #info thats the meetbot summary of the r-b visions meeting about strategies
16:18:01 <vagrantc> and some targeted hack sessions focusing on making sure "core" packages are reproducible
16:18:35 <h01ger> #info the two that stood out to one participant were working with projects like publiccode.eu to build awareness and interest in reproducible builds and some targeted hack sessions focusing on making sure "core" packages are reproducible
16:18:39 <david-a-wheeler> Is anyone working with any of the language-level repos (PyPI, RubyGems, node, etc.) to get them to work on reproducible builds?
16:18:42 <vagrantc> and since everything's virtual, we may as well just record talks whenever we feel like it :)
16:19:29 <h01ger> so, as strategy: make noise and keep up the good work?
16:19:35 <vagrantc> hah :)
16:19:42 <lamby> I had some interest from the PyPI folks and a chap from IBM (whose name evades me right this second!)
16:20:13 <david-a-wheeler> Tweak: Make noise & increasingly cover what's verified via reproducible builds
16:20:30 <vagrantc> david-a-wheeler: that sounds like a good idea! there was some work on a major java distribution system (e.g. maven?)
16:21:09 <david-a-wheeler> If it's Java, that'd be Central (Sonatype's); that's what Maven uses.
16:21:23 <h01ger> public service reminder: we have 2 established channels to make noise: a.) our monthly report b.) our twitter account. if you dont know how to use them, we'll gladly explain
16:21:28 <vagrantc> david-a-wheeler: sounds about right
16:21:30 <raboof> david-a-wheeler: for the JVM, there's nothing stopping us from uploading buildinfo metadata to jar repos like Maven Central. I have a proof-of-concept doing it for the Akka library (https://repo1.maven.org/maven2/com/typesafe/akka/akka-actor_2.13/2.6.10/akka-actor_2.13-2.6.10.buildinfo)
16:22:01 <david-a-wheeler> raboof: Cool, didn't know that.
16:22:27 * h01ger is happy about the enthusiasm yet still wants to get back to the agenda ;) IOW: i think we are done with discussing the past strategy/vision meeting.
16:22:34 <david-a-wheeler> h01ger: Those are good channels, but more for the in-crowd.
16:22:36 <h01ger> one question probably left: how to continue?
16:22:37 <vagrantc> yay :)
16:23:10 <vagrantc> maybe start a thread on-list about each strategy approach?
16:23:22 <h01ger> i guess my last question is a bit rhetorical/broad, so lets just move on. if you have an idea how to continue on this topic, please bring it up on the list
16:23:56 <h01ger> #info please followup the discussion about future visions and strategies for r-b on the rb-general list (or make it a topic for the next general irc meeting)
16:24:13 <h01ger> #topic 4. topic specific meetings: plan the next one: pick one from below
16:24:41 <h01ger> i'm a bit confused/unsure: we have another AMA meeting in january, so is this needed now?
16:24:43 <h01ger> vagrantc: ^
16:25:20 <vagrantc> h01ger: i think i'd like to see some other topics addressed ... the AMA can kind of stand on its own
16:25:45 <vagrantc> dunno if Foxboron is around ... but wanted to do one about academic paper review or something?
16:26:00 <Foxboron> D: i did
16:26:02 <Foxboron> but busy
16:26:03 <david-a-wheeler> I can't attend 11am Eastern Time meetings in January due to conflicts, so I'm not pushing for one of mine :-).
16:26:13 <h01ger> david-a-wheeler: please use UTC
16:26:40 <vagrantc> david-a-wheeler: if you want to drive a session, you could also just pick a different time :)
16:26:40 <h01ger> vagrantc: ok. for which date?
16:26:45 <david-a-wheeler> (1600 UTC)
16:26:57 <h01ger> david-a-wheeler: thank you :)
16:27:32 <vagrantc> h01ger: if we follow the alternate general meeting approach ...
16:27:46 <h01ger> so january 11th i suppose or is that the AMA date?
16:27:48 <vagrantc> that'd be December 28th,
16:28:02 <h01ger> ah, ok
16:28:08 <vagrantc> or January 13th or 27th
16:28:46 <vagrantc> oops, january 11th or 25th
16:29:32 <h01ger> i suppose we could move on now, as we meet again on january 4th. or you pick a topic now. its not so much fun for 10 people to wait on this :)
16:29:34 <vagrantc> we could also refresh the list
16:29:58 <h01ger> but then, we only have any other businesses as topics..
16:30:43 <vagrantc> can, of course, solicit more future topics on-list ... :)
16:31:00 <h01ger> #info the topic for the next topic meeting is AMA - ask me anything. december 28th
16:31:02 <vagrantc> or review the previous
16:31:15 <vagrantc> h01ger: no, that's in january ...
16:31:27 <h01ger> maybe we need a calendar or some such
16:31:27 <vagrantc> h01ger: kind of moved the AMA outside of the topic-specific things
16:32:17 <vagrantc> #info AMA is january 7th, really :)
16:32:24 <h01ger> cool
16:32:26 <vagrantc> i mean, anyone is willing to host it whenever they want :)
16:32:55 <vagrantc> until i get bored of it, i'll aim for hosting one a month :)
16:33:04 <h01ger> #topic 5. next meeting
16:33:30 <jelle> vagrantc: nice, I'd need to remember it and share my repro issues list :-)
16:33:31 <h01ger> #info next general irc meeting will be on january 4th, 2021, at 16 UTC, here
16:33:54 <h01ger> #info for the meetings starting in february there will be a dudle for a new time
16:33:55 <david-a-wheeler> I don't see a calendar/schedule on https://reproducible-builds.org/contribute/
16:34:01 <h01ger> david-a-wheeler: yup
16:34:14 <lamby> nod
16:34:16 <h01ger> #topic 6. any other business
16:34:25 <h01ger> #topic 6.1 threema
16:34:47 <h01ger> threema (a messenger app) today announced their switch to agpl3 code and reproducible builds
16:35:04 <h01ger> hit the spiegel.de, which is german (non technical) mainstream political press
16:35:25 <vagrantc> nice
16:35:26 <lamby> switch from another license?
16:35:36 <h01ger> (the spiegel article explained "reproduzierbare builds" which is a nice new denglish term)
16:35:41 <h01ger> lamby: proprietary
16:35:59 <rinni> but registration will only be possible with the purchased version :-(
16:35:59 <h01ger> threema has a pretty good crypto track record.
16:36:13 <h01ger> rinni: which is still the reproducible version..
16:36:34 <h01ger> i've put a short stab in the report in website.git, if you are looking for more urls
16:36:41 <h01ger> https://threema.ch/en/blog/posts/open-source-discount
16:36:41 <lamby> thanks
16:36:46 <h01ger> is one for now
16:37:02 <h01ger> rinni: happy to discuss threema details after the meeting anytime :)
16:37:08 <david-a-wheeler> Interesting. Apple has generally been hostile to GPL apps, I wonder if that's changed.
16:37:39 <h01ger> david-a-wheeler: not sure there is threema for ios
16:37:45 <h01ger> anyhow
16:37:48 <h01ger> #topic 6.2 any other business: debian arch:all upload campaign
16:38:07 <h01ger> not 100% related to reproducible builds, but rather a pre-depends:
16:38:37 <h01ger> back in history, not all debian uploads were built on build daemons (operated by debian) but many/most were built on developer machines
16:38:58 <david-a-wheeler> (Threema): https://apps.apple.com/us/app/threema-the-secure-messenger/id578665578
16:39:00 <jelle> g
16:39:06 <h01ger> the release team fixed this in 2018 by requiring that packages going to testing are now built on the buildds
16:39:16 <h01ger> but uploads from before were/are still in
16:39:34 <h01ger> and all uploads from before 2016 also lack .buildinfo files
16:39:38 <h01ger> long story short:
16:39:51 <h01ger> there were 572 source packages like this
16:39:56 <h01ger> which need a new upload
16:40:22 <h01ger> 3 days ago i started to go through them and now have uploaded the first 30. the last 10 in the last 2h or so.
16:40:34 <h01ger> i hope to be done with those 572 packages in a month.
16:40:39 * vagrantc cheers and claps
16:40:47 <david-a-wheeler> h01ger: Fantastic!
16:40:56 <lamby> nice!
16:41:14 <h01ger> if i stop making progress in the next 2-3 weeks i will ask for help, but really, it should just be a few dull hours for me. i have automated most of it now.
16:41:17 <raboof> great
16:41:24 <david-a-wheeler> So how close are we to a completely reproducible Debian base?
16:41:33 <vagrantc> david-a-wheeler: that's another topic entirely
16:41:38 <david-a-wheeler> Ok :-)
16:41:40 <h01ger> david-a-wheeler: what vagrant said
16:41:45 <h01ger> #topic 6.3 any other business: MCH2021
16:41:53 <h01ger> raboof: ^ the stage is all yours! :)
16:42:06 <raboof> right! we're hoping to organize another 'hacker camp' event in the Netherlands in August 2021, MCH2021, assuming it can be done responsibly by that time.
16:42:20 <raboof> I'd be happy to do a talk spreading the r-b gospel
16:42:33 <h01ger> coolio!
16:42:43 <h01ger> is there an url for MCH2021 already?
16:42:52 <raboof> https://mch2021.org/
16:42:52 <Foxboron> Yes, tickets started selling today
16:43:02 <h01ger> wow
16:43:05 <h01ger> #save
16:43:40 <h01ger> cool, i suppose thats it for now?!?
16:43:58 <david-a-wheeler> I have 1 quick thing
16:44:14 <h01ger> about MCH2021?
16:45:09 <raboof> we can move on from MCH - though if any of you plan to come I'd like to hear, perhaps we can also do some workshop/bof-session/...
16:45:38 <h01ger> raboof: i think that would be cool... (though planning to come is too early right now)
16:45:41 <h01ger> david-a-wheeler: please add your topic to https://pad.sfconservancy.org/p/reproducible-builds-meeting-agenda and we'll get to it in a minute
16:45:45 <h01ger> #topic 6.4 any other business: solarwinds
16:45:53 <h01ger> david-a-wheeler: or is that your topic? vagrantc added it :)
16:46:05 <david-a-wheeler> It is!
16:46:17 <david-a-wheeler> The attack on SolarWinds is a big deal in the US. It appears to have been an attack on the build system of some proprietary software.
16:46:19 <vagrantc> ok, happy to hand over the mic, then :)
16:46:30 <david-a-wheeler> The same kind of attack could have been performed on OSS.
16:47:28 <david-a-wheeler> An obvious solution is reproducible builds. I'm hoping that this attack will lead to more action on improving the software security....
16:47:29 * h01ger nods
16:47:40 <david-a-wheeler> including vastly increased use of reproducible builds.
16:47:41 <vagrantc> kind of the heartbleed of 2020? :)
16:47:52 <h01ger> jg is pitching on this (in the US, at companies)
16:47:59 <david-a-wheeler> Heartbleed was not nearly as dangerous :-(.
16:48:28 <raboof> jg?
16:48:33 * h01ger thinks it was more a hack/crack/break-in than a software distribution problem. that just made it worse
16:48:38 <david-a-wheeler> vagrantc: Basically yes.
16:48:54 <vagrantc> so other than including in our next report ... what are our next steps to show the world how reproducible builds can help?
16:49:15 <h01ger> raboof: jim getty
16:49:21 <vagrantc> s
16:49:34 <david-a-wheeler> I think it'd be good to make it easier to explain why reproducible builds can counter attacks like SolarWinds.
16:49:38 <h01ger> raboof: jim gettys
16:50:17 <david-a-wheeler> The next report goes to the believers. You want something the *non* believers see :-).
16:50:26 <h01ger> david-a-wheeler: if solarwinds has a consistent good story. and not person say it was the russians and the clown says it were the chines
16:50:31 <h01ger> e
16:50:42 <david-a-wheeler> It doesn't matter who the attacker was.
16:50:46 <vagrantc> i remember a pretty simple talk about bitcoin that touched on the issues of reproducible builds and bootstrapability from dongcarl
16:50:57 <h01ger> i'm not saying it hasnt, but... this can be *very* distracting
16:50:59 <david-a-wheeler> The problem is that there was no way to detect a mis-signed executable.
16:51:03 <dongcarl> hi
16:51:04 <vagrantc> it had really accessible graphic representations with explanations
16:51:35 <h01ger> hi dongcarl - you missed a lot, the whole backlog is linked at http://meetbot.debian.net/reproducible-builds/2020/reproducible-builds.2020-12-21-15.58.html (and summarized too)
16:51:55 <dongcarl> Very cool
16:52:07 <dongcarl> Will check out meeting schedule if that's online anywhere
16:52:07 <h01ger> https://en.wikipedia.org/wiki/Solarwinds#2020_supply_chain_attack
16:52:10 <david-a-wheeler> dongcarl: Can you share a URL for that?
16:52:11 <h01ger> #save
16:52:13 <david-a-wheeler> Never time
16:52:14 <dongcarl> My video: https://youtu.be/I2iShmUTEl8
16:52:16 <david-a-wheeler> Nevermind
16:52:27 <h01ger> what video is that?
16:52:41 <vagrantc> #link  https://en.wikipedia.org/wiki/Solarwinds#2020_supply_chain_attack
16:53:00 <vagrantc> #link  https://youtu.be/I2iShmUTEl8
16:53:04 <dongcarl> h01ger: "a pretty simple talk about bitcoin that touched on the issues of reproducible builds and bootstrapability"
16:53:11 <david-a-wheeler> dongcarl: Is there a URL with the slides themselves?
16:53:18 <h01ger> vagrantc: meetbot recognises https urls starting at the beginning of the line
16:53:26 <vagrantc> h01ger: oh, TIL :)
16:53:26 <h01ger> dongcarl: from when?
16:53:35 <h01ger> like 2014 or 2020?
16:53:35 <david-a-wheeler> I think reproducible-builds.org should have a page on "How RB could have countered the SolarWinds attack"
16:53:37 <dongcarl> david-a-wheeler: There's a transcript, if you'd like! There's a lot of animation so the slides are... repetitive hehe
16:54:04 <h01ger> we were just discussing solarwinds and suddenly a video link is shared with no explanation. i'm trying to make sense out of this ;)
16:54:04 <dongcarl> h01ger: 2019 I believe
16:54:24 <h01ger> ic
16:54:48 <h01ger> ok, i suppose we can conclude the meeting with this then
16:54:49 <vagrantc> h01ger: i mentioned dongcarl's because we were talking about explaining reproducible builds and i recall that being a pretty good example
16:55:05 * dongcarl shoulda read more of the log
16:55:09 <david-a-wheeler> You need "SolarWinds" in the title so people will find it :-)).
16:55:44 * h01ger is still not convinced SolarWinds is the best example to explain to people the benefits of preventing supply chain attacks
16:55:49 <david-a-wheeler> h01ger: Makes sense!
16:55:55 <david-a-wheeler> Take care everyone!
16:56:06 <h01ger> see you in two weeks!
16:56:14 * dongcarl waves
16:56:16 <lamby> o/
16:56:22 <h01ger> next general irc meeting will be on january 4th, 2021, at 16 UTC, here
16:56:26 <h01ger> \o
16:56:37 <h01ger> & thank you all for your time & contributions!
16:56:57 <vagrantc> indeed!
16:57:20 <h01ger> #save
16:57:46 <lamby> Next meeting in diary :)
16:58:04 <h01ger> #endmeeting