15:00:20 <h01ger> #startmeeting
15:00:20 <MeetBot> Meeting started Tue Sep 28 15:00:20 2021 UTC.  The chair is h01ger. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:20 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:00:39 <h01ger> #topic welcome to this monthly meeting, please briefly introduce yourself or update us on recent or planned projects
15:01:11 * h01ger = Holger Levsen, caring for tests.r-b.o and getting us thru this meeting :)
15:01:22 <h01ger> the agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep
15:01:29 <h01ger> feel free to add & edit, please
15:01:35 * lamby is Chris Lamb, mostly working on Debian and diffoscope these last few weeks.
15:01:46 <h01ger> (though maybe /msg me of late changes now)
15:01:50 * marmarek = Marek Marczykowski-Górecki, Qubes OS
15:01:58 * vagrantc = Vagrant Cascadian ... mostly debian and cheerleading various reproducible builds efforts
15:02:01 <h01ger> the meetings are supposed to last between 1-2h, maybe rather an hour, but we have lots of time (just after 23-42m on one topic we move on anyway), though of course we aim to keep them short.
15:02:03 * fepitre = Frédéric Pierret, Qubes OS
15:02:28 * bmwiedemann is Bernhard M. Wiedemann, working on reproducible builds for openSUSE (and some SUSE OSes)
15:03:35 * kpcyrd kpcyrd = kpcyrd, independent contractor, rebuilderd, Arch Linux
15:04:34 * jelle = Jelle van der Waa, Arch Linux reproducible things
15:05:02 * h01ger is happy to see so many nicks here again
15:05:21 <lamby> :)
15:05:34 <sangy> sangy = Santiago Torres-Arias, Professor at purdue and overall supply chain security person
15:05:45 <sangy> Assistant Professor, for the record, I don't have tenure :)
15:06:00 <h01ger> /nick prof_sangy :)
15:06:16 <sangy> haha :D
15:07:17 <h01ger> i suppose we can start... anyone joining late please do introduce yourself briefly if you feel like it... and thanks to everyone doing so, its especially nice for those new people being around or reading this in the logs..
15:07:27 * foka = Anthony Fok, mostly working with the Debian Go Packaging Team.  First time to the reproducibility meeting.  Slowly learning.  :-)
15:07:45 <h01ger> hi foka, great to have you here!
15:08:08 <h01ger> #topic short time slots for checkins from various projects
15:08:30 <h01ger> #topic short time slots:  status update on Alpine
15:08:38 <h01ger> Ariadne: anything to report?
15:08:46 <h01ger> #save
15:09:10 <foka> Hi h01ger!  I am glad to hear your talk during DebConf 21!
15:09:18 <h01ger> gunner: hi gunner. backlog is at http://meetbot.debian.net/reproducible-builds/2021/reproducible-builds.2021-09-28-15.00.log.html
15:09:28 <Ariadne> have been busy with openssl 3, so haven’t had much time to work on finishing the buildinfo yet
15:09:28 <gunner> hello and thanks!
15:09:36 <h01ger> foka: great
15:10:13 <h01ger> Ariadne: ah, ok. hoping for more news next month(s) then :)
15:10:18 <Ariadne> (openssl 3 is a higher priority objective for us due to the improved license)
15:10:25 <Ariadne> yes, next month :)
15:10:27 * h01ger nods, sure
15:10:46 <h01ger> #topic short time slots:  status update on Arch Linux rebuilder
15:10:54 <h01ger> kpcyrd: ^
15:11:00 <kpcyrd> pacman 6.0.1 released with a patch by Allan McRae for reproducible python bytecode with makepkg
15:11:06 <kpcyrd> nobody had time to upload the python packages with the new devtools version due to a funding gap for reproducible archlinu
15:11:15 <h01ger> #info pacman 6.0.1 released with a patch by Allan McRae for reproducible python bytecode with makepkg
15:11:33 <h01ger> (anyone can use the #info command, it just needs to be at the beginning of the line)
15:11:49 <kpcyrd> jelle and Aditya upgraded the instances to the latest rebuilderd version
15:12:06 <h01ger> nice
15:12:09 <kpcyrd> that's it
15:12:18 <h01ger> :thumbsup:
15:12:39 <h01ger> #topic short time slots:  status update on Debian / snapshot.d.o mirror
15:12:45 <h01ger> fepitre: ^ (&myself)
15:13:01 <fepitre> For snapshot service side:
15:13:07 <fepitre> 1) snapshot.notset.fr is really handling this big rebuild very nicely. I've mostly 40 rebuilders running since the beginning and I've not noticed any infrastructure failure so far. Only missing files that I'm in progress to solve by provisioning DB differently. Original problem explained here: https://github.com/fepitre/debian-snapshot/commit/572309a826e03e4d1ead419e65ad1e85409ed01b
15:13:23 <fepitre> (copy what I wrote in ml)
15:13:33 <fepitre> from API side, I've added
15:13:43 <fepitre> support for downloading file by sha256
15:13:45 <h01ger> the osuosl mirror of that mirror at fepitre's house is in the process of being set up, last week it was a bit stalled on osuosl's admins being busy with other stuff, but the discs have arrived and they should have the machine ready for us soon
15:14:01 <fepitre> direct download: https://snapshot.notset.fr/by-hash/SHA256/9c94e113ef655abc58a4f8f6c71e3a71e4df0155a9b306ece76eeed17cd7cb9f
15:14:07 <fepitre> redirected download with filename (first location found): https://snapshot.notset.fr/mr/file/9c94e113ef655abc58a4f8f6c71e3a71e4df0155a9b306ece76eeed17cd7cb9f/download
15:14:15 <h01ger> fepitre: wheehoo, thats awesome!
15:14:22 <fepitre> typically I'm using the latter
15:14:27 <fepitre> for computing diffoscope
15:14:37 <fepitre> when I've got an unreproducible builds
15:14:43 <fepitre> just getting files by hash directly
15:14:53 <fepitre> that's all for me for snapshot service
15:14:59 <lamby> nice
15:15:09 <h01ger> #info API side got support for downloading file by sha256, eg https://snapshot.notset.fr/by-hash/SHA256/9c94e113ef655abc58a4f8f6c71e3a71e4df0155a9b306ece76eeed17cd7cb9f
15:15:21 <h01ger> #info or redirected download with filename (first location found): https://snapshot.notset.fr/mr/file/9c94e113ef655abc58a4f8f6c71e3a71e4df0155a9b306ece76eeed17cd7cb9f/download
15:15:25 * vagrantc dances happily
15:15:31 <lamby> You also announced https://rebuild.notset.fr/ on the ML
15:15:32 <h01ger> very cool!
15:15:44 * fepitre lets h01ger speaking of rebuilding results :)
15:15:47 * marmarek \o/
15:15:55 <h01ger> #topic short time slots:  status update on Debian rebuilder
15:16:26 <h01ger> #info https://beta.tests.reproducible-builds.org/ is now another frontend view of https://rebuild.notset.fr/
15:16:39 <h01ger> showing Debian and Qubes results
15:17:01 <h01ger> and is what we discussed on the list as alpha.t.r-b.o or practice.t.r-b.o
15:17:16 <fepitre> I'm also speaking for josch, he recently made a migration of metasnap
15:17:31 <h01ger> (and which then i decided today to become 'beta', as 'alpha' sounds worse and 'practise' has the problem of US/UK spelling
15:17:35 <fepitre> which allows to intensively get minimal timestamp set
15:17:36 <h01ger> )
15:18:20 <fepitre> Now you can get results
15:18:21 <vagrantc> very, very, very excited :)
15:18:26 <fepitre> in-toto metadata
15:18:36 <sangy> \o/
15:18:37 <fepitre> (links of "links" are on the result page too)
15:18:42 <h01ger> thats all about rebuilders from me for now. the plan is still to set up both kpcyrd and fepitre rebuilders on t.r-b.o but no progress has been made on that yet
15:18:55 <fepitre> reproducible/unreproducible metadata are signed with different keys
15:19:07 <h01ger> thats also a very nice idea, marmarek :)
15:19:09 <vagrantc> fepitre: oh, nice :)
15:19:12 * sangy FWIW I love there are two rebuilder projects, so as to ensure rebuild diversity
15:19:12 <fepitre> so you can't get wrong
15:19:42 <fepitre> yes thank you marmarek for the suggestion!
15:19:55 <h01ger> #info josch made a migration of metasnap which allows to intensively get minimal timestamp set
15:20:05 <fepitre> and I've added diffoscope log yesterday too on results page
15:20:10 <kpcyrd> h01ger: it's currently recommended to use arch linux to rebuild arch linux, rebuilderd is packaged there and it should just work™
15:20:16 <fepitre> so people, no excuse to get what's wrong on Debian packages :D
15:20:41 <h01ger> kpcyrd: i fear i'll first try to rebuild debian but if you steer me in the arch direction first...
15:20:56 <h01ger> shall we move on on the agenda?
15:21:02 <fepitre> yes I'm done :)
15:21:12 <kpcyrd> h01ger: rebuilderd can't rebuild debian yet
15:21:37 <h01ger> kpcyrd: ah, ok, then i misunderstood you for months. and i also thought sangy used it to do that?!?
15:21:37 <sangy> kpcyrd: is this ticketized? I can perhaps point some students of mine in that direction
15:21:53 * h01ger grins and thumbsup
15:22:10 <sangy> h01ger: there are bits that are working iiuc, but I think it needs to fix a couple of bits for it to be up and running
15:22:13 <kpcyrd> there's a tracking issue that needs to be updated: https://github.com/kpcyrd/rebuilderd/issues/4
15:23:05 * h01ger suggests sangy and kpcyrd discuss this after the meeting or via /msg or via that issue :)
15:24:05 <h01ger> #topic short time slots:  status update on Debian / live-images
15:24:34 <h01ger> #info rclobus sent an update to the mailing list
15:25:00 <h01ger> #info https://lists.reproducible-builds.org/pipermail/rb-general/2021-September/002387.html
15:25:15 <h01ger> #topic short time slots:  status update on F-Droid
15:25:15 <lamby> 👍
15:25:54 <h01ger> obfusk couldnt make the meeting this time. no f-droid news to report from his end. he wished us fun.
15:26:22 <h01ger> #topic short time slots:  status update on i-probably-didnt-backdoor-this
15:26:39 <h01ger> as its striked through in the agenda, i guess kpcyrd has no news on this fantastic project :)
15:26:45 <kpcyrd> this isn't really a project with monthly news, it's more of a documentation project for how certain milestones work
15:26:47 <kpcyrd> the issue I mentioned the last time was due to a missing backslack while I prepared the project for release
15:26:56 <kpcyrd> *backslash
15:27:16 <h01ger> ok, removed from the agenda for next month. feel free to add it back anytime
15:27:39 <h01ger> #topic short time slots:  status update on rebuilderd: status update
15:27:42 <h01ger> kpcyrd: ^
15:28:01 <kpcyrd> rebuilderd released 0.14.0, 0.14.1 and 0.14.2
15:28:03 <kpcyrd> the rebuilderd instances are now generating and distributing in-toto attestations with the code contributed by Joy Liu and Aditya Sirish
15:28:05 <kpcyrd> there's also experimental support for tails images (but not IUKs) and a status table what's supported (like debian being "planned"), which backend is used and if the backend needs stuff like CAP_SYS_ADMIN or kvm: https://github.com/kpcyrd/rebuilderd#status
15:28:07 <kpcyrd> development also slowed down due to a funding gap
15:28:59 <h01ger> #info the rebuilderd instances are now generating and distributing in-toto attestations and  experimental support for tails images and more. check the full log
15:29:16 <kpcyrd> #info https://github.com/kpcyrd/rebuilderd#status
15:29:21 <lamby> Can you quickly elaborate on why the backend needs CAP_SYS_ADMIN (or similar) to build packages?
15:29:25 <h01ger> pretty nice
15:30:18 <kpcyrd> lamby: yes, the rebuild backends often use containers themselves and need to be able to use mount(2)
15:30:26 * h01ger is surprised the status table has 'doesnt need' instead of 'needs' :)
15:30:50 <kpcyrd> "needs kvm" is a bit of an anti-feature
15:31:10 * h01ger nods, still it reads strange at first
15:31:22 <h01ger> CAP_SYS_ADMIN is not mentioned in that table nor readme
15:31:34 <kpcyrd> the --privileged column
15:31:59 * h01ger nods. i understood, i was trying to suggest an improvement
15:32:33 <kpcyrd> :)
15:32:49 <h01ger> anything else on this?
15:32:54 <kpcyrd> that's it
15:33:02 <h01ger> :thumbsup: & thank you
15:33:08 <kpcyrd> ah, rebuilderd is now packaged in alpine [testing]
15:33:15 <h01ger> :)
15:33:21 <h01ger> #topic r-b ecosystem
15:33:25 <h01ger> lamby: ^
15:33:44 <lamby> Nothing to report here.  I should have removed it from the agenda; sorry.
15:33:52 <h01ger> np
15:34:14 <h01ger> #topic r-b.o/docs/rebuilders and conflict with r-b.o/tools
15:34:30 <h01ger> nothing to report on that topic neither. its still open and to be resolved...
15:34:55 <h01ger> #topic any other business
15:34:55 <kpcyrd> I'm suggesting to move the list from the wiki page I linked to the r-b website
15:35:41 <lamby> +1 for consolidation of reproducible docs in general :)
15:35:48 <h01ger> kpcyrd: i like that
15:36:11 <h01ger> maybe docs/rebuilders is useless and all should be listed under /tools
15:36:25 <h01ger> actually
15:36:27 <h01ger> #maybe#
15:36:37 <h01ger> rebuilders are very much important tools of r-b.o, or?!!
15:36:57 <kpcyrd> I think the actual deployments should be listed more publicly
15:37:09 <h01ger> i think thats true but a different topic :)
15:37:18 <kpcyrd> is it? :)
15:37:45 * kpcyrd is still looking for the link to the fepitre's debian instance that I can't find right now
15:37:48 <h01ger> yes, one is documenting tools (like diffoscope or rebuilders) and one is documenting instances of rebuilders and their results
15:38:03 <h01ger> kpcyrd: beta.tests.reproducible-builds.org
15:38:16 <h01ger> kpcyrd: pretty new (like 1h), so not linked anywhere yet
15:38:51 <h01ger> r-b.o/who should have the link soo
15:38:54 <h01ger> r-b.o/who should have the link soon
15:39:05 <kpcyrd> putting them under the .reproducible-builds.org domain defeats the "independent" portion of "independent verification" and I'd discourage doing that
15:39:40 <fepitre> => https://rebuild.notset.fr
15:39:44 <h01ger> kpcyrd: sure, thats also why its beta
15:39:48 <fepitre> but I see your point
15:40:05 <h01ger> kpcyrd: and surely this instance should be listed as rebuild.notset.fr
15:41:24 <h01ger> beta.t.r-b.o is more a 'marketing idea' to generate excitement that we are finally doing it :) but its beta and should be replaced by proper tests.r-b.o soon (and then debian also should set up verification of debian builds). /me speaking as r-b holger here and as debian holger :)
15:42:11 <h01ger> beta.t.r-b.o should be gone by xmas or so.
15:42:18 <kpcyrd> prepare for "but what if reproducible-builds.org gets hacked" questions :P
15:42:47 <fepitre> that's not a problem in fact
15:42:58 * h01ger thinks he's well prepared for most r-b questions :)
15:42:58 <fepitre> if you plan to use in-toto metadata
15:43:05 <fepitre> you need to trust the underlying key
15:43:17 <fepitre> which is no way related to r-b.o
15:43:26 <h01ger> :)
15:43:53 <fepitre> got to go sorry, see you later
15:44:01 <sangy> well, that key can be signed by the d-o people, transitively no?
15:44:02 <h01ger> beta.t.r-b.o also prominently says its run by Frédéric Pierret :)
15:44:05 <h01ger> fepitre: o/
15:44:06 <sangy> but we can talk about it :D
15:44:12 <kpcyrd> fepitre: thanks, bye! :)
15:44:25 <h01ger> any other business?
15:44:40 <sangy> I'm more than happy to write out how this would work to provide transitive trust from r-b->debrebuild instances->worker nodes :)
15:45:23 <h01ger> yay!
15:45:39 <bmwiedemann> I noticed our monthly page for September is still quite empty. Is just less happening or did we forget to add things?
15:45:44 <sangy> h01ger: in a sense the magic is there, with the apt-transport being signed by somebody in r-b ;)
15:45:47 <sangy> is already there*
15:47:33 <h01ger> bmwiedemann: i didnt add mailinglist posts as lamby said he would be scanning the list archives anyway
15:47:37 <sangy> bmwiedemann: I think there is stuff happening, I wonder if we could do a review of what's going on based on some of these meeting topics/discussions/the ml
15:47:49 <sangy> ah there it is
15:47:56 <h01ger> and probably a bit less was happening in september
15:49:09 <bmwiedemann> I was also pretty busy on other topics
15:49:11 <sangy> there were a bunch of birthdays at least :P
15:49:36 <h01ger> :)
15:49:43 <h01ger> any other business?
15:51:23 <lamby> None here, except thanks to h01ger for running this meeting
15:51:42 <h01ger> :)
15:52:11 <h01ger> i guess we can then close this meeting now, under 1h \o/ :)
15:52:18 <vagrantc> thanks all!
15:52:28 * h01ger thanks everyone!
15:52:34 <sangy> thanks everyone!
15:52:43 <kpcyrd> thanks, bye!
15:53:22 <h01ger> #endmeeting