15:00:20 #startmeeting 15:00:20 Meeting started Tue Sep 28 15:00:20 2021 UTC. The chair is h01ger. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:20 Useful Commands: #action #agreed #help #info #idea #link #topic. 15:00:39 #topic welcome to this monthly meeting, please briefly introduce yourself or update us on recent or planned projects 15:01:11 * h01ger = Holger Levsen, caring for tests.r-b.o and getting us thru this meeting :) 15:01:22 the agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep 15:01:29 feel free to add & edit, please 15:01:35 * lamby is Chris Lamb, most working on Debian and diffoscope these last few weeks. 15:01:46 (though maybe /msg me of late changes now) 15:01:50 * marmarek = Marek Marczykowski-Górecki, Qubes OS 15:01:58 * vagrantc = Vagrant Cascadian ... mostly debian and cheerleading various reproducible builds efforts 15:02:01 the meetings are supposed to last between 1-2h, maybe rather an hour, but we have lots of time (just after 23-42m on one topic we move on anyway), though of course we aim to keep them short. 15:02:03 * fepitre = Frédéric Pierret, Qubes OS 15:02:28 * bmwiedemann is Bernhard M. Wiedemann, working on reproducible builds for openSUSE (and some SUSE OSes) 15:03:35 * kpcyrd kpcyrd = kpcyrd, independent contractor, rebuilderd, Arch Linux 15:04:34 * jelle = Jelle van der Waa, Arch Linux reproducible things 15:05:02 * h01ger is happy to see so many nicks here again 15:05:21 :) 15:05:34 sangy = Santiago Torres-Arias, Professor at purdue and overall supply chain security person 15:05:45 Assistant Professor, for the record, I Don't have tenure :) 15:06:00 /nick prof_sangy :) 15:06:16 haha :D 15:07:17 i suppose we can start... anyone joining late please do introduce yourself briefly if you feel like it... and thanks to everyone doing so, its especially nice for those new people being around or reading this in the logs.. 15:07:27 * foka = Anthony Fok, mostly working with the Debian Go Packaging Team. First time to the reproducibility meeting. Slowly learning. :-) 15:07:45 hi foka, great to have you here! 15:08:08 #topic short time slots for checkins from various projects 15:08:30 #topic short time slots: status update on Alpine 15:08:38 Ariadne: anything to report? 15:08:46 #save 15:09:10 Hi h01ger! I am glad to hear your talk during DebConf 21! 15:09:18 gunner: hi gunner. backlog is at http://meetbot.debian.net/reproducible-builds/2021/reproducible-builds.2021-09-28-15.00.log.html 15:09:28 have been busy with openssl 3, so haven’t had much time to work on finishing the buildinfo yet 15:09:28 hello and thanks! 15:09:36 foka: great 15:10:13 Ariadne: ah, ok. hoping for more news next month(s) then :) 15:10:18 (openssl 3 is a higher priority objective for us due to the improved license) 15:10:25 yes, next month :) 15:10:27 * h01ger nods, sure 15:10:46 #topic short time slots: status update on Arch Linux rebuilder 15:10:54 kpcyrd: ^ 15:11:00 pacman 6.0.1 released with a patch by Allan McRae for reproducible python bytecode with makepkg 15:11:06 nobody had time to upload the python packages with the new devtools version due to a funding gap for reproducible archlinu 15:11:15 #info pacman 6.0.1 released with a patch by Allan McRae for reproducible python bytecode with makepkg 15:11:33 (anyone can use the #info command, it just needs to be at the beginning of the line) 15:11:49 jelle and Aditya upgraded the instances to the latest rebuilderd version 15:12:06 nice 15:12:09 that's it 15:12:18 :thumbsup: 15:12:39 #topic short time slots: status update on Debian / snapshot.d.o mirror 15:12:45 fepitre: ^ (&myself) 15:13:01 For snapshot service side: 15:13:07 1) snapshot.notset.fr is really handling this big rebuild very nicely. I've mostly 40 rebuilders running since the beginning and I've not noticed any infrastructure failure so far. Only missing files that I'm in progress to solve by provisioning DB differently. Original problem explained here: https://github.com/fepitre/debian-snapshot/commit/572309a826e03e4d1ead419e65ad1e85409ed01b 15:13:23 (copy what I wrote in ml) 15:13:33 from API side, I've added 15:13:43 support for downloading file by sha256 15:13:45 the osuosl mirror of that mirror at fepitre's house is in the process of being set up, last week it was a bit stalled on osuosl's admins being busy with other stuff, but the discs have arrived and they should have the machine ready for us soon 15:14:01 direct download: https://snapshot.notset.fr/by-hash/SHA256/9c94e113ef655abc58a4f8f6c71e3a71e4df0155a9b306ece76eeed17cd7cb9f 15:14:07 redirected download with filename (first location found): https://snapshot.notset.fr/mr/file/9c94e113ef655abc58a4f8f6c71e3a71e4df0155a9b306ece76eeed17cd7cb9f/download 15:14:15 fepitre: wheehoo, thats awesome! 15:14:22 typically I'm using the latter 15:14:27 for computing diffoscope 15:14:37 when I've got an unreproducible builds 15:14:43 just getting files by hash directly 15:14:53 that's all for me for snapshot service 15:14:59 nice 15:15:09 #info API side got support for downloading file by sha256, eg https://snapshot.notset.fr/by-hash/SHA256/9c94e113ef655abc58a4f8f6c71e3a71e4df0155a9b306ece76eeed17cd7cb9f 15:15:21 #info or redirected download with filename (first location found): https://snapshot.notset.fr/mr/file/9c94e113ef655abc58a4f8f6c71e3a71e4df0155a9b306ece76eeed17cd7cb9f/download 15:15:25 * vagrantc dances happily 15:15:31 You also announced https://rebuild.notset.fr/ on the ML 15:15:32 very cool! 15:15:44 * fepitre lets h01ger speaking of rebuilding results :) 15:15:47 * marmarek \o/ 15:15:55 #topic short time slots: status update on Debian rebuilder 15:16:26 #info https://beta.tests.reproducible-builds.org/ is now another frontend view of https://rebuild.notset.fr/ 15:16:39 showing Debian and Qubes results 15:17:01 and is what we discussed on the list as alpha.t.r-b.o or practice.t.r-b.o 15:17:16 I'm also speaking for josch, he recently made a migration of metasnap 15:17:31 (and which then i decided today to become 'beta', as 'alpha' sounds worse and 'practise' has the problem of US/UK spelling 15:17:35 which allows to intensively get minimal timestamp set 15:17:36 ) 15:18:20 Now you can get results 15:18:21 very, very, very excited :) 15:18:26 in-toto metadata 15:18:36 \o/ 15:18:37 (links of "links" are on the result page too) 15:18:42 thats all about rebuilders from me for now. the plan is still to set up both kpcyrd and fepitre rebuilders on t.r-b.o but no progress has been made on that yet 15:18:55 reproducible/unreproducible metadata are signed with different keys 15:19:07 thats also a very nice idea, marmarek :) 15:19:09 fepitre: oh, nice :) 15:19:12 * sangy FWIW I love there are two rebuilder projects, so as to ensure rebuild diversity 15:19:12 so you can't get wrong 15:19:42 yes thank you marmarek for the suggestion! 15:19:55 #info josch made a migration of metasnap which allows to intensively get minimal timestamp set 15:20:05 and I've added diffoscope log yesterday too on results page 15:20:10 h01ger: it's currently recommended to use arch linux to rebuild arch linux, rebuilderd is packaged there and it should just work™ 15:20:16 so people, no excuse to get what's wrong on Debian packages :D 15:20:41 kpcyrd: i fear i'll first try to rebuild debian but if you steer me in the arch direction first... 15:20:56 shall we move on on the agenda? 15:21:02 yes I'm done :) 15:21:12 h01ger: rebuilderd can't rebuild debian yet 15:21:37 kpcyrd: ah, ok, then i misunderstood you for months. and i also thought sangy used it to do that?!? 15:21:37 kpcyrd: is this ticketized? I can perhaps point some students of mine in that direction 15:21:53 * h01ger grins and thumbsup 15:22:10 h01ger: there are bits that are working iiuc, but I think it needs to fix a couple of bits for it to be up and running 15:22:13 there's a tracking issue that needs to be updated: https://github.com/kpcyrd/rebuilderd/issues/4 15:23:05 * h01ger suggests sangy and kpcyrd discuss this after the meeting or via /msg or via that issue :) 15:24:05 #topic short time slots: status update on Debian / live-images 15:24:34 #info rclobus sent an update to the mailing list 15:25:00 #info https://lists.reproducible-builds.org/pipermail/rb-general/2021-September/002387.html 15:25:15 #topic short time slots: status update on F-Droid 15:25:15 👍 15:25:54 obfusk couldnt make the meeting this time. no f-droid news to report from his end. he wished us fun. 15:26:22 #topic short time slots: status update on i-probably-didnt-backdoor-this 15:26:39 as its striked through in the agenda, i guess kpcyrd has no news on this fantastic project :) 15:26:45 this isn't really a project with monthly news, it's more of a documentation project for how certain milestones work 15:26:47 the issue I mentioned the last time was due to a missing backslack while I prepared the project for release 15:26:56 *backslash 15:27:16 ok, removed from the agenda for next month. feel free to add it back anytime 15:27:39 #topic short time slots: status update on rebuilderd: status update 15:27:42 kpcyrd: ^ 15:28:01 rebuilderd released 0.14.0, 0.14.1 and 0.14.2 15:28:03 the rebuilderd instances are now generating and distributing in-toto attestations with the code contributed by Joy Liu and Aditya Sirish 15:28:05 there's also experimental support for tails images (but not IUKs) and a status table what's supported (like debian being "planned"), which backend is used and if the backend needs stuff like CAP_SYS_ADMIN or kvm: https://github.com/kpcyrd/rebuilderd#status 15:28:07 development also slowed down due to a funding gap 15:28:59 #info the rebuilderd instances are now generating and distributing in-toto attestations and experimental support for tails images and more. check the full log 15:29:16 #info https://github.com/kpcyrd/rebuilderd#status 15:29:21 Can you quickly elaborate on why the backend needs CAP_SYS_ADMIN (or similar) to build packages? 15:29:25 pretty nice 15:30:18 lamby: yes, the rebuild backends often use containers themselves and need to be able to use mount(2) 15:30:26 * h01ger is surprised the status table has 'doesnt need' instead of 'needs' :) 15:30:50 "needs kvm" is a bit of an anti-feature 15:31:10 * h01ger nods, still it reads strange at first 15:31:22 CAP_SYS_ADMIN is not mentioned in that table nor readme 15:31:34 the --privileged column 15:31:59 * h01ger nods. i understood, i was trying to suggest an improvement 15:32:33 :) 15:32:49 anything else on this? 15:32:54 that's it 15:33:02 :thumbsup: & thank you 15:33:08 ah, rebuilderd is now packaged in alpine [testing] 15:33:15 :) 15:33:21 #topic r-b ecosystem 15:33:25 lamby: ^ 15:33:44 Nothing to report here. I should have removed it from the agenda; sorry. 15:33:52 np 15:34:14 #topic r-b.o/docs/rebuilders and conflict with r-b.o/tools 15:34:30 nothing to report on that topic neither. its still open and to be resolved... 15:34:55 #topic any other business 15:34:55 I'm suggesting to move the list from the wiki page I linked to the r-b website 15:35:41 +1 for consolidation of reproducible docs in general :) 15:35:48 kpcyrd: i like that 15:36:11 maybe docs/rebuilders is useless and all should be listed under /tools 15:36:25 actually 15:36:27 #maybe# 15:36:37 rebuilders are very much important tools of r-b.o, or?!! 15:36:57 I think the actual deployments should be listed more publicly 15:37:09 i think thats true but a different topic :) 15:37:18 is it? :) 15:37:45 * kpcyrd is still looking for the link to the fepitre's debian instance that I can't find right now 15:37:48 yes, one is documenting tools (like diffoscope or rebuilders) and one is documenting instances of rebuilders and their results 15:38:03 kpcyrd: beta.tests.reproducible-builds.org 15:38:16 kpcyrd: pretty new (like 1h), so not linked anywhere yet 15:38:51 r-b.o/who should have the link soo 15:38:54 r-b.o/who should have the link soon 15:39:05 putting them under the .reproducible-builds.org domain defeats the "independent" portion of "independent verification" and I'd discourage doing that 15:39:40 => https://rebuild.notset.fr 15:39:44 kpcyrd: sure, thats also why its beta 15:39:48 but I see your point 15:40:05 kpcyrd: and surely this instance should be listed as rebuild.notset.fr 15:41:24 beta.t.r-b.o is more a 'marketing idea' to generate excitement that we are finally doing it :) but its beta and should be replaced by proper tests.r-b.o soon (and then debian also should set up verification of debian builds). /me speaking as r-b holger here and as debian holger :) 15:42:11 beta.t.r-b.o should be gone by xmas or so. 15:42:18 prepare for "but what if reproducible-builds.org gets hacked" questions :P 15:42:47 that's not a problem in fact 15:42:58 * h01ger thinks he's well prepared for most r-b questions :) 15:42:58 if you plan to use in-toto metadata 15:43:05 you need to trust the underlying key 15:43:17 which is no way related to r-b.o 15:43:26 :) 15:43:53 got to go sorry, see you later 15:44:01 well, that key can be signed by the d-o people, transitively no? 15:44:02 beta.t.r-b.o also prominently says its run by Frédéric Pierret :) 15:44:05 fepitre: o/ 15:44:06 but we can talk about it :D 15:44:12 fepitre: thanks, bye! :) 15:44:25 any other business? 15:44:40 I'm more than ahpy to write out how this would work to provide transitive trust from r-b->debrebuild instances->worker nodes :) 15:45:23 yay! 15:45:39 I noticed our monthly page for September is still quite empty. Is just less happening or did we forget to add things? 15:45:44 h01ger: in a sense the magic is there, with the apt-transport being signed by somebody in r-b ;) 15:45:47 is already there* 15:47:33 bmwiedemann: i didnt add mailinglist posts as lamby said he would be scanning the list archives anyway 15:47:37 bmwiedemann: I think there is stuff happening, I wonder if we could do a review of what's going on based on some of these meeting topics/discussions/the ml 15:47:49 ah there it is 15:47:56 and probably a bit less was happening in september 15:49:09 I was also pretty busy on other topics 15:49:11 there were a bunch of birthdays at least :P 15:49:36 :) 15:49:43 any other business? 15:51:23 None here, except thanks to h01ger for running this meeting 15:51:42 :) 15:52:11 i guess we can then close this meeting now, under 1h \o/ :) 15:52:18 thanks all! 15:52:28 * h01ger thanks everyone! 15:52:34 thanks everyone! 15:52:43 thanks, bye! 15:53:22 #endmeeting