14:59:10 <h01ger> #startmeeting
14:59:10 <MeetBot> Meeting started Tue Feb 22 14:59:10 2022 UTC.  The chair is h01ger. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:59:10 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:59:34 <h01ger> welcome to this month's reproducible builds meeting
14:59:51 * vagrantc waves
15:00:00 <h01ger> agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep
15:00:32 <h01ger> #topic please say hi or otherwise indicate your presence. bonus points for some more words about your relation to r-b :)
15:00:47 * rclobus is Roland Clobus, working on reproducible live images
15:01:11 * bmwiedemann is Bernhard M. Wiedemann, working on openSUSE reproducible builds (incl upstream patches)
15:01:14 * h01ger = Holger Levsen, mostly working on tests.r-b.o and r-b debian, but also generally networking different r-b projects and people
15:02:07 * h01ger will wait some more minutes before starting with the actual agenda
15:03:07 * vagrantc Vagrant Cascadian, mostly working on debian
15:04:29 * kpcyrd = kpcyrd, rebuilderd, Arch Linux
15:04:45 * raboof Arnout Engelen, NixOS, JVM (Java/Scala) and misc :)
15:04:59 * h01ger is happy some people have showed up now :)
15:05:44 <h01ger> so let's start, you can still say hi if you join later
15:05:48 <h01ger> #topic short time slot for checkins from various projects
15:06:09 <h01ger> #topic short time slots: status update on Alpine Linux
15:06:27 <h01ger> Ariadne already said they wouldn't be here so i suppose we can skip this.
15:06:47 <h01ger> #topic short time slots: status update on Arch Linux rebuilder
15:06:56 <h01ger> kpcyrd: ^
15:07:14 <kpcyrd> I'm running out of savings and won't have much time for opensource in the foreseeable future
15:07:16 <kpcyrd> I have nothing else to report today
15:08:10 <bmwiedemann> :-(
15:08:37 <h01ger> #info kpcyrd is looking for funding for his awesome work and thus probably won't have that much time for that in the future.
15:09:06 <lamby> o/  (sorry; my alarm failed to go off!)
15:09:06 <h01ger> kpcyrd: that's unfortunate to say the least but it's good that you're letting us know..
15:09:29 <h01ger> lamby: o/ backlog is at the usual place on meetbot.debian.net, you didn't really miss much
15:09:31 <h01ger> #save
15:09:39 <lamby> reading. :)
15:10:11 * h01ger pings jelle & Foxboron in case they have other arch / rebuilder comments
15:10:37 <jelle> no comments, sorry
15:10:47 <h01ger> np at all
15:11:07 <h01ger> then let's move on
15:11:33 <h01ger> #topic short time slots: status update on snapshot.d.o mirror (fepitre)
15:11:59 <h01ger> fepitre isn't here sadly and i also don't know about any new developments here
15:12:34 <rclobus> I wrote a feature request, to know when the snapshot is truly completed.
15:12:43 <h01ger> oh nice
15:12:59 <h01ger> you mean the mirror run completed, i suppose?!
15:13:16 <rclobus> It was already sort-of implemented, the Release and InRelease files will be downloaded last.
15:13:50 * h01ger nods - but that wasn't working or?
15:14:14 <rclobus> However, when one of these last files cannot be downloaded, it still is not a complete indication that the snapshot is finished. I had one live-build image that didn't have the signed InRelease file yet.
15:14:44 <rclobus> A minor inconvenience...
15:15:06 <rclobus> #info https://github.com/fepitre/debian-snapshot/issues/11
15:15:19 <h01ger> :thumbsup:
15:16:12 <rclobus> Otherwise, it really works well :-)
15:16:12 <h01ger> next topic then..
15:16:22 <h01ger> :))
15:16:32 <h01ger> #topic short time slots: status update on Debian rebuilder (beta.tests.r-b.o) (h01ger)
15:16:56 <h01ger> no progress on this recently :/
15:18:11 * h01ger would like to work on this during some sprint..
15:18:24 <lamby> Hm, a sprint. :)
15:18:43 <h01ger> yes!
15:18:46 <h01ger> #topic short time slots: status update on Debian live-build (rclobus)
15:18:51 <rclobus> #info https://lists.debian.org/debian-live/2022/02/msg00015.html
15:19:01 <rclobus> I sent a summary earlier today.
15:19:06 <h01ger> :)
15:19:23 <rclobus> Last month I was working mainly on openQA, to have the generated images tested.
15:19:23 <bmwiedemann> nice work there.
15:19:48 <rclobus> The tests will be generic, so every bootable image can have its boot menu walked soon.
15:19:52 * h01ger didn't read it yet, i was busy in the (really) big blue room, but i look forward to reading it tonight
15:20:07 <bmwiedemann> If you get stuck with openQA, I know some people working on it.
15:20:15 <h01ger> and yes, awesome work getting this integrated into openQA
15:20:45 <rclobus> bmwiedemann: Thanks, I was planning to contact the openQA team anyway.
15:20:50 <danielsh> openQA = http://open.qa
15:21:05 <h01ger> #info https://open.qa
15:21:06 <rclobus> Debian's version: https://openqa.debian.net/
15:21:48 <h01ger> #info Debian's instance: https://openqa.debian.net
15:22:03 <h01ger> rclobus: anything else on this for now or should we move on?
15:22:31 <rclobus> Just one question: are we in a hurry to have patched in sid, or can the pending patches lay dormant for some more time?
15:22:47 <rclobus> i.e. are NMUs preferred?
15:22:47 <lamby> 'patched' ?
15:22:53 <rclobus> patches
15:23:23 <lamby> There is a process, but pending patches can indeed lay untouched for quite some time indeed.
15:23:40 <h01ger> rclobus: it depends a lot on the maintenance state of a package
15:23:57 <rclobus> Until then, the live-build repository will have a work-around :-)
15:24:08 <lamby> https://bugs.debian.org/777287  eg. 7+ years  ^_^
15:24:08 <h01ger> historically NMUs in debian were frowned upon but this culture is slowly changing
15:24:44 <h01ger> rclobus: in the debian live image case i think the core underlying problem is the debian-live vs live-build situation...
15:25:38 <rclobus> h01ger: True. That topic is out-of-scope for this meeting. I've already sent a gently ping regarding that topic.
15:25:49 <h01ger> rclobus: yup & top
15:25:50 <rclobus> :s/gently/gentle/
15:25:54 <h01ger> next topic then?
15:25:56 <rclobus> Yes.
15:26:02 * vagrantc growing the opinion to do more reproducible builds NMUs for really old packages without much activity
15:26:15 <h01ger> #topic short time slots: status update on F-Droid (obfusk)
15:26:32 <h01ger> obfusk or _hc are you there?
15:26:43 <_hc> hi
15:26:51 <h01ger> _hc: hi!
15:26:57 <h01ger> any news on r-b fdroid?
15:30:18 <h01ger> _hc: ?
15:31:36 <h01ger> ok, let's move on then.. happy to come back to fdroid later
15:31:55 <h01ger> #topic short time slots: status update on openSUSE (bmwiedemann)
15:32:04 <bmwiedemann> I have been looking into differences between consecutive openSUSE-NET isos and found initrd and grub-efi to be contributors. Did some debugging on grub-efi to find pesign to introduce nondeterminism.
15:32:14 <bmwiedemann> No easy fix so far.
15:33:01 <bmwiedemann> apart from that, just the usual operating of my rebuilder + test infra and occasional fixes linked in the monthly report.
15:33:24 <danielsh> do you have a link handy for more details on the pesign nondeterminism?
15:33:34 <danielsh> no worries if not
15:34:32 <bmwiedemann> I tried this patch: https://build.opensuse.org/package/view_file/home:bmwiedemann:reproducible:test/pesign/sde.patch
15:35:09 <h01ger> TIL: pesign :)
15:35:26 <danielsh> thanks.
15:35:32 <h01ger> https://github.com/rhinstaller/pesign - signing utility for UEFI binaries
15:35:35 <danielsh> hard to comment on that without seeing the build diff first.
15:35:43 <danielsh> anyway we can pick this up afterwards
15:35:49 <danielsh> thanks for the link :)
15:35:59 <bmwiedemann> and https://github.com/bmwiedemann/pesign-obs-integration/commit/6f9cc8567b8369cd1770ac7c4a08a7fb5ddfd603
15:36:17 <h01ger> bmwiedemann: thanks for the updates!
15:36:29 <h01ger> next topic i suppose?
15:36:48 <danielsh> (+1 from me)
15:36:51 <bmwiedemann> Next, please
15:37:13 <h01ger> :)
15:37:30 <h01ger> #topic short time slots: status update on rebuilderd (kpcyrd)
15:37:42 <h01ger> kpcyrd: no news neither, i suppose?
15:38:14 <h01ger> (and should we rename the topics into "Archlinux" (the distro) and 'rebuilderd' (the software)?)
15:41:29 <h01ger> seems we're all a bit in winter sleep / hibernation mode
15:41:37 <h01ger> :)
15:41:44 <h01ger> #topic r-b summit 2022 (mapreri)
15:41:53 <h01ger> mapreri: are you there?
15:43:57 <h01ger> hmmm
15:44:56 <h01ger> #topic https://pad.sfconservancy.org/p/grow-r-b-debian
15:45:43 * h01ger is happy ideas were collected in this pad, now they need to get submitted to the questionnaire
15:46:29 <h01ger> #topic any other business (AOB)
15:47:51 <lamby> There's a https://gitbom.dev/ meeting later today (11AM PT) if anyone is interested in that
15:48:30 <vagrantc> i made a post asking about getting gnome package set reproducibility, had some response from gnome upstream folks: https://floss.social/web/@vagrantc/107837729150057068
15:48:30 <lamby> ("git-based .buildinfo database" might be a 3-word summary)
15:48:40 <h01ger> where's the meeting taking place?
15:48:59 <h01ger> lamby: oh shiny
15:49:32 <lamby> h01ger: Zoom. Details on https://gitbom.dev/community/ I think
15:49:38 <vagrantc> curious if other distros have package sets like gnome, kde, etc. and the relative reproducibility of these sets
15:50:03 <h01ger> lamby: thanks
15:50:05 <h01ger> vagrantc: afaik not
15:50:53 <vagrantc> e.g. would love to spur on a healthy competition with major desktop environments to make them reproducible :)
15:51:01 <h01ger> :)
15:51:07 <h01ger> another topic: i'm wondering: what's your opinion on this meeting, mostly wondering whether you think this is a useful way to spend your time? i'd hope so, as (i'd think that) most of you can multitask and do other stuff during the meeting, yet get informed about developments with being able to ask/discuss too. but i'd like to know a bit better what you think, not what i think you think?
15:52:20 <danielsh> vagrantc, you don't need the distros themselves to define sets in order to do that
15:52:58 <vagrantc> it definitely gets me up early at least once a month  ... it's pretty variable ... some meetings feel a little sparse, some meetings feel a little more lively and content-dense
15:52:59 <lamby> Although am not very talkative today, I like seeing folks here, and find it somewhat motivational. This is something not easily captured in the minutes or scrollback.
15:53:00 <bmwiedemann> h01ger: I think it is useful. Though often, Thu or Fri would work better for me.
15:53:18 <rclobus> Having this meeting on a monthly basis is OK for me. It's nice to see what's going on, and to have the progress presented with a few lines per topic.
15:53:40 <vagrantc> danielsh: yeah, though i'm less familiar with other distro infrastructure and the right way to start making something like that
15:54:20 <vagrantc> danielsh: so would be happy to either see it already done, or maybe nudge people already working on such infrastructure to make a go of it :)
15:55:04 <danielsh> personally I'd have preferred a bit less "wait time" between topics... but maybe it's just me
15:55:10 <vagrantc> i definitely make a point of being available for the meeting and have the flexibility to do it
15:55:11 * h01ger is happy about your feedback about the meeting's usefulness. i'd obviously also appreciate ideas to improve it
15:55:26 <danielsh> vagrantc, guess you'll want something to map package names between distro.  repology might have something like that?
15:55:37 <vagrantc> danielsh: maybe
15:55:37 <sangy> lamby: I think that's one way to put gitbom. I'm curious to see how it actually materializes in terms of internals
15:56:10 <h01ger> danielsh: true. gaps between topics are hard to navigate, as there's no way to see if some people are still typing, thinking or not interested
15:56:30 <vagrantc> danielsh: but even then, some distros might have "meta-packages" of highly variable names ... i guess one approach would be to target the upstream components only (i think debian's current package sets also include many non-upstream gnome components, for example)
15:56:36 <danielsh> h01ger, I normally ask people to type "." if they'd like the chair to wait for them to finish typing
15:57:24 <danielsh> vagrantc, yeah, targeting upstream components only makes a lot of sense for inter-distro compares...
15:57:43 <danielsh> vagrantc, why not start with packages that have predictable names?  E.g., "git" is named that everywhere, probably
15:58:02 <h01ger> danielsh: that helps but doesn't help with others chiming in. but finishing lines with a dot is a good habit.
15:58:06 <vagrantc> well, can't imagine the "git" package set is very large :)
15:58:10 <bmwiedemann> danielsh: we have "git-core" instead
15:58:20 <danielsh> h01ger, I mean literally send a \n.\n if one is typing,
15:58:22 <bmwiedemann> (or rather in addition)
15:58:29 <danielsh> h01ger, that's a different convention to the . at the end of one's last line.
15:58:32 <h01ger> we need this package name mapping for sharing notes too
15:58:45 <danielsh> people will use it for other things too
15:58:48 <vagrantc> there's http://ismypackagereproducibleyet.org/ ... which might need some mapping features for better cross-distro comparison?
15:58:51 <danielsh> eg compare which distro has the most bugs filed
15:58:57 <danielsh> (people outside r-b)
15:59:13 <bmwiedemann> there is a MITRE project to have unique identifiers for projects
15:59:16 <h01ger> danielsh: sure. but still, while we discuss this and have finished (and indicated so), others might have just started typing and then press enter when we just started a new topic and then we have two topics at once going on...
15:59:39 <h01ger> (where we=daniel and me, as an example)
15:59:47 <h01ger> (for the first we..)
15:59:48 <danielsh> h01ger, that's the CAP theorem, isn't it?
15:59:48 <vagrantc> the nature of irc makes it hard to not occasionally fork conversation
15:59:58 <danielsh> h01ger, worst case we #undo the #topic and wait a minute, no?
16:00:38 <h01ger> danielsh: undoing a topic rarely works. half the people undo the change and others don't and we still discuss two topics. but, hey, i will try to switch topics faster and see how that goes.
16:00:38 <danielsh> and after a minute move on to the next topic
16:00:39 <h01ger> .
16:00:52 <danielsh> ty h01ger
16:01:01 <h01ger> bmwiedemann: do you know more about that MITRE project, eg name or url? :)
16:01:29 <danielsh> do most distros have, say, an "Upstream homepage" metadatum?
16:01:34 <danielsh> or "Upstream VCS URL" ?
16:01:47 <danielsh> that'd approximate a unique identifier
16:01:58 <sangy> danielsh: that'd be close to a pURL. So maybe?
16:02:01 <vagrantc> as long as people pick the same page/vcs links :)
16:02:05 <danielsh> (not necessarily, one repo might have multiple projects, but it's a start)
16:02:18 <bmwiedemann> cpe.mitre.org sounds like it
16:02:27 <h01ger> #info cpe.mitre.org
16:02:33 <h01ger> thanks
16:03:17 <sangy> (CPEs are kinda iffy, but yeah there's a whole world of things to look at in terms of "unique identifiers for software artifacts")
16:03:36 <bmwiedemann> at least our .spec files have a URL and Sources can include a URL, too but sometimes they point to the project webpage and sometimes to github, so it is not a one-to-one mapping
16:03:44 <danielsh> actually, the upstream PGP signature could be used, couldn't it?
16:03:50 <danielsh> it's unique pretty much by definition
16:04:03 <h01ger> many upstreams don't use pgp sigs :)
16:04:07 <bmwiedemann> except that so many projects don't publish them
16:04:11 <danielsh> (I have a feeling if we do this we'll learn more than we want to know about the openpgp standard internals)
16:04:12 <sangy> and things can be re-signed as well
16:04:12 <vagrantc> bmwiedemann: yeah, similar for debian whether it's a vcs or homepage url
16:04:31 <danielsh> conceded that not everyone signs. but for those who do, the pgp sig is by definition unforgeable, hence unique
16:05:09 <danielsh> (pgpdump --list-packets, gpg --enarmor, et al)
16:05:16 <sangy> danielsh: unforgeable != unique
16:05:17 <vagrantc> and things get repacked as well, losing the signature...
16:05:27 <sangy> a same entity can sign twice f.e.,
16:06:02 <h01ger> any OTHER business? :)
16:06:07 <danielsh> sangy, ack
16:06:13 <bmwiedemann> would it make sense to have an entity to sign all upstream tarballs - similar to how I import SVN repos into https://github.com/gitmirrors2/
16:06:28 <danielsh> an entity to sign what set of tarballs?
16:06:45 <sangy> h01ger: I'm looking to hire a developer for my lab. Mostly it's OSS work around rebuilderd, sre and working towards in-toto + rebuilderd integration
16:06:56 <sangy> preferably US based, but I can see what I can do
16:07:01 <h01ger> sangy: did you ask kpcyrd ? ah
16:07:33 <sangy> h01ger: I've told them, overall that'd be a great fit, but it'd be hard for me to pay in DE
16:07:33 <h01ger> sangy: what's your lab again? (for the log :)
16:07:35 <danielsh> sangy, full time? part time?
16:07:46 <bmwiedemann> danielsh: all releases that might end up in a distribution. There is the release-monitoring website that might be helpful to locate new tarballs
16:07:48 <h01ger> sangy: as a contractor?
16:07:50 <sangy> trustworthy software ecosystems lab (TSEL) https://lab.seal.purdue.wtf
16:07:55 <sangy> no contractor, as staff in the lab
16:07:58 <sangy> danielsh: full time :D
16:08:09 <danielsh> sangy, *nod*
16:08:40 <danielsh> bmwiedemann, OK... so suppose such an entity existed, what then?  I.e. what's the use case?
16:08:47 <lamby> sangy: Sounds fun. :-)
16:08:51 <h01ger> #info sangy is looking to hire a developer for trustworthy software ecosystems lab (TSEL) https://lab.seal.purdue.wtf full time. Mostly it's OSS work around rebuilderd, sre and working towards in-toto + rebuilderd integration
16:09:04 <sangy> lamby: it should be :D
16:09:07 <danielsh> bmwiedemann, release-monitoring.org ?
16:09:12 * h01ger grins at an official university team under a .wtf domain
16:09:37 <bmwiedemann> yes
16:10:12 <sangy> :D
16:10:48 <sangy> h01ger: I'll hold to it until I'm scolded about it
16:10:57 <h01ger> :)
16:11:03 <h01ger> any other business?
16:11:21 <danielsh> next meeting is... Mar 29 ?
16:11:31 <h01ger> last tuesday of the month, 15 utc
16:11:41 <h01ger> so march 29th 2022 seems right :)
16:11:48 <vagrantc> h01ger: thanks for keeping these meetings going :)
16:11:52 <danielsh> +1
16:11:56 <bmwiedemann> 2022-03-29 15:00 that is
16:12:00 <lamby> vagrantc: +1
16:12:01 <sangy> yeah happy to see them!
16:12:09 <h01ger> :) thanks!
16:12:27 * h01ger thanks everyone for attending&contributing too!
16:12:30 <bmwiedemann> CU then
16:12:35 <h01ger> closing the log in 2min :)
16:12:44 * h01ger waves
16:13:02 <sangy> See you all next time around :)
16:13:08 <raboof> o/
16:14:24 <h01ger> #endmeeting