14:59:20 #startmeeting reproducible-builds.org monthly IRC meeting
14:59:20 Meeting started Tue Mar 29 14:59:20 2022 UTC. The chair is h01ger. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:59:20 Useful Commands: #action #agreed #help #info #idea #link #topic.
14:59:31 #topic welcome to this monthly meeting, please briefly introduce yourself or update us on recent or planned projects
14:59:45 https://pad.riseup.net/p/rb-irc-meetings-keep has the agenda
15:00:12 * h01ger is Holger Levsen, working on this and that for reproducible-builds.org - i'm also your host today :)
15:00:21 * rclobus is Roland Clobus, working on live ISO images as generated by live-build
15:00:39 * sangy is Santiago Torres-Arias. Assistant Professor at Purdue University, doing work on all things software supply chain security
15:00:40 * aparcar[m] works on OpenWrt
15:01:00 * lamby is Chris Lamb, also working on this and that, here and there, in and around Reproducible Builds and Debian :)
15:01:13 :)
15:01:31 * vagrantc is Vagrant Cascadian ... Reproducible Builds mostly in Debian with a hint of guix
15:02:26 * h01ger will wait til 17:05 until we really start. feel free to edit the agenda til then or to fetch a beverage or some such
15:02:44 * boklm is Nicolas, working on tor browser (reproducible) builds
15:02:44 * lamby has tea.
15:03:32 * Foxboron is Morten Linderud. F/OSS developer and working on Arch Linux
15:05:11 ok, lets start! if you arrived later, please still feel welcome to introduce yourself!
15:05:26 #topic short time slots for checkins from various projects
15:05:54 also, feel free to ping me to ask for such a short slot if you have exciting news about something but forgot to add it to the agenda
15:05:59 or just edit the agenda
15:06:16 #topic short time slots: Alpine Linux ( Ariadne )
15:06:35 Ariadne said they would be afk during the meeting so i suppose no news here.
15:07:05 we're working on 3.16 release, but i have written some tools at chainguard that i hope will be used to make alpine's docker images reproducible
15:07:15 oh, hi! :))
15:07:24 & with awesome news!
15:07:44 chainguard is your workplace or?
15:07:50 yes
15:08:00 * h01ger nods
15:08:24 so maybe we'll see the headline "alpine 3.16 docker releases images bit for bit reproducible"?
15:08:39 Ah that would be great :)
15:08:43 when is that release roughly planned? this year? next week?
15:10:59 Ariadne: ^ ?
15:11:30 ok, let's assume "when it's ready" and move on ;)
15:11:52 I guess Ariadne is afk now, or doesn't want to commit to a timeline. I believe they are quite close to something though :)
15:11:56 https://gitlab.alpinelinux.org/alpine/tsc/-/issues/40 has goals, not dates, AFAICT
15:12:11 #topic short time slots: Arch Linux (jelle, Foxboron, kpcyrd)
15:12:47 the topic formerly also had rebuilder in it... but thats explicitly another topic
15:13:09 So, Arch Linux is chugging along fine.
15:13:42 + note there, I'd appreciate some help with the arch rebuilder @ Purdue. Anybody interested please send me an email/dm and I'd be happy to see how we can help you get the most out of it...
15:13:45 We've some dip in recent percentage of reproducible packages (86% now, used to be closer to 90%) but some of it is infrastructure related issues. The most important part is that gcc and the toolchain is reproducible again with a new maintainer :)
15:14:11 #info sangy appreciates some help with the arch rebuilder @ Purdue. Anybody interested please contact sangy
15:14:22 We had some issues around the order we bootstrapped our toolchain. https://bugs.archlinux.org/task/70954
15:14:45 Foxboron: interesting
15:15:00 #info issues around the order we bootstrapped our toolchain: https://bugs.archlinux.org/task/70954
15:15:53 thanks for the update, Foxboron & sangy
15:16:22 #topic short time slots: Debian snapshot.d.o mirror status (fepitre)
15:17:00 afaik there are no major updates here, the mirror is running, fepitre did some work on issues reported by rclobus
15:18:03 snapshot.d.o is working fine for my purpose :-) The issue I reported turned out to be a non-issue.
15:18:17 coolio
15:18:21 Everything was working fine already.
15:18:43 #topic short time slots: Debian beta.t.r-b.o status update (h01ger)
15:19:26 this is running fine too, however no progress for moving to more powerful hw or improving eg the presentation layer
15:19:43 isn't the presentation layer based on javascript?
15:19:55 partly yes
15:19:59 I tried b.t.r-b.o and it was a bit sluggish
15:20:11 what are the parts in the back? The graph generation?
15:20:50 aparcar[m]: https://github.com/fepitre/package-rebuilder is powering that site
15:21:32 thanks I haven't checked that out yet
15:21:58 are there plans to move more distros over there? (I reworked some OpenWrt rebuilder to generate a compatible JSON file)
15:21:58 * h01ger switches to the next topic, trying to incorporate feedback from the last irc meeting (to move on faster)
15:21:59 having not looked at the code, the "obvious" thing would be to break it up into more fine-grained views (e.g. not all of the charts on a single page)
15:22:07 vagrantc: yup
15:22:23 #topic short time slots: Debian: live-build (rclobus)
15:22:31 rclobus sent another update to our mailing list
15:22:32 As usual, I've prepared a summary that was sent to the mailing list
15:22:36 #info https://lists.reproducible-builds.org/pipermail/rb-general/2022-March/002530.html
15:22:38 \o/
15:22:45 I'm currently hindered by the Python 3.10 migration in sid, it prevents new live images from being generated and Jenkins is red.
15:22:51 rclobus: thanks for pounding away at all that :)
15:23:18 My primary focus for last month was on the functionality of the reproducible images.
15:23:22 For sid and bookworm I rebuild the Debian Installer images myself (the Debian archive will (nearly) always be out-of-date) and I started testing in a (local) openQA instance.
15:23:29 * sangy needs to run now, will catch up with the rest later. cheers!
15:23:31 cool
15:23:34 sangy: o/
15:23:59 It's good if the image is reproducible, but it should work properly as well :-)
15:24:20 * h01ger nods - anything else?
15:24:35 That's it from my side.
15:24:35 rclobus: does each build build its own debian-installer image? and are they coming out reproducible?
15:25:02 vagrantc: The debian-installer images are nearly reproducible...
15:25:32 They only have libgcc-s1 from the host, I'm looking into that. Everything else from from snapshot.notset.fr
15:25:58 :s/from from/comes from/
15:26:11 thanks
15:26:16 #topic short time slots: FDroid ( obfusk hc _hc )
15:26:18 rclobus: you might want to get in touch with aurel32 if you need advice in that area; he did most of the work around libc udebs in the past.
15:26:34 kibi: Thanks
15:26:45 * h01ger holds the line, either for more debian live stuff or FDroid updates
15:27:15 <_hc> nothing particular to report. We just had the Guardian Project meeting here in Vienna at the magdas hotel. It would be a nice place for the RB meeting too, if it is not too large
15:28:04 _hc: i'd definitely want to talk to you more about an rb meeting in vienna... (later/in a bit)
15:28:27 so next
15:28:35 #topic short time slots: rebuilder ( kpcyrd )
15:28:52 kpcyrd indicated they would be absent...
15:29:08 updates from anyone else?
15:29:29 * h01ger missed the suse topic and will move on to that in a minute
15:29:36 I added a minor topic
15:29:59 aparcar[m]: noted, thanks
15:30:32 #topic short time slots: openSUSE ( bmwiedemann )
15:31:40 bmwiedemann: ?
15:32:54 * h01ger has seen many patches via the monthly blog and is supposing openSuSE is doing well
15:33:17 also there's a meeting coming up in Nuremberg.. maybe bmwiedemann can send us updates later on this one too
15:33:41 #topic short time slots: OpenWrt / reboot of rebuilder ( aparcar[m] )
15:33:47 I gave the OpenWrt rebuilder another spin. It rebuilds the upstream provided binaries and runs diffoscope in case of issues. I'm using the GitHub CI since it's free for now but since it's a python script it can run anywhere. I'd like to collaborate with someone working on b.t.r-b.o to have a nice interface for the tests. Also while working on it the diffoscope support for our uboot images is rather limited, it has a tendency of
15:33:47 just dumping raw data rather than unpacking the contents.
15:34:18 So working with lamby on that would be great
15:34:30 :-)
15:34:41 aparcar[m]: the openwrt rebuilder is yet another rebuilder software named rebuilder? or is it based on kpcyrd's rebuilder or fepitre's rebuilder?
15:34:53 and YAY in the first place
15:35:10 h01ger: it's yet another one since OpenWrt really rebuilds _everything_ on each run, not just single packages
15:35:52 aparcar[m]: nods
15:36:11 I'm happy to name it differently, right now it's called openwrt-rebuilder
15:36:17 i would also welcome improving uboot support in diffoscope :)
15:36:29 aparcar[m]: if you name it, please call it something else. rebuilderito. rebuildy. remaker. peter. maria. whatever.
15:36:45 openwrt-rebuilder is kinda ok, i guess ;)
15:36:53 it's just a script, not a fancy tool like the rebuilder
15:37:05 h01ger: lol
15:37:05 python is just for convenience, could be shell, too
15:37:10 thats how they all start. and soon you have an editor and then an OS
15:37:18 fair
15:37:26 I'll go with rebuilderito then
15:37:32 hahaha
15:38:16 oh and another thing, I added "unsigned" checksums to our build artifacts, meaning it's now possible to compare builds even if both build hosts used different signing keys
15:38:39 before one would download the others firmware, replace the signature etc
15:38:53 aparcar[m]: and then in the longer run it would be great if we can fetch the results somehow to display them under some t.r-b.o url, but thats something for later (and definitely a detail not needed to be discussed in such a meeting)
15:39:11 yea ty for the timeslot
15:39:19 I've seen that patch, I was confused by the term 'unsigned'. Now I understand that it means 'before-signing'.
15:39:58 aparcar[m]: i find it fascinating that we now have another kind of results: unsigned, signed and normally-signed-but-now-unsigned. (and i do think they all make sense)
15:39:59 yea there was a bit of confusion how to call it and if to put the checksum algorithm in the key itself or not, I guess I need to read a book about API design
15:40:29 well normally_signed and unsigned should be the same
15:40:49 externally signed vs. internally signed?
15:41:01 detached vs. embedded signatures ...
15:41:05 now we just have a checksum before signing and one after, meaning people who download the file use the regular one, tools checking if reproducible use the unsigned one
15:41:15 we use embedded signatures
15:41:56 if RB comes up with a standard like for "signatures which do not contain any intentionally unreproducible things" I'm happy to adopt it
15:42:16 (signatures are usually intentionally unreproducible I guess)
15:42:59 aparcar[m]: in the past, we had two kinds of results: unsigned (easy) and signed, where we came up with the hack/solution to just reapply the 'original' sig. not because we wanted, but because projects already used those designs
15:43:38 eg rpm files are signed and its unrealistic to expect to be able to change that. and we want rpms to be reproducible... so we came up with that
15:43:39 yea I implemented a signature swap too, but since we produce daily some 20GB of images, I don't want to swap them all
15:43:48 yeah
15:43:56 shall we move on to the next topic?
15:44:03 yes please
15:44:14 aparcar[m]: whats the git repo of your work on this?
15:44:17 Perhaps off-topic, but what _is_ required for a signature? The secret of the signer, some timestamp I guess, but does it need also some random data?
15:44:38 https://github.com/aparcar/openwrt-rebuilder/runs/5737341581?check_suite_focus=true (not yet renamed)
15:44:42 rclobus: definitely the secret, so..
15:44:47 aparcar[m]: thanks
15:44:51 #save
15:45:23 #topic r-b summit 2022 ( mapreri )
15:45:36 i havent seen mapreri today on irc..
15:46:11 but i guess i can say we are looking at having an RB summit in september or october this year, hopefully. and in person.
15:46:36 🤞
15:47:15 having very little data i'm also confident to say that finding a location will be really hard as many many places are booked already (and we have our time constraints too, eg not in june/july/august, because too crowded already)
15:47:34 .
15:49:52 _hc: so, if you know venues in vienna, lets talk. basically you could start by asking them if they are available for any week in september or october.
15:50:23 i found *one* end of october in hamburg (the rest was already booked) but sadly gunner was not available that week.
15:50:33 where week=monday to friday
15:51:28 we need a space with approx 100-200m², which can be divided for four sub groups. be that with smaller extra rooms, or room divider or whatever
15:51:46 also happy to discuss details in more detail later
15:52:31 we'd also be happy about other cities as long as they are easy to reach by train and plane
15:53:22 * h01ger feels a bit crazy for talking about a RL event with people in 6 months.
15:53:31 (and nobody else saying a bit ;)
15:54:03 Probably best to send a mail to the list with those requirements - will let people check things async to this meeting ^
15:54:18 but great to raise it here :)
15:54:23 hard to say much, it seems really hard to plan still
15:54:24 h01ger: You know about the requirements, now we can think about possible locations in our neighbourhoods.
15:54:28 right :)
15:55:22 oh well, then
15:55:25 #topic AOB
15:55:35 what is AOB?
15:55:40 vagrantc: the samba bug...
15:55:45 aparcar[m]: any other business
15:55:51 smart
15:55:58 i was asked a question that ... i wasn't fully sure of the answer to
15:56:02 https://lists.samba.org/archive/samba-technical/2022-March/137172.html
15:56:09 <_hc> h01ger: how many attendees are you thinking?
15:56:26 _hc: 42
15:56:41 _hc: 23 to 50
15:56:50 basically, i proposed to add -ffile-prefix-map to the default arguments, but they asked about what to do with debug symbols ... i know debian can still get at the debug symbols, but i'm not sure if upstream would also have to do anything special to make that work
15:57:29 obviously, stripping the full path out of the debug symbols would mean you need some way to find them
15:57:40 Aren't the debug symbols found by GNU_BUILD_ID?
15:57:40 vagrantc: there are automatic debug packages now but i never dove into them
15:58:08 h01ger: i've used them slightly ... but can't say hugely proficiently
15:58:22 and i know debian does something to make them
15:58:30 make them work
15:58:46 #info https://wiki.debian.org/Debuginfod
15:59:01 vagrantc: maybe #debian-devel can help you with this question?
15:59:21 specifically, i know how to use them in *debian* ... but i'm wondering what upstream would have to consider, worry about, workaround, etc.
15:59:41 ah
16:01:10 i think debian builds with the debugging symbols, and then part of the packaging process extracts them into the separate dbgsym packages, but obviously upstream would need to do something similar
16:01:19 * h01ger is trying to come up with the right #info line, like 'vagrant is looking for help with debug flags (outside debian)'
16:01:33 yeah, me too
16:01:36 :)
16:01:50 But for regular debugging, you will most probably have a source path that is different from the source path that was used by the provider of the binary package. So you will have to point your debugger to your local source anyway.
16:02:13 rclobus: yeah, that's what confuses me a bit
16:02:30 #info like 'vagrant is looking for help with debug flags (outside debian) - see https://lists.samba.org/archive/samba-technical/2022-March/137172.html for context
16:02:37 h01ger: thanks :)
16:02:47 :) np
16:03:16 * h01ger has another AOB bit: i really enjoyed the mailing list discussion about r-b use cases in the real world. thanks to everyone who contributed!
16:03:25 Yes, thanks too
16:03:43 Still very much looking for "bad thing averted", but enjoying the thread all the same
16:04:26 it is hard to find something that didn't happen because of something
16:04:44 :)
16:05:08 maybe we turn it around ... things like X (e.g. solarwinds) will continue to happen without reproducible builds?
16:05:23 hah.
16:05:25 (while also showing that reproducible builds is one piece in that)
16:05:48 any other business?
16:05:54 not the magic silver bullet, etc...
16:06:53 any other business? :)
16:07:23 alright. lets wrap this up
16:07:39 thank you all for attending, sharing updates & lots of nice work!
16:07:59 Thanks for running the meeting, h01ger :)
16:08:00 hoping to see you again on the last tuesday of the month at 15 UTC, so thats april 26th!
16:08:05 h01ger: Thank you for hosting the meeting.
16:08:10 o/
16:08:10 thanks all!
16:08:47 * vagrantc is hoping to maintain timezone stability for the foreseeable future
16:08:58 #endmeeting