15:06:50 <rclobus> #startmeeting #reproducible-builds September 2022
15:06:50 <MeetBot> Meeting started Tue Sep 27 15:06:50 2022 UTC.  The chair is rclobus. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:06:50 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:06:51 <vagrantc> i would guess the meetbot hasn't taken over the topic, so probably not?
15:06:55 <vagrantc> or that.
15:07:13 <rclobus> The meeting has started, please write your introductions (again)
15:07:17 * lamby is Chris Lamb, working on all things reproducible, but especially diffoscope, toolchain issues, package-specific patches and other tools.. :)
15:07:19 * jelle is Jelle van der Waa, working on Arch Linux reproducibility
15:07:21 * vagrantc is Vagrant Cascadian, working on Debian reproducibility and sometimes Guix too
15:07:38 * rclobus is Roland Clobus, working on the reproducible live-build-based ISO images
15:08:18 <rclobus> Are more people present and willing to introduce themselves?
15:09:18 * Myon is Christoph Berg, mostly watching curiously
15:09:30 <lamby> (Oh hi, Myon.)
15:09:34 <rclobus> #topic diffoscope on BSD
15:10:26 <rclobus> Who knows more about this topic? The agenda states that diffoscope only has older versions in BSD
15:10:43 <rclobus> (and MacPorts)
15:10:59 <rclobus> lamby?
15:11:12 <lamby> Ah, I was not aware of that.
15:11:20 <lamby> That is something I can look into
15:11:31 <rclobus> #info https://pad.riseup.net/p/rb-irc-meetings-keep
15:11:59 <lamby> Not sure how to keep BSD updated, but will resolve it either way
15:12:24 <rclobus> Perhaps it only needs certain people to be pinged.
15:12:55 <lamby> Indeed
15:13:16 <vagrantc> as somewhat of a segue, maybe can dig up people to ping from previous summits
15:13:17 <neverpanic> I can take care of the MacPorts one
15:13:25 <rclobus> A lot has happened since 134 and 221
15:13:33 * neverpanic is Clemens Lang, working at Red Hat on Crypto and MacPorts maintainer
15:13:53 <rclobus> #action neverpanic Synchronise MacPorts and diffoscope
15:13:53 * vagrantc nudges mapreri and h01ger
15:14:12 <rclobus> #action lamby Synchronise BSD and diffoscope
15:14:15 <lamby> rburton: "334 files changed, 70234 insertions(+), 5394 deletions(-)" :)
15:15:07 <rburton> hm?
15:15:16 <rclobus> Shall we skip the topic 'r-b summit 2022' until mapreri shows up?
15:15:22 <lamby> Good idea
15:15:37 <rclobus> #topic short time slots for checkins from various projects
15:16:14 <rclobus> jelle: Arch Linux: status update, live/install .iso status?
15:16:55 <jelle> not much happened there, kpcyrd did share today that our docker image's packages are 99% reproducible (glibc being unreproducible)
15:17:17 <jelle> so a cool goal would be to make the docker image reproducible after fixing glibc
15:17:56 <rclobus> Would fixing glibc be an Arch Linux-only issue, or would all distros benefit?
15:18:10 <jelle> I am not sure yet what's wrong with glibc
15:18:34 <rclobus> IIRC, Debian also has open reproducible-issues with glibc
15:18:46 <jelle> https://reproducible.archlinux.org/api/v0/builds/343630/diffoscope will investigate later :)
15:19:13 <rclobus> #action jelle Investigate glibc on Arch Linux
15:19:23 <vagrantc> only glibc issue i see on debian is failure to build from source ... :/
15:19:48 <h01ger> oh hi, sorry, too many meetings today
15:20:19 <rclobus> h01ger: You are just in time for Debian: status update (h01ger)
15:21:00 <h01ger> right
15:21:54 <h01ger> #topic Debian snapshot.d.o mirrors
15:22:02 <vagrantc> we're eyeing up the beginning of freeze for the next debian release (bookworm)
15:22:11 <h01ger> rclobus: can you #chair h01ger please
15:22:20 <rclobus> #chair h01ger
15:22:20 <MeetBot> Current chairs: h01ger rclobus
15:22:25 <h01ger> #topic Debian snapshot.d.o mirrors
15:22:59 <h01ger> a.) fepitre[m]'s mirror is back
15:23:07 <rclobus> Yay!
15:23:14 <h01ger> our mirror is chewing through a lot of symlinks:
15:23:21 <h01ger> Tue 27 Sep 2022 03:19:24 PM UTC - processed: 2115 timestamps, 539 days, currently at 20201223T025244Z - need to get to 2017...
15:23:45 <h01ger> this was started quite almost exactly a month ago
15:24:04 <h01ger> so this will need roughly two more months :/
15:24:32 <rclobus> Are the most recent entries added before the historical entries?
15:24:35 <vagrantc> started at the newest and working backwards?
15:24:40 * h01ger has met fepitre[m] recently in berlin at the qubes os summit and discussed some bits, eg adding arm64 to our mirror too
15:24:50 <h01ger> vagrantc: yes
15:25:56 <h01ger> so summary: eventually we have a mirror hosted at osuosl in a datacenter, and not "only" at fepitre[m]'s place.
15:26:24 <rclobus> Does this mean that instead of snapshot.notset.fr my script can be changed to mention snapshot.reproducible-builds.org?
15:26:33 <h01ger> rclobus: not yet
15:26:37 <rclobus> (As it only needs the most recent snapshot)
15:26:50 <rclobus> ic
15:27:14 <h01ger> #topic general Debian status update
15:28:17 <h01ger> last week vagrantc and myself met on #debian-reproducible and did a few non maintainer uploads fixing reproducible issues, where we uploaded to DELAYED/10 (or 15), so that maintainers have time to react and upload a different fix or whatever
15:28:43 <h01ger> this was a fun event and we intend to repeat it next week
15:28:44 <vagrantc> i've also been on a roll with submitting new patches :)
15:29:03 <lamby> I regret not being there - it sounded fun. Will be there next time :)
15:29:31 <h01ger> #info next NMU upload meeting, is thursday, october 6th, 16 utc on #debian-reproducible
15:29:44 <vagrantc> but yeah, given the freeze is coming, it would be nice to resolve all patches from ~2015, ~2016, etc. :)
15:29:59 <h01ger> lamby: it was! we started a bit slow but in the end did longer than planned :)
15:30:05 <jelle> vagrantc: so these are patches from 2015 which are not included in packages yet?
15:30:12 <h01ger> jelle: yes
15:30:14 <jelle> wow!
15:30:54 <h01ger> https://udd.debian.org/bugs/?release=bookworm_and_sid&patch=only&pending=ign&merged=ign&done=ign&fnewerval=7&flastmodval=7&reproducible=1&sortby=last_modified&sorto=asc&format=html#results lists 245 such bugs
15:31:18 <lamby> 2015!
15:31:21 <h01ger> though only 30 or so from before 2020
15:31:49 <vagrantc> several of which should be resolved as the result of our meeting, but yes ... some from 2015 still
15:31:50 <h01ger> i meant: though only 30 or so last modified before 2020
15:32:41 <h01ger> i think thats it about debian in general for now...
15:32:59 <lamby> Ah, that's "last modified" ... the modification could very well just be a ping from me. So there are some very old patches, jelle :)
15:33:34 <h01ger> #7xxxxx bugs are from 2015
15:33:58 <h01ger> anyhow, next topic?
15:34:06 <vagrantc> lamby: oh, the dreaded ping!
15:34:21 <rclobus> #topic Debian: live-build
15:34:27 <h01ger> :)
15:34:30 <rclobus> #info Monthly report https://lists.debian.org/debian-live/2022/09/msg00016.html
15:34:42 <rclobus> As usual, I've prepared my monthly report
15:35:08 <h01ger> very nice to read, "as usual" :)
15:35:11 <rclobus> Good news: no more hooks/patches are required for any of the 9 images, both in sid and bookworm
15:35:33 * vagrantc cheers
15:35:55 <rclobus> This month, I've worked with mapreri and h01ger to have the images that are proven to be reproducible being fed automagically to openQA.
15:36:08 <rclobus> Next step: extend the tests in openQA (e.g. with fil)
15:36:14 <h01ger> thats really cool too
15:36:44 * h01ger hopes we'll have these images as official reproducible Debian bookworm images next year
15:36:49 <rclobus> Then... Have Debian publish these verified images.
15:37:26 <rclobus> ... but that will take some more time, and perhaps me becoming DD (I've evaded becoming DD for a long while now :-)
15:37:36 <h01ger> rclobus: \o/
15:37:57 <h01ger> rclobus: excellent perhaps! :)
15:39:06 <rclobus> Next topic? (Given that many are not online: AOB)
15:39:41 <h01ger> no _hc[m] ? no bmwiedemann1 ? no aparcar[m] ?
15:39:46 <vagrantc> i linked to two posts this morning on the rb list, one about scons and SOURCE_DATE_EPOCH
15:40:06 <h01ger> #topic any other business (AOB)
15:40:43 <vagrantc> the other about loosening the requirements for reproducible builds best practices badges ...
15:41:22 <rclobus> The last entry I saw (before being offline) was that scons can be configured to have a hook that propagates S_D_E.
15:41:24 <vagrantc> bmwiedemann asked to make comments so it isn't a bunch of arbitrary people on the scons pull request
15:41:35 <rclobus> That would mean duplication for every distro.
15:41:55 <h01ger> rclobus: did you add that to the pad bmwiedemann1 linked?
15:42:23 <rclobus> No, I saw that in the referenced ticket
15:42:42 <vagrantc> the openssf best practices thread shows an alarming lack of understanding about what reproducible builds is, although someone already commented on the github issue really solidly
15:43:29 <h01ger> yeah, suggesting raising it to diamond :)
15:43:39 <h01ger> https://github.com/coreinfrastructure/best-practices-badge/issues/1865 is the issue discussed
15:44:19 <rclobus> #info https://github.com/SCons/scons/pull/4239#issuecomment-1258941198 (the comment, and now with 2 answers)
15:44:20 <vagrantc> h01ger: also pointing out how anything but bit-for-bit is dubious
15:45:01 <vagrantc> i explicitly linked to the mailing list post rather than the pull request directly, as bmwiedemann didn't want all sorts of people commenting on it ... but ... ugh. URLs are hard.
15:45:06 * h01ger just left two emojis there
15:45:17 <vagrantc> #link https://etherpad.opensuse.org/p/scons-rb-argument
15:45:30 <rclobus> vagrantc: Sorry, I wanted to link to the specific proposal.
15:45:50 * vagrantc shrugs :)
15:45:51 <h01ger> we're having two discussions at the same time :/
15:45:54 <vagrantc> that too
15:46:46 <vagrantc> someone #topic AOB scons and/or #topic AOB openssf best practices badge misunderstandings
15:46:56 <rclobus> #topic AOB scons
15:47:49 <h01ger> i think the question about the goals of that policy is a good one
15:48:05 <h01ger> (unanswered til now)
15:49:17 <h01ger> next topic? or end here? :)
15:49:44 <vagrantc> i haven't read the whole thread, but encountered a few scons packages over the years and am interested in the discussion
15:49:56 <rclobus> Would the proposed solution to have (per distro) a hook script be something to support, or would it better be to have the fix directly upstream?
15:49:59 <vagrantc> just wanted to raise it to people's awareness
15:50:17 <vagrantc> it's almost always better upstream, if possible
15:50:27 <h01ger> rclobus: i think it would be better not to have a solution per distro, but one upstream
15:51:04 <h01ger> also if the goal of scons environment cleaning is actually more deterministic builds, i do think scons should keep S_D_E set
15:51:09 <rclobus> I thought so too. Could that be an argument, given that we (the people present in this meeting) represent several distros?
15:51:10 <jelle> vagrantc: is scons itself reproducible in debian?
15:51:37 <vagrantc> nope
15:51:47 <h01ger> jelle: only 3.0 in buster, 4.x since bullseye not anymore
15:51:52 <jelle> ah, faced the same issue on Arch, as it seems to still record timestamps :|
15:51:55 <vagrantc> https://tests.reproducible-builds.org/debian/history/scons.html
15:52:05 <h01ger> 2.5 (in stretch) was also reproducible
15:52:26 <jelle> oh that is different
15:52:57 <jelle> we still have: │ │ │ -     4          12 LOAD_CONST               3 ('Sun, 07 Aug 2022 13:52:56 +0200')
15:53:00 <jelle> │ │ │ +     4          12 LOAD_CONST               3 ('Sun, 07 Aug 2022 11:52:56 +0000')
15:53:40 <h01ger> jelle: for 4.4.0?
15:53:53 <jelle> yes, so I will take a look at the debian package :)
15:54:28 <rclobus> #action jelle Look at the Debian scons package
15:54:40 <h01ger> #934699 seems to be related
15:54:45 <vagrantc> maybe solving the source_date_epoch bug with scons will fix scons :)(
15:55:10 <h01ger> vagrantc: *g*
15:55:31 <rclobus> h01ger: If I remember correctly, the .pyc issue has been resolved.
15:55:50 <h01ger> rclobus: yes, thats why it was reproducible in buster :)
15:56:14 <h01ger> and the fix was apparently to disable parallel build (according to d/changelog of scons)
15:56:57 <h01ger> any other business? :)
15:58:22 <rclobus> #topic AOB best practices badge requirements
15:58:47 <vagrantc> #link https://github.com/coreinfrastructure/best-practices-badge/issues/1865
15:59:21 * h01ger has nothing to add what he didnt already say above: /me likes the idea of raising to diamond. or keep it at gold.
15:59:30 <vagrantc> i think marcprux hit most of the issues, although i'm tempted to raise some more serious warnings
16:00:06 <vagrantc> e.g. comment on the difficulty of verifying reproducibility for "all but these bits" which could introduce errors into the verification process
16:00:58 <h01ger> please
16:01:21 <vagrantc> it's also more work to make a complicated verification process than just fix the issue in many cases
16:01:23 <h01ger> there's also prior art for errors in such special tools: happened to signal a few years ago
16:01:35 <vagrantc> oh, a reference to that would be great!
16:01:38 <h01ger> i'm quite sure we mentioned that in our monthly or then weekly blogs
16:01:40 <vagrantc> as in URL
16:03:09 <vagrantc> this seems like a check-box ticking vs. a solving real world problems conflict
16:03:16 <h01ger> rgrep -i signal _blog/ _reports/ doesnt find it. hmmm. maybe it wasnt signal but...?
16:04:19 <vagrantc> not much more to say, feel free to chime in or use me as a proxy to comment on it
16:04:22 <rclobus> #topic AOB Do you have other topics for the meeting?
16:04:28 <rclobus> No.
16:04:44 <vagrantc> nothing more here
16:05:05 <h01ger> :) me neither, except to again say i'm sorry for having missed the beginning
16:05:24 <lamby> None here. :)
16:05:35 <lamby> h01ger: Don't worry, glad you could make it in the end. :)
16:05:38 <rclobus> #info some topics were skipped, due to people not being present. Next meeting, you'll have your chance to shine!
16:05:53 <h01ger> lamby: :) thanks.
16:06:21 <rclobus> #endmeeting