14:58:26 <h01ger> #startmeeting
14:58:26 <MeetBot> Meeting started Tue Nov 29 14:58:26 2022 UTC.  The chair is h01ger. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:58:26 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:58:38 <h01ger> the agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep
14:58:54 * Foxboron waves
14:59:10 <h01ger> #topic welcome to our monthly irc meeting, please briefly introduce yourself or otherwise your presence
14:59:21 * h01ger = Holger Levsen
14:59:27 <lamby> o/
14:59:31 * vagrantc ~= Vagrant Cascadian
14:59:35 * rclobus is Roland Clobus, working on the Debian live images
14:59:37 * lamby -> Chris Lamb
14:59:45 <Foxboron> Morten/Foxboron, Arch Linux developer working reproducible builds
14:59:58 * jelle -> Jelle van der Waa, Arch Linux
15:00:05 <jelle> lamby: btw, thanks for the progressbar fix in diffoscope!
15:00:19 <lamby> jelle: No problem at all. I didn't actually know about the progressbar fork (!)
15:01:43 <h01ger> so lets start, any latecomer can still say hello anytime :)
15:02:04 <h01ger> #topic follow-up on the action points from last meeting
15:02:30 * h01ger checks http://meetbot.debian.net/reproducible-builds/2022/reproducible-builds.2022-09-27-15.06.html
15:03:01 <h01ger> ACTION: neverpanic Synchronise MacPorts and diffoscope (rclobus, 15:13:53)
15:03:01 * h01ger lamby Synchronise BSD and diffoscope (rclobus, 15:14:12)
15:03:26 * h01ger jelle Investigate glibc on Arch Linux (rclobus, 15:19:13)
15:03:26 * h01ger jelle Look at the Debian scons package (rclobus, 15:54:28)
15:03:35 <rclobus> IIRC, just minutes after ending the meeting, neverpanic wrote that MacPorts and diffoscope were finished
15:03:48 <h01ger> coolio
15:03:51 <jelle> haven't found the time yet :(
15:03:52 <rclobus> s/finished/synchronised/
15:04:09 <neverpanic> correct
15:04:12 <h01ger> jelle: so you just got an easy reminder :)
15:04:14 <neverpanic> it's outdated now again, I think
15:04:24 <jelle> h01ger: hehehe, if scons was that easy :-)
15:04:31 <h01ger> :)
15:04:45 <h01ger> also, as there's no new action point there wont be another reminder in a month
15:05:35 <lamby> I contacted Brian Callahan from OpenBSD back in October re. keeping that up to date, and that particular BSD has a system to track whether they are behind; there is just a queue of work for them.
15:05:35 <rclobus> ack.
15:05:53 <h01ger> lamby: nice
15:06:14 <h01ger> #topic reports from the summit in Venice
15:06:35 <h01ger> there's no written report yet, however i have some items for the November monthly blog post
15:07:04 <h01ger> we were roughly 23 people, iirc 23 plus Gunner and had many good discussions and quite some fun too
15:07:21 * h01ger also managed to actually visit Venice for 4h :)
15:07:39 <h01ger> (the hotel was 5km away on the main land..)
15:08:15 <h01ger> frederic made some new tshirts now, which we'll try to distribute during events in 2023
15:08:52 <h01ger> for those who have been to previous summits, the format was like those, but with some hacking time every afternoon
15:09:33 <h01ger> we took many notes in many pads, which now need to be transferred to our r-website.git, like we did for previous years
15:09:49 <h01ger> thats it from me
15:11:05 <h01ger> oh, one interesting bit: one of the sponsors was an Italian company doing gambling machines and which AIUI by law are now required to prove reliable results. and one building block for them are reproducible builds.
15:11:14 <h01ger> they also *love* diffoscope
15:11:42 <h01ger> .
15:11:44 <lamby> \o/
15:11:46 <lamby> thanks
15:12:54 <h01ger> #topic FOSDEM 2023
15:13:14 <h01ger> so fosdem.org is 4+5 feb 2023 in brussels again
15:13:29 * h01ger believes Foxboron might have submitted a talk?
15:13:38 <Foxboron> Yes!
15:13:56 <h01ger> Foxboron: about what? :)
15:14:01 <Foxboron> There are several relevant devrooms for Reproducible Builds. At least *two* devrooms mention supply chain issues :)
15:14:03 * h01ger will probably not attend or maybe i will, not sure.
15:14:20 <Foxboron> https://github.com/security-devroom/fosdem-2023
15:14:30 <h01ger> #info there are several relevant devrooms for Reproducible Builds. At least *two* devrooms mention supply chain issues :)
15:14:32 <Foxboron> Distributions Devroom - https://lists.fosdem.org/pipermail/fosdem/2022q4/003468.html
15:14:38 <Foxboron> Binary Tools Devroom - https://lists.fosdem.org/pipermail/fosdem/2022q4/003436.html
15:14:55 <Foxboron> I have submitted a "State of reprobuilds in Arch" sort of talk to the security devroom :)
15:15:11 <Foxboron> If they give enough time there might be kpcyrd and jelle as co-presenters :)
15:15:14 <h01ger> coolio!
15:15:24 <Foxboron> I think diffoscope could have a talk at the binary tools devroom as well
15:15:40 * h01ger nods
15:15:51 <Foxboron> I'll also email about this :) I just havent gotten that far yet
15:15:55 <h01ger> there could be many more talks :)
15:16:01 <Foxboron> Yes! Totes :)
15:16:09 <h01ger> :)
15:16:09 <Foxboron> That's all I had on the topic
15:16:51 <h01ger> coolio. anyone else already planning to be there?
15:17:23 <lamby> I will likely not be there. :(
15:17:50 <lamby> vagrantc: Just a random idea- we could do a mini-meetup that weekend in OR
15:17:55 <h01ger> hehe
15:18:10 <vagrantc> heh
15:18:15 <h01ger> mini-meetups are fun too!
15:18:47 <h01ger> #topic short time slots for various projects
15:18:57 <h01ger> Ariadne: any news on alpine?
15:19:24 <h01ger> _hc[m]: are you here? (news on fdroid?)
15:19:38 <h01ger> aparcar: lynxis: are you here, news on openwrt/coreboot?
15:19:50 <h01ger> #topic short time slots for various projects: Arch Linux
15:19:56 <h01ger> jelle: Foxboron: ^ :)
15:20:05 <Foxboron> Ah
15:20:26 <Foxboron> In Arch we build Go packages with the cgo and the external linker. When we enabled LTO our Golang packages became unreproducible!
15:20:31 <Ariadne> i've been busy with other projects, so i don't know what the latest state of things with alpine is (technically, i stepped down from the Alpine TSC after 3.17 release)
15:20:43 <Foxboron> The gnu build-id was different per build which was very very weird :)
15:20:58 <h01ger> Ariadne: ic.
15:21:00 <Foxboron> After a lot of juggling and debugging I figured out it's all due to a gcc bug :)
15:21:14 <Foxboron> https://go-review.googlesource.com/c/go/+/413974 <- upstream patches for the Go compiler here
15:21:28 <Foxboron> https://gcc.gnu.org/pipermail/gcc-patches/2022-November/606205.html <- mention of the gcc bug
15:21:44 <h01ger> Foxboron: cool stuff!
15:21:53 <Foxboron> Essentially bare symbols in line macros get a path prefix which is not stripped by debug-prefix-map. These paths are embedded into the sections of the .o files :)
15:22:15 <vagrantc> this sounds very familiar
15:22:16 <Foxboron> since they are hashed to create the build-id they would give us a unique build-id per compilation as everything is done in tmpfile directories
15:22:28 <Foxboron> That is the rundown of the issue.
15:23:03 <Foxboron> nothing else has been happening in Arch land except for the talk discussion :)
15:23:21 <h01ger> and your patches do strip the path prefixes?
15:23:58 <Foxboron> Unintuitively, the fix is to add a debug-prefix-map for each bare symbol and prefix them with an absolute path
15:24:11 <Foxboron> This ensures the gcc compiler doesn't include the random path into the object file
15:24:21 * h01ger nods
15:24:24 <Foxboron> So the cgo patch just adds like 5-10 debug-prefix-maps for the symbols
15:24:31 <Foxboron> It took a while to figure out :p
15:24:57 <h01ger> it looks very easy and straightforward now ;)
15:25:11 <_hc[m]> I can report on behalf of obfusk: they did a bunch of work around Android APK signatures, and handling all the cases to get to bit-for-bit reproducible using signature copying.
15:25:23 <h01ger> #topic short time slots for various projects: F-Droid
15:25:59 <h01ger> _hc[m]: cool. (and hi!)
15:26:04 <_hc[m]> and we're using it in F-Droid, should be in production this week
15:26:07 <_hc[m]> hi!
15:26:21 <h01ger> there also were aptsigner related changes to diffoscope
15:26:41 <_hc[m]> I'm guessing that was also obfusk :)
15:27:08 * h01ger thinks so too
15:27:46 <h01ger> & apksigner..
15:28:11 <_hc[m]> that's it from me
15:28:18 <h01ger> thank you
15:28:28 <h01ger> #topic short time slots for various projects: Debian live-builds
15:28:32 <lamby> ^ Yes, a big optimisation for apk processing was pushed earlier
15:28:32 <h01ger> rclobus: ^
15:28:32 <rclobus> I've prepared my monthly report
15:28:42 <rclobus> #info https://lists.reproducible-builds.org/pipermail/rb-general/2022-November/002760.html
15:28:59 <rclobus> Reproducible summary: all still reproducible
15:29:10 <rclobus> Jenkins status: all green (even Bullseye)
15:29:24 <rclobus> openQA status: Some functionality issues are present
15:29:48 <rclobus> Publishing the images from the Debian infrastructure: work-in-progress
15:30:35 <h01ger> great stuff & thank you for keeping us informed too!
15:30:41 <rclobus> Regarding the Bullseye tests: the rebuild script can now select the source of the installer: either rebuilt from git or from deb.debian.org
15:31:11 <h01ger> thats life-installer or d-i?
15:31:22 <rclobus> d-i.
15:31:43 <h01ger> nice, so we are testing reproducibility of building d-i now too?
15:32:19 <rclobus> Yes, several months ago I wrote some patches, d-i can be built reproducibly for a while now.
15:32:31 <vagrantc> \o/
15:32:51 <h01ger> that part was clear to me. i wasn't aware we're also regularly testing this now as part of the live builds
15:32:56 <h01ger> and \o/ too!
15:33:24 <rclobus> The Bookworm and sid images have the d-i rebuilt from git.
15:33:43 <rclobus> As soon as bookworm gets frozen, I'll update the scripts to take d-i from deb.debian.org
15:34:18 * h01ger nods
15:34:39 <rclobus> That's it from me
15:34:50 <_hc[m]> repro ISOs is super exciting!
15:35:06 <Foxboron> Reminds me I need to take a few stabs at this for Arch :)
15:35:24 <jelle> does the debian ISO, also have a BUILDINFO file? :o
15:35:29 <rclobus> Just use live-build. You probably do not need additional steps.
15:35:44 <rclobus> BUILDINFO is very package-specific.
15:36:01 <rclobus> There is a file on the ISO that contains the timestamp.
15:36:22 * h01ger sees room for improvement :) the iso should get some .buildinfo like file
15:36:23 <rclobus> I'm thinking of adding a marker that says 'built by the rebuild script'.
15:36:31 <h01ger> .oO( SBOM )
15:36:51 * h01ger also learned about SBOM at the r-b summit. that was quite very useful
15:37:02 * jelle needs a SBOM for dummies
15:37:11 <rclobus> The rebuild script leaves no room for injections, it uses time-travel for the git repo.
15:37:15 <vagrantc> rclobus: so with just the iso itself you have all the information necessary to rebuild it? all the relevant packages used during the build process?
15:37:26 <h01ger> SBOM is some generic .buildinfo concept which gained a lot of traction recently
15:38:14 <jelle> h01ger: that I understood, but never looked deeper
15:38:18 * h01ger took a note to write something about SBOM later
15:38:21 <rclobus> vagrantc: Yes, I use the snapshot from fepitre, so there is no additional source for the content of the ISO (except the rebuild script itself, which is taken from the time-travelled git)
15:39:08 <rclobus> nudge nudge, or should I use snapshot.reproducible-builds.org?
15:39:23 <h01ger> #topic short time slots for various projects: Debian snapshot.r-b.o
15:39:38 <rclobus> hehe
15:39:46 <h01ger> so lets move on :)
15:40:12 <h01ger> there has been several progresses regarding snapshot.r-b.o but its not usable yet:
15:40:27 <h01ger> a.) the symlink creation has been finished, except
15:40:46 <h01ger> b.) for the new timestamps (now back to july 2022) copied on the machine since the summit
15:41:13 <h01ger> c.) the DPL has approved buying 7 4tb SSDs for it to improve performance
15:41:55 <h01ger> d.) frederic has started experimenting with zfs (for future developments, but more performance will be needed if we want more releases and archs on it eventually)
15:42:20 <h01ger> c2.) i'm discussing with OSUOSL how to get those SSDs to them
15:42:34 <h01ger> thats basically it for now
15:43:41 <rclobus> Is that 7x4=28TB or something striped-RAID?
15:43:51 <h01ger> raid6, so 16tb
15:44:19 <h01ger> #topic short time slots for various projects: Debian
15:44:42 <h01ger> at least until the end of the year, we're having weekly NMU sprints every thursday at 17 UTC now
15:45:10 <vagrantc> i've poked at bugs from 2015-2017 with the previous few sprints
15:45:22 <h01ger> where we upload packages which have r-b patches, to DELAYED/10, so maintainers have 10 days to step in...
15:45:40 <vagrantc> (NMU Non-Maintainer Upload)
15:46:30 <h01ger> we've done this 4(?) times now and uploaded >42 packages
15:46:51 <vagrantc> wow, didn't realize it was that many
15:47:07 <h01ger> those were fake stats :) guesstimates
15:47:13 <vagrantc> :)
15:47:39 <h01ger> but i think the order of magnitude is correct
15:48:27 <h01ger> nota bene: we meet at #debian-reproducible, not here.
15:48:34 <h01ger> #topic Any Other Business (AOB)
15:49:17 * h01ger only has one question: shall we skip the December meeting? it would be Dec 27th...
15:50:11 * vagrantc in favor
15:50:23 * rclobus agrees
15:50:29 <h01ger> if there were CCCongress, skipping would be a no-brainer, but even without, I think skipping is sensible, it's the end of the year and life tends to be different then..
15:51:07 <lamby> in favour, too. We could do it the next week (ie. Jan 3rd)
15:51:29 <vagrantc> i wouldn't break the last-tuesday of the month pattern
15:51:53 * h01ger nods
15:52:11 <h01ger> january 31st will then be our next meeting
15:52:14 <Foxboron> I don't mind skipping :) I'll be organizing a local conference at our hackerspace in Oslo
15:52:37 <h01ger> hmmm, Oslo! ;)
15:52:54 <h01ger> #info next meeting january 31st 2023
15:53:07 <h01ger> any other business?
15:53:15 <rclobus> No.
15:53:41 <lamby> None here. :)
15:54:10 <vagrantc> nothing i'm aware of
15:55:01 <jelle> Foxboron: strange time for a conference :)
15:55:11 * h01ger packs up and thanks everyone for participating!
15:55:15 <Foxboron> jelle: Not at all :)
15:55:17 <jelle> :)
15:55:20 <h01ger> :)
15:55:32 <h01ger> Foxboron: you should make that a yearly tradition!
15:55:51 <Foxboron> We should make it an acronym and then include the numbers into the name
15:56:05 <Foxboron> I think it should be a bit chaotic.. a chaos congress if you will
15:56:19 <h01ger> :)
15:56:22 <Foxboron> :)
15:56:53 <h01ger> alright.
15:56:54 <h01ger> o/
15:57:04 <Foxboron> \o
15:57:25 <h01ger> #endmeeting