#reproducible-builds log

14:58:24 <h01ger> #startmeeting
14:58:24 <MeetBot> Meeting started Tue Mar 28 14:58:24 2023 UTC.  The chair is h01ger. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:58:24 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:58:31 * h01ger waves with tea
14:58:45 <h01ger> #please indicate your presence
14:58:51 <h01ger> #topic please indicate your presence
14:58:56 * h01ger = Holger Levsen
14:59:00 * lamby = Chris Lamb
14:59:03 * aehlig is Klaus Aehlig
14:59:04 * vagrantc = Vagrant Cascadian
14:59:09 * rclobus is Roland Clobus
14:59:42 <h01ger> #topic agenda at https://pad.riseup.net/p/rb-irc-meetings-keep - please edit as you see fit
14:59:48 <Foxboron> o/
14:59:56 * Foxboron is Morten Linderud
15:00:15 * h01ger will wait 2m until we really start
15:00:44 * sangy is Santiago Torres-Arias
15:01:09 * lamby waves to all
15:01:31 * orhun is Orhun Parmaksiz
15:02:23 <h01ger> hi orhun, feel free to introduce yourself more (if you want to), we've been doing this several times so by now most of us simply say their names
15:02:53 * h01ger is mostly working on tests.reproducible-builds.org and on reproducible Debian stuff
15:03:22 * rclobus is working on the Debian live images
15:03:36 <h01ger> (its also really fine to just lurk here :)
15:03:48 <orhun> hey, I'm a packager for Arch Linux, I'm simply interested in reprobuilds very much like the other folks here so I thought I could chime in :3
15:03:59 * vagrantc ~= Vagrant Cascadian ... working on debian with a pinch of guix and struggling with gcc and binutils reproducibility
15:04:09 <h01ger> orhun: awesome! & welcome!
15:04:22 * lamby is working on diffoscope and sometimes strip-nondeterminism, individual Debian packages and Debian toolchain packages when bandwidth permits. :)
15:05:28 <h01ger> so lets starts. and everyone who hasnt said "hi" yet, please continue to do so!
15:05:38 <h01ger> #topic follow-up of the action items from last meeting
15:06:09 <h01ger> there were none in january and we skipped the february meeting, cause i was sick on short notice and didnt send invites etc
15:06:28 <h01ger> so that was an easy topic :)
15:06:56 <h01ger> #topic short time slots for checkins from various projects: quick check who's here (& hasnt said so yet)
15:07:31 <h01ger> Ariadne: _hc: bmwiedemann: aparcar: lynxis_: raboof___: are you there?
15:07:38 <jelle> o/
15:07:44 <aparcar[m]> hey
15:07:55 * h01ger will continue with the subtopics where i know people are here, so lets start with archlinux
15:08:04 <h01ger> #topic short time slots: archlinux
15:08:04 <raboof[m]> o/
15:08:20 <h01ger> & hey hey to those who just waved :)
15:08:31 <h01ger> so whats the status / news from archlinux?
15:08:32 <Foxboron> I have one small item on this point :)
15:09:03 <h01ger> go ahead :)
15:09:34 <Foxboron> It's a tiny bit more generic, but the next release of the Go compiler is going to be reproducible across macOS, Windows and Linux with 1.21
15:09:47 <Foxboron> https://github.com/golang/go/issues/57120 <- so I validated the claim on Arch and they reproduced it on Debian (I think)
15:09:50 <h01ger> Foxboron: wheeehoo
15:09:52 <Foxboron> So that is cool
15:10:06 <Foxboron> I have mentiond it in this channel previously, but reposting during the meeting to share the news :)
15:10:32 <h01ger> #info the next release of the Go compiler is going to be reproducible across macOS, windows and Linux with 1.21 - see https://github.com/golang/go/issues/57120
15:10:33 <raboof[m]> that is super cool, congrats
15:10:33 <vagrantc> Foxboron: reproducible output? the compiler itself?
15:10:44 <Foxboron> vagrantc: the compiler binary, yes
15:10:53 <vagrantc> great!
15:11:00 <Foxboron> the compiled programs is mostly reproducible, but I've found a gcc bug :)
15:11:06 <h01ger> hahaha
15:11:16 <h01ger> down the rabbit hole!
15:11:29 <h01ger> awesome.
15:11:33 <Foxboron> Go is weird is the reason for that though. Been patching stuff as I figure it out, but it's mostly only relevant for cgo + lto
15:11:39 <vagrantc> fix them toolchains up good
15:12:11 <h01ger> any other news on archlinux specifically?
15:12:20 <sangy> cool stuff! I see there's also a discussion of having ci-test the reproducibility on different envs. Is this something we should start thinking of generalizing?
15:12:43 <Foxboron> I don't think we have anything new on the Arch front
15:12:51 <h01ger> sangy: which discussion where? do you mean reprotest? or?
15:12:52 <Foxboron> sangy: it might be a good idea frankluy
15:13:24 <aparcar[m]> sangy: would be nice to have a generic github action that people can just include in their projects to rebuild things with different envs
15:13:46 <h01ger> ah
15:14:21 <h01ger> for salsa.debian.org (which uses gitlab) people can do this using reprotest. many projects do that nowadays.
15:14:26 <sangy> yah idk what's the proper abstraction, but I could imagine having e.g., rebuilderd-ish backends on different envs gossip proofs of repro and then signal these somewhere
15:14:47 <sangy> yeah, though i imagine it'd be hard to add a --underlying-system flag to reprotest
15:15:16 * h01ger nods, getting more ci-tests to test for reproducibility at upstream is definitly something we want more and more
15:15:24 <sangy> maybe we could have a rebuilderd + reprotest sandwich for maximum entropy hha
15:15:29 <h01ger> sangy: what do you mean with this flag?
15:16:07 <sangy> so in the ctx of e.g., this golang build, that requires to vary between linux/osx/windows I think we couldn't just use reprotest, but something a little bit more outside-in
15:16:27 <sangy> but sorry I didn't mean to digress too much :)
15:16:38 <h01ger> ah
15:16:50 <h01ger> yeah, then lets move on
15:17:02 <Foxboron> It's a good idea though
15:17:06 <h01ger> yeah
15:17:16 * h01ger skips short topic on alpine as Ariadne seems not be here
15:17:39 <h01ger> #topic short time slots: Debian
15:18:04 <h01ger> with sub topics 'in general', 'life-builds' and 'snapshot'
15:19:03 * h01ger doesnt have much general news on Debian. (i do have some other general news which i'm adding to the agenda in a second). and debian is frozen and rclobus has some things to say about life images for bookworm, the next release
15:19:57 <h01ger> on snapshot.r-b.o the news is: the SDDs arrived and we got the new machine setup, but with the wrong hw raid controler, so we only see 11tb instead of 16tb, so osuosl will need to fix this for us, before we can start that migration
15:20:02 <vagrantc> the freeze has allowed the builders to catch up a bit, at least ... fewer package updates and such :)
15:20:50 <h01ger> the freeze also means we stopped our NMU campaign (which i intend to revive once bookworm has been released)
15:20:55 <h01ger> rclobus: are you there?
15:21:09 <rclobus> This month I didn't prepare a report in time, but...
15:21:12 <rclobus> The live-images are now including non-free-firmware
15:21:16 <rclobus> and they are (still/again) reproducible (starting with Bullseye), as tested by Jenkins
15:21:20 <rclobus> #info https://jenkins.debian.net/view/live/
15:21:25 <rclobus> Recently the live images are generated on .debian.org hardware, there is still some work to do (regarding content/functionality)
15:21:28 <rclobus> #info https://get.debian.org/images/weekly-live-builds/amd64/iso-hybrid/
15:21:29 <h01ger> and they are being considered for official release!!1
15:21:32 <rclobus> They are generating 'short-term-reproducible' images, meaning that they can be reproduced within the same DAK-run, which is every 6 hours
15:21:36 <rclobus> I'm currently working on getting the functionality tested on openQA again (after the workers were moved to different machines)
15:21:41 <rclobus> #info https://openqa.debian.net/group_overview/14
15:21:43 <rclobus> Soon I would like to have the .d.o-generated images to generate 'long-term-reproducible' images, i.e. using a snapshot server
15:21:46 <rclobus> The snapshot server would then need to carry non-free-firmware too
15:21:53 <raboof[m]> sweet
15:21:59 <h01ger> rclobus: but cant they be regenerated later using shapshot?
15:22:10 <rclobus> I haven't tried yet.
15:22:23 <rclobus> It will need to have some timestamp magic
15:22:23 <h01ger> please try :)
15:22:38 <vagrantc> almost like we need .buildinfo files for .iso generation or something
15:22:56 <h01ger> cause (i assume) offical images will alsways be build against deb.debian.org and not against snapshot. and as deb.d.o changes, rebuilds will need to use snapshot...
15:23:13 <rclobus> The timestamp of the archive will not match the timestamp on the snapshot server, so there needs to be some tolerance in the timestamps of the files and inside some files.
15:23:18 <h01ger> vagrantc: noone never had this idea before :) (hello tails)
15:23:29 <vagrantc> :)
15:24:13 <h01ger> rclobus: so the most important infrastructure you now need is the non-free-firmaware section on snapshot, right?
15:24:16 <rclobus> If the iso images are generated from the snapshot server, I use that timestamp, which is sufficient for reproducibility
15:24:57 <rclobus> h01ger: Indeed. non-free-firmware on the snapshot server for bookworm and newer, and if bullseye is to be considered, non-free and contrib too.
15:25:01 <h01ger> #info https://github.com/fepitre/debian-snapshot/issues/18 is the issue about non-free-firmware missing on snapshot
15:25:28 <h01ger> rclobus: gee.. i don't what bullseye is... ;-D
15:26:02 <h01ger> but cool. anything else about debian or shall we move on?
15:26:16 <rclobus> That's it from my side.
15:27:19 * h01ger will skip 'f-droid' as neither obfusk nor _hc seem to be here
15:27:39 * h01ger will skip 'openSuSE' as bmwiedemann doesnt seem to be here
15:28:03 <h01ger> #topic short time slots: OpenWrt
15:28:08 <h01ger> lynxis_: aparcar[m]: any news?
15:28:33 <aparcar[m]> Daniel and me talked the other week and we'll try to get https://github.com/openwrt/luci/pull/5753 in shape for BattleMesh 15
15:28:44 <h01ger> \o/
15:28:49 <aparcar[m]> Meaning more people should host upgrade servers, each upgrade will be build on multiple servers and compared
15:29:06 <aparcar[m]> this will kind of reveal evil servers but mostly unreproducible firmware images
15:29:07 <h01ger> cool
15:29:27 <h01ger> #info https://github.com/openwrt/luci/pull/5753 - introducing OpenWrt rebuilders
15:29:34 <aparcar[m]> that's all
15:30:03 * h01ger saw the news about battlemesh 15 taking place in Barcelona and was tempted
15:30:20 <h01ger> aparcar[m]: thank you & enjoy battlemesh! :)
15:30:23 <aparcar[m]> h01ger: please join 😉
15:30:34 <h01ger> iirc the timing wasnt so good
15:30:46 <h01ger> #topic short time slots: Nix
15:30:51 <h01ger> raboof[m]: ^
15:30:57 <raboof[m]> o/ just one thing:
15:31:20 <raboof[m]> #info https://reproducible.nixos.org is the new home for NixOS Reproducible Builds reports
15:31:46 <raboof[m]> It's just a simple front for the same hard-to-interpret reports for now, but this is moving more things to shared infrastructure, so hopefully we can encourage more of our community to help improve those things going forward ;)
15:32:03 * vagrantc cheers
15:32:11 * h01ger notes r13y.com was last generated on 2022-06-06 - maybe add a link on that old url to the new one?
15:32:16 * h01ger also cheers
15:32:22 <Foxboron> Cool
15:33:01 <raboof[m]> jup, working on making r13y.com a redirect
15:33:10 <h01ger> raboof[m]: please also send a patch to update https://reproducible-builds.org/who/projects/ - the file you want to patch is ./_data/projects.yml
15:33:18 <raboof[m]> will do!
15:33:22 <h01ger> thank you!
15:33:42 <h01ger> anything else about nix?
15:33:49 <raboof[m]> nope that's it for now!
15:33:54 <h01ger> or nix mehr? :)
15:34:04 <h01ger> coolio, next topic then
15:34:16 <h01ger> #topic     reproducible builds summit in november 2023 in hamburg
15:34:31 <h01ger> #info https://reproducible-builds.org/events/hamburg2023/
15:34:52 <h01ger> currently this is mostly reminder about the event & its dates
15:35:16 <Foxboron> Looking forward to it :)
15:35:24 <h01ger> mapreri thankfully took the todo item "send email invites to the list" away from me, so i'm gladly reminding him here now
15:35:39 <h01ger> #action mapreri: send email invites about r-b meeting in november
15:35:45 <h01ger> :-D
15:36:09 <h01ger> #topic new nodes at osuosl.org
15:36:40 <h01ger> so in 2018, r-b.o as many other projects was offered 8 machines, originally donated by facebook, and hosted by osuosl.org
15:37:26 <h01ger> those 8 machines were very nice and powerful and we ran lots of tests.r-b.o there but now, 5 years later, those probably 10y old machines were retired so osuosl.org gave us new machines
15:37:52 <h01ger> and in the last two weeks we moved all jobs from the old nodes to the 3 new nodes
15:38:22 <h01ger> (which are a bit less captable, but i suppose we could ask osuosl for more hw if needed. or use other hosting offers)
15:38:53 <h01ger> plus we have two more new machines at osuosl, so we now have osuosl1-5
15:39:19 <h01ger> the setup is now this:
15:39:21 <h01ger> * osuosl1-amd64: archlinux, alpine, coreboot, netbsd, openwrt
15:39:21 <h01ger> * osuosl2-amd64: archlinux, alpine, coreboot, openwrt
15:39:21 <h01ger> ** osuosl2 is running in the future
15:39:21 <h01ger> * osuosl3-amd64: Debian live-builds / Debian bootstrap jobs / debian-janitor / mmdebstrap-jenkins jobs / openqa.d.n workers
15:39:24 <h01ger> * osuosl4-amd64: snapshot.r-b.o, manual debugging by vagrant
15:39:24 <h01ger> * osuosl5-amd64: to be snapshot.r-b.o
15:39:26 <vagrantc> osuosl4 seems to have less ram, but maybe faster disk and cpu?
15:40:22 <lamby> Oh, neat!
15:40:24 <h01ger> the plan for o4 is to setup a debian rebuilder there, and then maybe an archlinux rebuilder on it too. (unclear whether the machine can do both)
15:40:49 <h01ger> o5 will become the new snapshot but is currently waiting for the new raid controller so we get full capacity on it
15:40:54 <h01ger> .
15:41:38 <h01ger> oh, and i might kick of the debian janitor and debian openqa stuff from o3, if we need more ressources for r-b.o things :)
15:41:46 <h01ger> eof from me on this topic.
15:42:16 <h01ger> (and the alpine builds are currently disabled)
15:42:43 <h01ger> next topic i suppose...
15:42:59 <h01ger> #topic any other business
15:43:08 <h01ger> #topic any other business: reprotest (vagrant)
15:43:19 <h01ger> vagrantc: ^
15:43:53 <vagrantc> i started a thread about reprotest a some weeks back, and implemented some changes, but noticed that it has a lot of things that are just randomized ...
15:44:03 <vagrantc> so the variations it does are not very deterministically reproducible
15:44:13 <vagrantc> er, deterministically unreproducible?
15:44:52 <h01ger> i'd call that random ;)
15:45:00 <vagrantc> but more importantly, would love to gut the autopkgtest code-copies and/or upgrade them ... but that is maybe beyond me
15:45:29 * h01ger is happy vagrantc started looking deeper into reprotest
15:45:30 <vagrantc> alternately, i've been experimenting with using sbuild which can do an unshare build in a user namespace, and then hooking reprotest into that ... but that is obviously debian-specific
15:45:58 <h01ger> (for those not knowing sbuild: it's a debian build tool.)
15:46:16 <vagrantc> anyone know of tooling to do "rootless" unshare/usernamespace chroots that would be distro agnostic?
15:46:46 <vagrantc> probably better as a mailing list post too, but figured i'd mention here for the moment :)
15:46:56 <h01ger> doesnt the "archlinux"^wkpcyrd's rebuilder do that?
15:47:13 <vagrantc> plausibly?
15:47:36 <vagrantc> it would be ni
15:47:37 <h01ger> i'm pretty sure it does. but we have users of this software here, of which i'm not one.
15:48:38 <h01ger> ok, next topic then.
15:48:39 <vagrantc> anyays, i'll post on list for more :)
15:48:44 <h01ger> :thumsbup:
15:48:59 <h01ger> #topic any other business: foss-north.se (h01ger)
15:49:33 <h01ger> #info https://foss-north.se/events/2023/schedule/session/139/
15:49:58 <jelle> > The session list for foss-north 2023 has not been published.
15:50:25 <h01ger> #info h01ger will give a talk at foss-north.se in gothenburg in april 2023 titled "Reproducible Builds - the first ten years"
15:50:36 <jelle> nice!
15:50:44 <h01ger> jelle: i know :) but the url will work eventually
15:51:12 <h01ger> no idea if it will be streamed or not. but i suppose so, also because the last years the conf was online..
15:51:47 <h01ger> also happy to meet, should someone be around in gothenburg, also pondering a stopover in copenhagen on the way.
15:52:07 <h01ger> #topic any other business: Debian Reunion Hamburg (h01ger)
15:52:18 <h01ger> #info https://wiki.debian.org/DebianEvents/de/2023/DebianReunionHamburg
15:52:43 <h01ger> is a week of hacking and talks in May 2023 at the same venue that will host the reproducible builds summit in november
15:53:29 <h01ger> & given the overlap of all our work, i thought to invite folks working on r-b to this event too. its a space for hacking and hanging around with other people working on free software
15:53:37 <h01ger> so if *you* want to join, do!
15:53:40 <h01ger> .
15:54:08 <h01ger> #topic any other business
15:54:36 <lamby> None here.
15:55:18 <rclobus> None.
15:55:38 <lamby> Just to say thanks for running the meeting - been mostly lurking as didn't want to say "neat" every 2 minutes. :)
15:55:49 <Foxboron> Neat :)
15:55:50 <h01ger> #info DebianReunionHamburg is a week of hacking and talks in May 2023 at the same venue that will host the reproducible builds summit in november. you might want to join.
15:55:54 <vagrantc> neetbot
15:56:02 <h01ger> lamby: neat!
15:57:29 <lamby> lol
15:57:44 * h01ger will say #endmeeting in a minute then, so we can finish off nicely in an hour. (unless someone has something..)
15:57:48 <lamby> https://i.imgur.com/tYlWRVE.jpg
15:58:23 <h01ger> so, i'll just say thank you all for joining this meeting and hoping to see you again on the last tuesday of April, thats the 25th, at 15 UTC
15:58:44 <h01ger> lamby: *g*
15:58:56 <rclobus> Thank you for chairing this meeting
15:59:08 <vagrantc> thanks all
15:59:51 <h01ger> #endmeeting