14:58:24 #startmeeting 14:58:24 Meeting started Tue Mar 28 14:58:24 2023 UTC. The chair is h01ger. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:58:24 Useful Commands: #action #agreed #help #info #idea #link #topic. 14:58:31 * h01ger waves with tea 14:58:45 #please indicate your presence 14:58:51 #topic please indicate your presence 14:58:56 * h01ger = Holger Levsen 14:59:00 * lamby = Chris Lamb 14:59:03 * aehlig is Klaus Aehlig 14:59:04 * vagrantc = Vagrant Cascadian 14:59:09 * rclobus is Roland Clobus 14:59:42 #topic agenda at https://pad.riseup.net/p/rb-irc-meetings-keep - please edit as you see fit 14:59:48 o/ 14:59:56 * Foxboron is Morten Linderud 15:00:15 * h01ger will wait 2m until we really start 15:00:44 * sangy is Santiago Torres-Arias 15:01:09 * lamby waves to all 15:01:31 * orhun is Orhun Parmaksiz 15:02:23 hi orhun, feel free to introduce yourself more (if you want to), we've been doing this several times so by now most of us simply say their names 15:02:53 * h01ger is mostly working on tests.reproducible-builds.org and on reproducible Debian stuff 15:03:22 * rclobus is working on the Debian live images 15:03:36 (its also really fine to just lurk here :) 15:03:48 hey, I'm a packager for Arch Linux, I'm simply interested in reprobuilds very much like the other folks here so I thought I could chime in :3 15:03:59 * vagrantc ~= Vagrant Cascadian ... working on debian with a pinch of guix and struggling with gcc and binutils reproducibility 15:04:09 orhun: awesome! & welcome! 15:04:22 * lamby is working on diffoscope and sometimes strip-nondeterminism, individual Debian packages and Debian toolchain packages when bandwidth permits. :) 15:05:28 so lets starts. and everyone who hasnt said "hi" yet, please continue to do so! 15:05:38 #topic follow-up of the action items from last meeting 15:06:09 there were none in january and we skipped the february meeting, cause i was sick on short notice and didnt send invites etc 15:06:28 so that was an easy topic :) 15:06:56 #topic short time slots for checkins from various projects: quick check who's here (& hasnt said so yet) 15:07:31 Ariadne: _hc: bmwiedemann: aparcar: lynxis_: raboof___: are you there? 15:07:38 o/ 15:07:44 hey 15:07:55 * h01ger will continue with the subtopics where i know people are here, so lets start with archlinux 15:08:04 #topic short time slots: archlinux 15:08:04 o/ 15:08:20 & hey hey to those who just waved :) 15:08:31 so whats the status / news from archlinux? 15:08:32 I have one small item on this point :) 15:09:03 go ahead :) 15:09:34 It's a tiny bit more generic, but the next release of the Go compiler is going to be reproducible across macOS, Windows and Linux with 1.21 15:09:47 https://github.com/golang/go/issues/57120 <- so I validated the claim on Arch and they reproduced it on Debian (I think) 15:09:50 Foxboron: wheeehoo 15:09:52 So that is cool 15:10:06 I have mentiond it in this channel previously, but reposting during the meeting to share the news :) 15:10:32 #info the next release of the Go compiler is going to be reproducible across macOS, windows and Linux with 1.21 - see https://github.com/golang/go/issues/57120 15:10:33 that is super cool, congrats 15:10:33 Foxboron: reproducible output? the compiler itself? 15:10:44 vagrantc: the compiler binary, yes 15:10:53 great! 15:11:00 the compiled programs is mostly reproducible, but I've found a gcc bug :) 15:11:06 hahaha 15:11:16 down the rabbit hole! 15:11:29 awesome. 15:11:33 Go is weird is the reason for that though. Been patching stuff as I figure it out, but it's mostly only relevant for cgo + lto 15:11:39 fix them toolchains up good 15:12:11 any other news on archlinux specifically? 15:12:20 cool stuff! I see there's also a discussion of having ci-test the reproducibility on different envs. Is this something we should start thinking of generalizing? 15:12:43 I don't think we have anything new on the Arch front 15:12:51 sangy: which discussion where? do you mean reprotest? or? 15:12:52 sangy: it might be a good idea frankluy 15:13:24 sangy: would be nice to have a generic github action that people can just include in their projects to rebuild things with different envs 15:13:46 ah 15:14:21 for salsa.debian.org (which uses gitlab) people can do this using reprotest. many projects do that nowadays. 15:14:26 yah idk what's the proper abstraction, but I could imagine having e.g., rebuilderd-ish backends on different envs gossip proofs of repro and then signal these somewhere 15:14:47 yeah, though i imagine it'd be hard to add a --underlying-system flag to reprotest 15:15:16 * h01ger nods, getting more ci-tests to test for reproducibility at upstream is definitly something we want more and more 15:15:24 maybe we could have a rebuilderd + reprotest sandwich for maximum entropy hha 15:15:29 sangy: what do you mean with this flag? 15:16:07 so in the ctx of e.g., this golang build, that requires to vary between linux/osx/windows I think we couldn't just use reprotest, but something a little bit more outside-in 15:16:27 but sorry I didn't mean to digress too much :) 15:16:38 ah 15:16:50 yeah, then lets move on 15:17:02 It's a good idea though 15:17:06 yeah 15:17:16 * h01ger skips short topic on alpine as Ariadne seems not be here 15:17:39 #topic short time slots: Debian 15:18:04 with sub topics 'in general', 'life-builds' and 'snapshot' 15:19:03 * h01ger doesnt have much general news on Debian. (i do have some other general news which i'm adding to the agenda in a second). and debian is frozen and rclobus has some things to say about life images for bookworm, the next release 15:19:57 on snapshot.r-b.o the news is: the SDDs arrived and we got the new machine setup, but with the wrong hw raid controler, so we only see 11tb instead of 16tb, so osuosl will need to fix this for us, before we can start that migration 15:20:02 the freeze has allowed the builders to catch up a bit, at least ... fewer package updates and such :) 15:20:50 the freeze also means we stopped our NMU campaign (which i intend to revive once bookworm has been released) 15:20:55 rclobus: are you there? 15:21:09 This month I didn't prepare a report in time, but... 15:21:12 The live-images are now including non-free-firmware 15:21:16 and they are (still/again) reproducible (starting with Bullseye), as tested by Jenkins 15:21:20 #info https://jenkins.debian.net/view/live/ 15:21:25 Recently the live images are generated on .debian.org hardware, there is still some work to do (regarding content/functionality) 15:21:28 #info https://get.debian.org/images/weekly-live-builds/amd64/iso-hybrid/ 15:21:29 and they are being considered for official release!!1 15:21:32 They are generating 'short-term-reproducible' images, meaning that they can be reproduced within the same DAK-run, which is every 6 hours 15:21:36 I'm currently working on getting the functionality tested on openQA again (after the workers were moved to different machines) 15:21:41 #info https://openqa.debian.net/group_overview/14 15:21:43 Soon I would like to have the .d.o-generated images to generate 'long-term-reproducible' images, i.e. using a snapshot server 15:21:46 The snapshot server would then need to carry non-free-firmware too 15:21:53 sweet 15:21:59 rclobus: but cant they be regenerated later using shapshot? 15:22:10 I haven't tried yet. 15:22:23 It will need to have some timestamp magic 15:22:23 please try :) 15:22:38 almost like we need .buildinfo files for .iso generation or something 15:22:56 cause (i assume) offical images will alsways be build against deb.debian.org and not against snapshot. and as deb.d.o changes, rebuilds will need to use snapshot... 15:23:13 The timestamp of the archive will not match the timestamp on the snapshot server, so there needs to be some tolerance in the timestamps of the files and inside some files. 15:23:18 vagrantc: noone never had this idea before :) (hello tails) 15:23:29 :) 15:24:13 rclobus: so the most important infrastructure you now need is the non-free-firmaware section on snapshot, right? 15:24:16 If the iso images are generated from the snapshot server, I use that timestamp, which is sufficient for reproducibility 15:24:57 h01ger: Indeed. non-free-firmware on the snapshot server for bookworm and newer, and if bullseye is to be considered, non-free and contrib too. 15:25:01 #info https://github.com/fepitre/debian-snapshot/issues/18 is the issue about non-free-firmware missing on snapshot 15:25:28 rclobus: gee.. i don't what bullseye is... ;-D 15:26:02 but cool. anything else about debian or shall we move on? 15:26:16 That's it from my side. 15:27:19 * h01ger will skip 'f-droid' as neither obfusk nor _hc seem to be here 15:27:39 * h01ger will skip 'openSuSE' as bmwiedemann doesnt seem to be here 15:28:03 #topic short time slots: OpenWrt 15:28:08 lynxis_: aparcar[m]: any news? 15:28:33 Daniel and me talked the other week and we'll try to get https://github.com/openwrt/luci/pull/5753 in shape for BattleMesh 15 15:28:44 \o/ 15:28:49 Meaning more people should host upgrade servers, each upgrade will be build on multiple servers and compared 15:29:06 this will kind of reveal evil servers but mostly unreproducible firmware images 15:29:07 cool 15:29:27 #info https://github.com/openwrt/luci/pull/5753 - introducing OpenWrt rebuilders 15:29:34 that's all 15:30:03 * h01ger saw the news about battlemesh 15 taking place in Barcelona and was tempted 15:30:20 aparcar[m]: thank you & enjoy battlemesh! :) 15:30:23 h01ger: please join 😉 15:30:34 iirc the timing wasnt so good 15:30:46 #topic short time slots: Nix 15:30:51 raboof[m]: ^ 15:30:57 o/ just one thing: 15:31:20 #info https://reproducible.nixos.org is the new home for NixOS Reproducible Builds reports 15:31:46 It's just a simple front for the same hard-to-interpret reports for now, but this is moving more things to shared infrastructure, so hopefully we can encourage more of our community to help improve those things going forward ;) 15:32:03 * vagrantc cheers 15:32:11 * h01ger notes r13y.com was last generated on 2022-06-06 - maybe add a link on that old url to the new one? 15:32:16 * h01ger also cheers 15:32:22 Cool 15:33:01 jup, working on making r13y.com a redirect 15:33:10 raboof[m]: please also send a patch to update https://reproducible-builds.org/who/projects/ - the file you want to patch is ./_data/projects.yml 15:33:18 will do! 15:33:22 thank you! 15:33:42 anything else about nix? 15:33:49 nope that's it for now! 15:33:54 or nix mehr? :) 15:34:04 coolio, next topic then 15:34:16 #topic reproducible builds summit in november 2023 in hamburg 15:34:31 #info https://reproducible-builds.org/events/hamburg2023/ 15:34:52 currently this is mostly reminder about the event & its dates 15:35:16 Looking forward to it :) 15:35:24 mapreri thankfully took the todo item "send email invites to the list" away from me, so i'm gladly reminding him here now 15:35:39 #action mapreri: send email invites about r-b meeting in november 15:35:45 :-D 15:36:09 #topic new nodes at osuosl.org 15:36:40 so in 2018, r-b.o as many other projects was offered 8 machines, originally donated by facebook, and hosted by osuosl.org 15:37:26 those 8 machines were very nice and powerful and we ran lots of tests.r-b.o there but now, 5 years later, those probably 10y old machines were retired so osuosl.org gave us new machines 15:37:52 and in the last two weeks we moved all jobs from the old nodes to the 3 new nodes 15:38:22 (which are a bit less captable, but i suppose we could ask osuosl for more hw if needed. or use other hosting offers) 15:38:53 plus we have two more new machines at osuosl, so we now have osuosl1-5 15:39:19 the setup is now this: 15:39:21 * osuosl1-amd64: archlinux, alpine, coreboot, netbsd, openwrt 15:39:21 * osuosl2-amd64: archlinux, alpine, coreboot, openwrt 15:39:21 ** osuosl2 is running in the future 15:39:21 * osuosl3-amd64: Debian live-builds / Debian bootstrap jobs / debian-janitor / mmdebstrap-jenkins jobs / openqa.d.n workers 15:39:24 * osuosl4-amd64: snapshot.r-b.o, manual debugging by vagrant 15:39:24 * osuosl5-amd64: to be snapshot.r-b.o 15:39:26 osuosl4 seems to have less ram, but maybe faster disk and cpu? 15:40:22 Oh, neat! 15:40:24 the plan for o4 is to setup a debian rebuilder there, and then maybe an archlinux rebuilder on it too. (unclear whether the machine can do both) 15:40:49 o5 will become the new snapshot but is currently waiting for the new raid controller so we get full capacity on it 15:40:54 . 15:41:38 oh, and i might kick of the debian janitor and debian openqa stuff from o3, if we need more ressources for r-b.o things :) 15:41:46 eof from me on this topic. 15:42:16 (and the alpine builds are currently disabled) 15:42:43 next topic i suppose... 15:42:59 #topic any other business 15:43:08 #topic any other business: reprotest (vagrant) 15:43:19 vagrantc: ^ 15:43:53 i started a thread about reprotest a some weeks back, and implemented some changes, but noticed that it has a lot of things that are just randomized ... 15:44:03 so the variations it does are not very deterministically reproducible 15:44:13 er, deterministically unreproducible? 15:44:52 i'd call that random ;) 15:45:00 but more importantly, would love to gut the autopkgtest code-copies and/or upgrade them ... but that is maybe beyond me 15:45:29 * h01ger is happy vagrantc started looking deeper into reprotest 15:45:30 alternately, i've been experimenting with using sbuild which can do an unshare build in a user namespace, and then hooking reprotest into that ... but that is obviously debian-specific 15:45:58 (for those not knowing sbuild: it's a debian build tool.) 15:46:16 anyone know of tooling to do "rootless" unshare/usernamespace chroots that would be distro agnostic? 15:46:46 probably better as a mailing list post too, but figured i'd mention here for the moment :) 15:46:56 doesnt the "archlinux"^wkpcyrd's rebuilder do that? 15:47:13 plausibly? 15:47:36 it would be ni 15:47:37 i'm pretty sure it does. but we have users of this software here, of which i'm not one. 15:48:38 ok, next topic then. 15:48:39 anyays, i'll post on list for more :) 15:48:44 :thumsbup: 15:48:59 #topic any other business: foss-north.se (h01ger) 15:49:33 #info https://foss-north.se/events/2023/schedule/session/139/ 15:49:58 > The session list for foss-north 2023 has not been published. 15:50:25 #info h01ger will give a talk at foss-north.se in gothenburg in april 2023 titled "Reproducible Builds - the first ten years" 15:50:36 nice! 15:50:44 jelle: i know :) but the url will work eventually 15:51:12 no idea if it will be streamed or not. but i suppose so, also because the last years the conf was online.. 15:51:47 also happy to meet, should someone be around in gothenburg, also pondering a stopover in copenhagen on the way. 15:52:07 #topic any other business: Debian Reunion Hamburg (h01ger) 15:52:18 #info https://wiki.debian.org/DebianEvents/de/2023/DebianReunionHamburg 15:52:43 is a week of hacking and talks in May 2023 at the same venue that will host the reproducible builds summit in november 15:53:29 & given the overlap of all our work, i thought to invite folks working on r-b to this event too. its a space for hacking and hanging around with other people working on free software 15:53:37 so if *you* want to join, do! 15:53:40 . 15:54:08 #topic any other business 15:54:36 None here. 15:55:18 None. 15:55:38 Just to say thanks for running the meeting - been mostly lurking as didn't want to say "neat" every 2 minutes. :) 15:55:49 Neat :) 15:55:50 #info DebianReunionHamburg is a week of hacking and talks in May 2023 at the same venue that will host the reproducible builds summit in november. you might want to join. 15:55:54 neetbot 15:56:02 lamby: neat! 15:57:29 lol 15:57:44 * h01ger will say #endmeeting in a minute then, so we can finish off nicely in an hour. (unless someone has something..) 15:57:48 https://i.imgur.com/tYlWRVE.jpg 15:58:23 so, i'll just say thank you all for joining this meeting and hoping to see you again on the last tuesday of April, thats the 25th, at 15 UTC 15:58:44 lamby: *g* 15:58:56 Thank you for chairing this meeting 15:59:08 thanks all 15:59:51 #endmeeting