16:04:46 <vagrantc> #startmeeting 16:04:46 <MeetBot> Meeting started Tue Jul 17 16:04:46 2018 UTC. The chair is vagrantc. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:04:46 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 16:05:02 <vagrantc> everyone feel free to introduce themselves 16:05:48 <vagrantc> #topic roll call 16:06:00 <vagrantc> #topic roll call and agenda 16:06:07 <vagrantc> sparse agenda: https://pad.riseup.net/p/reproducible-irc-meeting-20180717-16UTC 16:06:20 * jelle waves 16:06:49 <sangy> yeah, rather sparse... 16:07:17 <vagrantc> 1) intros & absensces 2) yashsriv: update on Debian Rebuilder 3) NYU repro-builds for application security (take 2?) 16:07:35 <vagrantc> lamby apologizes for not being present 16:07:57 <vagrantc> oh, and of course 4) any other business 16:08:09 <vagrantc> let's wait a few minutes to let people show up and then begin? 16:08:25 <sangy> sure 16:13:39 <vagrantc> ok 16:14:02 <vagrantc> #topic Debian Rebuilder 16:14:06 <vagrantc> yashsriv: you're on! 16:14:44 <yashsriv> hi.. so basically I had divided debian rebuilder into 3 modules..... a builder/rebuilder, a visualizer to expose info and a scheduler to schedule builds 16:15:15 <yashsriv> The first 2 are now complete with an ansible configuration for easy deployment. The whole thing is at https://salsa.debian.org/yashsriv-guest/debian-rebuilder-setup/tree/integrate-srebuild 16:15:42 <vagrantc> #link https://salsa.debian.org/yashsriv-guest/debian-rebuilder-setup/tree/integrate-srebuild 16:16:08 <sangy> yashsriv: pretty cool :) 16:17:06 <yashsriv> The TODO file gives a better idea of the current status. So basically what is left is just scheduling stuff 16:17:07 <vagrantc> sangy: nice! 16:17:48 <sangy> yashsriv: do you have anything sketched out on that side? 16:17:56 <vagrantc> yashsriv: have a pretty good idea where to take it, or do you need anything from the community at large? 16:18:15 <yashsriv> that is currently a little vague as there isn;t anything in the current infrastructure which could help. 16:18:28 <yashsriv> I had discussed something regarding that with lamby after the last meeting 16:18:57 <yashsriv> ah yes: this issue - https://github.com/lamby/buildinfo.debian.net/issues/48 16:19:18 <yashsriv> So I'm thinking of working on this as well so that we could have something deployable 16:20:29 <vagrantc> using "since" might be a bit odd ... because if you have multiple rebuilders and they're all rebuilding and submitting the same most recent buildinfos ... 16:20:30 <sangy> that'd be nice. So ideally it'd be adding this api endpoint and then writing a very lightweight daemon polling ever N minutes/hours/etc? 16:21:09 <yashsriv> vagrantc.. they'll be maintaining what they have already rebuilt / submitted, so they won't trigger builds again 16:21:44 <vagrantc> yashsriv: all of the independent third-party rebuilders? 16:21:44 <yashsriv> sangy: that's the idea 16:22:10 <yashsriv> ah.. as far as I know, nobody else use buildinfo.debian.net for scheduling builds? 16:22:15 <vagrantc> e.g. you have, say 15 different organizations running rebuilders ... 16:22:52 <yashsriv> This configuration I have written works in a way such that even if 15 different organisations, run this same configuration - it would work 16:22:54 <vagrantc> the point of this project is to be able to easily set up an independent rebuilder ... so eventually they may be the majority of rebuilders 16:23:01 <sangy> vagrantc: each of them would have a local scheduler db I believe, and discard any buildinfo that belongs to an already-built package 16:23:19 <yashsriv> ^yeah this 16:23:24 <vagrantc> i'm just wondering if it wouldn't make more sense to rebuild the most stale builds 16:24:09 <sangy> vagrantc: I see your point. Probably having a different scheduling policy may be more interesting 16:24:20 <sangy> e.g., get the N packages that have been rebuilt the least 16:24:28 <vagrantc> at any rate, get something working before getting to bogged down in it :) 16:24:50 <vagrantc> but maybe note the idea of various different scheduling strategies 16:24:54 <sangy> vagrantc: yeah, we can probably play around with different scheduling strategies once the foundations are down 16:25:31 <vagrantc> on the other hand, rebuilding the most recent builds simplifies the liklihood of not needing to use snapshot.debian.org too much :) 16:26:17 <vagrantc> except if another rebuilder is making "recent" rebuilds of old packages... heh. :) 16:26:19 <sangy> ahh, took me a second to see why that was 16:27:05 <vagrantc> i guess using buildinfo.debian.net might be at mixed purposes to use as a data source for scheduling 16:27:48 <yashsriv> yeah.. so the thing with using buildd is that we need to wait for the packages to either arrive in sid / snapshot before initiating a rebuild and that isn't possible 16:28:00 <vagrantc> right 16:28:01 <sangy> well, we could schedule right from the apt repositories too... 16:28:10 <sangy> oh, TIL 16:28:30 <vagrantc> you can also use a combination of incoming.debian.org and the rest of the archive 16:29:47 <sangy> well, I wonder if we can make this scheduler lightweight enough so we can move from one datasource to another without much fuzz 16:29:53 <vagrantc> right 16:30:47 <sangy> yashsriv: well, so that sounds like a good goal :) 16:30:49 <vagrantc> also, is the goal to rebuild specific buildinfo files, or to rebuild what's in the archive? 16:31:18 <vagrantc> which i guess gets into data sources ... 16:31:20 <sangy> vagrantc: I think the goal is to rebuild everything and anything that can be rebuilt in there 16:32:05 <vagrantc> i think there's a way to query buildinfo.debian.net for a binary with a specific hash and find any matching .buildinfo files ... 16:32:24 <sangy> as in, there's an API endpoint for that already? 16:32:32 <vagrantc> so then, you could just use the hash of new packages in the archive to query for matching .buildinfo files, and try to rebuild them 16:32:43 <vagrantc> sangy: i *think* so ... i recall requesting it 16:33:17 <sangy> vagrantc: that sounds useful. Let's look into that too :) 16:33:29 <vagrantc> then again, since the .buildinfo files from the archive aren't yet publicly available ... hrm. 16:33:32 <sangy> either way, I think adding either of these API endpionts shouldn't be too hard to do, so we can take on that too 16:34:03 <sangy> sounds to me like it'd just be an orm operation on that flask/django/-ish looking app 16:34:08 <vagrantc> #link https://github.com/lamby/buildinfo.debian.net/issues/26 16:34:12 <vagrantc> by-hash ^^ 16:35:05 <sangy> hmm, I see. I guess we can pick that up and see what's up. What do you think yashsriv ? 16:35:52 <vagrantc> any more on this topic? 16:36:07 <yashsriv> yeah let me look into incoming.debian.net - I wasn't aware of it and then we can discuss more later. 16:36:26 <vagrantc> incoming.debian.org 16:36:26 * yashsriv is satisfied 16:36:42 <vagrantc> we've landed plenty more on your plate for now :) 16:36:47 <sangy> lol yeah 16:37:13 <sangy> so something on this topic that I want to bring up. NYU will most likely host a rebuilder 16:37:13 <vagrantc> #topic NYU repro-builds for application security (take 2?) 16:37:41 <vagrantc> sangy: ah, did i change topic too soon? 16:37:52 <vagrantc> or is this a good segway? :) 16:37:54 <sangy> vagrantc: I think, but it's very minor 16:38:14 <sangy> I was just wondering if we'll have to have some process to enroll rebuilders or will it be open to everyone 16:38:37 <sangy> it's probably something we could discuss on the ML later down the line? (once we can deploy rebuilders, for instance) 16:38:58 <vagrantc> yeah, that sounds good for the mailing list once there's more specific rebuilder technology implemented :) 16:39:33 <vagrantc> sangy: was it you who brought the current topic? 16:39:36 <sangy> awesome, so let's continue with the topic at hand 16:39:38 <sangy> yep 16:40:00 <sangy> so, last year we did a series of reproducible builds sessions on NYU 16:40:35 <sangy> for the application security course. This time we'll have a seminar on "secure systems engineering", which adds more space to do work on projects like reprobuilds 16:40:47 <vagrantc> cool 16:40:53 <sangy> so, this is the syllabus https://docs.google.com/document/d/1KR_vj411j9ARNSmQByvJnr1796XxXL-Ln_SKAD2qVW8/edit?usp=sharing 16:41:35 <sangy> there's a calendar on the second page. We were thinking of devoting four weeks on finding and fixing reproducibility errors and whatnot like what we did last time 16:41:56 <vagrantc> four consecutive weeks? 16:42:17 <sangy> like last time, it'd be awesome if one or two poeple could drop by and talk about the project and how to fix repro bugs, etc. 16:42:41 <sangy> vagrantc: yeah. It's a seminar, so we are aiming at hands-on work, hopefully contributing to FOSS projects while at it 16:42:48 <vagrantc> nice 16:43:09 <sangy> :) 16:43:18 <vagrantc> sangy: if you proposed some potential dates on the mailing list, maybe you could get some specific people to commit 16:43:52 <sangy> vagrantc: yeah I think that's what I'll do. I was hoping there was more quorum on this so I could see if the dates on the syllabus worked. I' 16:43:57 <sangy> ll move it to the ML though :) 16:43:58 <vagrantc> right 16:44:18 <sangy> so, I think that's it for this topic... 16:44:33 <vagrantc> looking forward to seeing it develop 16:44:34 <vagrantc> :) 16:45:05 <vagrantc> also, if you could arrange some of those dates to piggyback around a conference that people might want to attend, as a general idea 16:45:19 <sangy> ah fair point. Let me check what's around 16:45:21 <vagrantc> it might make multiple incentives to show up 16:45:30 * sangy jumps on the lwn weekly update\ 16:45:42 <vagrantc> that was clumsy english, but hopefully you get the idea :) 16:46:00 <sangy> lol yeah I did 16:46:25 <sangy> ah it's too early to tell from the LWN list. I'll look around. Thanks for the tip :) 16:46:34 <vagrantc> the next topic is ... 16:46:39 <vagrantc> #topic any other business 16:46:58 <vagrantc> i don't have anything in particular ... any thoughts that sprung up for anyone during the meeting? 16:47:30 <sangy> hmm, I don't think so. Really looking forward to this rebuilder stuff! 16:47:47 <sangy> should we schedule a meeting a month from now? 16:47:48 <vagrantc> indeed ... part of making a theoretical project into a practical one! 16:48:11 <sangy> we can probably make these every other month, so as topics pile up and more people show up? 16:49:09 <vagrantc> 14th? 21st? 16:49:42 <vagrantc> seems like we'll actively need to add issues to make the meetings more enticing :) 16:49:57 <vagrantc> not sure if the time is good/bad or what 16:50:18 <sangy> yeah... I kinda feel we need something like this to keep updates going though >.< 16:51:02 <vagrantc> i was also thinking of if the email reminder cut-and-paste the list of topics from the official agenda ... e.g. https://link-to-agenda ... followed by "list of agenda items so far" 16:51:11 <sangy> any ideas on how to figure out a better date? probably at least accommodating more regulars would be a good idea 16:51:15 <vagrantc> it might encourage folks to add items if they want 16:51:42 <sangy> vagrantc: I can do that, and send a reminder every two weeks (i.e., one next week, and one the week before the meeting) 16:51:54 <vagrantc> sangy: i think reminders are really helpful 16:52:03 <sangy> will do then :) 16:52:35 <vagrantc> and if there's some content in them beyond the link, it might help people who might read offline or something ... not sure 16:52:44 <vagrantc> or just remind them of issues more directly 16:53:07 <sangy> vagrantc: right. So should we tentatively say 21th but open for changes? 16:53:10 <vagrantc> e.g. the X number of clicks between the person and content, you loose ~80% after the first click 16:53:18 <vagrantc> sangy: sounds good to me 16:53:32 <sangy> vagrantc: that had a name in my HCI classes 16:53:38 <sangy> vagrantc: awesome, you got it ;) 16:53:47 <vagrantc> https://pad.riseup.net/p/reproducible-irc-meeting-20180821-16UTC 16:53:52 <sangy> ahh, fitt's law 16:54:09 <sangy> wait no, not that one. Anyway 16:54:14 <vagrantc> #link https://pad.riseup.net/p/reproducible-irc-meeting-20180821-16UTC 16:54:41 <h01ger> oh hi 16:54:49 <h01ger> sorry, i forgot about the meeting... 16:54:59 <vagrantc> h01ger: welcome to the wrapping up of the meeting :) 16:55:24 <sangy> h01ger: will not happen anymore, as I'll be spamming reminders in the ML :P 16:55:33 <h01ger> cool 16:56:09 <vagrantc> i don't know if it would make sense, but setting up a cron job that screenscrapes the next meeting URL might be worth it so it doesn't rely on someone remembering 16:57:03 <vagrantc> anyways, let's call that a meeting, and hope our amazing strategies for reminders will change it for the next round :) 16:57:08 <sangy> vagrantc: so I can automate that, but for now I set a reminder on my calendar 16:57:16 <vagrantc> #endmeeting