18:07:10 <bmwiedemann> #startmeeting
18:07:10 <MeetBot> Meeting started Mon Dec 14 18:07:10 2020 UTC. The chair is bmwiedemann. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:07:10 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:07:37 <bmwiedemann> #topic introductions
18:08:01 * bmwiedemann is Bernhard M. Wiedemann (SUSE / Germany)
18:08:14 * lamby is Chris Lamb (UK)
18:08:43 * cbaines is Chris Baines (also UK)
18:09:14 <lamby> hey bmwiedemann, cbaines
18:11:04 <Foxboron> Yo, Morten Linderud (Arch / Norway)
18:12:12 <bmwiedemann> (I still hope for vagrantc as he was active just 15 minutes ago)
18:14:09 <jathan> Hi everybody.
18:14:14 <lamby> hi jathan
18:14:20 <vagrantc> hey all, sorry, had some unexpected surprises this morning
18:15:12 * vagrantc = Vagrant Cascadian
18:15:13 <lamby> Hope all is well
18:16:04 <bmwiedemann> #topic discuss vision of reproducible builds
18:16:10 <bmwiedemann> #link https://pad.sfconservancy.org/p/reproducible-builds-vision
18:17:32 <jathan> Hi lamby!
18:18:00 <jathan> vagrantc: I hope everything is fine.
18:18:21 <bmwiedemann> lamby or vagrantc: want to take over? This is not a good time for me.
18:19:13 <lamby> I'm probably not the best to take this (wasn't involved in the previous meeting, for example)
18:19:22 <vagrantc> some people clearly put some thought into this, thanks bmwiedemann, kpcyrd and cbaines !
18:20:58 <cbaines> I've only been adding some things in the past 20 minutes
18:21:40 <vagrantc> so, looks like the bulk of the topics were distro-specific next steps and very long term goals
18:22:29 <vagrantc> also of note, the topic of cross-distro bootstrappability :)
18:22:59 <kpcyrd> the notes I wrote are somewhat short/near term, I'm careful with long term decisions while there's still short term stuff to figure out :)
18:23:06 <bmwiedemann> there are a few overarching topics we worked on in the past such as SOURCE_DATE_EPOCH, disorderfs and diffoscope. What will the future have in that direction?
18:23:21 <vagrantc> kpcyrd: fair enough :)
18:24:09 <cbaines> While writing up notes, I remembered about https://ismypackagereproducibleyet.org/ I think I had a plan to get Guix data into that at one point. Anyway, I like the idea of viewing data from different distros in one place.
18:24:30 <kpcyrd> for example, I'd like to see rebuilders and rebuilder backends mature first before we settle on a report format. it's easier to rewrite stuff without carrying the report code around yet.
18:28:28 <vagrantc> bmwiedemann: well, i think BUILD_PATH_PREFIX_MAP is ... mostly stalled indefinitely, but at some point that could be resurrected. although maybe build paths are not a priority; relatively easy to normalize
18:29:23 <h01ger> re
18:29:39 <vagrantc> i was also intrigued by the idea of various "rings" of package sets ... somewhat similar to debian's various package sets
18:30:08 <vagrantc> #link https://tests.reproducible-builds.org/debian/bullseye/amd64/index_pkg_sets.html
18:30:46 <lamby> Like, generic, distribution-agnostic rings?
18:31:28 <vagrantc> could be something to explore ... if we're all putting energy into fixing "core" reproducibility issues, we might all get there faster ... though some of those are the hardest
18:32:08 <lamby> nod
18:33:51 <vagrantc> i don't know if it makes sense to try and schedule something like a targeted week of hacking on packages we identify as "core" issues for reproducibility across distros?
18:34:09 <h01ger> i'd think it first makes sense to identify them :)
18:34:18 <h01ger> or maybe that's the first bit of that hacking week
18:34:39 <vagrantc> well, like the link i posted above probably identifies some issues from a Debian perspective ...
18:35:14 <vagrantc> and if other distros have similar lists to share, we can compare notes, trade patches and try to get them upstream...
18:35:24 * h01ger nods
18:36:25 <vagrantc> although i think binutils and gcc in debian are possibly mostly of maintainer embedding known unreproducible build logs :(
18:37:20 <vagrantc> i think for a lot of the "make a distro fully reproducible" goals, rebuilders seem to be core to that, though each distro has specific challenges there
18:37:40 <vagrantc> but i guess maybe also coming to agreement on a known set of variations/normalizations?
18:38:34 <vagrantc> but once we have the core bootstrap, cross-distro bootstrapping might become more feasible :)
18:39:22 <bmwiedemann> it still has the same challenges of incompatible versions, but at least we can expect reproducible results then.
18:39:40 <vagrantc> right
18:41:01 <bmwiedemann> something like Guix could come in handy for the cross-distro bootstrapping, because (If I understood it correctly) can be built on different distributions and might be able to bootstrap different parts of various distributions
18:41:11 <vagrantc> oh, nice :)
18:41:41 <h01ger> personally cross-anything is outside my vision(s) currently. its so far out and we have so so many smaller and already caught fish to fry
18:42:00 <h01ger> but hey, scratch your itches :)
18:42:09 <bmwiedemann> true, it is more in the bootstrappable region
18:42:46 <vagrantc> i was also wondering ... how well known is reproducible builds in the world at large? it seems to be increasingly common among software development circles ... and sometimes in security circles ... but i also surely have a biased view
18:43:20 <vagrantc> and ... is there more we can do to ... get the word out?
18:43:39 <vagrantc> we've historically given lots of talks at many conferences ... which is a little different right now
18:43:41 <bmwiedemann> government regulations on software ?
18:44:08 <h01ger> vagrantc: well, we've given talks this year too. and 2019 is not really 'historic'
18:44:36 <bmwiedemann> you know, there was the FSFE campaign for "public money, public code" - that could be built upon, to encourage/sponsor/demand reproducible builds of that FLOSS code
18:45:11 * h01ger believes that parts of the german tech scene now reproducible builds, because when last week the free'ed version of the corona warn app was released, two features were noted: a.) free of google services b.) reproducible builds
18:45:27 <vagrantc> h01ger: that's great!
18:45:30 <h01ger> bmwiedemann: i believe r-b is part of their campaign
18:45:51 <h01ger> (and s#now#know# in the last but one line from me)
18:46:34 <bmwiedemann> h01ger: google doesn't find such claim.
18:47:04 * h01ger checks his inbox
18:49:01 <bmwiedemann> I found one FSFE r-b mention in our weekly report #198
18:49:08 <bmwiedemann> about Huawei+5G
18:51:21 <bmwiedemann> I guess, that part of r-b vision could be part of a wider vision of FLOSS adoption (or even requirement) in certain sectors
18:52:26 <lamby> I need to jump off now for a bit :)
18:52:32 <h01ger> bmwiedemann: you're right, i only found random people demanding public code should be reproducible
18:52:33 <vagrantc> lamby: thanks for dropping in
18:52:37 <h01ger> lamby: o/
18:53:28 <vagrantc> i've had a talk or two begging the question "is it really free software if it isn't reproducible" ... maybe nudging that angle a little over the coming years could be interesting
18:53:54 <vagrantc> although want to be careful not to get too adversarial
18:54:06 * h01ger has been asking that question since 3-4 years at least :)
18:54:34 <cbaines> I remember something from Marrakesh about Huawei and the UK 5G stuff. I think there was some aspect of the customer reproducing the vendor's artifacts there for security reasons.
18:54:42 <bmwiedemann> I think, we want to shift people's thinking in that direction. Proper FLOSS software should build reproducibly.
18:55:29 <h01ger> cbaines: https://www.huawei.com/en/press-events/news/2019/12/huawei-ma5800-code-evaluation-build-engineering-assessment <- page 4
18:55:48 <vagrantc> i had a never presented talk basically about the interplay between FLOSS, reproducible builds and bootstrappability making each stronger
18:56:38 <cbaines> For Guix at least, I see a clear step from the current state of "fetch a binary thing if the hash is signed and I trust the key" to "fetch a binary thing if the hash is signed by N signatures where N > 1", which will provide more security to users (providing things build reproducibly)
18:56:40 <vagrantc> it did occur to me that we could just give talks and self-publish them, rather than waiting for a conference
18:57:04 <bmwiedemann> a question on timing: do we need to wrap up, or should we continue until the topic (or the people) are exhausted
18:57:21 <vagrantc> cbaines: yeah, seems like guix is well poised to be the first to implement the end-user parts
18:57:39 * h01ger has to prepare food now, so i'll drop out.
18:57:40 <cbaines> h01ger, thanks
18:57:48 <vagrantc> #idea record presentations outside of conferences
18:58:14 <vagrantc> #idea connect with publiccode.eu about reproducible builds
18:58:51 <vagrantc> # broadly government initiatives incorporating reproducible builds
18:58:56 <vagrantc> #idea broadly government initiatives incorporating reproducible builds
18:59:06 * vagrantc hopes #idea works
18:59:28 <bmwiedemann> #save
18:59:31 <vagrantc> #idea guix could implement substitutes with N matching signatures
18:59:49 <vagrantc> bmwiedemann: we should probably wrap up
19:00:03 <vagrantc> was trying to record some of the ideas as we went in the meetbot summary
19:00:07 <cbaines> There's a link for that
19:00:10 <cbaines> #link https://lists.gnu.org/archive/html/guix-devel/2020-06/msg00179.html
19:01:00 <vagrantc> #idea hack sessions to target specific core packages
19:02:20 <vagrantc> well, shall we call it?
19:02:37 <vagrantc> bmwiedemann: i think you have the power to end this :)
19:02:44 <bmwiedemann> alright. we had a nice meeting. thanks all for the contributions.
19:02:54 <vagrantc> thanks everyone!
19:03:08 <bmwiedemann> #endmeeting