14:59:21 <h01ger> #startmeeting r-b general april 2022
14:59:21 <MeetBot> Meeting started Tue Apr 26 14:59:21 2022 UTC. The chair is h01ger. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:59:21 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:59:28 <lamby> hello MeetBot
14:59:29 <h01ger> hello again :)
14:59:39 <h01ger> the agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep
15:00:20 <h01ger> #topic welcome to this monthly meeting, please briefly introduce yourself
15:00:41 * rclobus is Roland Clobus, working on reproducible live images
15:00:45 * h01ger = Holger Levsen, working on (tests).reproducible-builds.org
15:01:33 <h01ger> vagrantc: lamby: are the AOB subtopics in the agenda still current?
15:01:34 * lamby is Chris Lamb, working on reproducibility in Debian, diffoscope and other tools and things
15:01:57 <lamby> Yep
15:02:05 <h01ger> lamby: cool then
15:03:21 * vagrantc is Vagrant Cascadian a reproducible broom pusher
15:03:29 <lamby> hah
15:03:32 * h01ger will give it 2-3 more minutes for people to reach their seats, prepare some $beverage & introduce themselves
15:04:08 <h01ger> please also dont forget to dust off your brooms
15:04:22 <vagrantc> h01ger: the tevent/samba thing is in progress
15:04:41 <h01ger> vagrantc: as in, you want the subtopic or not?
15:04:52 <vagrantc> i'll ax it
15:05:09 <h01ger> :) thank you
15:06:08 <h01ger> alright, lets start, hoping more people will show up
15:06:15 <h01ger> #topic short time slots for checkins from various projects:
15:06:34 <h01ger> #topic short time slots: Alpine Linux: status update (Ariadne, absent)
15:06:41 <h01ger> i guess we can skip this :)
15:06:53 <h01ger> (though i thought so the last time for the same reasons... ;)
15:06:56 <Ariadne> sorry i am out of office today :upside
15:06:58 <Ariadne> ...
15:07:03 <Ariadne> thanks irccloud
15:07:08 <h01ger> Ariadne: ack & enjoy!
15:07:11 <lamby> no worries, nice to see you temporarily Ariadne
15:07:29 <h01ger> #topic short time slots: Arch Linux: status update (jelle)
15:08:18 <h01ger> or Foxboron anthraxx kpcyrd :)
15:09:03 <jelle> nothing from my side
15:09:33 <h01ger> okidoki
15:09:51 <h01ger> #topic short time slots: Debian: snapshot.d.o mirror status update (fepitre)
15:09:56 <h01ger> oh, hi, fepitre :))
15:12:36 <h01ger> fepitre: if you have something to add later, please do
15:12:50 <rclobus> snapshot.d.o is still working fine, I'm using it.
15:12:51 <h01ger> #topic short time slots: Debian: rebuilder (beta.t.r-b.o) status update (h01ger)
15:13:01 <fepitre> h01ger, hi, sorry I'm here just a few secs: nothing particular happened on snapshot.notset.fr
15:13:22 <h01ger> fepitre: hi! dont worry and thanks for joining in!
15:13:34 <h01ger> today seems to be a pretty short meeting anyhow...
15:13:44 <h01ger> also no news on the debian rebuilder...
15:13:48 <fepitre> for beta.t.r-b.o you may have seen that bookworm and sid are close to 90% repro
15:14:05 <fepitre> I've had a few runner issues a few days ago, I hope it is solved
15:14:08 <h01ger> do you know why the change?
15:14:20 <fepitre> change of?
15:14:38 <fepitre> what I meant is that the amount of rebuild done
15:14:45 <vagrantc> i also noticed that the various suites were split into their own pages, thanks!
15:14:54 <fepitre> yes I did that very quickly
15:14:55 <h01ger> fepitre: ah
15:15:04 <fepitre> because the backend json was enormous
15:15:52 <lamby> How big, out of interest? :)
15:16:03 <fepitre> ~ 150mb
15:16:12 <fepitre> if I remember correctly
15:16:22 <h01ger> fepitre: looking at the pages again, i (still) think the pie charts are great but i would also like to see those numbers as numbers in some table besides them...
15:16:27 <fepitre> I definitively need to add an API for retrieving things etc
15:16:29 <h01ger> ouch (150mb)
15:16:32 <lamby> :)
15:17:24 <h01ger> alright then...
15:17:28 <h01ger> #topic short time slots: Debian: live-build (rclobus)
15:17:31 <rclobus> As usual, I've prepared an overview of my activities in the last month.
15:17:35 <h01ger> \o/
15:17:36 <rclobus> #info https://lists.reproducible-builds.org/pipermail/rb-general/2022-April/002540.html
15:17:38 <rclobus> Summary: all images are now (forced to be) reproducible
15:18:01 <rclobus> My primary focus was a stand-alone script to rebuild live images.
15:18:04 <rclobus> That script is currently live in Jenkins, but I'm having a configuration issue at the moment
15:18:08 <rclobus> #link https://jenkins.debian.net/view/live/
15:18:30 <h01ger> excellent news & progress!
15:18:42 <rclobus> My second focus was the reproducibility of the Cinnamon live image.
15:18:45 <rclobus> It turned out to be the hash seed in Lua.
15:18:48 <rclobus> The hash seed can be set in Perl and Python, but not (yet?) in Lua.
15:18:51 <rclobus> mapreri suggested to only use SOURCE_DATE_EPOCH, not to introduce something like LUA_HASH_SEED
15:18:54 <rclobus> Anyway the texlive team will probably use FORCE_SOURCE_DATE=1 combined with SOURCE_DATE_EPOCH, if they accept my patch
15:18:59 <rclobus> #link https://reproducible-builds.org/docs/stable-outputs/
15:19:39 <rclobus> And now my focus turned to openQA, for testing the live images and also the Debian installer
15:19:44 <rclobus> That is ongoing :-)
15:20:04 <vagrantc> very nice!
15:20:07 <h01ger> yes, its pretty unfortunate that texlive only respects SOURCE_DATE_EPOCH (S_D_E) if FORCE_SOURCE_DATE=1 is set. i very much hope lua will not follow path and instead simply rely on S_D_E if its set
15:20:22 <lamby> h01ger: yeah. :/
15:20:24 <vagrantc> curious about texlive ?
15:20:45 <h01ger> vagrantc: ?
15:21:10 <vagrantc> rclobus: what do you mean by the "texlive team will probably use FORCE_SOURCE_DATE=1 ..." ?
15:21:17 <rclobus> Lua is embedded in several Debian packages, I hope they will (after I write them) accept only SOURCE_DATE_EPOCH.
15:21:35 <vagrantc> i know about FORCE_SOURCE_DATE and texlive, but curious if there are new developments around that
15:21:42 <rclobus> The Texlive team uses additionally the value one for FORCE_SOURCE_DATE. Only then will they use SOURCE_DATE_EPOCH
15:22:21 <vagrantc> yeah, i know about that ... but what patch are you talking about?
15:22:24 <rclobus> There was some concern about security issues, when I proposed to fix the seed for the hashes.
15:22:45 <jelle> hmmmm interesting, only see FORCE_SOURCE_DATE being used twice in arch packages
15:22:53 <rclobus> #link https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009196
15:22:58 <vagrantc> jelle: just set it globally :)
15:23:07 <jelle> vagrantc: that's what I'm considering yes :)
15:23:07 <vagrantc> rclobus: thanks!
15:23:28 <h01ger> *g* (set it globally)
15:23:34 <vagrantc> jelle: the debian texlive folks refuse to do that because upstream doesn't, but ... at least some distros can benefit :)
15:23:38 <h01ger> seems legit too
15:23:48 <bmwiedemann> openSUSE sets it
15:23:49 <rclobus> I think that I convinced them that reproducible images *also* provide a kind of security
15:24:00 <h01ger> so, we want r-b for our distro, so lets set it unconditionally
15:24:16 <jelle> vagrantc: but hmm I don't see too many lua packages being unreproducible however
15:24:41 <rclobus> Lua proposes to sort the tables.
15:24:59 <bmwiedemann> https://github.com/openSUSE/post-build-checks/blob/master/suse-buildsystem.sh#L9
15:25:24 <h01ger> bmwiedemann: interesting
15:25:27 <rclobus> For Texlive, there was already much done several years ago, but they apparently missed the list of abbreviation exceptions (which contains 14 words)
15:25:42 <h01ger> shall we move on or continue discussing lua/texlive here?
15:25:43 <lamby> huh :)
15:26:15 <rclobus> If this meeting has a proposal how to proceed... Please do so.
15:26:39 <rclobus> Otherwise I'll write them somewhere next month with the proposal for SOURCE_DATE_EPOCH as the hash seed.
15:26:45 <h01ger> well, next topic it would be
15:26:55 <h01ger> rclobus: sounds great
15:27:36 <h01ger> #topic short time slots: F-Droid (obfusk)
15:27:41 <h01ger> or _hc ?
15:30:10 <h01ger> alright
15:30:13 <h01ger> #topic short time slots: openSUSE: (bmwiedemann)
15:30:29 <h01ger> bmwiedemann: any news to report here?
15:31:26 <bmwiedemann> I was not able to spend much time here, so mostly the normal operations of rebuilding and checking diffs.
15:31:52 <bmwiedemann> However, I got my talk accepted to SupplyChainSecurityConf (see 2022-04 report)
15:32:15 <h01ger> coolio!
15:32:16 <lamby> congrats, bmwiedemann
15:32:21 <bmwiedemann> and the 1h rb workshop in Nuremberg early June will also be on the openSUSE conf schedule
15:32:33 <h01ger> thats quite some news :)
15:33:09 <h01ger> #topic short time slots: rebuilderd: status update (kpcyrd, absent)
15:33:19 <h01ger> i guess we can move on here too...
15:33:20 <lamby> bmwiedemann: Nearer the time, lets sync up so we can do extra and more timely announcements on Twitter
15:33:44 <h01ger> #topic short time slots: OpenWrt: reboot of rebuilder (aparcar)
15:34:52 <h01ger> aparcar[m]: ^
15:36:37 <h01ger> ok..
15:36:40 <h01ger> #topic r-b summit 2022 (mapreri)
15:37:00 <h01ger> i guess no mapreri here neither today. :/
15:37:16 <lamby> aw. :)
15:37:18 <vagrantc> nearly deterministic scheduling today...
15:38:38 <h01ger> #topic Any Other Business (AOB)
15:38:42 <h01ger> #topic AOB: list discussion about reproducible builds usefulness in real life
15:38:52 <h01ger> lamby: ^
15:39:31 <lamby> This thread is a little old now and probably isn't worth restarting it now, but just to say thanks to all for contributing to it.
15:40:10 <h01ger> +1 from me.
15:40:17 <lamby> The only thing I will say is that please do look out for news stories that might have been prevented by reproducible builds
15:40:37 <lamby> These examples really help make it clear to people and projects that they should prioritise it above other things
15:40:45 * vagrantc keeps eyes peeled
15:40:47 <lamby> .
15:41:39 <h01ger> #topic AOB: Hamburg Debian Reunion 2022
15:41:48 <h01ger> #info https://wiki.debian.org/DebianEvents/de/2022/DebianReunionHamburg
15:42:11 <lamby> "Monday May 23 2022 until Monday May 30 2022."
15:42:24 <h01ger> its a debian hacking event, from may 23rd until the 30th, where we'll be happy to welcome non debian folks working on r-b or other parts of free software too
15:43:24 <h01ger> 41 people have registered so far, and there's approx 10 on site beds still left.. (see wiki page for more details)
15:43:29 <h01ger> .
15:43:57 <lamby> That's good numbers
15:45:27 <h01ger> #topic any other business?
15:46:29 <lamby> none here
15:46:58 <bmwiedemann> Q for lamby: was "bad" in that email thread meant as intentional/malicious?
15:47:51 <lamby> bmwiedemann: Yes it was. Did you interpret it another way? :)
15:48:09 <bmwiedemann> yes
15:49:02 <vagrantc> inquiring minds want to know
15:49:13 <bmwiedemann> Hanlon's Razor applies in that space, too... there is so much around that can be explained by laziness/stupidity
15:51:06 <lamby> oh thats true
15:51:31 <lamby> I think my primary goal in that thread was to find attacks (ie. malicious, intentional, etc.)
15:51:57 <lamby> But I didn't mind that it went in a slightly different direction. :)
15:52:00 <vagrantc> though, a bug is a bug, and an accidental bug could still be exploited for attacks at times
15:52:37 <bmwiedemann> I was also thinking, that the prevention paradox might be relevant here.
15:53:09 <bmwiedemann> People brush their teeth, even though they never experienced tooth decay
15:53:34 <vagrantc> prevention is just never as exciting as disaster
15:53:47 <vagrantc> which has horrible consequences for outcomes...
15:53:57 <bmwiedemann> "There is no glory in prevention" goes a saying
15:55:01 <bmwiedemann> But I got the feeling, SLSA4 and such can make a difference
15:56:30 <h01ger> alright, let's wrap this up, shall we?
15:56:40 <vagrantc> thanks everyone!
15:56:50 <h01ger> thank you everyone!
15:56:56 <rclobus> Thanks for the meeting.
15:57:17 <h01ger> #info next meeting will be on Tuesday, May 30th 2022 at 15 UTC on this irc channel.
15:57:28 <vagrantc> rclobus: really hope you can convince the lua folks to avoid the silliness of FORCE_SOURCE_DATE :)
15:57:36 * h01ger wishes good times to everyone too
15:57:42 <h01ger> o/
15:57:46 <vagrantc> \o
15:57:57 <h01ger> #endmeeting