[Reproducible-commits] [presentations] 01/02: add questions to the audience. plan what to discuss beyond reproducible builds

Holger Levsen holger at moszumanska.debian.org
Sat Nov 7 11:00:25 UTC 2015


This is an automated email from the git hooks/post-receive script.

holger pushed a commit to branch master
in repository presentations.

commit d7b3eabdb3804b1d38ead9cdb3074a614cc90561
Author: Holger Levsen <holger at layer-acht.org>
Date:   Sat Nov 7 10:30:39 2015 +0000

    add questions to the audience. plan what to discuss beyond reproducible builds
---
 .../2015-11-06-MiniDebConfCambridge.tex            |  7 +++--
 2015-11-06-MiniDebConfCambridge/notes              | 36 ++++++++++++++++++++++
 2 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/2015-11-06-MiniDebConfCambridge/2015-11-06-MiniDebConfCambridge.tex b/2015-11-06-MiniDebConfCambridge/2015-11-06-MiniDebConfCambridge.tex
index 03f6ee3..5b5544b 100644
--- a/2015-11-06-MiniDebConfCambridge/2015-11-06-MiniDebConfCambridge.tex
+++ b/2015-11-06-MiniDebConfCambridge/2015-11-06-MiniDebConfCambridge.tex
@@ -165,9 +165,10 @@
 \begin{frame}
  \frametitle{Who are you?}
  \begin{itemize}
-  \item Who is…
-  \item \only<2-3>{Who is…}
-  \item \only<3>{Who…}
+  \item Who has seen a previous talk about reproducible builds this year?
+  \item \only<2-3>{Who has contributed to this effort?}
+  \item \only<3>{Who thinks "packages should produce reproducible binaries"
+  should be added to policy now?}
  \end{itemize}
 \end{frame}
 
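Review bot: In the second and third `\item` lines the overlay spec sits on `\only` inside the item, so the bullet markers are drawn on every slide of the frame and stay empty until the text is uncovered. Putting the spec on the item itself, e.g. `\item<2-> Who has contributed to this effort?` and `\item<3> Who thinks ...`, reveals bullet and text together. The straight `"` quotes around `packages should produce reproducible binaries` should also be LaTeX quotes (two backticks to open, two apostrophes to close), since with the default font encoding both straight quotes come out as closing quotes.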
diff --git a/2015-11-06-MiniDebConfCambridge/notes b/2015-11-06-MiniDebConfCambridge/notes
index e781670..e0a1bf2 100644
--- a/2015-11-06-MiniDebConfCambridge/notes
+++ b/2015-11-06-MiniDebConfCambridge/notes
@@ -9,6 +9,42 @@ the last 33% = end user tools)
 
 - adopt slide title, etc., add lamby, also his fingerprint
 
+- show package sets in more detail?
+- which screenshots to show?
+
+- Summary
+-- we have shown that reproducible builds are doable in theory and practice.
+-- we have patches (well, except for dak) to make 85% reproducible now.
+-- "in theory"
+
+- debian release process
+-- in our current design and practices, rebuilding stretch will require package versions which are not part of stretch
+-- this will also put a high load on snapshot.debian.org
+-- rebuilding all of debian a month prio the release? I don't think the release team will like this.
+-- so?
+
+- rebuilders and sharing signed checksums
+-- almost no work has been done here
+-- individuelly signed checksums (think web of trust) could work in the Debian case (we have a gpg web of trust), but wont scale
+-- so I think we need systematic rebuilders, run by large organisations (ACLU, NASA, NSA, Deutsche Bank, EDF & Greenpeace)
+--- so we need automated installers and howtos for those who set up these builders
+-- and then we a system to sign those checksums and share them
+--- append only logs (-> binary transparency logs)
+
+- end user tools
+-- do you really want to install this unreproducible package? (y/N)
+-- how many signed checksums do you require to call a package "reproducible"?
+-- do you want to build those packages which unconfirmed checksums, before installing?
+-- which rebuilders do you want to trust?
+-- "rebuilders and sharing signed checksums" needs to be designed (and probably at least partly implemented) before thinking more about end user tools. It's just clear we need them.
+
+- questions / room for discussion
+
+
+- help needed
+-- DSA offers to give us more hardware (other archs, ppc64el), but is (rightfully) unhappy with our over usage of sudo
+-- please help
+
 
 nice to have
 ------------
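Review bot: Under "rebuilders and sharing signed checksums", the line `-- and then we a system to sign those checksums and share them` is missing its verb (presumably "need"), and nearby lines carry typos worth fixing before these notes are reused: `prio` (prior), `individuelly` (individually), `wont` (won't) and `which unconfirmed checksums` (with). The bare `-- "in theory"` under Summary and `-- so?` under the release process have no content yet; either fill them in or mark them as open points. The `-- please help` item would be more useful if it said what kind of help is wanted with the sudo usage DSA is unhappy about.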

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/presentations.git


