[Reproducible-commits] [presentations] 01/01: Misc/many updates
Chris Lamb
lamby at moszumanska.debian.org
Thu Dec 10 09:45:31 UTC 2015
commit 250f1e3b4ec81d548d4b146423f8eb38cc92b71f
Author: Chris Lamb <lamby at debian.org>
Date: Thu Dec 10 11:44:45 2015 +0200
Misc/many updates
---
...12-10-skroutz.gr-Beyond-Reproducible-builds.tex | 461 ++++++---------------
1 file changed, 130 insertions(+), 331 deletions(-)
diff --git a/2015-12-10-skroutz.gz/2015-12-10-skroutz.gr-Beyond-Reproducible-builds.tex b/2015-12-10-skroutz.gz/2015-12-10-skroutz.gr-Beyond-Reproducible-builds.tex
index 1effdb0..84e52db 100644
--- a/2015-12-10-skroutz.gz/2015-12-10-skroutz.gr-Beyond-Reproducible-builds.tex
+++ b/2015-12-10-skroutz.gz/2015-12-10-skroutz.gr-Beyond-Reproducible-builds.tex
@@ -88,108 +88,53 @@
\setbeamercolor{block title}{fg=debianblue}
-\title[Reproducible Builds]{Reproducible Builds}
+\title[Reproducible Builds]{Reproducible Builds: \\ The original promise of free software}
\author[lamby]{%
\texorpdfstring{
\centering
Chris Lamb \\
\href{mailto:lamby at debian.org}{lamby at debian.org}
+ \\
+ \\
+ @lambyuk
}{lamby}}
-\institute[Debian]{}
\date[skroutz.gr '15]{%
skroutz.gr (Athens, Greece)\\
\small{2015-12-10}}
\begin{document}
-\begin{frame}
- \titlepage
-\end{frame}
+\section{About}
-\begin{frame}
- \frametitle{Debian reproducible builds team}
- \begin{center}
- \begin{columns}
- \small
- \column{.33\linewidth}
- {akira} \\
- {Andrew Ayer} \\
- {Asheesh Laroia} \\
- \only<1>{Chris Lamb}\only<2>{{\color{debianblue} Chris Lamb}} \\
- {Chris West} \\
- {Christoph Berg} \\
- {Daniel Kahn Gillmor} \\
- David Suarez \\
- {Dhole} \\
- Drew Fisher \\
- Esa Peuha \\
- {Guillem Jover} \\
- \column{.33\linewidth}
- Hans-Christoph Steiner \\
- {Helmut Grohne} \\
- {Holger Levsen} \\
- {Jelmer Vernooij} \\
- {josch} \\
- Juan Picca \\
- {Lunar} \\
- Mathieu Bridon \\
- {Mattia Rizzolo} \\
- Nicolas Boulenguez \\
- {Niels Thykier} \\
- Niko Tyni \\
- \column{.33\linewidth}
- {Paul Wise} \\
- Peter De Wachter \\
- Philip Rinn \\
- {Reiner Herrmann} \\
- {Stefano Rivera} \\
- {Stéphane Glondu} \\
- {Steven Chamberlain} \\
- Tom Fitzhenry \\
- Valentin Lorentz \\
- {Wookey} \\
- {Ximin Luo} \\
- \end{columns}
- \end{center}
+\begin{frame}[fragile]
+ \frametitle{The problem}
+ \begin{itemize}
+ \item Anyone can the source code of free software
+ \item But distributions provide compiled packages
+ \item Can we trust this process?
+ \end{itemize}
\end{frame}
-\begin{frame}
- \frametitle{Who are you?}
+\begin{frame}[fragile]
\begin{itemize}
- \item Contributed to Free Software?
- \item<2-3> Seen a talk about reproducible builds this year?
- \item<3> Contributed to this effort?
+ \item \texttt{CVE-2002-0083}: remote root exploit in OpenSSH - single bit difference in binary
+ \item Financial incentives to crack developer machines
+ \item Apple SDK
+ \item Rootkit modifying the source code in memory only
\end{itemize}
\end{frame}
-\section{About}
-
\begin{frame}
- \frametitle{The problem}
-
\begin{center}
\includegraphics[width=0.7\textwidth]{images/31c3.png}
-
+ \\
Available on \url{media.ccc.de}, 31c3
\end{center}
\end{frame}
\begin{frame}[fragile]
- \frametitle{A few example's from that 31c3 talk}
- \begin{itemize}
- \item CVE-2002-0083: remote root exploit in \texttt{sshd}, a single bit difference in binary
- \item 31c3 talk: live demo with kernel module modifying source code in memory only
- \item financial incentives to crack developer machines…
- \item how can you be sure what's running on your machine or on a build
- daemon network? Do you ever leave your USB3 ports alone?
- \end{itemize}
-\end{frame}
-
-\begin{frame}[fragile]
- \frametitle{Another example from real life}
-
- At a CIA conference in 2012:
+ CIA conference in 2012:
\begin{center}
\includegraphics[width=0.8\textwidth]{images/strawhorse.png}
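Review bot: The first bullet of the new "The problem" frame on L89 is missing its verb, `\item Anyone can the source code of free software`; it should read `\item Anyone can read the source code of free software` (or "inspect"). The frame starting on L96 lost its `\frametitle` together with the removed "Who are you?" lines, so the slide listing the CVE-2002-0083 / rootkit examples now has no heading; the old frame at L120 carried "A few example's from that 31c3 talk", so a line such as `\frametitle{Why it matters}` would restore that context. On L101 the bare hyphen in `OpenSSH - single bit difference` should be an em-dash `---` or a colon, and `\item Apple SDK` on L103 is terse enough that a reader of the source cannot tell which incident is meant, so a short parenthetical would help if a specific one is intended.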
@@ -199,102 +144,53 @@
\end{center}
\end{frame}
-
-\begin{frame}
- \frametitle{The solution}
-
- \begin{center}
- \Large{
- Promise that anyone can always generate
- identical binary packages
- from a given source}
-\end{center}
-\end{frame}
-
-
-\begin{frame}
+\begin{frame}[fragile]
\frametitle{The solution}
-
- \begin{center}
- We call this:
-
- \Huge{ “Reproducible builds” }
- \end{center}
-\end{frame}
-
-\section{Progress}
-
-\begin{frame}[plain]
- \frametitle{Progress in Debian \texttt{unstable}}
- \begin{center}
- \includegraphics[height=0.73\paperheight]{images/stats_pkg_state.png}
-
- \footnotesize{19,257 out of 23,141 source packages are reproducible \\
- in our test framework}
- \vfill
- \end{center}
+ \begin{itemize}
+ \item Promise that compilation always produces the same result
+ \item Bit-for-bit identical
+ \item Multiple people verify and compare signatures
+ \item Attacker needs to infect all developers simultaneously
+ \end{itemize}
\end{frame}
-\begin{frame}
- \frametitle{What we did in Debian since Summer 2014}
-
+\begin{frame}[fragile]
+ \frametitle{Current projects}
\begin{itemize}
- \item Agreed on using a fixed build path: \texttt{/build/}
- \item Recording the build environment: \texttt{.buildinfo}
- \item \texttt{strip-nondeterminism}
- \item \texttt{reproducible.debian.net}
- \item \texttt{diffoscope} (formerly \texttt{debbindiff})
- \item \texttt{SOURCE\_DATE\_EPOCH}
- \item \texttt{disorderfs}
- \item 700+ patches: \texttt{dpkg}, \texttt{debhelper}, \texttt{sbuild}, …
- \item<2> Tell the world \& collaborate
+ \item Tor, Bitcoin, etc
+ \item Need an entire operating system
\end{itemize}
\end{frame}
-
-\begin{frame}
- \frametitle{Tell the world \& collaborate}
-
+\begin{frame}[fragile]
+ \frametitle{Technical advantages}
\begin{itemize}
- \item Recent talks (some available with subtitles):
- \begin{itemize}
- \item 2015-08-13: Chaos Communication Camp 2015
- \item 2015-08-20: DebConf15
- \item 2015-11-08: Mini-DebConf Cambridge 2015
- \end{itemize}
- \item Weekly reports since May 2015
- \item Summit in December 2015 (Athens)
- \begin{itemize}
- \item 40 people from 16 projects
- \end{itemize}
+ \item Unsafe/unreliable behaviour (eg. internet access)
+ \item Non-deterministic behaviour
+ \item Being able to "go back in time"
+ \item Detect corrupted build environments
+ \item Easier to test changes/revisions
\end{itemize}
\end{frame}
-\begin{frame}
- \frametitle{Tell the world \& collaborate, cont.}
+\section{Progress in Debian}
- \begin{itemize}
- \item \texttt{https://reproducible-builds.org}
- \end{itemize}
+\begin{frame}[plain]
+ \frametitle{Progress in Debian \texttt{unstable}}
\begin{center}
- \includegraphics[width=0.7\textwidth]{images/rbwww1.png}
+ \includegraphics[height=0.73\paperheight]{images/stats_pkg_state.png}
+
+ \footnotesize{19,257 out of 23,141 packages are reproducible}
+ \vfill
\end{center}
\end{frame}
\begin{frame}
- \frametitle{Stats about reproducible.debian.net}
+ \frametitle{reproducible.debian.net}
\begin{itemize}
- \item Continuously testing Debian testing, unstable and experimental
- \begin{itemize}
- \item \small{ \texttt main only }
- \item \small{ can we build \texttt contrib without legal troubles? }
- \end{itemize}
- \item Also testing coreboot, OpenWrt, NetBSD, FreeBSD,
- Archlinux and soon Fedora
- \begin{itemize}
- \item \small{ those currently only weekly though… }
- \end{itemize}
+ \item Continuously testing \texttt{testing}, \texttt{unstable} and \texttt{experimental}
+ \item Also testing coreboot, OpenWrt, NetBSD, FreeBSD and Archlinux.
\end{itemize}
\vfill
\begin{center}
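Review bot: The straight double quotes on L221, `\item Being able to "go back in time"`, are typeset by LaTeX as two closing quotes; write `\item Being able to ``go back in time''` (or `\enquote{}` via csquotes). On L219 `eg.` should be `e.g.\ ` so the abbreviation's period is not treated as a sentence end. L179, `Attacker needs to infect all developers simultaneously`, presumably means every independent (re)builder rather than every developer, since the argument made by L178 is that several parties verify and compare signatures; `all independent builders` would state the threat model precisely. Trailing punctuation is also inconsistent between L256 (none) and L257 (period).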
@@ -304,14 +200,11 @@
\begin{frame}
- \frametitle{More stats on reproducible.debian.net}
-
+ \frametitle{reproducible.debian.net}
\begin{itemize}
\item 122 jenkins jobs running on 12 hosts
- \item 27 contributors for \texttt{jenkins.debian.net.git}
- \item 4k lines of Python and 5k lines Bash code
\item \texttt{amd64}: 111 cores and 198 GB RAM split on 9 VMs, provided by
- https://profitbricks.co.uk
+ ProfitBricks
\item \texttt{armhf}: 18 cores and 9 GB RAM on 6 systems, provided by vagrant at d.o.
\end{itemize}
\begin{center}
@@ -320,27 +213,8 @@
\end{center}
\end{frame}
-\begin{frame}
- \frametitle{Good to know about reproducible.debian.net}
-
- \begin{itemize}
- \item \url {https://reproducible.debian.net/$src}
- \item<2-3> { 165 categorised distinct issues }
- \item<2-3> { 3,496 packages to be fixed in \texttt{sid}, but only 426 without annotated
- issues }
- \item<3> { 29 different "package sets", eg. \texttt{build-essential} is only 78\%
- reproducible
- \begin{center}
- \includegraphics[height=0.5\paperheight]{images/stats_meta_pkg_state_build-essential.png}
- \vfill
- \end{center}
- }
- \end{itemize}
-\end{frame}
-
-
\begin{frame}[fragile]
- \frametitle{Variations on reproducible.debian.net}
+ \frametitle{Variations}
\begin{center}
\begin{table}
@@ -370,6 +244,24 @@ hour, minute & \multicolumn{2}{l}{hour is usually the same… usually, the minut
\end{center}
\end{frame}
+\begin{frame}
+ \frametitle{Publicity}
+ \begin{itemize}
+ \item Recent talks (some available with subtitles):
+ \begin{itemize}
+ \item 2015-08-13: Chaos Communication Camp 2015
+ \item 2015-08-20: DebConf15
+ \item 2015-11-08: Mini-DebConf Cambridge 2015
+ \end{itemize}
+ \item Weekly reports since May 2015
+ \item Summit in December 2015 (Athens)
+ \begin{itemize}
+ \item 40 people from 16 projects
+ \end{itemize}
+ \item LWN articles
+ \item Lots of press
+ \end{itemize}
+\end{frame}
{
\usebackgroundtemplate{%
@@ -380,25 +272,20 @@ hour, minute & \multicolumn{2}{l}{hour is usually the same… usually, the minut
\end{tikzpicture}%
}
\begin{frame}{diffoscope}
- \frametitle{Debugging problems: diffoscope}
-
+ \frametitle{diffoscope}
\begin{itemize}
- \item Examines differences \textbf{in depth}.
- \item Outputs HTML or plain text with human readable differences.
+ \item Examines differences \textbf{recursively}
+ \item Outputs HTML / text with human readable differences.
\item Recursively unpacks archives, uncompresses PDFs, disassembles
- binaries, unpacks Gettext files, …
- \item Easy to extend to new file formats.
- \item Falls back to binary comparison.
- \item Available from \texttt{git}, PyPI, Debian (sid and stretch), \\
- Arch Linux, Guix, Homebrew.
- \item Maintainers in other distros wanted.
+ binaries, unpacks Gettext files, etc
+ \item Falls back to binary comparison
+ \item Available from \texttt{git}, PyPI, Debian, Archlinux, Guix, Homebrew
\item \url{http://diffoscope.org/}
\end{itemize}
\end{frame}
}
\begin{frame}
- \frametitle{diffoscope example (HTML output)}
\begin{tikzpicture}[remember picture]
\node[at=(current page.center)] {
\includegraphics[width=0.9\paperwidth]{images/diffoscope_example_html.png}
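Review bot: `\frametitle{diffoscope}` on L332 now duplicates the title already supplied by `\begin{frame}{diffoscope}` on L329, so one of the two can be dropped; the old `\frametitle` only earned its place while it differed from the frame argument. The bullet list mixes terminal punctuation, L337 ends with a period while L336, L345, L346 and L347 do not, and `etc` on L345 should be `etc.` if the period style is kept. L353 removes the title of the HTML-output example frame; if that is deliberate for the full-page screenshot it is fine, otherwise restore `\frametitle{diffoscope example (HTML output)}`. The enclosing `{ \usebackgroundtemplate ... }` group starts before this hunk.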
@@ -406,80 +293,60 @@ hour, minute & \multicolumn{2}{l}{hour is usually the same… usually, the minut
\end{tikzpicture}
\end{frame}
-\begin{frame}
- \frametitle{\texttt{SOURCE\_DATE\_EPOCH}}
-
- \begin{itemize}
- \item Build date usually not useful for the user
- \item Value of \texttt{SOURCE\_DATE\_EPOCH} instead of current date \& for other seeds
- \item In Debian, set from the latest \texttt{debian/changelog} entry
- \item General solution for other projects \& distributions
- \end{itemize}
-\end{frame}
-
-\section{Beyond building}
-
-\begin{frame}
- \frametitle{Reproducible builds demand a defined build environment}
- \begin{itemize}
- \item Re-creating an identical build environment is mandatory too.
- \item Without an identical build environment, reproducible builds will only
- happen by sheer luck.
- \item<2>{Only solved for Debian right now and currently proof of concept only…}
- \end{itemize}
-\end{frame}
-
-\begin{frame}
- \frametitle{Debian release process}
- \begin{itemize}
- \item In our current design and practices, rebuilding stretch will require
- package versions which are not part of stretch.
- \item This design might put a high load on snapshot.debian.org.
- \item<2-4>{Rebuilding all of Debian a month prio the release? }
- \item<3-4>{Cross-builds could even speed up slow archs.}
- \item<4>{More discussions needed. Freeze probably on November 5th 2016.}
- \end{itemize}
-\end{frame}
-
-\begin{frame}
- \frametitle{Distributing \texttt{.buildinfo} files}
- \begin{itemize}
- \item Probably 100,000 new files per Debian suite; 50\% increase per suite
- \item Mirrors would not be happy, so should not go there
- \item We'll need more files when we have detached signatures
- \item<2>{Revoking signatures?}
- \item<2>{...}
- \end{itemize}
-\end{frame}
-
-\begin{frame}
- \frametitle{Rebuilders and sharing signed checksums}
- \begin{itemize}
- \item Almost no work has been done here yet.
- \item<2-3> Continuous rebuilds should happen in a systematic way and resulting
- checksums properly published.
- \item<3> And then we need a system to sign those checksums and share them.
- \end{itemize}
-\end{frame}
+\section{Want to help?}
\begin{frame}
- \frametitle{Rebuilders and sharing signed checksums, cont.}
- \begin{itemize}
- \item Individuelly signed checksums (think web of trust) could work in the
- Debian case (we have a gpg web of trust), but won't scale.
- \item<2-4> { We'll probably could use systematic rebuilders, run by large organisations
- (ACLU, CCC, CERN, DECIX, DESY, Deutsche Bank, EDF, EON, Greenpeace, NASA, NSA, XYZ).}
- \item<3-4> { …and automated installers for those… }
- \item<4> { …and howtos (\texttt {gpg --gen-key})…}
- \end{itemize}
+ \frametitle{Debian reproducible builds team}
+ \begin{center}
+ \begin{columns}
+ \small
+ \column{.33\linewidth}
+ {akira} \\
+ {Andrew Ayer} \\
+ {Asheesh Laroia} \\
+ \only<1>{Chris Lamb}\only<2>{{\color{debianblue} Chris Lamb}} \\
+ {Chris West} \\
+ {Christoph Berg} \\
+ {Daniel Kahn Gillmor} \\
+ David Suarez \\
+ {Dhole} \\
+ Drew Fisher \\
+ Esa Peuha \\
+ {Guillem Jover} \\
+ \column{.33\linewidth}
+ Hans-Christoph Steiner \\
+ {Helmut Grohne} \\
+ {Holger Levsen} \\
+ {Jelmer Vernooij} \\
+ {josch} \\
+ Juan Picca \\
+ {Lunar} \\
+ Mathieu Bridon \\
+ {Mattia Rizzolo} \\
+ Nicolas Boulenguez \\
+ {Niels Thykier} \\
+ Niko Tyni \\
+ \column{.33\linewidth}
+ {Paul Wise} \\
+ Peter De Wachter \\
+ Philip Rinn \\
+ {Reiner Herrmann} \\
+ {Stefano Rivera} \\
+ {Stéphane Glondu} \\
+ {Steven Chamberlain} \\
+ Tom Fitzhenry \\
+ Valentin Lorentz \\
+ {Wookey} \\
+ {Ximin Luo} \\
+ \end{columns}
+ \end{center}
\end{frame}
-\section{Want to help?}
-
\begin{frame}
\frametitle{As a developer}
\begin{itemize}
+ \item Build something twice, run diffoscope on the result
\item Stop using build dates
\item Use \texttt{SOURCE\_DATE\_EPOCH} instead
\item See \url{https://reproducible-builds.org/specs/}
@@ -487,98 +354,30 @@ hour, minute & \multicolumn{2}{l}{hour is usually the same… usually, the minut
\end{frame}
\begin{frame}
- \frametitle{Get involved - learning by doing}
+ \frametitle{Join the team}
\begin{itemize}
- \item Test for yourself:
- \begin{itemize}
- \item Build something twice, run diffoscope on the results
- \begin{itemize}
- \item For better results use our “reproducible” repository, \texttt{pbuilder} and a custom config
- \end{itemize}
- \end{itemize}
- \item Docs on the web: \\
- \small{\url{https://reproducible-builds.org/docs/}} \\
- \small{\url{https://wiki.debian.org/ReproducibleBuilds/ExperimentalToolchain}}
- \item Ask for help on \texttt{\#debian-reproducible} or on mailing list
+ \item Fix individual issues
+ \item Fix toolchain issues
+ \item Identify issues / document solutions
+ \item \texttt{reproducible.d.n}, diffoscope, other tools
+ \item Write documentation and talk to the world
\end{itemize}
\end{frame}
\begin{frame}
- \frametitle{Join the team!}
-
- \begin{itemize}
- \item Why?
- \begin{itemize}
- \item \heartsuit{}\heartsuit{}\heartsuit{} Lovely group of people \heartsuit{}\heartsuit{}\heartsuit{}
- \item Learn something new everyday
- \item Change the (software) world!
- \end{itemize}
- \item What do we do?
- \begin{itemize}
- \item Review packages
- \item Identify issues and document solutions
- \item \texttt{reproducible.d.n}, diffoscope, strip-nondeterminism
- \item Propose changes for toolchain
- \item Submit patches for individual packages
- \item Write more general documentation and talk to the world
- \end{itemize}
- \end{itemize}
-\end{frame}
-
-\begin{frame}
- \frametitle{Create a new team!}
-
- \begin{itemize}
- \item Why?
- \begin{itemize}
- \item Every distribution should be reproducible!
- \item Learn something new everyday
- \item Change the (software) world!
- \end{itemize}
- \item How to get started?
- \begin{itemize}
- \item Talk to me here or talk to us on IRC or via mail.
- \item RTFM, there is lots of documentation
- \item Experiment - learning by doing
- \end{itemize}
- \end{itemize}
-\end{frame}
-
-\section{Questions, comments, ideas?}
-
-\begin{frame}
- \frametitle{Questions, comments, ideas?}
-
- \begin{itemize}
- \item \url{https://reproducible-builds.org}
- \item \url{https://reproducible.debian.net}
- \item \texttt{\#debian-reproducible} on \texttt{irc.OFTC.net}
- \end{itemize}
-\end{frame}
-
-
-\begin{frame}
- \frametitle{Thanks!}
-
- \begin{itemize}
- \item Debian “Reproducible Builds” team \\
- {\small (you are just \textbf{so} awesome!)}
- \item Linux Foundation and the Core Infrastructure Initiative
-\end{itemize}
-
\begin{center}
- \includegraphics[height=0.1\paperheight]{images/linux_foundation_logo.png}
- \hspace{0.1\paperwidth}
- \includegraphics[height=0.1\paperheight]{images/cii_logo.png}
+ @lambyuk \\
+ \texttt{https://chris-lamb.co.uk}
\end{center}
\vfill
+
\begin{center}
\resizebox{0.8\textwidth}{!}{%
\begin{tabular}{rl}
\texttt{lamby at debian.org} & \texttt{C2FE 4BD2 71C1 39B8 6C53} \\
- & \texttt{3E46 1E95 3E27 D431 1E58}
+ & \texttt{3E46 1E95 3E27 D431 1E58}
\end{tabular}
}
\end{center}
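Review bot: `\texttt{https://chris-lamb.co.uk}` on L572 should be `\url{https://chris-lamb.co.uk}`, as the file already does on L479, so hyperref makes it a link and it can break across lines. The closing frame beginning on L504 lost its `\frametitle` with the removed "Join the team!" lines and now has no heading; a one-line `\frametitle{Thanks!}` or `\frametitle{Questions?}` would mark it as the final slide. The L580/L581 change is whitespace only, and the frame's `\end{frame}` lies beyond the end of this hunk.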