[presentations] 01/01: Add talk for SeaGL 2016: Introduction to Reproducible Builds.
Vagrant Cascadian
vagrant at moszumanska.debian.org
Sat Nov 12 15:40:24 UTC 2016
This is an automated email from the git hooks/post-receive script.
vagrant pushed a commit to branch master
in repository presentations.
commit f48d19a821cfd16bc12364a3a54667ca0ce3d092
Author: Vagrant Cascadian <vagrant at debian.org>
Date: Sat Nov 12 07:39:25 2016 -0800
Add talk for SeaGL 2016: Introduction to Reproducible Builds.
---
.../Introduction-to-Reproducible-Builds.org | 243 +++++++++++++++++++++
.../README.txt | 19 ++
2 files changed, 262 insertions(+)
diff --git a/2016-11-12-SeaGL-Introduction-to-Reproducible-Builds/Introduction-to-Reproducible-Builds.org b/2016-11-12-SeaGL-Introduction-to-Reproducible-Builds/Introduction-to-Reproducible-Builds.org
new file mode 100644
index 0000000..9f308b3
--- /dev/null
+++ b/2016-11-12-SeaGL-Introduction-to-Reproducible-Builds/Introduction-to-Reproducible-Builds.org
@@ -0,0 +1,243 @@
+#+TITLE: Introduction to Reproducible Builds
+#+AUTHOR: Vagrant Cascadian
+#+EMAIL: vagrant at debian.org
+#+DATE: SeaGL 2016-11-12
+#+LANGUAGE: en
+#+OPTIONS: H:1 num:t toc:nil \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t
+#+OPTIONS: TeX:t LaTeX:t skip:nil d:nil todo:t pri:nil tags:not-in-toc
+#+OPTIONS: ^:nil
+#+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js
+#+EXPORT_SELECT_TAGS: export
+#+EXPORT_EXCLUDE_TAGS: noexport
+#+startup: beamer
+#+LaTeX_CLASS: beamer
+#+LaTeX_CLASS_OPTIONS: [bigger]
+#+latex_header: \mode<beamer>{\usetheme{Madrid}}
+
+#+BEGIN_comment
+The Reproducible Builds project aims to bring us closer to a world
+where binary software can be independently verified as the result of
+building the provided source code, as a matter of best practices.
+
+Without being able to verify that the software actually used is the
+produced from the source code, this leaves open the possibility of
+unintentional or even malicious security vulnerabilities.
+
+The focus will be on common examples of reproducibility issues,
+tools to troubleshoot reproducibility issues, and most importantly,
+ways to fix these issues.
+
+https://reproducible-builds.org/
+#+END_comment
+
+* Goals
+
+ The Reproducible Builds project aims to bring us closer to a world
+ where binary software can be independently verified as the result of
+ building the provided source code.
+
+* Source Code
+
+ - Source code is readable and writeable by trained +monkeys+ humans
+ - Computers run binary code
+ - How do you know the binary code the computer is running was
+ produced from the source code?
+
+* Scientific Methods
+
+ Reproducibility is the ability of an entire experiment or study to
+ be duplicated, either by the same researcher or by someone else
+ working *independently*.
+
+ https://en.wikipedia.org/wiki/Reproducibility
+
+* Ooooh, Math(s)!
+
+ #+BEGIN_SRC shell
+ $ python -c 'x=1 ; y=1 ; print(x+y)'
+ 2
+ #+END_SRC
+
+ #+BEGIN_SRC shell
+ $ python -c 'x=1 ; y=1 ; print(x+y)' | md5sum
+ 26ab0db90d72e28ad0ba1e22ee510510 -
+ #+END_SRC
+
+ #+BEGIN_SRC shell
+ $ echo 2 | md5sum
+ 26ab0db90d72e28ad0ba1e22ee510510 -
+ #+END_SRC
+
+* But software building is more like...
+
+ x=1
+
+ y=1
+
+ z=toolchain (compiler, liker, libraries, etc.)
+
+ r=other stuff (time of build, running OS, username building
+ software, etc.)
+
+ x + y + z + r = ?
+
+* History in Debian
+
+ - Mentioned on lists as early as 2007
+ - Didn't gain traction until more recently
+ - Automated rebuilding of Debian's 25,000+ source packages began in
+ late 2014
+ - Currently rebuilding roughly 1,800 packages a day on each of
+ amd64, i386 and armhf
+
+* A plague of unreproducibility
+
+ Recent status with magic numbers:
+ - About 4,800 (19%) of software in Debian unstable
+ - About 1,600 (7%) of software in Debian testing
+ - Debian unstable has more things varied between builds
+ - Patches in Debian toolchains and packages, but patches are
+ swimming upstream
+
+* Reproducibility matters
+
+ What kind of security implications are we facing?
+
+ - *CVE-2002-0083*: Remote root exploit in OpenSSH,
+ caused by an off-by-one error
+
+ - 2015: *XcodeGhost*: malware variant of Apple's SDK Infected over
+ 4,000 apps in Apple's App store
+
+* Common problems
+
+ - timestamps
+ - timezone
+ - file sort order
+ - locales
+
+* timestamps
+
+ - Embedded timestamps:
+
+ U-Boot SPL 2016.01+dfsg1-3 (*Feb 21 2016 - 21:39:10*)
+
+* timestamps: Please No
+
+ - There's no timestamps like *NO* timestamps.
+
+* timestamps: SOURCE_DATE_EPOCH
+
+ - If you really must, use the SOURCE_DATE_EPOCH specification, which
+ specifies the timestamp to use in a standardized environment
+ variable.
+
+ https://reproducible-builds.org/specs/source-date-epoch/
+
+* timezone
+
+ - The timezone of the running build can impact output:
+
+ $ LC_ALL=C date --date "@1478647393" --rfc-2822
+ Tue, 08 Nov 2016 15:23:13 *-0800*
+
+ - Set to UTC using TZ environment variable:
+
+ $ TZ=UTC LC_ALL=C date --date "@1478647393" --rfc-2822
+ Tue, 08 Nov 2016 23:23:13 *+0000*
+
+ https://reproducible-builds.org/docs/timezones/
+
+* file sort order
+
+ - Bad Makefile:
+ #+BEGIN_SRC Makefile
+ SRCS = $(wildcard *.c)
+ tool: $(SRCS:.c=.o)
+ $(CC) -o $@ $^
+ #+END_SRC
+
+ - Good Makefile:
+ #+BEGIN_SRC Makefile
+ SRCS = $(sort $(wildcard *.c))
+ tool: $(SRCS:.c=.o)
+ $(CC) -o $@ $^
+ #+END_SRC
+
+ https://reproducible-builds.org/docs/stable-inputs/
+
+* locales
+
+ - Sort order for C, as spoken in UNIX:
+ #+BEGIN_SRC shell
+ $ printf 'a\nB\nb\nA\n' | LC_ALL=C sort
+ A
+ B
+ a
+ b
+ #+END_SRC
+
+ - Sort order for English, as spoken in USA:
+ #+BEGIN_SRC shell
+ $ printf 'a\nB\nb\nA\n' | LC_ALL=en_US.UTF-8 sort
+ a
+ A
+ b
+ B
+ #+END_SRC
+
+ https://reproducible-builds.org/docs/locales/
+
+* Building tools
+
+ - reprotest - source rebuilder
+
+ #+BEGIN_SRC shell
+ reprotest 'debuild -b -uc -us' '../*.deb'
+ #+END_SRC
+
+ - debrepro - simple .deb rebuilder
+
+ #+BEGIN_SRC shell
+ debrepro
+ #+END_SRC
+
+* diffoscope
+
+ diffoscope - an exceptionally clever diff tool
+ https://diffoscope.org
+
+* try.diffoscope.org
+
+ - diff as a service:
+ https://try.diffoscope.org/
+ - trydiffoscope client
+
+* Thanks
+
+ Profitbricks
+
+ Core Infrastructure Initiative
+
+ Lunar
+
+ Holger Levsen
+
+ Chris Lamb
+
+ Reiner Herrmann
+
+ All the other great folks doing reproducible builds work!
+
+* Copyright
+
+ Copyright 2016 Vagrant Cascadian <vagrant at debian.org>
+
+ Copyright of images included in this document are held by their
+ respective owners.
+
+ This work is licensed under the Creative Commons
+ Attribution-ShareAlike 4.0 International License.
+
+ To view a copy of this license, visit
+ https://creativecommons.org/licenses/by-sa/4.0/
diff --git a/2016-11-12-SeaGL-Introduction-to-Reproducible-Builds/README.txt b/2016-11-12-SeaGL-Introduction-to-Reproducible-Builds/README.txt
new file mode 100644
index 0000000..5be660a
--- /dev/null
+++ b/2016-11-12-SeaGL-Introduction-to-Reproducible-Builds/README.txt
@@ -0,0 +1,19 @@
+This talk can generate a PDF presentation using emacs org-mode.
+
+Install:
+
+ apt-get install texlive-latex-extra org-mode
+
+ emacs Introduction-to-Reproducible-Builds.org
+
+To generate a PDF from within emacs:
+
+ ctrl-c ctrl-e l P
+
+or:
+
+ M-x org-beamer-export-to-pdf
+
+(This also generates a .tex file)
+
+To present it, I used firefox's built-in PDF viewer.
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/presentations.git
More information about the Reproducible-commits
mailing list