[presentations] 01/01: wip
Holger Levsen
holger at layer-acht.org
Fri Jan 27 09:01:15 UTC 2017
This is an automated email from the git hooks/post-receive script.
holger pushed a commit to branch master
in repository presentations.
commit 78c8b71c9452dd96c2c3492e4bb98672aec2250e
Author: Holger Levsen <holger at layer-acht.org>
Date: Fri Jan 27 10:00:29 2017 +0100
wip
---
2017-01-27-devconf.cz/2017-01-27-devconf.cz.tex | 74 ++++++++++++++++-----
2017-01-27-devconf.cz/TODO | 49 +++++++-------
.../images/stats_bugs_sin_ftbfs_state.png | Bin 27940 -> 28257 bytes
.../images/stats_pkg_state_testing.png | Bin 30176 -> 32427 bytes
.../images/stats_pkg_state_unstable.png | Bin 31976 -> 33669 bytes
5 files changed, 79 insertions(+), 44 deletions(-)
diff --git a/2017-01-27-devconf.cz/2017-01-27-devconf.cz.tex b/2017-01-27-devconf.cz/2017-01-27-devconf.cz.tex
index 29c8001..f0a704b 100644
--- a/2017-01-27-devconf.cz/2017-01-27-devconf.cz.tex
+++ b/2017-01-27-devconf.cz/2017-01-27-devconf.cz.tex
@@ -137,6 +137,7 @@ from a given source}
\begin{itemize}
\item since April 2015 funded by the Linux Foundation
\end{itemize}
+ \item<2> the Debian branding on these slides is obviously my fault…
\end{itemize}
\end{frame}
@@ -279,8 +280,19 @@ from a given source}
\section{Motivation}
+\begin{frame}[fragile]
+ \frametitle{The problem: we need to believe}
+ \begin{itemize}
+ \item Free Software is great: one can study, modify, share and use it!
+ \item<2-3> We study, modify and share sources.
+ \item<2-3> We use binaries.
+ \item<3> We need to believe our binaries come from the sources they are said
+ to made from.
+ \end{itemize}
+\end{frame}
+
\begin{frame}
- \frametitle{The problem}
+ \frametitle{The problem in greater detail}
\begin{center}
\includegraphics[width=0.7\textwidth]{images/31c3.png}
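Review bot: The last bullet of the new frame reads `they are said to made from`, which is missing a verb; `\item<3> We need to believe our binaries come from the sources they are said to be made from.` (or `to have been built from`). The `[fragile]` option on the new frame is only needed for verbatim content, which this frame does not contain, so it could be dropped to match the neighbouring frames. The second frame in this hunk continues past the hunk.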
@@ -293,11 +305,14 @@ from a given source}
\frametitle{A few examples from that 31c3 talk}
\begin{itemize}
\item CVE-2002-0083: remote root exploit in \texttt{sshd}, a single bit difference in the binary
- \item<2-5> 31c3 talk had a live demo with a kernel module modifying source code in memory only
- \item<3-5> How can you be sure what's running on your machine or on a build
- daemon network connected to the net? Do you ever leave your computers physically alone?
- \item<4-5> Huge financial incentives to crack developer machines or a project's
- build infrastructure…
+ \item<2-6> 31c3 talk had a live demo with a kernel module modifying source code in memory only
+ \item<3-6> How can you be sure what's running on your machine or on a build
+ daemon network connected to the net? Do you ever leave your computers
+ physically alone?
+ \item<4-6> How much do you pay your admins? Enough to withstand a multi million
+ dollar attack?
+ \item<6> Legal challanges. Could you be forced to backdoor (some of) your
+ software (for some customers)?
\end{itemize}
\end{frame}
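Review bot: `Legal challanges` in the last new bullet is misspelled; `\item<6> Legal challenges. Could you be forced to backdoor (some of) your software (for some customers)?`. The overlay specifications also leave step 5 without anything new: the bullets appear on `<2-6>`, `<3-6>`, `<4-6>` and then `<6>`, so slide 5 repeats slide 4 unchanged — the last item was presumably meant as `<5-6>`, or the ranges were meant to end at 5; worth confirming against the intended reveal order.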
@@ -320,9 +335,8 @@ from a given source}
\begin{center}
\Large{
- Promise that anyone can always generate
- identical binary packages
- from a given source}
+ Promise that anyone can always and indipendently generate
+ identical binary packages from a given source}
\end{center}
\end{frame}
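Review bot: `indipendently` in the rewritten promise is misspelled; `Promise that anyone can always and independently generate`. Since this sentence is presented as the project's definition, its wording should match the published one exactly, which I cannot check from the diff. The context line `\Large{` also treats a font-size switch as a command taking an argument; `{\Large ...}` is the conventional form, although the output is the same here because `\end{center}` closes the scope.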
@@ -344,7 +358,10 @@ from a given source}
\begin{itemize}
\item Build a package 5 times, get 5 .debs with different checksums
\item Build a package 5 times, get 5 .debs with the same checksum\\
- \only<2>{Yes, it's really this simple.}
+ \item<2-4>{Yes, it's really this simple.}
+ \item<3-4>{And works the same with RPMs.}
+ \item<4>{Signed RPMs are a bit more complicated but the principle stays the
+same.}
\end{itemize}
% show this once running in plain sid,
% and then in sid with our modified toolchain.
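Review bot: The context item directly above the new `\item<2-4>` still ends in `\\`, a leftover from when the `\only<2>{...}` text continued that item; now that the text is its own item, the trailing `\\` produces an empty line inside the list and should be removed. The braces in `\item<2-4>{Yes, it's really this simple.}` are likewise carried over from `\only` and are not needed; `\item<2-4> Yes, it's really this simple.` and the same for the two items below it.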
@@ -376,8 +393,8 @@ from a given source}
\frametitle{More benefits than "just" security…}
\begin{itemize}
\item smaller deltas, thus faster updates possible
- \item in Debian: lots of QA benefits
- \item Google does reproducible builds, to save money
+ \item lots of QA benefits
+ \item Google does reproducible builds, to save time and money
\item …
\end{itemize}
\end{frame}
@@ -449,6 +466,16 @@ from a given source}
}
+
+\begin{frame}
+ \frametitle{two more tools}
+
+ \begin{itemize}
+ \item \texttt{strip-nondeterminism}
+ \item<2> \texttt{reprotest}
+ \end{itemize}
+\end{frame}
+
\placelogotrue
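Review bot: The new frame's title `two more tools` is lower-case while every other `\frametitle` in this diff starts with a capital letter (`The problem in greater detail`, `Sending progress upstream`); `\frametitle{Two more tools}`. The blank line after `\frametitle` is harmless inside a frame but is not used in the other frames either.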
@@ -460,10 +487,10 @@ from a given source}
\texttt{experimental}
\item Also testing: coreboot, OpenWrt, LEDE, NetBSD, FreeBSD,
Arch Linux, Fedora and soon F-Droid too
- \item 8-12 \texttt{amd64} nodes, 150 cores and soon 500 GB RAM - thanks to
+ \item 12 \texttt{amd64} nodes, 150 cores and soon 500 GB RAM - thanks to
Profitbricks.com!
- \item 22 \texttt{armhf} nodes, 98 cores and 53 GB RAM
- \item 329 jenkins jobs running on jenkins.debian.net
+ \item 44 \texttt{armhf} nodes, 98 cores and 53 GB RAM
+ \item 486 jenkins jobs running on jenkins.debian.net
\item 43 scripts in Python and Bash, 283 lines of code in average
\item 37 contributors for \texttt{jenkins.debian.net.git}
\end{itemize}
@@ -556,7 +583,7 @@ hour, minute & \multicolumn{2}{l}{hour is usually the same… usually, the minut
\item \texttt{https://reproducible-builds.org/specs/}
\item many upstreams support it already
\item has been adopted by other distributions
- (OpenWrt, LEDE, NetBSD, FreeBSD, Arch Linux, coreboot, Guix, …) and many many
+ (SuSE, OpenWrt, LEDE, NetBSD, FreeBSD, Arch Linux, coreboot, Guix, …) and many many
upstreams (GCC, dpkg, rpm, mkisofs, ghostscript, libxslt, sphinx,
texlive-bin, …)
\end{itemize}
@@ -611,6 +638,17 @@ hour, minute & \multicolumn{2}{l}{hour is usually the same… usually, the minut
\end{frame}
\begin{frame}
+ \frametitle{Sending progress upstream}
+ \begin{itemize}
+ \item So we filed a lot of bugs… with patches…!
+ \item … but only in Debian and we rely on Debian maintainers sending them
+ upstream.
+ \item<2> Bernard Wiedemann (from OpenSUSE) thought that wasn't good enough
+ and created \texttt{https://github.com/orgs/distropatches}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
\frametitle{Details on tests.reproducible-builds.org}
\begin{itemize}
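Review bot: The new `Sending progress upstream` frame names `Bernard Wiedemann`, while the TODO file in this same commit writes `bernhard` and the IRC nick quoted there is `bmwiedemann`; the spelling on the slide should be checked against the person's actual name before it is presented. `OpenSUSE` here is also written `SuSE` in the earlier hunk (`(SuSE, OpenWrt, …)`), so one spelling of the project name should be used throughout. The URL is set with `\texttt`, consistent with the existing `\texttt{https://reproducible-builds.org/specs/}` item, but `\url{}` would make both clickable and line-breakable if the preamble loads hyperref or url — the preamble is not visible here. The frame that begins on the last lines of this hunk continues past it.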
@@ -831,9 +869,9 @@ where}\only<2>{gamblingmachines}!)
\item How to get started?
\begin{itemize}
\item Build something twice, run diffoscope on the results.
- \item Talk to Dennis or h01ger here or talk to us on IRC or via mail.
- \item RTFM, there is lots of documentation
\item Experiment - learning by doing
+ \item RTFM, there is lots of documentation
+ \item Talk to Dennis or h01ger here or talk to us on IRC or via mail.
\end{itemize}
\end{itemize}
\end{frame}
diff --git a/2017-01-27-devconf.cz/TODO b/2017-01-27-devconf.cz/TODO
index e2ec33b..6ca375e 100644
--- a/2017-01-27-devconf.cz/TODO
+++ b/2017-01-27-devconf.cz/TODO
@@ -1,26 +1,35 @@
+meta:
+ thank people for their work, diffoscope, disorderfs, armhf, mattia, val, … - mention peoples names and thank them. there's time now.
+
explain problem and solution better
+ include our new definition
also mention qa side effecs
+replace j.d.n contributors with all involved projects?
-meta: thank people for their work, diffoscope, disorderfs, armhf, mattia, val, … - mention peoples names and thank them.
-
+update skipping some
+update debian numbers
+update debian team
+update variation slide!
gsoc + outreachy
-
-
-check dennis bio slide
- gpg fingerprint?
have debian+fedora logo together on more slides
-
-
add back slide about reproducible builds in the commercial world
explain .buildinfo in debian in more detail
-
upstreaming patches project by bernhard
+
+fsf priority project
+john gilmore 1992 cygnus
+
+ars technica
+ debian is really stupid allowing developer build binaries to be uploaded from every developer
+ just because its useful to bootstrap new archs, which something like 3 people do
+ but the build network of fedora/redhat doesnt make things magically safe nor secure, OTOH its a ideal attack target… how much do you pay your admins? etc ;-)
+
+
+first fedora, then a suse slide:
mention suse in general
- patched rpm: https://build.opensuse.org/package/show/home:bmwiedemann:reproducible/rpm?expand=0
- < bmwiedemann> the new rpm-4.13 even has an option to override hostname via rpmmacros
< bmwiedemann> kvm -rtc base=2018-02-03 - for having test systems in the future
< bmwiedemann> stats so far: build-succeeded: 3172
< bmwiedemann> build-compare-failed: 1001
@@ -28,25 +37,13 @@ mention suse in general
< bmwiedemann> bit-by-bit-identical: 2117
< bmwiedemann> not-bit-by-bit-identical: 1055
-
diffoscope in fedora is 69
patched rpm from bernhard
+ patched rpm: https://build.opensuse.org/package/show/home:bmwiedemann:reproducible/rpm?expand=0
+ < bmwiedemann> the new rpm-4.13 even has an option to override hostname via rpmmacros
mock, koji and .buildinfo files
-dnf and yum might create different environment
-
-update skipping some
-update debian graphs
-update debian team
-update variation slide!
+dnf and yum might create different environments
-fsf priority project
-
-ars technica
- debian is really stupid allowing developer build binaries to be uploaded from every developer
- just because its useful to bootstrap new archs, which something like 3 people do
- but the build network of fedora/redhat doesnt make things magically safe nor secure, OTOH its a ideal attack target… how much do you pay your admins? etc ;-)
build path proposal
-john gilmore 1992 cygnus
-
mention logo
diff --git a/2017-01-27-devconf.cz/images/stats_bugs_sin_ftbfs_state.png b/2017-01-27-devconf.cz/images/stats_bugs_sin_ftbfs_state.png
index 995899b..917903b 100644
Binary files a/2017-01-27-devconf.cz/images/stats_bugs_sin_ftbfs_state.png and b/2017-01-27-devconf.cz/images/stats_bugs_sin_ftbfs_state.png differ
diff --git a/2017-01-27-devconf.cz/images/stats_pkg_state_testing.png b/2017-01-27-devconf.cz/images/stats_pkg_state_testing.png
index 964396e..865b46a 100644
Binary files a/2017-01-27-devconf.cz/images/stats_pkg_state_testing.png and b/2017-01-27-devconf.cz/images/stats_pkg_state_testing.png differ
diff --git a/2017-01-27-devconf.cz/images/stats_pkg_state_unstable.png b/2017-01-27-devconf.cz/images/stats_pkg_state_unstable.png
index b9c4f5d..9b0e33b 100644
Binary files a/2017-01-27-devconf.cz/images/stats_pkg_state_unstable.png and b/2017-01-27-devconf.cz/images/stats_pkg_state_unstable.png differ
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/presentations.git