[reproducible-website] 01/01: reorder and a bit of reformatting

Holger Levsen holger at layer-acht.org
Thu Mar 9 12:32:38 UTC 2017


This is an automated email from the git hooks/post-receive script.

holger pushed a commit to branch master
in repository reproducible-website.

commit d3729d5248cdc1aeac7e68118ad1ed64b29fa18d
Author: Holger Levsen <holger at layer-acht.org>
Date:   Thu Mar 9 13:32:33 2017 +0100

    reorder and a bit of reformatting
    
    Signed-off-by: Holger Levsen <holger at layer-acht.org>
---
 _events/berlin2016/userverification.md | 51 ++++++++++++++++++----------------
 1 file changed, 27 insertions(+), 24 deletions(-)

diff --git a/_events/berlin2016/userverification.md b/_events/berlin2016/userverification.md
index 14cb40f..63e8ba5 100644
--- a/_events/berlin2016/userverification.md
+++ b/_events/berlin2016/userverification.md
@@ -1,6 +1,6 @@
 ---
 layout: event_detail
-title: userverification
+title: User verification
 event: berlin2016
 order: 60
 permalink: /events/berlin2016/userverification/
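Review bot: the new front-matter title "User verification" no longer matches the page's own heading a few lines down, "user-facing reproduciblity interactions", which also misspells "reproducibility"; since this commit is billed as reformatting, either align the two wordings or at least fix the heading's spelling in the same pass so the rendered page and its navigation title agree.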
@@ -9,34 +9,12 @@ permalink: /events/berlin2016/userverification/
 user-facing reproduciblity interactions
 =======================================
 
-raw post-it content
--------------------
-
-- distributing build responsibility
-- reproducibility as barrier to installation
-- trusted pool of builders (what trust model?)
-- define necessary inputs for builds (visible to user's pkg manager)
-- identifiable builders
-- policy grant e.g. k-of-n in agreement
-  - fall back to build from source (?)
-- treat dissenters same as compromised keys or VCEs
-- how to determine agreement in build reports
-- workflow for failure modes
-- something ismilar to apt list-bugs
-- no UI (except for errors)
-- treat non-reproducibility as lack-of-signature
-- how do you find this info
-- "system health" (crossed out: "security number") score for operating system as a whole
-- random sampling rebuild (e.g. guix challeng)
-- using reproducibility to audit toolchain (easily)
-- reporting non-reproducibility
-- cross-platform build sepcs
 
 
 review
 ------
 
-(A couple of the above, expanded with a little more context)
+(A couple of the raw post-it notes reproduced below, expanded with a little more context)
 
 - it's important that we incentivise repro-attempt builds *actually* being done by multiple different parties
 - we may want to use a check at package installation time for reproducibility status to encourage package creators to be reproducible!
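Review bot: deleting the "raw post-it content" block here leaves three consecutive blank lines between the "user-facing reproduciblity interactions" heading and the "review" heading (the two retained context blanks plus the one already preceding "review"); trim them to one. Also, the first retained bullet spells "incentivise" while the summary further down uses "incentivize"; pick one spelling for the page.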
@@ -54,8 +32,33 @@ short summary
 -------------
 
 Reproducible builds are becoming available -- now it's time to answer questions about how we want regular users (not just developers and advanced system administrators) to experience the benefits.
+
 Changing package managers so that they will *ONLY* install builds which are reproducibile seems like one likely avenue (both to improve end-user security, and to incentivize distro packages to demand reproducibility before releasing).
+
 We believe it is necessary to *SHOW* the full records of *multiple builds* to the end-user's package manager, so that the package manager can locally confirm that the builds were reproducible -- there is no improvement if we simply trust a single signature from an upstream *claiming* a package is reproducible: we want to see *multiple signitures* of independent parties who performed their own builds.
+
 Future work is necessary to describe how we identify different builders, how we share their logs, and how we should determine which build records are appropriate to compare.
 
+raw post-it content
+-------------------
+
+- distributing build responsibility
+- reproducibility as barrier to installation
+- trusted pool of builders (what trust model?)
+- define necessary inputs for builds (visible to user's pkg manager)
+- identifiable builders
+- policy grant e.g. k-of-n in agreement
+  - fall back to build from source (?)
+- treat dissenters same as compromised keys or VCEs
+- how to determine agreement in build reports
+- workflow for failure modes
+- something ismilar to apt list-bugs
+- no UI (except for errors)
+- treat non-reproducibility as lack-of-signature
+- how do you find this info
+- "system health" (crossed out: "security number") score for operating system as a whole
+- random sampling rebuild (e.g. guix challeng)
+- using reproducibility to audit toolchain (easily)
+- reporting non-reproducibility
+- cross-platform build sepcs
 -
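Review bot: the post-it list is moved verbatim, so the typos "ismilar", "challeng" and "sepcs" survive the relocation, and the summary paragraphs split up in the same hunk still read "reproducibile" and "signitures"; a reformatting commit is the natural place to fix these rather than leaving them for a follow-up. The lone "-" on the final context line at the end of the file also reads like a leftover bullet and could be dropped, or turned into the first item if the list was meant to continue.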

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/reproducible-website.git



More information about the Reproducible-commits mailing list