[reproducible-website] 01/01: more formatting
Holger Levsen
holger at layer-acht.org
Thu Mar 9 13:24:54 UTC 2017
This is an automated email from the git hooks/post-receive script.
holger pushed a commit to branch master
in repository reproducible-website.
commit 00fe92f1930aa2eb755ffc87c7ccf968446afe94
Author: Holger Levsen <holger at layer-acht.org>
Date: Thu Mar 9 14:24:50 2017 +0100
more formatting
Signed-off-by: Holger Levsen <holger at layer-acht.org>
---
_events/berlin2016/RPM.md | 32 ++++++++++++----------------
_events/berlin2016/agenda.md | 4 ++--
_events/berlin2016/embedded.md | 39 ++++++++++++----------------------
_events/berlin2016/userverification.md | 2 +-
4 files changed, 29 insertions(+), 48 deletions(-)
diff --git a/_events/berlin2016/RPM.md b/_events/berlin2016/RPM.md
index 77a42cd..505530f 100644
--- a/_events/berlin2016/RPM.md
+++ b/_events/berlin2016/RPM.md
@@ -6,22 +6,16 @@ order: 80
permalink: /events/berlin2016/RPM/
---
-brainstorming notes:
-
-Open build service ( http://openbuildservice.org/ ) that runs various configuration for RPM. Vary environment / ... easy.
-Build service sign the binaries that get published to the mirror infrastructure
-~
-Discussion point: signatures, you can copy signatures to on the newly built package to obtain the same package.
-~
-OpenSUSE might still have MD5 in some places, Fedora has switched to SHA-256.
-~
-for fedora "Mock" creates the environment and chroot, install build dependencies and build. So build is failing when missing depenency.
-(END)
-Needs to set SOURCE_DATE_EPOCH? Timestamp will be different, but timestamp is in the spec file? A end-user might want to download a source package from anywhere.
-
-Problems in RPM?
- - What is the base level of info to have a reproducible build? Is RPM sufficient?
-
+### brainstorming notes:
+- Open build service ( http://openbuildservice.org/ ) that runs various configuration for RPM. Vary environment / ... easy.
+- Build service sign the binaries that get published to the mirror infrastructure
+- Discussion point: signatures, you can copy signatures to on the newly built package to obtain the same package.
+- OpenSUSE might still have MD5 in some places, Fedora has switched to SHA-256.
+- for fedora "Mock" creates the environment and chroot, install build dependencies and build. So build is failing when missing depenency.
+- Needs to set SOURCE_DATE_EPOCH? Timestamp will be different, but timestamp is in the spec file? A end-user might want to download a source package from anywhere.
+
+### Problems in RPM?
+* What is the base level of info to have a reproducible build? Is RPM sufficient?
* srpm does not specify the actual dependencies that will be used to build (gcc x.y.z). Maybe need a build-info file.
* not custom field in rpm metadata? No, cannot add arbitrary build metadata to RPM
Can the metadata extended? Potentially
@@ -59,7 +53,7 @@ Problems in RPM?
Capture uname is easy but capturing mock or similar fake environment builder.
take idea from the debian build infos files.
-Report:
- What info on build info file to be reproducible and what kind of tool to make it easy.
+### Report:
+* What info on build info file to be reproducible and what kind of tool to make it easy.
+
--
diff --git a/_events/berlin2016/agenda.md b/_events/berlin2016/agenda.md
index 6dd3131..dc3ff60 100644
--- a/_events/berlin2016/agenda.md
+++ b/_events/berlin2016/agenda.md
@@ -31,9 +31,9 @@ Day 1
* 14.30 Working Sessions I
- **[diffoscope]({{ "/events/berlin2016/diffoscope/" | prepend: site.baseurl }})**
- **[reprotest]({{ "/events/berlin2016/reprotest/" | prepend: site.baseurl }})**
- - **[Documentation]({{ "/events/berlin2016/documentation/" | prepend: site.baseurl }})**
+ - **[Documentation I]({{ "/events/berlin2016/documentation/" | prepend: site.baseurl }})**
- **[User verification]({{ "/events/berlin2016/userverification/" | prepend: site.baseurl }})**
- - **[Embedded]({{ "/events/berlin2016/embedded/" | prepend: site.baseurl }})**
+ - **[Embedded / Coreboot]({{ "/events/berlin2016/embedded/" | prepend: site.baseurl }})**
- **[RPM]({{ "/events/berlin2016/RPM/" | prepend: site.baseurl }})**
* 16.00 Closing Session
diff --git a/_events/berlin2016/embedded.md b/_events/berlin2016/embedded.md
index 02beb34..0c46aa8 100644
--- a/_events/berlin2016/embedded.md
+++ b/_events/berlin2016/embedded.md
@@ -1,35 +1,22 @@
---
layout: event_detail
-title: embedded
+title: Embedded / Coreboot
event: berlin2016
order: 70
permalink: /events/berlin2016/embedded/
---
-Coreboot/ Embedded session
-Coreboot cannot (currently) ship binaries.
+- Coreboot cannot (currently) ship binaries.
+- SquashFS needs work.
+- Proprietary Firmware is involved. So we cannot ship binaries.
+- Cannot read a binary once it is burned in. Or if I can, how can I enssure that what I "read" is really what is installed?
+- We want to have assurance of trust.
+- Checking that the firmware in flash, is what I wrote into flash?
+- If I buy from a vendor how do I know the vendor hasn't put "bad" firmware in it?
+- Can we trust the storage?
+- I can check the integrity of a hard disk by mounting it read-only on a trusted machine. But how can I check a flash EEprom on a trusted machine?
+- Currently coreboot does not publish any hashes. Should they publish hashes for standard configurations?
+- We should encourage third party vendors to publish hashes of firmware shipped with hardware.
+- Coreboot should be encouraged to publish hashes for a select number of standard configurations/boards.
-SquashFS needs work.
-
-Proprietary Firmware is involved. So we cannot ship binaries.
-
-Cannot read a binary once it is burned in. Or if I can, how can I enssure that what I "read" is really what is installed?
-
-We want to have assurance of trust.
-
-Checking that the firmware in flash, is what I wrote into flash?
-
-If I buy from a vendor how do I know the vendor hasn't put "bad" firmware in it?
-
-Can we trust the storage?
-
-I can check the integrity of a hard disk by mounting it read-only on a trusted machine. But how can I check a flash EEprom on a trusted machine?
-
-Currently coreboot does not publish any hashes. Should they publish hashes for standard configurations?
-
-We should encourage third party vendors to publish hashes of firmware shipped with hardware.
-
-Coreboot should be encouraged to publish hashes for a select number of standard configurations/boards.
-
--
diff --git a/_events/berlin2016/userverification.md b/_events/berlin2016/userverification.md
index 63e8ba5..d345de8 100644
--- a/_events/berlin2016/userverification.md
+++ b/_events/berlin2016/userverification.md
@@ -61,4 +61,4 @@ raw post-it content
- using reproducibility to audit toolchain (easily)
- reporting non-reproducibility
- cross-platform build sepcs
--
+
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/reproducible-website.git
More information about the Reproducible-commits
mailing list