[reproducible-website] 01/01: more formatting

Holger Levsen holger at layer-acht.org
Thu Mar 9 13:24:54 UTC 2017 

This is an automated email from the git hooks/post-receive script.

holger pushed a commit to branch master
in repository reproducible-website.

commit 00fe92f1930aa2eb755ffc87c7ccf968446afe94
Author: Holger Levsen <holger at layer-acht.org>
Date:   Thu Mar 9 14:24:50 2017 +0100

    more formatting
    
    Signed-off-by: Holger Levsen <holger at layer-acht.org>
---
 _events/berlin2016/RPM.md              | 32 ++++++++++++----------------
 _events/berlin2016/agenda.md           |  4 ++--
 _events/berlin2016/embedded.md         | 39 ++++++++++++----------------------
 _events/berlin2016/userverification.md |  2 +-
 4 files changed, 29 insertions(+), 48 deletions(-)

diff --git a/_events/berlin2016/RPM.md b/_events/berlin2016/RPM.md
index 77a42cd..505530f 100644
--- a/_events/berlin2016/RPM.md
+++ b/_events/berlin2016/RPM.md
@@ -6,22 +6,16 @@ order: 80
 permalink: /events/berlin2016/RPM/
 ---
 
-brainstorming notes:
-    
-Open build service ( http://openbuildservice.org/ ) that runs various configuration for RPM. Vary environment / ... easy.
-Build service sign the binaries that get published to the mirror infrastructure
-~
-Discussion point: signatures, you can copy signatures to on the newly built package to obtain the same package.
-~
-OpenSUSE might still have MD5 in some places, Fedora has switched to SHA-256.
-~
-for fedora "Mock" creates the environment and chroot, install build dependencies and build. So build is failing when missing depenency.
-(END)
-Needs to set SOURCE_DATE_EPOCH? Timestamp will be different, but timestamp is in the spec file? A end-user might want to download a source package from anywhere.
-
-Problems in RPM?
-  - What is the base level of info to have a reproducible build? Is RPM sufficient?
-
+### brainstorming notes:
+- Open build service ( http://openbuildservice.org/ ) that runs various configuration for RPM. Vary environment / ... easy.
+- Build service sign the binaries that get published to the mirror infrastructure
+- Discussion point: signatures, you can copy signatures to on the newly built package to obtain the same package.
+- OpenSUSE might still have MD5 in some places, Fedora has switched to SHA-256.
+- for fedora "Mock" creates the environment and chroot, install build dependencies and build. So build is failing when missing depenency.
+- Needs to set SOURCE_DATE_EPOCH? Timestamp will be different, but timestamp is in the spec file? A end-user might want to download a source package from anywhere.
+
+### Problems in RPM?
+* What is the base level of info to have a reproducible build? Is RPM sufficient?
 * srpm does not specify the actual dependencies that will be used to build (gcc x.y.z). Maybe need a build-info file.
 * not custom field in rpm metadata? No, cannot add arbitrary build metadata to RPM
   Can the metadata extended? Potentially
@@ -59,7 +53,7 @@ Problems in RPM?
   Capture uname is easy but capturing mock or similar fake environment builder.
   take idea from the debian build infos files.
 
-Report:
-  What info on build info file to be reproducible and what kind of tool to make it easy.
+### Report:
+* What info on build info file to be reproducible and what kind of tool to make it easy.
+
 
--
diff --git a/_events/berlin2016/agenda.md b/_events/berlin2016/agenda.md
index 6dd3131..dc3ff60 100644
--- a/_events/berlin2016/agenda.md
+++ b/_events/berlin2016/agenda.md
@@ -31,9 +31,9 @@ Day 1
 *    14.30 Working Sessions I
      -   **[diffoscope]({{ "/events/berlin2016/diffoscope/" | prepend: site.baseurl }})**
      -   **[reprotest]({{ "/events/berlin2016/reprotest/" | prepend: site.baseurl }})**
-     -   **[Documentation]({{ "/events/berlin2016/documentation/" | prepend: site.baseurl }})**
+     -   **[Documentation I]({{ "/events/berlin2016/documentation/" | prepend: site.baseurl }})**
      -   **[User verification]({{ "/events/berlin2016/userverification/" | prepend: site.baseurl }})**
-     -   **[Embedded]({{ "/events/berlin2016/embedded/" | prepend: site.baseurl }})**
+     -   **[Embedded / Coreboot]({{ "/events/berlin2016/embedded/" | prepend: site.baseurl }})**
      -   **[RPM]({{ "/events/berlin2016/RPM/" | prepend: site.baseurl }})**
 
 *    16.00 Closing Session
diff --git a/_events/berlin2016/embedded.md b/_events/berlin2016/embedded.md
index 02beb34..0c46aa8 100644
--- a/_events/berlin2016/embedded.md
+++ b/_events/berlin2016/embedded.md
@@ -1,35 +1,22 @@
 ---
 layout: event_detail
-title: embedded
+title: Embedded / Coreboot
 event: berlin2016
 order: 70
 permalink: /events/berlin2016/embedded/
 ---
 
-Coreboot/ Embedded session
 
-Coreboot cannot (currently) ship binaries.
+- Coreboot cannot (currently) ship binaries.
+- SquashFS needs work.
+- Proprietary Firmware is involved.  So we cannot ship binaries.
+- Cannot read a binary once it is burned in. Or if I can, how can I enssure that what I "read" is really what is installed?
+- We want to have assurance of trust.
+- Checking that the firmware in flash, is what I wrote into flash?
+- If I buy from a vendor how do I know the vendor hasn't put "bad" firmware in it?
+- Can we trust the storage?
+- I can check the integrity of a hard disk by mounting it read-only on a trusted machine.  But how can I check a flash EEprom on a trusted machine?
+- Currently coreboot does not publish any hashes.  Should they publish hashes for standard configurations?
+- We should encourage third party vendors to publish hashes of firmware shipped with hardware.
+- Coreboot should be encouraged to publish hashes for a select number of standard configurations/boards.
 
-SquashFS needs work.
-
-Proprietary Firmware is involved.  So we cannot ship binaries.
-
-Cannot read a binary once it is burned in. Or if I can, how can I enssure that what I "read" is really what is installed?
-
-We want to have assurance of trust.
-
-Checking that the firmware in flash, is what I wrote into flash?
-
-If I buy from a vendor how do I know the vendor hasn't put "bad" firmware in it?
-
-Can we trust the storage?
-
-I can check the integrity of a hard disk by mounting it read-only on a trusted machine.  But how can I check a flash EEprom on a trusted machine?
-
-Currently coreboot does not publish any hashes.  Should they publish hashes for standard configurations?
-
-We should encourage third party vendors to publish hashes of firmware shipped with hardware.
-
-Coreboot should be encouraged to publish hashes for a select number of standard configurations/boards.
-
--
diff --git a/_events/berlin2016/userverification.md b/_events/berlin2016/userverification.md
index 63e8ba5..d345de8 100644
--- a/_events/berlin2016/userverification.md
+++ b/_events/berlin2016/userverification.md
@@ -61,4 +61,4 @@ raw post-it content
 - using reproducibility to audit toolchain (easily)
 - reporting non-reproducibility
 - cross-platform build sepcs
--
+

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/reproducible-website.git

More information about the Reproducible-commits mailing list