Re: Please review the draft for August's report

2024-09-04 Thread Holger Levsen
On Wed, Sep 04, 2024 at 11:14:16AM +0100, Chris Lamb wrote:
> > I still need to publish my slides for both my r-b talks at DebConf24
> > and then the 2nd talk needs to be mentioned in the report as well. :)
> Ooh, good idea. I'll hold off on publishing until you can land those.

I've pushed my slides now and added relevant metadata+FIXME to the
August report. I'm sorry this took me so long!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

This is the year of gpg on the desktop! (Gunnar Wolf)


signature.asc
Description: PGP signature


Re: Please review the draft for August's report

2024-09-02 Thread Holger Levsen
Hi Chris,

thank you for writing these great monthly reports!

On Mon, Sep 02, 2024 at 10:49:14AM -0400, Chris Lamb wrote:
> Please review the draft for August's Reproducible Builds report:
>   https://reproducible-builds.org/reports/2024-08/?draft

I still need to publish my slides for both my r-b talks at DebConf24
and then the 2nd talk needs to be mentioned in the report as well. :)

I shall commit those bits tomorrow.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Privacy is a Human Right. (Universal Declaration of Human Rights, article 12.)




Re: (java) Builds not reproducible on armhf

2024-08-25 Thread Holger Levsen
On Mon, Aug 26, 2024 at 06:46:35AM +0200, Mechtilde Stehmann wrote:
> > I'll note that fakeroot was probably broken on armel, armhf since
> > the t64 migration until mid-August.
> > Is fakeroot involved in any way? If so, it might make sense to
> > discard any results from that period.
> Thanks for your explanations.
> Are there plans to run the tests again?

normally that happens automatically, but the armhf builders have been very
sad for at least a week, but rather more like 4 weeks, and mid August is
like a week ago.

https://tests.reproducible-builds.org/debian/index_performance.html shows
zero armhf builds in the last week and 245 per day in the last 4 weeks.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

These heat waves aren’t tragedies, they’re crimes. The fossil fuel industry
knew decades ago that this is what their pollution was causing, so they
spent billions to lie to the public and block climate action.




Re: Reproducible Builds Summit 2024

2024-07-11 Thread Holger Levsen
On Wed, Jul 10, 2024 at 09:46:41PM +0200, Marek Marczykowski-Górecki wrote:
> This conflicts with Linux Plumbers, and almost conflicts with Qubes OS
> Summit :(

we've been aware of this, however we couldn't really schedule it at a
different time. and sadly (though probably rather: gladly) there will
always be some conflicts... we obviously try to minimize them, but that
doesn't always work.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

“It's easy to be a naive idealist. It's easy to be a cynical realist. It's
 quite another thing to have no illusions and still hold the inner flame.”
 (Marie-Louise von Franz)




Reproducible Builds Summit 2024

2024-07-10 Thread Holger Levsen
Hi,

I'm very glad to be able to announce that we will be having
the Reproducible Builds summit in 2024 from September 17 to 19
in Hamburg, in the same venue we've been in 2023:

https://reproducible-builds.org/events/hamburg2024/

Again and as previously, the exact content of the meeting will be 
shaped by the participants, these are our main goals as organizers:

- Physically meet each other after such a long time! ;-)
- Update & exchange about the status of reproducible builds in various projects.
- Improve collaboration both between and inside projects.
- Expand the scope and reach of reproducible builds to more projects.
- Establish space for more strategic and long-term thinking than is possible in virtual channels.
- Brainstorm designs on tools enabling users to get the most benefits from reproducible builds.
- Work together and hack on solutions.
- Discuss how reproducible builds will be usable and meaningful to users and developers alike.

All organisation details (incl how to register by sending an
email) are described on 
https://reproducible-builds.org/events/hamburg2024/
so I will keep this email short and just say that again we very much
welcome sponsors supporting this event and that I hope to see many
of you at the summit!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

If you want energy independence, support renewable energy.




Re: Nearly reproducible Bookworm 12.6 live images

2024-07-03 Thread Holger Levsen
Hi Roland,

On Wed, Jul 03, 2024 at 06:44:37PM +0200, Roland Clobus wrote:
> I'm sooo close...
[...]

hehe, congrats & thanks for keeping us in the loop! In honor of your
work I've manually written the signature of this email...! :)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The devel is in the details.




Re: mitigating non-determinism

2024-06-19 Thread Holger Levsen
Dear Bernhard.

On Tue, Jun 18, 2024 at 12:57:33PM +0200, Bernhard M. Wiedemann via rb-general wrote:
> In https://github.com/bmwiedemann/theunreproduciblepackage/ I had collected
> the many issues that introduce non-determinism.
> 
> Today it is time to talk about mitigations - how can we avoid whole classes
> of problems that would prevent verification of the source->binary relation,
> without patching an infinite number of individual packages.
[...]

thank you very much for assembling this list, it's awesome!

> How to continue from here? I'd like to see some of this added to docs in a
> structured fashion under https://reproducible-builds.org/docs/ - any
> volunteer?

yes, please.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"I know what you're thinking" used to be an idiom but now it's a business model.




Re: Reproducible Builds Summit 2024

2024-06-05 Thread Holger Levsen
Hi Justin,

On Thu, May 30, 2024 at 12:55:46PM -0400, Justin Cappos wrote:
> I'd love to help host this in NYC.  We can certainly provide space to meet
> and work. 

that's an interesting offer! thank you!

> I'm not sure if cost / travel time would be prohibitive though.

true.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Dance like no one's watching. Encrypt like everyone is.




Reproducible Builds Summit 2024

2024-05-30 Thread Holger Levsen
hi,

I'm very happy to announce that this year we'll be holding the eighth
Reproducible Builds Summit!

The dates and location are not fixed yet, however if you don't help us
with finding a suitable location *soon*, it is very likely that we'll
meet again in Hamburg in the 2nd half of September 2024 in the venue
we've met at in 2023.

And while this was and is a very nice venue, we wouldn't mind to choose
a different location, not the least to be in a different geographic
area... so if you have concrete proposals, please reply to this email.

https://reproducible-builds.org/events/

I'm much looking forward to see many of you there!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Society: Be Yourself!
Society: No, not like that.




Re: May 2024: whatsrc.org distro status

2024-05-30 Thread Holger Levsen
On Wed, May 29, 2024 at 08:36:05PM +0200, Simon Josefsson via rb-general wrote:
> > As of May 2024, I have imported source code data from the following
> > distributions:
> This is awesome!

indeed! thanks and kudos, kpcyrd, both for the code in the first place
as well as taking time & effort to announce, spread and improve it!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The climate crisis makes a minimum voting age of 18 look so extremely unfair.




Re: Please review the draft for March's report

2024-04-11 Thread Holger Levsen
Dear Chris et al,

On Thu, Apr 11, 2024 at 07:52:39PM +0100, Chris Lamb wrote:
> > Please review the draft for March's Reproducible Builds report:
> This has now been published — thanks to all who contributed.

great, thank you and everyone involved indeed!

I also like the final order of the entries, though when I skimmed
through https://reproducible-builds.org/reports/2024-03/ I wondered
whether we should add a table of contents to the top of each post?

What do y'all think?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Sometimes the wind comes from leeward. (Konny)




Re: Please review the draft for March's report

2024-04-10 Thread Holger Levsen
On Wed, Apr 10, 2024 at 10:02:56AM -0400, David A. Wheeler via rb-general wrote:
> I agree, this one is HUGE news. There's been a lot of awesome work related to 
> reproducible builds, but "minimal container userland is a 100% reproducible 
> build in a real-world widely-used distro" is a big step forward and should be 
> widely announced.

agreed.

I also think the news about Vagrant helping Debian to confirm the xz related
builds have been fine, deserves a bigger headline.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

You cannot ban abortion. You can only ban safe abortions.




Re: Two questions about build-path reproducibility in Debian

2024-04-08 Thread Holger Levsen
On Tue, Mar 12, 2024 at 08:45:03AM -0700, Vagrant Cascadian wrote:
> >> Note: I confused myself when writing this; in fact Salsa-CI reprotest _does_
> >> continue to test build-path variance, at least until we decide otherwise.
> > this is in fact a bug and should be fixed with the next reprotest release.
> That is not a reprotest bug, but an infrastructure issue for the
> debian-specific salsa-ci configuration. Reprotest is not a
> debian-specific tool.

agreed.
 
> Reprotest should continue to vary build paths by default; reprotest
> historically and currently defaults to enabling all variations and
> making an exception does not seem worth the opinionated change of
> behavior. By design, reprotest is easy to configure which variations to
> enable and disable as needed.

agreed for the upstream release. for reprotest in Debian I'm still
not so sure. (and for reprotest running as part of salsaci I do think
the default should be not to vary path.)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"The two hardest problems in computer science are: (i) people, (ii), convincing
computer scientists that the hardest problem in computer science is people, and,
(iii) off by one errors." - Jeffrey P. Bigham




Re: Reproducible Arch Linux in 2024/Q1 (irregular status update)

2024-03-13 Thread Holger Levsen
hi,

from irc:

 kpcyrd: may i quote on rb-general what you wrote here?
 [11:56] < h01ger> kpcyrd: many thanks for your arch linux status update! i just wonder: does archlinux re-build in the same path as the original build or not? :)
 [11:59] < kpcyrd> | h01ger: yes, the build path always starts with /build/ plus what's configured in the build instructions, e.g. /build/libfoo-1.2.3/
 [12:00] < kpcyrd> with libfoo-1.2.3 usually coming from the source code .tar.gz
 h01ger: yes
 thanks


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Make earth cool again.




Re: Two questions about build-path reproducibility in Debian

2024-03-12 Thread Holger Levsen
On Mon, Mar 11, 2024 at 06:24:22PM +, James Addison via rb-general wrote:
> Please find below a draft of the message I'll send to each affected bugreport.

looks good to me, thank you for doing this!
 
> Note: I confused myself when writing this; in fact Salsa-CI reprotest _does_
> continue to test build-path variance, at least until we decide otherwise.

this is in fact a bug and should be fixed with the next reprotest release.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Historians have a word for Germans who joined the Nazi party, not because they
hated Jews,  but out of hope for  restored patriotism,  or a sense of economic
anxiety,  or a hope  to preserve their  religious values,  or dislike of their
opponents,  or raw  political opportunism,  or convenience,  or ignorance,  or greed.
That word is "Nazi". Nobody cares about their motives anymore.




Re: Two questions about build-path reproducibility in Debian

2024-03-06 Thread Holger Levsen
On Tue, Mar 05, 2024 at 11:51:16PM +, Richard Purdie wrote:
> FWIW Yocto Project is a strong believer in build reproducibility
> independent of build path and we've been quietly chipping away at those
> issues.
[...] 
> OpenEmbedded-Core (around 1000 pieces of software) is 100% reproducible
> and we have the tests to prove it running daily, building in different
> build paths and comparing the output.

that's awesome!

btw, https://www.yoctoproject.org/reproducible-build-results/ (linked
from https://reproducible-builds.org/who/projects/#Yocto%20Project)
doesn't show any results?

> We're working on our wider layers too, e.g. meta-openembedded has
> another 2000+ pieces of software and less than 100 are not
> reproducible.

nice.

we had 35000 pieces of software in Debian of which ~2000 were not
reproducible with undeterministic build paths. Now with build paths
as part of the build environment it's less than half.
 
> So even if debian doesn't do this, there is interest elsewhere and I
> believe good progress is being made.
 
nice!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Living in a privileged region and as a member of a generation
that is probably better off than any before or after it, and that has
plundered the resources of our earth to an unprecedented degree.




Re: Two questions about build-path reproducibility in Debian

2024-03-04 Thread Holger Levsen
On Mon, Mar 04, 2024 at 11:52:07AM -0800, John Gilmore wrote:
> Why would these become "wishlist" bugs as opposed to actual reproducibility bugs
> that deserve fixing, just because one server at Debian no longer invokes this
> bug because it always uses the same build directory?

because it's "not one server at Debian" but what many ecosystems do: build in a
deterministic path (eg /$pkg/$version or whatever) or record the path as part
of the build environment, to have it deterministic as well.

in the distant past, before namespacing became popular, using a random path
was a solution to allow parallel builds of the same software & version.

and yes, this is a shortcut and a tradeoff, similar to demanding to build
in a certain locale. also it makes reproducibility from around 80-85% of all
packages to >95%, IOW with this shortcut we can have meaningful reproducibility
*many years* sooner, than without.

and I'd really rather like to see Debian 100% reproducible in 2030, than in 2038.
and some subsets today, or much sooner.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Homophobia is a sin against god.




Re: Why is not everything reproducible yet?

2024-02-14 Thread Holger Levsen
Hi Bernhard,

(this got lost in post end of the year busyness...)

On Wed, Dec 20, 2023 at 09:42:53AM +0100, Bernhard M. Wiedemann via rb-general wrote:
> Sometimes people wonder:
> Why is not everything reproducible yet?
> 
> And the general reason is that there are other interests that result in
> added non-determinism.
> I collected some with examples
> Performance (PGO, benchmarking, -march=native, parallelism/races)
> Simplicity (e.g. using random UUIDs instead of hashed inputs)
> Security (Signatures):
> Traceability of provenance (date+user+hostname):
> repeatable builds:
> Portability:

I really liked this post/list/summary and wondered whether we should have this
on https://reproducible-builds.org somewhere, maybe even in /news/, though I'd
think there should be an update at least every 6 months and I wonder if this is
feasible?

What do y'all think?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Because things are the way they are, things will not stay the way they are.
(Bertolt Brecht)




Re: no more F-Droid RB updates

2023-12-05 Thread Holger Levsen
Hi Fay,

On Sun, Nov 26, 2023 at 10:30:05PM +0100, Fay Stegerman wrote:
> Sadly, I've had to leave F-Droid.  I will thus no longer be working on
> Android reproducible builds or update the monthly overview of F-Droid
> apps published with reproducible builds.  AFAIK no one is planning to
> take over my work, thus I assume October's update will have been the
> last.

that's sad news, but thanks for letting us know and for all the nice
updates in the past in the first place! Also much luck & joy for your
further works in future!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

“I'll tell you what freedom is to me No fear.” (Nina Simone)




Re: tests.reproducible-builds.org: build logs sent as gzip but no content-encoding, but only sometimes?

2023-11-17 Thread Holger Levsen
On Fri, Nov 17, 2023 at 01:12:40PM +0100, наб wrote:
> If the scissors didn't give it away, this is a "proper" scissor-patch,
> which uses headers from the mail (herein: From:)
> and overrides under the cut line (herein: Subject:),
> but you do need -c or --scissors to apply it:

TIL, thanks.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Fischer's Fritz fishes plastic.




Re: tests.reproducible-builds.org: build logs sent as gzip but no content-encoding, but only sometimes?

2023-11-17 Thread Holger Levsen
hi,

On Wed, Nov 15, 2023 at 10:42:25PM +0100, наб wrote:
> -- >8 --
> Subject: [PATCH] jenkins.d.n: AddEncoding gzip .gz, such that the files aren't
>  re-compressed as gzip, which some clients can't deal with, and it's a waste
>  of time
> 
> The current approach, under bookworm apache 2.4.57-2, returns:
>   (no accept-encoding)    -> content-encoding: gzip       + raw gzipped file
>   (accept-encoding: gzip) -> content-encoding: gzip, gzip + gzip(raw gzipped file)
> 
> This is valid, but on systems with ESET, or under lynx, opening
>   https://tests.reproducible-builds.org/debian/rbuild/unstable/amd64/systemd-cron_2.3.0-1.rbuild.log.gz
> would just return a garbled result: they match content-encoding
> directly, instead of tokenising it.
> 
> The scary comment doesn't seem to apply to apache 2.4.57-2.
> ---
>  .../etc/apache2/sites-available/jenkins.debian.net.conf   | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git 
> a/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net.conf 
> b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net.conf
> index 289c6240c..5e40b9aaa 100644
> --- a/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net.conf
> +++ b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net.conf
> @@ -87,9 +87,7 @@
>   
>  
>   
> - Header append Content-Encoding gzip
> - # this causes errors 406 to clients connecting without 
> Accept-Encoding=gzip.
> - #AddEncoding gzip .gz
> + AddEncoding gzip .gz
>   ForceType text/plain
>   
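Review bot: the removed comment beside `#AddEncoding gzip .gz` recorded that this directive caused 406 errors for clients connecting without Accept-Encoding=gzip, and the hunk enables the directive while deleting that warning with nothing in its place. The commit message only says the comment "doesn't seem to apply to apache 2.4.57-2", so I'd keep a one-line comment naming the Apache version this was tested against and confirm that a request sent without Accept-Encoding still gets a 200 with a single `Content-Encoding: gzip`, so the 406 cannot come back unnoticed after a later Apache change.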

I've deployed this patch now and am cc:ing Mattia, so he can doublecheck it's
fine.

Next time please do send a proper git patch, it was a tiny bit cumbersome to
extract it from the email and add a From: header. No big deal neither, but.

& thank you!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Make earth cool again.
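
The stacked `content-encoding: gzip, gzip` response described in the quoted commit message, as an added example that is not part of the original mail or of the jenkins.debian.net code: it compares a client that tokenises the header with one that matches the whole value. The sample log text, the function names and the exact-match client model are assumptions made for illustration.

```python
import gzip

# Constructed sample standing in for a stored .rbuild.log.gz file.
LOG_TEXT = b"dpkg-buildpackage: info: source package systemd-cron\n" * 3
STORED_GZ = gzip.compress(LOG_TEXT, mtime=0)

# The two response shapes listed in the commit message, as
# (Content-Encoding value, body bytes on the wire).
RESPONSES = {
    "no accept-encoding": ("gzip", STORED_GZ),
    "accept-encoding: gzip": ("gzip, gzip", gzip.compress(STORED_GZ, mtime=0)),
}


def parse_codings(header_value):
    """Split a Content-Encoding value into codings, in the order applied."""
    return [tok.strip().lower() for tok in header_value.split(",") if tok.strip()]


def decode_tokenised(header_value, body):
    """Undo every listed coding, last applied first (RFC 9110, section 8.4)."""
    for coding in reversed(parse_codings(header_value)):
        if coding in ("gzip", "x-gzip"):
            body = gzip.decompress(body)
        elif coding == "identity":
            continue
        else:
            raise ValueError(f"unsupported content coding: {coding!r}")
    return body


def decode_exact_match(header_value, body):
    """Assumed model of a client that compares the whole value to 'gzip'."""
    if header_value.strip().lower() == "gzip":
        return gzip.decompress(body)
    # "gzip, gzip" is not recognised, so the body is passed on undecoded.
    return body


def looks_gzipped(data):
    """True if the bytes still start with the gzip magic number."""
    return data[:2] == b"\x1f\x8b"


def report():
    """Decode each sample response with both clients and summarise the result."""
    rows = []
    for request, (header, body) in RESPONSES.items():
        tokenised_ok = decode_tokenised(header, body) == LOG_TEXT
        exact = decode_exact_match(header, body)
        rows.append((request, header, tokenised_ok, exact == LOG_TEXT,
                     looks_gzipped(exact)))
    return rows


if __name__ == "__main__":
    for request, header, tok_ok, exact_ok, leftover in report():
        print(f"{request:24} content-encoding: {header:11} "
              f"tokenised={'ok' if tok_ok else 'garbled'} "
              f"exact-match={'ok' if exact_ok else 'garbled'} "
              f"still-gzip={leftover}")
```
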




Re: tests.reproducible-builds.org: build logs sent as gzip but no content-encoding, but only sometimes?

2023-11-15 Thread Holger Levsen
hi,

On Wed, Nov 15, 2023 at 03:23:59PM +0100, наб wrote:
> > so good on linux and bad on windows?
> This is what I kept coming back to, but refused to accept firefox would
> do something this weird just based on the target.
> 
> Forgot, of course, that both bad machines have ESET running,
> and disabling "HTTP(S) scanning" in ESET fixes this.
> Sorry for the noise, I s'pose.

:)
 
> That said, I think it's a miracle of standards conformance that
> curl and firefox understand the replies: [...]

the whole internet is magic! well, some parts at least. ;)

> But, indeed, t.r-b.o returns valid responses:

thanks for making this clear.

> So I'm assuming if you made it not do that then you'd both
> save on load and have a wider compatibility range?

seems reasonable, though I have to admit this won't get on my
todo list anytime soon, so if you could provide a patch against
https://salsa.debian.org/qa/jenkins.debian.net/-/blob/master/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net.conf
that would be very much appreciated.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Change is coming whether you like it or not.




Re: reproducible-builds.org is down

2023-11-15 Thread Holger Levsen
On Wed, Nov 15, 2023 at 02:14:31PM +0100, Julien Malka wrote:
> To whom it may concern, it looks like the
> https://reproducible-builds.org/ website is down.
 
thanks, it's back now.

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Make earth cool again.




Re: tests.reproducible-builds.org: build logs sent as gzip but no content-encoding, but only sometimes?

2023-11-15 Thread Holger Levsen
Hi,

On Tue, Nov 14, 2023 at 11:05:02PM +0100, наб wrote:
> Keep me in CC please.

ack, done.
 
> On opening
>   https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/systemd-cron.html
> I see garbage in the log view
> (screenshot at https://101010.pl/@nabijaczleweli/111410835559109343).
> 
> In the network log I see a request for
>   https://tests.reproducible-builds.org/debian/rbuild/unstable/amd64/systemd-cron_2.3.0-1.rbuild.log.gz
> which returns an expectedly-gzipped answer, but with no
> Content-Encoding: gzip header.
> 
> This reproduces when opening it directly.

what is the actual problem you are experiencing?
 
> For example, my firefox sees:
>   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
[...]
> But another user's firefox sees
>   User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0

those are two very different versions of firefox and OSes.

> I tested this on four machines total:
>   my own           (win32   firefox, "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0"):   bad
>   my brother's     (x11     firefox):                                                                                     good
>   my father's      (win32   firefox, "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0"): bad
>   another tester's (wayland firefox, "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0"):           good

so good on linux and bad on windows?

> the first three are the same exit address so this is not IP-bound,
> the only correlation I see with the data is that it's good when calling
> from UNIX and bad when calling from Win32?

seems like it.

> Requesting with curl/7.88.1 I see Content-Encoding: gzip.
> But adding --compressed I see Content-Encoding: gzip, gzip.
> Either way it's valid, but not an ideal approach.

what would you propose?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The devel is in the details.




Re: Priority claim re bootstrapping

2023-11-13 Thread Holger Levsen
On Sun, Nov 12, 2023 at 04:28:42PM -0800, John Gilmore wrote:
> I do think the topic is a suitable one for the Reproducible Builds
> community to discuss.  Politely conducted disputes should not be
> dismissed as "nonsense" with a suggestion that the parties unsubscribe
> from the list.  Inflating the emotional tone of the discussion is not
> constructive toward the community discovering whatever contemporaneous
> truths may be findable behind the various claims.

thanks for these words, John. fwiw, I agree with it in general and regret
that I here went too harsh too quickly. also thanks to Vagrant who very well
brought things into perspective.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Sometimes the wind comes from leeward. (Konny)




Re: GNU Mes 0.25 released

2023-11-12 Thread Holger Levsen
On Sun, Nov 12, 2023 at 09:00:55AM +0100, aho...@0w.se wrote:
> I only react on it being *explicitly referred* in the announcements
> on *this list* time and time again

nobody forced you to subscribe to this list, nobody forces you
to reply (I hope), unsubscribing is easy.
 
> P.S. Calling something "nonsense" even if you find it being offtopic is
> hardly the best choice of wording in a constructive conversation.

https://en.wikipedia.org/wiki/Brandolini%27s_law


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Make facts great again.




Re: GNU Mes 0.25 released

2023-11-11 Thread Holger Levsen
On Sat, Nov 11, 2023 at 09:16:38AM +0100, aho...@0w.se wrote:
> On Sat, Nov 11, 2023 at 07:38:42AM +0100, Janneke Nieuwenhuizen wrote:
> > We are happy to announce the release of GNU Mes 0.25!
> Regrettably, the post includes a reference to [...]
 
an, stop this *now*. Your repeated hostile nonsense is not welcome on this
list.

& kudos to the Mes team!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Make earth cool again.




Re: Please review the draft for October's report

2023-11-11 Thread Holger Levsen
On Sat, Nov 11, 2023 at 11:02:47AM +0100, Pol Dellaiera wrote:
> I just pushed a commit to actually publish it, hope it's ok !

I've seen those two commits pass by on IRC and the fact that they 
were not coming from Chris *and* included the words "report for November" 
(albeit in the commit message only) and then (rightfully as I realized
by now) corrected the date to November made me quickly revert them before
I saw this mail of you.

long story short: i'm sorry for needlessly reverting your changes!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Dance like no one's watching. Encrypt like everyone is.




strip-nondeterminism usages (was Re: LibreOffice success story)

2023-11-08 Thread Holger Levsen
On Tue, Nov 07, 2023 at 07:28:37PM +0100, Pol Dellaiera wrote:
> First, it is available in Nix: 
> https://search.nixos.org/packages?channel=23.05&show=perl536Packages.strip-nondeterminism&from=0&size=50&sort=relevance&type=packages&query=nondeterminism
> 
> A quick text search of `strip-nondeterminism` in `nixpkgs` showed that it is 
> being used in a couple of derivations:
> 
> - cieid
> - cie-middleware-linux
> - pridefetch
> - wireworld
> - stone-kingdoms
> - orthorobot
> - mari0
> - slimerjs
> - firefox (to fetch addons)
> - pcsx2
> - bisq-desktop
> 
> See it by yourself: 
> https://github.com/search?q=repo%3ANixOS%2Fnixpkgs%20strip-nondeterminism&type=code

oh, TIL, thanks for sharing!

any idea how to include this information on 
https://reproducible-builds.org/tools/#strip-nondeterminism
?

while at it we should also mention that it's automatically
used in Debian builds when using debhelper-compat 11(?) and
explain how/when it is used in Archlinux, so other distros
may consider it too.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

🔥 - this is fine.




Re: Reproducibility terminology/definitions

2023-11-08 Thread Holger Levsen
Hi Pol,

On Wed, Nov 08, 2023 at 04:38:19PM +0100, Pol Dellaiera wrote:
> I'm writing to express my enthusiasm for the discussions and initiatives that 
> took place during the meeting in Hamburg. Although I was regrettably unable 
> to attend, I have been closely following the outcomes and I'm particularly 
> interested in the effort to enhance the website with clear definitions of 
> terms related to reproducibility, a terminology.

It's nice to read about your enthusiasm!

> As a person deeply invested in reproducibility for work and personal 
> purposes, I am keen on contributing to this initiative. I believe that 
> establishing formal definitions is not only critical for our collective 
> understanding but also serves as a beacon for the academic community and 
> those new to the concept, guiding them towards a standardized comprehension 
> of reproducibility.

agreed.

> To that end, I'm currently drafting a formal definition of reproducibility 
> that I hope to contribute. However, before I proceed further, I would like to 
> know whether any of you have already worked on formulating such a definition. 
> Collaboration or alignment with existing efforts would be more productive 
> than working in isolation.

are you aware of https://reproducible-builds.org/docs/definition/ ? :)

> Additionally, I would highly appreciate the opportunity to have my draft 
> reviewed by peers within this group. Fresh perspectives and expert insights 
> would be invaluable in ensuring the precision and clarity of the definitions.
>
> If you are interested in reviewing my work or if there is already a draft in 
> progress that I could assist with, please let me know. I am eager to 
> contribute and collaborate with you all on this important aspect of our work 
> through a visio at any time.

please absolutely share your draft on this list! It's always good to be able
to look at things from different perspectives, and you'll surely add another! :)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Make facts great again.




Re: LibreOffice success story

2023-11-07 Thread Holger Levsen
On Tue, Nov 07, 2023 at 01:48:22PM +0100, Pol Dellaiera wrote:
> [...] it was strip-determinism that I was talking about, sorry for the 
> confusion !

oh, that's interesting! are you using strip-nondeterminism on all NixOS builds
or only on some and if only on some, how do you opt-in (or -out)?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The purpose of propaganda isn't to make you believe something. It's to make you
believe nothing. So that you do nothing. (@DarthPutinKGB)




Re: LibreOffice success story

2023-11-07 Thread Holger Levsen
On Tue, Nov 07, 2023 at 11:46:12AM +0100, Pol Dellaiera wrote:
> @Holger: I'm also using Diffoscope with Nix/NixOS when something goes wrong, 
> so yeah that useful tool is used outside Debian!

diffoscope is widely used for sure. I was however speaking about 
strip-nondeterminism.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

There never has been more knowledge in the world with less conclusions.
(Die Goldenen Zitronen, 1996 or so)




Re: LibreOffice success story

2023-11-07 Thread Holger Levsen
On Tue, Nov 07, 2023 at 10:11:47AM +0100, Bernhard M. Wiedemann via rb-general wrote:
> Now there were only mtimes left in .jar and .zip files that were easily
> normalized with strip-nondeterminism.

nice to see strip-nondeterminism is used outside Debian.
 
> So today I hold in my hands the first two bit-identical LibreOffice rpm
> packages.
> And this is the success I wanted to share with you all today.
 
super awesome, thanks for sharing and kudos to Thorsten and you!

and now never wash these hands again! ;)

> It makes me feel as if we can solve anything.

:))


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Where will your kids go when they become climate refugees?




Re: Website translation

2023-11-06 Thread Holger Levsen
On Wed, Nov 01, 2023 at 06:37:55PM +0100, Marcus Hoffmann via rb-general wrote:
> I maintain the weblate installation for Codeberg at
> https://translate.codeberg.org which might be another potential option.
> We can (probably) also configure that to work with the gitlab api at salsa,
> which enables creating gitlab merge requests instead of pushing to a repo
> directly.

I'd like this too.

(And I regret not having included this email in my previous on this topic.)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Another end of the world is possible.




Re: Website translation

2023-11-06 Thread Holger Levsen
Hi Julien,

On Wed, Nov 01, 2023 at 05:16:01PM +0100, Julien Lepiller wrote:
> I've learned at the rb meeting that the website could be translated.
> Currently, the translation process looks like this: you clone the repo,
> figure that you need to add your language to _config.yml (languages),
> run bin/i18n.sh to generate the po files, translate the po files,
> create an account on salsa and send an MR.

oh dear.
 
> I've started translating and I'm waiting for my account to be validated
> by an admin.

has this happened by now?

> I manage the translation infrastructure at Guix, where we use Weblate
> for hosting the translations online. I think it's a good choice to make
> it easier, even for technical translators, to focus on their work. It
> includes a shared glossary, lint checks, screenshots, and support for
> automatic update and commit.

I agree from what I've seen with debian-edu-doc, which is also using
Weblate (and which I maintain except the translations...)

> Guix is hosted on Fedora's instance because they are open to other
> projects, and because the default instance used to use non-free
> javascript, which we didn't want our translators to be subjected to. It
> seems that it's no longer the case, so I have no strong argument
> against using it anymore. Maybe Debian has an instance or a similar
> system?

we're actually using 
https://hosted.weblate.org/projects/debian-edu-documentation/bookworm-manual/
 
> In terms of security, the Weblate instance needs to be allowed to pull
> and push commits to the repository. The server has an SSH key that
> needs to be added to an account on salsa (it could be a dedicated
> account or someone's account).

for debian-edu-doc we use a weblate branch which is manually synced
by a translation coordinator and manually merged into main too.

I think I prefer such a model for the reproducible-website.git translations
too, at least for a start. Would you like to pick up that role? :)

> What do people think?

I <3 translated content, thank you for working on that!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

:wq




Re: Blog post about a talk by Ken Thompson and the original Trusting Trust attack finally released

2023-10-26 Thread Holger Levsen
On Thu, Oct 26, 2023 at 11:36:32AM +0200, Marcel Fourné wrote:
> Russ Cox posted https://research.swtch.com/nih and disseminates the original 
> Ken Thompson compiler backdoor in this, together with a link 
> https://research.swtch.com/v6/ to follow along in a simulator.
> More of historical importance, but definitely interesting and relevant to 
> this group, which is also mentioned in the posting.
> The talk by Thompson which sparked all this is linked to as well at 
> https://www.youtube.com/watch?v=kaandEt_pKw&t=643s

neato! \o/ it's really fantastic to see how reproducible builds have become
a recognized part of solving this decade old problem.

thanks for sharing, Marcel!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Make facts great again.




Re: Registration open for the 2023 Reproducible Builds Summit in Hamburg, Germany

2023-10-16 Thread Holger Levsen
hi,

it seems we didn't mail rb-general once more about this fantastic event
taking place in two weeks tomorrow:

https://reproducible-builds.org/events/hamburg2023/

read on for much more info

On Mon, Aug 07, 2023 at 12:24:28AM +0200, Mattia Rizzolo wrote:
> Hello everybody!
> 
> Many of you should have already received an invitation email for the
> upcoming summit, as previously announced.
> Indeed, not counting the organizer we already have one registration!! ;)
> 
> I'm copying it here down below, and if any of you reading here didn't
> get said invitation but would still like to attend, by all means mail us
> (2023-summit-team at l.rb.o) to register :)
> 
> Also, tell us if you'd like to receive invitations to the next summits,
> and we will add you to our list of people to mail!
> 
> 
> I'm copying down the full invitation I've sent:
> 
> 
> 
> 
> We are pleased to invite you to the next Reproducible Builds Summit,
> and we are very much looking forward to seeing you there!
> 
> Contents
> ========
> 
> - Event URL
> - Dates
> - Location
> - Other attendees
> - Sponsors wanted (and how you can help)
> - participation costs and financial support
> - Accommodation on site
> - Registration deadlines
> - Meeting goals and likely topics
> - (Private) contact information
> 
> Event URL
> =========
> 
> https://reproducible-builds.org/events/hamburg2023/
> 
> In case you don't read this long email you find *most* of the info here.
> (And in any case, please don't hesitate to ask anything!)
> 
> Dates
> =====
> 
> The 2023 Reproducible Builds Summit will take place on:
> 
> October 31st 2023 — November 2nd 2023
> 
> These dates are inclusive — ie. the summit will be 3 full days,
> "9 to 5", therefore:
> 
> Recommended arrival day:   Monday, October 30th
> Recommended departure day: Friday, November 3rd
> 
> Location
> ========
> 
> The event will take place at:
> 
> dock europe e.V.
> Bodenstedtstr. 16
> 22765 Hamburg
> Germany
> https://dock-europe.net/
> 
> 
> Other attendees
> ===============
> 
> If you believe somebody should attend, please feel free to forward
> this mail to them, and let them know they should contact us at:
> 
> <2023-summit-t...@lists.reproducible-builds.org>
> 
> 
> Sponsors wanted
> ===============
> 
> If you think you or your company/organization can help out, please reach
> out to us at <2022-summit-t...@lists.reproducible-builds.org> and/or
> pass on our sponsor plans for entities donating at least 1000€:
> 
> 
> 
> 
> If you are attending on behalf of your company, a corporate registration
> to the summit is available, starting at 1000€ (including the
> accommodation described below). Please contact us if you are interested
> in this option. Likewise, if you or your company can pay for your own
> meals, please do let us know as well.
> 
> Participation costs and financial support
> =========================================
> 
> Attendance to the summit itself is free of charge! (Although see below
> for accommodation information.)
> 
> We hope we'll be able to confirm sponsors to support the event, who will
> offset the shared expenses for everybody (meeting rooms, meals,
> stationery, etc.)
> 
> In an effort to maximize inclusion and expand the diversity of the
> community, we are offering additional travel support on a case by case
> basis. See the event page linked earlier on this email for more
> information, and tell us if you'd need such support.
> 
> 
> Accommodation
> =============
> 
> The event space also has accommodation for 28 people in modern
> two-person bedrooms in close proximity to the event rooms. Please tell
> us if you are interested in staying at the venue; the lodging costs will
> be 200€ for the above 5 days / 4 nights for one bed in a double (ie.
> shared) room, inclusive of breakfast and linen.
> 
> Again, we are open for sponsors: if your company is able to we may be
> able to support us we could offset the lodging costs. Please reach out
> to us in that case.
> 
> 
> Registration deadlines
> ======================
> 
> Deadline for the registration is:
> 
> 24th September 2023
> 
> After that date we will start finalizing things so we may or may not be
> able to accommodate you. Note that we have a limited number of space for
> attendees, and acceptance will be on a first-come / first-serve basis.
> 
> If you plan to attend, you *MUST* reply to this email (ie. to
> 2023-summit-t...@lists.reproducible-builds.org) with:
> 
> "I want to attend!"
> 
> If you do not plan to attend, a short "no thank you" response would also
> be highly appreciated so we know that you are still interested in our
> project. Equally, please do tell us if we should stop with these
> invitations in the future.
> 
> 
> Meeting goals and likely topics
> ===============================
> 
> First and foremost, we want to meet each other and see how we are

Re: Upcoming changes to Debian Linux kernel packages

2023-09-27 Thread Holger Levsen
On Mon, Sep 25, 2023 at 10:52:26AM +, Holger Levsen wrote:
> FYI, "this will make the build unreproducible"... :/

fwiw, after reading the replies to this thread (on the debian kernel list,
not here) I don't think this proposal will be implemented...


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Make lying wrong again.




Upcoming changes to Debian Linux kernel packages

2023-09-25 Thread Holger Levsen
FYI, "this will make the build unreproducible"... :/

- Forwarded message from Bastian Blank  -

Date: Sun, 24 Sep 2023 15:01:47 +0200
From: Bastian Blank 
To: debian-ker...@lists.debian.org
Cc: debian-b...@lists.debian.org, debian-rele...@lists.debian.org, 
debian-secur...@lists.debian.org,
d...@packages.debian.org
Subject: Upcoming changes to Debian Linux kernel packages
Message-ID: <20230924130147.qwnjrq4nvkm75...@shell.thinkmo.de>
List-Id: 

Hi folks

Debian currently does Secure Boot signing using a shim chained to the
Microsoft key.  This use requires that we follow certain rules.  And one
of the recent changes to those rules state that our method of signing
kernel modules also with the same key will not be allowed anymore.  Some
information is in #1040901.

We could just do the minimal change, sign the modules a different way
and let users walk into authenticated failures and other scary error
messages.  Or we could change the existing ABI setting on every upload,
creating a new set of binary packages.

But maybe we can enhance the user experience a bit, by reducing the
chance of scary errors, but with the chance of simple errors like "you
need to reboot".  So let's do some more changes and hopefully don't
break the user experience too much.  The planned changes are discussed
in more detail.

## Kernel modules will be signed with an ephemeral key

The modules will no longer be signed using the Secure Boot CA like the
EFI kernel image itself.  Instead a key will be created during the build
and thrown away after.

Yes, this will make the build unreproducible, but no better solution
currently exists.  There are some plans, but no-one is working on them.
If a suitable replacement shows up, we can always switch to that
solution.

## Kernel release value includes complete Debian version

The kernel release is what "uname -r" shows, and how modules are
organized in /lib/modules.  This value will include the complete version
of the binary package, so even binNMU will somehow work.  This will make
sure the value changes with every upload and modules will not be
compatible already from that check.

Example: 6.5.3-2+b2-cloud-arm64

## Image packages contains more version info

By renaming the kernel packages we try to make several kernels
installable at the same time.  In contrast to rpm, where you can have
the same package installed multiple times in different versions, dpkg
only supports a single one at the same time.  So the co-installable
versions need to have different package names.

The packages will include the full upstream version.  There exists the
exception of devel builds and uploads to experimental, which will contain
even less of the version, to avoid new names in those cases.

Example: linux-image-6.5.3-cloud-arm64

There are some drawbacks.

The same upstream version in testing and backports will have the same
package name.  Multiple uploads of the same upstream version will have
the same package name, but those rarely happen.  Those packages will
not be compatible and a reboot is necessary to be able to load modules
again.

It will no longer be possible to reliably derive the package name from
kernel release (see above), as both values are not really related
anymore.

## Header and tool packages will no longer contain version

The headers packages will no longer include the version.  It won't be
reliably possible to derive the package name anyway from the running
kernel.

This means that only headers of one single version can be available on
the system at one time.  This might be a bit inconvenient for dkms, as
it can no longer build modules for multiple versions.

But we too often have the problem that image and headers go out of sync
and then you can't find the correct ones anyway.

Example: linux-headers-cloud-arm64

## Installer packages will no longer contain too much version

The installer can only ever handle one version of kernel.  Also it got
an internal mechanism to detect which packages belong together
(the Kernel-Version control entry).  So we have no need to rename them
and force a matching change in d-i itself just because a new kernel
exists.  So it will no longer contain the full version in the package
names if not needed.

## Further work

The changes outlined here try to avoid changes to the initramfs
protocol, aka /etc/kernel/.  There are larger changes cooking somehow,
see
https://lists.debian.org/msgid-search/y2gbkyerb10ky...@shell.thinkmo.de

Regards,
Bastian

-- 
You!  What PLANET is this!
-- McCoy, "The City on the Edge of Forever", stardate 3134.0


- End forwarded message -

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

we'll all die. make a difference while you can. disobey. smile.




Re: Irregular status update about reproducible live-build ISO images

2023-07-04 Thread Holger Levsen
Hi Roland,

On Sun, Jul 02, 2023 at 05:37:30PM +0200, Roland Clobus wrote:
> here is the 18th update of the status for reproducible live-build ISO images

many thanks for those 18 reports, i'm looking forward to the 19th! :)

> Reproducible status:
> * All major desktops build reproducibly with bullseye, bookworm, trixie and
> sid
[...]
> * The live images are generated officially by Debian

did you check already whether one can reproduce the officially released
Debian bookworm live images?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Segregation was legal. Slavery was legal. Don't use legality as a guide to
morality.




Re: Introducing: Semantically reproducible builds

2023-06-02 Thread Holger Levsen
hi,

I was busy with the Debian Hamburg Reunion 2023 last week and the first
half of this, so I only started catching up on this thread yesterday...

On Fri, Jun 02, 2023 at 10:46:16AM -0400, David A. Wheeler wrote:
> Fair enough. The immediate issue is to reduce confusion.
> 
> The OSSGadget developers have decided to switch to the term "semantic 
> equivalency"
> and "semantically equivalent":

...and now I'm glad to read this! As several others have pointed out in this
thread the previously discussed term would have been very confusing, so I'm
happy you've found something else.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"Any fool can know. The point is to understand." - A. Einstein 




Re: GCC, binutils, and Debian's build-essential set

2023-05-12 Thread Holger Levsen
hi Vagrant,

On Sun, Apr 30, 2023 at 09:54:58PM -0700, Vagrant Cascadian wrote:
> I have been poking at gcc and binutils this month; they take a good long
> while to build...
[...]

wheee, kudos & thanks for sharing your progress here!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"The events of 1933 to 1945 should have been fought by 1928 at the latest;
later it was too late. One must not wait until the fight for freedom
is called treason. One must crush the rolling snowball;
nobody can stop the avalanche." Erich Kästner




Re: Build the ring rust crate with a stable build path

2023-05-08 Thread Holger Levsen
hi kpcyrd,

On Mon, May 08, 2023 at 02:08:09AM +0200, kpcyrd wrote:
> I was using github actions to compile my project but had trouble matching
> the binary, even when[...]

thanks for sharing your findings here!

[...]
> This can be run without root privileges if user namespaces are enabled. The
> script sets up two directories in /mnt to provide the source code, build
> directory and $CARGO_HOME folder at stable locations.
> 
> This view on the file system is exclusive to the compiler process and
> doesn't interfere with any other processes making use of the /mnt directory,
[...]

yes, this matches what Vagrant and myself recently discussed on IRC:

for build paths we want predictable/deterministic build paths,
because still way too many tools embed the build paths in their outputs.

> This allowed me to match the binary built by github actions with one built
> in my ubuntu:22.04 container. You still need to match all compilers used or
> you may run into "GNU AS 2.38" vs "GNU AS 2.40.0" or "GCC: (Ubuntu
> 11.3.0-1ubuntu1~22.04) 11.3.0" vs "GCC: (GNU) 13.1.1 20230429". And
> obviously to change the binary output is the whole point of releasing a new
> compiler version. Linux distributions are using buildinfo files for this,
> I'm not aware of any github native solutions for this.

doesn't github now support SBOMs and shouldn't those SBOMs contain that info?
 

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Dance like no one's watching. Encrypt like everyone is.




Re: Full-Source Bootstrap has landed on Guix master

2023-04-27 Thread Holger Levsen
On Wed, Apr 26, 2023 at 04:41:21PM +0200, Janneke Nieuwenhuizen wrote:
> Now that the core-updates development branch has been merged, the
> Full-Source Bootstrap has come to GNU Guix!  This means we're building
> packages from source all the way down.  Read all about it in this new
> post:
> 
>   
> https://gnu.org/software/guix/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/

wow, that's very awesome!

(and if you haven't I very much recommend to read the whole blogpost.)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

It's the end of the world as we know it - and I feel fine.




Re: Sphinx: localisation changes / reproducibility

2023-04-27 Thread Holger Levsen
On Wed, Apr 26, 2023 at 12:40:09PM -0700, Vagrant Cascadian wrote:
> Yes, ideally SOURCE_DATE_EPOCH does not matter. It is a workaround to
> embed a (hopefully meaningful) timestamp, when from a reproducible
> builds perspective, ideally there would be no timestamp at all in the
> resulting artifacts. 

I'm not sure I agree SOURCE_DATE_EPOCH is a workaround. Because, as you 
explain from a reproducible builds perspective no timestamps are ideal
(and as such I can see why you call it a workaround) but I don't think the
reproducible builds perspective is the only relevant perspective in
the world of software development nor usage. And as SOURCE_DATE_EPOCH,
or in other words, the release date of the software in question, is
meaningful to us humans, I also think having an automatic
way of retrieving the release date of a given software, which is
SOURCE_DATE_EPOCH, is more than a workaround.

differently said: I agree that removing timestamps is more often than
not the right thing to do. When this cannot be done or when this can
only be done badly (eg by setting filesystem times to 1970-01-01)
timestamps are best replaced by SOURCE_DATE_EPOCH.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

“It's easy to be a naive idealist. It's easy to be a cynical realist. It's
 quite another thing to have no illusions and still hold the inner flame.”
 (Marie-Louise von Franz)


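
The timestamp handling discussed in this thread (mtimes in .jar and .zip files normalized for the LibreOffice packages, and replacing timestamps with SOURCE_DATE_EPOCH rather than 1970-01-01), as an added Python example that is not part of any post and is not strip-nondeterminism's code. The archive contents, the epoch values and all function names are constructed for illustration.

```python
import calendar
import hashlib
import io
import os
import time
import zipfile

DOS_EPOCH_MIN = 315532800  # 1980-01-01T00:00:00Z: ZIP cannot store anything earlier


def source_date_epoch(environ=os.environ):
    """Read SOURCE_DATE_EPOCH (Unix seconds, UTC) or fail loudly."""
    raw = environ.get("SOURCE_DATE_EPOCH")
    if raw is None:
        # Falling back to "now" would silently reintroduce the nondeterminism.
        raise RuntimeError("SOURCE_DATE_EPOCH is not set")
    value = int(raw)
    if value < 0:
        raise ValueError("SOURCE_DATE_EPOCH must not be negative")
    return value


def _stored_epoch(info, fallback):
    """Member mtime as Unix seconds; ZIP stores no timezone, so read it as UTC."""
    try:
        return calendar.timegm(info.date_time)
    except ValueError:  # corrupt date field (e.g. month 0): treat as "needs clamping"
        return fallback


def member_times(data):
    """Map member name -> stored mtime in Unix seconds."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: _stored_epoch(i, 0) for i in zf.infolist()}


def normalize_zip(data, epoch):
    """Rewrite a ZIP so that no member mtime is newer than `epoch`.

    Older mtimes (files shipped unchanged in the source tree) are kept, so the
    result carries meaningful dates instead of a blanket 1970/1980 value.
    Member order is preserved (a jar expects its manifest first) and extra
    fields, which can hold a second copy of the timestamp, are dropped.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            clamped = max(min(_stored_epoch(info, epoch), epoch), DOS_EPOCH_MIN)
            new = zipfile.ZipInfo(info.filename, time.gmtime(clamped)[:6])
            new.compress_type = info.compress_type
            new.external_attr = info.external_attr  # keep permissions
            new.create_system = info.create_system  # do not leak the host OS
            dst.writestr(new, src.read(info))
    return out.getvalue()


def build_archive(build_time):
    """Constructed sample: a build that stamps generated files with wall-clock time."""
    members = (
        ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n", build_time),
        ("org/example/Hello.class", b"\xca\xfe\xba\xbe" + b"\0" * 32, build_time),
        ("README", b"shipped unchanged from the source tree\n", 1600000000),
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body, mtime in members:
            zi = zipfile.ZipInfo(name, time.gmtime(mtime)[:6])
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, body)
    return buf.getvalue()


if __name__ == "__main__":
    epoch = 1700000000  # constructed value standing in for the release date
    first = build_archive(1700003600)   # same sources, built an hour after release
    second = build_archive(1700090000)  # same sources, built a day later
    for label, blob in (("raw 1", first), ("raw 2", second),
                        ("normalized 1", normalize_zip(first, epoch)),
                        ("normalized 2", normalize_zip(second, epoch))):
        print(f"{label:13} {hashlib.sha256(blob).hexdigest()}")
```

Recompression means the output is only bit-identical across machines that use the same zlib, so the compressor version belongs in the recorded build environment as well.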


#r-b irc meeting, Tuesday, tomorrow, 15 UTC

2023-04-24 Thread Holger Levsen
hi,

this is a reminder for our next IRC meeting on #reproducible-builds
on the last Tuesday of the month, which is tomorrow in most timezones,
in a bit more than 24h. As usual we meet at 15 UTC on irc.oftc.net.
The meeting is supposed to last between 1-2h, maybe rather an hour, as 
of course we aim to keep it short.

However, I will very probably not be able to participate as I will be
travelling home from foss-north.se where I gave a talk on r-b today.
So I'd appreciate if someone else (you?!?) could do the chairing and hold
the meeting still.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this, please add new topics as you have them. (If you add topics
please add your nick as well.)



 Agenda for the April meeting
 ============================

welcome to this monthly meeting, please briefly introduce yourself
follow-up of the action items from last meeting
short time slots for checkins from various projects:
(check which short slots will be used)
Alpine Linux: status update (Ariadne)
Arch Linux: status update (jelle)
  live/install .iso status?
Debian: 
  general status update (h01ger)
  live-build (rclobus)
  snapshot.d.o mirror status update (fepitre)
F-Droid (obfusk/_hc)
openSUSE: (bmwiedemann)
OpenWrt: (aparcar)
  rebuild of released images?
Nix: (raboof)
  https://reproducible.nixos.org
Any Other Business (AOB)
  Debian Reunion Hamburg (h01ger)
  https://wiki.debian.org/DebianEvents/de/2023/DebianReunionHamburg


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"All opinions are not equal. Some are a great deal more robust, sophisticated and
 logical than others." - Douglas Adams




Re: Sphinx: localisation changes / reproducibility

2023-04-14 Thread Holger Levsen
Dear James,

many thanks also from me for your work on this and sharing your findings here.

I'm another happy sphinx user affected by those problems. :)


somewhat related:

i'm wondering whether distro-info should respect SOURCE_DATE_EPOCH: 
src:developers-reference builds different content based on the build
date, due to using distro-info and distro-info knows that in 398 days
 trixie will be released :))) 
see  
https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/arm64/diffoscope-results/developers-reference.html

(src:developers-reference is "my" package using sphinx.)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Imagine god created trillions of galaxies but freaks out because some dude
kisses another.




Re: Real World Reproducibility in Debian (was Re: Debian and reproducible-builds.org incoherence?)

2023-04-14 Thread Holger Levsen
On Thu, Apr 13, 2023 at 02:43:43PM -0700, Vagrant Cascadian wrote:
> > Any progress on that front? What can be done to change things so that the
> > packages people normally *use* are reproducible?

the Debian packages people normally use *are* already reproducible (well, 80-90%
of them, at least), we just don't systematically have the results from
https://beta.tests.reproducible-builds.org/ included in things like
https://tracker.debian.org which is being tracked as 
https://bugs.debian.org/1028615 "tracker.debian.org: tracker.d.o should 
display results of reproducible rebuilds, not just reproducible CI results".

(and beta.t.r-b.o is a bit stalled, and our snapshot lacks non-free-firmware
(and is amd64 only) and the debian snapshot server is not usable for large
scale testing and some other issues: we got new SSDs for our snapshot mirror
but had raid controller issues with those which were only fixed last week etc 
pp.)

so, cool Debian news: Debian bookworm will quite very probably ship 
debian-live made live images, which (mostly) Roland Clobus made reproducible
over the last year (with the help of our jenkins setup), so there's
that and that's also not yet been announced, because it's not ready yet. :)

there's more: mmdebstrap and friends now can create reproducible chroot tar
archive or docker container and someone should rebuild those latest
debian-installer releases to see if those are reproducible...

> I think it is not nearly as bad as people think, and we undersell
> ourselves when we say we do not have "real" reproducibility testing for
> Debian. The work we have done and continue to do has made significant
> real-world reproducibility possible!

YES. to every word here.

thankfully we'll have both a Debian release and a DebConf soon, which in
the past have been occasions where we summarized things and updated
where we are and want to be.

so stay tuned.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

We live in a world where teenagers get more and more desperate trying to
convince adults to behave like grown ups.


signature.asc
Description: PGP signature


#r-b irc meeting, Tuesday, tomorrow, 15 UTC

2023-03-27 Thread Holger Levsen
hi,

this is a reminder for our next IRC meeting on #reproducible-builds
on the last Tuesday of the month, which is tomorrow in most timezones,
in a bit more than 24h. As usual we meet at 15 UTC on irc.oftc.net,
which for many this time is a different localtime than last month!

The meeting is supposed to last between 1-2h, maybe rather an hour, as 
of course we aim to keep it short.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this, please add new topics as you have them. (If you add topics
please add your nick as well.)


 Agenda for the March meeting
 ============================

welcome to this monthly meeting, please briefly introduce yourself
follow-up of the action items from last meeting
reproducible builds summit in november 2023 in hamburg
short time slots for checkins from various projects:
(check which short slots will be used)
Alpine Linux: status update (Ariadne)
Arch Linux: status update (jelle)
  live/install .iso status?
Debian: 
  general status update (h01ger)
  live-build (rclobus)
  snapshot.d.o mirror status update (fepitre)
F-Droid (obfusk/_hc)
openSUSE: (bmwiedemann)
OpenWrt: (aparcar)
  rebuild of released images?
Nix: (raboof)
Any Other Business (AOB)


Looking forward to talk to you soon!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"All opinions are not equal. Some are a great deal more robust, sophisticated and
 logical than others." - Douglas Adams




Re: Reproducible builds stickers and flyers needed for Chemnitz Linux Days 2023

2023-03-05 Thread Holger Levsen
On Wed, Mar 01, 2023 at 11:54:34PM +0100, Mattia Rizzolo wrote:
> TTBOMK, the only person with some sticker in Europe at this time is
> Holger, and he should still have a few with him.

no, I gave them all away at FOSDEM and the 'we <3 free software' event of 
fsfe...
 
> Otherwise, it seems to me that you have been attending a few conferences
> so perhaps we should arrange to send you a batch of stickers…

yes.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Only change is constant.




Re: hiding data/code in Android APK embedded signatures

2023-02-02 Thread Holger Levsen
On Wed, Feb 01, 2023 at 08:40:46PM -0500, David A. Wheeler wrote:
> Maybe call it "Ways to combine reproducible builds with signatures and other
> metadata"?
 
"other metadata" brings .buildinfo files^w^wSBOMs to my mind and indeed we
have (at least) two concepts here, including the .buildinfo into the package,
as Arch Linux does, and having a separate .buildinfo file, like Debian does.

I've come to think that including the .buildinfo into the package is the
better way (because the advantages outweigh the disadvantages), contrary
to what I thought in 2016 and later, but I don't see Debian changing this
"any time soon", sadly.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

None of us are safe until all of us are safe. Vaccinate the world.




Re: hiding data/code in Android APK embedded signatures

2023-02-01 Thread Holger Levsen
On Wed, Feb 01, 2023 at 12:53:24PM -0500, David A. Wheeler wrote:
> I recommend that the reproducible-builds website have a short article
> *specifically* recommending how signatures, OmniBOR data, & similar metadata
> should be shared.
[...]
> Is there agreement on adding such a page?

Yes, I'd say so. I'm not sooo sure about agreement for what exactly should be
on that page ;) So, yes, please, patches welcome, also incrementally!

> At least one person I've talked to claims that reproducible builds are a
> security vulnerability,
> because he assumes that signatures must be embedded within executables.
> That's wrong, but making it clear to others why it's wrong would be helpful.
 
well/yes/maybe/xkcd#386.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"In just 6 decades, roughly the life span of a blue whale, humans took blue 
whale population down from 360,000 to just 1,000. In one century, whalers killed two
million baleen whales, which together weighed twice as much as all wild mammals
on Earth today."
https://www.theatlantic.com/science/archive/2021/11/whaling-whales-food-krill-iron/620604/




#r-b irc meeting, Tuesday, tomorrow, 15 UTC

2023-01-30 Thread Holger Levsen
hi,

this is a reminder for our next IRC meeting on #reproducible-builds
on the last Tuesday of the month, which is tomorrow in most timezones,
in a bit less than 19h. As usual we meet at 15 UTC on irc.oftc.net.

The meeting is supposed to last between 1-2h, maybe rather an hour, as 
of course we aim to keep it short.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this, please add new topics as you have them. (If you add topics
please add your nick as well.)

 Agenda for the January meeting
 ===
welcome to this monthly meeting, please briefly introduce yourself
follow-up of the action points from last meeting
FOSDEM 2023
short time slots for checkins from various projects:
  (check which short slots will be used?)
  Alpine Linux: status update (Ariadne)
  Arch Linux: status update (jelle)
  Debian: live-build (rclobus)
  Debian: snapshot.d.o mirror status update (fepitre)
  Debian: status update (h01ger)
  F-Droid (obfusk/_hc)
  openSUSE: (bmwiedemann)
  OpenWrt: (aparcar)
  Any Other Business (AOB)

Looking forward to talking to you soon!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

All data, over time, approaches deleted, or public. (@quinnnorton)




Re: Reproducible Builds Summit 2023 in Hamburg

2023-01-02 Thread Holger Levsen
hi,

On Sun, Jan 01, 2023 at 12:58:06PM +, Chris Lamb wrote:
> > with 2022 soon coming to an end, I'd like to announce the date and
> > the location of the next Reproducible Builds Summit in 2023!
> > When:  October 30th, November 1st-2nd 2023.
> > What:  Three days to continue the growth of the Reproducible Builds effort.
> Happy new year indeed… and a nice entry to put into the new calendar. :)

indeed & happy new year!
 
> Couldn't help but notice that we're skipping over October 31st. Can you
> just explicitly confirm that I'm reading that correctly? And, if I am,
> I assume that's because the venue isn't free?

doh. no, we're not skipping over the 31st, I've just made an off by
one error.

the correct dates are: October 31st, November 1st-2nd 2023.

October 30th will be arrival day and November 3rd departure day.

sorry for the confusion!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

It's not about saving the climate or the planet, it's about saving us, the
children and grandchildren. The planet will survive anyway.




Reproducible Builds Summit 2023 in Hamburg

2022-12-30 Thread Holger Levsen
Moin! :)

with 2022 soon coming to an end, I'd like to announce the date and
the location of the next Reproducible Builds Summit in 2023!

When:  October 30th, November 1st-2nd 2023.
What:  Three days to continue the growth of the Reproducible Builds effort.
       As previously, the exact content of the meeting will be shaped by
       the participants.
Where: Hamburg, Germany at https://dock-europe.net/
Www:   https://reproducible-builds.org/events/hamburg2023/

The venue has been booked and confirmed for these dates, so if you ponder
attending, do reserve those dates in your calendar now. Also please pass
this info around as appropriate.

There are several hotels around and some on-site accommodation is available
as well. More information on that in February 2023, or so!
(This is also when registration for the event will open.)

I'm hoping to see many of you there and wish all of you a great start
into 2023!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

If you want energy independence, support renewable energy.




Re: Journal article in reproducible builds

2022-12-08 Thread Holger Levsen
Hi Simon,

On Thu, Dec 01, 2022 at 06:36:46PM +, Simon Butler wrote:
> LGTM - everybody is there. One small issue, the closing parenthesis is
> missing from the link
> 
> There are 4 papers referenced in the bibliography that may also be of
> interest.
 
thank you for providing merge requests for these! all applied now.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Heilpraktiker ist kein Beruf. Es ist eine Lücke im Rechtssystem. (@lam3th)




Re: F-Droid: overview of apps using reproducible builds

2022-12-08 Thread Holger Levsen
On Tue, Dec 06, 2022 at 02:14:11AM +0100, FC Stegerman wrote:
> TL;DR: we added 11 new apps using reproducible builds in November,
> making for a total of 31 RB apps in F-Droid as of December 1st [1].
> [1] https://gitlab.com/fdroid/fdroiddata/-/issues/2844

that's really cool, thank you for sharing this here! ;)

do you plan to make this more/better available and regularly updated?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

These heat waves aren’t tragedies, they’re crimes. The fossil fuel industry
knew decades ago that this is what their pollution was causing, so they
spent billions to lie to the public and block climate action.




Re: On android "secure messengers" and reproducible builds (or lack thereof)

2022-12-08 Thread Holger Levsen
On Tue, Dec 06, 2022 at 02:17:02AM +0100, FC Stegerman wrote:
> I looked at how several android messenger apps claiming to have
> reproducible builds actually verify that they do [1].
> TL;DR: It's quite possible these messengers actually have reproducible
> builds, but the verification scripts they use don't actually allow us
> to verify whether they do.
> [1] https://gist.github.com/obfusk/c51ebbf571e04ddf29e21146096675f8

that's really cool, thank you for sharing this here! the results are 
actually a bit depressing but it's good to have them in presentable form.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

:wq




Re: Journal article in reproducible builds

2022-11-30 Thread Holger Levsen
Hi Simon,

On Wed, Nov 30, 2022 at 07:47:46PM +, Simon Butler wrote:
> >> I'm pleased to announce that Software Quality Journal have published a
> >> article on reproducible builds. The article is open access and is at
> >> https://link.springer.com/article/10.1007/s11219-022-09607-z
> > wow, awesome & thanks for sharing this here!
> Thank you

now also linked on https://reproducible-builds.org/docs/publications/
- it would be nice if you could quickly confirm I got all the authors
listed correctly there.
 
> Indeed, it was pleasing to discover that a safety body was happy to
> certify a software development process using R-B. I expect that there
> are examples in other safety-critical domains, but we didn't find them
> in this study.

yes!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

I'll believe in climate change when Texas freezes over. (Ted Cruz)




Re: Journal article in reproducible builds

2022-11-30 Thread Holger Levsen
Hi Simon,

On Tue, Nov 29, 2022 at 07:36:58AM +, Simon Butler via rb-general wrote:
> I'm pleased to announce that Software Quality Journal have published a
> article on reproducible builds. The article is open access and is at
> https://link.springer.com/article/10.1007/s11219-022-09607-z

wow, awesome & thanks for sharing this here!

> The article describes an interview study that focuses on the adoption
> and uses of R-Bs in industry - with examples, and some pros and
> cons. So, while the research is not particularly technical, it gives a
> perspective of practice and some applications. And, hopefully, some
> ideas.

I was very happy to learn that R-B is now used in (some of)
the industry for the development of flight safety-critical applications!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"There's no glory in prevention." (Christian Drosten)




#r-b irc meeting, Tuesday, tomorrow, 15 UTC

2022-11-28 Thread Holger Levsen
hi,

this is a reminder for our next IRC meeting on #reproducible-builds
on the last Tuesday of the month, which is tomorrow in most timezones,
in a bit less than 22h. As usual we meet at 15 UTC on irc.oftc.net.

The meeting is supposed to last between 1-2h, maybe rather an hour, as 
of course we aim to keep it short.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this, please add new topics as you have them. (If you add topics
please add your nick as well.)

 Agenda for the November meeting
 ===
welcome to this monthly meeting, please briefly introduce yourself
follow-up of the action points from last meeting
reports from the summit in Venice
short time slots for checkins from various projects:
  (check which short slots will be used?)
  Alpine Linux: status update (Ariadne)
  Arch Linux: status update (jelle)
    live/install .iso status?
  Debian: snapshot.d.o mirror status update (fepitre)
  Debian: status update (h01ger)
  Debian: live-build (rclobus)
  F-Droid (obfusk/_hc)
  openSUSE: (bmwiedemann)
  OpenWrt: (aparcar)
    rebuild of released images?
Any Other Business (AOB)


Looking forward to talking to you soon!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

All data, over time, approaches deleted, or public. (@quinnnorton)




Re: Debian NMU Sprints in December, Thursdays 17:00 UTC!

2022-11-21 Thread Holger Levsen
hi Vagrant,

On Sun, Nov 20, 2022 at 04:28:10PM -0800, Vagrant Cascadian wrote:
> Since the previous sprints were fun and productive, I am planning on
> doing NMU sprints every Thursday in December (1st, 8th, 15th, 22nd,
> 29th). We are planning on meeting on irc.oftc.net in the
> #debian-reproducible channel at 17:00UTC and going for an hour or two or
> three. Feel free to start early or stay late, or even fix things on some
> other day!
[...]
> Let's fix some bugs!

that's awesome, thanks for taking the lead here and making this a weekly
event!

I'll try to attend all of them, but I already can see how the 29th
might not work out for me personally.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Masseninfektion nicht Durchseuchung zu nennen ist wie einen Krieg
"militärische Spezialoperation" zu nennen.




#r-b irc meeting, Tuesday, tomorrow, 15 UTC

2022-09-26 Thread Holger Levsen
hi,

this is a reminder for our next IRC meeting on #reproducible-builds
on the last Tuesday of the month, which is tomorrow in most timezones,
in a bit more than 27h. As usual we meet at 15 UTC on irc.oftc.net.

The meeting is supposed to last between 1-2h, maybe rather an hour, as 
of course we aim to keep it short.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this, please add new topics as you have them. (If you add topics
please add your nick as well.)

I noticed someone has put things above the various time slots and I suppose
we should give that a try. What do you think?

Agenda for the September meeting
===

   welcome to this monthly meeting, please briefly introduce yourself
   diffoscope on BSD:
      It seems diffoscope 221 is not available on NetBSD, which only has 134nb2.
      It seems diffoscope 221 is not available on MacPorts, which only has 137.
   r-b summit 2022 (mapreri)
   short time slots for checkins from various projects:
      Alpine Linux: status update (Ariadne)
      Arch Linux: status update (jelle)
         live/install .iso status?
      Debian: snapshot.d.o mirror status update (fepitre)
      Debian: status update (h01ger)
      Debian: live-build (rclobus)
      F-Droid (obfusk/_hc)
      openSUSE: (bmwiedemann)
      OpenWrt: reboot of rebuilder (aparcar)
         rebuild of released images?
   Any Other Business (AOB)

Looking forward to talking to you soon!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

All data, over time, approaches deleted, or public. (@quinnnorton)




#r-b irc meeting, Tuesday, *today*, 15 UTC

2022-08-30 Thread Holger Levsen
hi,

this is a very late reminder for our next IRC meeting on #reproducible-builds
on the last Tuesday of the month, which is TODAY, in a bit more than 3h. 
As usual we meet at 15 UTC on irc.oftc.net. I'm sorry for the late reminder
and hope you already had it in your calendar anyway! ;)

The meeting is supposed to last between 1-2h, maybe rather an hour, though
we have lots of time (just after 23-42m on one topic we move on anyway),
though of course we aim to keep it short.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this, please add new topics as you have them. (If you add topics
please add your nick as well.)

Agenda for the August meeting
=
welcome to this monthly meeting, please briefly introduce yourself
short time slots for checkins from various projects:
Alpine Linux: status update (Ariadne)
Arch Linux: status update (jelle)
Debian: snapshot.d.o mirror status update (fepitre)
Debian: status update (h01ger)
Debian: live-build (rclobus)
F-Droid (obfusk)
openSUSE: (bmwiedemann)
OpenWrt: reboot of rebuilder (aparcar)
r-b summit 2022 (mapreri)
Any Other Business (AOB)

Looking forward to talking to you soon!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

All data, over time, approaches deleted, or public. (@quinnnorton)




Re: Reproducible builds stickers and flyers needed for FrOSCon 2022

2022-08-05 Thread Holger Levsen
On Fri, Aug 05, 2022 at 08:55:42AM +0200, Fabian Keil wrote:
> FrOSCon 2022 [0] is coming up and I registered a booth
> for ElectroBSD [1] (and Privoxy [2] and zogftw [3]).

yay!
 
> I usually also offer project-related materials and am
> thus currently looking for reproducible builds stickers
> and flyers.
> Does anyone have some and could share?

we never made flyers afaik...

> The page "Brainstorming the reproducible builds logo design" [4]
> mentions stickers but it's unclear to me if stickers have been
> created (yet).

we've printed stickers and buttons with the logo, but sadly we don't have
any stickers in Europe atm which can be shipped to you in time for FrOSCon.
It's really an unfortunate timing, if you had asked 48h earlier it would
have been possible to ship some to you, but now the person with the stickers
is away from them for some / too many days...


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Not everything was bad during capitalism.




#r-b irc meeting, Tuesday, *today*, 15 UTC

2022-07-26 Thread Holger Levsen
hi,

this is a very late reminder for our next IRC meeting on #reproducible-builds
on the last Tuesday of the month, which is TODAY, in 4h. As usual we meet at
15 UTC on irc.oftc.net. I'm sorry for the late reminder and hope you already
had it in your calendar anyway! ;)

The meeting is supposed to last between 1-2h, maybe rather an hour, though
we have lots of time (just after 23-42m on one topic we move on anyway),
though of course we aim to keep it short.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this, please add new topics as you have them. (If you add topics
please add your nick as well.)

Agenda for the July meeting
==

welcome to this monthly meeting, please briefly introduce yourself
short time slots for various projects:
(if these people are present)
Alpine Linux: status update (Ariadne)
Arch Linux: status update (jelle)
Debian: snapshot.d.o mirror status update (fepitre)
Debian: rebuilder (beta.t.r-b.o) status update (h01ger)
Debian: live-build (rclobus)
F-Droid (obfusk)
openSUSE: (bmwiedemann)
OpenWrt: reboot of rebuilder (aparcar)
r-b summit 2022 (mapreri)
Any Other Business (AOB)

Looking forward to talking to you soon!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

All data, over time, approaches deleted, or public. (@quinnnorton)




Re: translations for the r-b.o website

2022-06-09 Thread Holger Levsen
On Wed, Jun 08, 2022 at 07:30:28PM +0200, Mattia Rizzolo wrote:
> I hoped to find some settings on how to prevent that in the weblate's
> project settings.  I would have liked something that makes weblate only
> propose merging languages that are… I don't know… probably 75% or more
> translated.

excluding the monthly report, the old weekly blogs and also excluding
the reports from our events I'd say.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The greatest danger in times of turbulence is not the turbulence;
it is to act with yesterday's logic. (Peter Drucker)




#r-b irc meeting, Tuesday, May 31st, 15 UTC

2022-05-30 Thread Holger Levsen
hi,

this is a reminder for our next IRC meeting on #reproducible-builds on the
last Tuesday of the month, which is tomorrow, the 31st of May. As usual
we meet at 15 UTC on irc.oftc.net, which is in slightly less than 23h from
now ;)

The meeting is supposed to last between 1-2h, maybe rather an hour, though
we have lots of time (just after 23-42m on one topic we move on anyway),
though of course we aim to keep it short.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this, please add new topics as you have them. (If you add topics
please add your nick as well.)

Agenda for the May meeting
==

welcome to this monthly meeting, please briefly introduce yourself or update us 
on recent or planned projects

short time slots for checkins from various projects:
Alpine Linux: status update (Ariadne, absent)
Arch Linux: status update (jelle)
Hamburg Debian Reunion 2022 (h01ger)
Debian: snapshot.d.o mirror status update (fepitre)
Debian: rebuilder (beta.t.r-b.o) status update (h01ger)
Debian: live-build (rclobus)
F-Droid (obfusk)
openSUSE: (bmwiedemann)
rebuilderd: status update (kpcyrd, absent)
OpenWrt: reboot of rebuilder (aparcar)
r-b summit 2022 (mapreri)
Any Other Business (AOB)


Looking forward to talking to you then!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

All data, over time, approaches deleted, or public. (@quinnnorton)




Re: JDK 19+21 early-access build is reproducible

2022-05-12 Thread Holger Levsen
Hi John,

On Fri, May 06, 2022 at 01:48:20PM -0700, John Neffenger wrote:
> Starting yesterday, for the first time, the JDK can create reproducible
> builds of the JDK!
[...] 
> That also means there's nothing in the JDK that's holding back any Java
> application from having reproducible builds.
[...]
> A big thank you to Magnus Ihse Bursie and Andrew Leonard for doing much of
> the work to make this possible.

that's quite fantastic news, kudos & thanks for sharing! 


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Kinda weird that we’re all gonna experience climate change as a series of
short, apocalyptic videos until eventually it’s your phone that’s recording.
(@shocks)




Re: faketime breaks quilt patched file times in Debian

2022-05-01 Thread Holger Levsen
Hi Roland,

On Sat, Apr 30, 2022 at 03:53:13PM +0200, Roland Rosenfeld wrote:
> [tl;dr faketime results on broken file timestamps for quilt patched
> files on salsa]

which is one of several reasons why (in 2014 or so) we chose not to use
faketime to achieve reproducible-builds.
 
> Since some time I observe random broken reproducibility in some of my
> Debian packages (xfig, igerman98, libsnmp-session-perl) in the weekly
> salsa CI runs.
> 
> Today I tracked this down to faketime being used in Salsa CI
> reprotest in combination with quilt modifying the file.

why is salsa CI using faketime in the first place?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

In Germany we don't say "Combat 18, Nordkreuz, Gruppe S., Hannibal, NSU 2.0,
Lübcke, Halle, Hanau", we say "Wir müssen jetzt etwas gegen den Linksruck tun!"




Re: #r-b irc meeting, Tuesday, April 26th, 15 UTC

2022-04-25 Thread Holger Levsen
On Mon, Apr 25, 2022 at 03:12:56PM +, Holger Levsen wrote:
> this is a reminder for our next IRC meeting on #reproducible-builds on the
> last Tuesday of the month, which is tomorrow, the 25th of April. As usual
> we meet at 15 UTC on irc.oftc.net, which is in slightly less than 24h from
> now ;)

obviously today is the 25th and tomorrow/Tuesday is the 26th, so
until in <24h on Tuesday the 26th at 15 UTC.

sorry for the noise.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"I know what you're thinking" used to be an idiom but now it's a business model.




#r-b irc meeting, Tuesday, April 25th, 15 UTC

2022-04-25 Thread Holger Levsen
hi,

this is a reminder for our next IRC meeting on #reproducible-builds on the
last Tuesday of the month, which is tomorrow, the 25th of April. As usual
we meet at 15 UTC on irc.oftc.net, which is in slightly less than 24h from
now ;)

The meeting is supposed to last between 1-2h, maybe rather an hour, though
we have lots of time (just after 23-42m on one topic we move on anyway),
though of course we aim to keep it short.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this, please add new topics as you have them. (If you add topics
please add your nick as well.)

 Agenda for the April meeting
 ===

welcome to this monthly meeting, please briefly introduce yourself
short time slot for checkins from various projects:
Alpine Linux: status update (Ariadne, absent)
Arch Linux: status update (jelle)
Debian: snapshot.d.o mirror status update (fepitre)
Debian: rebuilder (beta.t.r-b.o) status update (h01ger)
Debian: live-build (rclobus)
F-Droid (obfusk)
openSUSE: (bmwiedemann)
rebuilderd: status update (kpcyrd, absent)
OpenWrt: reboot of rebuilder (aparcar)
r-b summit 2022 (mapreri)
Any Other Business (AOB)
help with tevent/samba bug regarding debug symbols (vagrant):
  https://lists.samba.org/archive/samba-technical/2022-March/137172.html
list discussion about reproducible builds usefulness in real life

(Are those AOB topics still needed?)

Looking forward to talking to you then!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

All data, over time, approaches deleted, or public. (@quinnnorton)




Re: Request regarding SquashFS documentation

2022-04-25 Thread Holger Levsen
Hi Larry,

On Sat, Apr 23, 2022 at 09:53:11PM -0700, Larry Doolittle wrote:
> In https://reproducible-builds.org/docs/system-images/ there's a paragraph
> about SquashFS metadata & compression.  It's superficially OK, but points
> to IMHO an obsolete fork of mksquashfs.  No offense to lynxis!  He did
> a good job getting usable tools in our hands early on.  But the main
> squashfs-tools project has caught up, specifically version 4.5.1 that's now
> in Debian testing.  I've used it (and some predecessor versions) for a while
> now, and its output is demonstrably reproducible IRL.  (If I'm wrong, please
> let me and the squashfs-tools developers know!)

oh, nice, thanks for informing us!

> Here's my attempt to rewrite that paragraph.
> 
> When building SquashFS images, older versions of the tools sometimes
> yielded unreproducible results.  A good mksquashfs will
>  * honor $SOURCE_DATE_EPOCH for various timestamps
>  * clamp content timestamps to $SOURCE_DATE_EPOCH
>  * not reorder fragments based on multithreading conditions
> (squashfs-tools)[https://github.com/plougher/squashfs-tools] 4.5.1
> (in Debian Bookworm) is good here,
> having absorbed important features from
> (squashfskit)[https://github.com/squashfskit/squashfskit]

sounds good. could you please provide a patch for
https://salsa.debian.org/reproducible-builds/reproducible-website
to ease merging this?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

三人成虎- Three men make a tiger.
In other words, if one guy says "there's a tiger over there" you might not believe
them, if three guys in a row all say this- you think there's a tiger there. A lie,
repeated often enough, will be accepted as truth.




Re: Reproducible Central hits the 500 fully reproduced builds of upstream projects releases for the JVM

2022-04-05 Thread Holger Levsen
On Tue, Mar 29, 2022 at 08:11:57AM +0200, Hervé Boutemy wrote:
> > to bring things into perspective, when you say "500 fully reproduced builds
> > of upstream projects releases", out of how many upstream projects in total?
> > 550? 5000? 5? :)
> I don't have the statistics on releases published each day, but I suppose it's
> more than 500 (yes, each day)
[...]
> It's really an important proof of feasibility at scale, before more projects
> embrace the movement.

got it. thanks for bringing this into perspective!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The planet will be fine. We won't.




Re: SOURCE_DATE_EPOCH and timezone with FAT images

2022-03-29 Thread Holger Levsen
Hi Thomas,

sorry for only getting back to you on this a month later...
(and only very specifically on one aspect of your email.)

On Wed, Feb 23, 2022 at 08:54:05PM +0100, Thomas Schmitt wrote:
> I quoted https://reproducible-builds.org/docs/source-date-epoch/:
> > >   "At present, we do not have a proposal that includes anything
> > >resembling a "time zone"."
> 
> > Oh yeah, that does sound a little unhelpful out of context today.
> 
> How about:
> 
>   We demand to apply timezone UTC whenever a timezone is involved in
>   formatting timestamps at build time. Beyond this demand, we currently
>   do not have a proposal that includes anything resembling a "time zone".

I think this would be an excellent addition! Could you please file a 
merge request via 
https://salsa.debian.org/reproducible-builds/reproducible-website/
though please note however that the quoted paragraph is below a heading 
called "History and alternative proposals", so that I've actually just done 
a commit removing the 'At present' quoted above.

I think part of the confusion here is applying a timezone to SOURCE_DATE_EPOCH
at all, something we never considered, as "obviously" SOURCE_DATE_EPOCH are
the seconds since the epoch, which is a UTC timestamp.

I'm not sure how to clarify 
https://reproducible-builds.org/docs/source-date-epoch/
further but I'm also sure I'm too close and too entangled to see. As such, 
and as always, feedback and patches very welcome.

I guess a sentence like 'SOURCE_DATE_EPOCH specifies the last modification of
the source (measured) in seconds since the unix epoch which is January 1st 1970,
00:00:00 UTC.' on top of https://reproducible-builds.org/docs/source-date-epoch/
would be helpful.

I'm also sure this is far from perfect, so please improve:

commit 3764949f50fe3d8f557de2b4d26e740f55760c31 (HEAD -> master, origin/master)
Author: Holger Levsen 
Date:   Wed Mar 30 01:42:39 2022 +0200

explain SOURCE_DATE_EPOCH on /docs/source_date_epoch

Signed-off-by: Holger Levsen 

diff --git a/_docs/source-date-epoch.md b/_docs/source-date-epoch.md
index 21718ae..822d7b3 100644
--- a/_docs/source-date-epoch.md
+++ b/_docs/source-date-epoch.md
@@ -4,8 +4,11 @@ layout: docs
 permalink: /docs/source-date-epoch/
 ---
 
+
 `SOURCE_DATE_EPOCH` is a [standardised environment 
variable](https://reproducible-builds.org/specs/source-date-epoch/) that 
distributions can set centrally and have build tools consume this in order to 
produce reproducible output.
 
+In practice `SOURCE_DATE_EPOCH` specifies the last modification of something, 
usually the source code, (measured) in seconds since the unix epoch, which is 
January 1st 1970, 00:00:00 UTC.
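
Review bot: the added sentence in `_docs/source-date-epoch.md` defines the variable as "the last modification of something, usually the source code", which is vague for the first definition a reader meets; suggest naming it directly, e.g. "the last modification time of the source", and dropping the parentheses around "measured". The sentence also stops at defining the epoch in UTC and does not say that tools formatting this value should do so in UTC, which is the confusion the thread was about. The lone `+` blank line added right after the front matter's closing `---` looks unintentional and could be dropped.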


& thanks, too!

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Some people say that the climate crisis  is something that we all have created,
but  that is not true,  because if everyone is guilty  then no one is to blame.
And someone is to blame.  Some people, some companies,  some decision-makers in
particular, have known exactly what priceless values they have been sacrificing
to continue making unimaginable amounts of money. (Greta Thunberg)
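
The point discussed in the message above (SOURCE_DATE_EPOCH is a count of seconds since the Unix epoch, and any formatting of it at build time should use UTC), as an added example that is not part of the original post or of the Reproducible Builds documentation. The function names, the sample epoch value and the POSIX `TZ` strings are assumptions made for the illustration; `time.tzset()` is only available on Unix.

```python
import os
import time
from datetime import datetime, timezone

# Constructed sample value: 2022-03-29 23:42:39 UTC, chosen close to midnight
# so that a timezone offset also changes the calendar date.
SAMPLE_EPOCH = 1648597359


def source_date_epoch(environ=None):
    """Return SOURCE_DATE_EPOCH as integer seconds since the Unix epoch.

    Falls back to the current time when the variable is unset and rejects
    anything that is not a plain decimal integer (dates, floats, signs).
    """
    environ = os.environ if environ is None else environ
    raw = environ.get("SOURCE_DATE_EPOCH")
    if raw is None:
        return int(time.time())
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError(f"SOURCE_DATE_EPOCH is not a decimal integer: {raw!r}")
    return int(raw)


def stamp_utc(epoch):
    """Reproducible: the rendering does not depend on the builder's TZ."""
    moment = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return moment.strftime("%Y-%m-%d %H:%M:%S UTC")


def stamp_local(epoch):
    """Not reproducible: the rendering follows the builder's TZ setting."""
    return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(epoch))


def render_under_timezones(epoch, zones):
    """Render `epoch` both ways while simulating builders in several zones.

    Returns {zone: (utc_string, local_string)}. The zones are POSIX TZ
    strings, so no tzdata lookup is involved.
    """
    saved = os.environ.get("TZ")
    results = {}
    try:
        for zone in zones:
            os.environ["TZ"] = zone
            time.tzset()
            results[zone] = (stamp_utc(epoch), stamp_local(epoch))
    finally:
        # Restore the caller's timezone so the simulation has no side effects.
        if saved is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = saved
        time.tzset()
    return results


if __name__ == "__main__":
    epoch = source_date_epoch({"SOURCE_DATE_EPOCH": str(SAMPLE_EPOCH)})
    # "CEST-2" is UTC+2 and "EST5" is UTC-5 in POSIX TZ notation.
    for zone, (utc, local) in render_under_timezones(
        epoch, ["UTC0", "CEST-2", "EST5"]
    ).items():
        print(f"TZ={zone:7} utc={utc!r} local={local!r}")
```

Two builders that embed the local rendering produce different bytes from the same SOURCE_DATE_EPOCH, here even a different calendar date, while the UTC rendering is identical everywhere.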




#r-b irc meeting, Tuesday, March 29th, 15 UTC

2022-03-28 Thread Holger Levsen
hi,

this is a reminder for our next IRC meeting on #reproducible-builds on the
last Tuesday of the month, which is tomorrow, the 29th of March. As usual
we meet at 15 UTC on irc.oftc.net, which is in less than 23h from now ;)
(mind the DST changes!)

The meeting is supposed to last between 1-2h, maybe rather an hour, though
we have lots of time (just after 23-42m on one topic we move on anyway),
though of course we aim to keep it short.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this, please add new topics as you have them. (If you add topics
please add your nick as well.)

 Agenda for the March meeting
 ===

welcome to this monthly meeting, please briefly introduce yourself 
or update us on recent or planned projects
short time slot for checkins from various projects:
Alpine Linux: status update (Ariadne, absent)
Arch Linux: rebuilder status update (kpcyrd)
Debian: snapshot.d.o mirror status update (fepitre)
Debian: rebuilder (beta.t.r-b.o) status update (h01ger)
Debian: live-build (rclobus)
F-Droid (obfusk)
openSUSE: (bmwiedemann)
rebuilderd: status update (kpcyrd)
r-b summit 2022 (mapreri)
Any Other Business (AOB)


Looking forward to talking to you then!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

All data, over time, approaches deleted, or public. (@quinnnorton)




Re: Reproducible Central hits the 500 fully reproduced builds of upstream projects releases for the JVM

2022-03-28 Thread Holger Levsen
Hi Hervé,

On Sun, Mar 27, 2022 at 08:27:11AM +0200, Hervé Boutemy wrote:
> I just wanted to share how the number of projects that produce reproducible 
> releases for the JVM is growing, year after year.
> 
> This forced me to rewrite the reporting system, that did not work any more in 
> one unique page listing every builds: now the main page lists projects, and  
> releases reproducibility status is displayed in a per-project page
> 
> see https://github.com/jvm-repo-rebuild/reproducible-central

that's great news, thanks for sharing!

to bring things into perspective, when you say "500 fully reproduced builds of
upstream projects releases", out of how many upstream projects in total? 550?
5000? 5? :)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Some of my friends and I overcommit to things, so we made "Saying No to Things"
punch cards. If you say no to 10 things, your friends have to buy you an ice
cream. In a pilot study, we found participants both said no to more things and
got more free ice cream. (@leah_pierson)




Re: rb meetup at openSUSE conference in Nuremberg

2022-03-12 Thread Holger Levsen
Hi Bernhard,

On Thu, Mar 10, 2022 at 04:23:06AM +0100, Bernhard M. Wiedemann wrote:
> I submitted a rb workshop session proposal for
> https://events.opensuse.org/conferences/oSC22
> 
> Even if that is not accepted, this conf would be an opportunity for a
> small meetup of rb people.

coolio!
 
> Who would be interested to join? Add yourself to
> https://dudle.inf.tu-dresden.de/NUE-rb-meetup-2022/
> (times are in CEST and are just rough indicators)

I've added myself to the poll now, though I haven't fully made up
my mind yet whether I'll really go and if, for how many days.

https://wiki.debian.org/DebianEvents/de/2022/DebianReunionHamburg
is taking place the week before..


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

It's not the lockdown which is unbearable, but the virus.




Re: Thinking of our next summit this year

2022-03-04 Thread Holger Levsen
On Wed, Mar 02, 2022 at 09:08:39AM +0100, Hans-Christoph Steiner wrote:
> I live in Vienna, which has lots of good train connections all over Europe,
> but it is more expensive to fly to.  I'm happy to help the organizers if it's
> in Vienna.  For example, I can recommend this hotel, which is a funky place
> and also a social project that employs refugees:
> https://www.magdas-hotel.at/

the hotel indeed looks nice, but their meeting facilities are likely too small
for us, their biggest room is 100m² and I'd say we need one room which is at
least twice as big. 

( https://www.magdas-hotel.at/tagen-feiern/ for an overview of their rooms.)

But thanks for the offer, Hans-Christoph! We've indeed thought about Vienna
already for the next summit because of the location and connectivity, so we
might come back to this.

That said, we would appreciate offers from people in other locations too. ;)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

I'm so old that I still made clay ashtrays in kindergarten.
(@joanalistin)




Re: Thinking of our next summit this year

2022-03-03 Thread Holger Levsen
hey,

On Thu, Mar 03, 2022 at 06:25:04PM -, Chris Lamb wrote:
> Mattia, I could see myself travelling this September for an RB summit.
> Like others have mentioned, I would prefer somewhere Europe for a
> variety of reasons.

same for me. and yay, already looking forward to that! :)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Because things are the way they are, things will not stay the way they are.
(Bertolt Brecht)




#r-b irc meeting, Tuesday, February 22nd, 15 UTC

2022-02-19 Thread Holger Levsen
hi,

this is a reminder for our next IRC meeting on #reproducible-builds on the
last Tuesday of the month, so 22nd of February, at 15 UTC on irc.oftc.net,
which is in roughly 62h from now ;)

The meeting is supposed to last between 1-2h, maybe rather an hour, though
we have lots of time (just after 23-42m on one topic we move on anyway),
though of course we aim to keep it short.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this, please add new topics as you have them. (If you add topics
please add your nick as well.)


 Agenda for the February meeting
 ===
welcome
short time slots for checkins from various projects:
Alpine Linux: status update (Ariadne)
Arch Linux: rebuilder status update (kpcyrd)
Debian: snapshot.d.o mirror status update (fepitre)
Debian: rebuilder (beta.t.r-b.o) status update (h01ger)
Debian: live-build (rclobus)
F-Droid (obfusk)
rebuilderd: status update (kpcyrd)
r-b summit 2022 (mapreri)
https://pad.sfconservancy.org/p/grow-r-b-debian (h01ger)
Any Other Business (AOB)


Looking forward to talking to you then!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"I became an antifascist out of a sense of common decency.” – Marlene Dietrich




#r-b irc meeting, Tuesday, January 25th, 15 UTC

2022-01-22 Thread Holger Levsen
hi,

this is a reminder for our next IRC meeting on #reproducible-builds on the
last Tuesday of the month, so 25th of January, at 15 UTC on irc.oftc.net,
which is in roughly 70h from now.

The meeting is supposed to last between 1-2h, maybe rather an hour, though
we have lots of time (just after 23-42m on one topic we move on anyway),
though of course we aim to keep it short.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this, please add new topics as you have them. (If you add topics
please add your nick as well.)


 Agenda for the January meeting
 ===
welcome
short time slots for checkins from various projects:
Alpine Linux: status update (Ariadne)
Arch Linux: rebuilder status update (kpcyrd)
Debian: snapshot.d.o mirror status update (fepitre)
Debian: rebuilder status update (h01ger)
beta.t.r-b.o
Debian live-build (rclobus)
F-Droid (obfusk)
rebuilderd: status update (kpcyrd)
r-b summit 2022 (mapreri)
r-b.o/docs/rebuilders and conflict with r-b.o/tools (h01ger)
Any Other Business (AOB)


Looking forward to talking to you then!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

We live in a world where teenagers get more and more desperate trying to
convince adults to behave like grown ups.




#r-b irc meeting, Tuesday, November 30th, 15 UTC

2021-11-28 Thread Holger Levsen
hi,

this is a reminder for our next IRC meeting on #reproducible-builds on the
last Tuesday of the month, so 30th of November, at 15 UTC on irc.oftc.net.

This is two days from now. :) Also please note that 15 UTC this month is likely
a different local time than 15 UTC last month...

The meeting is supposed to last between 1-2h, maybe rather an hour, though
we have lots of time (just after 23-42m on one topic we move on anyway),
though of course we aim to keep it short.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this. If you add topics please add your nick as well.

Agenda for the meeting on the 30th of November 2021
---
welcome to this monthly meeting, please briefly introduce yourself or 
update us on recent or planned projects
short time slot for checkins from various projects:
 Alpine Linux: status update (Ariadne)
 Arch Linux: rebuilder status update (kpcyrd)
 Debian: snapshot.d.o mirror status update (fepitre)
 Debian: rebuilder status update (h01ger)
 beta.t.r-b.o
 Debian live-build (rclobus)
 F-Droid (obfusk)
 rebuilderd: status update (kpcyrd)
r-b summit 2022 (mapreri)
r-b.o/docs/rebuilders and conflict with r-b.o/tools (h01ger)
there should also be a list of rebuilder instances/deployments, like 
https://wiki.archlinux.org/title/Rebuilderd#Package_rebuilders
Any Other Business (AOB)

Looking forward to talking to you then!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

We live in a world where teenagers get more and more desperate trying to
convince adults to behave like grown ups.




Re: #r-b irc meeting, Tuesday, October 26th, 15 UTC

2021-10-25 Thread Holger Levsen
hi,

this is just a quick reminder that this is today, in 7.5h!

On Thu, Oct 21, 2021 at 04:32:45PM +, Holger Levsen wrote:
> this is a reminder for our next IRC meeting on #reproducible-builds on the
> last Tuesday of the month (so 26th of October) at 15 UTC on irc.oftc.net.
> This is five days from now. :)
> 
> The meeting is supposed to last between 1-2h, maybe rather an hour, though
> we have lots of time (just after 23-42m on one topic we move on anyway),
> though of course we aim to keep it short.
> 
> The meetings are logged via https://meetbot.debian.net/reproducible-builds
> 
> The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
> looks like this. If you add topics please add your nick as well.
> 
> Agenda for the meeting on the 26th of October 2021
> --
> welcome to this monthly meeting, please briefly introduce yourself or 
> update us on recent or planned projects
> short time slot for checkins from various projects:
>   Alpine Linux: status update (Ariadne)
>   Arch Linux: rebuilder status update (kpcyrd)
>   Debian: snapshot.d.o mirror status update (fepitre)
>   Debian: rebuilder status update (h01ger)
>   beta.t.r-b.o 
>   Debian live-build (rclobus)
>   F-Droid (obfusk)
>   rebuilderd: status update (kpcyrd)
> r-b summit 2022 (mapreri)
> r-b ecosystem (lamby)
> r-b.o/docs/rebuilders and conflict with r-b.o/tools (h01ger)
> Any Other Business (AOB)
> 
> 
> Looking forward to talking to you then!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Kinda weird that we’re all gonna experience climate change as a series of
short, apocalyptic videos until eventually it’s your phone that’s recording.
(@shocks)




#r-b irc meeting, Tuesday, October 26th, 15 UTC

2021-10-21 Thread Holger Levsen
hi,

this is a reminder for our next IRC meeting on #reproducible-builds on the
last Tuesday of the month (so 26th of October) at 15 UTC on irc.oftc.net.
This is five days from now. :)

The meeting is supposed to last between 1-2h, maybe rather an hour, though
we have lots of time (just after 23-42m on one topic we move on anyway),
though of course we aim to keep it short.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this. If you add topics please add your nick as well.

Agenda for the meeting on the 26th of October 2021
--
welcome to this monthly meeting, please briefly introduce yourself or 
update us on recent or planned projects
short time slot for checkins from various projects:
Alpine Linux: status update (Ariadne)
Arch Linux: rebuilder status update (kpcyrd)
Debian: snapshot.d.o mirror status update (fepitre)
Debian: rebuilder status update (h01ger)
beta.t.r-b.o 
Debian live-build (rclobus)
F-Droid (obfusk)
rebuilderd: status update (kpcyrd)
r-b summit 2022 (mapreri)
r-b ecosystem (lamby)
r-b.o/docs/rebuilders and conflict with r-b.o/tools (h01ger)
Any Other Business (AOB)


Looking forward to talking to you then!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Bottled water companies don't produce water, they produce plastic bottles.




Re: Please review the draft for September's report

2021-10-04 Thread Holger Levsen
On Mon, Oct 04, 2021 at 10:54:19PM +, Holger Levsen wrote:
> On Mon, Oct 04, 2021 at 10:34:03PM -, Chris Lamb wrote:
> > Sorry for the slight delay; been under the weather over the weekend. Anyway,
> > please review the draft for September's Reproducible Builds report:
> >   https://reproducible-builds.org/reports/2021-09/?draft

fixed now, this url has up2date content now.
 
(a review from myself is still pending however :)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

If nothing saves us from death, may love at least save us from life.




Re: Please review the draft for September's report

2021-10-04 Thread Holger Levsen
hi,

On Mon, Oct 04, 2021 at 10:34:03PM -, Chris Lamb wrote:
> Sorry for the slight delay; been under the weather over the weekend. Anyway,
> please review the draft for September's Reproducible Builds report:
>   https://reproducible-builds.org/reports/2021-09/?draft

jenkins is also not doing well, so the above URL doesn't show the correct draft
atm, please rather review via git for the moment:
 
> … or, via the Git repository itself:
>   
> https://salsa.debian.org/reproducible-builds/reproducible-website/blob/master/_reports/2021-09.md


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"I know what you're thinking" used to be an idiom but now it's a business model.




Re: stage0-posix release

2021-10-03 Thread Holger Levsen
On Sun, Oct 03, 2021 at 09:38:50PM +, jerem...@pdp10.guru wrote:
> Thanks to the incredible efforts of Andrius Štikonas over the last 4
> months, today  we announce the release of version 1.4 of stage0-posix.
[...] 
> As always all supported architectures are able to cross-verify all other
> architectures. And the bootstrap root is under 1024bytes:
[...]
> and builds to everything needed to bootstrap MesCC, TCC, GCC and Gnu Guix.

wow, that's pretty neat! congrats!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The vision of self driving cars is nothing compared to the vision of no cars at 
all.




#r-b irc meeting, tomorrow, Tuesday, 15 UTC

2021-09-27 Thread Holger Levsen
hi,

this is a reminder for our next IRC meeting on #reproducible-builds on the
last Tuesday of the month (so 28th of September) at 15 UTC on irc.oftc.net.

The meeting is supposed to last between 1-2h, maybe rather an hour, though
we have lots of time (just after 23-42m on one topic we move on anyway),
though of course we aim to keep it short.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this. If you add topics please add your nick as well.


Agenda for the meeting on the 28th of September 2021
-
welcome to this monthly meeting, please briefly introduce yourself or 
update us on recent or planned projects
short time slot for checkins from various projects:
Alpine Linux: status update (Ariadne)
Arch Linux: rebuilder status update (kpcyrd)
Debian: snapshot.d.o mirror status update (fepitre)
Debian: rebuilder status update (h01ger)
Debian live-build (rclobus)
F-Droid (obfusk)
i-probably-didnt-backdoor-this (kpcyrd)
rebuilderd: status update (kpcyrd)
r-b ecosystem (lamby)
r-b.o/docs/rebuilders and conflict with r-b.o/tools (h01ger)
Any Other Business (AOB)


Looking forward to talking to you then!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Bottled water companies don't produce water, they produce plastic bottles.




FYI: Debian hackmeeting in Hamburg open for R-B folks

2021-09-16 Thread Holger Levsen
hi,

FYI: from Sep 26 til Oct 1 there will be a small Debian hackmeeting
taking place in Hamburg, Germany, where we would be delighted to
welcome people working on Reproducible Builds in general! (IOW: this is
not limited to Debian)

If you are located somewhat nearby, please check out
https://wiki.debian.org/DebianEvents/de/2021/DebianReunionHamburg
and consider attending. (Please make extra sure to read the
paragraph "Covid things" on that page...)

So far there will be two R-B people attending, mostly working on 
Debian, Archlinux and Alpine... :)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

If nothing saves us from death, may love at least save us from life.




Re: Recoding the configuration for live-build images

2021-09-06 Thread Holger Levsen
Hi Janneke,

On Mon, Sep 06, 2021 at 12:41:49PM +0200, Jan Nieuwenhuizen wrote:
> I'm thinking about the binary seed that's used to produce a new release,
> as far as I understand it, Debian's binary seed is "build-essential".
> 
> I imagine that for a new Debian binary release, e.g., Bullseye, first
> all Bullseye's build-essential packages are built using binaries from
> Buster.

that's sadly not true.

https://en.wikipedia.org/wiki/Debian#Development is surprisingly accurate,
as is the "Flowchart of the life cycle of a Debian package" on the right.

In short: a package is once uploaded to unstable, then it's built, then
it migrates to testing, which eventually becomes stable. If there's no
new upload that package stays in unstable and (the new) testing and stable
"forever".

A package is never rebuilt in Debian without a new upload.

An existing Debian port/architecture is never bootstrapped again.

(Sad. And been like this for decades so not that easy to change.)

> The idea would be to reduce the binary seed needed to build
> "build-essential".  Does that make sense?

Sadly on very differently in Debian...


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"I know what you're thinking" used to be an idiom but now it's a business model.




Re: Recoding the configuration for live-build images

2021-09-04 Thread Holger Levsen
On Sat, Sep 04, 2021 at 09:18:16AM +0200, Jan Nieuwenhuizen wrote:
> [...]  It would be amazing to get
> a GNU Mes based reduced binary seed bootstrap into Debian. 

what does or would that mean? Debian is a binary distribution and sadly
Debian is only bootstrapped once per port. (Not trying to discourage you,
just stating how things were the last 25y and wondering how/what you'd like
to change.)

so are you talking about reproducibly bootstrapping Debian? :) or something
else?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

This is the year of gpg on the desktop! (Gunnar Wolf)




#r-b irc meeting, tuesday in 4 days, 15 UTC

2021-08-28 Thread Holger Levsen
hi,

this is a reminder for our next IRC meeting on #reproducible-builds on the
last Tuesday of the month (so 31st of August) at 15 UTC on irc.oftc.net.

The meeting is supposed to last between 1-2h, maybe rather an hour, though
we have lots of time (just after 23-42m on one topic we move on anyway),
though of course we aim to keep it short.

The meetings are logged via https://meetbot.debian.net/reproducible-builds

The agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep and currently
looks like this. If you add topics please add your nick as well.


Agenda for the meeting on the 31st of August 2021
-

welcome to this monthly meeting, please briefly introduce yourself or 
update us on recent or planned projects
short time slot for checkins from various projects:
Debian: snapshot.d.o mirror status update (fepitre)
Debian: rebuilder status update (h01ger)
Arch Linux: rebuilder status update (kpcyrd)
rebuilderd: status update (kpcyrd)
Alpine Linux: status update (Ariadne)
Debian live-build (rclobus)
F-Droid (obfusk)
r-b ecosystem (lamby)
r-b.o/docs/rebuilders and conflict with r-b.o/tools (h01ger)
Any Other Business (AOB)


Looking forward to talking to you then!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Bottled water companies don't produce water, they produce plastic bottles.




Reproducible Buster, Bullseye & Bookworm - where we come from and where we are going

2021-08-23 Thread Holger Levsen
hi,

I'll be giving a talk at DebConf21 tomorrow, which will be streamed at 19 UTC:

https://debconf21.debconf.org/talks/86-reproducible-buster-bullseye-bookworm-where-we-come-from-and-where-we-are-going/

The streams are linked from https://debconf21.debconf.org

Reproducible Buster, Bullseye & Bookworm - where we come from and where we are 
going
Speaker: Holger Levsen
Language: English
Track: Introduction to Free Software & Debian
Type: Long talk (45 minutes)
Room: Talks 1
Time: Aug 24 (Tue): 19:00 UTC
Duration: 0:45

In this talk Holger Levsen will give an update on Reproducible Builds of 
Debian. He’ll briefly sum up the status in Buster, then present developments 
in and for Bullseye and give an outlook on Bookworm, what’s planned, being 
built and wished for!

Bullseye will be the third Debian release since work on Reproducible Builds of 
Debian has really started: we started with the beginning of the Stretch cycle, 
then continued for Buster and we are still not done with our work on Bullseye, 
though hopefully at the time of the talk we will be. And then of course we will 
continue for Bookworm and beyond!

The last paragraph might leave you wondering, what exactly has changed, where 
we are, why we still are not “there” yet and what our immediate plans are. So 
come and see this talk!


--
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

If you upload your address book to "the cloud", I don't want to be in it.




Re: i-probably-didnt-backdoor-this: Reproducible Builds for upstreams

2021-08-20 Thread Holger Levsen
hi kpcyrd,

On Thu, Aug 19, 2021 at 11:16:29PM +, kpcyrd wrote:
> I uploaded a github repo that distributes a Hello World in various
> formats (ELF binary, Docker image, 3rd party(!) Arch Linux package) and
> documented every file and command needed to reproduce the artifacts
> bit-for-bit:
> 
> https://github.com/kpcyrd/i-probably-didnt-backdoor-this
> 
> I'm not very confident with the reproducible docker image yet, but the
> rest should be ok. I'm planning to combine this with the reproducible Alpine
> Raspberry Pi images me and other people have been working on.

wow, that's awesome! Very much the direction we need to be moving with
Reproducible Builds as well..!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Alles weird gut.




Re: Help us map the reproducible builds ecosystem

2021-08-11 Thread Holger Levsen
Hi Richard,

thanks for your feedback!

On Thu, Aug 05, 2021 at 04:46:27PM +0100, Richard Purdie wrote:
> For yocto, we can generate packages and we do run tests of our default config 
> on those:
> 
> https://www.yoctoproject.org/reproducible-build-results/
> 
> so 36 exclusions (known issues, effectively golang) of 34170 packages.
> 
> This is for our core layer only though.  There are many layers/configurations 
> and our aim is to provide the tools and configurations that let anyone build 
> something which is reproducible and prove that though testing themselves. We 
> therefore use our core test as an indication that we can build reproducible 
> things and that our testing process works.

*nods*

layers in yocto are like a core layer and a kde layer and then when you add 
a cups layer kde is built with cups support (and else not), or what are layers
exactly?

If so I think it's yet something different (though more similar) to eg OpenWrt 
which has different configurations and packages for different targets...

(more similar because iirc one can configure different libc implementation
on OpenWrt which will affect packages builds.)

or how would you describe this layer concept? :)

> From Yocto, this then feeds into Linux distros from our members/users like 
> Wind River, Montavista, ENEA, Automotive Grade Linux (AGL), OpenBMC and
> many other projects, some we know, many we don't. An example end result would
> be reproducible binaries in your car, aeroplane and TV :)

:)

> Not sure how that looks on your map! We struggle a lot to know where Yocto
> ends up too.

heh

> FWIW we've been trying to get people to add known users to
> https://wiki.yoctoproject.org/wiki/Project_Users but that is ongoing and
> currently far from being even remotely complete.

impressive list!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Life is short but a sea of morons is forever.




Re: [Git][reproducible-builds/reproducible-website][master] Migrate 'history' from the Debian wiki.

2021-08-10 Thread Holger Levsen
On Mon, Aug 09, 2021 at 08:53:48PM +, Holger Levsen wrote:
> And then, those lists are formatted incorrectly on 
> https://reproducible-builds.org/docs/history/
> and I fail to find a fix right this. This affects not only the list of
> contributors but also lists, like the FOSDEM 2015 aftermath one or the
> "to be sorted out" entries from 2015 as well.

I've committed a fix for this now.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

A ship is always safe at shore, but that is not what it's built for.
(Albert Einstein)


signature.asc
Description: PGP signature


Re: [Git][reproducible-builds/reproducible-website][master] Migrate 'history' from the Debian wiki.

2021-08-09 Thread Holger Levsen
Hi,

On Sat, Jul 31, 2021 at 01:21:48PM +, Chris Lamb (@lamby) wrote:
> Chris Lamb pushed to branch master at Reproducible Builds / 
> reproducible-website
> 
> 
> Commits:
> 1b5838fe by Chris Lamb at 2021-07-31T14:21:01+01:00
> Migrate 'history' from the Debian wiki.

yay, thank you Chris for doing this move, which IMO was long overdue...

Now, we got to keep this page better up2date and probably also add some bits
to make sure we will remember in years to come. Everyone: please contribute!

As a first step, I'd suggest checking 
https://reproducible-builds.org/docs/history/
whether your name appears there and if not, and if it should, please just commit
a fix or create a MR :)

And then, those lists are formatted incorrectly on 
https://reproducible-builds.org/docs/history/
and I fail to find a fix right this. This affects not only the list of
contributors but also lists, like the FOSDEM 2015 aftermath one or the
"to be sorted out" entries from 2015 as well.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Deadly heatwaves, floods, storms, wildfires, droughts, crop failures... 
This is not “the new normal”. We’re at the very beginning of a climate and
ecological emergency, and extreme weather events will only become more and
more frequent.




Re: Help us map the reproducible builds ecosystem

2021-08-05 Thread Holger Levsen
On Thu, Aug 05, 2021 at 02:51:17PM +0100, Chris Lamb wrote:
> There is definitely an argument to be as complete as possible, but I
> think the best thing from the perspective of the ecosystem map is to
> be as consistent as possible across similar entities.

I'm not sure there is so much consistency...
 
> Therefore we should _probably_ stick to "% reproducible of packages",
> as this is a number that most, if not all, distributions have.

tails doesn't have any packages, nor yocto, and the java world has artifacts
(which doesn't really match the packages concept AIUI) and the BSD people
really don't like the term (maybe it's also wrong in their world) and rather
use 'ports' instead (while ports in the linux world is something else :)

and then we do have the distinction between reproducible in the real
distributed world and reproducible in some CI setup. (which not every project
has or even would strive for...)

for Debian I would love to track the distinction between packages, d-i images,
calamares images and live images. oh, and of course those cloud images Debian
also provides :) though *maybe* that's too much for the ecosystem map.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

People call vaccine mandates "Orwellian" even though Orwell died at 46 of
tuberculosis, which is now preventable with a vaccine.




Re: Help us map the reproducible builds ecosystem

2021-08-02 Thread Holger Levsen
On Mon, Aug 02, 2021 at 11:07:21AM +0100, Chris Lamb wrote:
> Thanks to everyone who contributed to this so far. I've spent a little
> time this morning tidying up, merging and elaborating all of your
> input — it is looking a lot more useful and complete now.
> 
> However, can everyone have another look to see if it makes sense to
> them, and of course, whether anything is missing?
> 
> https://pad.riseup.net/p/rbecosystemmapping-keep

one additional note: this pad now also contains the stuff Chris, Gunner and
myself came up with before we asked this list for input. It's still not
done and complete by any means, so indeed please have another look! :)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

It started as a virus and has mutated into an IQ test.



