16:04:46 #startmeeting 16:04:46 Meeting started Tue Jul 17 16:04:46 2018 UTC. The chair is vagrantc. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:04:46 Useful Commands: #action #agreed #help #info #idea #link #topic. 16:05:02 everyone feel free to introduce themselves 16:05:48 #topic roll call 16:06:00 #topic roll call and agenda 16:06:07 sparse agenda: https://pad.riseup.net/p/reproducible-irc-meeting-20180717-16UTC 16:06:20 * jelle waves 16:06:49 yeah, rather sparse... 16:07:17 1) intros & absensces 2) yashsriv: update on Debian Rebuilder 3) NYU repro-builds for application security (take 2?) 16:07:35 lamby apologizes for not being present 16:07:57 oh, and of course 4) any other business 16:08:09 let's wait a few minutes to let people show up and then begin? 16:08:25 sure 16:13:39 ok 16:14:02 #topic Debian Rebuilder 16:14:06 yashsriv: you're on! 16:14:44 hi.. so basically I had divided debian rebuilder into 3 modules..... a builder/rebuilder, a visualizer to expose info and a scheduler to schedule builds 16:15:15 The first 2 are now complete with an ansible configuration for easy deployment. The whole thing is at https://salsa.debian.org/yashsriv-guest/debian-rebuilder-setup/tree/integrate-srebuild 16:15:42 #link https://salsa.debian.org/yashsriv-guest/debian-rebuilder-setup/tree/integrate-srebuild 16:16:08 yashsriv: pretty cool :) 16:17:06 The TODO file gives a better idea of the current status. So basically what is left is just scheduling stuff 16:17:07 sangy: nice! 16:17:48 yashsriv: do you have anything sketched out on that side? 16:17:56 yashsriv: have a pretty good idea where to take it, or do you need anything from the community at large? 16:18:15 that is currently a little vague as there isn;t anything in the current infrastructure which could help. 16:18:28 I had discussed something regarding that with lamby after the last meeting 16:18:57 ah yes: this issue - https://github.com/lamby/buildinfo.debian.net/issues/48 16:19:18 So I'm thinking of working on this as well so that we could have something deployable 16:20:29 using "since" might be a bit odd ... because if you have multiple rebuilders and they're all rebuilding and submitting the same most recent buildinfos ... 16:20:30 that'd be nice. So ideally it'd be adding this api endpoint and then writing a very lightweight daemon polling ever N minutes/hours/etc? 16:21:09 vagrantc.. they'll be maintaining what they have already rebuilt / submitted, so they won't trigger builds again 16:21:44 yashsriv: all of the independent third-party rebuilders? 16:21:44 sangy: that's the idea 16:22:10 ah.. as far as I know, nobody else use buildinfo.debian.net for scheduling builds? 16:22:15 e.g. you have, say 15 different organizations running rebuilders ... 16:22:52 This configuration I have written works in a way such that even if 15 different organisations, run this same configuration - it would work 16:22:54 the point of this project is to be able to easily set up an independent rebuilder ... so eventually they may be the majority of rebuilders 16:23:01 vagrantc: each of them would have a local scheduler db I believe, and discard any buildinfo that belongs to an already-built package 16:23:19 ^yeah this 16:23:24 i'm just wondering if it wouldn't make more sense to rebuild the most stale builds 16:24:09 vagrantc: I see your point. Probably having a different scheduling policy may be more interesting 16:24:20 e.g., get the N packages that have been rebuilt the least 16:24:28 at any rate, get something working before getting to bogged down in it :) 16:24:50 but maybe note the idea of various different scheduling strategies 16:24:54 vagrantc: yeah, we can probably play around with different scheduling strategies once the foundations are down 16:25:31 on the other hand, rebuilding the most recent builds simplifies the liklihood of not needing to use snapshot.debian.org too much :) 16:26:17 except if another rebuilder is making "recent" rebuilds of old packages... heh. :) 16:26:19 ahh, took me a second to see why that was 16:27:05 i guess using buildinfo.debian.net might be at mixed purposes to use as a data source for scheduling 16:27:48 yeah.. so the thing with using buildd is that we need to wait for the packages to either arrive in sid / snapshot before initiating a rebuild and that isn't possible 16:28:00 right 16:28:01 well, we could schedule right from the apt repositories too... 16:28:10 oh, TIL 16:28:30 you can also use a combination of incoming.debian.org and the rest of the archive 16:29:47 well, I wonder if we can make this scheduler lightweight enough so we can move from one datasource to another without much fuzz 16:29:53 right 16:30:47 yashsriv: well, so that sounds like a good goal :) 16:30:49 also, is the goal to rebuild specific buildinfo files, or to rebuild what's in the archive? 16:31:18 which i guess gets into data sources ... 16:31:20 vagrantc: I think the goal is to rebuild everything and anything that can be rebuilt in there 16:32:05 i think there's a way to query buildinfo.debian.net for a binary with a specific hash and find any matching .buildinfo files ... 16:32:24 as in, there's an API endpoint for that already? 16:32:32 so then, you could just use the hash of new packages in the archive to query for matching .buildinfo files, and try to rebuild them 16:32:43 sangy: i *think* so ... i recall requesting it 16:33:17 vagrantc: that sounds useful. Let's look into that too :) 16:33:29 then again, since the .buildinfo files from the archive aren't yet publicly available ... hrm. 16:33:32 either way, I think adding either of these API endpionts shouldn't be too hard to do, so we can take on that too 16:34:03 sounds to me like it'd just be an orm operation on that flask/django/-ish looking app 16:34:08 #link https://github.com/lamby/buildinfo.debian.net/issues/26 16:34:12 by-hash ^^ 16:35:05 hmm, I see. I guess we can pick that up and see what's up. What do you think yashsriv ? 16:35:52 any more on this topic? 16:36:07 yeah let me look into incoming.debian.net - I wasn't aware of it and then we can discuss more later. 16:36:26 incoming.debian.org 16:36:26 * yashsriv is satisfied 16:36:42 we've landed plenty more on your plate for now :) 16:36:47 lol yeah 16:37:13 so something on this topic that I want to bring up. NYU will most likely host a rebuilder 16:37:13 #topic NYU repro-builds for application security (take 2?) 16:37:41 sangy: ah, did i change topic too soon? 16:37:52 or is this a good segway? :) 16:37:54 vagrantc: I think, but it's very minor 16:38:14 I was just wondering if we'll have to have some process to enroll rebuilders or will it be open to everyone 16:38:37 it's probably something we could discuss on the ML later down the line? (once we can deploy rebuilders, for instance) 16:38:58 yeah, that sounds good for the mailing list once there's more specific rebuilder technology implemented :) 16:39:33 sangy: was it you who brought the current topic? 16:39:36 awesome, so let's continue with the topic at hand 16:39:38 yep 16:40:00 so, last year we did a series of reproducible builds sessions on NYU 16:40:35 for the application security course. This time we'll have a seminar on "secure systems engineering", which adds more space to do work on projects like reprobuilds 16:40:47 cool 16:40:53 so, this is the syllabus https://docs.google.com/document/d/1KR_vj411j9ARNSmQByvJnr1796XxXL-Ln_SKAD2qVW8/edit?usp=sharing 16:41:35 there's a calendar on the second page. We were thinking of devoting four weeks on finding and fixing reproducibility errors and whatnot like what we did last time 16:41:56 four consecutive weeks? 16:42:17 like last time, it'd be awesome if one or two poeple could drop by and talk about the project and how to fix repro bugs, etc. 16:42:41 vagrantc: yeah. It's a seminar, so we are aiming at hands-on work, hopefully contributing to FOSS projects while at it 16:42:48 nice 16:43:09 :) 16:43:18 sangy: if you proposed some potential dates on the mailing list, maybe you could get some specific people to commit 16:43:52 vagrantc: yeah I think that's what I'll do. I was hoping there was more quorum on this so I could see if the dates on the syllabus worked. I' 16:43:57 ll move it to the ML though :) 16:43:58 right 16:44:18 so, I think that's it for this topic... 16:44:33 looking forward to seeing it develop 16:44:34 :) 16:45:05 also, if you could arrange some of those dates to piggyback around a conference that people might want to attend, as a general idea 16:45:19 ah fair point. Let me check what's around 16:45:21 it might make multiple incentives to show up 16:45:30 * sangy jumps on the lwn weekly update\ 16:45:42 that was clumsy english, but hopefully you get the idea :) 16:46:00 lol yeah I did 16:46:25 ah it's too early to tell from the LWN list. I'll look around. Thanks for the tip :) 16:46:34 the next topic is ... 16:46:39 #topic any other business 16:46:58 i don't have anything in particular ... any thoughts that sprung up for anyone during the meeting? 16:47:30 hmm, I don't think so. Really looking forward to this rebuilder stuff! 16:47:47 should we schedule a meeting a month from now? 16:47:48 indeed ... part of making a theoretical project into a practical one! 16:48:11 we can probably make these every other month, so as topics pile up and more people show up? 16:49:09 14th? 21st? 16:49:42 seems like we'll actively need to add issues to make the meetings more enticing :) 16:49:57 not sure if the time is good/bad or what 16:50:18 yeah... I kinda feel we need something like this to keep updates going though >.< 16:51:02 i was also thinking of if the email reminder cut-and-paste the list of topics from the official agenda ... e.g. https://link-to-agenda ... followed by "list of agenda items so far" 16:51:11 any ideas on how to figure out a better date? probably at least accommodating more regulars would be a good idea 16:51:15 it might encourage folks to add items if they want 16:51:42 vagrantc: I can do that, and send a reminder every two weeks (i.e., one next week, and one the week before the meeting) 16:51:54 sangy: i think reminders are really helpful 16:52:03 will do then :) 16:52:35 and if there's some content in them beyond the link, it might help people who might read offline or something ... not sure 16:52:44 or just remind them of issues more directly 16:53:07 vagrantc: right. So should we tentatively say 21th but open for changes? 16:53:10 e.g. the X number of clicks between the person and content, you loose ~80% after the first click 16:53:18 sangy: sounds good to me 16:53:32 vagrantc: that had a name in my HCI classes 16:53:38 vagrantc: awesome, you got it ;) 16:53:47 https://pad.riseup.net/p/reproducible-irc-meeting-20180821-16UTC 16:53:52 ahh, fitt's law 16:54:09 wait no, not that one. Anyway 16:54:14 #link https://pad.riseup.net/p/reproducible-irc-meeting-20180821-16UTC 16:54:41 oh hi 16:54:49 sorry, i forgot about the meeting... 16:54:59 h01ger: welcome to the wrapping up of the meeting :) 16:55:24 h01ger: will not happen anymore, as I'll be spamming reminders in the ML :P 16:55:33 cool 16:56:09 i don't know if it would make sense, but setting up a cron job that screenscrapes the next meeting URL might be worth it so it doesn't rely on someone remembering 16:57:03 anyways, let's call that a meeting, and hope our amazing strategies for reminders will change it for the next round :) 16:57:08 vagrantc: so I can automate that, but for now I set a reminder on my calendar 16:57:16 #endmeeting