15:00:01 <h01ger> #startmeeting 15:00:01 <MeetBot> Meeting started Tue Jun 29 15:00:01 2021 UTC. The chair is h01ger. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:01 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 15:00:22 <h01ger> https://pad.riseup.net/p/rb-irc-meetings-keep has the agenda 15:00:45 <h01ger> #topic welcome to this monthly meeting, please briefly introduce yourself 15:01:03 * lamby is Chris Lamb, glad to see folks here 15:01:07 * h01ger Holger Levsen is happy we're finally resuming some regular meetings 15:01:16 <rgdd> Hi everyone, Rasmus Dahlberg here! My affiliations are Karlstad University (PhD student) and Mullvad VPN (software engineer). A large part of my work involves research and applications of transparent logs in practise. I am, e.g., involved in the System Transparency Project that was mentioned in January on rb-general. 15:01:27 <rgdd> Today my goal is to simply say hello and get the hang of the meeting structure, etc. 15:01:32 <rgdd> nice to meet you all! 15:01:35 <sangy> hello! sangy here, professor at purdue doing research on software supply chain security. Happy to see this resurface! 15:01:41 * bmwiedemann is Bernhard M. Wiedemann from openSUSE (also working on some SUSE Enterprise reproducibility as well as upstream) 15:01:45 <h01ger> rgdd: oh, hi! how nice you came by! 15:01:51 <rclobus> Hi, I'm Roland Clobus, I've been working on Pioneers for a long time. A few year ago I started on the documentation for the live images, and since then have been working on the live images too. 15:01:57 <lamby> hey rgdd 15:02:02 <rgdd> happy to be here =) 15:02:25 <obfusk> o/ 15:02:44 * fepitre is Frédéric Pierret (Phd) working primarily for Qubes OS at the IT level :) 15:02:44 * h01ger will give some more minutes for introductions & saying hi 15:03:09 * obfusk is Felix C. Stegerman 15:03:15 <tobiaswiese> Hi, Tobias Wiese here. Just a Student, but Interested in the Concept of making builds reproducible and trying to be helpful. 15:03:17 <h01ger> :) 15:03:31 <bmwiedemann> rgdd: nice to meet you. Would love to have some pointers on your work. 15:03:38 * sangy is happy to see so many students! 15:03:50 * ericonr is Érico Nogueira from Void Linux, mostly spectating and figuring how to move things forward in our distro 15:04:14 * dongcarl is Carl Dong from Bitcoin Core and sometimes Guix 15:04:23 * marmarek is Marek Marczykowski-Górecki - Qubes OS project lead 15:04:42 <gchristensen> hello, Graham Christensen from NixOS -- mostly observing today but around 15:04:51 <rgdd> bmwiedemann: definitely, i was thinking I would propose an actual agenda item about tlogs and R-B applications for a future meeting 15:04:51 <dongcarl> work meeting cancelled so I get to join this meeting (much cooler meeting) :-) 15:05:04 * obfusk is bad at introductions but has a website with a brief into at https://obfusk.ch 15:05:07 <rgdd> (happy to provide pointers sooner though, lets leave that for after intros then!) 15:05:14 <lamby> Nice to put some 'IRC faces' to names. 15:05:16 * obfusk likes diagnosing & fixing bugs 15:05:19 * h01ger is very happy to see so many nice short intros 15:05:20 <Foxboron> Yooo, Morten Linderud. Arch Linux reprobuilds team, general supply chain security stuff :) Wrote my master thesis about applying transparency logs to debian, reprobuilds and rebuilders! 15:05:33 <elibrokeit> Hi, Eli Schwartz here (eschwartz/elibrokeit most of the time). I'm a packager for Arch Linux and contribute when I can with package-specific reproducibility patches. I'm also one of the developers of our package manager and have helped get our tooling in shape to record buildinfo etc. and written one of our two rebuilder tools 15:05:46 * obfusk has worked on RB for f-droid and python-for-android 15:06:16 * realtime-neil is a random Debian user who likes reproducible builds and packaging them as part of his day job. 15:06:21 <h01ger> you can also all still add stuff to the agenda at https://pad.riseup.net/p/rb-irc-meetings-keep :) right now it has some general bits, some nixos and 3 debian topics ;) 15:06:43 * obfusk is a package maintainer for Debian and NixOS 15:06:51 * obfusk is a student :) 15:07:23 * h01ger is responsible for all the bad parts of tests.r-b.o ;) for some of the good parts too :) 15:07:51 * fepitre thinks h01ger is doing an awesome work all the time 15:07:57 <lamby> +1 15:08:00 <rclobus> +! 15:08:28 <h01ger> :) 15:08:46 <h01ger> thanks 15:08:54 <vagrantc> hello, i work on debian and to a small degree guix and also maitain some of the tests.reproducible-builds.org infrastructure 15:10:49 <h01ger> ok, hello everyone & thanks for all the intros! i guess its safe to move on to the next topic... 15:11:17 <h01ger> #topic what shall this monthly meeting be about? 15:11:30 <h01ger> or as i wrote in the agenda: 15:11:32 <h01ger> General: is "monthly IRC meeting" a good term? should this be more of a (structured) lounge or a meeting? or, ..., OR? (h01ger) 15:11:34 <h01ger> less about the term but more about *what* we'd like this to be 15:12:04 <h01ger> i wrote this because i thought a 1h meeting was a bit short and rushed in the past 15:12:13 <h01ger> so i came up with 15:12:24 <h01ger> "the meetings are supposed to last between 1-2h, maybe rather an hour, but we have lots of time (just after 23-42m we move on anyway)" (also from the agenda) 15:12:52 <h01ger> (after 23-42m on *one* topic we should move on to the next.. as a rule of thumb obviously) 15:13:03 <rclobus> I think it would be good to summarise the activities of the previous month and then a short overview of planned activities 15:13:28 <obfusk> +1 15:14:08 <h01ger> that sounds like a good addition, so s#welcome to this monthly meeting, please briefly introduce yourself#welcome to this monthly meeting, please briefly introduce yourself or update us on your last months activities and/or next months plans# ?! i like it 15:14:16 <vagrantc> it's a bit tricky to not re-invent our monthly reports in real-time, though. striking a balance between what makes sense for an irc meeting vs. a mailing list post vs. montlhy report 15:14:56 <bmwiedemann> much easier to read+write status asynchronously 15:15:33 <h01ger> bmwiedemann: was that an argument pro having those here or rather in the monthly report? 15:15:34 <bmwiedemann> we can still discuss interesting questions about that here, e.g. if someone wants to join in an activity 15:15:34 <obfusk> I think it would be nice to know what people are working on, esp anything that could use more input/help. 15:16:03 <bmwiedemann> ML seems better for some of that 15:16:20 <bmwiedemann> i.e. rb-general 15:17:06 * h01ger likes the ability to give a quick overview, a mail feels more heavy to write 15:17:17 <obfusk> ^ 15:17:21 <h01ger> and for longer stuff, mails are certainly better 15:17:26 <bmwiedemann> agree 15:17:27 <vagrantc> sure, just trying to point out that there is a balance to be struck :) 15:17:28 <obfusk> ML seems more for "formal request for help" 15:17:29 <rclobus> Not everyone is 24/7 on IRC (is the chat archived in any way?), but I noticed that the IRC channel is a nice supplement to status-mails on the mailing list. I see the monthly report more like something for the outsider, to get a glimpse of the activities of the reproducible team, without too many technical details. 15:17:50 <h01ger> rclobus: this chat meeting is archived on https://metboot.debian.net 15:18:10 <h01ger> #save 15:18:13 <rclobus> h01ger: This meeting indeed, but outside the meeting? 15:18:27 <h01ger> not outside 15:19:07 <h01ger> so, do you think its a good idea to give 1-2h room for the meeting (as opposed to the 1h we had before)? 15:19:17 * obfusk (and others using a bouncer) should have logs 15:19:50 <rclobus> I mean that a lot of the discussions on IRC are invisible to many who are not logged on permanently. 15:20:01 <vagrantc> h01ger: holding N people's attention simultaneously for more than an hour seems like a lot of time to block off 15:20:12 * obfusk would like to help w/ more stuff. but it can be hard to know where to start (unless someone explicitly asks for help). irc seems more suited for that than the ML. 15:20:47 <h01ger> vagrantc: i'm happy for shorter meetings but i also think the meetings we had last year were too rushed to make them end after one hour 15:20:51 <elibrokeit> Remember that the point of IRC is, mostly, to get real time communications. Bouncer logs for those not here may be nice, but aren't the most important point of IRC. 15:21:30 * h01ger agrees that hardly anyone will read those logs except maybe AIs ;) 15:21:57 <rclobus> elibrokeit: Indeed, that's why I summarised in the info gathered on IRC to the mailing list. 15:22:18 <obfusk> if there's something really interesting going on on IRC, maybe have someone copy paste it somewhere for wider sharing? (if all participants agree) 15:22:41 <obfusk> (outside of meetings I mean) 15:22:50 <elibrokeit> e.g. this is a *meeting*, meetings are all about realtime rather than posting requests and status updates to the communal message board of the mailing list 15:22:57 <h01ger> discussing irc outside of the meeting is a bit off-topic now 15:23:08 <bmwiedemann> start an etherpad with a collaborative summary and mail that to rb-general when done 15:23:32 <bmwiedemann> similar to meeting minutes 15:23:42 <h01ger> so i guess the other implied question, should this be called lounge or meeting or whatever has also been answered: meeting is a good term, the other time might be described as a lounge maybe, or simply irc chat 15:24:11 <vagrantc> i guess what i would like to see is a semi-structured short time slot for checkins from various projects 15:24:27 <rgdd> maybe an easy way to let people do short reports is to just have a bullet list in the agenda 15:24:29 <vagrantc> by short, i mean maybe ten minutes 15:24:34 <rgdd> where people can add in advance short update + pointers 15:24:52 <rgdd> doesn't have to take too much time of the actual meeting unless there are discuss actions from that, in which case it should probably be an actual agenda item 15:25:13 <obfusk> I would assume these meetings to fall in between the "formal" ML and the "really informal" regular IRC. so more structure than IRC, but less detail and more off-the-cuff than ML. 15:25:16 * h01ger likes 15:25:20 <vagrantc> rgdd: i like your "add in advance" angle :) 15:25:33 <elibrokeit> And one of the uses of this could be to help collect knowledge about what we're all up to, that could then be consolidated into status reports on the ML? 15:25:50 <obfusk> +1 15:25:56 <Foxboron> elibrokeit: that's what our monthly newsletters does? 15:26:08 <raboof> yes, I like having an 'updates section' of the agenda, with things we can write (and read) in preparation of the meeting, and that may or may not lead to thing to be discussed 15:26:28 <raboof> if they're part of the meeting minutes and likely also in the monthly status reports that seems sufficient to me 15:26:37 <bmwiedemann> Foxboron: partially. but that is for a wider audience, so written differently 15:26:40 <vagrantc> really, i see this as an opportunity to share a bit about what we're doing and get everyone excited that we're part of some larger community working on similar things with similar goals 15:27:00 <vagrantc> rather than a few people acting more-or-less in isolation 15:27:08 * obfusk thinks it's a lot easier to ask a few small questions on IRC vs the ML 15:27:16 <vagrantc> the semi-realtimeness of IRC can help for that 15:27:16 <Foxboron> bmwiedemann: I think keeping a balance if going to be hard :p 15:27:18 * h01ger has edited the next meetings agenda based on suggestions here (same url as current meetings agenda, just scroll down) 15:27:38 <obfusk> vagrantc: +1 15:27:42 <h01ger> vagrantc: i see this happening right now 15:27:57 <vagrantc> h01ger: agreed :) 15:28:32 <bmwiedemann> team-building happens in real-time :-) 15:28:34 <h01ger> #info h01ger has edited the next meetings agenda based on suggestions here (same url as current meetings agenda, just scroll down) 15:29:04 <sangy> h01ger: I was curious about the "proper rebuilder 15:29:10 <h01ger> shall we move on to the next topic or do you have some more good ideas? 15:29:23 <h01ger> sangy: thats a topic in 4 topics :) 15:29:33 <sangy> ah, wait, we are discussing on moving the lower list stuff into the upper list? my bad 15:30:34 <h01ger> np 15:31:06 <raboof> ok, I'm next up I guess :) 15:31:21 <h01ger> raboof: i guess so too 15:31:23 <raboof> so, the part that should have been an update: in NixOS we recently hit the (somewhat arbitrary) milestone of having our minimal ISO image reproducible \o/ 15:31:33 <h01ger> #topic NixOS: reproducible minimal ISO (raboof) 15:31:44 <h01ger> raboof: yay! 15:31:46 <Foxboron> \o/ 15:31:50 <dongcarl> woohoo! 15:31:59 <gchristensen> <3 raboof thank you so much for your hard work on getting that done 15:32:00 * kushal forgot once again 15:32:01 <h01ger> raboof: do you have some write up for that? :) 15:32:07 <bmwiedemann> great thing to achieve 15:32:14 <rgdd> awesome! 15:32:20 <raboof> this was somewhat unexpectedly picked up by HackerNews (https://news.ycombinator.com/item?id=27573393), which was a bit unfortunate because we didn't have a nice writeup about it yet ;) 15:32:31 <sangy> it's definitely a v. good milestone! 15:32:52 <sangy> raboof: it's never late for a writeup though! I would assume it'd also help to reason about future directions in terms of reproducibility inside of nixos? 15:33:00 <raboof> so there was some confusion on why this matters and we didn't really credit all the work done by the wider r-b community properly 15:33:10 <raboof> sangy: yeah definitely want to do one for the monthly report 15:33:28 <gchristensen> raboof: do you have an idea of a next target? I know we've done a run for the GNOME iso, but not since February 15:34:04 <sangy> raboof: nice! and don't worry, I think overall "what is reproducibility and how do you get it" is a... constantly misunderstood notion :P 15:34:04 <h01ger> raboof: do you have some tests in place to ensure this will always stay like this now? and what will happen if it doesnt? 15:34:15 <raboof> dirty little secret: even though people have successfully reproduced the ISO among each other, there's still some weirdness in our CI system that the 'official' ISO is actually different, there is like 3 file timestamps that are still wrong ;) - working on it. 15:34:27 <lamby> raboof: :o 15:35:10 <h01ger> raboof: i'd love to see this documented/explained/linked on https://reproducible-builds.org/projects/#NixOS too ;) 15:35:16 <sangy> reproducible until proven guilty 15:35:20 <gchristensen> haha 15:35:22 <raboof> h01ger: we have a 'dashboard' (https://r13y.com/, https://status.nixos.org/grafana/d/cUz63QLWz/reproducibility-of-nixos-unstable-iso_minimal-x86_64-linux), so we will keep an eye on that 15:35:23 <h01ger> .oO( good work always creates more work ) 15:35:44 <h01ger> #save 15:35:56 <raboof> h01ger: beyond that there's some thinking about including it in our CI/review process, but no very specific proposals yet I think 15:36:09 <h01ger> #info in NixOS we recently hit the (somewhat arbitrary) milestone of having our minimal ISO image reproducible 15:36:20 <h01ger> #info this was somewhat unexpectedly picked up by HackerNews (https://news.ycombinator.com/item?id=27573393) 15:36:21 <sangy> raboof: I wonder if you'd like to use reprotest in your CI instead 15:36:41 <h01ger> #info https://r13y.com/ 15:36:50 <h01ger> #info https://status.nixos.org/grafana/d/cUz63QLWz/reproducibility-of-nixos-unstable-iso_minimal-x86_64-linux 15:36:56 <sangy> not sure if it's overkill, but I've seen some projects put it in there to make tests fail if this particular build doesn't reproduce 15:37:18 <h01ger> btw, anyone can use #info (at the beginning of the line) and those lines will automagically show up in the automated summary meetbot writes 15:37:20 <raboof> as for 'next goals', I think reproducing the 'bigger' ISO's is cool, but at this point it is equally interesting to give people a nicer way to consume the reproducibility information. https://github.com/tweag/trustix is an interesting project for us there, but it's early days still, not really working yet right now 15:37:33 <h01ger> raboof: much agreed 15:38:10 <raboof> I think that's what I wanted to share, any things I missed? 15:38:33 <sangy> raboof: this is something I've been hoping to get to with rebuilderd + in-toto. Have you had a chance to take a look at the apt-transport? 15:38:43 <h01ger> raboof: getting another round of applause! :) 15:38:47 * h01ger claps 15:38:57 <sangy> I think the QubesOS ppl have also done amazing stuff to get rebuilder attestations shared between rebuilders 15:39:03 * sangy applause 15:39:16 <fepitre> yes indeed, we do have start generating intoto metadata for Debian 15:39:17 <raboof> of course it's the work of many people, so I'm joining in the general applause ;) 15:39:38 <h01ger> :)) 15:40:15 <h01ger> so then next topic i guess.. 15:40:41 <h01ger> #topic Debian: a brief intro to https://debian.notset.fr/snapshot/ (fepitre/h01ger) 15:41:02 * sangy clicks 15:41:07 <h01ger> sadly fepitre cannot be here right now to present his work, so i'll have to do :) 15:41:14 <fepitre> I'm here? 15:41:18 <h01ger> oh 15:41:20 <h01ger> hi 15:41:24 <h01ger> i thought.. anyhow 15:41:37 <h01ger> #info https://debian.notset.fr/snapshot/ is a snapshot.d.o amd64 mirror 15:41:42 <fepitre> ok so the original issue is snapshot.d.o having throttling limits for scale rebuild of debian 15:41:42 <lamby> :) 15:41:44 <h01ger> #info there 15:41:50 <h01ger> #info there's API documentation: https://github.com/fepitre/debian-snapshot#api 15:42:08 <fepitre> for example when you try to rebuild more than one package at the time, you are screwed up 15:42:19 <h01ger> and its still work in progress at the moment, but we want more users for this service :) 15:42:21 <sangy> wait this sounds super useful 15:42:27 <fepitre> so I've started mirroring snapshot.d.o for data at first 15:42:39 <rclobus> I'm already planning to use this service 15:42:42 <fepitre> but then I finally wrote the corresponding API to the data like snapshot.d.o would do 15:42:43 <h01ger> we're also in the process of adding another machine in front of it, at OSUOSL.org 15:42:59 <fepitre> (currently all of this is home served) 15:43:19 <fepitre> on this snapshot instance, you have access to Debian data since 2017 to now 15:43:32 <sangy> fepitre: hmm, what's the scale of traffic we're expecting here? I think I can probably donate some compute/network... 15:43:33 <h01ger> which hopefully shouldnt take that long (but then there's a heatwave in portland atm and all our machines there are actually turned off at the moment..) 15:43:35 <fepitre> for unstable, buster and bullseye and arch source, all and amd64 15:43:58 <h01ger> sangy: we'll sort this out at osuosl.. things have already been started there. but thanks! 15:44:00 <fepitre> sangy, scale means several rebuilder in parallel hitting snapshot.d.o throttling issues 15:44:05 <rclobus> Feature request: will there also be an API for 'the latest, completed mirror timestap'? 15:44:35 <sangy> got it, may be better if I host a rebuilder then :) 15:44:41 <h01ger> fepitre: what are the disk ressources used atm? last you told me 4TB space 15:44:57 <fepitre> I can check it's roughly still the same 15:45:01 * h01ger nods 15:45:31 <fepitre> no need to say that has been a real pain to mirror all this amount of data 15:45:32 <vagrantc> pretty deep into debian's freeze cycle right now, not likely to change a lot day to day 15:45:32 <bmwiedemann> I have a snapshot mirror for openSUSE in IPFS at opensuse.zq1.de - if there is was some 6 TB sponsored space, It could be mirrored there with 2 years worth of history. 15:45:47 * h01ger has shared what he wanted to share. happy to have some more discussion here and now, but more details could also be discussed later/anytime. this is an ongoing unfinished project :) 15:45:57 <bmwiedemann> but we can discuss that later - don't want to be offtopic here. 15:46:16 <h01ger> vagrantc: i dont see how this its related to the release cycle? 15:46:43 <vagrantc> h01ger: the amount of data stored changes less during freezes? 15:46:50 <fepitre> few last words, I'm improving the API results sto help rebuilder properly finding package 15:47:08 <h01ger> vagrantc: i'm actually not convinced, there might be more uploads. but thats a guess too :) 15:47:20 <fepitre> because right now, snapshot.d.o just tell you in which archive a package is, not really the dist 15:47:31 <vagrantc> h01ger: i get emails daily about all the .buildinfo files ... it has slowed to a crawl :) 15:47:46 <fepitre> so in rebuilder, if you may want to rebuild only specific suite, it helps 15:47:47 <h01ger> :) 15:48:12 <h01ger> fepitre: we have 'rebuilder' as a seperate topic.. :) 15:48:18 <vagrantc> fepitre: thanks so much for your work on this ... it unblocks numerous other projects :) 15:48:19 <fepitre> (sorry :)) 15:48:24 <h01ger> shall we move on? 15:48:33 <fepitre> +1 15:48:44 <h01ger> and yes, fepitre: *many* thanks for implementing this!! 15:48:52 <fepitre> sure, you are welcome 15:48:58 <h01ger> #topic live-builds (rclobus) 15:49:12 <rclobus> Hi, I wrote a mail yesterday about the status. 15:49:27 <rclobus> In short: the very first live image is now being built by Jenkins 15:49:38 <rclobus> (Many) more to come 15:49:38 <h01ger> #info https://lists.reproducible-builds.org/pipermail/rb-general/2021-June/002288.html 15:49:42 <sangy> fepitre: just to be extra sure, that github link over there is where it all lives 15:50:18 <h01ger> rclobus: and those/that image is reproducible too! \o/ 15:50:23 <fepitre> sangy, for the whole snapshot service (data management, api etc, yes) 15:50:35 <rclobus> So soon, all major live images will be checked by Jenkins for reproducibility. 15:50:39 <h01ger> somehow we didnt hit hackernews with that ;) 15:51:15 <rclobus> That is, the live images generated by live-build. The current official Debian live images are created by live-wrapper, but that's a totally different topic. 15:51:47 <h01ger> rclobus: do you have plans to work on those too? 15:51:48 <sangy> rclobus: care to give a rundown on how live-build used to introduce non-determinism? or is this more of a "a base group of packages in the default live-build config are all repro" 15:52:02 <obfusk> h01ger: debian's been doing RB for so long it's no longer "news"? :p 15:52:26 <obfusk> sangy: +1 15:52:33 <h01ger> #info https://wiki.debian.org/ReproducibleInstalls/LiveImages 15:52:36 <h01ger> sangy: ^ 15:52:41 <rclobus> live-wrapper used vmdebootstrap, which requires Python 2.7, which is not present any more on Bullseye. A suitable solution must be found... 15:52:52 <h01ger> rclobus: ah 15:53:26 <lamby> Hm. 15:53:28 <rclobus> The main changes I did for live-build are e.g. adding '-a' to 'cp' commands, but the most tricky one was the generation of the UEFI image. 15:54:06 <h01ger> rclobus: so are there currently no live-wrapper images for bullseye or are they being built on buster? 15:54:24 <rclobus> I only have 'hacks' for 2 packages at the moment (they already have their bug ticket) to make their configuration files reproducible. 15:54:30 <h01ger> rclobus: did you try to submit those changes to live-build? 15:54:36 <h01ger> ah, cool 15:54:42 <sangy> > # Use LD_PRELOAD to replace uuid_generate_random with a less random version 15:54:45 <sangy> ah I see! 15:54:48 <rclobus> Live-wrapper is currently used for buster and bullseye 15:55:10 <rclobus> I'm in contact with live-build, the git repo is the latest and greatest. 15:55:32 <rclobus> LD_PRELOAD was a really ugly hack, but it works :-) 15:55:42 <h01ger> hehe 15:55:58 <sangy> hey, it's better than ln -s /dev/zero /dev/random orso :P 15:56:30 <bmwiedemann> been there, done that 15:56:32 <h01ger> :) 15:56:48 <rclobus> Perhaps eventually the small C-file could be properly packaged to avoid compiling while building the image. 15:56:48 <h01ger> rclobus: or anyone: anything else or should we move on? 15:57:00 <obfusk> I see there are some "successors" to vmdebootstrap but I can't quickly find whether they handle RB 15:57:04 <h01ger> rclobus: i guess so. or added to some existing package 15:57:08 <rclobus> That it. Thanks for your attention. 15:57:25 <h01ger> thanks for the work and keeping us informed! 15:57:32 <raboof> yes, nice! 15:57:53 <obfusk> rclobus: do you know if the vmdebootstrap "successors" handle RB? 15:57:56 <elibrokeit> Why do you need a successor, can't it be ported to python3? 15:58:07 <obfusk> "upstream discontinued" 15:58:11 * h01ger waits with changing topic 15:58:24 <obfusk> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907751 15:58:25 <elibrokeit> Oh lol, okay then 15:58:27 <bmwiedemann> https://github.com/bmwiedemann/reproducible-faketools/blob/master/reproducible-faketools.spec#L146 15:59:06 <rclobus> So far, I managed with the regular 'debootstrap' 15:59:34 * h01ger recommends mmdebstrap 15:59:54 * vagrantc likes mmdebstrap too 16:00:02 <vagrantc> but ... maybe next topic? :) 16:00:07 <h01ger> sure 16:00:16 <h01ger> #topic Debian: let's do a rebuilder now (h01ger) 16:00:27 <lamby> :) 16:00:38 <vagrantc> let's! :) 16:00:54 <jelle> \o/ 16:01:07 <sangy> \o/! 16:01:09 <vagrantc> catch up with those *other* distros :) 16:01:12 <h01ger> so as some of you know since forever^w2015 we have been rebuilding debian packages twice... and compared them and made stats and send patches and everything... 16:01:57 <h01ger> but, we (on tests.r-b.o) never did rebuilders and compared against the packages released via ftp.d.o 16:02:15 <marmarek> https://github.com/fepitre/debrebuild - fepitre do you want to say few words? 16:02:21 <h01ger> then there have been several rebuilder implementations, surprisingly many from different Arch Linux folks :) 16:02:28 <sangy> I think we have two very good candidate projects to do just that :) 16:02:30 <h01ger> marmarek: gimme a sec 16:02:46 <h01ger> i'm well aware and want to give the big(ger) picture 16:03:13 * marmarek nods 16:03:21 <h01ger> and some of these rebuilders are forks of projects which have then been rewritten. 16:03:47 * h01ger waves to josch, sangy, Foxboron, fepitre and now someone will tell me whom i forgot 16:03:56 <h01ger> kpcyrd! :) 16:03:59 <sangy> kpcyrd: is not here, but 16:04:01 <sangy> yeah, there! 16:04:30 <Foxboron> o/ 16:04:45 <h01ger> and i've also started something.. but got stuck at snapshot.d.o, which fepitre (with some help from josch and me..) unstuck 16:04:50 <h01ger> so 16:04:51 <h01ger> now 16:05:05 * elibrokeit waves at h01ger 16:05:30 <h01ger> i'd like to setup something.. on/for tests.r-b.o which later hopefully can also move to debian.org, dunno, dont care right now 16:05:58 <h01ger> and yes, one bit i'm lost is what codebase to choose now 16:05:59 <sangy> yeah, I think that'd be ideal. I'm also setting up another rebuilder, and we already ahve one at NYU for arch, which we can definitely upgrade 16:07:17 <sangy> well, I have a gsoc student working on in-toto + rebuilderd stuff, but I don't think we need to have just one implementation to exist (in fact, I like we have some diversity there) 16:07:32 <h01ger> not sure if i should start a wiki page listing all the different rebuilder implementations there are (for Debian only, i mean) 16:07:35 <sangy> I think debrebuild is a little bit more mature for te deb ecosystem (I think it works with the in-toto transport right now) 16:07:36 <kpcyrd> ah, I'm here, was just afk a moment doing laundry 16:08:01 <marmarek> h01ger: are you about integrating it into jenkins (as the overall oversight), or standalone? 16:08:08 <h01ger> sangy: thats debrebuild coming from the descripts source package, right? 16:08:13 <fepitre> If you need a standalone rebuilder orchestrator there is what I developed: https://github.com/fepitre/package-rebuilder/tree/devel110221 16:08:33 <fepitre> which currently use https://github.com/fepitre/debrebuild as Debian rebuilder tool 16:08:37 <fepitre> but others can be integrated 16:08:42 <h01ger> marmarek: either, shrugs. running on some of the same hosts 16:09:09 <sangy> h01ger: no ,I mean fepitre's 16:09:17 <h01ger> fepitre: and thats not using debrebuild from src:devscripts, right? 16:09:17 <kpcyrd> we've started establishing the terms "rebuilder" and "rebuilder-backend" to distinguish between actually building and orchestration 16:09:20 <marmarek> I'm asking specifically because having standalone would be easier for others to run it too (the more rebuilders the better, no?) 16:09:21 <lamby> I think its useful to differentiate between the rebuilder tools and the orchestrators (even though they are often integrated in some implementations) 16:09:28 <sangy> kpcyrd: +1 16:09:31 <fepitre> h01ger, no it is using my python implementation 16:09:32 <lamby> kpcyrd: Ah, I see there is already a term. :) 16:10:05 * h01ger agrees on differentiating between those two terms 16:10:14 <h01ger> i'd first like to talk about the rebuilding tool 16:10:32 <bmwiedemann> kpcyrd: which of the two is doing the orchestration? 16:10:35 <h01ger> without it, orchestration is a bit like swimming without water 16:10:36 <sangy> h01ger: so I think rebuilderd is mostly an orchestration 16:10:52 <jelle> yup 16:10:52 <sangy> kpcyrd: ...right? 16:11:00 <fepitre> on my side, package-rebuilder is the orchestrator 16:11:03 <kpcyrd> sangy: yes, it's building on top of archlinux-repro by Foxboron 16:11:04 <jelle> sangy: it reads the repository data and schedules packages 16:11:19 <h01ger> its really hard to follow this conversation, because these similar tools have similar names 16:11:36 <sangy> right, and my understanding is that tasks are mostly containerized, so we could use fepitre's debrebuild to do the magic? 16:11:37 <kpcyrd> it passes the parameters to the rebuilder backend and then expects it to output the rebuild package, then picks up from there again 16:11:47 <kpcyrd> *rebuilt package 16:12:06 <sangy> h01ger: what about we make a wiki page for rebuilder implementations to start settling terminology and such 16:12:14 <kpcyrd> +1 16:12:18 <h01ger> kpcyrd: where does that source code live? (eg github url) 16:12:24 <h01ger> sangy: YES 16:12:30 <fepitre> that's a very good idea 16:12:33 <h01ger> sangy: $(figlet YES) even 16:12:38 <kpcyrd> h01ger: https://github.com/kpcyrd/rebuilderd and https://github.com/archlinux/archlinux-repro 16:12:44 <h01ger> kpcyrd: thanks 16:12:58 <h01ger> any other urls to be shared here which should be part of the wiki page? 16:13:03 <vagrantc> almost seems like we could have a whole meeting talking about different rebuild implementations :) 16:13:10 <kpcyrd> there's also a frontend by jelle https://gitlab.archlinux.org/archlinux/rebuilderd-website 16:13:13 <h01ger> vagrantc: almost yes 16:13:34 <sangy> I think as an actionp oint to actually populate this wiki page... 16:13:44 <sangy> what's a good place to put it? r-b.org? 16:14:05 <h01ger> https://salsa.debian.org/debian/devscripts/-/blob/master/scripts/debrebuild.pl is the one from src:devscripts so available in bullseye right now 16:14:15 <h01ger> sangy: there's no wiki 16:14:21 <kpcyrd> then there's two proof of concepts that consume the results from the api, https://github.com/kpcyrd/ismyarchverifiedyet and https://github.com/archlinux/arch-repro-status 16:14:25 <sangy> fair, should we do it in markdown? 16:14:47 <h01ger> sangy: wiki.d.o seems natural here and now, but i see how you want to extend this to not only cover debian ;) 16:14:50 <bmwiedemann> https://github.com/bmwiedemann/reproducibleopensuse/blob/master/nachbau is the build portion of my rebuilder/verifier 16:15:23 <h01ger> sangy: i suppose a git wiki/repo on salsa/reproducible-builds is a good idea 16:15:33 * kushal has one small update from the SecureDrop project, if anyone can please ping him if we have time at the end. 16:15:39 <h01ger> kushal: noted 16:15:55 <fepitre> h01ger, I think wiki on salsa is fine and easy for everyone? 16:16:01 <h01ger> yes 16:16:07 <h01ger> probably just on the website 16:16:17 <h01ger> i think thats a good idea 16:16:35 <h01ger> a subpage on https://reproducible-builds.org/docs/ 16:16:44 <fepitre> on the website, I guess you can include the wiki page itself from salsa 16:17:01 <h01ger> the website is markdown so whats the diff to a wiki anyway :) 16:17:16 <fepitre> yes any solution is fine 16:17:40 <marmarek> broader edit access for a random wiki, than to a website? 16:17:54 <h01ger> #agreed we shall document the different existing rebuilder and orchestration tools for debian 16:18:23 <h01ger> #agreed (and then probably include other distros too if the rebuilders can rebuild more than one distro...) 16:18:37 <h01ger> #info h01ger suggests to use https://reproducible-builds.org/docs/ 16:18:53 <vagrantc> a fair number of people have edit access to the website, and merge requests can be done by nearly anymore 16:18:56 <vagrantc> anyone 16:19:07 <h01ger> marmarek: we are adding anyone asking to the salsa project, so i guess thats fine. there's hardly any free to edit wiki left too 16:20:22 <marmarek> a working copy could be on a pad, but that's hardly permanent place 16:20:46 <sangy> h01ger: +1 for either salsa or the website 16:21:29 <marmarek> if enough people has write access, then the website sounds good indeed 16:21:33 <kpcyrd> the idea is that the rebuilder-backends are very distro specific but the orchestrators don't necessarily have to 16:21:52 <h01ger> #info https://pad.riseup.net/p/rebuilders%2Borchestration-tools 16:22:05 <h01ger> please go ahead :) 16:22:21 <h01ger> i'll "later" (maybe in a week or 2) turn that into website.git 16:22:25 <h01ger> #save 16:23:01 <h01ger> kpcyrd: right 16:23:36 * h01ger is quite very happy how productive this topic has become and suggests to end it here and move on to the next :) 16:23:46 <fepitre> +1 16:26:02 <h01ger> #topic SecureDrop 16:26:08 <h01ger> kushal: ^ 16:26:43 <kushal> Till now SecureDrop Workstation project had all packages as reproducible and also the internal Python wheels https://github.com/freedomofpress/securedrop-debian-packaging 16:27:25 <kushal> There were some changes in the upstream pip, that required us to redo the toolings to keep getting reproducible wheels in future. 16:27:57 <h01ger> cool! 16:28:06 <kushal> Now, based on that work and as SecureDrop runs on a modern OS (not too modern), aka Ubuntu Focal, we are working on making the primary server side package also reproducible. 16:28:14 * sangy needs to drop, but this was fun! 16:28:22 <h01ger> sangy: o/ 16:28:38 <kushal> Following the same packaging guidelines and tools in the repo linked above. 16:28:45 <kushal> Hopefully next week. 16:28:52 <kushal> s/week/release. 16:29:04 <h01ger> kushal: nice! thanks for the update! 16:29:14 <kushal> <EOM> 16:29:18 * h01ger guesses we can move on? 16:29:21 <kushal> h01ger, thank you :) 16:29:33 * obfusk would like to ask two small questions at the end if there's time 16:30:06 <h01ger> #topic Any Other Business (AOB) 16:30:17 <lamby> kushal: Thanks for the update. Just wondering; are you seeing issues with strip-nondeterminism? You appear to working around some problem/issue in your debian/rules 16:30:56 <kushal> lamby, we had some trouble, I will get back to you what they were. I totally forgot now (also I am sleepy). 16:31:15 <lamby> sure 16:31:16 * h01ger notices any (on-topic) topic can be discussed now but suggests we try to keep it at one topic at a time :) 16:31:21 <kushal> lamby, ah now remember. 16:31:51 <obfusk> kushal: do you have a link for the pip changes? 16:32:05 <kushal> lamby, as we are installing Python dependencies from the wheels we build, they contain dates and other details which we had to remove. 16:32:14 <kushal> obfusk, yes, give me a minute please 16:32:59 * fepitre has to leave, don't hesitate to ask questions now or later I would answer ASAP. 16:33:02 * obfusk is not in a hurry 16:33:07 <h01ger> fepitre: o/ 16:33:24 <fepitre> cheers _o/ 16:33:35 <kushal> obfusk, https://github.com/pypa/pip/issues/9604 16:33:54 <obfusk> kushal: thx! 16:33:55 <lamby> kushal: (Ah, in that case I think there would be a "more Debian" way of achieving that, but it's no big deal...) 16:34:13 <kushal> lamby, perfect, I will ping you after meeting. 16:35:09 <h01ger> obfusk: your two other questions were 16:35:10 <h01ger> ? 16:35:49 <obfusk> a few days ago I mentioned here that "I want to create a tool for creating, provisioning, and managing declarative and reproducible (at least as close I can reasonably get at first) VMs (starting w/ libvirt & Debian, more backends & OSs later)." 16:35:49 <kpcyrd> since this seems to be "any topic goes", there's also progress on reproducible alpine: https://twitter.com/sn0int/status/1408853977106718724 16:36:12 <obfusk> so the snapshots mirrors seem very useful for that 16:36:27 <h01ger> #info progress on reproducible alpine: https://twitter.com/sn0int/status/1408853977106718724 16:36:38 <obfusk> and so would a vmdebootstrap successor 16:37:21 <h01ger> obfusk: seen https://tracker.debian.org/pkg/bdebstrap ? a YAML config based multi-mirror Debian chroot creation tool 16:37:32 <obfusk> if anyone familiar with vmdebootstrap successors or building reproducible kvm images has any tips, that would be appreciated. 16:37:35 <h01ger> kpcyrd: thanks for that update! 16:37:52 <obfusk> if anyone has an interest in this tool I'm planning to build, feedback is welcome. 16:38:00 <obfusk> that's #1 16:38:06 <h01ger> obfusk: isnt there vmdebootstrap2 also? 16:38:38 <obfusk> h01ger: there's vmdb2, but I can't find anything quickly about RB 16:38:38 <lamby> obfusk: I looked into roughtly this for Tails -- see https://public-redmine-archive.tails.boum.org/code/issues/15349/ and https://gitlab.tails.boum.org/tails/tails/-/issues/15349 16:39:06 <lamby> They had/have the same problem re. ongoing viability of using vmdebootstrap 16:39:24 <h01ger> obfusk: and again i'd recommend looking at https://tracker.debian.org/pkg/bdebstrap ? 16:39:50 <h01ger> kpcyrd: wow "that tweet" has much more content than expected! :) very nice work too! (and diffoscope pics!) 16:40:03 <obfusk> lamby: thx. but does tails need to create reproducible ext4 images? 16:40:43 <lamby> Not that I'm aware of... Was mostly just linking to overlapping problem spaces. 16:41:14 <h01ger> are there other 'AOB' topics? it feels like we're getting into too deep details now - or maybe i'm just tired after 100 minutes :) 16:41:17 <obfusk> lamby: ack and thx! 16:41:41 <obfusk> h01ger: I had one more small question :) 16:41:47 <h01ger> obfusk: go ahead! 16:41:53 <rgdd> i don't have anything more on topic to add right now, will probably have some for future meetings tho! 16:41:54 <kpcyrd> h01ger: there's been more progress after that thread with help from Ariadne in #reproducible-alpine, unfortunately editing takes forever due to the 280 char limit on twitter 16:42:06 * vagrantc suspects 15UTC will work out at least for summer, come winter it will be increasingly difficult :) 16:42:12 <h01ger> kpcyrd: *g* 16:42:26 <h01ger> rgdd: cool, looking forward! 16:43:07 <h01ger> vagrantc: i can understand your desire for winter right now ;) (and surely we can discuss time changes.. just please not monthly ;) 16:43:47 <obfusk> so... I'd like to help out more with making packages reproducible, but unless I happen to come across a bug that looks like something I can help with, it's kind of hard to find something that *I* can help with. 16:44:00 <h01ger> obfusk: packages where? 16:44:14 <vagrantc> h01ger: i was more saying "this is working!" 16:44:18 <obfusk> h01ger: mostly Debian. 16:44:23 <h01ger> vagrantc: ah cool! :) 16:45:05 <h01ger> obfusk: you've read https://reproducible-builds.org/contribute/debian/ ? (it probably still needs more updating but its a start) 16:45:12 <vagrantc> obfusk: happy to discuss strategies to find and work on packages 16:45:37 <vagrantc> obfusk: i at least have a workflow that works for me ... i tend to do bursts of just finding and submitting patches 16:46:11 * h01ger is happy to give this 5min now but would like to close the meeting then. or close now and you discuss then? 16:46:11 <obfusk> h01ger: yes, but it's hard to narrow down the number of bugs to someting I can help with. 16:46:21 * obfusk is fine w/ either 16:47:34 * h01ger supposes vagrantc is typing and waits :) 16:48:31 <obfusk> vagrantc mentioned something about python sphynx docs but looking for that I mostly found packages w/ lots of other issues I would not be able to easily help with. 16:49:06 <lamby> Assuming the meeting is ending shortly, I'm going to have to go afk for a bit -- thanks for the meeting; am looking forward to the next one. o/ 16:49:17 <h01ger> lamby: o/ 16:49:20 <obfusk> o/ 16:49:30 * h01ger is giving vagrantc two more minutes before wrapping up 16:49:38 <rgdd> thanks for the meeting 16:49:42 <h01ger> you can start saying good-bye now :) 16:49:44 <rgdd> many new links for me to digest, v. helpful! 16:50:19 * h01ger is happy and thankful for the meeting and all the nice info and time! 16:51:14 <bmwiedemann> was a nice meeting. We might even talk more to each other before the next one :-D 16:52:01 <h01ger> :) 16:52:05 <h01ger> alright 16:52:11 <h01ger> thank you all! 16:52:15 <h01ger> #endmeeting