15:00:04 <h01ger> #startmeeting rb-general 15:00:04 <MeetBot> Meeting started Tue Jul 27 15:00:04 2021 UTC. The chair is h01ger. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:04 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 15:00:10 <h01ger> \o/ 15:00:26 <h01ger> welcome to this monthly meeting, please briefly introduce yourself or briefly update us on recent or planned projects 15:00:58 * h01ger = Holger Levsen, juggling jenkins/tests.r-b.o things as usual :) 15:01:19 <obfusk> o/ 15:01:20 <rclobus> Hi, I'm Roland Clobus, a Debian Contributor. I'm working on reproducible Debian live images 15:01:21 <h01ger> the full agenda for today is at https://pad.riseup.net/p/rb-irc-meetings-keep 15:01:25 * obfusk = Felix C. Stegerman | F-Droid core contributor | Debian & nixpkgs maintainer | Python/Haskell/web dev | they/them 15:01:56 <h01ger> the meetings are supposed to last between 1-2h, maybe rather an hour, but we have lots of time (just after 23-42m on one topic we move on anyway), though of course we aim to keep them short. the meetings are logged via https://meetbot.debian.net/reproducible-builds 15:02:14 <h01ger> #info anyone can leave information in the meetbot log like this 15:02:15 <raboof> o/ Arnout Engelen, Scala/JVM, Nix, pretty busy so no 'current projects' tbqh ;) 15:02:17 * lamby Chris Lamb, playing around with quite a few things but often returning to diffoscope and patching various parts of Debian. 15:02:31 * kpcyrd = kpcyrd | rebuilderd developer/maintainer | Reproducible Arch Linux and Alpine 15:02:31 <sangy> sangy = Santiago Torres-Arias | in-toto lead | Arch Security Person | Professor @ Purdue University | He/Him 15:03:48 <lamby> Nice to see you all. 15:04:10 * fepitre , Frédéric Pierret, Qubes OS project 15:04:55 * marmarek = Marek Marczykowski-Górecki, Qubes OS too 15:05:00 <h01ger> hello everyone. i'll wait 2-3 more minutes for people to introduce themselves and then we'll move on 15:05:21 * tobiaswiese student, currently mainly occupied with my exams 15:06:00 * bmwiedemann Bernhard M. Wiedemann, doing r-b fixes for openSUSE / SUSE 15:07:45 <h01ger> wheeehooo - glad to see so many nice folks around! 15:07:57 * vagrantc waves 15:07:57 <Ariadne> hi 15:08:04 <lamby> hey Ariadne 15:08:44 <h01ger> o/ 15:08:48 <h01ger> let's go 15:08:50 <h01ger> #topic short time slot for checkins from various projects: Debian: snapshot.d.o mirror status update (fepitre) 15:09:26 <fepitre> ok so I've added to snapshot api service a better to localize where is a package 15:09:36 <fepitre> https://github.com/fepitre/debian-snapshot#api-examples 15:09:59 <fepitre> you can better obtain info of which archive, suite, timestamp, component a package is 15:10:22 <h01ger> nice 15:10:23 <fepitre> this is still not finished because I'm not totally happy of how data are presented right now but any collaboration on that is welcomed 15:10:51 <sangy> fepitre: care to elaborate on what makes you unhappy about the data presented? 15:11:07 <fepitre> I would certainly try to simply json output 15:11:18 <h01ger> fepitre: can one simply replace snapshot.d.o URLs with your service? 15:11:19 <fepitre> on the same way I'm storing data in DB 15:11:36 <fepitre> archive-suite-component (list of range of timestamps) 15:12:06 <fepitre> the goal is to be able to implement metasnap feature of common timestamp for a buildinfo 15:12:14 <h01ger> ah 15:12:29 <h01ger> also to replace metasnap? 15:12:31 <fepitre> yes 15:12:40 <h01ger> (metasnap.debian.net) 15:12:41 <h01ger> cool 15:12:57 <fepitre> so right now it took weeks to provision a new DB to register every location that a package has seen 15:13:06 <sangy> fepitre: to make sure I understand. It seems there's a lot of duplication within the fileinfo object (i.e., there's a bunch of date ranges and a bunch of repeated data) is that right? 15:13:14 <kpcyrd> fepitre: do you store a full copy of everything on your snapshot service or just an index? :) 15:13:17 <fepitre> sangy, yes 15:13:19 <vagrantc> e.g. feed it a .buildinfo and it gives you the timestamp for the repository to use? 15:13:22 <h01ger> next topic? (aiming for short slots like 5min or so - we can always make this a bigger topic if needed though) 15:13:39 <h01ger> (happy to last this some more minutes though) 15:13:44 <fepitre> because a package for a given archive has "hole" in its history on snapshot, this is what josch highlighted 15:13:57 <sangy> fepitre: Got it. Just wanted to make sure I followed 15:14:14 <sangy> I can definitely take a look at this async. Happy to move on :) 15:14:19 <kpcyrd> (asking to get an idea on disk requirements) :) 15:14:24 <fepitre> kpcyrd, I store everything yes 15:14:38 <bmwiedemann> another topic: ismypackagereproducibleyet.org still looking for more data sources next to Debian, Arch, openSUSE 15:14:42 <fepitre> data + a DB with enough info to provide an usuable API 15:14:59 <h01ger> bmwiedemann: please add it to the pad 15:15:41 <fepitre> vagrantc, yes 15:15:56 <h01ger> kpcyrd: disk requirements were explained in the last meeting, you could check the log. something like 4tb atm.. 15:16:05 <kpcyrd> ok, thanks 15:16:09 <h01ger> shall we move on? 15:16:14 <fepitre> yep, another arches are coming. Done :) 15:16:20 <kpcyrd> fepitre: are you ok with people using your service? :) 15:16:23 <kpcyrd> like, public use 15:16:33 <h01ger> kpcyrd: yes 15:16:42 <kpcyrd> ok cool 15:16:43 <h01ger> there will be a better connected mirror, but yes 15:17:04 <h01ger> #topic short time slot for checkins from various projects: Debian: rebuilder status update (h01ger) 15:17:32 <h01ger> not too much has happened, https://pad.riseup.net/p/rebuilders%2Borchestration-tools got some updates after our last meetings 15:17:51 <h01ger> but hasnt been put on the website yet (to be discussed later) 15:18:26 <h01ger> one thing has happened though: i concluded to setup *both* rebuilderd implementations, the one from fepitre and the one from kpcyrd 15:18:41 <h01ger> and then we can see which we like better and if they produce the same results :) 15:19:06 <fepitre> h01ger, yes also I would love to have python-debian 1.40 in bullseye 15:19:06 <kpcyrd> note that rebuilderd is just a scheduler :) 15:19:23 <sangy> I've actually been meaning to bring up that there's a possibility to loop in the folks from tekton to have another scheduler 15:19:24 <h01ger> i'll certainly ask for help / document what i'm doing on #debian-reproducible... 15:19:43 <Ariadne> sangy: yes likely 15:19:56 <h01ger> fepitre: i think that ship has sailed. in bullseye-backports hopefully possible though 15:20:03 <fepitre> as package-rebuilder uses debrebuild, I would love to have some debrebuild release compatible with bullseye 15:20:11 <lamby> I can't believe how cheap a 4TB HDD is these days... :o 15:20:12 * h01ger done with updates on this topic.. 15:20:39 <h01ger> sangy: whats tekton? 15:20:49 <sangy> h01ger: tekton is a pipeline manager that works on top of kubernetes 15:21:12 * h01ger just ordered a external 4tb usb disc for 90€ (for a friends backup purposes, rb unrelated) 15:21:15 <sangy> it's v. extensible, so you can basically arrange it to build a rebuilder scheduler (that also manages the workloads) 15:21:18 <bmwiedemann> lamby: 12TB HDD for 280 EUR 15:21:51 <kpcyrd> I'm wondering if it'd make sense to rename one of the debrebuild's, we've had multiple srebuild in the past and that was confusing as well :) 15:21:53 <sangy> h01ger: not trying to go against any of the things that exist though. I love fepitre's and kpcyrd's work 15:22:03 <sangy> kpcyrd: +1 15:22:36 <fepitre> sangy, yes in fact I've used a very common orchestrator framework in python (celery) to have a standalone software doing all at once 15:22:36 <h01ger> kpcyrd: YES (renaming) 15:22:43 <Ariadne> i was originally planning to use tekton for alpine reproducibility testing, but … actually i’ll elaborate later :) 15:22:53 <fepitre> any other suggestion or workflow can be done 15:22:54 <lamby> bmwiedemann: madness! 15:22:57 <h01ger> shall we move on? 15:23:10 <vagrantc> please :) 15:23:32 <h01ger> (this is not the right topic to discuss various rebuilder implementations :) 15:23:43 <h01ger> #topic short time slot for checkins from various projects: Arch Linux: rebuilder status update (kpcyrd) 15:23:46 <h01ger> :) 15:24:28 <h01ger> kpcyrd: so how will you rename yours ;) 15:24:33 <h01ger> i mean, the stage is yours :) 15:24:36 <sangy> not sure if this is the place to talk about it, but one hesitation I've been having (from deploying rebuilders on NYU infra) is that there's no easy way to communicate workload information (e.g., expected memory, build time, cores) 15:24:37 <lamby> This is not directly related to the results on https://tests.reproducible-builds.org/archlinux/archlinux.html, right? 15:25:08 * h01ger thinks its more about https://reproducible.archlinux.org/ 15:25:10 <kpcyrd> https://reproducible.archlinux.org/ is still working fine, we've started classifying remaining un-reproducible packages and currently got 896 (54.37%) 15:25:29 <h01ger> kpcyrd: can you explain more about automatically classifying things? 15:25:29 <Ariadne> sangy: something fedora is considering is putting that information in the spec file 15:25:47 <bmwiedemann> sangy: for openSUSE packages, we have a _constraints file to describe required Disk, RAM, CPU, arch 15:26:03 <kpcyrd> most of it is due to haskell and because we currently don't set PYTHONHASHSEED=0 in our devtools 15:26:16 <sangy> Ariadne: that sounds like a good idea 15:26:27 <sangy> case in point, there's rebuilding going on here, but our poor cores.... http://reproducible-builds.engineering.nyu.edu/ 15:26:46 <sangy> I also would like to be able to limit worker resources in some sort of "native" way 15:26:56 <rclobus> Would 'export PYTHONHASHSEED=${SOURCE_DATE_EPOCH}' also make sense? 15:27:18 <bmwiedemann> rclobus: I had =42 and it caused some testsuites to fail 15:27:19 <sangy> bmwiedemann: do you have any info on this? 15:27:23 <lamby> sangy: Those are NYU-hosted semi-cloud nodes? 15:27:23 <h01ger> sangy: please stop the side discussion... (and add it to topic if there's more to discuss on the topic) 15:27:36 <kpcyrd> h01ger: it's not automated (except the ^haskell- packages), it's a script that takes a random unclassified package, opens a diffoscope in your browser and generates note until you enter an empty line, then opens the next diffoscope 15:27:37 <sangy> lamby: yeah, these are on the internal NYU servers 15:27:47 <obfusk> rclobus: I've used that for python-for-android 15:27:49 <sangy> h01ger: oh, I thought it was part of the rebuilderd discussion? 15:27:51 <h01ger> kpcyrd: ah 15:28:27 <h01ger> can we please stay on topic. following three discussions at once on three topics is a bit hard on the brain :) 15:28:43 <bmwiedemann> sangy: I have an example: https://build.opensuse.org/package/view_file/openSUSE:Factory/chromium/_constraints 15:28:48 <h01ger> kpcyrd: are you done with updates on the arch rebuilder? 15:28:50 <sangy> my bad, I thought i was being on topic 15:28:52 <kpcyrd> rclobus: yes, but 0 works too, this currently has to be set in every package until there's a decision by the devtools devs 15:29:26 <kpcyrd> the NYU ones are Arch Linux rebuilders too :) 15:29:29 <h01ger> kpcyrd: next topic? 15:29:48 <kpcyrd> in case I didn't miss anything in the backlog - yes 15:29:53 <h01ger> #topic short time slot for checkins from various projects: rebuilderd: status update (kpcyrd) 15:30:15 <kpcyrd> there's quite a bit of overlap between the topics 15:30:19 * h01ger nods 15:30:26 <sangy> ah, now I see 15:30:28 <h01ger> happy to move on if everything has been said already 15:30:38 <kpcyrd> we're currently desperatly looking for more _independent_ people running rebuilders :) 15:30:50 <sangy> so I'll add that we should be expecting one from Purdue university by end of August 15:30:55 <sangy> I want to host kpcyrd, and fepitre's 15:31:00 <h01ger> sangy: nice! 15:31:09 <h01ger> & same here :) (tests.r-b.o) 15:31:09 <sangy> also, I don't have access to NYU's anymore, so we're independent now :D 15:31:10 <kpcyrd> I think jelle (currently on vacation) currently knows best what kind of resources people would need 15:31:24 <kpcyrd> sangy: yey! 15:31:44 <h01ger> #info https://github.com/kpcyrd/rebuilderd 15:32:03 <h01ger> next topic then? 15:32:25 <kpcyrd> something I strongly suggest when running rebuilderd is using two instances, one for results, one for builds 15:32:42 <kpcyrd> the api on the NYU one is very slow sometimes for example 15:32:45 * h01ger hopes this is documented in the README :) 15:33:18 <sangy> kpcyrd: yeah, I think that's where the issue lies. I want to figure out a way to use all 96 cores for builds though. That's why I'd like to have the scheduler be able to control workload limits 15:33:54 <vagrantc> kpcyrd: what do you mean by "results" and "builds" ? 15:35:11 <sangy> vagrantc: so rebuilderd has a web view to report resuilts, and then a backend that schedules builds. So schedule the builds somewhere else, and host the web-view in something that doesn't get hit by workers clogging the CPU 15:35:16 <kpcyrd> vagrantc: reproducible.archlinux.org runs on a 3€/month VPS and is just keeping track of everything, the build servers should be external so they don't impact the api if they start swapping 15:36:00 <vagrantc> got it, thanks for clarifying :) 15:36:06 <kpcyrd> you're welcome :) 15:36:44 <h01ger> then.. 15:36:47 <h01ger> #topic short time slot for checkins from various projects: Alpine Linux: status update (Ariadne) 15:37:30 <Ariadne> alpine reproducibility effort is starting to ramp up… kpcyrd’s work on making the raspberry pi installation image reproducible is starting to land in upstream components (for example apk indices are now reproducible) 15:37:54 <h01ger> very nice! 15:38:02 <Ariadne> there’s a couple of patches still pending on that but then all install media (except ISOs) should be reproducible 15:38:23 <lamby> Ah, apk indices are included on install media? 15:38:39 <Ariadne> .buildinfo support is headed for abuild as well 15:38:51 <sangy> dang, nice job! 15:38:57 <h01ger> https://reproducible-builds.org/projects/who#Alpine currently links to https://tests.reproducible-builds.org/alpine/alpine.html but that page hasnt been really updated since april 2020... 15:39:20 <h01ger> is there a more current url of these effors? (either tests, or documentation or ...) 15:39:23 <kpcyrd> lamby: not the full index, but the packages that get baked into the install medium get tracked in an APKINDEX :) 15:39:23 <Ariadne> lamby: yes, we create a minirepo on the install media, and then use that to install a live environment into tmpfs 15:39:37 <lamby> Cool 15:39:52 <Ariadne> i think debian media have similar indices to support cdebootstrap 15:40:49 <Ariadne> h01ger: i’ve no idea who set up or runs that URL, but we are working issues in #alpine-reproducible on OFTC 15:41:24 <h01ger> kpcyrd and myself worked on that url a while ago 15:41:37 <Ariadne> anyway once the buildinfo stuff is merged into abuild we will set up a rebuilder and all that :) 15:41:44 <Ariadne> probably next month i would guess 15:41:59 <h01ger> :thumbsup: 15:42:06 <Ariadne> and that’s about it 15:42:42 <Ariadne> so you can next topic if you want :) 15:42:44 <h01ger> Ariadne: https://salsa.debian.org/reproducible-builds/reproducible-website/-/blob/master/_data/projects.yml#L1 is what you want to update one day 15:42:54 * h01ger nods, thank you! 15:43:09 * h01ger waits for 60secs for questsions 15:43:12 <h01ger> -s 15:43:35 <h01ger> #topic short time slot for checkins from various projects: Debian live-build (rclobus) 15:43:47 <rclobus> I've written a summary to the mailing list: https://lists.reproducible-builds.org/pipermail/rb-general/2021-July/002303.html 15:44:07 <h01ger> :thumbsup: :) 15:44:10 <fepitre> rclobus, are you already using my snapshot instance? 15:44:23 <rclobus> In short: all regular images (except for cinnamon) are reproducible, then though I only tested standard, GNOME and KDE. 15:44:30 <rclobus> fepitre: Not yet. 15:44:54 <rclobus> First I wanted to add artifacts, so the ISO files could be downloaded for later inspection. 15:44:59 <vagrantc> that's a pretty comprehensive set to test 15:45:18 <rclobus> Due to some oversight, I managed to fill /tmp on the Jenkins master node... Oops! 15:45:26 <h01ger> does 'comprehensive' mean 'small' or 'inclusive' here? 15:45:50 <fepitre> rclobus, sure, don't hesitate to ping me, I look at any issue and help into solving them (if exists) 15:45:56 <rclobus> The set contains the configuration of all current Debian Live images 15:45:58 <vagrantc> h01ger: complete ? 15:46:10 <vagrantc> h01ger: or ... nearing complete 15:46:41 <h01ger> vagrantc: thanks :) 15:47:02 <rclobus> At this moment, I see a non-reproducibility that can be reproduced with PERL_HASH_SEED. 15:47:18 <rclobus> And for some reason diffoscope quit on Jenkins, but not on my computer 15:47:22 <rclobus> Anyway, 15:47:31 <vagrantc> rclobus: really excited to see this work :) 15:47:58 <kpcyrd> +1 15:48:06 <rclobus> the artifacts are disabled for the moment, but I'm planning to reintroduce that feature. But this time without risk of filling all drives on the Jenkins nodes 15:48:10 * h01ger too - just unhappy about the debian live situation in general, but thats unrelated/offtopic here (though i'd be happy to explain in a unlogged situation...) 15:48:30 <h01ger> next topic? 15:48:33 <rclobus> Yes. 15:48:51 <h01ger> #topic short time slot for checkins from various projects: https://ismypackagereproducibleyet.org looking for more datasources ( bmwiedemann ) 15:49:56 <kpcyrd> bmwiedemann: the datasource you want to use for Arch Linux is probably https://reproducible.archlinux.org/api/v0/pkgs/list :) 15:50:25 <obfusk> kpcyrd: arch seems to be included already 15:50:38 <vagrantc> bmwiedemann: what data sources do you have currently? 15:51:17 <kpcyrd> obfusk: it's using a different datasource though: https://ismypackagereproducibleyet.org/?pkg=rebuilderd&query=query 15:51:52 <obfusk> ah. 15:52:11 <vagrantc> maybe cbaines knows something that could be used to query guix ? 15:52:33 <h01ger> and someone else nix? 15:52:53 <obfusk> I have no idea how the nix RB infrastructure works, but (as a nix package maintainer) I'd be happy to help :) 15:53:24 <h01ger> seems we lost bmwiedemann :/ 15:53:28 <bmwiedemann> ah, back 15:53:29 <Foxboron> I don't think there is any easy API for it? cc gchristensen 15:53:34 <h01ger> bmwiedemann: ah hi :) 15:53:41 <bmwiedemann> we have Arch, openSUSE, Debian 15:54:16 <raboof> we don't currently check reproducibility of the whole nixpkgs, so we'd either have to publish partial results from something like https://r13y.com/iso_gnome or make progress on https://github.com/tweag/trustix 15:54:31 <gchristensen> 1. our build infrastructure at hydra.nixos.org has rudimentary support for reproducibility checking, but it is mostly POC-grade. r13y.com is a smallish wrapper around Nix that substitutes the binaries, then does a check build locally of each one, and publishes the report. it does this via buildkite on a schedule 15:54:42 <bmwiedemann> the arch data is a bit optimistic, as it reports packages as reproducible if there is one reproducible subpackage 15:54:43 <gchristensen> not sure what the API would look like but happy to talk about one 15:55:25 <bmwiedemann> raboof: partial results would be a good start. everyone has different packages anyway 15:55:29 * h01ger is reminded of https://m.xkcd.com/2494/ :) 15:55:32 <vagrantc> oh, this isn't looking as good as it used to: https://data.guix-patches.cbaines.net/repository/2/branch/master/latest-processed-revision/package-reproducibility 15:55:36 <h01ger> (flawed data) 15:56:12 <h01ger> shall we move on and leave the details here for later? 15:56:36 <h01ger> (bmwiedemann) 15:57:07 <bmwiedemann> gchristensen: I import json data about packages. You can check the sources for data from others. 15:57:11 <bmwiedemann> OK to move on. 15:57:28 <h01ger> ok 15:57:33 <h01ger> #topic short time slot for checkins from various projects: F-Droid (obfusk) 15:58:46 <obfusk> we now have 1 more app that uses signatures embedded in the metadata: Bitcoin Wallet 15:59:12 <vagrantc> this is a good or bad thing? :) 15:59:20 <obfusk> vagrantc: good. 15:59:24 <h01ger> nice. is there a list of those apps? a way to only show these in the fdroid ui? 15:59:41 <vagrantc> obfusk: the signature is only in metadata, not in the artifact the end-user installs? 15:59:56 <obfusk> https://f-droid.org/docs/Reproducible_Builds/ 16:00:08 * sangy needs to step out now. Pleasure everyone 16:00:15 <h01ger> sangy: o/ 16:00:24 <obfusk> we support 1) link to a published official APK. if it's "equal" we only publish that 16:00:52 <obfusk> and 2) extract APK signatures and embed them in our metadata repository. 16:01:28 <obfusk> in that case we copy the sigs to the unsigned apk to generate the published official APK. 16:01:54 <obfusk> if that verifies it's reproducible and we publish both that and - as usual - an APK signed by f-droid itself. 16:02:32 <obfusk> so that combines both our normal built-and-signed-by-us and provided-by-developer-and-guaranteed-to-correspond-to-source 16:02:47 <h01ger> obfusk: i have "vlc" installed from fdroid. how can i see if thats reproducible? 16:03:10 <obfusk> h01ger: it's not :( 16:03:26 <obfusk> you can check the metadata for Binaries: or a signatures/ directory 16:03:32 <obfusk> you can also see it on the website. 16:03:40 <obfusk> e.g. https://f-droid.org/en/packages/de.schildbach.wallet/ 16:04:01 <obfusk> "It is built and signed by F-Droid, and guaranteed to correspond to this source tarball." + " It is built and signed by the original developer." 16:04:43 <h01ger> ok, so i need to search for a url somehow and then look for a string there ;) 16:04:45 <obfusk> ony of my own apps had some build issues which have been fixed now. it's not published yet, though so it *could* still fail :') 16:05:12 <obfusk> https://f-droid.org/packages/dev.obfusk.jiten will hopefully show v1.1.0 soon 16:05:23 <obfusk> (CI passed though) 16:05:29 <h01ger> allright, thanks for the updates! move on? 16:05:35 <obfusk> not yet :) 16:05:41 <obfusk> (I'll try to be brief) 16:05:44 <h01ger> ok! 16:06:32 <obfusk> I also decided today to look into supporting verifying signed git tags from upstream repos soon. 16:06:39 <obfusk> and finally: 16:06:56 <obfusk> (related to Android but not F-Droid directly) 16:07:30 <obfusk> starting next month google play will require developers to use "app bundles" instead of APKs (for now apps). which means they need to hand over their signing keys to google. 16:07:43 <obfusk> they do provide "code transparency" (https://developer.android.com/guide/app-bundle/code-transparency) 16:08:03 <lamby> obfusk: Huh. What's the reason for that change? 16:08:31 <obfusk> which is a very weak form of RB that doesn't check anything but binary code and doesn't actually check anything by default on install time. can only be done manually. 16:08:50 <vagrantc> egads! 16:09:10 <obfusk> lamby: I assume b/c it allows google to build multiple APKs specifically targeted to devices from the app bundle it saves them bandwith. 16:09:17 <obfusk> of course it also gives them a lot more control. 16:09:30 <vagrantc> "hand over your signing keys" sounds like a huge you're doing it wrong 16:09:55 <obfusk> vagrantc: well... technically f-droid does that too. except there's no "hand over", just *signed by us* 16:10:15 <h01ger> the url given states "It uses a code transparency signing key, which is solely held by the app developer." 16:10:19 <vagrantc> obfusk: that's fine and honest ... 16:10:42 <obfusk> h01ger: yes. but that's only for that *optional* and incomplete feature 16:10:51 <h01ger> ic 16:11:05 <obfusk> https://developer.android.com/guide/app-bundle/ 16:11:20 <h01ger> shall we move on? (discussing android/google politics is kinda offtopic here and now ;) 16:12:36 <obfusk> yes. 16:12:42 <h01ger> ok 16:12:52 <h01ger> thats for all the 'short' updates! :) 16:13:00 * h01ger learned a lot 16:13:04 <h01ger> #topic r-b ecosystem (lamby) 16:13:22 <lamby> Thanks 16:13:48 <lamby> This is mostly just a reminder and pointer to check out the "Help us map the reproducible builds ecosystem" thread on our mailing list 16:13:49 <lamby> https://lists.reproducible-builds.org/pipermail/rb-general/2021-July/002302.html 16:14:13 <lamby> The background is not too extensive, but probably doesn't make sense to simply repeat it here on IRC 16:14:55 <h01ger> #info https://pad.riseup.net/p/rbecosystemmapping-keep 16:15:10 <obfusk> lamby: I just added python-for-android 16:15:34 <lamby> One thing folks here can easily do is see if their project, organisation, goal or initiative is covered there. 16:15:35 <lamby> And if not, simply add it: no need to be "pretty", we can always go through and tidy it up later. 16:15:38 <lamby> obfusk: perfect, thanks 16:16:29 <obfusk> lamby: should I add apksigcopier? 16:16:41 <h01ger> yes please :) 16:16:45 <lamby> obfusk: Sure, yes. 16:16:51 * fepitre has to leave. thank you and see you soon 16:16:58 <h01ger> fepitre: o/ 16:16:58 <lamby> Do err on the side of adding "too much", if anything 16:17:02 <lamby> cheerio, fepitre 16:18:11 <h01ger> anything else on this topic? 16:18:29 <lamby> Nothing more from me, at least 16:18:45 <kpcyrd> lamby: there's a bit of overlap between that pad and https://pad.riseup.net/p/rebuilders%2Borchestration-tools :) 16:19:02 <lamby> Ah, that's a good spot. I'll add a link from one to the other. 16:19:46 <Ariadne> i linked that pad to some folks who i know to be funding RB work, to see if they want to add themselves 16:20:28 <lamby> Ariadne: 👍👍 16:21:02 <h01ger> ok, lets move on 16:21:06 <h01ger> # topic r-b.o/docs/verification.md or rebuilding.md (h01ger) 16:21:14 * raboof has to leave o/ 16:21:20 <h01ger> so i want to document https://pad.riseup.net/p/rebuilders%2Borchestration-tools properly, on our website 16:21:22 <h01ger> raboof: o/ 16:21:51 <h01ger> i'm just unsure whether to use r-b.o/docs/verification.md or rebuilding.md or something else. or both? 16:22:11 <h01ger> (and that page needs text too, not just links like the pad has right now) 16:23:07 <h01ger> what do you think? 16:23:29 <obfusk> h01ger: semi-related (and I forgot this earlier): https://verification.f-droid.org/ (https://f-droid.org/docs/Verification_Server/) 16:24:10 <kpcyrd> rebuilding.md would be "I want to run an independent build server" and verification.md would be "I'm a user, how do I ensure the package has been independently verified"? 16:24:23 <kpcyrd> *the package I'm about to install 16:24:46 <h01ger> thats a nice distinction 16:25:01 <obfusk> kpcyrd: that was my thought as well :) 16:26:20 <h01ger> ok, i can work with that. :) next topic then? 16:26:41 <h01ger> (i'll prepare those pages, half empty at first...) 16:27:58 <h01ger> #topic Any Other Business (AOB) 16:28:03 <h01ger> #topic Any Other Business (AOB) - Setting PYTHONHASSEED/PERL_HASH_SEED in reprotest (rclobus) 16:28:13 <h01ger> (we can have more AOB topics...) 16:28:33 <rclobus> I have a question about this: can we enforce e.g. the reverse ordering of hashes? 16:28:58 <rclobus> i.e. to guarantee a difference when the scripts runs for the second time? 16:29:29 <lamby> Hm. So I did a patch for this years ago, but IIRC it was rejected by upstream... 16:29:56 <lamby> For Python. 16:29:59 <rclobus> Because occasionally, the results are reproducible, when the second build is run. 16:30:00 <kpcyrd> I feel like I'm missing context :) 16:30:06 <rclobus> Context: 16:30:18 <rclobus> I'm running a Perl script, that contains a hash. 16:30:28 <rclobus> That uses a 'foreach' to list all elements 16:30:38 <rclobus> According to the docs, the hash order is undefined. 16:31:01 <kpcyrd> "hash" as in "set" instead of "cryptographic hash", right? :) 16:31:07 <obfusk> kpcyrd: yes 16:31:08 <obfusk> fwiw: python dicts (hashes) now preserve insertion order (sets don't) 16:31:20 <kpcyrd> I see, thanks 16:31:24 <obfusk> kpcyrd: key->value mapping 16:31:29 <rclobus> With PERL_HASH_SEED, we can enforce the order, but we cannot be certain that a different seed value will *certainly* result in a different order. 16:32:15 <rclobus> So, by accident, we might declare the script reproducible, even though it isn't. 16:33:17 <obfusk> rclobus: I would assume this only happens when the seed is not properly set though? 16:33:29 <obfusk> or am I missing a scenario? 16:33:51 <kpcyrd> rclobus: I wouldn't worry too much about this, if it's a problem it's going to show up in the wild given enough rebuilders :) 16:34:04 <h01ger> what kpcyrd says 16:34:16 <h01ger> also, if we can reproduce something, we can reproduce it :) 16:34:20 <obfusk> and the python situation is much improved now that dicts preserve insertion order. 16:34:22 <rclobus> kpyrd: Ok, I'll stop worrying :-) 16:34:38 <vagrantc> you can prove something is unreproducible, you can't prove it is reproducible 16:34:41 <kpcyrd> a rebuilder confirms "I've built the binary artifact out of this source input", it doesn't matter if it needs multiple tries (first try is still nice though) 16:35:14 <h01ger> (i disagree with the last 'it doesnt matter' but i'm fine to disagree here and now :) 16:35:40 <h01ger> (basically: it matters but not much) 16:35:41 <obfusk> (it's ok if) 16:35:42 <h01ger> #topic Any Other Business (AOB) - Setting PYTHONHASSEED/PERL_HASH_SEED in reprotest (rclobus) 16:35:47 <h01ger> bah, sorry 16:35:53 <h01ger> any other topic? 16:36:01 <vagrantc> last call 16:36:17 <lamby> None here. :) 16:36:22 <obfusk> h01ger: did you see my links to the f-droid verification server? 16:36:39 <h01ger> obfusk: yes 16:36:46 <obfusk> (so e.g. vlc is indeed not reproducible, not just not officially) 16:37:03 <obfusk> ack 16:37:08 <h01ger> obfusk: i wasnt asking about vlc i was asking about a general way to find out whether an fdroid app is reproducible 16:37:14 <h01ger> vlc was just an example 16:37:18 <rclobus> ; leaves now. Thanks for the meeting. 16:37:20 <obfusk> h01ger: I know :) 16:37:25 <obfusk> o/ 16:37:25 <h01ger> rclobus: o/ 16:37:46 <h01ger> obfusk: i didnt receive an answer to that general question though :) 16:38:00 <h01ger> maybe s#receive#understand# ;) 16:38:04 <vagrantc> i need to prod people giving talks related to reproducible-builds at the upcoming debconf to know what's up :) 16:38:09 <vagrantc> meant to ask on the list 16:38:14 <obfusk> https://verification.f-droid.org/ -> "This is the Verification Server for https://f-droid.org. It rebuilds apps from source that were built by f-droid.org and checks that the results match. If they match, then there is a file named *.verified.txt added next to the APK that was verified. If not, then there is output from diffoscope in HTML and text." 16:38:30 <vagrantc> and would also be curious if anyone is giving talks at any upcoming conferences related to reproducible builds 16:38:31 <obfusk> (the .txt seems to be missing, but there's a verified: in a .json) 16:38:48 <h01ger> vagrantc: maybe we should discuss merging out talks? 16:39:19 <vagrantc> i got the impression there were maybe also other talks 16:39:36 <vagrantc> h01ger: yeah, maybe we merge ... 16:39:48 <vagrantc> h01ger: but maybe take it outside the "meeting" 16:40:07 <obfusk> h01ger: e.g. https://verification.f-droid.org/org.videolan.vlc_13030408.apk.json -> verified: false 16:40:42 <h01ger> obfusk: https://verification.f-droid.org/ indeed has the info, i'm just not impressed with the different names there "org.vi_server.red_screen_2" compared to how the app is called on the device user facing.. 16:40:47 <h01ger> vagrantc: yeah 16:41:08 <h01ger> obfusk: the app is called 'vlc' not 'org.videolan.vlc_13030408' ;p 16:41:27 <h01ger> anyhow, any other topic or should we finish this meeting for today? 16:41:34 <obfusk> h01ger: yes. 16:41:42 <obfusk> but https://f-droid.org/packages/org.videolan.vlc/ -> https://f-droid.org/repo/org.videolan.vlc_13030408.apk 16:41:56 <h01ger> org.videolan.vlc != vlc 16:42:01 <obfusk> but a nice api would be fine 16:42:07 <h01ger> but i'm repeating myself :) 16:42:22 <obfusk> s/fine/nice/ 16:42:28 <h01ger> :) 16:42:38 <h01ger> #topic closing time 16:42:44 <vagrantc> thanks all! 16:42:50 <obfusk> thanks! 16:42:50 <lamby> Thanks for arranging and running the meeting, h01ger. Looking forward to the next one... 16:42:52 <h01ger> unless someone has a very last topic... 16:43:10 <h01ger> #info next meeting will be Tuesday, 31st of August at 15 UTC, here 16:43:28 <h01ger> thank you all! it's been a pleasure and quite informative! 16:43:33 <h01ger> o/ 16:44:11 <obfusk> o/ 16:44:14 <obfusk> vagrantc: last meeting you suggested you could help me with my "how do I find debian packages I can help with problem"... 16:44:17 <tobiaswiese> o/ 16:44:26 <vagrantc> obfusk: oh, i did, didn't i :) 16:44:32 <obfusk> h01ger: should I add the android app bundle stuff to the report or is that OT? 16:44:53 <h01ger> obfusk: add anything to the report, lamby is a great editor :) 16:44:56 <vagrantc> obfusk: now might not be a great time for me ... but maybe sometime thursday? 16:45:01 <h01ger> "anything" obviously :) 16:45:18 <obfusk> what? no fanfiction? 16:45:35 <h01ger> \o 16:45:38 <h01ger> #endmeeting