#reproducible-builds log

14:59:48 <h01ger> #startmeeting
14:59:48 <MeetBot> Meeting started Tue Aug 31 14:59:48 2021 UTC.  The chair is h01ger. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:59:48 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:00:04 <h01ger> #topic welcome to this monthly meeting, please briefly introduce yourself or update us on recent or planned projects
15:00:18 <lamby> hey hey
15:00:20 <h01ger> info: agenda is at https://pad.riseup.net/p/rb-irc-meetings-keep
15:00:21 <lamby> I am back with tea
15:00:28 <h01ger> hey, ho, let's go!
15:00:48 * h01ger waves with coffee (and sandwhich needing finishing touches..)
15:00:53 <rgdd> hello!
15:01:06 * h01ger = Holger Levsen, working on tests-r.b.o and other stuff
15:01:15 <lamby> The finishing touch on a sandwich is to eat it
15:01:19 <rgdd> anyone have a matrix link to this channel?
15:01:25 <rgdd> have a colleague that wants to join!
15:01:27 <sangy> sangy = Santiago Torres-Arias, working on overall supply chain security. Happy to be here!
15:01:53 <h01ger> rgdd: i'm afraid there is none, but there is webchat.oftc.net
15:02:05 * lamby = Chris Lamb, working on diffoscope, various package and toolchain fixes in/around Debian, misc bits of publicity etc. etc
15:02:12 <rgdd> h01ger: tanks!
15:02:15 <rgdd> thanks*
15:02:31 * rclobus = Roland Clobus, working on live-build ISO images
15:02:41 * fepitre from Qubes OS :)
15:03:03 <h01ger> please check whether the agenda at https://pad.riseup.net/p/rb-irc-meetings-keep misses anything important. this intro topic will continue for 3 more minutes or so
15:03:12 <rgdd> rgdd = Rasmus Dahlberg, PhD student at Karlstad University, software engineer at Mullvad VPN. Working on transparent logs and more :)
15:03:19 * obfusk = Felix C. Stegerman | F-Droid core contributor | Debian & NixOS package maintainer | bugfixer | former FSFE deputy coordinator .nl | #python #haskell | they/them
15:03:34 <h01ger> #save
15:03:39 * kpcyrd = kpcyrd, rebuilderd and reproducible builds for multiple distros
15:04:06 <h01ger> for those who joined later, backlog is at http://meetbot.debian.net/reproducible-builds/2021/reproducible-builds.2021-08-31-14.59.html (incl full log)
15:04:27 * Cadero = Robert Arkenklo, infrastructure engineer at mullvad VPN, working on System Transparency and more
15:05:06 <kfreds> kfreds = Fredrik Strömberg. Cofounder of Mullvad VPN and team lead of Trustworthy Computing Research at Mullvad. Working on System Transparency, www.sigsum.org, PADSEC, and lots of other stuff TBA.
15:05:36 <lamby> hey, mullvad folks
15:05:46 <Cadero> lamby: o/
15:05:48 <h01ger> very nice to see new and old faces :)
15:05:52 <kfreds> Hi!
15:05:52 * Foxboron = Morten Linderud, Arch Linux reprobuilds, misc supply chain topics (verified boot, transparency logs)
15:07:27 <h01ger> allright, thanks for those introductions, lets move on & those arriving later can still introduce themselves :)
15:07:41 <h01ger> #topic     short time slot for checkins from various projects
15:08:13 <h01ger> these really should be short updates, if there's more too discuss maybe better make a seperate topic (only..)
15:08:22 * jelle = Jelle van der Waa, Arch Linux reproducible builds
15:08:25 <h01ger> so 3-5min each or less
15:08:47 <h01ger> #topic short time slot for checkins from various projects: DebConf21 quick infos
15:09:11 <h01ger> last week DebConf21 online took place and we had three talks related to r-b there
15:09:27 <h01ger> info: all 3 debconf21 talks are linked at https://reproducible-builds.org/resources/
15:09:52 <lamby> \o/
15:10:04 * Foxboron realized he needs to add his talks to the page
15:10:18 <h01ger> the talks where about r-b in general and debian (mine), about r-b going into more detail (vagrants) and about a new snapshot.d.o mirror (fepitre & josch)
15:10:36 <h01ger> Foxboron: that was part of the reason i added this subtopic ;)
15:10:57 <h01ger> nothing else to say from me on this, i hoped you enjoyed debconf21! :)
15:11:38 <rrnewton> [Introduction, since late ones are allowed] rrnewton = Ryan Newton. I'm representing a few teams at FB interested in reproducible builds.
15:11:38 <rrnewton> More context: We previously presented some research on reproducible containers at the Repro builds summit 2019, and a couple times on the mailing list:
15:11:38 <rrnewton> https://lists.reproducible-builds.org/pipermail/rb-general/2020-February/001833.html
15:11:38 <rrnewton> Now we're working on similar topics @ Facebook and interested in engaging with the broader community.
15:12:11 <h01ger> rrnewton: oh, cool & welcome here!
15:12:15 <h01ger> #topic short time slot: Debian: snapshot.d.o mirror status update
15:12:26 <h01ger> fepitre: ^ your time slot :)
15:12:29 <fepitre> thank you
15:12:47 <lamby> rrnewton: Oh hey, I didn't know you folks were @ FB. I remember talking to some folks at FB a couple of years ago...
15:12:50 <fepitre> so current running snapshot service is working as expected: a full debian rebuild is in progress thanks to that service
15:13:00 <Foxboron> fepitre: \o/
15:13:21 <h01ger> s#the talks where about r-b in general and debian (mine)#the talks where about r-b status in several projects and debian (mine)# - i really should know better how to describe my talk ;)
15:13:38 <fepitre> the status is here: https://debian.notset.fr/rebuild/results/
15:13:49 <fepitre> for the rebuild of most of core package sets
15:14:14 <fepitre> and in-toto metadata are here: https://debian.notset.fr/rebuild/sources/
15:14:38 <h01ger> fepitre: nice! i can also add: we got two offers for more disksspace now so in the mid future or so we will have all archs, not only amd64. but this needs work, not hw offers :) (and lets not discuss those offers here and thank you for offering :)
15:15:30 <h01ger> fepitre: anything else to add or next topic?
15:15:37 <fepitre> I hope to be able to build a minimal debian with only reproducible builds package verified soon.
15:15:45 <h01ger> #info the status is here: https://debian.notset.fr/rebuild/results/
15:15:47 <fepitre> else that's all for me now :)
15:15:55 <h01ger> #info in-toto metadata are here: https://debian.notset.fr/rebuild/sources/
15:16:02 <h01ger> fepitre: awesome!
15:16:28 * h01ger waits 30-60sec for other comments||questions
15:16:53 <rclobus> fepitre: You also recently added the installer section and udebs. And extended the API to include 'latest' snapshot date.
15:16:58 <fepitre> ah and the next dedicated server is almost available
15:17:18 <h01ger> :))
15:17:24 <h01ger> #topic short time slot: Debian: rebuilder status update
15:18:12 <h01ger> there's no update, so 'skip'. next month there should be an update
15:18:43 <h01ger> #topic short time slot: Arch Linux: rebuilder status update
15:18:47 <h01ger> kpcyrd: ^
15:19:31 <kpcyrd> We made some progress on python bytecode, we're still mostly addressing upstream issues at this point
15:19:47 <kpcyrd> the python bytecode patch didn't land yet, it was proposed for pacman 6.0.1 though
15:19:54 <lamby> Fixing upstream stuff is good :)
15:19:59 * h01ger also liked what he read in https://vulns.xyz/2021/08/monthly-report/ about it :)
15:20:10 <kpcyrd> :)
15:20:34 <lamby> #info https://vulns.xyz/2021/08/monthly-report/
15:20:54 <h01ger> (btw, i've concluded that i want to setup both rebuilderd implementations and verify that their results (for Debian) match ;)
15:20:56 <kpcyrd> a "minimal arch linux install" according to the wiki is "base + linux + linux-firmware", all of them are reproducible besides the kernel
15:21:19 <h01ger> (both=the one from kpcyrd and the one from fepitre) & not write a third ;)
15:21:21 <jelle> kpcyrd: perl too now?
15:21:29 <h01ger> kpcyrd: wheehoo!
15:21:34 <kpcyrd> jelle: is perl part of base? :o
15:21:35 <obfusk> kpcyrd: any progress w/ reproducible *unoptimised* bytecode upstream?
15:21:42 <jelle> kpcyrd: can't recall.. honestly
15:21:48 <h01ger> kpcyrd: with what installer?
15:21:59 <h01ger> or how do you get base?
15:22:08 <jelle> h01ger: with pacman basically :)
15:22:13 <h01ger> hehe, ok
15:22:24 <jelle> kpcyrd: maybe also note that ghc issue you find a while ago?
15:22:30 <kpcyrd> h01ger: the official install instructions: https://wiki.archlinux.org/title/Installation_guide#Install_essential_packages
15:22:33 <h01ger> lets not get too much into details here, these should be short time slots
15:22:36 <jelle> ok :)
15:22:37 <h01ger> kpcyrd: wow, nice
15:22:55 * jelle wants the ghc debug issue to be fixed /o\
15:23:04 <h01ger> (there is a ghc subtopic for 'any tother business' at the end of the meeting)
15:23:05 <kpcyrd> obfusk: I didn't look into optimized/unoptimized bytecode only what's distributed in arch
15:23:23 <h01ger> next short slot?
15:23:38 * kpcyrd checks if there are any missed questions
15:23:46 * h01ger holds the line
15:24:03 <kpcyrd> next slot? :)
15:24:18 <h01ger> kpcyrd: subtile difference! :)
15:25:21 <kpcyrd> Joy Liu finished her GSoC project for in-toto integration with rebuilderd, there's an open PR to upstream it.
15:25:48 <kpcyrd> I'm currently still waiting but will just merge and fix it up myself in case I don't hear back :)
15:26:22 <kpcyrd> sangy submitted some fixes for debrebuild integration and the docker-compose setup should be somewhat working now
15:26:51 <h01ger> nice. sangy++
15:27:02 <kpcyrd> although debian support isn't finished yet and running archlinux-repro in docker is tricky
15:27:19 <kpcyrd> that's mostly it :)
15:27:34 <lamby> neat
15:27:41 <h01ger> sangy: are you running it on debian or arch?
15:28:08 <kpcyrd> the NYU rebuilder runs on debian afaik
15:28:14 * raboof = Arnout Engelen, NixOS & JVM stuff, and late :D
15:28:19 <sangy> sorry I'm trying to remember the name
15:28:31 <sangy> wait, yes, it's a xen host on arch, and we are going to set up workers for both, arch and debian
15:28:56 <h01ger> raboof: hi and backlog is at http://meetbot.debian.net/reproducible-builds/2021/reproducible-builds.2021-08-31-14.59.html
15:28:58 <h01ger> #save
15:29:12 <h01ger> sangy: neat.
15:29:20 <h01ger> and next topic, i suppose? :)
15:29:30 <kpcyrd> if there are no questions, yes
15:30:03 * h01ger nods and waits and bites his sandwhich
15:30:44 <h01ger> Ariadne: ^
15:31:11 <Ariadne> there's nothing to report yet, we are still working on the integration of buildinfo data into abuild
15:31:48 <Foxboron> Ariadne: is that feature written up anywhere?
15:31:49 <Ariadne> will likely be proposed for merged into next abuild version
15:31:53 * h01ger nods
15:32:01 <Ariadne> s/merged/merge/
15:32:03 <lamby> (oh hey Ariadne)
15:32:17 <h01ger> we'll also discuss .buildinfo data later in this meeting (about .buildinfo data for debian live images)
15:32:26 <Ariadne> (sorry, i am in two meetings at once :D)
15:32:37 <lamby> haha
15:32:46 <h01ger> Ariadne: you're doing well (double featuring)
15:33:29 <h01ger> so there's a patch for abuild but it hasnt been produced for official merging yet?
15:35:10 <Ariadne> yes
15:35:17 <h01ger> nice!
15:35:23 <kpcyrd> yey!
15:35:34 <h01ger> next topic? :)
15:36:59 <h01ger> #topic short time slot: Debian live-build
15:37:02 <h01ger> rclobus: ^
15:37:04 <rclobus> As in the last two months, I prepared a summary: https://lists.reproducible-builds.org/pipermail/rb-general/2021-August/002352.html
15:37:26 <rclobus> I focussed on the infrastructure.
15:37:29 <h01ger> #info summary at https://lists.reproducible-builds.org/pipermail/rb-general/2021-August/002352.html
15:37:58 <rclobus> I misused the fact that Cinnamon had issues with diffoscope, to help fix diffoscope
15:38:05 <h01ger> (btw, anyone can say use #info it just needs to be in the beginning of the line. then it will appear automatically in the meetbot log summary)
15:38:18 <h01ger> O_o
15:38:48 <rclobus> At the moment only bullseye is in Jenkins, but bookworm will start soon.
15:39:09 <rclobus> By then, I'll have the Cinnamon build fixed as well.
15:39:35 <fepitre> rclobus, you will find also bookworm installer files on my snapshot service :)
15:39:41 <rclobus> h01ger: I'll contact you at a later moment to talk about future tests in Jenkins and how to set them up.
15:40:00 <rclobus> fepitre: Thanks, I'm using your snapshot server now.
15:40:00 * h01ger nods
15:40:55 <rclobus> Slightly off-topic: I've seen OpenQA before, and after DebConf21, it seems to be a suitable test structure to verify the correct behaviour of the live images.
15:41:13 <h01ger> rclobus: yes. talk to fil on #debian-qa (about openqa)
15:41:25 <h01ger> obfusk: ^^ F-Droid
15:41:37 * rclobus will contact fil
15:42:22 <rclobus> I added a new topic regarding '.buildinfo'-like files, but that doesn't fit in the short time slot here.
15:42:27 <h01ger> obfusk: still around?
15:42:44 <h01ger> your name is on the agenda on this topic :)
15:42:52 <h01ger> if there are no news, thats good news too ;)
15:43:04 * obfusk missed the topic change ^^'
15:43:17 <h01ger> happens to the best :)
15:43:25 <obfusk> it looks like an android RB bug might soon be fixed: https://issuetracker.google.com/issues/195968520 (requires google login)
15:43:51 <obfusk> sadly, the new r8 version is not yet available via the maven repo's f-droid considers acceptable.
15:43:52 <h01ger> thats also the one causing the german corona warn app to have become unreproducible, right?
15:44:01 <h01ger> #info it looks like an android RB bug might soon be fixed: https://issuetracker.google.com/issues/195968520 (requires google login)
15:44:16 <obfusk> h01ger: yes. hopefully this fixes CCTG, newpipe, and the swiss covid cert apps.
15:44:36 <obfusk> thats 1)
15:44:45 <h01ger> nice
15:45:20 <obfusk> 2) is https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/246 lead me to work on a prototype tool for parsing/verifying android signatures in pure python: https://github.com/obfusk/apksigtool
15:45:45 <h01ger> cool. and thats also now used by diffoscope, or will be?
15:46:14 <obfusk> not yet, it currently uses androguard (which partially supports this already). but maybe in future when it's ready? :)
15:46:23 <lamby> ^ Nod :)
15:46:41 <h01ger> :))
15:46:44 <h01ger> next topic?
15:46:47 <obfusk> 3) is hopefully fdroidserver will soon support verifying git tags https://gitlab.com/fdroid/fdroidserver/-/merge_requests/989 (and I'll be working on improving HSM support as well soon)
15:46:59 <jelle> nice!
15:47:18 <obfusk> 4) is not really RB related, but we were in the news this week: https://fsfe.org/news/2021/news-20210830-01.en.html ^^'
15:47:23 <h01ger> what does fdroidserver will soon support verifying git tags mean for whom? users? dev?
15:47:41 <h01ger> obfusk: i read & enjoyed that news! :)
15:47:51 <obfusk> 5) will hopefully be RB related: I've been hired to get https://github.com/wireapp/wire-android into f-droid.
15:48:02 <h01ger> #info https://github.com/obfusk/apksigtool
15:48:29 <obfusk> h01ger: pretty much what uscan does: verify upstream's git tags when we have their pubkey on file.
15:48:34 <h01ger> ah!
15:48:36 <obfusk> (when building etc.)
15:48:38 <h01ger> wire is finally non beta?
15:48:57 <h01ger> obfusk: nice updates, thanks!
15:49:19 * h01ger gives it some more secs for more questions / comments
15:50:09 <lamby> obfusk: "on file" ?
15:50:42 <obfusk> lamby: present in the fdroiddata repo.
15:50:56 <lamby> nod
15:51:11 <h01ger> (uscan is a debian checker for new upstream versions of software)
15:51:32 <h01ger> so, next, kpcyrd probably didnt backdoor that
15:51:49 <h01ger> #topic short time slot: i-probably-didnt-backdoor-this
15:51:52 <h01ger> kpcyrd: ^
15:52:08 <h01ger> https://github.com/kpcyrd/i-probably-didnt-backdoor-this
15:52:14 <h01ger> #save
15:52:17 <kpcyrd> ok, I mostly added this in case there are any questions :)
15:52:48 <h01ger> kpcyrd: fine. lets wait 2min for questions then :)
15:53:01 <kpcyrd> the project is specifically about distributing pre-built artifacts without the luxury of being a distro maintainer (and using the distros infra)
15:53:38 <kpcyrd> on the flip side, the threat model of the project assumes that pre-built packages in distros are trustworthy/safe to use
15:53:53 <h01ger> *g*
15:54:29 <h01ger> if you haven't looked at this repo (its mostly just a bit text) i recommend you do!
15:54:48 <h01ger> so, next topic then, i'm sure kpcyrd will be happy to answer questions anytime! :)
15:54:56 <h01ger> #topic r-b ecosystem
15:55:00 <h01ger> ^ lamby
15:55:37 <lamby> Unfortunately, there is no update on this item for this meeting
15:55:41 <h01ger> (and a general reminder that these monthly meetings are supposed to last between 1-2h. we try to keep them short, but we take our time as needed)
15:55:51 <h01ger> lamby: thats ok
15:56:02 <lamby> I hoped to get something to show people this time, but left the placeholder item in the agenda just to say things are still WIP
15:56:07 <lamby> :)
15:56:19 <h01ger> where was the pad again?
15:56:31 <kpcyrd> https://pad.riseup.net/p/rb-irc-meetings-keep
15:56:33 <h01ger> i'm not sure facebook nor mullvad are in it :)
15:56:47 <h01ger> kpcyrd: thats the agenda. i ment the ecosystem map pad :)
15:56:50 <lamby> https://pad.riseup.net/p/rbecosystemmapping-keep
15:56:59 <h01ger> thanks, lamby
15:57:30 <lamby> :
15:57:32 <lamby> * :)
15:58:02 <h01ger> rrnewton: kfreds: Cadero: if you could fill in your companies in there that would be really nice. i'm sure you know best where/if they fit...
15:58:22 <lamby> Ah yes
15:58:22 <lamby> thanks
15:58:49 <kfreds> Ok.
15:59:44 <h01ger> #topic r-b.o/docs/rebuilders and conflict with r-b.o/tools
16:00:30 <h01ger> i created the former page as a result from our last meetings here and then found the later page, which was actually there earlier. then i wondered what to do to solve this conflict and brought up the topic here
16:01:08 <h01ger> now after looking at those two urls again, i think the rebuilders page should mostly be merged into the tools page, not sure if doc/rebuilders should have any content at all?
16:01:17 <h01ger> https://reproducible-builds.org/docs/rebuilders/
16:01:23 <h01ger> https://reproducible-builds.org/tools/
16:01:35 <h01ger> what do you think?
16:02:31 <kpcyrd> maybe we should have categories for the tools page
16:02:47 <lamby> That's certainly worth a try, yeah.
16:02:56 <lamby> Or at least a link from page to another
16:03:36 <kpcyrd> we might also need a page that lists active rebuilder deployments in the near future
16:03:45 <rclobus> Perhaps also an introductory paragraph that explains to newbies what a rebuilder does. I got the impression that the rebuilder is for mass-rebuilding.
16:03:56 <h01ger> kpcyrd: right, though i dont see that under /docs/ but rather... elsewhere
16:03:58 <kpcyrd> similar to this: https://wiki.archlinux.org/title/Rebuilderd#Package_rebuilders
16:04:04 <h01ger> rclobus: right
16:04:35 <h01ger> #action h01ger will look into adding categories to the tools page and/or linking with the rebuilders page
16:04:51 * h01ger would be fine to move on now, to the next topic.. shall we?
16:05:45 <h01ger> #topic Where to put reproducible information (specifically for the live images)
16:05:56 <h01ger> rclobus: lamby: ^ :)
16:06:17 <rclobus> After I posted my summary, there was a discussion to place the .buildinfo-like information somewhere: https://lists.reproducible-builds.org/pipermail/rb-general/2021-August/002355.html
16:06:39 <kpcyrd> I've also wondered about this topic for the install mediums for Arch Linux and Alpine
16:06:41 <lamby> I'm happy to continue this discussion on-list if you prefer, as IRC may not be the best medium for getting into the technical weeds.
16:06:41 <rclobus> The .buildinfo is intentionally outside the artifact to verify
16:06:56 <lamby> (Although v. happy to talk high-level stuff!)
16:07:08 <kpcyrd> with alpine specifically we'd need one set of packages that is used inside the image and one set of packages that was used on the host system
16:07:14 <rclobus> I could create an external file, or I could embed the reproducible information inside the artifact.
16:07:33 <lamby> kpcyrd: I have similar early thoughts about a .buildinfo-like document for debian installer images too.
16:07:45 <h01ger> tails publishes their hash as part of the release info? (which also explain how to rebuild that tails version.) so tails only needs to communicate two strings.
16:07:49 <h01ger> (AIUI)
16:07:51 <lamby> I would be very -1 on embedding the info inside the artifact
16:07:59 <lamby> Oh yes, have a look at how tails do it
16:08:15 <lamby> Especially as Tails has been doing it for some years (and people actually validate their checksums)
16:08:24 <kpcyrd> h01ger: I didn't look too much into tails yet but as I understood it all info is contained in their repo
16:08:38 <rclobus> Currently, the configuration that I use is generated on-the-fly, so it's not so easily hash-able.
16:08:46 <h01ger> embedding the buildinfo into the artifact has advantages and imo they outweight the disadvantages
16:09:38 <h01ger> kpcyrd: yes. so you only need to know the git tag (which has a name like 2.4.1) and one sha256 hash of the iso file. so two strings. thats pretty neat.
16:09:57 <h01ger> (as compared for eg reproducing a debian package where a .buildinfo file contains many many 'strings')
16:10:29 <kpcyrd> I'm not sure if the sha256sum is even needed for the build :)
16:10:31 <h01ger> rclobus: so if you could save all .buildinfo data in a signed git tag somewhere... you'd be getting close to that :)
16:10:46 <h01ger> kpcyrd: well you need to verify against something :)
16:10:52 <rclobus> I could also publish the configuration in some git repo and then only the sha256 hash of the resulting ISO would be needed additionally.
16:11:03 <h01ger> rclobus: yes
16:12:00 <obfusk> the downside of git tags is that they can change. using `git describe --long` gets you both the tag and the commit hash, which won't change. we're planning on using that in f-droid.
16:12:12 <h01ger> rclobus: is that a good enough plan so you can continue the details (which information is needed in detail to be saved via this git tag) on the list?
16:12:24 <h01ger> obfusk: right, important detail! :)
16:12:32 <rclobus> #action rclobus will contact the list and discuss the plan further. Thank you all for the input.
16:12:53 <kpcyrd> obfusk: I thought about this too, but I'm not sure if it makes much of a difference in practice
16:13:22 <h01ger> #info the plan is to put .buildinfo data in git, access it with a signed git tag (like tails) and then distribute the iso hash together with that git tag information
16:13:33 <kpcyrd> theoretically tails could change the tag to a different commit but that'd just make all future rebuilds fail
16:13:55 * h01ger nods kpcyrd - i also dont see a real attack vector here
16:13:57 <kpcyrd> (unless the new commit is similar enough that it doesn't have any impact on the release artifact)
16:14:00 <obfusk> kpcyrd: yes. but I think it would be nice to know *why* they failed, which is easier to see if you also have the commit hash :)
16:14:12 <kpcyrd> obfusk: that is true :)
16:14:21 <h01ger> so next topic? (which is any other business)
16:15:13 * h01ger assumes so
16:15:23 <h01ger> #topic any other business (AOB)
16:15:39 <h01ger> #topic any other business - anyone here involved with robotnix?
16:15:52 * h01ger wonders what robotnix is? unix for robots?
16:16:03 <obfusk> I just heard about robotnix yesterday
16:16:04 <obfusk> https://nlnet.nl/project/Robotnix/
16:16:04 <lamby> .oO (  He's the badguy from Sonic the Hedgehog  )
16:16:19 <obfusk> wondering if anyone here is involved?
16:16:19 <h01ger> lamby: *g*
16:16:47 <h01ger> #info Robotnix enables a user to easily build Android (AOSP) images using the Nix package manager.
16:17:19 <h01ger> we do have nix people around, sometimes, though
16:17:47 * obfusk is nix package maintainer, by accident ^^'
16:17:54 <h01ger> hehe
16:18:04 <h01ger> #topic any other business - anyone here involved with ghc?
16:18:26 * obfusk is not involved w/ ghc, but interested in anything haskell-related :)
16:18:41 <kpcyrd> a major chunk of the remaining unreproducible packages in Arch Linux are currently haskell related
16:18:48 <kpcyrd> the relevant issue is https://gitlab.haskell.org/ghc/ghc/-/issues/12935
16:19:14 <h01ger> #info a major chunk of the remaining unreproducible packages in Arch Linux are currently haskell related
16:19:21 <h01ger> #info the relevant issue is https://gitlab.haskell.org/ghc/ghc/-/issues/12935
16:19:38 <kpcyrd> -j1 fixes this but we have too much software for that to be a viable solution
16:19:44 <fepitre> Just in case this is also observed for Debian: https://debian.notset.fr/rebuild/log-ok-unreproducible/
16:19:55 <fepitre> I've got bunch of haskel packages not reproducible
16:21:36 <h01ger> ok, next
16:21:42 <h01ger> #topic any other business - anyone here involved with R?
16:21:51 <lamby> ^ yep, just curious.
16:22:10 <lamby> I have something I'd like to investigate.. and I saw the "anyone...?" questions. :)
16:22:26 <h01ger> :)
16:22:56 <h01ger> so if you know R, talk to lamby :)
16:23:03 <h01ger> #topic any other business ???
16:24:49 <lamby> None here. :)
16:25:22 <fepitre> Yes quickly
16:25:50 <h01ger> go go go
16:26:03 <fepitre> After my rebuild journey, I'll try to create a report with packages having a unreproducible status and those having failure (mostly related to debrebuild (python))
16:26:39 <fepitre> I hope to help into putting some light on "the lie" you mentioned on your talk
16:26:48 <kpcyrd> fepitre: any chance you could create something similar to what jelle built with https://reproducible.archlinux.org/ ?
16:27:06 <fepitre> kpcyrd, yes of course
16:27:17 <fepitre> that's the plan :)
16:27:25 <kpcyrd> that'd be really cool :D
16:27:30 <h01ger> fepitre: awesome. looking forward to join that journey
16:27:44 <h01ger> hey vagrantc - backlog at http://meetbot.debian.net/reproducible-builds/2021/reproducible-builds.2021-08-31-14.59.html
16:27:44 <lamby> nice
16:27:48 <h01ger> #save
16:27:55 <h01ger> though we are almost done, final topic :)
16:28:06 * vagrantc waves humbly
16:29:01 <h01ger> alrightyright, let's close this up, i have a DD visiting my place currently :)
16:29:09 <kpcyrd> a last note maybe:
16:29:13 <h01ger> sure
16:30:00 <kpcyrd> José Miguel Parrella from microsoft spent some time with i-probably-didnt-backdoor-this and got a different binary: https://github.com/kpcyrd/i-probably-didnt-backdoor-this/issues/1
16:30:13 <kpcyrd> I'm having trouble reproducing this (but also didn't spend too much time on the issue yet)
16:30:34 <h01ger> hehe, nice
16:31:34 <h01ger> bureado is also a DD, btw :) (or was? not sure)
16:31:50 <h01ger> (a dd is a debian developer..)
16:31:52 <kpcyrd> it'd be helpful if I could get more feedback if other people get the 35578eb... binary or the abdac109cfe... one
16:32:34 <kpcyrd> (that's everything) :)
16:32:45 <h01ger> i might try but i never used buildah and i hardly know podman)
16:33:17 <h01ger> (and i dont see me having a time slot for this before thursday..)
16:33:18 <Foxboron> kpcyrd: argueably changing docker with podman is a non-issue since the repo assumes same environment which implies docker.
16:33:23 <Foxboron> But it's still interesting that they do differ
16:33:25 <kpcyrd> buildah is for the docker image, this one is the elf binary :)
16:33:48 <Foxboron> i subscribed to the issue if I do have some time to look into it. I do prefer podman over docker so this is a neat thing to dig into
16:33:49 <kpcyrd> so it's just "docker run ... cargo build --release"
16:33:55 <h01ger> (and i dont have docker and its a bit work on qubes, so i'd rather have something else debug this)
16:33:55 <kpcyrd> Foxboron: thank you!
16:34:09 <h01ger> go go go Foxboron ;)
16:34:15 <h01ger> any other business? :)
16:34:40 <Foxboron> (I have a huggee backlog of things I want to get done and low motivation these days for anything :p no promises)
16:35:13 <h01ger> Foxboron: i've heard from some people that my dc21 talk motivated them. you might try it too? 8-)
16:35:46 <Foxboron> h01ger: haha, thanks<3
16:35:52 <obfusk> h01ger: ...your talk is part of my backlog ^^'
16:36:08 <Foxboron> ohhh, kpcyrd I should stream this.
16:36:27 <h01ger> :)
16:36:42 <kpcyrd> Foxboron: yes please :D
16:37:11 * h01ger sings to the yellow submarine tune: we all live on a large backlog, large backlog...
16:37:28 <h01ger> so, any other business? :) you dont want me singing  ;p
16:38:15 <h01ger> #topic next meeting: last tuesday of the month, 28th september 2021, 15 UTC
16:38:36 <h01ger> cu then & thanks for the nice meeting today! & keep up the great work & enjoy!
16:38:40 * h01ger waves
16:38:50 <obfusk> o/
16:38:56 <kpcyrd> o/
16:39:00 <h01ger> agenda for next month is again at https://pad.riseup.net/p/rb-irc-meetings-keep
16:39:09 <lamby> thanks o/
16:39:21 <rgdd> bye, thanks for today!
16:39:23 <kfreds> Bye. Thank you!
16:39:25 <fepitre> thanks _o/
16:39:53 <h01ger> #endmeeting