[Script Info]
Title: 
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.76,0:00:02.08,Default,,0000,0000,0000,,Welcome and good morning
Dialogue: 0,0:00:03.72,0:00:07.22,Default,,0000,0000,0000,,This is the reproducible builds team,\Ntalking about
Dialogue: 0,0:00:07.22,0:00:09.94,Default,,0000,0000,0000,,"Stretching out towards trustworthy\Ncomputing"
Dialogue: 0,0:00:12.28,0:00:19.92,Default,,0000,0000,0000,,[Applause]
Dialogue: 0,0:00:22.28,0:00:25.88,Default,,0000,0000,0000,,We're 4 on stage, but actually this is a\Nteam effort.
Dialogue: 0,0:00:25.88,0:00:30.52,Default,,0000,0000,0000,,All these people listed here have\Ncontributed to the project at one point.
Dialogue: 0,0:00:30.52,0:00:33.19,Default,,0000,0000,0000,,The 4 of us, that's
Dialogue: 0,0:00:33.19,0:00:34.16,Default,,0000,0000,0000,,Lunar − me
Dialogue: 0,0:00:34.16,0:00:35.28,Default,,0000,0000,0000,,there's Dhole,
Dialogue: 0,0:00:35.28,0:00:36.38,Default,,0000,0000,0000,,Chris Lamb − lamby
Dialogue: 0,0:00:36.38,0:00:37.60,Default,,0000,0000,0000,,and Holger.
Dialogue: 0,0:00:38.54,0:00:42.57,Default,,0000,0000,0000,,But actually, this is DebConf and so a lot\Nmore of us have been or are
Dialogue: 0,0:00:42.57,0:00:46.96,Default,,0000,0000,0000,,currently here and so, if you want to\Nthank anybody that is working on this
Dialogue: 0,0:00:46.96,0:00:49.18,Default,,0000,0000,0000,,you need to actually thank all of\Nthese folks
Dialogue: 0,0:00:49.18,0:00:50.98,Default,,0000,0000,0000,,'cause, yay.
Dialogue: 0,0:00:51.42,0:00:56.20,Default,,0000,0000,0000,,[Applause]
Dialogue: 0,0:00:57.33,0:00:59.60,Default,,0000,0000,0000,,[Holger] The people in blue are here.
Dialogue: 0,0:01:03.90,0:01:05.57,Default,,0000,0000,0000,,[Lunar] Let's get started.
Dialogue: 0,0:01:05.57,0:01:07.88,Default,,0000,0000,0000,,Quick recap on what we're talking\Nabout.
Dialogue: 0,0:01:07.88,0:01:10.90,Default,,0000,0000,0000,,We have software, it's made from source.
Dialogue: 0,0:01:10.90,0:01:15.03,Default,,0000,0000,0000,,Source is readable by humans or at least\Na good amount of humans.
Dialogue: 0,0:01:15.03,0:01:17.44,Default,,0000,0000,0000,,In this room it's good.
Dialogue: 0,0:01:17.44,0:01:24.18,Default,,0000,0000,0000,,Binary, readable by computer and some\Ntiny fraction of humanity.
Dialogue: 0,0:01:24.18,0:01:30.04,Default,,0000,0000,0000,,Going from source to binary is called\Nbuild, or like building or compiling
Dialogue: 0,0:01:30.04,0:01:33.18,Default,,0000,0000,0000,,and we're doing free software and\Nfree software is awesome because
Dialogue: 0,0:01:33.18,0:01:37.54,Default,,0000,0000,0000,,we can actually run these binaries like\Nwe want
Dialogue: 0,0:01:37.54,0:01:44.00,Default,,0000,0000,0000,,We can actually study the software, how\Nit's been made by studying the source
Dialogue: 0,0:01:44.00,0:01:48.54,Default,,0000,0000,0000,,and by studying the source we can assess\Nthat it does what it's supposed to do
Dialogue: 0,0:01:48.54,0:01:50.74,Default,,0000,0000,0000,,and not something else that does not
Dialogue: 0,0:01:50.74,0:01:56.46,Default,,0000,0000,0000,,have malware, or trojans or security bugs
Dialogue: 0,0:01:56.46,0:02:00.82,Default,,0000,0000,0000,,So we have the binary that can be used,\Nfine.
Dialogue: 0,0:02:00.82,0:02:04.02,Default,,0000,0000,0000,,We have the source that can be verified.
Dialogue: 0,0:02:04.02,0:02:10.46,Default,,0000,0000,0000,,Problem is that right now, the only way we\Nknow that a binary that we get…
Dialogue: 0,0:02:10.46,0:02:15.68,Default,,0000,0000,0000,,We have to trust a website or a Debian\Nrepository that says
Dialogue: 0,0:02:15.68,0:02:18.26,Default,,0000,0000,0000,,"Well, this binary has been made with this\Nsource"
Dialogue: 0,0:02:18.26,0:02:23.00,Default,,0000,0000,0000,,But there's no way we can actually prove\Nthat.
Dialogue: 0,0:02:23.00,0:02:27.40,Default,,0000,0000,0000,,This is actually a problem that has been\Nwell explained by
Dialogue: 0,0:02:27.40,0:02:33.54,Default,,0000,0000,0000,,Mike Perry and Seth Schoen at the 31c3\Nin Hamburg last december.
Dialogue: 0,0:02:33.54,0:02:41.48,Default,,0000,0000,0000,,For example, Seth Schoen made a proof of\Nconcept exploit for the Linux kernel
Dialogue: 0,0:02:41.48,0:02:52.06,Default,,0000,0000,0000,,that when GCC was called, the kernel would\Nwithout modifying anything on the disk
Dialogue: 0,0:02:52.06,0:02:58.96,Default,,0000,0000,0000,,when the kernel detects that GCC is going\Nto read a C file, it will insert some
Dialogue: 0,0:02:58.96,0:03:06.26,Default,,0000,0000,0000,,extra lines of code, and these lines of\Ncode can be a very bad thing
Dialogue: 0,0:03:06.26,0:03:09.10,Default,,0000,0000,0000,,in the case of 31c3 talk I was just\Nrecalling.
Dialogue: 0,0:03:09.10,0:03:17.90,Default,,0000,0000,0000,,Actually, you can even have developers\Nwho are in very good faith, who have
Dialogue: 0,0:03:17.90,0:03:21.30,Default,,0000,0000,0000,,totally secure dev machines, or they\Nthought they have,
Dialogue: 0,0:03:21.30,0:03:24.36,Default,,0000,0000,0000,,who have reviewed all their source code\Nfor any bugs
Dialogue: 0,0:03:24.36,0:03:31.02,Default,,0000,0000,0000,,and we would still get totally owned as\Nsoon as their computer gets compromised
Dialogue: 0,0:03:31.02,0:03:34.12,Default,,0000,0000,0000,,or one of the build demons from Debian\Ngets compromised for example.
Dialogue: 0,0:03:34.12,0:03:41.24,Default,,0000,0000,0000,,This is not, like, hypothetical threats\Nhere we're discussing
Dialogue: 0,0:03:41.24,0:03:45.80,Default,,0000,0000,0000,,A couple of months after Seth an Mike's\Ntalk at 31c3,
Dialogue: 0,0:03:45.80,0:03:48.94,Default,,0000,0000,0000,,the Intercept revealed from the Snowden\Nleaks
Dialogue: 0,0:03:48.94,0:03:56.28,Default,,0000,0000,0000,,that at a CIA conference in 2012, one\Nof the talks that happened
Dialogue: 0,0:03:56.28,0:03:58.92,Default,,0000,0000,0000,,was about a project called Strawhorse.
Dialogue: 0,0:03:58.92,0:04:04.94,Default,,0000,0000,0000,,Strawhorse is about modifying Apple XCode,\Nwhich is the development environment
Dialogue: 0,0:04:04.94,0:04:08.86,Default,,0000,0000,0000,,for MacOS 10 and iOS applications
Dialogue: 0,0:04:08.86,0:04:11.14,Default,,0000,0000,0000,,and well, they were modifying XCode so\Nit would produce,
Dialogue: 0,0:04:11.14,0:04:13.48,Default,,0000,0000,0000,,without the developer knowing,
Dialogue: 0,0:04:13.48,0:04:23.02,Default,,0000,0000,0000,,binaries with trojans, malware,\Nwatermarked binaries, lots of bad things.
Dialogue: 0,0:04:23.18,0:04:25.40,Default,,0000,0000,0000,,So, solution:
Dialogue: 0,0:04:25.40,0:04:29.42,Default,,0000,0000,0000,,enable anyone to reproduce identical\Nbinary packages from a given source.
Dialogue: 0,0:04:29.42,0:04:34.90,Default,,0000,0000,0000,,Because if using a source, using the same\Nenvironment,
Dialogue: 0,0:04:34.90,0:04:39.98,Default,,0000,0000,0000,,multiple people on different computers, on\Ndifferent networks, at different times,
Dialogue: 0,0:04:39.98,0:04:42.88,Default,,0000,0000,0000,,can all get the same thing\Nfrom the same source
Dialogue: 0,0:04:42.88,0:04:44.62,Default,,0000,0000,0000,,all the same binary, byte for byte,
Dialogue: 0,0:04:44.62,0:04:47.08,Default,,0000,0000,0000,,then there's a good chance that…
Dialogue: 0,0:04:47.08,0:04:54.88,Default,,0000,0000,0000,,Well, everybody could be owned,\Nbut let's be more joyful and say that
Dialogue: 0,0:04:54.88,0:04:58.84,Default,,0000,0000,0000,,probably, if everybody gets the same\Nresult, there was actually no problem
Dialogue: 0,0:04:58.84,0:05:01.38,Default,,0000,0000,0000,,and everybody is safe.
Dialogue: 0,0:05:01.84,0:05:04.46,Default,,0000,0000,0000,,We call that solution\N"reproducible builds"
Dialogue: 0,0:05:06.66,0:05:07.68,Default,,0000,0000,0000,,Yay.
Dialogue: 0,0:05:08.48,0:05:10.56,Default,,0000,0000,0000,,[Applause]
Dialogue: 0,0:05:12.72,0:05:14.68,Default,,0000,0000,0000,,Actually, it's not only about security.
Dialogue: 0,0:05:14.68,0:05:19.06,Default,,0000,0000,0000,,For Debian, we have, if you're doing\N"Multi-arch: same" packages,
Dialogue: 0,0:05:19.06,0:05:24.88,Default,,0000,0000,0000,,well they only have the same bytes if\Nthey are built for different architectures,
Dialogue: 0,0:05:24.88,0:05:27.80,Default,,0000,0000,0000,,the files in the package.
Dialogue: 0,0:05:27.80,0:05:34.46,Default,,0000,0000,0000,,Debug packages, you can create at a later\Ntime, if you forgot to have debug packages
Dialogue: 0,0:05:34.46,0:05:35.74,Default,,0000,0000,0000,,in the first place,
Dialogue: 0,0:05:35.74,0:05:42.48,Default,,0000,0000,0000,,you can pass the no-strip option later and\Nbecause the package is reproducible,
Dialogue: 0,0:05:42.48,0:05:46.58,Default,,0000,0000,0000,,you will get the debug symbols that work\Nfor software that has been shipped already
Dialogue: 0,0:05:46.58,0:05:50.36,Default,,0000,0000,0000,,We do early detection of FTBFS that way
Dialogue: 0,0:05:50.36,0:05:53.58,Default,,0000,0000,0000,,because if we try pretty quickly\Nto reproduce a build,
Dialogue: 0,0:05:53.58,0:05:55.14,Default,,0000,0000,0000,,then it has to work.
Dialogue: 0,0:05:55.14,0:05:58.32,Default,,0000,0000,0000,,It's useful for build profiles.
Dialogue: 0,0:05:58.32,0:06:01.68,Default,,0000,0000,0000,,We can get smaller .deb deltas,
Dialogue: 0,0:06:01.68,0:06:05.38,Default,,0000,0000,0000,,because from one version to the next we\Nmight have the same content.
Dialogue: 0,0:06:05.38,0:06:08.86,Default,,0000,0000,0000,,We can do validation of cross-builds,
Dialogue: 0,0:06:08.86,0:06:11.72,Default,,0000,0000,0000,,Helmut Grohne can talk to you about that.
Dialogue: 0,0:06:11.72,0:06:16.70,Default,,0000,0000,0000,,And also, Niels Thykier told me that
Dialogue: 0,0:06:16.70,0:06:21.08,Default,,0000,0000,0000,,he was very interested in reproducible\Nbuilds because it would enable him to
Dialogue: 0,0:06:21.08,0:06:23.62,Default,,0000,0000,0000,,test debhelper better, because
Dialogue: 0,0:06:23.62,0:06:28.51,Default,,0000,0000,0000,,if the package builds reproducibly,\Nthen he makes a change to debhelper,
Dialogue: 0,0:06:28.51,0:06:32.11,Default,,0000,0000,0000,,then he can rebuild
Dialogue: 0,0:06:32.11,0:06:36.13,Default,,0000,0000,0000,,the same version of a package with a newer\Ndebhelper and see what has changed
Dialogue: 0,0:06:36.13,0:06:39.92,Default,,0000,0000,0000,,and this change can be isolated to only\Nwhat he has worked on debhelper
Dialogue: 0,0:06:39.92,0:06:41.60,Default,,0000,0000,0000,,for example.
Dialogue: 0,0:06:43.21,0:06:45.04,Default,,0000,0000,0000,,And, oh my.
Dialogue: 0,0:06:45.04,0:06:47.82,Default,,0000,0000,0000,,The whole world is watching us.
Dialogue: 0,0:06:47.82,0:06:56.48,Default,,0000,0000,0000,,Since two years or a year and a half ago,\Neverybody I meet in security conference,
Dialogue: 0,0:06:56.48,0:06:59.10,Default,,0000,0000,0000,,in hacker conference, in free software\Nconference is like
Dialogue: 0,0:06:59.10,0:07:01.16,Default,,0000,0000,0000,,"Oh you're working on that,\Nthat's awesome."
Dialogue: 0,0:07:01.16,0:07:08.62,Default,,0000,0000,0000,,And, I mean, I've been the one doing quite\Na lot of talks, and everybody comes to me
Dialogue: 0,0:07:08.62,0:07:11.10,Default,,0000,0000,0000,,and I'm like "Wow wow, this is way bigger",
Dialogue: 0,0:07:11.10,0:07:15.68,Default,,0000,0000,0000,,but we're actually leading the field here.
Dialogue: 0,0:07:15.68,0:07:18.58,Default,,0000,0000,0000,,Yay Debian.
Dialogue: 0,0:07:18.58,0:07:25.56,Default,,0000,0000,0000,,[Applause]
Dialogue: 0,0:07:25.95,0:07:29.32,Default,,0000,0000,0000,,[Holger] So, we are not the only ones \Nleading the field,
Dialogue: 0,0:07:29.32,0:07:33.24,Default,,0000,0000,0000,,Bitcoin and Tor made their software\Nreproducible before us,
Dialogue: 0,0:07:33.24,0:07:36.90,Default,,0000,0000,0000,,Coreboot also succeeded, if you build\NCoreboot without any payload,
Dialogue: 0,0:07:36.90,0:07:38.56,Default,,0000,0000,0000,,that's 100% reproducible.
Dialogue: 0,0:07:38.56,0:07:43.70,Default,,0000,0000,0000,,FreeBSD has a page on their wiki since\N2013
Dialogue: 0,0:07:43.70,0:07:48.84,Default,,0000,0000,0000,,saying there are 5 reproducibility issues\Nin their base system.
Dialogue: 0,0:07:48.84,0:07:51.86,Default,,0000,0000,0000,,We're at the moment trying to\Nconfirm this.
Dialogue: 0,0:07:51.86,0:07:57.08,Default,,0000,0000,0000,,On jenkins.debian.net, I've also set up\Nnow tests for FreeBSD, NetBSD,
Dialogue: 0,0:07:57.08,0:07:58.92,Default,,0000,0000,0000,,Coreboot and OpenWrt.
Dialogue: 0,0:07:58.92,0:08:02.88,Default,,0000,0000,0000,,So if you go to\Nreproducible.debian.net/
Dialogue: 0,0:08:02.88,0:08:04.90,Default,,0000,0000,0000,,you get that tested.
Dialogue: 0,0:08:04.90,0:08:07.94,Default,,0000,0000,0000,,And there's more in the pipeline.
Dialogue: 0,0:08:07.94,0:08:10.98,Default,,0000,0000,0000,,There are other projects interested\Nas well.
Dialogue: 0,0:08:10.98,0:08:15.12,Default,,0000,0000,0000,,NetBSD also has a variable MKREPRO\Nwhich you can set
Dialogue: 0,0:08:15.12,0:08:17.16,Default,,0000,0000,0000,,and that builds reproducibly.
Dialogue: 0,0:08:17.16,0:08:20.28,Default,,0000,0000,0000,,Though they think "I'm keeping some\Ntimestamps it's fine" and then
Dialogue: 0,0:08:20.28,0:08:21.90,Default,,0000,0000,0000,,filtering them out later".
Dialogue: 0,0:08:21.90,0:08:23.20,Default,,0000,0000,0000,,We disagree.
Dialogue: 0,0:08:23.20,0:08:28.40,Default,,0000,0000,0000,,So this is how Debian looks like,\NDebian Sid,
Dialogue: 0,0:08:28.40,0:08:30.02,Default,,0000,0000,0000,,but this is a lie.
Dialogue: 0,0:08:30.02,0:08:31.60,Default,,0000,0000,0000,,This is not the truth.
Dialogue: 0,0:08:31.60,0:08:33.92,Default,,0000,0000,0000,,This is just our test setup.
Dialogue: 0,0:08:33.92,0:08:35.66,Default,,0000,0000,0000,,Sid is not like this.
Dialogue: 0,0:08:35.66,0:08:40.10,Default,,0000,0000,0000,,For Sid, it's all orange, there's zero\Nreprodicibility in Sid today.
Dialogue: 0,0:08:40.10,0:08:43.96,Default,,0000,0000,0000,,But we'll talk now and in the following\Nround table,
Dialogue: 0,0:08:43.96,0:08:46.78,Default,,0000,0000,0000,,it's to actually make Sid reproducible.
Dialogue: 0,0:08:46.78,0:08:52.46,Default,,0000,0000,0000,,The current status is
Dialogue: 0,0:08:52.46,0:08:57.98,Default,,0000,0000,0000,,we're working on this in Debian since\Ntwo years ago.
Dialogue: 0,0:08:57.98,0:09:01.94,Default,,0000,0000,0000,,We have weekly reports about our project\Nnow since May
Dialogue: 0,0:09:01.94,0:09:07.20,Default,,0000,0000,0000,,and we've given several talks, especially\Nin the last year
Dialogue: 0,0:09:07.20,0:09:11.42,Default,,0000,0000,0000,,and all these talks, presentation, also\Nother stuff is linked in the wiki.
Dialogue: 0,0:09:11.42,0:09:14.92,Default,,0000,0000,0000,,There's a page with information about\NDebian, these BSDs,
Dialogue: 0,0:09:14.92,0:09:18.96,Default,,0000,0000,0000,,other Linuxes, upstream softwares\Nall on this wiki.
Dialogue: 0,0:09:22.85,0:09:26.56,Default,,0000,0000,0000,,Since DebConf14, which is merely\Na year ago,
Dialogue: 0,0:09:26.86,0:09:28.72,Default,,0000,0000,0000,,we've made quite some changes.
Dialogue: 0,0:09:28.72,0:09:32.78,Default,,0000,0000,0000,,We have introduced\N{\i1}strip-nondeterminism{\i0}
Dialogue: 0,0:09:32.78,0:09:38.88,Default,,0000,0000,0000,,which is called by dh at the end\Nof the build of the package
Dialogue: 0,0:09:38.88,0:09:45.46,Default,,0000,0000,0000,,and will normalize some things\Nwhich Chris will explain later
Dialogue: 0,0:09:45.46,0:09:50.04,Default,,0000,0000,0000,,We have decided on a fixed build path
Dialogue: 0,0:09:50.04,0:09:53.76,Default,,0000,0000,0000,,because the build path is leaked\Nin the binaries and several things
Dialogue: 0,0:09:53.76,0:09:57.08,Default,,0000,0000,0000,,We didn't find a way yet to make\Nthe build path arbitrary.
Dialogue: 0,0:09:57.08,0:10:03.46,Default,,0000,0000,0000,,We designed a way to record the build\Nenvironment
Dialogue: 0,0:10:03.46,0:10:08.06,Default,,0000,0000,0000,,because to rebuild, you need to recreate\Nthe build environment.
Dialogue: 0,0:10:08.06,0:10:11.62,Default,,0000,0000,0000,,We set up this Jenkins setup.
Dialogue: 0,0:10:11.62,0:10:17.38,Default,,0000,0000,0000,,We wrote diffoscope which used to be\Ncalled debbindiff
Dialogue: 0,0:10:17.38,0:10:21.40,Default,,0000,0000,0000,,which shows differences between two\Npackages or two directories or
Dialogue: 0,0:10:21.40,0:10:23.60,Default,,0000,0000,0000,,two filesystems by now.
Dialogue: 0,0:10:23.60,0:10:30.93,Default,,0000,0000,0000,,There's {\i1}SOURCE{\u1}DATE{\u0}EPOCH{\i0}, which is a way\Nthat the tools expose
Dialogue: 0,0:10:30.93,0:10:33.69,Default,,0000,0000,0000,,the last modification of the source.
Dialogue: 0,0:10:33.69,0:10:37.28,Default,,0000,0000,0000,,Because the build date, people want to\Ninclude the build date
Dialogue: 0,0:10:37.28,0:10:39.46,Default,,0000,0000,0000,,because they think this is a \Nmeaningful indication:
Dialogue: 0,0:10:39.46,0:10:42.26,Default,,0000,0000,0000,,when a build was done,\Nwhich software used.
Dialogue: 0,0:10:42.46,0:10:45.56,Default,,0000,0000,0000,,But if the build always recreates \Nthe same results
Dialogue: 0,0:10:45.56,0:10:47.34,Default,,0000,0000,0000,,the build date becomes meaningless
Dialogue: 0,0:10:47.34,0:10:50.68,Default,,0000,0000,0000,,and the really interesting thing is\Nthe latest modification of the source.
Dialogue: 0,0:10:52.39,0:10:55.84,Default,,0000,0000,0000,,We have written patches for the tools
Dialogue: 0,0:10:58.08,0:11:03.59,Default,,0000,0000,0000,,[Lunar] strip-nondeterminism:\Nis Andrew Ayer in the audience?
Dialogue: 0,0:11:03.59,0:11:05.92,Default,,0000,0000,0000,,Yay! He did it!
Dialogue: 0,0:11:05.92,0:11:12.36,Default,,0000,0000,0000,,It's written in Perl because we didn't\Nwant to have a new build dependency
Dialogue: 0,0:11:12.36,0:11:13.56,Default,,0000,0000,0000,,in all Debian packages.
Dialogue: 0,0:11:13.56,0:11:18.44,Default,,0000,0000,0000,,Basically it takes anything and tries\Nto normalize it as much as it can
Dialogue: 0,0:11:18.44,0:11:27.10,Default,,0000,0000,0000,,replacing timestamps or file permissions\Nor removing some issues.
Dialogue: 0,0:11:27.10,0:11:30.90,Default,,0000,0000,0000,,It's working very well on many formats, \Nit's meant to be extensible
Dialogue: 0,0:11:30.90,0:11:38.00,Default,,0000,0000,0000,,so we can actually add more things and\Nit's run by dh at the end of the process, as Holger said.
Dialogue: 0,0:11:38.00,0:11:45.42,Default,,0000,0000,0000,,The .buildinfo is currently a proposal \Nwe have not yet totally agreed
Dialogue: 0,0:11:45.42,0:11:48.58,Default,,0000,0000,0000,,but we are generating them as part \Nof the test we have
Dialogue: 0,0:11:48.58,0:11:56.88,Default,,0000,0000,0000,,and basically it's a new control file that\Nwill tie the sources, the generated binary
Dialogue: 0,0:11:56.88,0:12:00.56,Default,,0000,0000,0000,,the packages that were used to build this\Nbinary and their version.
Dialogue: 0,0:12:00.56,0:12:08.50,Default,,0000,0000,0000,,The idea is that we can use this file to\Nreinstall all the specific versions from snapshot
Dialogue: 0,0:12:08.50,0:12:16.70,Default,,0000,0000,0000,,So we recreate the same build environment\Nthen we can just start the build from that source
Dialogue: 0,0:12:16.70,0:12:20.98,Default,,0000,0000,0000,,that was mentioned and see if the binary\Nthat has been generated matches.
Dialogue: 0,0:12:23.05,0:12:28.40,Default,,0000,0000,0000,,What it looks like for now, you see there is\Na source binary, the build path
Dialogue: 0,0:12:28.40,0:12:33.88,Default,,0000,0000,0000,,because currently we don't have any good\Npost-processing tool for buildpaths
Dialogue: 0,0:12:33.88,0:12:41.06,Default,,0000,0000,0000,,in elf and dwarf binaries, we just decided\Nto specify the build path so when we do
Dialogue: 0,0:12:41.06,0:12:44.94,Default,,0000,0000,0000,,a later rebuild we use that path and be safe.
Dialogue: 0,0:12:44.94,0:12:51.52,Default,,0000,0000,0000,,The source is dsc, the binary is .deb and\Na list of packages with the versions.
Dialogue: 0,0:12:53.32,0:13:01.93,Default,,0000,0000,0000,,We currently use the base files version\Nto know which Debian release is to be used
Dialogue: 0,0:13:01.93,0:13:04.04,Default,,0000,0000,0000,,as the basis.
Dialogue: 0,0:13:11.33,0:13:17.85,Default,,0000,0000,0000,,[Holger] The general procedure for testing is:\Nwe build the source, we save the results,
Dialogue: 0,0:13:17.85,0:13:22.66,Default,,0000,0000,0000,,we modify the environment and we build\Nit again and compare the results.
Dialogue: 0,0:13:22.66,0:13:31.74,Default,,0000,0000,0000,,That started as a shell script last year which I\Nput on jenkins and then it exploded a bit
Dialogue: 0,0:13:32.00,0:13:36.14,Default,,0000,0000,0000,,and now we have 67 jenkins jobs running on\N7 hosts.
Dialogue: 0,0:13:36.14,0:13:44.82,Default,,0000,0000,0000,,Since last week we have 4 armhf small boards\Nwhere we will be able to test armhf,
Dialogue: 0,0:13:44.82,0:13:46.00,Default,,0000,0000,0000,,but very slowly.
Dialogue: 0,0:13:46.00,0:13:48.90,Default,,0000,0000,0000,,We have two new amd64 build nodes.
Dialogue: 0,0:13:48.90,0:13:53.04,Default,,0000,0000,0000,,The code is now split into Python and bash\Nscripts.
Dialogue: 0,0:13:53.04,0:13:58.54,Default,,0000,0000,0000,,For all the other distro testing there's a\Nlot of bash code now which is mostly
Dialogue: 0,0:13:58.54,0:14:04.74,Default,,0000,0000,0000,,boilerplate and it's 5 lines or something\Nto build FreeBSD and 5 lines to build NetBSD
Dialogue: 0,0:14:04.74,0:14:08.84,Default,,0000,0000,0000,,but there's 100 lines boilercode around so it's\Nreally not that much code.
Dialogue: 0,0:14:08.84,0:14:12.52,Default,,0000,0000,0000,,We do test Testing, Unstable and Experimental.
Dialogue: 0,0:14:12.52,0:14:15.56,Default,,0000,0000,0000,,For arm we only start with Unstable.
Dialogue: 0,0:14:15.56,0:14:22.06,Default,,0000,0000,0000,,We do like hardware so if you have hardware\Nto donate to us, that would be great,
Dialogue: 0,0:14:22.06,0:14:24.96,Default,,0000,0000,0000,,we need ssh and then root basically.
Dialogue: 0,0:14:26.92,0:14:34.15,Default,,0000,0000,0000,,We are testing Coreboot, OpenWrt and the\NBSD's, soon I will also set up a Fedora test
Dialogue: 0,0:14:34.15,0:14:39.68,Default,,0000,0000,0000,,I don't want to test all the 20,000 Fedora\Npackages but just 200 or something:
Dialogue: 0,0:14:39.68,0:14:44.12,Default,,0000,0000,0000,,the base system of Fedora to examine how\Nrpm works
Dialogue: 0,0:14:44.12,0:14:47.74,Default,,0000,0000,0000,,to get really the whole Free Software world\Nreproducible.
Dialogue: 0,0:14:47.74,0:14:53.46,Default,,0000,0000,0000,,This is all run on ProfitBricks hardware \Nsince 2002, so thanks to ProfitBricks.
Dialogue: 0,0:14:56.86,0:15:00.08,Default,,0000,0000,0000,,This is the variations we do for Debian.
Dialogue: 0,0:15:01.74,0:15:07.26,Default,,0000,0000,0000,,It's the hostname, username, timezone,\Nlocale.
Dialogue: 0,0:15:07.26,0:15:14.10,Default,,0000,0000,0000,,Chris will explain what modifications \Nthis causes, variances...
Dialogue: 0,0:15:14.10,0:15:19.06,Default,,0000,0000,0000,,We are not testing at the moment differences\Nin date so the date is always the same
Dialogue: 0,0:15:19.06,0:15:20.38,Default,,0000,0000,0000,,the time is a bit different.
Dialogue: 0,0:15:20.38,0:15:25.52,Default,,0000,0000,0000,,[Lunar] Well almost! Because we cheat with\Nthe timezone, we use one timezone that is
Dialogue: 0,0:15:25.52,0:15:32.24,Default,,0000,0000,0000,,GMT-14 and then GMT+12 so it's more than\N24 hours appart.
Dialogue: 0,0:15:32.65,0:15:35.94,Default,,0000,0000,0000,,[Holger] On the first of the month we\Nsometimes find new bugs where there's
Dialogue: 0,0:15:35.94,0:15:38.00,Default,,0000,0000,0000,,packages which record the month.
Dialogue: 0,0:15:41.00,0:15:43.82,Default,,0000,0000,0000,,We don't have variations of the CPU type\Nat the moment.
Dialogue: 0,0:15:45.78,0:15:50.90,Default,,0000,0000,0000,,Both time and CPU type variations, we'll\Nhave them about one or two weeks
Dialogue: 0,0:15:50.90,0:15:53.66,Default,,0000,0000,0000,,the nodes are being prepared at the moment.
Dialogue: 0,0:15:53.66,0:16:00.80,Default,,0000,0000,0000,,Then we will test all the meaningful\Nvariations we could think of.
Dialogue: 0,0:16:01.23,0:16:05.02,Default,,0000,0000,0000,,There will be probably some packages which\Nbuild different according to the number of
Dialogue: 0,0:16:05.02,0:16:11.14,Default,,0000,0000,0000,,number of CD drives attached or whatever\Nthings, but those will be find by you.
Dialogue: 0,0:16:12.49,0:16:16.89,Default,,0000,0000,0000,,[Lunar] We are doing all these tests because\Nwe want when you rebuild a package on
Dialogue: 0,0:16:16.89,0:16:22.02,Default,,0000,0000,0000,,your machine that if any this is different from\Nthe build deamons in Debian you get
Dialogue: 0,0:16:22.02,0:16:23.29,Default,,0000,0000,0000,,the same results.
Dialogue: 0,0:16:23.29,0:16:30.01,Default,,0000,0000,0000,,We use this to detect this problems early\Nbefore you actually a false positive that we have
Dialogue: 0,0:16:30.01,0:16:34.15,Default,,0000,0000,0000,,to investigate when someone rebuilds a\Npackage on their machine.
Dialogue: 0,0:16:37.32,0:16:42.54,Default,,0000,0000,0000,,To understand the difference that we found\Nfrom one build to the other.
Dialogue: 0,0:16:42.54,0:16:50.54,Default,,0000,0000,0000,,It started also as a 10 lines shellscript\Nand then it felt okeyish
Dialogue: 0,0:16:50.54,0:16:51.94,Default,,0000,0000,0000,,and so Python!
Dialogue: 0,0:16:51.94,0:16:57.60,Default,,0000,0000,0000,,And now it's a lot of code and it actually\Ngrew way beyond a Debian package.
Dialogue: 0,0:16:57.60,0:17:03.04,Default,,0000,0000,0000,,We changed the name, it was called debbindiff\Nbut it's absolutely not tied to Debian anymore.
Dialogue: 0,0:17:03.04,0:17:07.42,Default,,0000,0000,0000,,It's called diffoscope, thanks to Jocelyn\Nfor the name.
Dialogue: 0,0:17:07.42,0:17:12.02,Default,,0000,0000,0000,,Basically what it does: it tries to get to\Nthe bottom of what is different between
Dialogue: 0,0:17:12.02,0:17:13.80,Default,,0000,0000,0000,,two archives or directories.
Dialogue: 0,0:17:13.80,0:17:22.26,Default,,0000,0000,0000,,Because it's not useful to compare bytes that\Nare compressed by gzip or xz, that will not
Dialogue: 0,0:17:22.26,0:17:27.02,Default,,0000,0000,0000,,lead you to understand what is different\Nyou need to uncompress and look at
Dialogue: 0,0:17:27.02,0:17:32.80,Default,,0000,0000,0000,,uncompressed data, and if the thing actually\Ncompressed is a tarball, you might actually
Dialogue: 0,0:17:32.80,0:17:35.06,Default,,0000,0000,0000,,want to compare the files inside the tarball.
Dialogue: 0,0:17:35.06,0:17:42.26,Default,,0000,0000,0000,,If there is a PDF inside this archive, you\Ndon't want to compare the bytes of the PDF
Dialogue: 0,0:17:42.26,0:17:43.98,Default,,0000,0000,0000,,you want to compare the text of the PDF.
Dialogue: 0,0:17:43.98,0:17:49.68,Default,,0000,0000,0000,,So this is basically what diffoscope does,\Nit tries to transform anything that is
Dialogue: 0,0:17:49.68,0:17:56.60,Default,,0000,0000,0000,,a container and compare things in this\Ncontainer and if they can be transformed into
Dialogue: 0,0:17:56.60,0:18:01.18,Default,,0000,0000,0000,,a human readable form it will try to do\Nthat, and compare these human readable form.
Dialogue: 0,0:18:01.18,0:18:05.15,Default,,0000,0000,0000,,And if it doesn't find any difference but\Nthere are still differences from the bin
Dialogue: 0,0:18:05.15,0:18:07.32,Default,,0000,0000,0000,,it will fall back to binary comparison.
Dialogue: 0,0:18:07.52,0:18:12.68,Default,,0000,0000,0000,,Try it, extend it; it's Python, it's modular,\Nit's great.
Dialogue: 0,0:18:12.68,0:18:23.04,Default,,0000,0000,0000,,It already supports squashfs, ISO, rpm,\Ngettext, mo files files and so many different things.
Dialogue: 0,0:18:23.04,0:18:29.98,Default,,0000,0000,0000,,You can have HTML output like that,\Nso this is what is displayed on many
Dialogue: 0,0:18:29.98,0:18:34.02,Default,,0000,0000,0000,,examples we've shown so far, and also\Nto make it easier for copy paste
Dialogue: 0,0:18:34.02,0:18:38.14,Default,,0000,0000,0000,,and post processing we have the text output.
Dialogue: 0,0:18:38.14,0:18:43.06,Default,,0000,0000,0000,,You can also use it to review packages before\Nuploading them to Debian.
Dialogue: 0,0:18:43.06,0:18:49.16,Default,,0000,0000,0000,,It does fuzzy matching, so even if the\Ndirectory is different in the archive it will
Dialogue: 0,0:18:49.16,0:18:52.44,Default,,0000,0000,0000,,find it like git does.
Dialogue: 0,0:18:52.44,0:18:58.56,Default,,0000,0000,0000,,It has grown way more beyond just build\Nreproducibly. A useful tool.
Dialogue: 0,0:19:01.45,0:19:07.37,Default,,0000,0000,0000,,[Dhole] In order to solve timestamp issues, we are\Nproposing the SOURCE{\u1}DATE{\u0}EPOCH variable.
Dialogue: 0,0:19:07.38,0:19:11.85,Default,,0000,0000,0000,,This is because most of the times having\Nthe build date embedded in a package
Dialogue: 0,0:19:11.85,0:19:16.39,Default,,0000,0000,0000,,is not useful for the user, because you could\Ntake a really old package and build it today
Dialogue: 0,0:19:16.39,0:19:19.00,Default,,0000,0000,0000,,and that day would not be useful.
Dialogue: 0,0:19:19.00,0:19:25.74,Default,,0000,0000,0000,,We are standardizing a replacement for build\Ndates so that tools can use it.
Dialogue: 0,0:19:25.74,0:19:31.96,Default,,0000,0000,0000,,When this value is set, the tool instead of\Nembedding the current date, it will embed
Dialogue: 0,0:19:31.96,0:19:37.50,Default,,0000,0000,0000,,the date taken from SOURCE{\u1}DATE{\u0}EPOCH which\Nwill contain a Unix epoch timestamp.
Dialogue: 0,0:19:37.50,0:19:42.88,Default,,0000,0000,0000,,This is a general solution we are trying to\Nstandardize so that not only Debian uses it,
Dialogue: 0,0:19:42.88,0:19:48.02,Default,,0000,0000,0000,,but other Free Software projects and \Ndistributions and in the case of Debian,
Dialogue: 0,0:19:48.02,0:19:52.46,Default,,0000,0000,0000,,we set this variable to the latest Debian\Nchangelog entry timestamp.
Dialogue: 0,0:19:55.10,0:20:00.72,Default,,0000,0000,0000,,We have already been sending patches to\Ndifferent packages, mostly it's documentation
Dialogue: 0,0:20:00.72,0:20:06.06,Default,,0000,0000,0000,,generation. So here's a list of bugs that\Nwe have opened which have been closed
Dialogue: 0,0:20:06.06,0:20:12.29,Default,,0000,0000,0000,,and merged; so it's help2man, epydoc,\Nghostscript, texi2html and sphinx.
Dialogue: 0,0:20:12.29,0:20:18.99,Default,,0000,0000,0000,,We are both sending these patches to Debian\Nand upstream so all the distributions can
Dialogue: 0,0:20:18.99,0:20:28.16,Default,,0000,0000,0000,,use them, and we have also been sending\Npatches to other packages which are still
Dialogue: 0,0:20:28.16,0:20:32.16,Default,,0000,0000,0000,,open, so we encourage you to take a look\Nat these packages if you are the maintainer
Dialogue: 0,0:20:32.16,0:20:34.62,Default,,0000,0000,0000,,and merge the patch.
Dialogue: 0,0:20:36.16,0:20:41.18,Default,,0000,0000,0000,,[Lunar] Thanks to Daniel Kahn Gillmor and\NXimin Luo for pushing this proposal forward.
Dialogue: 0,0:20:41.18,0:20:45.54,Default,,0000,0000,0000,,And also lots of these patches have been\Nwritten by Akira and Dhole as part of their
Dialogue: 0,0:20:45.54,0:20:48.68,Default,,0000,0000,0000,,Google Summer of Code, and you work really\Ngreat.
Dialogue: 0,0:20:52.02,0:20:56.74,Default,,0000,0000,0000,,[Applause]
Dialogue: 0,0:21:02.72,0:21:07.72,Default,,0000,0000,0000,,[Dhole] The gcc patch is: gcc uses two\Nmacros which are _{\u1}DATE{\u0}{\u1} and {\u0}{\u1}TIME{\u0}_
Dialogue: 0,0:21:07.72,0:21:14.30,Default,,0000,0000,0000,,which embed the timestamp and I wrote a\Npatch so that if SOURCE{\u1}DATE{\u0}EPOCH is set
Dialogue: 0,0:21:14.30,0:21:18.74,Default,,0000,0000,0000,,instead of adding the current time, it takes\Nthe time from that variable.
Dialogue: 0,0:21:18.74,0:21:25.56,Default,,0000,0000,0000,,I sent this patch to gcc, it's still there\Nforgotten with many other patches
Dialogue: 0,0:21:25.56,0:21:29.40,Default,,0000,0000,0000,,but hopefully at some point they will\Nrealize that this is interesting and they
Dialogue: 0,0:21:29.40,0:21:30.42,Default,,0000,0000,0000,,will merge it.
Dialogue: 0,0:21:38.88,0:21:46.33,Default,,0000,0000,0000,,[Lamby] Hey. Let's very quickly run you\Nthrough some really simple ways
Dialogue: 0,0:21:46.33,0:21:50.44,Default,,0000,0000,0000,,to fixing packages. The details don't\Nnecessarily matter, it's just to give you
Dialogue: 0,0:21:50.45,0:21:55.64,Default,,0000,0000,0000,,of what needs to be changed and basically\Nto point out that it's not rocket science.
Dialogue: 0,0:21:55.64,0:21:57.66,Default,,0000,0000,0000,,So you can just come in and jump in.
Dialogue: 0,0:21:57.66,0:22:07.86,Default,,0000,0000,0000,,For example gzip, it's a very old tool\Nand they decided to add timestamps when
Dialogue: 0,0:22:07.86,0:22:11.94,Default,,0000,0000,0000,,you generate it, but it's an easy fix, you\Njust add -n flag.
Dialogue: 0,0:22:11.94,0:22:19.98,Default,,0000,0000,0000,,Some other things easy to change: some\NPython stuff had tag_date=True, which
Dialogue: 0,0:22:19.98,0:22:25.08,Default,,0000,0000,0000,,I don't know if you can see it but adds a\Ntimestamp to eggs. You just change it to
Dialogue: 0,0:22:25.08,0:22:26.40,Default,,0000,0000,0000,,False to get rid of it.
Dialogue: 0,0:22:26.40,0:22:34.34,Default,,0000,0000,0000,,Static libraries, they are just ar archives\Nso the same format as .deb, and you
Dialogue: 0,0:22:34.34,0:22:37.94,Default,,0000,0000,0000,,can just use binutils or strip-nondeterminism\Ntool.
Dialogue: 0,0:22:37.94,0:22:44.36,Default,,0000,0000,0000,,PNG has timestamps for some reason, you can\Nget rid of them, that's ImageMagick and it's
Dialogue: 0,0:22:44.36,0:22:49.30,Default,,0000,0000,0000,,a bit ugly, but also strip-nondeterminism\Ngets rid of it.
Dialogue: 0,0:22:49.30,0:22:54.64,Default,,0000,0000,0000,,Tarballs are quite interesting, they will\Nby default capture user and group
Dialogue: 0,0:22:54.64,0:22:58.34,Default,,0000,0000,0000,,you just pass --owner=root bla bla bla...
Dialogue: 0,0:22:58.34,0:23:04.50,Default,,0000,0000,0000,,Ordering, this is interesting as well, it\Nwill usually use file system ordering
Dialogue: 0,0:23:04.50,0:23:10.64,Default,,0000,0000,0000,,which is completely non-deterministic. So\Nyou need to sort with LC_ALL=C.
Dialogue: 0,0:23:14.74,0:23:18.78,Default,,0000,0000,0000,,[Lunar] Think about the locale! Because\Nsorting order varies from local to the next.
Dialogue: 0,0:23:22.68,0:23:28.08,Default,,0000,0000,0000,,[Lamby] They also take timestamps, again\Nyou can set --mtime or you can mock around
Dialogue: 0,0:23:28.08,0:23:31.04,Default,,0000,0000,0000,,with find/xargs/touch bla bla...
Dialogue: 0,0:23:31.04,0:23:37.40,Default,,0000,0000,0000,,Lots of other files have timestamps: Erlang\Nfiles for no reason, even upstream don't
Dialogue: 0,0:23:37.40,0:23:39.60,Default,,0000,0000,0000,,know why they added a timestamp.
Dialogue: 0,0:23:42.48,0:23:48.60,Default,,0000,0000,0000,,We have now a patch for SOURCE{\u1}DATE{\u0}EPOCH,\Nwhich I think landed a couple days ago.
Dialogue: 0,0:23:49.88,0:23:57.14,Default,,0000,0000,0000,,Here's an interesting one, not necessarily\Nthe current build timestamp, so this is a
Dialogue: 0,0:23:57.14,0:24:04.64,Default,,0000,0000,0000,,timezone dependent date which Ruby loads\Nand then saves incorrectly as your local time.
Dialogue: 0,0:24:04.64,0:24:07.42,Default,,0000,0000,0000,,This gets mangled, so that's patching.
Dialogue: 0,0:24:07.42,0:24:14.50,Default,,0000,0000,0000,,I'm going from changing individual packages\Nto more toolchain things as you can see.
Dialogue: 0,0:24:14.50,0:24:21.00,Default,,0000,0000,0000,,Upstream configure scripts, you can maybe\Nsee the top that it just uses hostname
Dialogue: 0,0:24:21.00,0:24:26.24,Default,,0000,0000,0000,,for no reason. Sometimes you can override\Nit in debian/rules just by exporting something
Dialogue: 0,0:24:26.24,0:24:31.92,Default,,0000,0000,0000,,or passing a variable to dh_autobuild or\Nwhatever. That's just a little bit more
Dialogue: 0,0:24:31.92,0:24:33.88,Default,,0000,0000,0000,,involved, you have to look at it more\Ncarefully.
Dialogue: 0,0:24:33.88,0:24:40.44,Default,,0000,0000,0000,,Perl hash order, lot of Perl uses data\NData::Dumper to just output a bunch of stuff which
Dialogue: 0,0:24:40.44,0:24:46.76,Default,,0000,0000,0000,,is just not deterministic. So often just\Nsetting Sortkeys, but sometimes it's
Dialogue: 0,0:24:46.76,0:24:48.46,Default,,0000,0000,0000,,a completely different solution.
Dialogue: 0,0:24:48.46,0:24:53.32,Default,,0000,0000,0000,,Header files, so you can maybe see that\Nthey are using the timestamp essentially
Dialogue: 0,0:24:53.32,0:24:59.48,Default,,0000,0000,0000,,as a unique identifier, you probably have\Nto start re-writing these something saner
Dialogue: 0,0:24:59.48,0:25:03.90,Default,,0000,0000,0000,,because this is a wrong use of timestamp\Nanyway.
Dialogue: 0,0:25:03.90,0:25:12.80,Default,,0000,0000,0000,,More Makefiles, the deeper they timestamp\Nin the upstream package the more you have
Dialogue: 0,0:25:12.80,0:25:15.38,Default,,0000,0000,0000,,to start patching, so these kind of start\Nsucking a little.
Dialogue: 0,0:25:15.38,0:25:21.02,Default,,0000,0000,0000,,We've made a lot of toolchain changes, some\Nalready mentioned, some of them already
Dialogue: 0,0:25:21.02,0:25:25.20,Default,,0000,0000,0000,,merged, see more in this link. Again,\Ndetails don't matter, just check it out
Dialogue: 0,0:25:25.20,0:25:29.78,Default,,0000,0000,0000,,it isn't crazy, it's just working out\Nwhat's different.
Dialogue: 0,0:25:29.78,0:25:35.06,Default,,0000,0000,0000,,In terms of the work done we've sent these\Nmany patches: two patches a day,
Dialogue: 0,0:25:35.06,0:25:37.90,Default,,0000,0000,0000,,which is not too bad, on average.
Dialogue: 0,0:25:40.17,0:25:46.44,Default,,0000,0000,0000,,[Applause]
Dialogue: 0,0:25:48.11,0:25:50.76,Default,,0000,0000,0000,,[Holger] I can't clap because I sent three\Nor something like that
Dialogue: 0,0:25:52.51,0:25:53.74,Default,,0000,0000,0000,,[Lamby] Holger does three per day.
Dialogue: 0,0:25:54.84,0:25:59.64,Default,,0000,0000,0000,,And this doesn't count other bugs we found\Nin the process of building packages, like
Dialogue: 0,0:25:59.64,0:26:00.80,Default,,0000,0000,0000,,fail to build.
Dialogue: 0,0:26:00.80,0:26:08.36,Default,,0000,0000,0000,,This is blue the ones that are open and\Norange are done.
Dialogue: 0,0:26:08.36,0:26:14.00,Default,,0000,0000,0000,,You can see that someone went a bit crazy\Nin February filing bugs and eventually they
Dialogue: 0,0:26:14.00,0:26:17.20,Default,,0000,0000,0000,,were being fixed; slowly.
Dialogue: 0,0:26:18.42,0:26:23.59,Default,,0000,0000,0000,,[Holger] And actually we filed more bugs\Nbecause the fail to build from source bugs
Dialogue: 0,0:26:23.59,0:26:28.70,Default,,0000,0000,0000,,are excluded, I think we filed 300 FTBFS\Nin the last two or three months.
Dialogue: 0,0:26:30.85,0:26:34.40,Default,,0000,0000,0000,,[Lamby] And those include fail to build\Nbecause of reproducibility things as well
Dialogue: 0,0:26:34.40,0:26:36.14,Default,,0000,0000,0000,,but we haven't split them up.
Dialogue: 0,0:26:40.02,0:26:46.64,Default,,0000,0000,0000,,[Lunar] What's left to be done because\NHolger said "the graph is a lie".
Dialogue: 0,0:26:46.64,0:26:58.24,Default,,0000,0000,0000,,The main thing that is blocking a lot of\Nwork is dpkg. Right now the output of dpkg
Dialogue: 0,0:26:58.24,0:27:09.26,Default,,0000,0000,0000,,will be not deterministic 100% of the time,\Nbecause of timestamps and at least the
Dialogue: 0,0:27:09.26,0:27:15.38,Default,,0000,0000,0000,,file ordering. We also have a patch that\Ncreates these .buildinfo files that we've
Dialogue: 0,0:27:15.38,0:27:22.42,Default,,0000,0000,0000,,shown that works. It's not submitted yet\Nto dpkg because we need to agree on the
Dialogue: 0,0:27:22.42,0:27:27.02,Default,,0000,0000,0000,,format. At least we have ftpmaster or\Nmaybe dpkg, well we have a lot of people
Dialogue: 0,0:27:27.02,0:27:29.50,Default,,0000,0000,0000,,and that's what we are going to do the\Nnext hour.
Dialogue: 0,0:27:29.50,0:27:38.56,Default,,0000,0000,0000,,Debhelper also has a few changes; the make\Nmtimes, debhelper might also not be
Dialogue: 0,0:27:38.56,0:27:42.78,Default,,0000,0000,0000,,best place, maybe we want that in dpkg.
Dialogue: 0,0:27:42.78,0:27:47.50,Default,,0000,0000,0000,,I've been trying to put patches in tar so\Nwe can make it easier. It's complicated to
Dialogue: 0,0:27:47.50,0:27:54.24,Default,,0000,0000,0000,,see where's the best place but so far we've\Nbeen doing our tests with this frame and it works.
Dialogue: 0,0:27:54.24,0:27:59.96,Default,,0000,0000,0000,,[Holger] In our repository we have these\Npackages with these bugs fixed so when
Dialogue: 0,0:27:59.96,0:28:03.62,Default,,0000,0000,0000,,you want to test reproducibility issues on\Nyour own machine you need to use the
Dialogue: 0,0:28:03.62,0:28:07.19,Default,,0000,0000,0000,,repository which has these patches applied\Nat the moment.
Dialogue: 0,0:28:07.19,0:28:10.20,Default,,0000,0000,0000,,In pure sid you cannot create reproducible\Npackages.
Dialogue: 0,0:28:10.46,0:28:18.20,Default,,0000,0000,0000,,[Lunar] I heard that the SOURCE{\u1}DATE{\u0}EPOCH\Npatch is in git already, so it's going to happen.
Dialogue: 0,0:28:18.20,0:28:26.64,Default,,0000,0000,0000,,cdbs also needed to export SOURCE{\u1}DATE{\u0}EPOCH\Nand we are starting to do more infrastructure
Dialogue: 0,0:28:26.64,0:28:34.38,Default,,0000,0000,0000,,work: Josch mainly and Akira on sbuild,\Nbecause we wanted to have this
Dialogue: 0,0:28:34.38,0:28:40.42,Default,,0000,0000,0000,,srebuild script, where you give it a\Nbuildinfo and it will do the rebuild and
Dialogue: 0,0:28:40.42,0:28:47.10,Default,,0000,0000,0000,,it needs changes in build daemon for the\Nbuild path and also a couple of changes in
Dialogue: 0,0:28:47.10,0:28:48.94,Default,,0000,0000,0000,,sbuild itself.
Dialogue: 0,0:28:48.94,0:28:53.30,Default,,0000,0000,0000,,[Holger] And the script is not ready yet,\Nthis "Finish" means it uses our repository
Dialogue: 0,0:28:53.30,0:28:56.96,Default,,0000,0000,0000,,at the moment, we need to change it to only\Nuse Sid and snapshot.
Dialogue: 0,0:28:56.96,0:29:01.70,Default,,0000,0000,0000,,[Lunar] So there is the buildd issue that\Nwe need to discuss
Dialogue: 0,0:29:01.70,0:29:08.74,Default,,0000,0000,0000,,and we also need to see how we could include\Nor not, or somewhere give this buildinfo
Dialogue: 0,0:29:08.74,0:29:12.50,Default,,0000,0000,0000,,control file to the world so they can\Nrebuild the packages, so it's not yet
Dialogue: 0,0:29:12.50,0:29:14.42,Default,,0000,0000,0000,,clear where's the best place to store\Nthem.
Dialogue: 0,0:29:14.42,0:29:20.82,Default,,0000,0000,0000,,Because adding 22,000 files, some\Npeople get cranky of this idea.
Dialogue: 0,0:29:20.82,0:29:25.84,Default,,0000,0000,0000,,[Holger] It's more than 22,000 files, it's\N22,000 source packages multiplied by
Dialogue: 0,0:29:25.84,0:29:30.40,Default,,0000,0000,0000,,10 architectures; but there's a lot of\Narch builds so that's probably 100,000
Dialogue: 0,0:29:30.40,0:29:37.56,Default,,0000,0000,0000,,buildinfo files, multiplied by Stretch and\NSid, so it's 200,000 files or more on
Dialogue: 0,0:29:37.56,0:29:40.00,Default,,0000,0000,0000,,the file servers and on the mirrors we\Nwould like to have it.
Dialogue: 0,0:29:40.00,0:29:43.88,Default,,0000,0000,0000,,That's the same amount of files which are\Ncurrently there. The mirror operators are
Dialogue: 0,0:29:43.88,0:29:49.00,Default,,0000,0000,0000,,currently not happy, they will not take it,\Nso our current idea is just concatenate
Dialogue: 0,0:29:49.00,0:29:54.68,Default,,0000,0000,0000,,all these files into one file that's 140 MB\Nuncompressed, 40 MB compressed.
Dialogue: 0,0:29:54.68,0:29:56.44,Default,,0000,0000,0000,,That's easier to handle.
Dialogue: 0,0:29:56.44,0:29:59.88,Default,,0000,0000,0000,,And then probably have a service\Nbuildinfo.debian.org where you can
Dialogue: 0,0:29:59.88,0:30:02.78,Default,,0000,0000,0000,,download individual buildinfo files if you\Nneed them.
Dialogue: 0,0:30:03.66,0:30:09.90,Default,,0000,0000,0000,,[Lunar] And so when we will be done with\Nall that we can maybe add a final patch
Dialogue: 0,0:30:09.98,0:30:16.30,Default,,0000,0000,0000,,it would be to Debian policy, mandating\NDebian packages be reproducible.
Dialogue: 0,0:30:19.51,0:30:22.73,Default,,0000,0000,0000,,[Applause]
Dialogue: 0,0:30:24.23,0:30:31.15,Default,,0000,0000,0000,,I can say again that the dream of mine is\Nthat we would stop uploading .deb when
Dialogue: 0,0:30:31.15,0:30:37.88,Default,,0000,0000,0000,,we upload a package, but instead just upload\Nthe hash of the binary, have the buildd
Dialogue: 0,0:30:37.88,0:30:43.05,Default,,0000,0000,0000,,build again this package and only if these\Ntwo match they can enter the archive.
Dialogue: 0,0:30:43.05,0:30:47.86,Default,,0000,0000,0000,,So we are sure that at least the two\Nmachines, the developer machine and the
Dialogue: 0,0:30:47.86,0:30:50.52,Default,,0000,0000,0000,,build deamon agree that they've built the\Nsame thing.
Dialogue: 0,0:30:51.02,0:30:55.40,Default,,0000,0000,0000,,[Applause]
Dialogue: 0,0:30:58.16,0:31:02.78,Default,,0000,0000,0000,,[Holger] I share this dream but I think\Nhaving this in policy is a mass requirement
Dialogue: 0,0:31:02.78,0:31:15.92,Default,,0000,0000,0000,,sadly something only for Stretch + 1, but\NI'm curious if we had fixed dpkg and
Dialogue: 0,0:31:15.92,0:31:21.66,Default,,0000,0000,0000,,debhelper now, would you think we should\Nupgrade all these wishlist bugs to important now?
Dialogue: 0,0:31:22.63,0:31:26.34,Default,,0000,0000,0000,,[Audience] Yes!
Dialogue: 0,0:31:31.06,0:31:33.59,Default,,0000,0000,0000,,[Holger] We'll talk about this later soon.
Dialogue: 0,0:31:34.32,0:31:36.64,Default,,0000,0000,0000,,[Lunar] But before that we actually have\Nwork to do.
Dialogue: 0,0:31:40.14,0:31:43.64,Default,,0000,0000,0000,,[Dhole] In order to fix your package, the\Nfirst thing you can do is go to
Dialogue: 0,0:31:43.64,0:31:51.34,Default,,0000,0000,0000,,reproducible.debian.net/package, and you\Ncan the web interface where you can see
Dialogue: 0,0:31:51.34,0:31:56.19,Default,,0000,0000,0000,,notes on the package, we have tags to\Nidentify different issues that make packages
Dialogue: 0,0:31:56.19,0:31:59.18,Default,,0000,0000,0000,,not reproducible, with links to the wiki\Nabout how to solve them.
Dialogue: 0,0:32:04.81,0:32:08.74,Default,,0000,0000,0000,,[Holger] When you see this, you want to\Nclick on this debbindiff link.
Dialogue: 0,0:32:08.74,0:32:12.44,Default,,0000,0000,0000,,It's still called debbindiff not diffoscope,\Nthis will show all the differences,
Dialogue: 0,0:32:12.44,0:32:17.08,Default,,0000,0000,0000,,if there is a note. If the package is \Nunreproducible and there's no note
Dialogue: 0,0:32:17.08,0:32:21.04,Default,,0000,0000,0000,,it will automatically display the\Ndebbindiff, and if your package is fine
Dialogue: 0,0:32:21.04,0:32:23.24,Default,,0000,0000,0000,,there's here a sun.
Dialogue: 0,0:32:29.50,0:32:34.14,Default,,0000,0000,0000,,[Dhole] You can also see an entry in the\Ntracker, stating if your package is
Dialogue: 0,0:32:34.14,0:32:35.48,Default,,0000,0000,0000,,reproducible or not.
Dialogue: 0,0:32:38.75,0:32:45.60,Default,,0000,0000,0000,,You can also find information in DDPO and\NDMD. You can find tips on the wiki it's
Dialogue: 0,0:32:45.60,0:32:53.94,Default,,0000,0000,0000,,ReproducibleBuilds wiki, we are working on\Na Howto to have detailed steps on different
Dialogue: 0,0:32:53.94,0:33:01.14,Default,,0000,0000,0000,,issues and how to solve them. Lunar gave\Na talk at CCCamp where there's many issues
Dialogue: 0,0:33:01.14,0:33:05.46,Default,,0000,0000,0000,,really well explained and the solutions for\Nthem.
Dialogue: 0,0:33:05.46,0:33:11.26,Default,,0000,0000,0000,,You can also come to our irc channel which\Nis #debian-reproducible and ask for help
Dialogue: 0,0:33:11.26,0:33:12.88,Default,,0000,0000,0000,,or go to the mailing-list.
Dialogue: 0,0:33:14.24,0:33:21.23,Default,,0000,0000,0000,,In order to test locally if your package is\Nreproducible right now we are using a
Dialogue: 0,0:33:21.23,0:33:29.40,Default,,0000,0000,0000,,script that uses pbuilder in a custom\Nconfiguration, you need to set up our
Dialogue: 0,0:33:29.40,0:33:35.24,Default,,0000,0000,0000,,reproducible repository. In the Howto in\Nthe wiki there's the steps on how to set up
Dialogue: 0,0:33:35.24,0:33:38.86,Default,,0000,0000,0000,,the chroot and everything, it's documented\Nin the wiki.
Dialogue: 0,0:33:38.86,0:33:44.28,Default,,0000,0000,0000,,Diffoscope is in unstable and today it's\Ngoing in Stretch.
Dialogue: 0,0:33:44.28,0:33:53.96,Default,,0000,0000,0000,,We plan to add these scripts to rebuild\Npackages in different settings in debscripts
Dialogue: 0,0:33:53.96,0:34:04.18,Default,,0000,0000,0000,,once dpkg is good, and we welcome you\Ntomorrow to the hacking session from
Dialogue: 0,0:34:04.18,0:34:06.98,Default,,0000,0000,0000,,2 to 7 in Stockholm room.
Dialogue: 0,0:34:10.46,0:34:15.20,Default,,0000,0000,0000,,[Lunar] That's for fixing your packages,\Nplease do that. If you want to have even
Dialogue: 0,0:34:15.20,0:34:18.74,Default,,0000,0000,0000,,more fun, then test your own package, join\Nus!
Dialogue: 0,0:34:18.74,0:34:25.00,Default,,0000,0000,0000,,This is the past year of my life, it has\Nbeen awesome because the team has been
Dialogue: 0,0:34:25.00,0:34:32.34,Default,,0000,0000,0000,,so great, it's been friendly atmosphere, lots of\Nnew understanding so many things you didn't
Dialogue: 0,0:34:32.34,0:34:39.24,Default,,0000,0000,0000,,want to learn about that you had to learn\Nabout, and basically it feels very good to
Dialogue: 0,0:34:39.24,0:34:46.46,Default,,0000,0000,0000,,be part of this actual changing the world\Nthing. It's just software but it has some
Dialogue: 0,0:34:46.46,0:34:51.12,Default,,0000,0000,0000,,profound effect. I've been told that the\Nwork we've been doing is being tossed
Dialogue: 0,0:34:51.12,0:34:58.16,Default,,0000,0000,0000,,around in Cisco and Google and Facebook;\Nall these big dot com companies bla bla,
Dialogue: 0,0:34:58.16,0:35:01.56,Default,,0000,0000,0000,,they actually want to do that as well even\Nthough they are not doing Free Software,
Dialogue: 0,0:35:01.56,0:35:03.40,Default,,0000,0000,0000,,which I find wired, but whatever.
Dialogue: 0,0:35:03.40,0:35:09.70,Default,,0000,0000,0000,,So what do we do? We review packages, we\Nhave these notes when we actually try to
Dialogue: 0,0:35:09.70,0:35:13.03,Default,,0000,0000,0000,,identify, so when the maintainer comes\Nthey don't have to think to much about
Dialogue: 0,0:35:13.03,0:35:19.13,Default,,0000,0000,0000,,the problem and just fix it. We try to\Nidentify common trends so when many
Dialogue: 0,0:35:19.13,0:35:23.74,Default,,0000,0000,0000,,packages have the same problem we make an\Nentry and explain and maybe think about fixes
Dialogue: 0,0:35:23.74,0:35:26.82,Default,,0000,0000,0000,,that could apply to the whole archive.
Dialogue: 0,0:35:26.82,0:35:33.50,Default,,0000,0000,0000,,We work on this reproducible.debian.net\Njenkins setup, the scripts.
Dialogue: 0,0:35:33.50,0:35:41.44,Default,,0000,0000,0000,,We hack on the diffoscope tool, we make\Nstrip-nondeterminism better, we propose
Dialogue: 0,0:35:41.44,0:35:45.44,Default,,0000,0000,0000,,changes for the toolchains when there are\Nneeds, some need a lot of patches,
Dialogue: 0,0:35:45.44,0:35:59.32,Default,,0000,0000,0000,,most of the bugs we have reported on\Nindividual packages have patches.
Dialogue: 0,0:36:01.35,0:36:03.79,Default,,0000,0000,0000,,[Holger] Bugs have patches\N[Lunar] Yes!
Dialogue: 0,0:36:04.26,0:36:08.80,Default,,0000,0000,0000,,And also we are actually writing some more\Ngeneral documentation from the
Dialogue: 0,0:36:08.80,0:36:15.18,Default,,0000,0000,0000,,understanding of these things we have been\Nhaving, we are preparing a reproducible
Dialogue: 0,0:36:15.18,0:36:22.46,Default,,0000,0000,0000,,builds Howto to explain to the Free Software\Nworld how they can do it so it's about some
Dialogue: 0,0:36:22.46,0:36:26.54,Default,,0000,0000,0000,,of what Chris explained but also more\Ngeneral consideration on what if you're
Dialogue: 0,0:36:26.54,0:36:29.44,Default,,0000,0000,0000,,not Debian and you want your thing\Nreproducible when you distribute as an
Dialogue: 0,0:36:29.44,0:36:35.72,Default,,0000,0000,0000,,independent vendor. So we want to work on\Nreference documentation so the whole world
Dialogue: 0,0:36:35.72,0:36:37.42,Default,,0000,0000,0000,,can actually do that.
Dialogue: 0,0:36:38.90,0:36:43.14,Default,,0000,0000,0000,,We do a lot of talks as you've seen and\Nit's been fun, and with all these
Dialogue: 0,0:36:43.14,0:36:48.96,Default,,0000,0000,0000,,presentations we've made so far it's all\Nin git. And everybody is free to take one
Dialogue: 0,0:36:48.96,0:36:52.94,Default,,0000,0000,0000,,of these slide decks and run with it\Nsomewhere, translate it...
Dialogue: 0,0:36:56.89,0:36:58.60,Default,,0000,0000,0000,,Questions?
Dialogue: 0,0:37:01.24,0:37:04.16,Default,,0000,0000,0000,,We have to run with the microphone, because\Nthere's no mic anymore.
Dialogue: 0,0:37:14.22,0:37:17.20,Default,,0000,0000,0000,,[Question] I just wanted to make two quick\Ncomments: so first of all diffoscope is
Dialogue: 0,0:37:17.20,0:37:22.14,Default,,0000,0000,0000,,really awesome, not only for reproducibility\Nbut also for example if you change your
Dialogue: 0,0:37:22.14,0:37:27.40,Default,,0000,0000,0000,,debian/rules in some way and want to see if\Nthe package is the same afterwards because
Dialogue: 0,0:37:27.40,0:37:31.56,Default,,0000,0000,0000,,you just cleaned up a bit, that's really\Nawesome for that, so thank you.
Dialogue: 0,0:37:31.56,0:37:37.48,Default,,0000,0000,0000,,And also I think the work you're doing now\Nis something that in 20 years time we're
Dialogue: 0,0:37:37.48,0:37:41.34,Default,,0000,0000,0000,,going to look back towards it and think,\Nwell, of course builds should be
Dialogue: 0,0:37:41.34,0:37:44.48,Default,,0000,0000,0000,,reproducible, so thank you very much for\Nyour work!
Dialogue: 0,0:37:44.82,0:37:49.02,Default,,0000,0000,0000,,[Applause]
Dialogue: 0,0:37:52.40,0:38:02.98,Default,,0000,0000,0000,,[Question] When reproducibility becomes\Npart of the Debian policy, will there be a
Dialogue: 0,0:38:02.98,0:38:05.90,Default,,0000,0000,0000,,lintian --reproducible?
Dialogue: 0,0:38:09.18,0:38:12.28,Default,,0000,0000,0000,,[Holger] I don't think lintian can detect\Nthat because lintian works on the source
Dialogue: 0,0:38:12.28,0:38:15.02,Default,,0000,0000,0000,,package and you need to build the package\Nfor this.
Dialogue: 0,0:38:15.68,0:38:20.58,Default,,0000,0000,0000,,[Lamby] Things that could be detected by\Nlintian from a static analysis point of view,
Dialogue: 0,0:38:20.58,0:38:26.24,Default,,0000,0000,0000,,yeah I'm sure, like looking for gzip\Nwithout -n for example, but that wouldn't
Dialogue: 0,0:38:26.24,0:38:28.94,Default,,0000,0000,0000,,be conclusive from lintian point of view.
Dialogue: 0,0:38:29.36,0:38:33.06,Default,,0000,0000,0000,,[Lunar] One thing that I really wanted to\Ndiffoscope at some point - the code is made
Dialogue: 0,0:38:33.06,0:38:37.54,Default,,0000,0000,0000,,the way that it's possible - it's to have\Nhints so when it actually looks up
Dialogue: 0,0:38:37.54,0:38:44.50,Default,,0000,0000,0000,,differences between two packages then you\Ncan have an idea, suggest you: hey you need
Dialogue: 0,0:38:44.50,0:38:49.80,Default,,0000,0000,0000,,to remove that timestamps, or you should\Nsort these keys. It's not done yet, but if
Dialogue: 0,0:38:49.80,0:38:52.58,Default,,0000,0000,0000,,anybody wants to do patches it's totally\Ndoable.
Dialogue: 0,0:38:58.48,0:39:04.02,Default,,0000,0000,0000,,[Question] Thank you for the work, have\Nyou thought about reproducible images?
Dialogue: 0,0:39:04.62,0:39:06.00,Default,,0000,0000,0000,,[Holger] It's on the todo list.
Dialogue: 0,0:39:07.70,0:39:15.06,Default,,0000,0000,0000,,Before images we need reproducible package\Ninstallation, and then we need reproducible
Dialogue: 0,0:39:15.06,0:39:19.56,Default,,0000,0000,0000,,images like squashfs has some things which\Nare not reproducible, but the package
Dialogue: 0,0:39:19.56,0:39:23.28,Default,,0000,0000,0000,,installation is not reproducible at the\Nmoment because apt installs packages in
Dialogue: 0,0:39:23.28,0:39:27.86,Default,,0000,0000,0000,,arbitrary order and then the post-inst\Ncreate for example users which get
Dialogue: 0,0:39:27.86,0:39:32.68,Default,,0000,0000,0000,,user-ids in the order the packages are\Ninstalled, so for that to fix either apt
Dialogue: 0,0:39:32.68,0:39:39.42,Default,,0000,0000,0000,,needs a way to install in a deterministic\Norder, but it's on the todo list file.
Dialogue: 0,0:39:39.84,0:39:43.88,Default,,0000,0000,0000,,[Lunar] Pabs started a wiki page a couple\Nof months ago that is called reproducible
Dialogue: 0,0:39:43.88,0:39:50.26,Default,,0000,0000,0000,,install. This is very important if we want\Ntools like Tails to actually be reproducible
Dialogue: 0,0:39:50.26,0:39:54.74,Default,,0000,0000,0000,,so some people will work on that, we do\Nwant to work on that.
Dialogue: 0,0:39:54.74,0:39:58.54,Default,,0000,0000,0000,,[Lamby] It's quite a deep problem for\Nexample d-i will install different stuff
Dialogue: 0,0:39:58.54,0:40:02.26,Default,,0000,0000,0000,,depending on your hardware, so that's\Nimmediately not reproducible.
Dialogue: 0,0:40:02.26,0:40:04.68,Default,,0000,0000,0000,,It'd be great.
Dialogue: 0,0:40:06.54,0:40:09.66,Default,,0000,0000,0000,,[Question] I've been working on a couple\Nof my packages to get them reproducible
Dialogue: 0,0:40:09.67,0:40:16.00,Default,,0000,0000,0000,,build, but I was often wondering if I\Nshould fix it in my package or actually
Dialogue: 0,0:40:16.00,0:40:23.22,Default,,0000,0000,0000,,that it should be fixed in higher up and I\Nguess I've been adding some fixes to my
Dialogue: 0,0:40:23.22,0:40:28.44,Default,,0000,0000,0000,,packages which may in the future even not\Nbe needed anymore and then it's just
Dialogue: 0,0:40:28.44,0:40:30.80,Default,,0000,0000,0000,,unnecessary code as well.
Dialogue: 0,0:40:30.80,0:40:35.56,Default,,0000,0000,0000,,So how do you see where things should be\Nfixed and how should we as package
Dialogue: 0,0:40:35.56,0:40:37.58,Default,,0000,0000,0000,,maintainers go about with this?
Dialogue: 0,0:40:38.44,0:40:44.02,Default,,0000,0000,0000,,[Holger] There's many things which there's\Nthe easy fix to whatever: set the timezone in
Dialogue: 0,0:40:44.02,0:40:50.66,Default,,0000,0000,0000,,debhelper or better in dpkg to UTC, but\Nthat will not fix the upstream bugs, so
Dialogue: 0,0:40:50.66,0:40:56.56,Default,,0000,0000,0000,,actually it's better not to fix, set the \Ntimezone or other things deterministically
Dialogue: 0,0:40:56.56,0:41:00.72,Default,,0000,0000,0000,,in these tools but rather have them fixed\Nupstream, that's what we want.
Dialogue: 0,0:41:00.72,0:41:06.94,Default,,0000,0000,0000,,Some things we will need to fix them in\Ndpkg to get a meaningful result but
Dialogue: 0,0:41:06.94,0:41:11.66,Default,,0000,0000,0000,,basically we want rather these distributions\Nwith just build from source which don't have
Dialogue: 0,0:41:11.66,0:41:15.06,Default,,0000,0000,0000,,debian/rules and they just build with\Nupstream Makefiles, we want the fixes
Dialogue: 0,0:41:15.06,0:41:17.32,Default,,0000,0000,0000,,to land there.
Dialogue: 0,0:41:18.10,0:41:21.50,Default,,0000,0000,0000,,[Lunar] We've been experimenting for two\Nand this is a lot of trials and errors,
Dialogue: 0,0:41:21.50,0:41:26.19,Default,,0000,0000,0000,,trying something, see how it fails, or\Nmaybe we can do better than that and
Dialogue: 0,0:41:26.19,0:41:30.02,Default,,0000,0000,0000,,changing. And I know this can be frustrating\Nat some point because you do changes
Dialogue: 0,0:41:30.02,0:41:35.60,Default,,0000,0000,0000,,and they all become unneeded, but in the\Nend this is how we make stuff that matters.
Dialogue: 0,0:41:35.60,0:41:40.98,Default,,0000,0000,0000,,And we move forward, it's not because we're\Ntrying to make the big picture at once,
Dialogue: 0,0:41:40.98,0:41:46.26,Default,,0000,0000,0000,,and I know in Debian we sometimes try to do\Nthat, so we experiment and learn from it.
Dialogue: 0,0:41:46.58,0:41:51.74,Default,,0000,0000,0000,,[Question] An example that I'm now looking\Ninto is actually the documentation is built
Dialogue: 0,0:41:51.74,0:41:57.76,Default,,0000,0000,0000,,for this package by looking in all the files\Nand generating but, for instances the
Dialogue: 0,0:41:57.76,0:42:05.50,Default,,0000,0000,0000,,index file is sorted, but I guess upstream\Nwould say: well, if you set some ordering
Dialogue: 0,0:42:05.50,0:42:11.36,Default,,0000,0000,0000,,in your LC parameters you want this page\Nto be order as you want, instead of forcing
Dialogue: 0,0:42:11.36,0:42:16.18,Default,,0000,0000,0000,,it in the sort, so I'm really wondering:\Nshould I now upstream this or should
Dialogue: 0,0:42:16.18,0:42:18.74,Default,,0000,0000,0000,,I just fix it in my rules because that's\Nthe logical place?
Dialogue: 0,0:42:20.57,0:42:29.36,Default,,0000,0000,0000,,[Lunar] Both. No, there's no good answer,\NI'm quite a strong proponent on the idea
Dialogue: 0,0:42:29.36,0:42:34.58,Default,,0000,0000,0000,,that if you use a computer you should be\Nable to talk and have the computer talk to
Dialogue: 0,0:42:34.58,0:42:41.04,Default,,0000,0000,0000,,you in the language that you choose, so if\Npeople want to have gcc error messages
Dialogue: 0,0:42:41.04,0:42:45.32,Default,,0000,0000,0000,,in German, they should have it.
Dialogue: 0,0:42:45.32,0:42:50.92,Default,,0000,0000,0000,,But local sorting, this is the kind of\NLC_ALL that can be very local and that
Dialogue: 0,0:42:50.92,0:42:54.18,Default,,0000,0000,0000,,you can do for just one tool, it's fine to\Ndo that.
Dialogue: 0,0:42:55.82,0:42:59.28,Default,,0000,0000,0000,,[Question] Do you have ideas on making\Nsources reproducible? Like upstreams
Dialogue: 0,0:42:59.28,0:43:03.94,Default,,0000,0000,0000,,calling make dist, or this infamous\Nautogen.sh files?
Dialogue: 0,0:43:06.74,0:43:12.46,Default,,0000,0000,0000,,[Lunar] I don't think that anybody in the\Nteam has looked into that yet, source
Dialogue: 0,0:43:12.46,0:43:22.66,Default,,0000,0000,0000,,files are easy to analyze way more than\Nbinary packages so, it would still be great
Dialogue: 0,0:43:22.66,0:43:29.78,Default,,0000,0000,0000,,to have easier ways; you have source\Ntarballs be byte for byte identical,
Dialogue: 0,0:43:29.78,0:43:37.33,Default,,0000,0000,0000,,but it's not as an issue as it is for\Nbinaries. If people want to look in that
Dialogue: 0,0:43:37.33,0:43:39.04,Default,,0000,0000,0000,,they should.
Dialogue: 0,0:43:43.56,0:43:48.70,Default,,0000,0000,0000,,[Question] Do you know a way to make git\Narchive build something reproducible?
Dialogue: 0,0:43:50.44,0:43:51.83,Default,,0000,0000,0000,,[Lunar] Well pristine-tar
Dialogue: 0,0:43:51.88,0:43:53.24,Default,,0000,0000,0000,,[Question] Yes, but without it.
Dialogue: 0,0:43:54.46,0:43:58.30,Default,,0000,0000,0000,,[Holger] There's one tool. You want to use\Na new one? Then write it.
Dialogue: 0,0:44:01.68,0:44:04.90,Default,,0000,0000,0000,,Why not use that tool which does the job?
Dialogue: 0,0:44:05.54,0:44:07.72,Default,,0000,0000,0000,,pristine-tar does it.
Dialogue: 0,0:44:10.64,0:44:16.54,Default,,0000,0000,0000,,[Lunar] This is for source and so that's\Nanother issue that what we are actually
Dialogue: 0,0:44:16.54,0:44:17.80,Default,,0000,0000,0000,,currently working on.
Dialogue: 0,0:44:21.75,0:44:25.91,Default,,0000,0000,0000,,[Holger] You're welcome to join the team and\Nextend our scope to sources.
Dialogue: 0,0:44:28.58,0:44:30.64,Default,,0000,0000,0000,,[Lunar] How many questions, two?
Dialogue: 0,0:44:33.05,0:44:35.54,Default,,0000,0000,0000,,Two more questions, two or three.
Dialogue: 0,0:44:44.36,0:44:52.42,Default,,0000,0000,0000,,[Question] So if there is a couple of other\Nenvironment variables that could be set
Dialogue: 0,0:44:52.42,0:44:59.24,Default,,0000,0000,0000,,in the environment to increase\Nreproducibility, where to put them?
Dialogue: 0,0:44:59.24,0:45:07.74,Default,,0000,0000,0000,,In the rules file? Or in the generic build\Nenvironment of all packages, or where
Dialogue: 0,0:45:07.74,0:45:09.68,Default,,0000,0000,0000,,should these things be placed?
Dialogue: 0,0:45:13.44,0:45:20.00,Default,,0000,0000,0000,,[Lamby] It'd be nice if upstream fixed it,\Nso if we just change it in debian/rules
Dialogue: 0,0:45:20.00,0:45:28.62,Default,,0000,0000,0000,,that's just only helping us, so often take\Nit upstream, would be the ideal solution.
Dialogue: 0,0:45:28.62,0:45:30.63,Default,,0000,0000,0000,,Are you referring to something else?
Dialogue: 0,0:45:31.90,0:45:40.13,Default,,0000,0000,0000,,[Question] For example many hashmaps have\Nrandomized data in the hash function, so if
Dialogue: 0,0:45:40.13,0:45:46.96,Default,,0000,0000,0000,,you have some code that relies on hash\Norder, at least some implementations of
Dialogue: 0,0:45:46.96,0:45:56.99,Default,,0000,0000,0000,,hash functions are leaving them be seeded\Nrather than using something random for
Dialogue: 0,0:45:56.99,0:46:02.68,Default,,0000,0000,0000,,a build thing, but you want the randomness\Nin your hash functions for normal users
Dialogue: 0,0:46:02.68,0:46:10.94,Default,,0000,0000,0000,,because else your hashmaps get open\Nto attacks.
Dialogue: 0,0:46:12.30,0:46:13.82,Default,,0000,0000,0000,,[Lamby] Correct, yes.
Dialogue: 0,0:46:16.26,0:46:21.57,Default,,0000,0000,0000,,[Lunar] In these cases we send patches\Nadding sort everywhere for the keys and
Dialogue: 0,0:46:21.57,0:46:27.74,Default,,0000,0000,0000,,it's solved. For very few cases, for Perl for\Nexample you can set and environment
Dialogue: 0,0:46:27.74,0:46:33.26,Default,,0000,0000,0000,,variable and some maintainers prefer to do\Nthat. But usually we try to push these
Dialogue: 0,0:46:33.26,0:46:35.90,Default,,0000,0000,0000,,changes upstream, because they are simple\Nenough and they like it.
Dialogue: 0,0:46:35.90,0:46:38.94,Default,,0000,0000,0000,,Actually it makes testing easier to them.
Dialogue: 0,0:46:42.26,0:46:45.14,Default,,0000,0000,0000,,There was one in the back, there.
Dialogue: 0,0:46:53.28,0:46:56.11,Default,,0000,0000,0000,,[Lunar] That's the last question
Dialogue: 0,0:46:56.34,0:46:59.80,Default,,0000,0000,0000,,[Question] Follow up question to what we\Nhad here before.
Dialogue: 0,0:46:59.80,0:47:10.04,Default,,0000,0000,0000,,You showed an open bug report against gcc\Nto support SOURCE{\u1}DATE{\u0}EPOCH to cover
Dialogue: 0,0:47:10.04,0:47:20.40,Default,,0000,0000,0000,,the mdate and mtime timestamps, so I have\Npatches to patch them out in my packages.
Dialogue: 0,0:47:20.40,0:47:24.36,Default,,0000,0000,0000,,Should I remove those patches and if so,\Nwhen?
Dialogue: 0,0:47:26.36,0:47:30.16,Default,,0000,0000,0000,,[Lunar] Have you seen any more emails\Nfrom the gcc maintainers?
Dialogue: 0,0:47:33.90,0:47:39.90,Default,,0000,0000,0000,,[Dhole] The mail is forgotten, I guess we\Nshould ping it again, and see if they
Dialogue: 0,0:47:39.90,0:47:49.50,Default,,0000,0000,0000,,reply, because what I read from the gcc\Nwebsite is that only the replies from
Dialogue: 0,0:47:49.50,0:47:54.86,Default,,0000,0000,0000,,maintainers are the ones that matter, and\NI think no maintainer replied to the
Dialogue: 0,0:47:54.86,0:47:58.16,Default,,0000,0000,0000,,message, so we should ping again.
Dialogue: 0,0:47:59.48,0:48:02.56,Default,,0000,0000,0000,,[Question] That was just an example, my\Nquestion was more general.
Dialogue: 0,0:48:02.56,0:48:08.82,Default,,0000,0000,0000,,At which time should I remove my patches\Nto fix things which were fixed higher up
Dialogue: 0,0:48:08.82,0:48:12.42,Default,,0000,0000,0000,,in the toolchain? Or should I just leave\Nthem in there?
Dialogue: 0,0:48:13.08,0:48:14.22,Default,,0000,0000,0000,,[Holger] Once they are in Sid.
Dialogue: 0,0:48:15.13,0:48:16.66,Default,,0000,0000,0000,,[Question] Ok thanks!
Dialogue: 0,0:48:18.26,0:48:20.04,Default,,0000,0000,0000,,[Lunar] Ok, I guess we're out of time.
Dialogue: 0,0:48:20.26,0:48:22.24,Default,,0000,0000,0000,,Thank you for listening.
Dialogue: 0,0:48:22.66,0:48:25.90,Default,,0000,0000,0000,,[Applause]
Dialogue: 0,0:48:25.90,0:48:28.86,Default,,0000,0000,0000,,[Lunar] Fix your packages!