I'm here today to talk to you about
diffoscope
and how you can use it as a better diff
or for Quality Assurance, etc., things
like that.
Moin!
Apparently that's like a North German
thing to say "welcome".
North German, north Denmark, Scandinavia,
that kind of thing, I'm told.
People are shaking their head, so I'm
going to assume that's true.
This is my first PC, an IBM 5155.
Sometimes, when you rebooted it, it would
launch into, it would somehow revert
from booting from the hard disk to booting
from a BASIC ROM,
as in the programming language ROM.
It was on my motherboard for some reason.
So, randomly, you just get a chance to
program in BASIC and then,
sometimes you wouldn't, I don't know why,
but… yeah.
It's quite fun with this kind of clicky
keyboard, and that folded in
and it was this kind of big desk thing.
Anyway…
This is my first Debian.
At the time it was already old.
What's this one? Is this Slink? 2.2?
Yeah.
And this is when we had US and non-US,
so that's really dating if you remember that.
This is my first contribution to Debian,
19th December 2006,
sending a patch to LilyPond which is kind
of interesting
and the response was "Oh yeah, rock on,
many thanks. I'll upload this and
it'll be landing to Etch".
And this was super motivating because
Etch was just coming out and it was like
"Great, I've got let one line of tiny patch
in a release. This is super cool."
Thomas' response was super motivating.
So, after that, like that Christmas
basically spent ???
Debian webpages and stuff.
Very well timed.
That's kind of a good…
You know, someone sends a patch, be like
"Cool, thanks"
Like a little notice in the changelog.
It was, you know, so stupid but…
Yeah, do that kind of thing.
So, moving on.
Why diffoscope?
Why did we write diffoscope?
What's the background here?
It comes from reproducible builds.
The very quick outline is that once you
get the source code for free software,
you download the source code for nginx
or whatever,
pretty much everyone just runs binaries
on their servers or their systems.
You know, "apt install bla", "yum install",
whatever.
Android Play Store, whatever.
Can you actually trust whether these two
things correspond with each other?
You've gotten the source code, it looks
alright, and then you install this binary,
yeah…
Who generated that? Can you trust that
???
Can you trust who generated it?
Even if you could trust them, could you
trust them not to be exploited? Etc.