I'm here today to talk to you about diffoscope and how you can use it as a better diff or for Quality Assurance, etc., things like that.

Moin! Apparently that's like a North German thing to say "welcome". North German, north Denmark, Scandinavia, that kind of thing, I'm told. People are shaking their head, so I'm going to assume that's true.

This is my first PC, an IBM 5155. Sometimes, when you rebooted it, it would launch into, it would somehow revert from booting from the hard disk to booting from a BASIC ROM, as in the programming language ROM. It was on my motherboard for some reason. So, randomly, you just get a chance to program in BASIC and then, sometimes you wouldn't, I don't know why, but… yeah. It's quite fun with this kind of clicky keyboard, and that folded in and it was this kind of big desk thing. Anyway…

This is my first Debian. At the time it was already old. What's this one? Is this Slink? 2.2? Yeah. And this is when we had US and non-US, so that's really dating if you remember that.

This is my first contribution to Debian, 19th December 2006, sending a patch to lilypond which is kind of interesting and the response was "Oh yeah, rock on, many thanks. I'll upload this and it'll be landing to Etch". And this was super motivating because Etch was just coming out and it was like "Great, I've got let one line of tiny patch in a release. This is super cool." Thomas' response was super motivating. So, after that, like that Christmas basically spent ??? Debian webpages and stuff. Very well timed. That's kind of a good… You know, someone sends a patch, be like "Cool, thanks". Like a little notice in the changelog. It was, you know, so stupid but… Yeah, do that kind of thing.

So, moving on. Why diffoscope? Why did we write diffoscope? What's the background here? It comes from reproducible builds.

The very quick outline is that once you get the source code for free software, you download the source code for nginx or whatever, pretty much everyone just runs binaries on their servers or their systems. You know, "apt install bla", "yum install", whatever. Android Play Store, whatever. Can you actually trust whether these two things correspond with each other? You've gotten the source code, it looks alright, and then you install this binary, yeah… Who generated that? Can you trust that ??? Can you trust who generated it? Even if you could trust them, could you trust them not to be exploited? Etc.