I'm here today to talk to you about diffoscope and how you can use it as a better diff or for Quality Assurance, etc., things like that. Moin! Apparently that's like a North German thing to say "welcome". North German, north Denmark, Scandinavia, that kind of thing, I'm told. People are shaking their head, so I'm going to assume that's true.
This is my first PC, an IBM 5155. Sometimes, when you rebooted it, it would launch into, it would somehow revert from booting from the hard disk to booting from a BASIC ROM, as in the programming language ROM. It was on my motherboard for some reason. So, randomly, you just get a chance to program in BASIC and then, sometimes you wouldn't, I don't know why, but… yeah. It's quite fun with this kind of clicky keyboard, and that folded in and it was this kind of big desk thing. Anyway…
This is my first Debian. At the time it was already old. What's this one? Is this Slink? 2.2? Yeah. And this is when we had US and non-US, so that's really dating if you remember that.
This is my first contribution to Debian, 19th December 2006, sending a patch to LilyPond, which is kind of interesting, and the response was "Oh yeah, rock on, many thanks. I'll upload this and it'll be landing to Etch". And this was super motivating because Etch was just coming out and it was like "Great, I've got, like, one line of tiny patch in a release. This is super cool." Thomas' response was super motivating. So, after that, like that Christmas basically spent ??? Debian webpages and stuff. Very well timed. That's kind of a good… You know, someone sends a patch, be like "Cool, thanks." Like a little notice in the changelog. It was, you know, so stupid but… Yeah, do that kind of thing.
So, moving on. Why diffoscope? Why did we write diffoscope? What's the background here? It comes from reproducible builds.
The very quick outline is that once you get the source code for free software, you download the source code for nginx or whatever, pretty much everyone just runs binaries on their servers or their systems. You know, "apt install bla", "yum install", whatever. Android Play Store, whatever. Can you actually trust whether these two things correspond with each other? You've gotten the source code, it looks alright, and then you install this binary, yeah… Who generated that? Can you trust that ??? Can you trust who generated it? Even if you could trust them, could you trust them not to be exploited? Etc.