WEBVTT

99:59:59.999 --> 99:59:59.999
I'm here today to talk to you about diffoscope

99:59:59.999 --> 99:59:59.999
and how you can use it as a better diff

99:59:59.999 --> 99:59:59.999
or for Quality Assurance, etc., things like that.

99:59:59.999 --> 99:59:59.999
Moin!

99:59:59.999 --> 99:59:59.999
Apparently that's like a North German thing to say "welcome".

99:59:59.999 --> 99:59:59.999
North German, north Denmark, Scandinavia, that kind of thing, I'm told.

99:59:59.999 --> 99:59:59.999
People are shaking their head, so I'm going to assume that's true.

99:59:59.999 --> 99:59:59.999
This is my first PC, an IBM 5155.

99:59:59.999 --> 99:59:59.999
Sometimes, when you rebooted it, it would launch into, it would somehow revert

99:59:59.999 --> 99:59:59.999
from booting from the hard disk to booting from a BASIC ROM,

99:59:59.999 --> 99:59:59.999
as in the programming language ROM.

99:59:59.999 --> 99:59:59.999
It was on my motherboard for some reason.

99:59:59.999 --> 99:59:59.999
So, randomly, you just get a chance to program in BASIC and then,

99:59:59.999 --> 99:59:59.999
sometimes you wouldn't, I don't know why, but… yeah.

99:59:59.999 --> 99:59:59.999
It's quite fun with this kind of clicky keyboard, and that folded in

99:59:59.999 --> 99:59:59.999
and it was this kind of big desk thing.

99:59:59.999 --> 99:59:59.999
Anyway…

99:59:59.999 --> 99:59:59.999
This is my first Debian.

99:59:59.999 --> 99:59:59.999
At the time it was already old.

99:59:59.999 --> 99:59:59.999
What's this one? Is this Slink? 2.2? Yeah.

99:59:59.999 --> 99:59:59.999
And this is when we had US and non-US, so that's really dating if you remember that.

99:59:59.999 --> 99:59:59.999
This is my first contribution to Debian, 19th December 2006,

99:59:59.999 --> 99:59:59.999
sending a patch to lilypond which is kind of interesting

99:59:59.999 --> 99:59:59.999
and the response was "Oh yeah, rock on, many thanks. I'll upload this and

99:59:59.999 --> 99:59:59.999
it'll be landing to Etch".

99:59:59.999 --> 99:59:59.999
And this was super motivating because Etch was just coming out and it was like

99:59:59.999 --> 99:59:59.999
"Great, I've got let one line of tiny patch in a release. This is super cool."

99:59:59.999 --> 99:59:59.999
Thomas' response was super motivating.

99:59:59.999 --> 99:59:59.999
So, after that, like that Christmas basically spent ???

99:59:59.999 --> 99:59:59.999
Debian webpages and stuff.

99:59:59.999 --> 99:59:59.999
Very well timed.

99:59:59.999 --> 99:59:59.999
That's kind of a good…

99:59:59.999 --> 99:59:59.999
You know, someone sends a patch, be like "Cool, thanks"

99:59:59.999 --> 99:59:59.999
Like a little notice in the changelog.

99:59:59.999 --> 99:59:59.999
It was, you know, so stupid but… Yeah, do that kind of thing.

99:59:59.999 --> 99:59:59.999
So, moving on.

99:59:59.999 --> 99:59:59.999
Why diffoscope? Why did we write diffoscope?

99:59:59.999 --> 99:59:59.999
What's the background here?

99:59:59.999 --> 99:59:59.999
It comes from reproducible builds.

99:59:59.999 --> 99:59:59.999
The very quick outline is that once you get the source code for free software,

99:59:59.999 --> 99:59:59.999
you download the source code for nginx or whatever,

99:59:59.999 --> 99:59:59.999
pretty much everyone just runs binaries on their servers or their systems.

99:59:59.999 --> 99:59:59.999
You know, "apt install bla", "yum install", whatever.

99:59:59.999 --> 99:59:59.999
Android Playstore, whatever.

99:59:59.999 --> 99:59:59.999
Can you actually trust whether these two things correspond with each other?

99:59:59.999 --> 99:59:59.999
You've gotten the source code, it looks alright, and then you install this binary,

99:59:59.999 --> 99:59:59.999
yeah…

99:59:59.999 --> 99:59:59.999
Who generated that? Can you trust that ???

99:59:59.999 --> 99:59:59.999
Can you trust who generated it?

99:59:59.999 --> 99:59:59.999
Even if you could trust them, could you trust them not to be exploited? Etc.