[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I'm here today to talk to you about\Ndiffoscope
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and how you can use it as a better diff
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,or for Quality Assurance, etc., things\Nlike that.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Moin!
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Apparently that's like a North German\Nthing to say "welcome".
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,North German, north Denmark, Scandinavia,\Nthat kind of thing, I'm told.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,People are shaking their heads, so I'm\Ngoing to assume that's true.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This is my first PC, an IBM 5155.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Sometimes, when you rebooted it, it would\Nlaunch into, it would somehow revert
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,from booting from the hard disk to booting\Nfrom a BASIC ROM,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,as in the programming language ROM.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It was on my motherboard for some reason.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So, randomly, you just get a chance to\Nprogram in BASIC and then,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,sometimes you wouldn't, I don't know why,\Nbut… yeah.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It's quite fun with this kind of clicky\Nkeyboard, and that folded in
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and it was this kind of big desk thing.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Anyway…
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This is my first Debian.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,At the time it was already old.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,What's this one? Is this Slink? 2.2?\NYeah.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,And this is when we had US and non-US,\Nso that's really dating if you remember that.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This is my first contribution to Debian,\N19th December 2006,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,sending a patch to LilyPond, which is kind\Nof interesting,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and the response was "Oh yeah, rock on,\Nmany thanks. I'll upload this and
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it'll be landing in Etch".
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,And this was super motivating because\NEtch was just coming out and it was like
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,"Great, I've got, like, one line of tiny patch\Nin a release. This is super cool."
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Thomas' response was super motivating.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So, after that, like that Christmas\Nbasically spent ???
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Debian webpages and stuff.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Very well timed.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,That's kind of a good…
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,You know, someone sends a patch, be like\N"Cool, thanks"
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Like a little notice in the changelog.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It was, you know, so stupid but…\NYeah, do that kind of thing.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So, moving on.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Why diffoscope?\NWhy did we write diffoscope?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,What's the background here?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It comes from reproducible builds.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The very quick outline is that once you\Nget the source code for free software,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,you download the source code for nginx\Nor whatever,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,pretty much everyone just runs binaries\Non their servers or their systems.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,You know, "apt install bla", "yum install",\Nwhatever.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Android Play Store, whatever.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Can you actually trust whether these two\Nthings correspond with each other?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,You've gotten the source code, it looks\Nalright, and then you install this binary,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,yeah…
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Who generated that? Can you trust that\Nprocess?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Can you trust who generated it?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Even if you could trust them, could you\Ntrust them not to be exploited? Etc.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This is a big problem because you can\Nexploit a build farm and then
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,obviously exploit all of that, you know,\Na trojan into the build farm,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so every single binary that comes out\Nis compromised.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Kind of problematic.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,You could also target individual developers'\Nmachines,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so I could go off to, say, your machine,\Nadd a backdoor to it,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so every binary that you give to friends\Nand things like that
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,is compromised in some way, stealing\Nyour bitcoins or whatever.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I can also ???\Nand blackmail you into producing
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,software that has compromises or extra\Nfeatures, shall we say,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that don't exist in the source code.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So what will happen there is that you'd\Nrelease your source
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and the binaries you produce have\Nthis sort of backdoor that, you know,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,someone is forcing you into producing.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So, you don't want to do that.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Anyway,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,enough of that.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,What you do for reproducible builds is you\Nensure that every time you build
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,a piece of software, you get an identical\Nresult.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Multiple people then compare their builds\Nand check whether they all get
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,the same results
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and this means that an attacker must\Neither have infected everyone
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,at the same time, or they haven't\Ninfected anyone.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The point here is that you have to ensure\Nthat builds have identical results.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Ok, great.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So, we started the reproducible builds\Nproject, etc.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,And we build 2 debs.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Oh, I'm sorry about the colors there.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,You probably can't see that.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,That says "sha1sum a.deb b.deb".
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Anyway, we're comparing the sha1sums\Nof 2 binary Debian files.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So, these two files differ.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Ok, they're not reproducible.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Why is that?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So we run a diff on them.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Yeah…
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So, what can we learn from this?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Well, not very much, visibly they're\Ncompressed so
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,as soon as we see one change, we'll see\Nthey would just cascade changes
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because that's how compression works.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I guess we know it's a deb ???\Nformat file, not very useful.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Ok, great so we're gonna have a look in
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We'll do a binary diff and ok, well…
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Again, that's not really telling us\Nvery much
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,with the diff there.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Ok, great.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,???
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,"ar x" is on the new maintainer thing,\N"how you unpack a deb"
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Everyone remembers this, right?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,You unpack a.deb with "ar x" and you\Ndo that to b.deb
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and then we diff the results of that.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Ok, so… yeah, 7zip.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Ok, compressed content, not very useful.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Ok, so let's unpack the control.tar inside\Nthese debs.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,And then we run diff on that.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Still not really telling anything useful\Nabout how to make this package reproducible.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So let's unpack the tar.xz into the tar.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Inside that tar, there's a file called\Nmd5sums and we start to see some differences
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,between some files in these two debs.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,??? meaningful, so now\Nwe have some idea that
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it has something to do with this\Nusr/bin/pmixer binary.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Ok, interesting.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We'll unzip that and then we do a diff on\Npmixer itself.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Now we're back into just binary\N??? mode.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This isn't very helpful and this is taking\Nquite a while
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and if I remember correctly, Debian has\Na lot of packages.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So this might take a little while.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So, basically, ??? meme
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I should build a better diff.