Re: Which conferences are folks attending these days?

2024-04-18 Thread Santiago Torres-Arias
Hi, Nowadays I tend to attend LF-managed confs. I don't think there's 100% overlap with e.g., FOSDEM attendees but they tend to fill a niche. In theory there's "SupplyChainSecurityCon" there, which I think does pull in a bunch of people. I've heard positive stuff about OSS Summit this year

Re: Why is not everything reproducible yet?

2024-02-14 Thread Santiago Torres-Arias
On Wed, Dec 20, 2023 at 09:42:53AM +0100, Bernhard M. Wiedemann via rb-general wrote: > Sometimes people wonder: > Why is not everything reproducible yet? > > And the general reason is that there are other interests that result in > added non-determinism. > I collected some with examples > >

[Call for Papers] SCORED Workshop

2022-06-30 Thread Santiago Torres-Arias
Hello all, I've been organizing an academic workshop around software supply chain security: The ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED '22). It is co-located with the Computer and Communications Security conference, also from the ACM. The goal is

Re: Making reproducible builds & GitBOM work together in spite of low-level component variation

2022-06-22 Thread Santiago Torres-Arias
On Wed, Jun 22, 2022 at 12:28:51PM -0700, Vagrant Cascadian wrote: > On 2022-06-22, Vagrant Cascadian wrote: > > On 2022-06-22, David A. Wheeler wrote: > >> GitBOM is explained at . As they explain it, its > >> purpose is to: > >>• Build a compact Artifact Dependency

Re: translations for the r-b.o website

2022-06-08 Thread Santiago Torres-Arias
On Wed, Jun 08, 2022 at 07:30:28PM +0200, Mattia Rizzolo wrote: > Hi, > > some time ago somebody worked on supporting l10n in the > reproducible-builds.org website, and integrated it with weblate, and > everything. > > Now we have this open MR >

Re: RBSummit 2022! Tentative planning dates

2022-06-06 Thread Santiago Torres-Arias
I voted! I don't know how to put this note anywhere but, please consider my vote "less", as I still don't know if I'll fix my visa by then... Thanks, -Santiago On Sat, Jun 04, 2022 at 12:30:33PM +0200, Mattia Rizzolo wrote: > Please remember to take part in this survey! > > We are going to

Re: The Open Source Software Security Mobilization Plan

2022-05-26 Thread Santiago Torres Arias
On Wed, May 25, 2022 at 02:00:18PM +0100, Chris Lamb wrote: > Hey Larry, > > > [..] I am listed as a reviewer I believe. I pushed for a bunch of technologies (reprobuilds included, + in-toto and TUF) but I don't think I had much of a say what goes in, but rather what was technically wrong. I

Re: Help us map the reproducible builds ecosystem

2021-08-05 Thread Santiago Torres-Arias
On Thu, Aug 05, 2021 at 09:42:27PM +0200, Bernhard M. Wiedemann wrote: > > > On 05/08/2021 17.18, Santiago Torres-Arias wrote: > > Part of what I'm hoping is to involve r-b within IronHacks in > > the foreseeable future: so as to encourage a hackathon on finding and > >

Re: Help us map the reproducible builds ecosystem

2021-08-05 Thread Santiago Torres-Arias
Hi! I realized I went a little bit on the verbose side, I may have also weaved in a little bit "beyond" r-b, so apologies if I diverge too much. > On 8/2/21 10:20 AM, Santiago Torres Arias wrote: > > On Mon, Aug 02, 2021 at 09:42:16AM -0700, Allen Gunn wrote: > >> Th

Re: Help us map the reproducible builds ecosystem

2021-08-02 Thread Santiago Torres Arias
On Mon, Aug 02, 2021 at 09:42:16AM -0700, Allen Gunn wrote: > Thanks Santiago. Can you share what department or school at Purdue is > doing this work? Most definitely! It's my lab (TSEL) at Purdue's Electrical and Computer Engineering Department :) I'm also trying to get other parts of the

Re: Help us map the reproducible builds ecosystem

2021-08-02 Thread Santiago Torres Arias
On Mon, Aug 02, 2021 at 11:07:21AM +0100, Chris Lamb wrote: > Hey, > > > In order to better grow and understand the Reproducible Builds project > > and community, a handful of us are in the process of building an > > "ecosystem map". > > Thanks to everyone who contributed to this so far. I've

Re: Possible new category for non-reproducible builds: --build-id=sha1

2021-04-24 Thread Santiago Torres Arias
My Bad, I meant to link to: https://tests.reproducible-builds.org/debian/issues/unstable/build_id_variation_requiring_further_investigation_issue.html Cheers! -Santiago On Sat, Apr 24, 2021 at 04:52:08PM -0400, Santiago Torres Arias wrote: > On Sat, Apr 24, 2021 at 05:59:07PM +0200, Rol

Re: Possible new category for non-reproducible builds: --build-id=sha1

2021-04-24 Thread Santiago Torres Arias
On Sat, Apr 24, 2021 at 05:59:07PM +0200, Roland Clobus wrote: > Hello list, > > I've looked the reproducible report for apt-cacher-ng [1]. > It looks like it is caused by a linker flag: -Wl,--build-id=sha1 > > I did not see a category for this type of difference. There are 31 > packages [2]

Re: Please review the draft for March's report

2021-04-06 Thread Santiago Torres-Arias
> Thanks! > > Where are those edits? I don't see them in reproducible-website.git or in > your reply. Oh, I just pushed, my bad (I wanted to double check it rendered properly locally and I went down a rabbit hole of fixing my gen environment...). Let me know if this helps... > > > I wasn't

Re: Please review the draft for March's report

2021-04-06 Thread Santiago Torres-Arias
> I think mentioning sigstore is value. Reproducible builds let you verify that > a given build *is* generated from a given source; sigstore can let you > verify that you got the *correct* source or build. I think mentioning sigstore is a good idea (Full disclosure, I'm involved in the effort),

Re: Reproducible Builds at Threema

2020-12-30 Thread Santiago Torres-Arias
On Wed, Dec 30, 2020 at 04:58:31PM +0100, Danilo wrote: > Hello RB Folks > Hello! > General feedback regarding the current RB setup for the Android app is > welcome too of course! I know that Briar[1] has a very reprobuilds setup[2]. I was very, very (ever so slightly) involved. Cheers!

Re: Attack on SolarWinds could have been countered by reproducible builds

2020-12-21 Thread Santiago Torres-Arias
Hello. On Thu, Dec 17, 2020 at 07:33:11PM -0500, David A. Wheeler wrote: > All: > > There’s been a recently-revealed attack on the SolarWinds product “Orion", a > Network Management System (NMS). This software is widely used and thus this > attack is extremely concerning. > > According to

Re: resuming regular r-b IRC meetings

2020-09-25 Thread Santiago Torres-Arias
> > To find a day and a time for the 1st meeting I've made a > > https://dudle.inf.tu-dresden.de/bYLa5qDzxg/ - please share your preferences > > there until Tuesday, the 29th, so I can announce the date on the 30th > > of September, so at least a week before the 1st meeting. > > > > I'm curious

Re: openorienteering-mapper FTBFS

2020-07-05 Thread Santiago Torres Arias
This is a hail-mary, but: > 2: WARNING: PolygonTest::testJoins(simple joins) testdata > data/PolygonTest1-sample.png could not be located! Curious, is this file missing on the local build as well? Cheers! -Santiago

Re: Reproducible Builds Verification Format

2020-05-16 Thread Santiago Torres-Arias
> > I'm mainly arguing that if we introduce a new concept/file format (the rbvf > > proposed above), we should be careful it won't prevent us from doing > > useful things (like indeed running multiple separate builds of the same > > package at the same time, or running a 'rebuild' without access

Re: Reproducible Builds Verification Format

2020-05-12 Thread Santiago Torres Arias
On Tue, May 12, 2020 at 11:00:41AM -1000, Paul Spooren wrote: > Hi all, > > at the RB Summit 2019 in Marrakesh there were some intense discussions about > *rebuilders* and a *verification format*. While first discussed only with > participants of the summit, it should now be shared with a broader

[Disorderfs 0.5.9] doesn't pass signature verification

2020-04-19 Thread Santiago Torres-Arias
Hi, I tried to build disorderfs for Arch, and it seems to me that the tar.gz in [1] doesn't pass signature verification: [santiago@meme-cluster trunk]$ gpg --verify disorderfs-0.5.9.tar.gz disorderfs-0.5.9.tar.gz.asc gpg: Signature made Thu 16 Apr 2020 06:19:16 AM EDT gpg:

Re: make reproducible-builds.org translatable?

2020-04-14 Thread Santiago Torres-Arias
On Tue, Apr 14, 2020 at 11:55:39AM +0200, Hans-Christoph Steiner wrote: > > Hey all, > > Guardian Project currently working making translation of Markdown-based > websites work much better, particularly focused on Weblate as the > translation platform. If people thought it was a good idea, we

Diffoscope 139 not on the website?

2020-04-07 Thread Santiago Torres Arias
Hi, I've been waiting for Diffoscope 139 to make it to [1]. It's been a couple of days since it was tagged on the vcs, but it hasn't been signed and moved over there. Is this url not used anymore? Thanks, -Santiago [1] https://diffoscope.org/archive/

Re: [rb-general] help needed: twitter irc bot down

2020-01-15 Thread Santiago Torres Arias
On Wed, Jan 15, 2020 at 07:05:42PM +, Holger Levsen wrote: > hi, > > as you might have noticed, ReproBird, our friendly irc bot relaying > messages concerning reproducible builds from twitter and also allowing > us to post there, is down. > > Lunar, who thankfully has been operating it for

Re: [rb-general] What is the goal of reproducible builds?

2019-12-09 Thread Santiago Torres-Arias
On Mon, Dec 09, 2019 at 03:08:28PM +, Orians, Jeremiah (DTMB) wrote: > > I'm not absolutely convinced that reproducible builds does not help with > > the trusting trust attack. > Well one wouldn't want to help the trusting trust attack, one tries to defend > one's self against it If you

Re: [rb-general] What is the goal of reproducible builds?

2019-12-09 Thread Santiago Torres-Arias
On Mon, Dec 09, 2019 at 01:44:11PM +, Orians, Jeremiah (DTMB) wrote: > > TLDR: > > The goal of reproducible builds is to reduce the likelihood of running > > software that was corrupted (during build) > > Absolutely correct. > For those that worry about the trusting trust attack, we have

Re: [rb-general] Interested In Reproducible Builds Summit 2019

2019-09-19 Thread Santiago Torres Arias
Hi Omar. I don't speak for the whole team, but I think we'd be thrilled to see a preprint of your approach. Speaking as a researcher from NYU I'd like to add that the reproducible builds community is great to work with, and that engaging with them head on is a great idea. I'm not sure if the

Re: [rb-general] Reproducible builds and distributed CI

2019-08-12 Thread Santiago Torres-Arias
On Sun, Aug 11, 2019 at 12:06:41PM +0300, Lars Wirzenius wrote: > Thank you for your thoughtful feedback! > > I've been pondering this topic again. It's important to me (meaning > that this is part of my main hobby project), but due to life reasons, > it's not an urgent one for me. > > I came up