Re: Please review the draft for March's report
Holger Levsen wrote:

> On Wed, Apr 10, 2024 at 10:02:56AM -0400, David A. Wheeler via rb-general
> wrote:
>> I agree, this one is HUGE news. There's been a lot of awesome work related
>> to reproducible builds, but "minimal container userland is a 100%
>> reproducible build in a real-world widely-used distro" is a big step forward
>> and should be widely announced.
>
> agreed.
>
> I also think the news about Vagrant helping Debian to confirm the xz related
> builds have been fine, deserves a bigger headline.

Thank you for all the feedback so far. Unless someone makes these
changes to the draft themselves, I will attend to this (and all the
other critiques here and on Salsa) before publishing.

Best wishes,

-- 
      o
    ⬋   ⬊      Chris Lamb
   o     o     reproducible-builds.org
    ⬊   ⬋
      o
Re: Please review the draft for March's report
On Wed, Apr 10, 2024 at 10:02:56AM -0400, David A. Wheeler via rb-general wrote:
> I agree, this one is HUGE news. There's been a lot of awesome work related to
> reproducible builds, but "minimal container userland is a 100% reproducible
> build in a real-world widely-used distro" is a big step forward and should be
> widely announced.

agreed.

I also think the news about Vagrant helping Debian to confirm the xz related
builds have been fine, deserves a bigger headline.

-- 
cheers,
        Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

You cannot ban abortion. You can only ban safe abortions.
Re: Please review the draft for March's report
> On Apr 10, 2024, at 7:42 AM, kpcyrd wrote:
>
> On 4/10/24 12:58 PM, Chris Lamb wrote:
>> https://reproducible-builds.org/reports/2024-03/?draft
>
> > Reproducible builds developer kpcyrd reported that the Arch Linux
> > "minimal container userland" is now 100% reproducible after work by
> > developers dvzv and Foxboron on the one remaining package. The post, which
> > kpcyrd suffixed with the question "now what?", continues on to outline some
> > potential next steps, including validating whether the container image
> > itself could be reproduced bit-for-bit. The post generated a significant
> > number of replies.
>
> Thanks for the kind words :) maybe it should be listed higher though, in its
> own section, as "major accomplishment within the community"?

I agree, this one is HUGE news. There's been a lot of awesome work related to
reproducible builds, but "minimal container userland is a 100% reproducible
build in a real-world widely-used distro" is a big step forward and should be
widely announced. Like press release level.

I routinely hear "reproducible builds are impractical". Yes, in some cases
they're hard, but clearly there are cases where it's practical.

--- David A. Wheeler
Re: Please review the draft for March's report
On 4/10/24 12:58 PM, Chris Lamb wrote:
> https://reproducible-builds.org/reports/2024-03/?draft

> Reproducible builds developer kpcyrd reported that the Arch Linux
> "minimal container userland" is now 100% reproducible after work by
> developers dvzv and Foxboron on the one remaining package. The post, which
> kpcyrd suffixed with the question "now what?", continues on to outline some
> potential next steps, including validating whether the container image
> itself could be reproduced bit-for-bit. The post generated a significant
> number of replies.

Thanks for the kind words :) maybe it should be listed higher though, in its
own section, as "major accomplishment within the community"?

It's also missing both the backseat-signed tool and the discussion in its
thread that highlights the idea of "maybe we should put unmodified git
snapshots into .orig.tar.xz instead of allowing undocumented pre-processing",
for the security properties this would have.

Unfortunately the repo of the project is currently difficult to clone, I've
put 60MB of test data into git LFS, but GitHub only grants 1GB of traffic on
free tier, allowing about 16 clones. The files can currently not be downloaded
because I'd need to buy data packs.

I also didn't have any time to continue the email thread, however I think I
have made all my points sufficiently clear, for the people reading the thread
in the future.

There's currently a similar discussion on Hacker News:

https://news.ycombinator.com/item?id=39988269

Thanks!
Please review the draft for March's report
Hi all,

Sorry for the delay in getting this out — it was, quite genuinely, a
bumper amount of things that needed condensing, rewriting and generally
getting into readable shape.

Anyway, if folks would be so kind as to review the draft for last month's
report here:

  https://reproducible-builds.org/reports/2024-03/?draft

… or, via the Git repository itself:

  https://salsa.debian.org/reproducible-builds/reproducible-website/blob/master/_reports/2024-03.md

I intend to publish it no earlier than:

  $ date -d 'Thu, 11 Apr 2024 17:30:00 +0100'

  https://time.is/compare/1730_11_Apr_2024_in_BST

§

As ever, please feel free and commit/push to drafts directly without
the overhead of sending patches or merge requests. You should make
your changes to the "_reports/2024-03.md" file in the
"reproducible-website" repository:

  $ git clone https://salsa.debian.org/reproducible-builds/reproducible-website
  $ cd reproducible-website
  $ sensible-editor _reports/2024-03.md

I am happy to reword and/or rework additions prior to publishing. If
you currently do not have access to the above repository, you can
request access by following the instructions at:

  https://reproducible-builds.org/contribute/salsa/

Regards,

-- 
      o
    ⬋   ⬊      Chris Lamb
   o     o     reproducible-builds.org
    ⬊   ⬋
      o