[Reproducible-builds] [presentations] 01/01: Add first version of the FOSDEM14 presentation

Jérémy Bobbio lunar at moszumanska.debian.org
Sun Jan 19 14:13:29 UTC 2014


This is an automated email from the git hooks/post-receive script.

lunar pushed a commit to branch master
in repository presentations.

commit d291c0821bd68b244434858a94020bb4272b05a2
Author: Jérémy Bobbio <lunar at debian.org>
Date:   Sun Jan 19 15:12:29 2014 +0100

    Add first version of the FOSDEM14 presentation
---
 2014-02-01-FOSDEM14/2014-02-01-FOSDEM14-header.tex |   0
 2014-02-01-FOSDEM14/2014-02-01-FOSDEM14.mdwn       | 253 +++++++++++++++++++++
 2014-02-01-FOSDEM14/2014-02-01-FOSDEM14.pdf        | Bin 0 -> 189027 bytes
 2014-02-01-FOSDEM14/Makefile                       |  28 +++
 2014-02-01-FOSDEM14/images/tor-blog.png            | Bin 0 -> 135486 bytes
 5 files changed, 281 insertions(+)

diff --git a/2014-02-01-FOSDEM14/2014-02-01-FOSDEM14-header.tex b/2014-02-01-FOSDEM14/2014-02-01-FOSDEM14-header.tex
new file mode 100644
index 0000000..e69de29
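Review bot: `2014-02-01-FOSDEM14-header.tex` is added as an empty file (blob e69de29) even though the Makefile in this same commit hands it to pandoc through `--include-in-header=$(PRESENTATION)-header.tex`; if it is meant as a placeholder for later beamer preamble additions, a single comment line such as `% extra beamer preamble goes here` would make that intent visible and distinguish it from an accidental `touch`.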
diff --git a/2014-02-01-FOSDEM14/2014-02-01-FOSDEM14.mdwn b/2014-02-01-FOSDEM14/2014-02-01-FOSDEM14.mdwn
new file mode 100644
index 0000000..4c04e4b
--- /dev/null
+++ b/2014-02-01-FOSDEM14/2014-02-01-FOSDEM14.mdwn
@@ -0,0 +1,253 @@
+% Reproducible builds for Debian… and more?
+% Lunar \<lunar at debian.org\>
+% 2014-02-01 FOSDEM’14
+
+What are reproducible builds?
+-----------------------------
+
+\begin{center}
+\Large
+“reproducible” builds
+enable anyone to reproduce the exact same
+binary packages from a given source
+\end{center}
+
+Why?
+----
+
+ * Prevent targeted attacks
+ * Debugging: ensure known source; create missing debug symbols
+ * Help building `Multi-Arch: same` packages (Debian specific)
+
+How did this started?
+---------------------
+
+\begin{center}
+\includegraphics[width=0.8\textwidth]{images/tor-blog}
+\end{center}
+
+Nothing new
+-----------
+
+\texttt{\footnotesize%
+From: Martin Uecker <muecker at gmx.de> \\
+Cc: debian-devel at lists.debian.org \\
+Date: Sun, 23 Sep {\large 2007} 23:32:59 +0200 \\
+}
+
+\textit{%
+I think it would be really cool if the Debian policy required
+that packages could be rebuild bit-identical from source.
+At the moment, it is impossible to independly verify the
+integricity of binary packages.
+}
+
+\begin{flushright}
+\tiny
+\url{https://lists.debian.org/debian-devel/2007/09/msg00746.html}
+\end{flushright}
+
+Although, reactions were not enthuastic
+---------------------------------------
+
+\texttt{\footnotesize%
+From: Neil Williams <codehelp at debian.org> \\
+To: debian-devel at lists.debian.org \\
+Date: Mon, 24 Sep 2007 07:22:30 +0100 \\
+}
+
+\textit{%
+> Then third parties can recreate the binaries \\
+> and publish recreated hashes.
+}
+
+\textit{%
+Why? I see no benefit.
+}
+
+\begin{flushright}
+\tiny
+\url{https://lists.debian.org/debian-devel/2007/09/msg00747.html}
+\end{flushright}
+
+Although, reactions were not enthuastic
+---------------------------------------
+
+\texttt{\footnotesize%
+From: Manoj Srivastava <srivasta at debian.org> \\
+To: debian-devel at lists.debian.org \\
+Date: Sun, 23 Sep 2007 23:25:16 -0500 \\
+}
+
+\textit{%
+I, for one, think this technically infeasible, but hey, I'll be
+happy to be proved wrong.
+}
+
+\begin{flushright}
+\tiny
+\url{https://lists.debian.org/debian-devel/2007/09/msg00760.html}
+\end{flushright}
+
+BoF during DebConf13
+--------------------
+
+ * Planned at the last minute
+ * 30 attendees
+ * Kicked off  
+   `wiki.debian.org/ReproducibleBuilds`
+
+How?
+----
+
+ * Record the build environment
+ * Reproduce the build environment
+ * Eliminate unneeded variations
+
+Record the build environment
+----------------------------
+
+Record which versions of the build dependencies (and their dependencies) are
+installed.
+
+Reproduce the build environment
+-------------------------------
+
+`snapshot.debian.org`
+
+Source of variations
+--------------------
+
+ * Timestamps
+ * Build paths
+ * File order
+ * Locale
+ * …
+
+Timestamps
+----------
+
+`gzip` stores a timestamp.
+
+\tiny
+
+    $ file README.txt.gz
+    README.txt.gz: gzip compressed data, was "README.txt", from Unix,
+    last modified: Mon Mar  5 00:05:49 2012, max compression
+
+Timestamps
+----------
+
+`ar`, `tar`, `zip`, `jar`… store timestamps.
+
+\tiny
+
+    $ tar ztvf copyright-format.xml.tar.gz
+    -rw-r--r-- pbuilder/pbuilder   473 2012-03-05 00:02 Makefile
+    -rw-r--r-- pbuilder/pbuilder 56918 2012-03-05 00:05 copyright-format-1.0.html
+    -rw-r--r-- pbuilder/pbuilder 37218 2012-03-05 00:05 copyright-format-1.0.txt
+    -rw-r--r-- pbuilder/pbuilder 10007 2012-03-05 00:05 copyright-format-1.0.txt.gz
+    -rw-r--r-- pbuilder/pbuilder 53917 2012-03-05 00:02 copyright-format-1.0.xml
+    -rw-r--r-- pbuilder/pbuilder   808 2012-03-05 00:02 html.dsl
+    -rw-r--r-- pbuilder/pbuilder    97 2012-03-05 00:05 version.xml
+
+Timestamps
+----------
+
+`javadoc` writes timestamps:
+
+\tiny
+
+    $ head -n 5 /usr/share/doc/libjaxe-java-doc/api/serialized-form.html
+    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+    <!-- NewPage -->
+    <html lang="en">
+    <head>
+    <!-- Generated by javadoc (version 1.6.0_27) on Sat Jul 13 17:27:51 UTC 2013 -->
+
+Build paths
+-----------
+
+Build path is embedded in debug symbols:
+
+\tiny
+
+    $ readelf -w /usr/lib/debug/usr/bin/pidgin | grep '/tmp/build' | head -n 4
+    <11>     DW_AT_name        : /tmp/buildd/pidgin-2.10.6/./pidgin/pidginstock.c
+    <15>     DW_AT_comp_dir    : /tmp/buildd/pidgin-2.10.6/build/pidgin
+    <402d>   DW_AT_name        : /tmp/buildd/pidgin-2.10.6/./pidgin/gtkaccount.c
+    <4031>   DW_AT_comp_dir    : /tmp/buildd/pidgin-2.10.6/build/pidgin
+
+File order
+----------
+
+`readdir()` returns file in the order of the file system.
+
+Locale
+------
+
+Behaviour can change depending on configured locale:
+
+\tiny
+
+    $ printf 'a\nà\nb\n' | LC_ALL=C.UTF-8 sort
+    a
+    b
+    à
+
+    $ printf 'a\nà\nb\n' | LC_ALL=fr_FR.UTF-8 sort
+    a
+    à
+    b
+
+Misc.
+-----
+
+ * Hostname
+ * Uname output
+ * Username
+
+Cheat
+-----
+
+ * Use a VM: same kernel, same user, same build path
+ * `libfaketime`
+
+The hard path
+-------------
+
+ * Configure the toolchain:  
+   binutils `--enable-deterministic-archives`
+ * Add missing options:  
+   `javadoc --no-timestamps`
+ * Patch build systems:  
+   `gzip -n`
+
+Other distributions
+-------------------
+
+ * Fedora  
+   <http://securityblog.redhat.com/2013/09/18/reproducible-builds-for-fedora/>
+ * OpenSUSE build-compare  
+   <https://build.opensuse.org/package/show/openSUSE:Factory/build-compare>
+ * NixOS  
+   <http://lists.science.uu.nl/pipermail/nix-dev/2013-June/011357.html>
+
+Questions? Comments?
+--------------------
+
+\begin{center}
+\Huge
+?
+\end{center}
+
+\begin{center}
+\vspace{3em}
+\url{wiki.debian.org/ReproducibleBuilds}
+\end{center}
+
+\begin{flushright}
+\vspace{1em}
+\small
+\textit{Note: no harm was done to the privacy of any cat for this presentation.}
+\end{flushright}
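Review bot: three slide headings and one body line in this hunk carry typos worth fixing before the talk: `How did this started?` should read `How did this start?`, both `Although, reactions were not enthuastic` headings should read `enthusiastic` (and the comma after `Although` is misplaced; `Reactions were not enthusiastic` reads cleaner), and `` `readdir()` returns file in the order of the file system `` should be `returns files in the order the file system stores them`. The 2007 mails quoted on the `Nothing new` slide (`independly`, `integricity`) are verbatim from the linked archive and should keep their original spelling.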
diff --git a/2014-02-01-FOSDEM14/2014-02-01-FOSDEM14.pdf b/2014-02-01-FOSDEM14/2014-02-01-FOSDEM14.pdf
new file mode 100644
index 0000000..b82996f
Binary files /dev/null and b/2014-02-01-FOSDEM14/2014-02-01-FOSDEM14.pdf differ
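Review bot: the generated `2014-02-01-FOSDEM14.pdf` (189027 bytes) is committed alongside the `.mdwn` it is built from, although the Makefile's `all` target regenerates it with pandoc; if a ready-to-view copy is meant to live in the repository, the commit message should say so, otherwise the PDF goes stale on every edit to the markdown and each rebuild adds another binary blob to history.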
diff --git a/2014-02-01-FOSDEM14/Makefile b/2014-02-01-FOSDEM14/Makefile
new file mode 100644
index 0000000..e9f387c
--- /dev/null
+++ b/2014-02-01-FOSDEM14/Makefile
@@ -0,0 +1,28 @@
+.PHONY: all source
+
+PRESENTATION = 2014-02-01-FOSDEM14
+
+all: $(PRESENTATION).pdf
+
+source: $(PRESENTATION)-src.tar.gz
+
+IMGS = $(shell echo $$(sed -n -e 's/^[^%]*\\includegraphics\([^{]*\)\?{\([^}]*\)}.*$$/\2.*/p' $(PRESENTATION).mdwn | sed -e 's/\.svg$$/\.pdf$$/' | sort -u))
+
+$(PRESENTATION).pdf: $(PRESENTATION).mdwn $(PRESENTATION)-header.tex $(IMGS)
+	pandoc -t beamer \
+		--include-in-header=$(PRESENTATION)-header.tex \
+		--variable=fontsize=14pt \
+		--latex-engine=lualatex -o $@ $<
+
+%.pdf: %.svg
+	inkscape --export-pdf=$@ --export-dpi=600 $<
+
+SRCS = \
+	$(shell find . -maxdepth 1 '(' -name '$(PRESENTATION).GNUMakefile' -o -name 'Makefile' ')' -printf '%P\n') \
+	$(PRESENTATION).mdwn \
+	$(PRESENTATION)-header.tex \
+	$(IMGS)
+
+$(PRESENTATION)-src.tar.gz: $(SRCS)
+	tar -zcvf $@ --transform 's,$(PRESENTATION)\.GNUMakefile,Makefile,;s,^,$(PRESENTATION)/,' $(SRCS)
+
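Review bot: in the `IMGS` definition the second `sed -e 's/\.svg$$/\.pdf$$/'` can never match, because the first sed has already rewritten every `\includegraphics{...}` argument to `images/NAME.*`, so no line ends in `.svg` by the time the second sed runs; as written the `%.pdf: %.svg` rule is never requested through `$(IMGS)`, so either apply the `.svg` to `.pdf` substitution before appending `.*`, or drop both the second sed and the pattern rule. Two smaller points: for a deck whose own slides recommend `gzip -n`, the `source` target's `tar -zcvf` will still embed the current mtime and the local owner, so `tar --mtime=... --owner=0 --group=0 --numeric-owner -cf - $(SRCS) | gzip -n > $@` would make the tarball stable (and `-v` is just noise in a recipe); and `find ... -name '$(PRESENTATION).GNUMakefile' -o -name 'Makefile'` can return both files, after which the `--transform` produces two `Makefile` entries in the archive.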
diff --git a/2014-02-01-FOSDEM14/images/tor-blog.png b/2014-02-01-FOSDEM14/images/tor-blog.png
new file mode 100644
index 0000000..9bac1cb
Binary files /dev/null and b/2014-02-01-FOSDEM14/images/tor-blog.png differ

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/presentations.git


