2019-09-13-Cauldron2019-Reproducible-Toolchains-For-The-Win/Reproducible-Toolchains-For-The-Win.org

-#+TITLE: Reproducible Toolchains For The Win!
 #+AUTHOR: Vagrant Cascadian
+#+TITLE: Reproducible Toolchains For The Win!
 #+EMAIL: vagrant@reproducible-builds.org 
 #+DATE: Cauldron 2019, 2019-09-13
 #+LANGUAGE:  en
@@ -81,6 +81,51 @@ identical copies of all specified artifacts.
 
 [[./images/reproducible-builds.png]]
 
+
+* Why unreproducibilities exist (prehistorically)
+
+#+ATTR_BEAMER: :overlay <+->
+- Historically software was reproducible! Every bit counted.
+- And every bit was known.
+- Bit for bit reproducible GNU toolchain in the early 90s on 10(?) architectures.
+- *And then we all forgot.*
+
+* Motivation for reproducible builds
+
+#+ATTR_BEAMER: :overlay <+->
+- Why do we care about reproducible builds?
+
+  - Can detect backdoored build environments on developer systems or
+    project build machines
+
+  - Optimize build cache, limiting rebuilds
+
+  - License compliance verification
+
+  - It just feels right
+
+- What will reproducible builds not do for you?
+
+  - Cannot detect flaws in sources
+
+* License compliance: GPL
+
+GPL compliance
+
+#+ATTR_BEAMER: :overlay <+->
+  - source code is what it used to write free software
+  - binary code is what is actually used
+  - How can you prove that the binaries used are the result of the source code?
+
+* License compliance: hardware
+
+https://www.fsf.org/resources/hw/endorsement/respects-your-freedom
+
+#+ATTR_BEAMER: :overlay <+->
+- Firmware
+- Operating system
+- Other software
+
 * The problem is one of Time
 
 https://reproducible-builds.org/docs/source-date-epoch/
@@ -91,17 +136,16 @@ Support for SOURCE_DATE_EPOCH added to gcc 2019-04:
 
 https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=e3e8c48c4a494d9da741c1c8ea6c4c0b7c4ff934
 
-* Build Paths
-
-https://reproducible-builds.org/specs/build-path-prefix-map/
-
-* gcc: build paths
+* gzip: time
 
-https://tests.reproducible-builds.org/debian/issues/unstable/gcc_captures_build_path_issue.html
+#+ATTR_BEAMER: :overlay <+->
+- gzip --no-name (a.k.a. -n)
+- [PATCH] Do not store mtime when compressing stdin
+  https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32342
 
-618: reproducible (possibly due to -ffile-prefix-map)
+* Build Paths
 
-1015: still unreproducible
+https://reproducible-builds.org/specs/build-path-prefix-map/
 
 * gcc: build paths
 
@@ -114,49 +158,172 @@ https://tests.reproducible-builds.org/debian/issues/unstable/gcc_captures_build_
 
 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70268
 
+* gcc: build paths
+
+https://tests.reproducible-builds.org/debian/issues/unstable/gcc_captures_build_path_issue.html
+
+618: reproducible (possibly due to -ffile-prefix-map)
+
+1015: still unreproducible
+
+
+
 * gcc: a block in the road, a line in the sand
 
 https://gcc.gnu.org/ml/gcc-patches/2016-11/msg00182.html
 https://gcc.gnu.org/ml/gcc-patches/2017-04/msg00513.html
 https://gcc.gnu.org/ml/gcc-patches/2017-07/msg01315.html
 
-* Copyright
+* gcc: LTO
 
-  Copyright 2019 Vagrant Cascadian <vagrant@reproducible-builds.org>
+Report LTO-induced indeterminism from global constructors
 
-  This work is licensed under the Creative Commons
-  Attribution-ShareAlike 4.0 International License.
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91307 
 
-  To view a copy of this license, visit
-  https://creativecommons.org/licenses/by-sa/4.0/
+* Sort your wildcards
 
-* TODO
+GNU make
 
-solved:
+#+ATTR_BEAMER: :overlay <+->
+- wildcard/glob should be sorted
+
+  https://savannah.gnu.org/bugs/index.php?52076
+
+- src/read.c (parse_file_seq): [SV 52076] Sort wildcard results.
 
-https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32342 gzip
-https://gitlab.kitware.com/cmake/cmake/merge_requests/432
-https://github.com/rpm-software-management/rpm/pull/536
-https://github.com/rpm-software-management/rpm/pull/485
-https://bugreports.qt.io/browse/QTBUG-62511
   https://git.savannah.gnu.org/cgit/make.git/commit/?id=eedea52afb2069e54188508cd87cb7724b30dd6a
 
-open:
+* build essential: debian unstable
+
+https://tests.reproducible-builds.org/debian/unstable/amd64/pkg_set_build-essential.html
+
+** image
+    :PROPERTIES:
+    :BEAMER_col: 0.5
+    :END:
+
+[[./images/unstable-build-essential.png]]
+
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.5
+    :END:
 
-https://github.com/ImageMagick/ImageMagick/pull/1270
-https://github.com/python/cpython/pull/12341
-https://issues.apache.org/jira/browse/MJAVADOC-619 maven-javadoc-plugin
-plus more missing java patches
-and there is still the whole python py_compile mess left
+of 54 packages:
 
->> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32342 gzip
->> https://git.savannah.gnu.org/cgit/make.git/commit/?id=eedea52afb2069e54188508cd87cb7724b30dd6a
+6 (11.1%) unreproducible: bash+ linux perl# gmp gcc-9 binutils
+
+3 (5.6%) failed to build: pcre2 glibc xz-utils
+
+45 (83.3%) reproducible: ...
+
+
+* build essential: debian bullseye
+
+https://tests.reproducible-builds.org/debian/bullseye/amd64/pkg_set_build-essential.html
+
+** image
+    :PROPERTIES:
+    :BEAMER_col: 0.5
+    :END:
+
+[[./images/bullseye-build-essential.png]]
+
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.5
+    :END:
+
+53 packages:
+
+1 (1.9%) unreproducible: gcc-9
+
+1 (1.9%) failed to build: xz-utils
+
+1 (1.9%) other problems: libgcrypt20
+
+50 (94.3%) reproducible:: ...
+
+
+* build essential build depends: debian unstable
+
+https://tests.reproducible-builds.org/debian/unstable/amd64/pkg_set_build-essential-depends.html
+
+** image
+    :PROPERTIES:
+    :BEAMER_col: 0.5
+    :END:
+
+[[./images/unstable-build-essential-depends.png]]
+
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.5
+    :END:
+
+of 3061 packages:
+
+312 (10.2%) unreproducible
+
+83 (2.7%) failed to build
+
+4 (0.1%) misc issues
+
+2662 (87.0%) reproducible
+
+
+* build essential build depends: debian bullseye
+
+https://tests.reproducible-builds.org/debian/bullseye/amd64/pkg_set_build-essential-depends.html
+
+** image
+    :PROPERTIES:
+    :BEAMER_col: 0.5
+    :END:
+
+[[./images/bullseye-build-essential-depends.png]]
+
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.5
+    :END:
+
+of 3144 packages:
+
+100 (3.2%) unreproducible
+
+69 (2.2%) failed to build
+
+13 (0.4%) misc issues
+
+2962 (94.2%) reproducible
+
+
+* bootstrapping
+
+https://bootstrappable.org/
+
+What compiler do you use to compile your compiler?
+
+* Untangling the bootstraping Mes
+
+https://savannah.gnu.org/projects/mes
+
+GNU Mes
+
+Mutual self-hosting Scheme interpreter written in ~5,000 LOC of simple
+C and a Nyacc-based C compiler written in Scheme.
+
+* Copyright
+
+  Copyright 2019 Vagrant Cascadian <vagrant@reproducible-builds.org>
+
+  Copyright 2019 Holger Levsen <holger@layer-acht.org>
+
+  This work is licensed under the Creative Commons
+  Attribution-ShareAlike 4.0 International License.
+
+  To view a copy of this license, visit
+  https://creativecommons.org/licenses/by-sa/4.0/
 
-[gcc/nvme-cli](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91307 report
-LTO-induced indeterminism from global constructors
 
-> _reports/2019-06.md:* Richard Biener submitted a patch for the [GCC
-GNU Compiler Collection](https://gcc.gnu.org/) to [fix differences in
-the runtime debugging info between
-builds](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90778) in its D
-programming language support.

2019-09-13-Cauldron2019-Reproducible-Toolchains-For-The-Win/images/reproducible-builds.png

+../../2019-08-04-Linuxdev-BR-There-and-Back-Again-Reproducibly/images/reproducible-builds.png
\ No newline at end of file

2019-09-13-Cauldron2019-Reproducible-Toolchains-For-The-Win/images/vagrantupsidedown.png

+../../2019-08-04-Linuxdev-BR-There-and-Back-Again-Reproducibly/images/vagrantupsidedown.png
\ No newline at end of file