• Evaluation of bundling .buildinfo in .deb proposal

    From Guillem Jover@21:1/5 to All on Sat Aug 29 03:40:01 2020
    Hi!

    Holger proposed to bundle the .buildinfo files into .deb archives
    during the DebConf talk. I've mentioned to Holger that I'm not seeing
    this as being feasible and mentioned various reasons why, but I'm also
    still open to explore this possibility. So I've added these in a wiki
    page:

    <https://wiki.debian.org/Teams/Dpkg/Spec/BundledBuildinfo>

    Please let me know whether I've missed anything, whether you can think
    of other possibilities, etc. :)

    Thanks,
    Guillem

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Chris Lamb@21:1/5 to All on Mon Aug 31 14:20:02 2020
    [adding rb-general to CC]

    Hi Guillem,

> Holger proposed to bundle the .buildinfo files into .deb archives
> during the DebConf talk. I've mentioned to Holger that I'm not seeing
> this as being feasible and mentioned various reasons why, but I'm also
> still open to explore this possibility. So I've added these in a wiki
> page:
>
> <https://wiki.debian.org/Teams/Dpkg/Spec/BundledBuildinfo>

The majority of Debian's documentation is either littered around the
internet, in obscure mailing list posts, in IRC backlogs or simply in
people's minds. This kind of document pushes back against this
organisational antipattern, so thank you.

    With regards to your question, I do not believe you are missing
    anything here, except perhaps to clarify exactly which .debs you would
    put the .buildinfo into. I assume you mean all of the binary .debs
    (noting your later caveat regarding .udebs), but it might be worth
    being specific for clarity.

    In terms of my own opinion, you remark that:

> this would make a simple file comparison [..] require some
> kind of tool

This does indeed go against one of the stated original design
principles as well as the unstated æsthetic ones that I hold
personally. I have also empirically observed that the platforms that
adopt a "oh, you just need this small tool" approach do not appear to
gain as much traction either.

    Now, I cannot back this up scientifically, but I don't believe this is
    purely for technical reasons but also cognitive ones. As in, there is
    something deeply psychologically reassuring and satisfying to humans
    when a reproducible artefact can be seen to be identical using just
    our "eyes" and without any tools whatsoever. I might completely trust
    some tool technically and even trust it from a security perspective (!)
    yet it somehow does not feel nearly as "secure", right or intuitive.

    (As an obiter dictum, are we sure it was Holger who was proposing this
    idea in the talk, rather than mentioning it? I think he has previously
    echoed my view on the "no special tools" principle, hence this minor
    remark. Am willing to be corrected either way.)


    Regards,

    --
    ,''`.
    : :' : Chris Lamb
    `. `'` lamby@debian.org 🍥 chris-lamb.co.uk
    `-

  • From Holger Levsen@21:1/5 to Chris Lamb on Mon Aug 31 14:40:01 2020
    Dear Chris,

    On Mon, Aug 31, 2020 at 12:02:03PM -0000, Chris Lamb wrote:
> (As an obiter dictum, are we sure it was Holger who was proposing this
> idea in the talk, rather than mentioning it? I think he has previously
> echoed my view on the "no special tools" principle, hence this minor
> remark. Am willing to be corrected either way.)

    yes, it was me who proposed it (watch my dc20 talk! :) and who still
    thinks it's a good idea. sadly I didn't have the time to start the
    discussion in a bug (I only came to this conclusion the day before the
    talk, though I have thought about this for the last 5 years) and I
    probably still won't have the time until next week. (*)

I'd appreciate it if we'd use a bug for discussing this, so whatever the outcome
will be, we'll have a canonical and truly long-living URL to reference the discussion.

    thanks.

    (*) so the blame for not discussing this in a bug right now in the first
    place, goes to me. hooray.

similarly, I don't think an internal Debian discussion immediately belongs
on the rb-general list... I do believe we have these two distinct lists
for a reason :)

    also, I will not share my thoughts about Guillem's and Chris' reply
    here (and *now*), before I had the opportunity to put the reasoning
    behind my thoughts in a bug report. And I'd hope my thoughts why are laid
    out clearly in my talk available at

    https://meetings-archive.debian.net/pub/debian-meetings/2020/DebConf20/49-reproducing-bullseye-in-practice.webm

finally, I'm sorry if I come across harsh. I feel pressured and misunderstood
and that I need to react now. I wish I felt different.


    --
    cheers,
    Holger

    -------------------------------------------------------------------------------
    holger@(debian|reproducible-builds|layer-acht).org
    PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

    That morning, the young barista woman told me that a customer came in with a mask, but not wearing it. When she asked the customer to put on her mask please, the woman said: "Why? There's no-one in here."

  • From Guillem Jover@21:1/5 to Holger Levsen on Mon Aug 31 15:10:02 2020
    Hi!

    On Mon, 2020-08-31 at 12:39:07 +0000, Holger Levsen wrote:
> On Mon, Aug 31, 2020 at 12:02:03PM -0000, Chris Lamb wrote:
> > (As an obiter dictum, are we sure it was Holger who was proposing this
> > idea in the talk, rather than mentioning it? I think he has previously
> > echoed my view on the "no special tools" principle, hence this minor
> > remark. Am willing to be corrected either way.)

> yes, it was me who proposed it (watch my dc20 talk! :) and who still
> thinks it's a good idea. sadly I didn't have the time to start the
> discussion in a bug (I only came to this conclusion the day before the
> talk, though I have thought about this for the last 5 years) and I
> probably still won't have the time until next week. (*)
>
> I'd appreciate it if we'd use a bug for discussing this, so whatever the
> outcome will be, we'll have a canonical and truly long-living URL to
> reference the discussion.

    As I hinted (but should probably have been more clear, sorry about
    that) on our private mail exchange, a bug report seemed premature to
    me, given that it's really not clear (to me at least) this is the way
    to go. I tend to find bug reports not a very good medium for broad
    design work TBH, and they end up not being very visible once they are
    closed, so need to be referenced from other places, such as a wiki. :)

As a summary of a concluded spec to be implemented sure, but otherwise
(at least for dpkg) they feel more like clutter than anything else. If
you insist on opening a bug, then I'll go along, as closing would seem
inappropriate though, but meh. :D

> also, I will not share my thoughts about Guillem's and Chris' reply
> here (and *now*), before I had the opportunity to put the reasoning
> behind my thoughts in a bug report. And I'd hope my thoughts why are laid
> out clearly in my talk available at

I think the reasoning is clear, but perhaps I didn't capture it
correctly in the wiki page, but the problem I'm seeing is in the
implications of the (current) proposal. As I mention in there perhaps
there are other ways to accomplish a similar thing but I'm not seeing
either how those alternatives could unstick the current infra
deployment problem TBH.

> https://meetings-archive.debian.net/pub/debian-meetings/2020/DebConf20/49-reproducing-bullseye-in-practice.webm

> finally, I'm sorry if I come across harsh. I feel pressured and misunderstood
> and that I need to react now. I wish I felt different.

Oh! Hmm I didn't mean this as pressure, I thought you were actually
eager to get this discussed publicly, so I went ahead and published
what I understood the proposal was, which perhaps I've not captured
correctly either. I'm happy to sit on this for whatever time you need,
personally I see no hurry myself. :)

    Thanks,
    Guillem

  • From Chris Lamb@21:1/5 to All on Tue Sep 1 01:10:01 2020
    Hi Holger,

> > (As an obiter dictum, are we sure it was Holger who was proposing this
> > idea in the talk, rather than mentioning it? I think he has previously
> > echoed my view on the "no special tools" principle, hence this minor
> > remark. Am willing to be corrected either way.)

> yes, it was me who proposed it (watch my dc20 talk! :) and who still
> thinks it's a good idea.

    Ah, I am clearly misremembering both parts. I must have incorrectly
    connected you mentioning the idea with you repeating it from someone
    else. (I was very much present at your talk although I admit I did not
    rewatch it in order to write my message earlier today.)

    I am also clearly misremembering a discussion on the actual merits of
    the idea from our summit meetings. But it is of no real consequence,
    and you would surely be 'allowed' to change your mind in any case. :)

> finally, I'm sorry if I come across harsh. I feel pressured and misunderstood
> and that I need to react now. I wish I felt different.

    Oof, I am sorry to hear that. It will likely be of no real help to
    you, but like Guillem implied in his own email, this was not my
    intention. In fact, it was quite the opposite — I was trying to ensure
    that your views were accurately represented. I suspect I share much of
    the frustration that underlies this.


    Regards,

    --
    ,''`.
    : :' : Chris Lamb
    `. `'` lamby@debian.org 🍥 chris-lamb.co.uk
    `-

  • From Holger Levsen@21:1/5 to Guillem Jover on Fri Sep 11 00:00:02 2020
    Hi Guillem (& others),

    On Sat, Aug 29, 2020 at 03:38:27AM +0200, Guillem Jover wrote:
> Holger proposed to bundle the .buildinfo files into .deb archives
> during the DebConf talk. I've mentioned to Holger that I'm not seeing
> this as being feasible and mentioned various reasons why, but I'm also
> still open to explore this possibility. So I've added these in a wiki
> page:
>
> <https://wiki.debian.org/Teams/Dpkg/Spec/BundledBuildinfo>

    that page is awesome, thank you.

And yes, "...the proposal has definitely not really been fleshed out...",
I'd rather call it an idea at the current stage and my current plan is to
(jointly) work on a pad first, to flesh out the idea into one or several
proposals. and then (soon) I'll very much appreciate feedback on this.

it might have been a bit premature to throw out this idea at dc20, for
various reasons or also because online conferences work differently than
real life ones, but anyway, i'm happy 'the idea is out' (even too roughly
and even though due to the medium people reply to this idea while i would
have preferred to be able to lay out a proposal and not just an idea),
so tl;dr; I'll soon present $something. (not daring to call it an idea
nor a proposal, because...)

a pad it will be, first. and then, i'll ask for feedback (and it to be torn
in pieces or not or only some parts.) and this call for feedback will
probably only include 3-5 people.

it's hard to mimic conference dynamics offline (but i'm sure that this
proposal by now would have either been substantially better or torn in
many pieces by now ;)

> Please let me know whether I've missed anything, whether you can think
> of other possibilities, etc. :)

    I'll try^wdo, one way or the other! ;) For now, please just hold on a bit.

Thank you, mucho! (I know and I can see how you want dpkg to be part of
the solution. That rocks and makes me smile quite a bit.)


    --
    cheers,
    Holger

    -------------------------------------------------------------------------------
    holger@(debian|reproducible-builds|layer-acht).org
    PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

    "There's no glory in prevention." (Christian Drosten)
