Posts by vagrantc@floss.social
(DIR) Post #ASCxq0igzBXq4EcWaO by vagrantc@floss.social
2023-01-31T16:43:20Z
1 likes, 0 repeats
@Ninjatrappeur Whoah, you need to run guix pull, that was fixed in https://git.savannah.gnu.org/cgit/guix.git/commit/?id=168a7933c0e138dc7061a3f0dc96871e16da5c5f
(DIR) Post #ASxCjvPxLqUNbtJiDo by vagrantc@floss.social
2023-02-23T00:09:59Z
0 likes, 0 repeats
Picked up a #FrameworkLaptop and there are a lot of nice things about a laptop designed to be taken apart and put back together again! Running #Debian bookworm and it mostly works ok. Unfortunately, for a while I was convinced the USB-A adapters were not working, but apparently, they work fine on the left side ports, just not on the right side. HDMI and USB-C work fine on the right side ports, so the ports are not completely broken... Anyone else encountered this issue? @frameworkcomputer
(DIR) Post #AVFcibUC8uYdUIEyky by vagrantc@floss.social
2023-05-02T01:16:36Z
1 likes, 1 repeats
I am growing increasingly concerned that while all the discussion and excitement around #SBOM is definitely a prerequisite for software #SupplyChain security... It still seems to just be a marginal improvement over #JustTrustUs because there is no way to verify the software claimed in the SBOM is the software used... or is there? With #ReproducibleBuilds you get everything an SBOM has, but also the ability to independently verify it, by rebuilding and getting bit-for-bit identical results!
(DIR) Post #AVYEvBVzn8cQNH4pyS by vagrantc@floss.social
2023-05-11T03:48:18Z
0 likes, 0 repeats
@CKsTechNews So the end-to-end encryption in matrix (or just the element client?) has no back doors, just, uh, a way to send encrypted messages to, uh ... third parties ... as a funding model? I will very happily stick with #XMPP and #OMEMO thanks!
(DIR) Post #AVbtGSCZWcI5qiZIDg by vagrantc@floss.social
2023-05-02T15:50:17Z
0 likes, 1 repeats
@yojimbo In simple terms, an SBOM is a list of dependencies for some software project, product, etc. Knowing what was used to build your software is a precondition for reproducible builds, so reproducible builds projects have been doing SBOM-like things (often called .buildinfo files) since before 2016... ...with the added benefit of also providing the information necessary to prove the sources used are sufficient to produce a given software artifact. In other words, a verifiable SBOM.
(DIR) Post #AVbtGSlfQ8MbbYzJvE by vagrantc@floss.social
2023-05-02T15:55:02Z
0 likes, 0 repeats
@yojimbo I guess it seems like a pretty low bar to simply list the dependencies of a software project, and yet it is somehow exciting for the industry at large? I worry that it will stop at some weak and unverifiable compliance checklist and go no further. We can do so much better!
(DIR) Post #AWYuvFzQniVpGMQyTw by vagrantc@floss.social
2023-06-10T22:20:45Z
0 likes, 1 repeats
Hard to believe I started practicing at my current #Aikido dojo twenty years ago! Today I had the honor of teaching a full class for the first time... Focused on #ikkyo (a.k.a. "first technique") as an important component for subsequent #nikyo and #sankyo techniques. These techniques are on subsequent #kyu tests, which to me are more about building a framework for learning than earning rank! I hope I conveyed that learning one technique can help with learning other techniques.
(DIR) Post #AWrYKX334e9jKeRuoS by vagrantc@floss.social
2023-06-19T21:03:27Z
0 likes, 2 repeats
I will be presenting about #ReproducibleBuilds at #FOSSY this year: Breaking the Chains of Trusting Trust: Reproducible Builds and More! https://2023.fossy.us/schedule/presentation/118/ Pretty excited, and a lot of interesting developments in recent years! @reproducible_builds #SupplyChain #BootstrappableBuilds
(DIR) Post #AX6dfNF0cfTIytoxRg by vagrantc@floss.social
2023-06-27T01:51:53Z
1 likes, 0 repeats
Recently was pointed to this great article that really succinctly gets at an important issue for #FOSS https://drewdevault.com/2021/01/20/FOSS-is-to-surrender-your-monopoly.html
(DIR) Post #AYSN4jh2oIvsoe26qW by vagrantc@floss.social
2023-08-04T14:10:29Z
0 likes, 1 repeats
With a few small bumps, managed to get the #Librem5 booting into a #Mobian installer, and installed with an encrypted rootfs! So far, only have #Dino configured, but that is enough for this to be a hugely useful communications device, especially with #JMPchat to connect up to telephony networks! Love the kill switches for cellular modem, wifi/bluetooth and camera/mic! This is my first #Debian #Trixie based computer, as there may be issues with the now-stable #Bookworm on this hardware.
(DIR) Post #AYSN4lQSMwquBmHtGi by vagrantc@floss.social
2023-08-04T21:31:57Z
0 likes, 0 repeats
This reminds me of a talk I gave at #DebConf 17 about installing #Debian on #ARM based systems and exploring the idea of using a live image for the installer. https://debconf17.debconf.org/talks/116/ Not a new idea, really, and the #Calamares installer by #Mobian used lacks a lot of flexibility that #DebianInstaller provides... Still, this may be the first time I actually used a live installer for real and perhaps best of all, I did very little of the work! Thanks everyone who made it possible!
(DIR) Post #AZwgvc3FtPQKx5i2l6 by vagrantc@floss.social
2023-09-19T22:19:46Z
0 likes, 2 repeats
Verifying #ReproducibleBuilds of packages actually in #Debian ... is not exactly a new thing, but is harder than it ought to be, because you need to rebuild with the exact same packages that the original build was built with, and snapshot.debian.org is less than entirely reliable... So I tried rebuilding packages recently built on buildd.debian.org and it was reasonably successful. Long-term we will still need some sort of snapshot-like functionality... https://lists.reproducible-builds.org/pipermail/rb-general/2023-September/003076.html
(DIR) Post #AbO7ao4ES20b2SKikC by vagrantc@floss.social
2023-07-17T22:21:56Z
0 likes, 1 repeats
Gave a talk at #FOSSY yesterday about #ReproducibleBuilds and #BootstrappableBuilds and how close we are to actually countering the infamous #TrustingTrust attack. The slides are packaged as a Debian package, including a signed .buildinfo file, so you should be able to recreate my slides bit-for-bit identically! https://www.aikidev.net/~vagrant/talks/2023/fossy/ However, my actual talk included a fair amount of non-determinism, thanks for all the great questions! https://2023.fossy.us/schedule/presentation/118/ Videos should be available soon!
(DIR) Post #AbO7aqYRChMIkiTs6S by vagrantc@floss.social
2023-09-02T18:53:53Z
0 likes, 1 repeats
Breaking the Chains of Trusting Trust video now available: https://archive.org/details/fossy2023_Breaking_the_Chains_of_Trustin #FOSSY #FOSSY2023 #ReproducibleBuilds #BootstrappableBuilds #TrustingTrust @reproducible_builds
(DIR) Post #AbPQrIEc9KblWPixyS by vagrantc@floss.social
2023-10-15T22:56:10Z
0 likes, 1 repeats
I gave a talk at Open Source Firmware Conference this year, Reproducible Builds All The Way Down: https://www.osfc.io/2023/talks/reproducible-builds-all-the-way-down/ Slides available: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/tree/master/2023-10-11-Reproducible-Builds-All-The-Way-Down It was well received, highlighting many historic #ReproducibleBuilds issues in firmware projects that I maintain in #Debian and touching on the hows and whys of Reproducible Builds. Open Source Firmware can be a great example of 100% reproducibility, with a narrow scope of code, and is often a key part in early system boot!
(DIR) Post #AbPQrKHAYnq9quw2Ea by vagrantc@floss.social
2023-10-15T23:09:46Z
0 likes, 0 repeats
#OSFC2023 did not have any sort of #Mask policy. While I knew that going into it and consciously decided to go despite that, this was the first time I attended a conference without a masking policy. I got higher quality masks for myself and a CO2 monitor to help gauge and mitigate my personal risk. The venue at least had reasonable ventilation, between 600 and 700 PPM, although flights and public transit often spiked into much riskier levels. I do not think I will be doing that again! :(
(DIR) Post #AbPQrN0GQ76GJM34ng by vagrantc@floss.social
2023-10-17T02:55:06Z
0 likes, 0 repeats
I made attempts to make the actual slides I used reproducible, as well, although quirks in Debian packaging behavior and timestamps in debian/changelog from the future ... lead to the .deb not actually being reproducible. :( The PDF file itself is still reproducible, which is the only meaningful artifact inside the .deb! Thanks to @CyrilBrulebois for troubleshooting the issue with future timestamps! Now that it is in the past, future rebuilds are reproducible! https://www.aikidev.net/~vagrant/talks/2023/osfc/
(DIR) Post #AkarZqhJMFa9aNgsoi by vagrantc@floss.social
2024-08-03T05:01:39Z
0 likes, 0 repeats
@zacchiro @osuosl It was great to see a couple talks at #FOSSY24 the past couple days about OSUOSL! #OSUOSL have been hosting machines for #ReproducibleBuilds for many years! I have personally performed thousands of manual builds debugging reproducibility issues using their machines! And thousands of automated package (re)builds per day, across several different software distributions: https://salsa.debian.org/qa/jenkins.debian.net/-/blob/d34fd5c049d628e03611c39f8dfad4eb3adca9e7/README.infrastructure#L41 Huge thanks to the people keeping all this great infrastructure running!
(DIR) Post #AmLQGcB7b2CcWLs0iu by vagrantc@floss.social
2024-09-24T01:58:16Z
0 likes, 0 repeats
I will be presenting "Two Ways to Trustworthy" at @SeaGL this year! It will be a comparison of #Debian and #Guix largely as they relate to #ReproducibleBuilds and #BootStrappableBuilds highlighting the differing strengths and challenges each project faces... #SeaGL2024
(DIR) Post #AutkO6w1xejeJ0IFPc by vagrantc@floss.social
2025-06-07T20:29:15Z
0 likes, 0 repeats
@tomjennings Maybe #FOSSY ? https://fossy.us