Just listened to #PlanetMoney episode about the #XZ security incident...
Includes a brief, seemingly accessible introduction to #OpenSource
Though they talked a lot about the weakness of relying on arbitrary, overworked, underappreciated maintainers basically keeping "The Internet" working...
They did not apparently point out that that same open model was part of what allowed the issue to be discovered in the first place...
Coming from Debian to Guix, having "everything" in a single repository is perhaps one of my favorite practical features.
Debian has no "central" location for VCS repositories, every single package defines a custom location, which could be entirely outside of Debian infrastructure, or no proper VCS at all!
Guix having everything in a monorepo enables searching for packages with "git grep" and also cargo-culting, er, borrowing from other packages much more easily.
Not able to use a typical AC-powered fan, I used a 12V car/truck radiator fan, a DC17-55V to DC12V adapter, and a PWM motor module as both a power switch and speed regulator, 4 14x20-inch MERV13 filters and some old 2x2s to build the frame.
It moves a LOT of air at full power (~120W), but very much on the noisy side!
I am also pleased to say the official build servers for Debian produced a bit-for-bit identical .deb as my local build on bookworm amd64. Yay #ReproducibleBuilds yay!
Since the #PublicDomain has been getting new content for the last few years (e.g. 1928 and older) this provides fertile ground for things like the
Public Song Project:
So, Philipp Kern dropped by asking if we could do some #ReproducibleBuilds verifications of recent Debian Security updates, given, well, the whole #xz mess... and that our build infrastructure may have run compromised code at some point...
So I did a quick pass at a handful of updates and everything verified ok so far, though I skipped some of the probably more juicy targets such as chromium and firefox:
I've been pondering why the word "technology", which can be roughly literally translated as the study or knowledge of (ology) technique (technos?) ...
But in common everyday usage, the word "technology" often refers to the applied uses and the results of those applied uses, and even the objects and virtual objects themselves...
Have other "ology" words drifted meaning in similar ways?
Wow! These are the kind of specs that might make it worth upgrading!
Exactly the reason I actually got the MNT Reform in the first place, the possibility of modular upgrades and repair parts is real!
Especially using standard parts... I had one battery cell die the other day, and I swapped the battery cells out with ones I had on hand... (Had six unused compatible cells on hand, and pulled two out of flashlights).
I set up some shiny new virtual machines mostly for #ReproducibleBuilds on a #HoneyCombLX2 packed with 64GB of ram and 16 cores of modest ARM compute power...
only to be stumped on the networking.
The virtual machines were set up to use macvtap via virt-manager in the same way as several other machines... no network.
Today I tried using a USB ethernet adapter. Worked like a charm!
Been banging my head on the keyboard for a few days trying to set up a virtualized #kvm supporting a #debian #armhf system on an #arm64 host machine... I have several machines set up with this working.
Finally had a breakthrough...
Debian does not support #secureboot on armhf. Disabled secure boot and yay, it boots the debian-installer mini.iso just fine!
Now if I could just figure out why #macvtap does not work... it would be all set to crank through lots of builds!
It was well received, highlighting many historic #ReproducibleBuilds issues in firmware projects that I maintain in #Debian and touching on the hows and whys of Reproducible Builds.
Open Source Firmware can be a great example of 100% reproducibility, with a narrow scope of code, and is often a key part in early system boot!
I made attempts to make the actual slides I used reproducible, as well, although quirks in Debian packaging behavior and timestamps in debian/changelog from the future ... led to the .deb not actually being reproducible. :(
The PDF file itself is still reproducible, which is the only meaningful artifact inside the .deb!
Thanks to @CyrilBrulebois for troubleshooting the issue with future timestamps!
Now that it is in the past, future rebuilds are reproducible!
After searching for tree collards for, let me count, 1... 2... 5... 7... 24 years now(!!!!), I finally have some purple tree collards in the ground! So excited!
It does not look like much yet, but it is entirely plausible to get as tall as one vagrant high, last many many years, and easy to propagate by cutting off branches and sticking them in the ground and watering them...
Also used a lot of really gorgeous compost prepared over the last year...
There are a handful of vendors in California and Oregon that I have found in the last year that carry tree collards... my partner was lucky enough to find one from a local vendor at a Portland farmer's market!
Incomplete source code that compiles and runs, but behaves differently in subtle ways depending on any number of non-deterministic factors... how does someone verify that? Or complete source code with a compromised toolchain?
The promises of Free Software are a little empty if you cannot verify the results.
Whether it should be part of a Free Software definition, I don't know... that gets complicated!
The crux of my talk was that Reproducible Builds, Bootstrappable builds and Free Software may each be independently useful, but much stronger if you have all of them.
Reproducible Builds demonstrates a strong connection between the source code and the binaries to be run, modified or shared.
Bootstrappable Builds strengthens confidence in the toolchain.
Free Software makes it possible to verify the other two by independent third parties.
Verifying #ReproducibleBuilds of packages actually in #Debian ... is not exactly a new thing, but is harder than it ought to be, because you need to rebuild with the exact same packages that the original build was built with, and snapshot.debian.org is less than entirely reliable...
So I tried rebuilding packages recently built on buildd.debian.org and it was reasonably successful.
Long-term we will still need some sort of snapshot-like functionality...
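The verification step described in the post above, as an added example that is not the author's tooling or any Debian script: a rebuilder reads the official .buildinfo, pins the exact Installed-Build-Depends versions it lists, rebuilds, and compares the SHA-256 of each resulting .deb against the Checksums-Sha256 section. The .buildinfo text, package names, versions and "deb contents" below are all constructed for the example; the field names and line layout follow the real .buildinfo format.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for the binary packages a rebuild would produce.
# Real .deb files are ar archives; these bytes exist only to be hashed.
ORIGINAL_ARTIFACTS: Dict[str, bytes] = {
    "hello_2.10-3_amd64.deb": b"constructed .deb contents for hello\n",
    "hello-dbgsym_2.10-3_amd64.deb": b"constructed .deb contents for hello-dbgsym\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sample_buildinfo(artifacts: Dict[str, bytes]) -> str:
    """Produce a minimal, constructed .buildinfo-style text whose
    Checksums-Sha256 section matches the given artifact bytes.
    Package versions in Installed-Build-Depends are made up."""
    lines = [
        "Format: 1.0",
        "Source: hello",
        "Binary: hello hello-dbgsym",
        "Architecture: amd64",
        "Version: 2.10-3",
        "Checksums-Sha256:",
    ]
    for name, data in artifacts.items():
        lines.append(f" {sha256_hex(data)} {len(data)} {name}")
    lines += [
        "Build-Origin: Debian",
        "Build-Architecture: amd64",
        "Installed-Build-Depends:",
        " autoconf (= 2.71-3),",
        " gcc-12 (= 12.2.0-14),",
        " libc6-dev (= 2.36-9+deb12u4)",
        "Environment:",
        ' SOURCE_DATE_EPOCH="1700000000"',
    ]
    return "\n".join(lines) + "\n"


def parse_buildinfo(text: str) -> Tuple[Dict[str, Tuple[str, int]], List[Tuple[str, str]]]:
    """Return ({filename: (sha256, size)}, [(package, version), ...]).
    Continuation lines (leading space) belong to the preceding field."""
    checksums: Dict[str, Tuple[str, int]] = {}
    build_depends: List[Tuple[str, str]] = []
    section = None
    for line in text.splitlines():
        if line.startswith(" "):
            if section == "Checksums-Sha256":
                digest, size, name = line.split()
                checksums[name] = (digest, int(size))
            elif section == "Installed-Build-Depends":
                m = re.match(r"\s*(\S+) \(= ([^)]+)\),?$", line)
                if m:
                    build_depends.append((m.group(1), m.group(2)))
            continue
        section = line.partition(":")[0]
    return checksums, build_depends


def pinned_install_list(build_depends: List[Tuple[str, str]]) -> List[str]:
    """apt-style pkg=version pins; the rebuild chroot must install exactly
    these, which is where a snapshot service becomes necessary."""
    return [f"{pkg}={ver}" for pkg, ver in build_depends]


def verify_rebuild(buildinfo_text: str, rebuilt: Dict[str, bytes]) -> Dict[str, str]:
    """Compare every artifact the .buildinfo lists against the rebuilt bytes."""
    checksums, _ = parse_buildinfo(buildinfo_text)
    results: Dict[str, str] = {}
    for name, (expected_digest, expected_size) in checksums.items():
        data = rebuilt.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != expected_size:
            results[name] = "size mismatch"
        elif sha256_hex(data) != expected_digest:
            results[name] = "checksum mismatch"
        else:
            results[name] = "reproducible"
    return results


if __name__ == "__main__":
    official = make_sample_buildinfo(ORIGINAL_ARTIFACTS)
    _, deps = parse_buildinfo(official)
    print("pins:", pinned_install_list(deps))
    # A rebuild whose one package differs by a single byte (e.g. an
    # embedded timestamp) is caught by the digest even though sizes match.
    tampered = dict(ORIGINAL_ARTIFACTS)
    tampered["hello_2.10-3_amd64.deb"] = b"constructed .deb contents for HELLO\n"
    print(verify_rebuild(official, ORIGINAL_ARTIFACTS))
    print(verify_rebuild(official, tampered))
```

The size check is only a cheap first filter; the digest is the verdict. Note that a mismatch here tells you the build is not reproducible, not why: diffing the two artifacts (diffoscope is the usual tool) is the next step.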
I was excited to experiment with #rk2aw at first, which allows additional flexibility with low-level bootloader selection for several #RockChip systems...
... until I was disappointed to find out that while rk2aw is licensed under an MIT license, the developers choose not to distribute source code?
With a few small bumps, managed to get the #Librem5 booting into a #Mobian installer, and installed with an encrypted rootfs!
So far, only have #Dino configured, but that is enough for this to be a hugely useful communications device, especially with #JMPchat to connect up to telephony networks!
Love the kill switches for cellular modem, wifi/bluetooth and camera/mic!
This is my first #Debian #Trixie based computer, as there may be issues with the now-stable #Bookworm on this hardware.
'the main contractor on the project, Cubic — which also developed the MetroCard — “has not provided sufficient resources” to manage OMNY operations'....
'The 15-cent fare hike was supposed to kick in Aug. 20 but arrived early, the MTA said, because of “prematurely implemented software changes” by Cubic Transportation Systems, the contractor that developed the #OMNY fare-payment system.'