pleroma.debian.social

Wouter Verhelst | @wouter@pleroma.debian.social

Debian Developer. husband. FOSDEM organizer. Tennis lover. Amateur musician.

If it ain't fun, you're not doing it right.

Did a short thing about [extrepo](https://packages.debian.org/extrepo) at the [DebConf23](https://debconf23.debconf.org) [lightning talks and demos](https://debconf23.debconf.org/talks/51-live-demos-lightning-talks/) slot, which I believe was well received. The video is already [out](https://meetings-archive.debian.net/pub/debian-meetings/2023/DebConf23/debconf23-369-live-demos-lightning-talks.av1.webm)!

@marcan @developing_agent fair enough. And I suppose they're also not going to sue if they have a weak case and there is no money to grab. You're not a corporation with several millions in the bank.

@zhenech
FreeOTP with the password in a password vault?

@noodles
There is an rpmlint? #TIL
@liw

@marcan
It means they have too much money and don't mind suing until you get tired of it and go 'fine, give me that paper', or run out of money, whichever comes first.

No, you should not give in. Yes, it does happen.
@developing_agent

@ariadne
This is not news?

@raboof @ska @reproducible_builds Sure; I meant to say that you can detect trusting trust issues without bit-by-bit identical binaries. Having those makes the detection even easier, of course!

@ska @reproducible_builds Note that reproducible builds doesn't necessarily give you bit-for-bit identical binaries, and that's also not necessary. What they give you is a toolkit to figure out which changes are normal results of different build dependencies, and which ones aren't. Things like diffoscope, e.g.

@ska @reproducible_builds If I build a version of some reproducibly-built software using a compromised tool chain and you build it using a non-compromised one, and you share the relevant bits of the output with me, then we know that one of us has a fishy compiler and the trusting trust issues are discovered.

That still leaves figuring out what happened, of course, but you don't need to be an expert to get this far. With your method of auditing binaries, you do.
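The comparison described in the thread above, as an added example (not code from the original posts or from the reproducible-builds project): each independent builder publishes a manifest of artifact path to SHA-256 digest, and the manifests are compared. It goes one step past the two-party case in the post: with two builders a mismatch only tells you that one of them is fishy, while with three or more builders a majority lets you name the outlier. The builder names, artifact paths and file contents are constructed sample data.

```python
import hashlib
from collections import Counter

# Constructed sample data: the bytes each builder ended up with for each
# artifact. "carol" stands in for a builder whose tool chain altered one binary.
CLEAN_SERVER = b"\x7fELF clean server binary (constructed)"
CLEAN_LIB = b"\x7fELF shared library (constructed)"
SAMPLE_BUILDS = {
    "alice": {"usr/bin/server": CLEAN_SERVER, "usr/lib/libx.so": CLEAN_LIB},
    "bob": {"usr/bin/server": CLEAN_SERVER, "usr/lib/libx.so": CLEAN_LIB},
    "carol": {
        "usr/bin/server": CLEAN_SERVER + b" (altered by a fishy compiler)",
        "usr/lib/libx.so": CLEAN_LIB,
    },
}


def manifest(artifacts):
    """Map each artifact path to the SHA-256 hex digest of its bytes.

    This is the 'relevant bits of the output' a builder would share:
    digests only, never the binaries themselves."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in artifacts.items()}


def compare(manifests):
    """Compare manifests from several independent builders.

    Returns, per artifact path, whether all builders agree and, if not,
    which builders are outliers against a strict majority. With no strict
    majority (e.g. two builders that disagree) outliers is None: the
    mismatch is detected, but which side is compromised is not localized."""
    paths = set().union(*(m.keys() for m in manifests.values()))
    report = {}
    for path in sorted(paths):
        # A missing artifact is itself a difference, so keep None as a value.
        digests = {builder: m.get(path) for builder, m in manifests.items()}
        counts = Counter(digests.values())
        majority_digest, majority_n = counts.most_common(1)[0]
        agree = len(counts) == 1
        if agree:
            outliers = []
        elif majority_n > len(manifests) / 2:
            outliers = sorted(b for b, d in digests.items() if d != majority_digest)
        else:
            outliers = None
        report[path] = {"agree": agree, "outliers": outliers, "digests": digests}
    return report


def suspects(manifests):
    """Builders that are outliers on at least one artifact."""
    found = set()
    for entry in compare(manifests).values():
        found.update(entry["outliers"] or [])
    return sorted(found)


def demo_manifests(builders=("alice", "bob", "carol")):
    """Build manifests for the constructed sample, optionally a subset of builders."""
    return {b: manifest(SAMPLE_BUILDS[b]) for b in builders}


if __name__ == "__main__":
    for path, entry in compare(demo_manifests()).items():
        status = "ok" if entry["agree"] else f"MISMATCH outliers={entry['outliers']}"
        print(f"{path}: {status}")
    print("suspect builders:", suspects(demo_manifests()))
```

Note that the three-way case only names a suspect; as the post says, working out what the compromised tool chain actually did to the binary is a separate step, which is where a tool like diffoscope comes in.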

@autism101 @actuallyautistic Some (also spectrum) people find emails extremely difficult to deal with properly and prefer getting a phone call... 🤷

Maybe better to discuss with the party involved and see what works for the both of you?

@fsfe why is only the audio of your "What is Free Software" videos translated, and not the visuals? That seems suboptimal. https://media.fsfe.org/w/p/9gYSyoEYggsqBExLWjRejL

@ska
Or, well, that the compromise will be exposed, I mean 😉
@reproducible_builds

@ska
Only if the reproducer uses the same compromised tool chain. The whole point of reproducible builds is that you can in fact use your own version of the tool chain and still get the same result.

Cc @reproducible_builds

@ska
Reproducible builds are what solves trusting trust. Handwritten binaries aren't; very few people have the skills required to validate those.
@dalias @daxtens @ariadne @dysfun

@ska
We have that, modulo the fact that to bootstrap, you first cross compile on a different platform.

Binaries are really just compiler output; writing and maintaining them by hand has no benefits and only downsides.

I mean, it's not the 1950s anymore.
@ariadne @dysfun @daxtens @dalias

@dancinyogi
With a spoon is gross!

@ska
So, I understand the need to say that everything is capitalism's fault, but I dunno, perhaps look at the language based on its merits? There's a lot to dislike but also a lot to like in rust, regardless of where it came from. 🙄
@ariadne @dysfun

@ska
Following that logic, since C was developed at AT&T, it must be complete shit.

I think you might be on to something here. /s
@ariadne @dysfun

@0x4d6165
You're required to build and test on unstable. You're not required to run unstable though. Chroots exist, and there are tools to help you manage those and build packages in them, such as sbuild and pbuilder.
@Ganneff

And installing that seems to have fixed the issue! 🥳