Hello and welcome to Sustain! Richard is in Portland at FOSSY, the Free and Open Source Software Yearly conference that is held by the Software Freedom Conservancy. In this episode, Richard invites guest Vagrant Cascadian to delve into the world of Reproducible Builds. Vagrant walks us through their role in the project, where the aim is to ensure identical results in software builds across various machines and times, enhancing software security and creating a seamless developer experience. Discover how this mission, supported by the Software Freedom Conservancy and a broad community, is changing the face of Linux distros such as Arch Linux and openSUSE, as well as F-Droid. They also explore the challenges of managing random elements in software, and Vagrant’s vision to make reproducible builds a standard best practice that will ideally become automatic for users. Vagrant shares their work in progress and their commitment to the “last mile problem.” Hit download now to hear more!
[00:00:47] Vagrant talks about their work at Reproducible Builds and details their responsibilities, including removing timestamps from Debian packages to enable reproducibility and maintaining infrastructure on ARM-based machines.
[00:02:25] Why do reproducible builds matter? Well, they allow verification that the source code matches the binary code that runs on a computer, enhancing security and preventing potential exploits. Also, they are important in scientific principles and for developers during code refactoring.
[00:03:41] The Reproducible Project is made up of a few developers under the Software Freedom Conservancy, but also includes a large community working on different projects. The project receives funding from various grants and sometimes corporate sponsors.
[00:05:56] We hear about the challenge of managing random elements in software to achieve reproducible builds. Vagrant talks about their goal to make reproducible builds a standard best practice in the industry, benefitting software users.
[00:08:27] Vagrant shares their challenge in educating people about reproducible builds while also trying to make it a standard practice.
[00:09:09] How can open source projects help? They can help by setting up reproducibility testing in their continuous integration frameworks.
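The kind of CI check mentioned at [00:09:09], as an added example that is not from the episode or the Reproducible Builds project: a POSIX shell script that builds a toy source tree twice and compares the artifact digests, first with a build step that embeds the wall clock and the absolute build path (the timestamp problem from [00:00:47]), then with SOURCE_DATE_EPOCH, a normalized path and sorted file order. It assumes mktemp, find and one of sha256sum, shasum or cksum are available; the toy build step is constructed for the example.

```shell
#!/bin/sh
# Added example: a minimal "build it twice and compare" reproducibility check.

# Hash an artifact with whatever digest tool is available.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1
    fi
}

# Toy build step (constructed): packs a source tree into one artifact file.
# mode=naive embeds the wall clock and the absolute build directory, and emits
# files in filesystem order. mode=repro embeds SOURCE_DATE_EPOCH and a
# normalized path, and emits files in sorted order.
build_artifact() {
    srcdir="$1"; out="$2"; mode="$3"
    if [ "$mode" = naive ]; then
        stamp=$(date +%s); where="$srcdir"; files=$(find "$srcdir" -type f)
    else
        stamp="${SOURCE_DATE_EPOCH:?SOURCE_DATE_EPOCH must be set}"; where=/build
        files=$(find "$srcdir" -type f | sort)
    fi
    {
        printf 'built-at=%s\nbuilt-in=%s\n' "$stamp" "$where"
        for f in $files; do printf '### %s\n' "${f#$srcdir/}"; cat "$f"; done
    } > "$out"
}

# Build the same sources twice in fresh temp directories, print both digests,
# and return 0 only if the artifacts are bit-for-bit identical.
check_reproducible() {
    mode="$1"; h1=""; h2=""
    for i in 1 2; do
        d=$(mktemp -d)
        printf 'int main(void) { return 0; }\n' > "$d/main.c"
        printf 'all: main\n' > "$d/Makefile"
        build_artifact "$d" "$d/pkg.out" "$mode"
        h=$(digest "$d/pkg.out")
        if [ "$i" = 1 ]; then h1="$h"; else h2="$h"; fi
        rm -rf "$d"
    done
    printf '%s build: %s %s\n' "$mode" "$h1" "$h2"
    [ "$h1" = "$h2" ]
}

export SOURCE_DATE_EPOCH=1700000000
check_reproducible naive || echo "naive build is NOT reproducible"
check_reproducible repro && echo "SOURCE_DATE_EPOCH build is reproducible"
```

In a real pipeline the second build would run on a different machine or against the published binary, and any mismatch is the signal to inspect the artifacts (for example with diffoscope) rather than ship.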
[00:10:24] Richard asks how large companies can benefit from and contribute to reproducible builds. Vagrant mentions how companies like Google find value in reproducible builds as it saves time, energy, and money by not having to rebuild things when they know they don’t have to.
[00:11:56] Vagrant mentions that they’re in the proof of concept phase of making Debian 96% reproducible, which includes over 30,000 source packages and over 50,000 binary packages. Richard asks about the project’s expected completion date, to which Vagrant responds that it’s a last mile problem to some degree, but they’re close.
[00:12:51] Find out where you can find Vagrant and Reproducible Builds on the internet.
- SustainOSS Twitter
- SustainOSS Discourse
- SustainOSS Mastodon
- Richard Littauer Twitter
- Software Freedom Conservancy
- Open OSS
- Vagrant Cascadian Mastodon
- Aikidev, LLC
- Reproducible Builds
- Produced by Richard Littauer
- Edited by Paul M. Bahr at Peachtree Sound
- Show notes by DeAnn Bahr Peachtree Sound