Episode 196: FOSSY 2023 with Vagrant Cascadian

Guest Vagrant Cascadian Panelist Richard Littauer Show Notes Hello
and welcome to Sustain! Richard is in Portland at FOSSY, the Free
and Open Source Software Yearly conference that is held by the
Software Freedom Conservancy. In this episode, Richard invites
guest Vagrant Cascadian to delve into the world of Reproducible
Builds. Vagrant walks us through his role in the project where the
aim is to ensure identical results in software builds across
various machines and times, enhancing software security and
creating a seamless developer experience. Discover how this
mission, supported by the Software Freedom Conservancy and a broad
community, is changing the face of Linux distros, Arch Linux,
openSUSE, and F-Droid. They also explore the challenges of managing
random elements in software, and Vagrant’s vision to make
reproducible builds a standard best practice that will ideally
become automatic for users. Vagrant shares his work in progress and
their commitment to the “last mile problem.” Hit download now to
hear more! [00:00:47] Vagrant talks about their work at
Reproducible Builds and details their responsibilities, including
removing timestamps from Debian packages to enable reproducibility
and maintaining infrastructure on ARM-based machines. [00:02:25]
Why do reproducible builds matter? Well, they allow verification
that the source code matches the binary code that runs on a
computer, enhancing security and preventing potential exploits.
Also, they are important in scientific principles and for
developers during code refactoring. [00:03:41] The Reproducible
Project is made up of a few developers under the Software Freedom
Conservancy, but also includes a large community working on
different projects. The project receives funding from various
grants and sometimes corporate sponsors. [00:05:56] We hear about
the challenge of managing random elements in software to achieve
reproducible builds. Vagrant talks about their goal to make
reproducible builds a standard best proactive in the industry,
benefitting software users. [00:08:27] Vagrant shares their
challenge in educating people about reproducible builds while also
trying to make it a standard practice. [00:09:09] How can open
source projects help? They can help by setting up reproducibility
testing in their continuous integration frameworks. [00:10:24]
Richard asks how large companies can benefit from and contribute to
reproducible builds. Vagrant mentions how companies like Google
find value in reproducible builds as it saves time, energy, and
money by not having to rebuild things when they know they don’t
have to. [00:11:56] Vagrant mentions that they’re in the proof of
concept phase of making Debian 96% reproducible, which includes
over 30,000 source packages and over 50,000 binary packages.
Richard asks about the project’s expected completion date, which
Vagrant responds it’s his last mile problem to some degree, but
they’re close. [00:12:51] Find out where you can find Vagrant and
Reproducible Builds on the internet. Links SustainOSS
(https://sustainoss.org/) SustainOSS Twitter
(https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
SustainOSS Discourse (https://discourse.sustainoss.org/)
podcast@sustainoss.org (mailto:podcast@sustainoss.org) SustainOSS
Mastodon (https://mastodon.social/tags/sustainoss) Richard Littauer
Twitter (https://twitter.com/richlitt?lang=en) Software Freedom
Conservancy (https://sfconservancy.org/) Open OSS
(https://openoss.sourceforge.net/) Vagrant Cascadian Mastodon
(https://floss.social/@vagrantc) Aikidev, LLC
(https://www.aikidev.net/about/story/) Reproducible Builds
(https://reproducible-builds.org/) Credits Produced by Richard
Littauer (https://www.burntfen.com/) Edited by Paul M. Bahr at
Peachtree Sound (https://www.peachtreesound.com/) Show notes by
DeAnn Bahr Peachtree Sound (https://www.peachtreesound.com/)
Special Guest: Vagrant Cascadian.