From YouTube: Securing Critical Projects (February 11, 2021)
A: Next presentation, so two weeks from today, somebody offered to give a demo on Tracy, if that's the right way to pronounce it, which is another syscall monitoring system, so that'll be up in a couple weeks. If you have any other demos you'd like to add, throw those up into the upcoming or next section.

C: Okay, so upcoming town hall February 22nd, it's one to two p.m. Eastern time; adjust to whatever your time zone is. Please register, there's a link right there, and it's only for an hour. It's basically just a quick summary of what everybody else is doing, so we can all have an idea of what's going on. So thank you very much.

A: All right, then, do you want to jump in, Chris?
D: Sure, but I guess the first thing I want to say is thank you very much for inviting me along, thanks for Derek's introduction. I recognize a few faces and even more names.

D: So if we talked elsewhere or on an email, hey. I guess a little brief introduction about me, if that's really helpful at all: so, Chris Lamb, I live in Cambridge, UK, and I've been in open source for, well, if you count university, like mucking around with it, maybe 15 years, but like professionally for 10 years. So I'm like a freelancer working with various companies, doing open source and, and/or definitely everything using open source frameworks and things like that. I've been the...

D: I was the Debian project leader from 2017 to 2019 and I'm currently on the board of the Open Source Initiative. So that's like, credentials are a thing, but like that's, that's kind of thing, but yeah. So I've, like, I've been in the open source space for a while, things like that, so, and, and, but then certainly much more on, say, like the community distribution kind of level. Things like that.

C: You can blame me, but others can chime in. Please do, in fact.

D: Oh, that's great, yeah. Anyway, enough about me, so reproducible builds. So this is my first, sorry, my pen here. This is my first appearance in your working group meeting and I'm guessing you need no introduction to sort of software supply chains and things like that, and how these are like extremely critical, and, you know, basically how the world works and things like that, and then all the repercussions from that.

D: So, you know, if your supply chain is vulnerable, then, you know, you are vulnerable, and things like that, in ways that are quite clinicians, so yeah. And in terms of reproducible builds specifically, I think, if you come away from this with like one takeaway for like reproducible builds, it's like a terrible name, but like a really good idea. So I didn't come up with this name, but like the idea of what gets hidden in the slightly confusing name, like no one, you know...

D: No one really cares about, like, is your build repeatable? Who cares? But like the problem that it solves is really big and like it's a really serious, really serious issue. We've had, over the past two or three years, I've been collecting various news articles about the various supply chain attacks that could have been prevented with reproducible builds or, you know, detected earlier. We can at least say that, and then we have one recently in December. Apparently there was lots of other news going on in December.

D: I don't know which, so this meant that the, the big one, the SolarWinds attack. Oh, I see some going on in the notes here. David wrote a really good post about SolarWinds on the LF blog, and that, and it's, you know, all around, it's in your glossy magazines that you get every Saturday as well, so yeah. So like the, the other problem we're trying to solve here in the supply chain, like, put it this way.

D: I always try to underline the seriousness of this, and you can go through like bits in the past, try and show how different these kinds of attacks are done and have like caused serious problems in the past. The other problem with reproducibility: most people may have a sort of compromised, people who are running stacks at the moment might have a compromised system already, and they just don't know it.

D: I mean, given the number of people on this call and like some of the organizations you're in, it wouldn't be too much of a stretch to think that you've been compromised already, you don't really know, and reproducible builds will be like one way of trying to work out whether that's actually happened, how to prevent it and how to get it out.
E: Hi, Dave Stewart, I'm at Intel. We actually had the, we've had a number of conversations about this, and one of the questions that I asked in a simple sort of way was, you know, understanding supply chain vulnerabilities.

E: It seems like, what is a reproducible build? I mean, let's, I mean, I'm looking for the sort of small kernel of truth that I could help people to understand, you know, the value of something like this, because there is work to get there, right. So the question is, right: if somebody has created a binary from a source project, right, and it doesn't match up with the sources that you build, then it's like, okay, we've got a problem. Somebody's, you know, somebody's adulterated the binary independent from the sources.

E: So that's a good check, but if somebody has adulterated the source, then reproducible builds just say, oh, we were able to reproduce the adulterated thing, right? So it's important to understand what this protects us from. It protects us from somebody, you know, pirating in a binary, right, that is, that is adulterated, but if you go and adulterate the source, so if your source supply chain is not, you know, well protected, you know, this reproducible builds won't help you, is it? Do I have that right, right?
D: So you're right, Dave, and like, and, and just to, perhaps we should go from the top down so everyone's definitely on the same page. So the reproducible builds, the, the idea basically is that we, so we, you can always view the source code for, like, malicious flaws.

D: You can submit it to external third-party validation checks that, the name of it, blank at the moment, sort of third-party audits. You can audit internally, you can, you can make sure that your, so your source code is passed between various organizations and past your, your build processes in a secure way, but most people actually end up ingesting pre-packaged or pre-compiled binaries into end-user systems.

D: But when you go to your phone, you know, you go on the Play Store or even the F-Droid store, and you just say install, and those, someone's already compiled or pre-packaged, or basically you're trusting them to have taken the source code and to take it to a binary, and the idea of reproducible builds is to be, and if you assume that that person is untrusted or you don't necessarily want to trust them.

D: So even if it's you that's compiling it, but you can't trust that those machines that you're using haven't been compromised without, without your knowledge, and you, you basically want to be able to trust that process that you go, giving away to the end, like being able to trust that process hasn't been compromised.

D: Yes, so, so Dave, you're quite right, like if you do, if you don't have trusted source code to begin with, you, you can't necessarily end up with a, with the binary at the end, so yeah. We do have this kind of, like, I forgot the word in philosophy, but it's where you have, you, you just stop at that point. You know, you just basically assume that the source code is trusted, which is obviously a complete nonsense, but it's just out of scope for evidence.
E: Yeah, no, no, that's good. I mean, when I first heard the concept I, I was scratching my head, because mostly I was thinking about upstream stuff, like, like securing the source code, and it's like, you know, not only just the source repositories, the build chains, you know, the deployment, you know, all of those other things, right, and then it's like, oh yeah, I mean, so this is a part of it. So I, I think I get it now, and it's, it's a hard thing just to get.

D: So actually, in the process of getting a build reproducible, you can often find security holes in the original source code, but due to the way that the reproducible builds, we do the testing and things like that, sometimes when it can display the differences between two builds, or if it shows that there isn't one when there should be, and things like that, and you can actually infer a security vulnerability in the beginning. So I've got a couple of CVEs simply from doing reproducibility testing, reproducible testing, and it's actually been like...

D: Oh well, I shouldn't be getting this result, and, long story short, this is because there's an actual security problem to begin with, things like that, so yeah, or I can, yeah, anyway, I'll just leave it at that and stop, stop waffling over here.
C: Yeah, so I, I think what I, I'm hoping most people from that, just brief description: you know, reproducible builds, you can reproduce the build repeatedly by different organizations and show the results are the same.

C: I guess the question for a lot of folks would be, how difficult is it for various projects, and, you know, I'll note that the Reproducible Builds has had great success in reproducing a lot of things individually, but those things aren't necessarily upstreamed in places like Debian yet, so it might be helpful to get an understanding of how hard, and, you know, what, what's hard, what's easy, because I realize how hard it is depends on the program, but what makes it easy? What makes it hard?

D: We actually try to split those things, and I think one, one difference you did make implicitly there is that the technical and the social changes as well. So, if a given project, whether to make it reproducible will often depend on what sort of software stack they're using to begin with. So if they are, if they're quite traditional C-based program, or, and quite small as well, I mean size is a big thing.

D: It'll be fairly easy to make the build reproducible in a technical way, and that's completely orthogonal to, say, trying to get those changes into the upstream repository, and if the upstream developers don't consider this a high priority, for whatever reason, whether that's mindshare, they, in extremely rare cases, they think it's a silly idea, but that's, ignoring those people, a lot of people just don't really see it or they can't test it locally on their own machines, so they're, they're unwilling to, to apply patches that they don't see any benefit to them immediately, even though they can see the conceptual benefit of, okay, reproducible builds are really nice for them.

D: And so yeah, but then often like the toolchains themselves that the program uses will often dramatically make it more or less difficult to make a build be reproducible. So I mean, make it up with the Rust having currently problems right now in the, in the Rust toolchain of trying to get it to generate reproducible builds. At the end, it's just a little bit of a problem, or .NET. If you're building some .NET applications on, on Linux, they, they contain some sort of randomness.
E: I was gonna comment about, some projects are trying to help the overall, you know, sort of upstream. I know Yocto Project was working on reproducible builds. I know not everybody uses that, you know, outside of the, you know, the embedded IoT space, but I know that that's been a big effort there.

D: Yes, the Yocto has been quite good, Yocto's particularly good, because one difficult thing is to make an entire sort of ecosystem reproducible, sort of in itself. So David is right to imply that the Reproducible Builds project has had a lot of successes in like individual projects, and then some proportion of those we've managed to get these changes incorporated into the upstream repository.

D: We do have some, or far fewer, success projects about entire, what would you call them? Sort of architectures, ecosystems. One in particular we can trumpet is the Tails operating system, the one that's, that's like, it's a USB-based operating system for privacy, things like that. So you can, you, and you, everything that you do under this thingy, it runs under Tor.

D: It's deliberately designed to not leak any information, so it, you know, it cuts out metadata, images and things like that. It's, I think, most famous because it was the one Snowden used to talk to Glenn Greenwald, and things like that. So it's got a bit of, got a bit of news written about it.

D: But yes, I worked with the Tails product and made their distribution reproducible, which means that, from their point of view, it means that they feel a bit more trust in their own build servers which are generating these images, whichever ones are running, and relying upon it, and it also means that they, as developers, become less of a sort of directed target, because they felt that they were, if they built these images on their own machines and they were being run by, you know, dissidents in wherever, then they felt that they could become subject to attack by, you know, even nation states, and things like that. So they have different motivations than people on this call might have, but like it's the same sort of thing where they didn't want to be, yeah, anyway.
F: Chris, is there a place where we can point projects to that want to make themselves become reproducible in some senses, and best practices they should follow?

D: There is the Reproducible Builds main website. There isn't a perfect page for that use case, and a lot of it is also, is it just in, in project-per-project feedback. So if you were just running a project, it's, they don't often know whether they are reproducible, and so it's not, it's, it.

D: You know, they could make some of the changes that are on this hypothetical page, but they wouldn't know whether they had any real impact, and things like that, and documentation is perhaps one of our, and documentation and mindshare is one of our weaker points as a project at the moment, always trying to address that and things like that. So, but that's, that's really useful information that you release from data.

F: Point, yeah, like, for instance, I'd like to see if we get Zephyr in the stage, I'd like to see if we can get Zephyr, for instance, as a project. I mean, it's a kernel, it's a kernel, okay, except for sensors, actuators, that type of thing. Oh right, okay, so very, very small. But I think that, you know, the project is pretty good about trying to do the best practices that they can find, and so I'd be sort of curious to see.

C: You know, no documentation in the world will beat actually trying, and second, get it in your CI pipeline, and that way you immediately know when there's a regression.

D: Yes, I would second that. In fact, just scrolling back to what I said about Tails, that was the way we ended up doing it, adding it to the, the Tails release and development and CI platform. So we caught regressions and also it could just be automatic. It didn't require any real extra brain cells and things like that as we were, as we were going along.

F: Yeah, no, Zephyr's got a CI and infrastructure and so forth, and just a lot of practices in that direction. It's just a question of where can I, other than the top-level website? I'm just wondering, where can I point, if there's other places, I should be able to, you know, come up with a checklist and then possibly contribute back into the, you know, contribute back into reproducible builds, you know, are you interested in, you know, things like that.
E: Yeah, Kate, thanks. Actually the question that raised is, in your CI infrastructure, are you saying, I mean, typically CI will, you know, pull in all the sources and create a binary. That's a simple, you know, oversimplified definition, but you're saying here something that will go out and check the binary that's been deployed against the sources, whereas I think typically you would just, I mean, I don't understand how this exactly, how you would integrate it into CI, because the CI purpose is to take the sources and create a binary.

C: You know, do it twice? Maybe I better add that to the notes right now: do it twice. And I, and I think it's remarkable how many little things get you. My experience has been, and, and please, I'd love to hear your, your much broader experience, Chris, the things I've gotten bit on, you know, I guess I'm gonna list as challenges, are timestamps.

C: I yank it in, I don't care what order, and so, and, and none of these are impossible. There's a spec for the SOURCE_DATE_EPOCH environment variable to deal with timestamps. You can force just any arbitrary sort to eliminate randomness, but it's just finding them all and fixing them all. That's a pain in the butt. Chris, what, what, what do you find to be the most common challenges?

D: Oh, here's, we're taking in directory file names from a directory which aren't sorted by, by convention, by, by the API, and things like that, and timestamps are a really big issue as well. So yeah. It's, that's, definitely, that's definitely the main problem, so that, yeah.
B: Who would be the best person to talk to when it comes to reproducible builds in package managers like PyPI, npm, etc.? I'm doing a lot of research in that area right now, so I would hate to reinvent the wheel, which I'm probably already doing in some cases. So is there any kind of person in that community that I could talk to, or?

D: In terms of package managers specifically, I don't think there's someone that I can think of off the top of my head that is sort of living in that particular area, and a lot of people in the Reproducible Builds project come from their own distribution. So I came to this via Debian, and there's a whole bunch of folks from, say, Arch Linux and SUSE in particular, and they often come with their own, you know, old history.

D: Universities will come with all their, their particular packaging archives, become their own, own things, so there isn't one doing a, you know, cross, cross-ecosystem package managers at this point. So a lot of this information is slightly siloed in between, in different operating systems and different sort of pipe, I, and things like that, including things that aren't just necessarily distributions, like F-Droid, so you have, that's probably the same kind of problem from your point of view, so yeah.

E: Well, but with Python, aren't you, maybe I'm mistaken, I'm just sort of thinking through this. If you're talking about the script itself that you, you want to compare, I mean, there's not really a build, right, or maybe.
D: And there's many types of packaging. I mean, as you just implied, then even JavaScript, no one's running unminified, uncompressed JavaScript, because it's just too big, and so even the process of taking the, you know, the 120 kilobytes of jQuery and turning it into the 17-kilobyte version, that is essentially a compilation process. It's not, from a C point of view.

D: It's not turning it into machine code, but it is turning it into something that's not the original source code, and if you're trusting someone else to do that minimization or compression, then you need to be able to trust the output of that, because otherwise you have no idea what you're distributing on your home page, which is, here, that could be a problem. So yeah, hey.

E: Hey, one more quick question, Chris, while I, I am thinking about it. So for Linux, I know the kernel is wanting to create some randomness between, you know, functions, right. This is, this is a way to, you know, try to discourage people from being able to know where the address of things are. Now, I think, I, I may be wrong, but I think this is like, has to do with, is that a load-time issue as opposed to a, a binary issue?

D: ASLR, you're right? Thank you very much, and that's, I'm, unless I'm completely getting it completely wrong, that's a load-time thing! So the binaries, if you have an ASLR binary, can be the same thing. You, you, it's interesting you chose the kernel example, because a lot of kernels touch on, they want to get signed binaries. So you have this sort of secure boot style arrangement where you have to think of that, and that involves cryptographic signatures, and you can't necessarily ship the private keys for your kernel to all of you.

D: You know, you can't exactly put that on your GitHub, because, you know, it's right here. So yeah, there's two slightly different but related problems to do with kernels and things like that, but in the one you're thinking in terms of runtime exploits, vulnerabilities, not having predictable memory jumps and things like that, and that's completely fine. That should be a completely run-time randomization and things like that. So yeah, thank you.
C: There is a related issue, but it's also easily solved. There's some stuff called prelinking, I'm not sure if you're familiar with this. Fedora uses it, and I think all the Red Hat ones do, where, after you load it, they will occasionally re-, um, re-randomize the locations of the layout, and this is basically an optimization.

C: Instead of trying to do it at runtime, they try to do it ahead of time a little bit, but this is not really a problem, because you, just before you do this first shifting around, check that the file that you downloaded was the one you expected.

D: Another very related problem, and perhaps to do with, with people, is profile-guided optimization. So that's an unresolved issue. So profile-guided optimization is that when you're doing the, you know, very highly simplified, when you're doing the compilation run, you also run the program at the same time, and you say, oh, these particular code parts are the most commonly used, so we'll rearrange the binary.

D: So when we actually run it on a modern architecture, it's very fast, and it makes it difficult to reproduce that exact compilation phase later, because the, the decisions made based on the profile guidance are essentially non-deterministic. It could depend on, you know, the CPU load of that server and things like that.

E: I think with PGO, though, that those, those sorts of things are stuff that you would typically put as part of, I mean, you do, right, I mean, usually, maybe I'm...

F: Yeah, there's also, I believe, you know, there's data files that are generated as the monitoring is going on for the guiding, and then should not that profile, yeah, from the profile, should not that information then be fed into a subsequent compilation, but should not that type of information be able to be logged to get the reproducibility?

D: Unfortunately, that's not typically the common way people are using it right now. People are just, you know, turning on the ego, slit and thingy, so yeah, you're absolutely right. If they persist the optimization output, then yes, you can combine the two again and get the same result later, in theory, right.

F: No, I'm thinking the compilers themselves. Again, turtles all the way down, making sure that we have the full reproducibility, like, you know, there's three stages to actually build the compiler, right. I'm just wondering, you know, have the, have the compilers itself, the toolchain itself, are all the elements of that considered reproducible at this point? Well, actually.
C: Yeah, I mean, this is an area where, unfortunately, I'm trying to figure out how to speak without starting to dump way too much on this. I haven't checked recent versions of GCC, but to my knowledge, GCC itself reproduces itself.

C: I, you know, I haven't checked the latest version of GCC, but certainly I, I have in the past been able to get GCC to reproduce itself. There are some nits with when you deal with C++. There's a seed parameter where it will, normally, you know, in certain cases the C++ compiler will do things randomly, but you can force it to not be random, so that, that's that. So I, I believe the answer is yes. I haven't checked more recent versions. You know, there's some nits involving dash dash C.

C: All right, so now there's a separate issue, which, and somebody mentioned turtles all the way down. You always worry about what the attacker is going to try next, you know. Clearly things like SolarWinds have shown that there's attacks possible on build systems, and reproducible builds helps with that, because if you give them the same source, same tools, you produce the same results, and if that doesn't happen, then you've got a subverted system.

C: There is an attack that is, as famous from Thompson's Reflections on Trusting Trust, and that's if the tools themselves have been subverted. So this is a whole nother layer. You know, first, is the source code bad? Okay, if the source code is okay, maybe the build is subverted. What if the tool? That's the main left, the build process is okay, but the tools are subverted.

C: That's the trusting trust attack. I actually wrote my PhD on this topic and there are countermeasures for that. The two best-known countermeasures are bootstrappable builds and diverse double-compiling. So the good news is, if you get down to that level, there are countermeasures.

C: There are bottom turtles, but right now I would argue, and this is somebody who did PhD work on DDC, right now that's not our primary problem. Our primary problem is that we can't reproduce the basic builds, and if somebody subverts any build, never mind the, I attack the compiler to attack another program to finally get it out, which is devastating, but a much harder attack to pull off.

I: I don't know if this has been brought up yet, but there's also the JCenter, like the JCenter shutdown issue. I don't know if this has been brought up earlier today, but you, you can have like the places where your dependencies are coming from just get shut down, and like, you know, then the build isn't comple-, just can't be repeated, reproduced either.
D: Yeah, I'm gonna, I'm gonna very softly put on the umbrella of we should be... Reproducible builds having a good idea, but a kind of rubbish name, and that's one of the problems that we don't necessarily put under our, our remit. If you're, if you know, if you just denial-of-service PyPI.org, then it's not, it's, that's a slightly different problem to what reproducible builds is doing. It's a huge problem and there was a big, and there's another one.

D: Yesterday about sort of typosquatting in node modules, was it yesterday? Where there's not a big one in the news, nobody, node and pip, both of them? Oh really, both, okay, yeah, and so these, yes, these are huge issues as well. Often we find that when people make their entire toolchain reproducible, as a sort of side effect of better sort of software hygiene, you get a bunch of extra things, I'm not going to say for free, and you've got the things that you get sort of slightly automatically.

D: So, for example, you stop pulling down things from random things on the internet, and therefore, because you need that to get reproducible building in my, my narrower sense, and it means you don't end up downloading something from the internet that you don't necessarily trust, and so that problem sort of fixes itself in a way, but just as a helpful side effect and things like that, and it can also, that has other, it has other side effects as well.

D: So, for example, you have a much better idea of what's in your software, which can be just for having a good software bill of materials, which a lot of people care about, and if you, if you, if you're just doing an audit of what software your build process is ingesting, you can also find, you know, you could be violating some legal agreement. You could be, you know, using some proprietary software or some sort of GPL compatibility issue as well.

D: So you get a whole bunch of stuff as a result of getting your build reproducible. That's not necessarily reproducibility-related, but it's all in this sort of software integrity, software supply chain area as well. So yeah, but you're right to raise all these, these other platform attacks and things like that. Thank you.
D: Yes, and in fact personally, I use, I use, almost use that almost every day when I'm upgrading various bits of software. I do some security releases, you know, I, I do some security updates of various bits of software, and so, well, I'll take upstream's patch, apply it to the piece of software and rebuild it.

D: So it's hopefully been, you know, plugs, and plug the security hole, and I'll do a diffoscope on the pre- and post-patch versions, and I check that the only changes I've made don't include any accidental changes and only include, you know, the change of the, the addition of the bounds check, whatever, whatever the problem, whatever the solution I'm trying to add to the piece of software. I just make sure, I, I'm just auditing myself on things like that, in terms of SolarWinds and things like that.

D: I've also used diffoscope to, to, when I've got a new firmware for, I think it was one of these old routers, you know, the plastic white routers, and they provided some new firmware. I was like, well, what's the difference between these two? I wasn't really serious, but then it was very useful to, to run it on this, just, you know, this .bin file, entirely binary file, and to try and work out.

D: It was really good at showing those differences, and I use that a lot when trying to do fairly fail-safe and trying to put more trust into regular upgrades where the source actually has changed. So.

C: That said, I mean, it obviously requires not just running a tool, but someone who has enough knowledge of what you're looking at, so I, I, well, I think that doing the comparison is valuable for important software.
C
D
I
So
just
some con, so I work for Gradle, on the Gradle build tool, and the Gradle build tool is used to build Gradle, as the Kotlin compiler is used to build Kotlin, right? Like, you know, turtles all the way down. We do some interesting things. So one of the primary focuses that Gradle actually has is on performance for people, the performance of your build, and one of the things that we do is we cache intermediate steps of your build.

I: We cache intermediate build steps, like the Java compiler's output, because you may have multiple subprojects in your much larger project, and so each one of those definable intermediate units, like the compiler run, the tests being executed, all those things can be cached as individual steps, and then, when we see those same exact inputs, right... So we hash all of your inputs.

I: We upload a key, which is the hash of all your inputs, to the value, which is the output, and then when we run, when we see the same scenario, the same input again, instead of rerunning the compiler we just download your artifacts from that build cache. And so I have talked to my co-workers about, okay, if we wanted to prevent the SolarWinds attack against the Gradle build, what would you need to do?

I: Two builds, both without the build cache, because if you were at any point to use the build cache, and you were to compare the one that the build cache built, where you used the build cache, and the one that you didn't, you might still get differences, because we intentionally ignore some things, like ordering, or we sort things when we do the cache entry, just to make it so that we get more cache hits, to basically make it more user-friendly, and so you get more performance if you're going to get pretty much the equivalent thing.

I: So it doesn't need to be perfect. It can be good enough, because that gives you enough performance, but that's not a good thing, necessarily, when you need these guaranteed reproducibility requirements.
D: But it's really interesting that, is that integrated itself, or is it ignoring the ordering and things like that?
I: Yeah, yeah, I think that some of that stuff is integrated, right? Like, one of the examples is, right, the order in which you pack a zip can change the cache, right? So if you don't pre-sort the elements that you shove into a zip file, you can get different hash results and stuff like that, so it's stuff like that.
C: Yeah, so, Chris Lamb, so I have a magic wand. I hand it off to you, and you're going to wave the wand and make things more reproducible. Just what would be necessary to make far more things reproducible in the field? You know, I mean, is it money? Is it "do X"? Is it, you know, some declaration on high that everyone agrees it must be done? I mean, what would need to change to get more of this?
D: And I think it's not necessarily mind share. I think anyone who hears about this problem and hears about the ramifications knows it's a problem, or it's just a... so I don't think, no, I wouldn't wave a publicity wand, and I wouldn't necessarily wade into particular technical ones, but I would basically have tools on all of the platforms.

D: All of, you know, so people could check whether their own software is reproducible, because I think, just from other large changes in software engineering, when the users themselves or the developers themselves have the ability to check something, or are basically empowered to do these various things, then they start to get checked. So as soon as you had fuzzing tools available for your desktop, and it wasn't just some weird thing that, you know, random things are doing...

D: Then people started to fuzz their own software. Once you've got sort of static analysis software on your own machine, you didn't, oh, you didn't offload that to some other company, as you might have done in the early '80s and things like that. So basically having these tools. So, yes, I would probably, you know, wave the magic wand so we'd have money, so everyone could have these tools on their own machines, things like that, but yes, having it in all the big CI systems.

D: So, you know, if GitLab and GitHub, et cetera, et cetera, all have these things to say "am I really useful or not, and why am I not doing things like that?" Just knowing yes or no would be probably the biggest single magic wand. I'm assuming this is a single-fire magic bomb, otherwise I'll just wave all day. You can... You can fire multiple times.
I: Looking for the priority order, I mean, because, yeah, yeah, yeah, in open source, though, you mean throwing money at, not just throwing money randomly at the problem, but like a financial... right, because I remember I had a couple of co-workers, when the Google blog was posted, and a couple of co-workers were talking about some Twitter conversations in French about that blog post, and some people who are open source maintainers were...

I: Basically saying, like, you know, the way this article reads is like Google expects that open source maintainers will invest their time to make their CI pipelines more secure, right, without putting any financial backing behind it, right? That's not a good way, and so if you want to incentivize, right, you kind of need to finance this thing that's not a core feature, but it's something that you consider valuable for your security, right? Your organ...

I: If your organization considers this to be something that is important for your security, you need to be willing to put money in front of that goal, and sometimes that's not even just a pull request, right, because the pull request may not necessarily have the knowledge of what the maintainers actually know about the build, and so, like that.

I: That pull request may take a lot of effort and resources on behalf of the maintainers to even get merged, and so I think that a financial incentive system, both on behalf of the people that are going to be fixing the thing to make it reproducible, but also the maintainers who are accepting this into their build, to be like, "we will financially incentivize you to not just have your build reproducible, but maintain it to be reproducible in the future," that makes reproducible builds a customer of that project.
C: Oh, oh, you mentioned about, you know, making it easier for developers to figure it out. One thing that I have mooted briefly, and I'd love to hear your thoughts about this, would be, you know, getting into the various packaging repositories, both system and language levels. So when I submit a new package to PyPI, I go ahead, I build it.

C: I, well, a whole lot of them do already, so, whether you like it or not. I think that I want to totally separate the "build it" from the "distribute". They don't even have to be on the same racks. I mean, you could run the build, the rebuild rechecker, on AWS and distribute on Google, because all you care about is: run a build and give me a cryptographic hash. That's all you need. It doesn't matter what else it does.
C: I can see if I can talk more about that, if I can get their approval to discuss that, but there's an effort inside of Google to try to get more of the Java ecosystem to do that, because there was, one of the... I think that one of the things that scared them was there's an article published a couple of years ago about a vulnerability. It was, if you Google "a confusing dependency", that's the term, a confusing dependency.
I: There was an issue with the Gradle build where you had two repositories, and somebody was able to publish something malicious in the right place, in the right order of the repositories that you resolve your components from, and as a result a malicious version of a library was pulled down instead of the one that they intended to pull down, and that freaked people out when it was discussed originally. So I can see if I can get more information about that.
C: No, no, not for reproducible builds. I think the closest is, I mean, the Reproducible Builds folks have managed to rebuild the vast majority of the Debian packages.
D: Well, this is one thing we aren't doing. This is another magic wand. It's sort of a bit of marketing and mind share, things like that. We're a fairly, pretty sort of low... we're all sort of volunteers, and things like that, and we aren't good at sort of making a splashy website, and we're not very good at trumpeting our work and things like that, and that's certainly one thing I'd love to do more of, because a lot of the time people are just thinking...

D: "We don't have this already," or they haven't heard of us, or they haven't, yeah, things like that.
C: Yeah, I think that's actually key. You were saying earlier you weren't sure how important that is, but actually I've now talked to several folks who basically said that SolarWinds was not, but it was never possible to detect it, and they've never heard of the tip of the best known countermeasure. Well, they've never heard of this countermeasure because no one's ever heard of it.
J: Right, I also think it shouldn't be understated how important the community effort and the impact would be if GitHub and GitLab were to signal this is important. Developers would take it a lot more seriously if there was some sort of tag on there that says "this build is not reproducible" or "this build is reproducible", and you get a fancy little badge or something, because then users will ask questions. You'll start seeing people talk about it in comments.
K: I have a potentially dumb question, and I'm just curious if anyone has any thoughts on it, which is, is there a way... it seems like the only sources of non-determinism during the build process are basically coming from the environment, the build environment, specifically time and randomness, which would be both, you know, coming from the kernel. It's probably not the right way to solve this problem, but has anybody tried fixing that build environment, like, say, having a container that will always return the same times when called in a certain sequence, and the same random numbers?
B: Yes, I also tried that, as I'm building the system for checking the PyPI packages, so what I'm working on right now is to try to reuse the CI pipeline for that, because most of the time, like, for example, you have Travis CI, and the ideal use case they found for a developer would be to publish the packages using CI. That's the easiest for verification.

B: Of course you can modify the package by including some malicious data using environment variables, which then go inside the compiled package, but you can independently run the CI pipeline and check that against what was being uploaded to PyPI, and that also gets you the same environment, because I found out, for example, it's not very easy if you want to reproduce something; sometimes you need to specify some compiler flags, or where the directories with the shared libraries are on the disk, etc.
C: I looked into this a little bit. On Unix-like, well, at least Linux systems, there's an environment variable called LD_PRELOAD that lets you intercept not just system calls but library calls, to do a lot of things, but I frankly am a little skeptical. It's not just...

C: For example, if you always return the same date-time value, a lot of build systems will be completely screwed, because they expect that something created later will have a later date, and they use the date-time stamps to figure out what should happen when. Another problem is that it's not just system call environment variables. A lot of builds nowadays happen in parallel. You know, if you've got 50,000 files to be compiled, you could do them...

C: Yeah, you've got hardware non-determinism, and it doesn't mean you can't have reproducible builds. The trivial solution is, for example, you do everything in parallel and then you sort the results, say by ASCII or Unicode code point numbers. It's not a big deal to overcome it within the build, but that means you're modifying the build script instead of trying to make this universal solution.
D: Yeah, Mike, certainly not a dumb question at all. Very early on in reproducible builds, some of the very first projects that were reproducible, Bitcoin and the Tor Browser, wanted to become reproducible because they didn't want to become targets for supply chain attacks, as obviously if you backdoor a fancy Bitcoin wallet you should become incredibly rich, so they actually had it in a rather sort of Heath Robinson contraption, where you had a VM.

D: But, you know, time was always, you know, fixed, the file system ordering was completely fixed, and things like that, and it just tried to remove as much of the outside environment as possible, and obviously, if you're doing all of your builds under a very fixed VM thing, it becomes not very developer-friendly, user-friendly, and things like that, but it will be reproducible-friendly. And so from that extreme you have, say, Debian on the other side, that tries to specify as few fixed points as possible, so your build is reproducible on as many possible real-world environments as possible, so whether you're building in sort of the New Zealand time zone versus a specific time, it doesn't make any difference, and things like that, whilst other distributions in the middle, I think SUSE, for example, say: "oh, we're always going to build in UTC."

D: If you don't build in UTC, then you can't guarantee you're going to repeat this build, things like that, and there's all manner of things in between, and things like that, so it sort of depends on what kind of your philosophy looks like. So yeah, and there's actually a project that goes, what's the even more extreme, it's called DetTrace, it's a university...

D: I think it's one of the Beijing technology universities, and this was basically a Docker-crazy thing that did all of this LD_PRELOAD thing. It basically faked a bunch of non-LD_PRELOAD-able syscalls as well, and it could actually resolve some of the parallelism problems as well that David touched on, but this is quite a specialist tool that you could never tell, you know, the entire open source ecosystem to...

D: All the rebuilds must be run under this crazy but cool little piece of software as well, yeah. So it's DetTrace and things like that. Well, it's not that, there's the kernel-probing DTrace thingy, and there's that, yeah, I'll fix it.
A: Yes, I've got to jump in here, we're a minute over. Thanks a lot for the awesome discussion, Chris, David. I think it's catching up with LinkedIn, all the notes here. Thanks for taking these as well, David. We were going to talk about the malware thing, but Jordan actually pinged in Slack saying he couldn't make it today anyway, so I think we handled that and all those questions in Slack, so check out that channel.

A: If you had any questions about that, and yeah, next week I'll confirm, but we do have a demo of Tracee scheduled, which kind of ties into some of the stuff with syscall monitoring, so if anybody's interested in that one, we'll confirm and send out another email as we get closer.
E: Hey, just, I kept trying to add myself to the attendees list and kept requesting access to the file, but I've never been able to edit it. So if someone could actually add me, or just add me to the attendees list, but add me to the ability to, you know, edit the file, that would be super cool. I'm the other steward besides Kate, yeah.