guix-commits

branch master updated: talks: Add slides for ‹Programming› conference.


From: Ludovic Courtès
Subject: branch master updated: talks: Add slides for ‹Programming› conference.
Date: Fri, 31 Mar 2023 09:03:09 -0400

This is an automated email from the git hooks/post-receive script.

civodul pushed a commit to branch master
in repository maintenance.

The following commit(s) were added to refs/heads/master by this push:
     new 346675d  talks: Add slides for ‹Programming› conference.
346675d is described below

commit 346675dba7bee96139ab2d72428cbc12b0624ae2
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Tue Mar 14 15:38:47 2023 +0100

    talks: Add slides for ‹Programming› conference.
    
    * talks/programming-2023: New directory.
---
 talks/programming-2023/.gitignore                  |   3 +
 ...rland_-_Luzerner_Landbank_Grosswangen_seals.jpg |   1 +
 talks/programming-2023/images/Guix-white.pdf       |   1 +
 ...in_argento_famiglia_Ciciarelli_de_Cicerello.jpg |   1 +
 talks/programming-2023/images/birthday-cake.jpg    |   1 +
 .../images/bootstrap-graph-reduced.dot             |   1 +
 talks/programming-2023/images/bootstrap-graph.dot  |   1 +
 talks/programming-2023/images/bootstrappable.pdf   |   1 +
 .../programming-2023/images/commit-graph-intro.dot |   1 +
 .../commit-graph-with-authorizations-bad.dot       |   1 +
 .../images/commit-graph-with-authorizations.dot    |   1 +
 talks/programming-2023/images/commit-graph.dot     |   1 +
 .../images/github-verification-statuses.png        |   1 +
 talks/programming-2023/images/inria-white-2019.pdf |   1 +
 .../images/nature-scientific-data-2022.png         | Bin 0 -> 129503 bytes
 .../programming-2023/images/programming-paper.pdf  |   1 +
 .../images/reflections-on-trusting-trust.png       |   1 +
 .../images/reproducible-builds.pdf                 |   1 +
 talks/programming-2023/images/tuf.png              |   1 +
 talks/programming-2023/images/waving-hand.svg      |   1 +
 talks/programming-2023/rules.ini                   |  25 +
 talks/programming-2023/talk.tex                    | 809 +++++++++++++++++++++
 22 files changed, 855 insertions(+)

diff --git a/talks/programming-2023/.gitignore 
b/talks/programming-2023/.gitignore
new file mode 100644
index 0000000..84bc4d3
--- /dev/null
+++ b/talks/programming-2023/.gitignore
@@ -0,0 +1,3 @@
+images/commit-*.pdf
+images/waving-hand.pdf
+images/bootstrap*.pdf
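Review bot: The last pattern, `images/bootstrap*.pdf`, is wider than the generated files it is meant to cover: it also matches `images/bootstrappable.pdf`, which this same commit adds as a tracked symlink. Git keeps tracking it, but a later plain `git add` of a replacement would be refused as ignored, and the pattern hides which PDFs are sources and which are build output. Narrowing it to `images/bootstrap-graph*.pdf` covers the two PDFs rendered from the `.dot` files and nothing else.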
diff --git 
a/talks/programming-2023/images/1951_Switzerland_-_Luzerner_Landbank_Grosswangen_seals.jpg
 
b/talks/programming-2023/images/1951_Switzerland_-_Luzerner_Landbank_Grosswangen_seals.jpg
new file mode 120000
index 0000000..55e982f
--- /dev/null
+++ 
b/talks/programming-2023/images/1951_Switzerland_-_Luzerner_Landbank_Grosswangen_seals.jpg
@@ -0,0 +1 @@
+../../fosdem-2023/security/images/1951_Switzerland_-_Luzerner_Landbank_Grosswangen_seals.jpg
\ No newline at end of file
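Review bot: This entry, like the other mode-120000 files in the commit, is a relative symlink into another talk's directory (`../../fosdem-2023/security/images/`, and elsewhere `../../fosdem-2020/containers/images/` and `../../jcad-2021/images/`), so the slides stop building as soon as one of those directories is moved or pruned, and `talks/programming-2023` cannot be copied out of the repository on its own. The log entry only says "New directory"; a line there or a short README naming the directories this talk borrows from would make the dependency visible.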
diff --git a/talks/programming-2023/images/Guix-white.pdf 
b/talks/programming-2023/images/Guix-white.pdf
new file mode 120000
index 0000000..a203556
--- /dev/null
+++ b/talks/programming-2023/images/Guix-white.pdf
@@ -0,0 +1 @@
+../../fosdem-2021/declaratively/images/Guix-white.pdf
\ No newline at end of file
diff --git 
a/talks/programming-2023/images/Sigillo_in_argento_famiglia_Ciciarelli_de_Cicerello.jpg
 
b/talks/programming-2023/images/Sigillo_in_argento_famiglia_Ciciarelli_de_Cicerello.jpg
new file mode 120000
index 0000000..64599bf
--- /dev/null
+++ 
b/talks/programming-2023/images/Sigillo_in_argento_famiglia_Ciciarelli_de_Cicerello.jpg
@@ -0,0 +1 @@
+../../fosdem-2023/security/images/Sigillo_in_argento_famiglia_Ciciarelli_de_Cicerello.jpg
\ No newline at end of file
diff --git a/talks/programming-2023/images/birthday-cake.jpg 
b/talks/programming-2023/images/birthday-cake.jpg
new file mode 120000
index 0000000..4695aa9
--- /dev/null
+++ b/talks/programming-2023/images/birthday-cake.jpg
@@ -0,0 +1 @@
+../../fosdem-2023/security/images/birthday-cake.jpg
\ No newline at end of file
diff --git a/talks/programming-2023/images/bootstrap-graph-reduced.dot 
b/talks/programming-2023/images/bootstrap-graph-reduced.dot
new file mode 120000
index 0000000..9094d95
--- /dev/null
+++ b/talks/programming-2023/images/bootstrap-graph-reduced.dot
@@ -0,0 +1 @@
+../../fosdem-2020/containers/images/bootstrap-graph-reduced.dot
\ No newline at end of file
diff --git a/talks/programming-2023/images/bootstrap-graph.dot 
b/talks/programming-2023/images/bootstrap-graph.dot
new file mode 120000
index 0000000..92236c8
--- /dev/null
+++ b/talks/programming-2023/images/bootstrap-graph.dot
@@ -0,0 +1 @@
+../../fosdem-2020/containers/images/bootstrap-graph.dot
\ No newline at end of file
diff --git a/talks/programming-2023/images/bootstrappable.pdf 
b/talks/programming-2023/images/bootstrappable.pdf
new file mode 120000
index 0000000..8275d9e
--- /dev/null
+++ b/talks/programming-2023/images/bootstrappable.pdf
@@ -0,0 +1 @@
+../../fosdem-2020/containers/images/bootstrappable.pdf
\ No newline at end of file
diff --git a/talks/programming-2023/images/commit-graph-intro.dot 
b/talks/programming-2023/images/commit-graph-intro.dot
new file mode 120000
index 0000000..cdbc26e
--- /dev/null
+++ b/talks/programming-2023/images/commit-graph-intro.dot
@@ -0,0 +1 @@
+../../fosdem-2023/security/images/commit-graph-intro.dot
\ No newline at end of file
diff --git 
a/talks/programming-2023/images/commit-graph-with-authorizations-bad.dot 
b/talks/programming-2023/images/commit-graph-with-authorizations-bad.dot
new file mode 120000
index 0000000..98ed7de
--- /dev/null
+++ b/talks/programming-2023/images/commit-graph-with-authorizations-bad.dot
@@ -0,0 +1 @@
+../../fosdem-2023/security/images/commit-graph-with-authorizations-bad.dot
\ No newline at end of file
diff --git a/talks/programming-2023/images/commit-graph-with-authorizations.dot 
b/talks/programming-2023/images/commit-graph-with-authorizations.dot
new file mode 120000
index 0000000..3fd3cae
--- /dev/null
+++ b/talks/programming-2023/images/commit-graph-with-authorizations.dot
@@ -0,0 +1 @@
+../../fosdem-2023/security/images/commit-graph-with-authorizations.dot
\ No newline at end of file
diff --git a/talks/programming-2023/images/commit-graph.dot 
b/talks/programming-2023/images/commit-graph.dot
new file mode 120000
index 0000000..5625e7b
--- /dev/null
+++ b/talks/programming-2023/images/commit-graph.dot
@@ -0,0 +1 @@
+../../fosdem-2023/security/images/commit-graph.dot
\ No newline at end of file
diff --git a/talks/programming-2023/images/github-verification-statuses.png 
b/talks/programming-2023/images/github-verification-statuses.png
new file mode 120000
index 0000000..b1a0888
--- /dev/null
+++ b/talks/programming-2023/images/github-verification-statuses.png
@@ -0,0 +1 @@
+../../fosdem-2023/security/images/github-verification-statuses.png
\ No newline at end of file
diff --git a/talks/programming-2023/images/inria-white-2019.pdf 
b/talks/programming-2023/images/inria-white-2019.pdf
new file mode 120000
index 0000000..856e9e8
--- /dev/null
+++ b/talks/programming-2023/images/inria-white-2019.pdf
@@ -0,0 +1 @@
+../../jcad-2021/images/inria-white-2019.pdf
\ No newline at end of file
diff --git a/talks/programming-2023/images/nature-scientific-data-2022.png 
b/talks/programming-2023/images/nature-scientific-data-2022.png
new file mode 100644
index 0000000..ddfa90e
Binary files /dev/null and 
b/talks/programming-2023/images/nature-scientific-data-2022.png differ
diff --git a/talks/programming-2023/images/programming-paper.pdf 
b/talks/programming-2023/images/programming-paper.pdf
new file mode 120000
index 0000000..91113ad
--- /dev/null
+++ b/talks/programming-2023/images/programming-paper.pdf
@@ -0,0 +1 @@
+../../fosdem-2023/security/images/programming-paper.pdf
\ No newline at end of file
diff --git a/talks/programming-2023/images/reflections-on-trusting-trust.png 
b/talks/programming-2023/images/reflections-on-trusting-trust.png
new file mode 120000
index 0000000..4bfd4f3
--- /dev/null
+++ b/talks/programming-2023/images/reflections-on-trusting-trust.png
@@ -0,0 +1 @@
+../../fosdem-2020/containers/images/reflections-on-trusting-trust.png
\ No newline at end of file
diff --git a/talks/programming-2023/images/reproducible-builds.pdf 
b/talks/programming-2023/images/reproducible-builds.pdf
new file mode 120000
index 0000000..ba00ffd
--- /dev/null
+++ b/talks/programming-2023/images/reproducible-builds.pdf
@@ -0,0 +1 @@
+../../fosdem-2020/containers/images/reproducible-builds.pdf
\ No newline at end of file
diff --git a/talks/programming-2023/images/tuf.png 
b/talks/programming-2023/images/tuf.png
new file mode 120000
index 0000000..43f5db6
--- /dev/null
+++ b/talks/programming-2023/images/tuf.png
@@ -0,0 +1 @@
+../../fosdem-2023/security/images/tuf.png
\ No newline at end of file
diff --git a/talks/programming-2023/images/waving-hand.svg 
b/talks/programming-2023/images/waving-hand.svg
new file mode 120000
index 0000000..ffc9be0
--- /dev/null
+++ b/talks/programming-2023/images/waving-hand.svg
@@ -0,0 +1 @@
+../../fosdem-2023/security/images/waving-hand.svg
\ No newline at end of file
diff --git a/talks/programming-2023/rules.ini b/talks/programming-2023/rules.ini
new file mode 100644
index 0000000..2571a18
--- /dev/null
+++ b/talks/programming-2023/rules.ini
@@ -0,0 +1,25 @@
+;; Rules for Rubber.
+
+[dot-pdf]
+target = (.*)\.pdf
+source = \1.dot
+rule = shell
+cost = 0
+command = dot -Tpdf -Gratio=.45 -o $target $source
+message = rendering $source into $target
+
+[fdp-pdf]
+target = (.*)\.pdf
+source = \1.fdp
+rule = shell
+cost = 0
+command = fdp -Tpdf -Gratio=.78 -o $target $source
+message = rendering $source into $target (FDP)
+
+[svg-pdf]
+target = (.*)\.pdf
+source = \1.svg
+rule = shell
+cost = 1
+command = inkscape --export-pdf=$target $source
+message = converting $source to $target
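Review bot: The `[svg-pdf]` rule runs `inkscape --export-pdf=$target $source`, and `--export-pdf` was replaced by `--export-filename` in Inkscape 1.0, so with a current Inkscape this rule does not produce `images/waving-hand.pdf`. Suggest `command = inkscape --export-filename=$target $source`, or a comment stating which Inkscape version the rule expects. The `[dot-pdf]` and `[fdp-pdf]` rules also share the same target pattern and the same `cost = 0`; that is fine while only one of `\1.dot` and `\1.fdp` exists for a given name, which is worth a one-line comment at the top of the file.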
diff --git a/talks/programming-2023/talk.tex b/talks/programming-2023/talk.tex
new file mode 100644
index 0000000..e1421ea
--- /dev/null
+++ b/talks/programming-2023/talk.tex
@@ -0,0 +1,809 @@
+% The comment below tells Rubber to compile the .dot files.
+%
+% rubber: module graphics
+% rubber: rules rules.ini
+
+% Make sure URLs are broken on hyphens.
+% See <https://tex.stackexchange.com/questions/3033/forcing-linebreaks-in-url>.
+\RequirePackage[hyphens]{url}
+
+\documentclass[aspectratio=169]{beamer}
+
+\usetheme{default}
+
+\usefonttheme{structurebold}
+
+% Nice sans-serif font.
+\usepackage[sfdefault,lining]{FiraSans} %% option 'sfdefault' activates Fira 
Sans as the default text font
+\renewcommand*\oldstylenums[1]{{\firaoldstyle #1}}
+
+% Nice monospace font.
+\usepackage{inconsolata}
+
+\usepackage[utf8]{inputenc}
+\PassOptionsToPackage{hyphens}{url}\usepackage{hyperref,xspace,multicol}
+
+\usepackage[absolute,overlay]{textpos}
+\usepackage{tikz}
+\usetikzlibrary{arrows,shapes,trees,shadows,positioning,backgrounds}
+\usepackage{fancyvrb}           % for '\Verb'
+\usepackage{xifthen}            % for '\isempty'
+
+% Remember the position of every picture.
+\tikzstyle{every picture}+=[remember picture]
+
+\tikzset{onslide/.code args={<#1>#2}{%
+  \only<#1>{\pgfkeysalso{#2}} % \pgfkeysalso doesn't change the path
+}}
+
+% Colors.
+\definecolor{guixred1}{RGB}{226,0,38}  % red P
+\definecolor{guixorange1}{RGB}{243,154,38}  % guixorange P
+\definecolor{guixyellow}{RGB}{254,205,27}  % guixyellow P
+\definecolor{guixred2}{RGB}{230,68,57}  % red S
+\definecolor{guixred3}{RGB}{115,34,27}  % dark red
+\definecolor{guixorange2}{RGB}{236,117,40}  % guixorange S
+\definecolor{guixtaupe}{RGB}{134,113,127} % guixtaupe S
+\definecolor{guixgrey}{RGB}{91,94,111} % guixgrey S
+\definecolor{guixdarkgrey}{RGB}{46,47,55} % guixdarkgrey S
+\definecolor{guixblue1}{RGB}{38,109,131} % guixblue S
+\definecolor{guixblue2}{RGB}{10,50,80} % guixblue S
+\definecolor{guixgreen1}{RGB}{133,146,66} % guixgreen S
+\definecolor{guixgreen2}{RGB}{157,193,7} % guixgreen S
+
+\setbeamerfont{title}{size=\huge}
+\setbeamerfont{frametitle}{size=\huge}
+\setbeamerfont{normal text}{size=\Large}
+
+% White-on-black color theme.
+\setbeamercolor{structure}{fg=guixorange1,bg=black}
+\setbeamercolor{title}{fg=white,bg=black}
+\setbeamercolor{date}{fg=guixorange1,bg=black}
+\setbeamercolor{frametitle}{fg=white,bg=black}
+\setbeamercolor{titlelike}{fg=white,bg=black}
+\setbeamercolor{normal text}{fg=white,bg=black}
+\setbeamercolor{alerted text}{fg=guixyellow,bg=black}
+\setbeamercolor{section in toc}{fg=white,bg=black}
+\setbeamercolor{section in toc shaded}{fg=white,bg=black}
+\setbeamercolor{subsection in toc}{fg=guixorange1,bg=black}
+\setbeamercolor{subsection in toc shaded}{fg=white,bg=black}
+\setbeamercolor{subsubsection in toc}{fg=guixorange1,bg=black}
+\setbeamercolor{subsubsection in toc shaded}{fg=white,bg=black}
+\setbeamercolor{frametitle in toc}{fg=white,bg=black}
+\setbeamercolor{local structure}{fg=guixorange1,bg=black}
+
+\newcommand{\highlight}[1]{\alert{\textbf{#1}}}
+
+\title{Building a Secure Software Supply Chain with GNU Guix}
+
+\author{Ludovic Courtès}
+\date{15 March 2023}
+
+\setbeamertemplate{navigation symbols}{} % remove the navigation bar
+
+
+\newcommand{\screenshot}[2][width=\paperwidth]{
+  \begin{frame}[plain]
+    \begin{tikzpicture}[remember picture, overlay]
+      \node [at=(current page.center), inner sep=0pt]
+        {\includegraphics[{#1}]{#2}};
+    \end{tikzpicture}
+  \end{frame}
+}
+
+
+\begin{document}
+
+\begin{frame}[plain, fragile]
+  \begin{tikzpicture}[overlay]
+    \node [at=(current page.center)] {
+      % 
https://fr.wikipedia.org/wiki/Sceau#/media/Fichier:Sigillo_in_argento_famiglia_Ciciarelli_de_Cicerello.jpg
+      
\includegraphics[width=1.2\textwidth]{images/Sigillo_in_argento_famiglia_Ciciarelli_de_Cicerello.jpg}
+    };
+    \node [at=(current page.center), fill=black, opacity=.4,
+      text width=1.3\textwidth, text height=\textheight] {
+    };
+    \node [at=(current page.south east), anchor=south east, inner sep=5mm] {
+      {\includegraphics[width=0.2\paperwidth]{images/inria-white-2019}}
+    };
+  \end{tikzpicture}
+
+  \vspace{17mm}
+  \Huge{\textbf{Building a Secure\\
+      Software Supply Chain\\
+      with GNU Guix}}
+  \\[15mm]
+  \large{Ludovic Courtès}
+  \\[2mm]
+  \alert{\textbf{$\langle$Programming$\rangle$}, \oldstylenums{15 March 2023}}
+  \vfill{}
+
+\end{frame}
+
+
+\setbeamercolor{normal text}{bg=black}
+\begin{frame}[plain, fragile]
+  \begin{tikzpicture}[overlay]
+    \node [at=(current page.center), inner sep=0mm, rotate=-1] {
+      \includegraphics[width=1.02\paperwidth, trim=0 0 0 
30mm]{images/birthday-cake}
+    };
+    \node [at=(current page.center), fill=black, opacity=.6,
+      text width=1.3\textwidth, text height=\textheight] {
+    };
+
+    \node [at=(current page.south), anchor=south, text=white, inner sep=15pt]
+      {\Large{\url{https://guix.gnu.org}}};
+  \end{tikzpicture}
+
+  \Large{
+  \begin{itemize}
+    \item Guix started in \textbf{2012}
+    \item tools for \textbf{reproducible software deployment}
+    \item runs standalone (Guix System) or atop a \textbf{GNU/Linux} distro
+    \item \highlight{$\approx$22,000 packages}, all free software
+    \item \highlight{$\approx$100 monthly contributors}
+  \end{itemize}
+  }
+\end{frame}
+\setbeamercolor{normal text}{fg=white,bg=black}
+
+\begin{frame}[fragile]
+  \begin{semiverbatim}
+    \LARGE{
+guix \alert{install} ocaml coq emacs
+
+guix \alert{install} rust vim
+
+guix package \alert{--roll-back}
+}
+  \end{semiverbatim}
+\end{frame}
+
+\begin{frame}[fragile]
+  \begin{semiverbatim}
+    \LARGE{
+guix shell \alert{--manifest}=manifest.scm --container
+}
+
+    \Large{
+   (\alert{specifications->manifest}
+     '("coreutils" "grep" "sed"
+       "ocaml" "guile" "guile-ocaml"))
+}
+  \end{semiverbatim}
+\end{frame}
+
+
+\setbeamercolor{normal text}{bg=guixdarkgrey}
+\begin{frame}[fragile]
+  \begin{semiverbatim}
+    \Large{
+bob@laptop$ guix shell \alert{--manifest}=manifest.scm
+bob@laptop$ guix \alert{describe}
+  guix cabba9e
+    repository URL: https://git.sv.gnu.org/git/guix.git
+    commit: cabba9e15900d20927c1f69c6c87d7d2a62040fe
+
+\pause
+
+
+alice@supercomp$ guix \alert{pull} --commit=cabba9e
+alice@supercomp$ guix shell \alert{--manifest}=manifest.scm
+}
+  \end{semiverbatim}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=white}
+\begin{frame}[fragile, plain]
+  \begin{tikzpicture}[overlay]
+    \node [at=(current page.center)] {
+      
\includegraphics[width=0.8\paperwidth]{images/nature-scientific-data-2022}
+    };
+
+    \node [at=(current page.south), anchor=south, text=guixdarkgrey,
+           fill=white, opacity=.8, text opacity=1, inner sep=2mm] {
+      Nature Scientific Data, Oct. 2022,
+      \url{https://doi.org/10.1038/s41597-022-01720-9}
+    };
+  \end{tikzpicture}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=guixdarkgrey}
+\begin{frame}[plain, fragile]
+  \vspace{5mm}
+  \begin{semiverbatim}
+    \large{
+(\alert{define-public} hello
+  (\alert{package}
+    (name "hello")
+    (version "2.12.1")
+    (source (\alert{origin}
+              (method url-fetch)
+              (uri (string-append "mirror://gnu/hello/hello-"
+                                  version ".tar.gz"))
+              (sha256 (base32 "0wqd\textrm{...}dz6"))))
+    (build-system gnu-build-system)
+    (inputs (list gnu-gettext))
+    (synopsis "Greetings, Programming!")
+    (description "That's what a Guix package looks like.")
+    (home-page "https://gnu.org/s/hello";)
+    (license license:gpl3+)))
+}
+  \end{semiverbatim}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=black}
+\begin{frame}[fragile, plain]
+  %% \frametitle{Bit-Reproducible Builds$^*$}
+  %% \framesubtitle{$^*$ almost!}
+
+  \begin{semiverbatim}
+\Large{
+\$ guix build hello
+\uncover<2->{/gnu/store/\tikz[baseline]{\node[anchor=base](nixhash){\alert<2>{h2g4sf72\textrm{...}}};}-hello-2.12.1}
+
+\uncover<3->{\$ \alert<3>{guix gc -{-}references 
/gnu/store/\textrm{...}-hello-2.12.1}
+/gnu/store/\textrm{...}-glibc-2.33
+/gnu/store/\textrm{...}-gcc-10.3.0-lib
+/gnu/store/\textrm{...}-hello-2.12.1
+}}
+  \end{semiverbatim}
+
+  \begin{tikzpicture}[overlay]
+    \node<1>(labelnixhash) [fill=white, text=black, inner sep=0.5cm,
+       rounded corners] at (current page.center) {%
+      \Large{\textbf{isolated build}: chroot, separate name spaces, etc.}
+    };
+
+    \node<2>(labelnixhash) [fill=white, text=black] at (4cm, 2cm) {%
+      hash of \textbf{all} the dependencies};
+    \path[->]<2>(labelnixhash.north) edge [bend left, in=180, out=-45] 
(nixhash.south);
+
+    \draw<4-> (-10pt, 105pt) [very thick, color=guixorange2, rounded 
corners=8pt]
+      arc (10:-50:-50pt and 110pt);
+    \node<4>[fill=white, text=black, text opacity=1, opacity=.7,
+          rounded corners=2mm, inner sep=5mm]
+      at (7, 2) {\textbf{\Large{(nearly) bit-identical for everyone}}};
+
+    \node<5> [at=(current page.center), fill=white, rounded corners=2mm,
+              inner sep=7mm, opacity=.7, text opacity=1] {
+      \includegraphics[width=.5\paperwidth]{images/reproducible-builds}
+    };
+    \node<5> [at=(current page.south), anchor=south, text opacity=.7] {
+      \url{https://reproducible-builds.org}
+    };
+  \end{tikzpicture}
+
+\end{frame}
+
+\setbeamercolor{normal text}{fg=black,bg=white}
+\begin{frame}[fragile]
+  \vspace{2.5cm}
+  \begin{tikzpicture}[remember picture, overlay]
+    \node [at=(current page.center), inner sep=0pt,
+    drop shadow={opacity=0.5}, draw, color=guixgrey, line width=1pt]
+    
{\includegraphics[height=0.9\paperheight]{images/reflections-on-trusting-trust}};
+  \end{tikzpicture}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=white}
+\begin{frame}[fragile, plain]
+  \begin{tikzpicture}[overlay]
+    \node [at=(current page.center)]{
+      \includegraphics[width=.6\paperwidth]{images/bootstrappable}
+    };
+    \node [at=(current page.south), anchor=south, text=black, text opacity=.7] 
{
+      \url{https://bootstrappable.org}
+    };
+    \node<1-> [at=(current page.north east), anchor=north east,
+               fill=white, text=guixdarkgrey, draw=guixblue1,
+               rounded corners=10pt, text width=8cm, fill=guixyellow,
+               inner sep=10pt, outer sep=3mm, opacity=.5, text opacity=1]
+      
{\href{https://archive.fosdem.org/2021/schedule/event/gnumes/}{\large{$\rightarrow$
+            ``\textbf{GNU Mes---The Full-Source Bootstrap}'' Jan 
Nieuwenhuizen, FOSDEM \oldstylenums{2021}}}};
+  \end{tikzpicture}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=guixdarkgrey}
+\begin{frame}[fragile]
+  \LARGE{
+  \begin{semiverbatim}
+$ \alert{guix pull}
+Updating channel 'guix' from Git repository...
+  \end{semiverbatim}
+  }
+\end{frame}
+
+\setbeamercolor{normal text}{bg=white}
+\begin{frame}[fragile]
+  \begin{tikzpicture}[overlay]
+    \node [at=(current page.center)] {
+      \includegraphics[width=\textwidth]{images/tuf}
+    };
+    \node [at=(current page.south), anchor=south, text=black, text opacity=.7] 
{
+      \url{https://theupdateframework.org}
+    };
+    \node<2-> [at=(current page.center), fill=black,
+      text=guixorange1, opacity=.6, text opacity=1.,
+      shape=circle, inner sep=10pt] {
+      \Huge{\textbf{?}}
+    };
+  \end{tikzpicture}
+\end{frame}
+
+\begin{frame}[plain, fragile, t]
+  \vspace{5mm}
+  \large{
+  \begin{tikzpicture}[box/.style = {
+                         rounded corners=2mm,
+                         fill=white, text=black, text width=4.8cm,
+                         inner sep=2mm
+                      },
+                      server/.style = {
+                         text centered, rounded corners=2mm,
+                         fill=guixorange1, text=black, text width=3.4cm,
+                         inner sep=3mm
+                      },
+                      note/.style = {
+                        rounded corners=4, text centered,
+                        fill=guixorange1, text width=5.5cm,
+                        inner sep=3mm, rotate=5, opacity=.75, text opacity=1,
+                        drop shadow={opacity=0.5}
+                      }]
+    \matrix[row sep=1.8cm, column sep=0.4cm] {
+%%       \node(source)[box]{\texttt{http://\textrm{...}/Python-3.9.6.tar.gz}};
+%%       & &
+%%       \\
+
+      \node(def)[box]{\texttt{(define python\\
+          ~~~(package \textrm{...}))}};
+      & & \node<2->(user)[server]{user};
+      \\
+      \node(build)[box]{\texttt{guix build python}
+         \texttt{/gnu/store/\textrm{...}-python-3.9.6}};
+      & & \node<3->(hydra)[server]{build~farm};
+      \\
+      & \node(savannah)[server, draw=guixblue2, thick]{\textbf{Git 
repository}}; &
+      \\
+    };
+
+%%     \path[->, very thick, draw=guixblue2]
+%%       (source) edge node[left]{download} node[right, text=guixblue2]{hash} 
(def);
+    \path[->, very thick, draw=guixblue2]
+      (def) edge node[left, text=guixblue2]{test} (build);
+    \path[->, very thick, draw=guixblue2]
+      (build) edge[->, in=110, out=-70] node[above, sloped, 
text=guixblue2]{\texttt{git push}}
+      (savannah);
+    \path<3->[<-, very thick, dashed, draw=guixblue2, text=guixblue2]
+      (user) edge node[right, text=guixblue2]{get binaries} (hydra);
+
+    \path<3->[<-, very thick, draw=guixblue2]
+      (hydra) edge[out=-90, in=0] node(farmpull)[right, text=guixblue2]{pull} 
(savannah.east);
+    \path<2->[<-, very thick, draw=guixblue2]
+      (user.south west) edge[in=80, out=200] node(userpull)[above, sloped, 
text=guixblue2]{\texttt{guix pull}}
+      (savannah);
+
+    \node<4> [at=(farmpull.center), shape=circle, inner sep=10mm,
+      fill=guixred2, opacity=0.3,
+      draw=guixred3, very thick] {};
+    \node<4> [at=(userpull.center), shape=circle, inner sep=10mm,
+      fill=guixred2, opacity=0.3,
+      draw=guixred3, very thick] {};
+
+    %% \node[note, rotate=3] at (2,1) {\Large{no ``maintainer uploads''}};
+    %% \node[note, rotate=-10] at (-2,-1) {\Large{no single point of trust}};
+  \end{tikzpicture}
+  }
+\end{frame}
+
+%% \definecolor{pieceofcakebg}{RGB}{230,223,179} %{90,87,70}
+%% \setbeamercolor{normal text}{bg=pieceofcakebg}
+%% \screenshot[width=0.8\textwidth]{images/piece-of-cake}
+
+\setbeamercolor{normal text}{bg=white}
+\begin{frame}[fragile, plain]
+  \begin{tikzpicture}[overlay]
+    \node [at=(current page.center)] {
+      
\includegraphics[width=1.12\textwidth]{images/github-verification-statuses}
+    };
+    \node [at=(current page.south), anchor=south, text=black,
+      opacity=.7, inner sep=5mm] {
+      
\url{https://docs.github.com/en/authentication/managing-commit-signature-verification}
+    };
+  \end{tikzpicture}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=guixred3}
+\begin{frame}[fragile, plain]
+  \begin{tikzpicture}[overlay]
+    \node [at=(current page.center)] {
+      % 
https://commons.wikimedia.org/wiki/File:1951_Switzerland_-_Luzerner_Landbank_Grosswangen_seals.jpg?uselang=fr
+      
\includegraphics[width=1.25\textwidth]{images/1951_Switzerland_-_Luzerner_Landbank_Grosswangen_seals}
+    };
+    \node [at=(current page.center), fill=black, opacity=.3,
+      text width=1.3\textwidth, text height=\textheight] {
+    };
+  \end{tikzpicture}
+
+  \huge{
+    \begin{quotation}
+      \begin{flushright}
+      \textbf{authenticate}: \textit{establish the authenticity~of~something}
+      \\[4mm]
+      \textbf{authenticity}: \textit{undisputed credibility}
+      \end{flushright}
+    \end{quotation}
+  }
+  \hfill{\large{--- WordNet}}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=guixblue1}
+\begin{frame}[fragile]
+  \LARGE{
+  \begin{itemize}
+  \item assume \textbf{attacker might gain access to the repo}
+  \item protect against \textbf{malicious changes}
+  \item ... including \textbf{downgrade attacks}
+  \item<2-> support \textbf{off-line authentication}
+  \item<2-> support \textbf{changing authorizations}
+  \end{itemize}
+  }
+\end{frame}
+
+\setbeamercolor{normal text}{bg=white}
+\begin{frame}[fragile, plain]
+  \begin{tikzpicture}[overlay]
+    \node [at=(current page.center)]{
+      \includegraphics[height=\paperheight]{images/commit-graph}
+    };
+  \end{tikzpicture}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=guixdarkgrey}
+\begin{frame}[fragile, plain]
+  \begin{textblock}{12}(1,2)
+    \begin{semiverbatim}
+\Large{
+(\tikz[baseline]{\node[anchor=base](file){\alert{authorizations}};}
+  (version 0)
+
+  ;; Authorized committers OpenPGP fingerprints:
+  (("AD17 A21E F8AE D8F1 CC02  DBD9 F8AE D8F1 765C 61E3"
+    (name "alice"))
+   ("2A39 3FFF 68F4 EF7A 3D29  12AF 68F4 EF7A 22FB B2D5"
+    (name "bob"))
+   ("CABB A931 C0FF EEC6 900D  0CFB 090B 1199 3D9A EBB5"
+    (name "charlie"))))
+}
+    \end{semiverbatim}
+  \end{textblock}
+
+  \begin{tikzpicture}[overlay]
+    \node<1> (filelabel) [at=(current page.north east),
+      anchor=north east, inner sep=4mm, outer sep=4mm, fill=white, opacity=.8,
+      text=black, rounded corners=2mm] {
+      \Large{The \texttt{.guix-authorizations} file}
+    };
+    \path<1> [->, very thick, draw=white]
+      (filelabel) edge [out=180, in=30] (file);
+  \end{tikzpicture}
+\end{frame}
+
+\begin{frame}[fragile, plain]
+  \begin{tikzpicture}[overlay]
+    \node [at=(current page.center), text width=\textwidth, rounded
+      corners=2mm, draw=guixorange1, very thick, inner sep=5mm] {
+  \Huge{Commit is authentic \textit{if and only if} \textbf{signed by
+      one of the keys} in the \texttt{.guix-authorizations} file of each
+    parent commit. \par}
+    };
+    \node [at=(current page.south), anchor=south, inner sep=10mm, text 
opacity=.8] {
+      \Large{\textbf{the ``authorization invariant''}}
+    };
+  \end{tikzpicture}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=white}
+\begin{frame}[fragile, plain]
+  \begin{tikzpicture}[overlay]
+    \node [at=(current page.center)]{
+      
\includegraphics[height=\paperheight]{images/commit-graph-with-authorizations}
+    };
+  \end{tikzpicture}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=white}
+\begin{frame}[fragile, plain]
+  \begin{tikzpicture}[overlay]
+    \node [at=(current page.center)]{
+      
\includegraphics[height=\paperheight]{images/commit-graph-with-authorizations-bad}
+    };
+  \end{tikzpicture}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=guixtaupe}
+\begin{frame}[fragile, plain]
+  \begin{tikzpicture}[overlay]
+    \node [at=(current page.center)]{
+      % https://commons.wikimedia.org/wiki/File:383-waving-hand-1.svg
+      \includegraphics[width=0.6\textwidth]{images/waving-hand}
+    };
+    \node [at=(current page.center), fill=white, opacity=.4,
+      text width=1.3\textwidth, text height=\textheight] {
+    };
+    \node [at=(current page.center), text=black] {
+      \Huge{\textbf{introducing a repository}}
+    };
+  \end{tikzpicture}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=white}
+\begin{frame}[fragile, plain]
+  \begin{tikzpicture}[overlay]
+    \node [at=(current page.center)]{
+      \includegraphics[height=\paperheight]{images/commit-graph-intro}
+    };
+  \end{tikzpicture}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=guixdarkgrey}
+\begin{frame}[fragile, plain]
+  \hspace{1mm}
+  \begin{semiverbatim}
+    \Large{
+(\alert{channel}
+  (name 'my-channel)
+  (url "https://example.org/my-channel.git";)
+  (introduction
+   (\alert{make-channel-introduction}
+    "6f0d8cc0d88abb59c324b2990bfee2876016bb86"
+    (openpgp-fingerprint
+     "CABB A931 C0FF EEC6 900D  0CFB 090B 1199 3D9A EBB5"))))
+}
+  \end{semiverbatim}
+\end{frame}
+
+\begin{frame}[fragile, plain, t]
+  \vspace{20mm}
+  \Large{
+  \begin{semiverbatim}
+$ \alert<1>{guix pull} 
\only<2>{\alert{-{-}url=https://example.org/mirror.git}}\uncover<3>{\alert{-{-}url=https://example.org/evil.git}}
+Updating channel 'guix' from Git repository...
+\textbf<1>{Authenticating channel 'guix'}, 329 new commits...
+\only<2>{\highlight{warning:} using a mirror, which might be 
stale}\uncover<3->{\highlight{error:} commit c4bba93 not signed by an 
authorized key}
+  \end{semiverbatim}
+  }
+\end{frame}
+
+\begin{frame}[fragile, plain]
+  \begin{semiverbatim}
+\Large{
+$ \alert{guix git authenticate} \\
+    6f0d8cc0d88abb59c324b2990bfee2876016bb86 \\
+    "CABB A931 C0FF EEC6 900D  0CFB 090B 1199 3D9A EBB5"\uncover<2->{ \\
+    \alert{-{-}keyring}=\textit{my-keyring-branch}}
+}
+  \end{semiverbatim}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=guixred3}
+\begin{frame}[fragile]
+  \vfill{\Huge{\textbf{What about downgrade attacks?}}}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=guixdarkgrey}
+\begin{frame}[fragile]
+  \begin{semiverbatim}
+    \Large{
+$ guix \alert{describe}
+  guix cabba9e
+    repository URL: https://git.sv.gnu.org/git/guix.git
+    commit: cabba9e15900d20927c1f69c6c87d7d2a62040fe
+\pause
+$ guix \alert{pull}
+Updating channel 'guix' from Git repository...
+\highlight{error:} \textbf{commit c0ff33e is not a descendant of cabba9e}
+}
+  \end{semiverbatim}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=guixgrey}
+\begin{frame}[fragile, plain]
+  \begin{semiverbatim}
+    \Large{
+\$ guix system \alert{describe}
+  file name: /var/guix/profiles/system-126-link
+  label: GNU with Linux-Libre 5.4.15
+  bootloader: grub-efi
+  \alert{channels}:
+    guix:
+      repository URL: https://git.savannah.gnu.org/\textsf{\dots{}}
+      commit: 93f4511eb0c9b33f5083c2a04f4148e0a494059c
+  \alert{configuration file}: /gnu/store/\textsf{\dots{}}-configuration.scm
+\pause
+\$ guix system \alert{reconfigure} /etc/config.scm
+\highlight{error:} \textbf{commit c4bba93 is not a descendant of 93f451}
+    }
+  \end{semiverbatim}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=guixgreen2}
+\begin{frame}[plain]
+  \vfill{\Huge{\textbf{Wrap-up \& outlook.}}}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=guixblue2}
+\begin{frame}[plain]
+  \LARGE{
+  \begin{itemize}
+    \item \textbf{authenticated Git checkouts}\\ $\rightarrow$ safe Guix 
updates!
+    \item \textbf{in-band, off-line}: authentication + authorization data
+      is in Git
+    \item<2-> protection against \textbf{downgrade attacks}
+    \item<2-> deployed in Guix \textbf{since mid-2020}
+  \end{itemize}
+  }
+  \begin{tikzpicture}[overlay]
+    \node<1> at (9,1) [text width=50mm,
+      align=center, inner sep=5mm, rotate=10, rounded corners=2mm,
+           fill=guixorange1, text=white] {
+      \LARGE{\textbf{You can use it on your Git repo!}}
+    };
+  \end{tikzpicture}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=white}
+\begin{frame}[plain, fragile]
+  \begin{tikzpicture}[overlay]
+    \node [at=(current page.center), inner sep=0pt] {
+      \includegraphics[width=0.9\paperwidth, trim=0 400px 0 
0]{images/programming-paper}
+    };
+
+    \node [at=(current page.north), anchor=north, inner sep=10px, 
text=guixdarkgrey] {
+      \url{https://doi.org/10.22152/programming-journal.org/2023/7/1}
+    };
+  \end{tikzpicture}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=guixblue1}
+\begin{frame}[plain, fragile]
+  \LARGE{\textbf{Unified deployment toolbox vs. patchwork}}
+  \\[7mm]
+  \Large{
+  \begin{itemize}
+    \item \highlight{end-to-end integration} vs. ``artifact flow''
+    \item \highlight{verifiability} vs. attestation
+    \item \highlight{commit graph} vs. version strings
+%%     \item \highlight{commit IDs} vs. SBOMs as name/version pairs
+    \item ...
+  \end{itemize}
+  }
+\end{frame}
+
+\setbeamercolor{normal text}{bg=white}
+\begin{frame}[fragile, plain]
+  \begin{tikzpicture}[overlay]
+    \node [at=(current page.center), text=black, text
+      width=0.8\textwidth, align=flush left] {
+      \Huge{From source code\\ to deployed binaries:\\
+        \textbf{provenance tracking\\ \& verifiability are the key.} \par}
+    };
+  \end{tikzpicture}
+\end{frame}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\setbeamercolor{normal text}{bg=black}
+\begin{frame}[plain]
+
+\vfill{
+  \vspace{1.5cm}
+  \center{\includegraphics[width=0.3\textwidth]{images/Guix-white}}\\[1.0cm]
+  {\alert{\url{https://guix.gnu.org/}}}\hfill{
+    \texttt{ludo@gnu.org |} @civodul@toot.aquilenet.fr}
+}
+
+\end{frame}
+
+\setbeamercolor{normal text}{bg=guixred2}
+\begin{frame}
+  \Huge{\textbf{Bonus slides!}}
+\end{frame}
+
+\setbeamercolor{normal text}{bg=guixgrey}
+\begin{frame}[fragile]
+  \LARGE\textbf{Reproducible environments: 2 files, 2 commands}
+  \\[2cm]
+  \LARGE{
+  \begin{enumerate}
+  \item \texttt{guix describe -f channels > \highlight{channels.scm}}
+  \item{ \begin{semiverbatim}
+guix time-machine -C \highlight{channels.scm} -- \\
+     shell -m \highlight{manifest.scm}
+    \end{semiverbatim}}
+  \end{enumerate}
+  }
+\end{frame}
+
+\setbeamercolor{normal text}{bg=white}
+\begin{frame}[plain]
+  \begin{tikzpicture}[remember picture, overlay]
+    \node [at=(current page.center), inner sep=0pt]
+      {\includegraphics[height=.8\paperheight]{images/bootstrap-graph}};
+    \node<2-> [at=(current page.center), anchor=north, inner sep=20pt, 
text=guixgrey]
+      {\Large{\textbf{250 MiB of binary blobs}}};
+  \end{tikzpicture}
+\end{frame}
+\begin{frame}[plain]
+  \begin{tikzpicture}[remember picture, overlay]
+    \node [at=(current page.center), inner sep=0pt]
+      
{\includegraphics[height=.8\paperheight]{images/bootstrap-graph-reduced}};
+    \node<2-> [at=(current page.center), fill=guixorange1, rounded 
corners=10pt,
+               inner sep=10pt, opacity=.8, text opacity=1]
+      {\Large{\textbf{250 MiB $\rightarrow$ 130 MiB of binary blobs}}};
+    \node<2-> [at=(current page.south), anchor=south,
+               inner sep=2mm, outer sep=3mm, rounded corners,
+               fill=white, opacity=.7, text opacity=1, text=black]
+      
{\url{https://guix.gnu.org/blog/2019/guix-reduces-bootstrap-seed-by-50/}};
+  \end{tikzpicture}
+\end{frame}
+
+
+\setbeamercolor{normal text}{bg=black}
+\begin{frame}{}
+  \begin{textblock}{12}(2, 5)
+    \tiny{
+      Copyright \copyright{} 2012--2023 Ludovic Courtès 
\texttt{ludo@gnu.org}.\\[3.0mm]
+      GNU Guix logo by Luis Felipe, CC-BY-SA 4.0,
+      \url{https://guix.gnu.org/en/graphics/}. \\
+      Reproducible Builds logo under CC-BY 3.0,
+      
\url{https://uracreative.github.io/reproducible-builds-styleguide/visuals/}. \\
+      Bootstrappable Builds logo by Ricardo Wurmus,
+      \url{https://bootstrappable.org}.
+      \\[1.5mm]
+      Picture of silver seal by Cicerellus, CC-BY-SA 4.0,
+      
\url{https://commons.wikimedia.org/wiki/File:Sigillo_in_argento_famiglia_Ciciarelli_de_Cicerello.jpg}.
+      \\
+      Picture of Guix birthday cake by Christopher Baines, CC0,
+      \url{https://10years.guix.gnu.org/photos}.
+      \\
+      Picture of letter with wax seals by Arno-nl, CC-BY-SA 3.0,
+      
\url{https://commons.wikimedia.org/wiki/File:1951_Switzerland_-_Luzerner_Landbank_Grosswangen_seals.jpg}.
+      \\
+      Waving hand by webalys, CC-BY-SA 4.0,
+      \url{https://commons.wikimedia.org/wiki/File:383-waving-hand-1.svg}.
+      \\[1.5mm]
+      Copyright of other images included in this document is held by
+      their respective owners.
+      \\[3.0mm]
+      This work is licensed under the \alert{Creative Commons
+        Attribution-Share Alike 3.0} License.  To view a copy of this
+      license, visit
+      \url{https://creativecommons.org/licenses/by-sa/3.0/} or send a
+      letter to Creative Commons, 171 Second Street, Suite 300, San
+      Francisco, California, 94105, USA.
+      \\[2.0mm]
+      At your option, you may instead copy, distribute and/or modify
+      this document under the terms of the \alert{GNU Free Documentation
+        License, Version 1.3 or any later version} published by the Free
+      Software Foundation; with no Invariant Sections, no Front-Cover
+      Texts, and no Back-Cover Texts.  A copy of the license is
+      available at \url{https://www.gnu.org/licenses/gfdl.html}.
+      \\[2.0mm]
+      % Give a link to the 'Transparent Copy', as per Section 3 of the GFDL.
+      The source of this document is available from
+      \url{https://git.sv.gnu.org/cgit/guix/maintenance.git}.
+    }
+  \end{textblock}
+\end{frame}
+
+\end{document}
+
+% Local Variables:
+% coding: utf-8
+% comment-start: "%"
+% comment-end: ""
+% ispell-local-dictionary: "francais"
+% compile-command: "guix shell -m ../beamer-manifest.scm -- rubber --pdf 
talk.tex"
+% End:
+
+%%  LocalWords:  Reproducibility
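
Review bot: the Local Variables block at the end of the file sets ispell-local-dictionary to "francais", but the slide text added in this file is in English, so Emacs spell-checking will run against the wrong dictionary; set it to an English dictionary or drop that line. A smaller point on the "guix system reconfigure" slide: the error message abbreviates the deployed commit as 93f451 (six characters), while the other commit IDs in these error messages (cabba9e, c0ff33e, c4bba93) use seven; 93f4511 would match them and the full ID shown in the channels output just above it.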


