{"$schema": "https://c3voc.de/schedule/schema.json", "generator": {"name": "pretalx", "version": "2026.1.1"}, "schedule": {"url": "https://pretalx.com/packagingcon-2021/schedule/", "version": "1.11", "base_url": "https://pretalx.com", "conference": {"acronym": "packagingcon-2021", "title": "PackagingCon", "start": "2021-11-09", "end": "2021-11-10", "daysCount": 2, "timeslot_duration": "00:05", "time_zone_name": "UTC", "colors": {"primary": "#7716BA"}, "rooms": [{"name": "Plenaries", "slug": "993-plenaries", "guid": "7c5c52a9-704d-5bcf-9b56-f071113bb569", "description": null, "capacity": null}, {"name": "Room I", "slug": "970-room-i", "guid": "ff833d89-326c-5c66-9cfb-b31d93f75e52", "description": null, "capacity": null}, {"name": "Room 2", "slug": "989-room-2", "guid": "dc04a6dd-50d2-544b-9be7-924cdeafbeab", "description": null, "capacity": null}, {"name": "Room 3", "slug": "990-room-3", "guid": "22f17c67-4b0a-5404-8bb1-52a9f6ccf98e", "description": null, "capacity": null}, {"name": "Room 4", "slug": "994-room-4", "guid": "271b3bd3-f919-5bc0-bd27-ec7d498786ca", "description": null, "capacity": null}], "tracks": [{"name": "Supply Chain Security", "slug": "2623-supply-chain-security", "color": "#0020FF"}, {"name": "Registries", "slug": "2625-registries", "color": "#000000"}, {"name": "Metadata & Building things", "slug": "2626-metadata-building-things", "color": "#FF0000"}, {"name": "Solvers", "slug": "2624-solvers", "color": "#C23DB9"}, {"name": "ABI & Static Analysis", "slug": "2627-abi-static-analysis", "color": "#09C22D"}, {"name": "Deep Dives", "slug": "2628-deep-dives", "color": "#4611DF"}], "days": [{"index": 1, "date": "2021-11-09", "day_start": "2021-11-09T04:00:00+00:00", "day_end": "2021-11-10T03:59:00+00:00", "rooms": {"Plenaries": [{"guid": "5c252b22-0437-5948-a4b4-ac25a9ac5d09", "code": "HPHEMU", "id": 13642, "logo": "https://pretalx.com/media/packagingcon-2021/submissions/HPHEMU/hex_NfKAeIe.jpeg", "date": "2021-11-09T21:15:00+00:00", "start": "21:15", 
"duration": "00:02", "room": "Plenaries", "slug": "packagingcon-2021-13642-a-practical-and-modern-approach-to-python-packaging", "url": "https://pretalx.com/packagingcon-2021/talk/HPHEMU/", "title": "A practical and modern approach to Python packaging", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "Python packages are the fundamental units of shareable code in Python. Packages make it easy to organize, reuse, and maintain your code, as well as share it between projects, with your colleagues, and with the wider Python community. Despite their importance, Python packages can be difficult to understand and cumbersome to create for beginners and seasoned developers alike.\r\n\r\nFortunately, packaging tools exists to streamline the packaging process. This lightening talk discusses an accessible and practical approach to creating packages using modern and mature tools such as poetry, cookiecutter, pytest, sphinx, GitHub, and GitHub Actions!", "description": "Disclaimer: this talk is a 2-minute abridged version of our open-source book _Python Packages_ (https://py-pkgs.org).", "recording_license": "", "do_not_record": false, "persons": [{"code": "7RHAUW", "name": "Tomas Beuzen", "avatar": "https://pretalx.com/media/avatars/7RHAUW_HlqUtBn.webp", "biography": "Tomas Beuzen is a data scientist and educator based in Sydney, Australia. He has a background in coastal engineering and climate science and was a teaching fellow in the Master of Data Science program (Vancouver Option) at the University of British Columbia. 
Tomas currently works as a data scientist in the renewable energy sector and enjoys spending his free time developing open-source, educational data science material, and using data science to solve problems in the natural and engineered world.", "public_name": "Tomas Beuzen", "guid": "65682fa8-a356-5867-823f-27a271a47eca", "url": "https://pretalx.com/packagingcon-2021/speaker/7RHAUW/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/HPHEMU/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/HPHEMU/", "attachments": []}, {"guid": "bcf84b95-9f80-55f8-910c-ff17e730e818", "code": "S78FQA", "id": 12140, "logo": null, "date": "2021-11-09T21:20:00+00:00", "start": "21:20", "duration": "00:02", "room": "Plenaries", "slug": "packagingcon-2021-12140-alire-the-ada-package-manager", "url": "https://pretalx.com/packagingcon-2021/talk/S78FQA/", "title": "Alire, the Ada Package Manager", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "Ada is a venerable language with a long and proven trajectory mainly in embedded and critical systems. With a small but close-knit Open Source community, Ada has lacked a package manager until recently. Alire (Ada Library Repository, https://alire.ada.dev/) is a package manager for the language that supports the GNAT Ada compiler, available through the FSF as a GCC frontend.\r\n\r\nThis lightning talk aims to introduce Alire to the family of package managers and give a few highlights of its characteristics.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "MUWEMM", "name": "Alejandro R. Mosteo", "avatar": "https://pretalx.com/media/avatars/MUWEMM_dbhqI5f.webp", "biography": "Alejandro R. Mosteo is a professor at Centro Universitario de la Defensa, Zaragoza, Spain, since 2011. He received the Ph.D. in 2010 from the Universidad de Zaragoza, Spain. 
He has been a postgraduate researcher at Laboratoire d'Analyse et d'Architecture des Syst\u00e8mes (LAAS), Toulouse, France. He is a member of the Robotics, Perception, and Real\u2010Time group at Instituto de Investigaci\u00f3n en Ingenier\u00eda de Arag\u00f3n. He became a member of the steering committee of the Technical Committee on Multi\u2010Robot Systems of the IEEE Robotics and Automation Society in 2015. His Ada advocacy career dates back to 2006 with his affiliation to the Ada\u2010Spain society for the promotion of the Ada language. Recently, he has joined the editorial board of the quarterly Ada User Journal as News Editor in 2019. In 2020 he has been appointed coordinator of the Ada working group within the Spanish standardization body (UNE). His research pursuits include multi\u2010robot cooperation, decentralized algorithms, and autonomous air vehicles.", "public_name": "Alejandro R. Mosteo", "guid": "995cd0b7-bd87-50b5-ae3c-c934f491e852", "url": "https://pretalx.com/packagingcon-2021/speaker/MUWEMM/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/S78FQA/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/S78FQA/", "attachments": []}, {"guid": "c1414722-87ec-51b1-8ec4-569f0b3a3324", "code": "J9SYFM", "id": 12362, "logo": null, "date": "2021-11-09T21:25:00+00:00", "start": "21:25", "duration": "00:02", "room": "Plenaries", "slug": "packagingcon-2021-12362-bash-comprehensive-dependency-management", "url": "https://pretalx.com/packagingcon-2021/talk/J9SYFM/", "title": "Bash: Comprehensive Dependency Management", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "Bash is known for being a quirky language, mainly used to glue different programs together in small scripts. As a result of this perception (and partly due to a lack of language features), Bash has a weak library ecosystem. 
All things considered, this makes it difficult to find and integrate Bash code that is both robust and devoid of platform-specific hacks.\r\n\r\nI wish to solve this predicament by proposing a Bash package manager called [Basalt](https://github.com/hyperupcall/basalt). It standardizes and substantially simplifies the problem of code reuse across Bash projects. Basalt is defining what it means to create a \u201cBash library\u201d and a \u201cBash application\u201d; it is also enabling the emergence of cutting-edge Bash libraries, such as complete TOML parsers.", "description": "Basalt is a Bash package manager that makes it dead simple to download and reuse shell scripts and Bash libraries. It can resolve dependencies for a particular Bash project, or globally for a particular user. Its CLI and configuration interface is inspired by both Yarn and Cargo. Basalt is breaking the mold of what it means to create a Bash application. Not only is it enabling the emergence of TOML parsers written in pure Bash, but it is also making it straightforward to improve performance by making dynamically loadable custom builtins a first-class feature.\r\n\r\nIn this lightning talk, I quickly explain the problems of code reuse in Bash projects, and explain how Basalt solves various use cases. Then, I provide a birds-eye view on the internals of Basalt and wrap up the talk by mentioning what\u2019s next on the roadmap.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KMBCLW", "name": "Edwin Kofler", "avatar": "https://pretalx.com/media/avatars/KMBCLW_2Ox1r48.webp", "biography": "A college student with ambitions. 
Lately, I've been writing Bash and Go with the goals of improving tooling across linux distributions and languages.", "public_name": "Edwin Kofler", "guid": "9d6a1f25-826a-5323-a3c3-b0e951137a1d", "url": "https://pretalx.com/packagingcon-2021/speaker/KMBCLW/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/J9SYFM/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/J9SYFM/", "attachments": []}, {"guid": "799a5733-7d13-5959-92f1-996e7e5e7ed0", "code": "MTQARP", "id": 12122, "logo": null, "date": "2021-11-09T21:30:00+00:00", "start": "21:30", "duration": "00:02", "room": "Plenaries", "slug": "packagingcon-2021-12122-github-advisory-database-the-database-backing-dependabot", "url": "https://pretalx.com/packagingcon-2021/talk/MTQARP/", "title": "Github Advisory Database. The database backing dependabot", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "A brief intro to the data behind github's dependabot tool and how it may be useful to package maintainers.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "3W9LWP", "name": "Jon", "avatar": null, "biography": "Security analyst working at github on the advisory database", "public_name": "Jon", "guid": "32d0d914-110f-574f-b2f3-238fdee7a06c", "url": "https://pretalx.com/packagingcon-2021/speaker/3W9LWP/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/MTQARP/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/MTQARP/", "attachments": []}, {"guid": "7361efb7-9348-5f40-a782-692ce382a382", "code": "FRJACA", "id": 13118, "logo": null, "date": "2021-11-09T21:35:00+00:00", "start": "21:35", "duration": "00:02", "room": "Plenaries", "slug": "packagingcon-2021-13118-kickstart-your-journey-into-the-conda-packaging-world-with-grayskull", "url": "https://pretalx.com/packagingcon-2021/talk/FRJACA/", "title": "Kickstart Your Journey into The Conda Packaging World 
with Grayskull", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "To a newbie in the packaging world, writing recipes could seem quite intimidating. Even people who are not so new would agree that writing package recipes is tiresome, not to say highly error-prone. Example recipes and templates help, but one would rather their package recipe was generated automatically and was perfectly concise. \r\nOf course, Anaconda provides Conda Skeleton. Although Conda Skeleton is a helpful tool, it falls short of being the perfect recipe generator for several reasons: it's slow in generating recipes, cannot be deployed on systems without conda, and has a huge number of dependencies. The recipes it generates are also not always concise. \r\n\r\nGrayskull solves all these problems. \r\nGrayskull is an automatic conda recipe generator. It generates concise conda recipes for Python packages available on PyPI specially customized for (but not limited to) the conda-forge ecosystem.\r\nGrayskull significantly improves upon existing recipe generators in terms of speed, conciseness of the recipes, packaging environment specificity, and memory usage. \r\nGrayskull has proved to be an extremely useful tool for the packaging ecosystem by generating accurate recipes quickly. \r\nGrayskull, by making it possible to generate conda recipes for PyPI packages, brings PyPI closer to the Conda and reduces fragmentation in the packaging ecosystem.", "description": "After introducing Grayskull, I will talk in detail about some of its inner workings that make it faster and more efficient than existing recipe generators:\r\n\r\n- Grayskull generates recipes taking in consideration the platform, Python version available, selectors, compilers (Fortran, C and C++), package constraints, license type etc.\r\n\r\n- It uses metadata available from multiple sources to create the best recipe possible. 
\r\n\r\n- In the case of noarch: python, Grayskull is smart enough to detect when the recipe supports it, which is not done by Skeleton. It is important to highlight that Skeleton does not detect compilers either. Whereas Grayskull always tries to detect them.\r\n\r\n- The dependencies of Grayskull are quite reduced when compared to Conda Skeleton. Conda Skeleton relies on conda which is a huge project, therefore Conda Skeleton has a lot of dependencies. \r\nGrayskull is a standalone application which does not rely on conda. It can be easily deployed on systems without conda. It is pip installable.\r\n\r\n- Conda Skeleton creates a separate conda environment when it tries to generate the recipe and it takes a lot of time because it also runs the solver. \r\nGrayskull, on the other hand, creates a small and temporary virtual environment to simulate the installation of the package using the source tarball for Python projects. \r\n\r\n- Conda Skeleton sometimes mixes some dependencies and generates a quite \"fat\" recipe. Grayskull does not.\r\n\r\n\r\n\r\nI will demonstrate live how easy it is to generate recipes with Grayskull (really, it\u2019s just a single command: `grayskull pypi <package-name>` ). \r\nI will also demonstrate how to use the online version of Grayskull.\r\n\r\nAfter the live demonstration, I will talk about the features that Grayskull is presently missing; the addition of which will make Grayskull an even more versatile tool for recipe generation. I will also discuss the work I have been doing on Grayskull via my internship at Quansight Labs under the mentorship of Jaime Rodr\u00edguez-Guerra and Vinicius D. Cerutti: \r\n- Presently Grayskull generates recipes for Python packages available on PyPI.  I am  working on adding more package origins to Grayskull; ability to generate recipes for packages available only as Github, Gitlab repositories, ability to generate recipes for PyProject packages. 
\r\n\r\n- The next version of Grayskull could have the ability to generate recipes for R packages available on CRAN. \r\n\r\n- And the next could have the ability to generate recipes for C++ packages. \r\n\r\nIt also has an online version: https://www.marcelotrevisani.com/grayskull", "recording_license": "", "do_not_record": false, "persons": [{"code": "GY9UGD", "name": "Mahe Iram Khan", "avatar": "https://pretalx.com/media/avatars/GY9UGD_fNKT9F4.webp", "biography": "Mahe is a Computer Engineering undergrad student from India. She codes in Python and C++ and is a Packaging fan. \r\nShe is an intern at conda-forge, helping writing the conda-forge documentation. She is also an intern at Quansight Labs where she is adding new cool features to Grayskull. \r\nHer hobbies are reading novels and eating tasty food.", "public_name": "Mahe Iram Khan", "guid": "708604fa-1d83-5e45-b85b-f62be2dfd286", "url": "https://pretalx.com/packagingcon-2021/speaker/GY9UGD/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/FRJACA/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/FRJACA/", "attachments": []}, {"guid": "59f63de9-c175-5635-9607-f3b32268f25d", "code": "AWN3MG", "id": 12102, "logo": null, "date": "2021-11-09T21:40:00+00:00", "start": "21:40", "duration": "00:02", "room": "Plenaries", "slug": "packagingcon-2021-12102-python-packaging-and-publishing-carpentries-incubator-lesson", "url": "https://pretalx.com/packagingcon-2021/talk/AWN3MG/", "title": "Python Packaging and Publishing - Carpentries Incubator lesson", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "Packaging and publishing software remains a challenge for many researchers. Here, we present the \"[Packaging and Publishing with Python](https://carpentries-incubator.github.io/python-packaging-publishing/)\" lesson from the [Carpentries Incubator](https://carpentries-incubator.org/). 
The Carpentries Incubator is a [The Carpentries](https://carpentries.org/) initiative for community-developed lessons. Lessons can be taught in workshops in both online and in-person formats, and can also be used for self-guided study. In this lightning talk, we are going to go over what the lesson covers, how you can teach it and how to contribute to it. Finally, we are going to demonstrate how learning to package software is a useful skill for researchers, and how this lesson supports that.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "FJBFML", "name": "Vin\u00edcius Salazar", "avatar": "https://pretalx.com/media/avatars/FJBFML_sZT1cxo.webp", "biography": "PhD student at The University of Melbourne and Python developer.", "public_name": "Vin\u00edcius Salazar", "guid": "6255f3c6-f0d9-5c07-822a-be51a07827da", "url": "https://pretalx.com/packagingcon-2021/speaker/FJBFML/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/AWN3MG/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/AWN3MG/", "attachments": []}, {"guid": "00f906f5-2ffc-5ddf-b4c6-42f555d0f1f1", "code": "E3M8HG", "id": 12671, "logo": null, "date": "2021-11-09T21:45:00+00:00", "start": "21:45", "duration": "00:02", "room": "Plenaries", "slug": "packagingcon-2021-12671-stage0-bootstrapping-trust", "url": "https://pretalx.com/packagingcon-2021/talk/E3M8HG/", "title": "Stage0 bootstrapping trust", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "An introduction to the current state of software bootstrapping and defenses against the trusting trust attack.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "JR8SKU", "name": "Jeremiah Orians", "avatar": null, "biography": "Software bootstrapper who is willing to get his hands dirty with all the bits in software bootstrap chains that scare other people off.", "public_name": "Jeremiah Orians", 
"guid": "2875cbc0-ba4e-5c68-926b-b24dee595ede", "url": "https://pretalx.com/packagingcon-2021/speaker/JR8SKU/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/E3M8HG/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/E3M8HG/", "attachments": []}, {"guid": "e160f8c8-a2de-5b54-a1af-5c95e0a62ef9", "code": "ZFJUEJ", "id": 13293, "logo": "https://pretalx.com/media/packagingcon-2021/submissions/ZFJUEJ/kitten_JeoW98j.jpg", "date": "2021-11-09T21:50:00+00:00", "start": "21:50", "duration": "00:02", "room": "Plenaries", "slug": "packagingcon-2021-13293-the-rise-of-mostly-universal-package-managers", "url": "https://pretalx.com/packagingcon-2021/talk/ZFJUEJ/", "title": "The rise of mostly universal package managers", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "Every project has installation instructions describing system requirements as a list of system and other packages to install.  It is time to get rid of this README section! Let's look at the rise of universal package management where one tool and one unified spec can rule them all.", "description": "Because **no tech stack is an island** with a single programming language and packaging ecosystem, universal package management tools that abstract the kinks and subtle differences between package ecosystems are emerging to solve a practical problem all package authors and users are facing. Let's look at what they are, and what they could become, and why you need one.", "recording_license": "", "do_not_record": false, "persons": [{"code": "JLACEF", "name": "Philippe Ombredanne", "avatar": "https://pretalx.com/media/avatars/JLACEF_BXUgb9X.webp", "biography": "Philippe Ombredanne is a passionate FOSS hacker, lead maintainer of ScanCode, creator of Package URL, co-founder of SDPDX and ClearlyDefined. 
He is on a mission to enable easier and safer to reuse FOSS code with best in class open source Software Composition Analysis tools  and data for open source discovery, license & security compliance at https://aboutcode.org", "public_name": "Philippe Ombredanne", "guid": "4fe0852e-a90d-5870-950f-b5551d1261fc", "url": "https://pretalx.com/packagingcon-2021/speaker/JLACEF/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/ZFJUEJ/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/ZFJUEJ/", "attachments": []}, {"guid": "88542af3-6f01-58f2-b628-a1f3a40aea96", "code": "QL7K9K", "id": 13634, "logo": null, "date": "2021-11-09T21:55:00+00:00", "start": "21:55", "duration": "00:02", "room": "Plenaries", "slug": "packagingcon-2021-13634-turing-jl-an-overview", "url": "https://pretalx.com/packagingcon-2021/talk/QL7K9K/", "title": "Turing.jl: An Overview", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "[Turing.jl](https://github.com/TuringLang/Turing.jl) is a Julia library focusing on Bayesian inference with probabilistic programming. It has a special focus on modularity, and it decouples the modelling language and inference methods. This talk highlights the features of Turing.jl. Furthermore, references are provided to tutorials for working with Turing.\r\nSlides of this talk are available at [bit.ly/turing-an-overview](https://docs.google.com/presentation/d/e/2PACX-1vQ5WvGcgLnkiNh004BWGtbUeNnV54vQ4ypFpsD7DJfm9eX6jrFyf5EIPAPB-0ZdorSt9-I6OdNx5GKF/pub?start=false&loop=false&delayms=3000&slide=id.p) and also available on the [GitHub repository](https://github.com/SaranjeetKaur/PackagingCon2021_Slides_Lightning_Talk/).", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "MCGB3X", "name": "Saranjeet Kaur Bhogal", "avatar": "https://pretalx.com/media/avatars/MCGB3X_JQj0a6l.webp", "biography": "Saranjeet Kaur Bhogal is a Statistician by training. 
She has completed the Google Summer of Code 2020 with the Turing team of the Julia language organisation. Her recent most open source project is the \u201cR Development Guide\u201d which she has written with a funding support from the R Foundation. She has presented her open source work at useR! 2021 - The R Conference and at JuliaCon 2021.", "public_name": "Saranjeet Kaur Bhogal", "guid": "b7e16fcf-7a49-580e-b0c8-71276dcb94da", "url": "https://pretalx.com/packagingcon-2021/speaker/MCGB3X/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/QL7K9K/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/QL7K9K/", "attachments": [{"title": "Slides", "url": "/media/packagingcon-2021/submissions/QL7K9K/resources/PackagingCon_2021__Turing.jl_--_An_Overv_TwB1Sso.pptx", "type": "related"}]}, {"guid": "79621a04-d7cc-5e61-9477-a7a057646663", "code": "JLXJBV", "id": 12412, "logo": null, "date": "2021-11-09T22:00:00+00:00", "start": "22:00", "duration": "00:02", "room": "Plenaries", "slug": "packagingcon-2021-12412-unifying-update-channels-and-dependency-resolution", "url": "https://pretalx.com/packagingcon-2021/talk/JLXJBV/", "title": "Unifying update channels and dependency resolution", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "There are two predominant models for software updates: the package management approach, which resolves new sets of compatible software to install together and respects dependency declarations, and the \"update channel\" approach, where an installed software component subscribes itself to updates via a stream of external metadata (i.e. 
Google Chrome's update model).\r\n\r\nThe Operator Lifecycle Manager for Kubernetes combines both approaches: software packagers can provide valid update graphs for their components in addition to dependency information, and the on-line solver considers both when selecting and installing packages.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "TQ37PN", "name": "Evan Cordell", "avatar": "https://pretalx.com/media/avatars/TQ37PN_nXWO2Ss.webp", "biography": "Evan Cordell is an engineer at Authzed. Maintainer of Operator Lifecycle Manager. Formerly at Red Hat, CoreOS.", "public_name": "Evan Cordell", "guid": "ef46a56c-814d-5c30-b1c6-d7c58738d656", "url": "https://pretalx.com/packagingcon-2021/speaker/TQ37PN/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/JLXJBV/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/JLXJBV/", "attachments": []}], "Room I": [{"guid": "1df358cf-0e3e-50bd-853c-fdbda8d6b176", "code": "KUFQGD", "id": 13657, "logo": null, "date": "2021-11-09T16:00:00+00:00", "start": "16:00", "duration": "00:50", "room": "Room I", "slug": "packagingcon-2021-13657-welcome-keynote", "url": "https://pretalx.com/packagingcon-2021/talk/KUFQGD/", "title": "Welcome + Keynote", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Wolf will welcome everyone and say a couple of words about PackagingCon and how we are going and how the virtual conference is going to work\r\n\r\n## Keynote\r\n\r\nTodd Gamblin, Steven! 
Ragnar\u00f6k and Matthias Meschede are going to talk about \"The Taxonomy of Package Managers\" \u2013 expect a fun talk about the history of package management and an overview of the different species of package managers out there", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "M7CWJZ", "name": "Wolf Vollprecht", "avatar": "https://pretalx.com/media/avatars/M7CWJZ_k9nxqOS.webp", "biography": "Wolf Vollprecht is a Technical Director at QuantStack. QuantStack is a small open source software consulting company that mostly works on scientific open source software.\r\nWolf spends most of his time working on the mamba package manager, and as part of the conda-forge core team. Mamba is a fast, cross-platform and language agnostic package manager that works with conda packages.", "public_name": "Wolf Vollprecht", "guid": "c1a59892-19f6-59e5-bdfd-e50a1ff815c3", "url": "https://pretalx.com/packagingcon-2021/speaker/M7CWJZ/"}, {"code": "RD7SJX", "name": "Todd Gamblin", "avatar": "https://pretalx.com/media/avatars/RD7SJX_QZJnZHZ.webp", "biography": "Todd Gamblin is a Senior Principal MTS in Livermore Computing's Advanced Technology Office at Lawrence Livermore National Laboratory. He created Spack, a popular open source HPC package management tool with a rapidly growing community of contributors. He leads the Packaging Technologies Project in the U.S. Exascale Computing Project, LLNL's DevRAMP project on developer productivity, and an LLNL Strategic Research Initiative on software integration and dependency management. His research interests include dependency management, software engineering, parallel computing, performance measurement, and performance analysis.", "public_name": "Todd Gamblin", "guid": "efd6f68f-b8d2-5c01-b4c6-e35b4ae0b5b0", "url": "https://pretalx.com/packagingcon-2021/speaker/RD7SJX/"}, {"code": "8MJPFR", "name": "Steven! 
Ragnaro\u0308k", "avatar": "https://pretalx.com/media/avatars/8MJPFR_rWsLjG5.webp", "biography": "Steven! is a software developer and Linux system administrator who has been steadfastly running Linux through his computer science and mathematics education, web development career, and now as a Software Engineer leading the computer infrastructure team at Open Robotics. Steven!'s experience with Linux began on Slackware 9, where package management was a feature conspicuously absent from the installed system.", "public_name": "Steven! Ragnaro\u0308k", "guid": "1258dcc8-a59e-5fed-be87-cb8ad42142f8", "url": "https://pretalx.com/packagingcon-2021/speaker/8MJPFR/"}, {"code": "9NEBEY", "name": "Matthias Meschede", "avatar": null, "biography": null, "public_name": "Matthias Meschede", "guid": "7b3715df-a1f9-5b33-9001-e19063efb11d", "url": "https://pretalx.com/packagingcon-2021/speaker/9NEBEY/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/KUFQGD/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/KUFQGD/", "attachments": []}, {"guid": "b10c0f8f-79e2-543e-aa5e-cde792709046", "code": "K7LDFB", "id": 12131, "logo": null, "date": "2021-11-09T17:00:00+00:00", "start": "17:00", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-12131-automated-packaging-for-multiple-platforms-successes-and-lessons-learned-while-packaging-ros", "url": "https://pretalx.com/packagingcon-2021/talk/K7LDFB/", "title": "Automated packaging for multiple platforms: Successes and lessons learned while packaging ROS", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "We have developed a system which will automatically generate packages for deb based packaging systems such as Debian and Ubuntu, RPM based packaging systems such as Fedora and RHEL, as well as source based packaging/distribution systems such as Gentoo or OpenEmbedded. This talk will delve into how and why we\u2019ve done it. 
We will cover lessons learned over the course of more than ten years of experience and then discuss where we\u2019re going next and what tools and approaches we\u2019ve developed that others may find useful.", "description": "The ROS project has been generating packages for several platforms for over 10 years. The toolchain continues to grow and evolve. We currently have support for Debian, Ubuntu, Fedora, RHEL, OpenEmbedded, Gentoo, as well as are working on Conda, there are other community based efforts ongoing. We have targeted amd64, i386, armhf, arm64 architectures. \r\n\r\n\r\nWe\u2019ve operated 17 distributions which target between 3 and 5 platforms officially. The 5 currently active distributions contain 6241 packages of which 3057 are unique by package name. 1132 people have contributed to our release repository including dependency data and there are 687 unique maintainer emails in our publicly listed source packages. And all these packages are downloaded many millions of times per month. \r\n\r\nThere\u2019s many moving parts and many different communities to bring together to make all this happen regularly. Our needs and goals are sometimes at odds with upstream policies but we still have found ways to work together. This talk will be an overview of where we\u2019re coming from with our needs and requirements, followed by how we\u2019re achieving that. We\u2019ll talk about existing tools and processes that we\u2019re following from existing projects, and then also about how we\u2019ve chosen to diverge and why we chose to do so as well. And provide a quick overview of the various tools that we\u2019ve developed, focusing on those that are potentially reusable outside the ROS context.", "recording_license": "", "do_not_record": false, "persons": [{"code": "8MJPFR", "name": "Steven! Ragnaro\u0308k", "avatar": "https://pretalx.com/media/avatars/8MJPFR_rWsLjG5.webp", "biography": "Steven! 
is a software developer and Linux system administrator who has been steadfastly running Linux through his computer science and mathematics education, web development career, and now as a Software Engineer leading the computer infrastructure team at Open Robotics. Steven!'s experience with Linux began on Slackware 9, where package management was a feature conspicuously absent from the installed system.", "public_name": "Steven! Ragnaro\u0308k", "guid": "1258dcc8-a59e-5fed-be87-cb8ad42142f8", "url": "https://pretalx.com/packagingcon-2021/speaker/8MJPFR/"}, {"code": "E7QRNP", "name": "Tully Foote", "avatar": null, "biography": "Tully Foote is the Community and Business Development Manager at Open Robotics. He started his career working on autonomous cars for the DARPA Grand Challenges. From there he worked on ROS at Willow Garage and later Open Robotics in many different roles including active development of the ROS buildfarm. He has worked on a large variety of systems for indoor, outdoor, marine, aviation, and space. 
Two creations he\u2019s known for are the tf transform library and the TurtleBot.", "public_name": "Tully Foote", "guid": "7232c69f-7c68-5017-80a2-c3833b8fe059", "url": "https://pretalx.com/packagingcon-2021/speaker/E7QRNP/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/K7LDFB/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/K7LDFB/", "attachments": []}, {"guid": "c7a8fb3a-bea4-592d-bd8d-182831877ce7", "code": "GY99JV", "id": 12191, "logo": "https://pretalx.com/media/packagingcon-2021/submissions/GY99JV/logo-square-small-borders_E0qgtqQ.jpg", "date": "2021-11-09T17:25:00+00:00", "start": "17:25", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-12191-integrating-upstream-projects-to-fedora-linux", "url": "https://pretalx.com/packagingcon-2021/talk/GY99JV/", "title": "Integrating upstream projects to Fedora Linux", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "We are offering Packit, a free GitHub app and GitLab integration which enables you to build and test your upstream project on an RPM-based Linux distribution like Fedora Linux, CentOS Stream, Mageia or openSUSE. Once you get RPM builds of your project, you can be pretty sure that your project will work once released and delivered via the downstream distribution. The core functionality of Packit is built around pull requests (as a standard CI system) and releases (bring the release to Fedora rawhide). 
You can read more about Packit at https://packit.dev/\r\n\r\nIn this session, Franta and Tomas will describe the Packit project, Fedora\u2019s packaging workflow, showcase some of the well-known projects which use Packit and offer a brief perspective on what it\u2019s like to develop and maintain the integration service.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "WR9GC9", "name": "Franti\u0161ek Lachman", "avatar": "https://pretalx.com/media/avatars/WR9GC9_4wV19Hw.webp", "biography": "Software engineer at Red Hat; Project owner in the Packit team; teacher at Faculty of Informatics, Masaryk University, Brno; member of the Scout Movement and Python enthusiast.", "public_name": "Franti\u0161ek Lachman", "guid": "c68bbf80-3bb2-55b8-98cd-ae28a26a3feb", "url": "https://pretalx.com/packagingcon-2021/speaker/WR9GC9/"}, {"code": "MQMWJG", "name": "Tomas Tomecek", "avatar": "https://pretalx.com/media/avatars/MQMWJG_A3I69Pn.webp", "biography": "packaging and integration wizardry", "public_name": "Tomas Tomecek", "guid": "e7dc2a32-2d8e-5e04-860b-d16151da4227", "url": "https://pretalx.com/packagingcon-2021/speaker/MQMWJG/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/GY99JV/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/GY99JV/", "attachments": [{"title": "Slides", "url": "/media/packagingcon-2021/submissions/GY99JV/resources/PackagingCon__Packit_dGMaA16.pdf", "type": "related"}]}, {"guid": "9e049034-86c7-5b4a-a028-8ac43dc9ced3", "code": "NRGCVG", "id": 12158, "logo": null, "date": "2021-11-09T17:50:00+00:00", "start": "17:50", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-12158-force-multipliers-in-package-management-how-homebrew-maintainers-keep-up-with-10-000-packages", "url": "https://pretalx.com/packagingcon-2021/talk/NRGCVG/", "title": "Force Multipliers in Package Management: How Homebrew Maintainers Keep Up With 10,000+ Packages", "subtitle": "", 
"track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "An overview of the policies, design choices, and tooling that allow a team to maintain the Homebrew ecosystem, enabling timely delivery of updates while minimizing regressions in packages and dependency trees.", "description": "In this talk, we'll explore some of the things that allow the Homebrew maintainer team to tackle day-to-day maintenance tasks, leaving time and energy to address bigger things. We'll visit some of the technical aspects of the Homebrew ecosystem that make this possible as well as some of the policies and culture that help prevent maintainer burnout.", "recording_license": "", "do_not_record": false, "persons": [{"code": "QRWU3D", "name": "Caleb Xu", "avatar": null, "biography": "Caleb lives in the Raleigh-Durham metropolitan area in North Carolina, USA. He graduated in 2021 from the University of North Carolina at Chapel Hill with a B.S. Computer Science.\r\n\r\nHe first got involved in package management in 2014 with contributions to Homebrew Cask, an extension on the [Homebrew](https://brew.sh) package manager that manages the installation of GUI apps on macOS. 
After Homebrew Cask was eventually merged into Homebrew itself in 2018, he started to participate in maintaining Homebrew's [core packages](https://github.com/Homebrew/homebrew-core).\r\n\r\nIn his spare time, you may find him taking a screen break with a walk on one of the Raleigh-Durham area's many greenways and trails, having a stab at a new recipe in the kitchen, or fine-tuning a traffic light cycle in _[Cities: Skylines](https://www.citiesskylines.com/)_.", "public_name": "Caleb Xu", "guid": "df850a80-5e7e-5303-8267-b7c110386826", "url": "https://pretalx.com/packagingcon-2021/speaker/QRWU3D/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/NRGCVG/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/NRGCVG/", "attachments": []}, {"guid": "2531bfcf-e53d-55c5-984f-14ef1d6a9700", "code": "7MQPPU", "id": 12114, "logo": null, "date": "2021-11-09T18:15:00+00:00", "start": "18:15", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-12114-bitnami-15-years-bringing-open-source-to-the-masses", "url": "https://pretalx.com/packagingcon-2021/talk/7MQPPU/", "title": "Bitnami: 15 years bringing open source to the masses", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "Bitnami is an application packaging and publishing startup that was acquired by VMware in 2019. It is a leading provider of prepackaged open source software that runs natively in environments where a large portion of developers and other users want to build or deploy applications in the major public clouds, on laptops, and on Kubernetes. Over the last few years with the increased popularity of containers and platforms like Kubernetes, Bitnami's growth has raised exponentially and several of its containerised applications are now well over +1B downloads each.\r\n\r\nThe secret sauce for Bitnami success has always been trying to make Open Source safe and easy to use. 
Sounds simple, but it is actually very challenging. A robust pipeline must be able to build many different flavours of open source software targeting many different operating systems and clouds, and it has to be simple. Abstracting users from complexity. Additionally, Bitnami focuses on making Open Source safer by having those application packages running within a continuous update loop taking care of releasing updates when new vulnerabilities or attacks are found.\r\n\r\nIn this talk we would like to go over how we have made this possible over the last 15 years.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "KCKTX3", "name": "Martin Perez, Beltr\u00e1n Rueda", "avatar": null, "biography": "Martin is a Senior Staff Engineer and Beltr\u00e1n is a Senior Engineering Manager at VMware both with more than 20 years of experience in complex and large distributed software systems.", "public_name": "Martin Perez, Beltr\u00e1n Rueda", "guid": "7c2307ff-aab5-5e26-af11-baa0c05f9336", "url": "https://pretalx.com/packagingcon-2021/speaker/KCKTX3/"}, {"code": "CPKKAV", "name": "Beltr\u00e1n Rueda", "avatar": null, "biography": null, "public_name": "Beltr\u00e1n Rueda", "guid": "55291739-2f21-5722-996a-5fe77be12707", "url": "https://pretalx.com/packagingcon-2021/speaker/CPKKAV/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/7MQPPU/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/7MQPPU/", "attachments": []}, {"guid": "25c5b255-c4bb-5181-b169-81f7de02dce3", "code": "K8GPRA", "id": 12018, "logo": "https://pretalx.com/media/packagingcon-2021/submissions/K8GPRA/19329590_sAUg9JO.jpg", "date": "2021-11-09T19:00:00+00:00", "start": "19:00", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-12018-julia-s-pkg-design-rationale", "url": "https://pretalx.com/packagingcon-2021/talk/K8GPRA/", "title": "Julia's Pkg \u2013 Design & Rationale", "subtitle": "", "track": "Deep Dives", 
"type": "Talk", "language": "en", "abstract": "The Julia programming language features a built-in package manager commonly referred to as \"Pkg\".  It's actually the third iteration of package manager for the language, code-named Pkg3 while in development. The previous iterations were quite traditional, inspired by Perl's CPAN and RubyGems. Pkg3 is *different*. This talk explores how it differs from its predecessors and other package managers and what lessons we've learned while developing it and scaling up its usage.", "description": "Some salient features of Julia's Pkg that will be covered in this talk:\r\n\r\n- Packages are identified by globally unique UUID, not just name. This allows different packages with the same name to co-exist in the dependency graph of a project. Names used in source code are mapped to UUIDs in a project-local `Project.toml` file which also contains other project metadata.\r\n\r\n- Code loading works by looking up the cryptographic hash of the source tree of a specific version of a package in a project-local `Manifest.toml` file. This source hash is used to look up the path where the code should be loaded from. Since each package version is identified and found by tree hash, its content can always be checked for correctness and caches never need to be invalidated. Manifest files can be tracked in version control providing perfect reproducibility by default.\r\n\r\n- It's completely normal for mulitple versions of the same package to be installed at the same time, used by different projects. This is kind of like Python virtual environments but built into the language, with common versions shared, and without requiring any environment variable tricks. Pkg has a `gc` command that searches through known manifest files and garbage collects (i.e. 
deletes) any package versions that are no longer in use anywhere.\r\n\r\n- It's not just Julia source packages that are immutable and content-addressed: Pkg also installs libraries and other binary dependencies as immutable, content-addressed tarballs of pre-compiled, system-specific file trees. The right variant for a given operating system / libc version / libc++ version (etc.) is chosen and installed, but that combination is pre-built and simply needs to be downloaded and put in the right place. This makes installing binary dependencies incredibly fast and reliable. It also provides tremendous benefits for reproducibility since all of this is cryptographically hashed, content-addressed, immutable, tracked in project-local version control, and persisted forever by the global network of package servers.\r\n\r\n- Pkg has a federated package registry system. There is a general public registry that Julia clients get their packages from by default, but other registries can be added and used alongside it. It is common for companies and research labs to have their own private and/or public registries of packages. The use of UUIDs to identify packages even makes transitioning a package from private to public extremely smooth. It's even possible for some versions of a package to be public while others\u2014older or newer\u2014remain private.\r\n\r\n- UUIDs provide some protection from [dependency confusion attacks](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610), but this depends on UUIDs remaining secret which they are not designed to be. The same features that facilitate migrating a package from private to public inadvertently allow dependency confusion attacks. The General registry allows submission of lists of private UUIDs to block from registration, but this is a stopgap measure at best. 
Better solutions to this common packaging ecosystems problem are sought.", "recording_license": "", "do_not_record": false, "persons": [{"code": "9NNRE7", "name": "Stefan Karpinski", "avatar": "https://pretalx.com/media/avatars/9NNRE7_UASzy0Z.webp", "biography": "Co-creator of Julia & co-founder of Julia Computing (https://juliahub.com).", "public_name": "Stefan Karpinski", "guid": "be636734-ac6a-5aa2-b2f8-e9283d6f5139", "url": "https://pretalx.com/packagingcon-2021/speaker/9NNRE7/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/K8GPRA/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/K8GPRA/", "attachments": []}, {"guid": "c6e42d48-9379-5887-a592-6e70644939e2", "code": "KTNQRB", "id": 12121, "logo": null, "date": "2021-11-09T19:25:00+00:00", "start": "19:25", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-12121-homebrew-improved-linux-support-and-a-historical-review-of-our-linux-ci", "url": "https://pretalx.com/packagingcon-2021/talk/KTNQRB/", "title": "Homebrew: improved Linux support (and a historical review of our Linux CI)", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "Homebrew is a free and open-source package manager, initially written for macOS. Linuxbrew, a fork of Homebrew for Linux, was created in 2012. In 2019, we announced the official support for Linux and Windows 10 (with Windows Subsystem for Linux). The Linux-specific code of the package manager was back-ported from Linuxbrew to the main Brew repository in 2018/2019.\r\n\r\nBut the story did not end there. The Linux packages were still living in a separate repository: linuxbrew-core. We had to migrate all the changes from the Linux repository to the main repository (homebrew-core). There were more than 5000 lines of code to be back-ported. We also started building Linux packages in homebrew-core, so we had to set up Linux CI along the existing macOS one. 
As this task is now almost completed and we will soon decommission linuxbrew-core, I would like to come back on the details of this epic migration. This talk will make a small retrospective on why it took us almost 2 years to finish the migration. I will also take the opportunity to discuss the setup of our Linux CI, and the issues we faced while doing so.", "description": "The talk will focus on a few topics related to the migration from linuxbrew-core to homebrew-core.  \r\n\r\nI will go through the way the linuxbrew-core repository co-existed with homebrew-core repository over the years, and why we needed to decommission linuxbrew-core. Keeping linuxbrew-core in sync with homebrew-core has drained a lot of energy out of multiple maintainers, and had become too complex. The current workflow also often broke packages for our Linux users, which was not acceptable. Ending the migration will give us time to finally focus on more interesting tasks and new features, help triage more issues and help our users more effectively.\r\n\r\nI will also discuss different CI solutions we have used over the years to build binary packages: Docker hub, Travis, Circle.ci, Azure pipelines and finally GitHub Actions. As we initially did not have any funding for CI, we had to rely on free tiers, which caused a higher workload for maintainers, as a lot of manual intervention was needed. We even built some packages with our personal hardware when necessary.\r\n\r\nOne last topic I want to discuss is open source maintainer bandwidth, and why it took us two years to finalise the linuxbrew-core to homebrew-core migration. The number of packages to maintain, the number of maintainers, and more importantly the number of maintainers willing to do ops and fix things in the package manager itself will be discussed. 
Also, I will have a quick look at the financial aspect when it comes to setup CI for a project as big as Homebrew.", "recording_license": "", "do_not_record": false, "persons": [{"code": "YDADBN", "name": "Michka Popoff", "avatar": "https://pretalx.com/media/avatars/YDADBN_1kMHE2E.webp", "biography": "I am a Python developer with more than 9 years of experience. I also have 3 years of experience in Java programming.\r\n\r\nI am an open-source enthusiast. I am part of Homebrew's technical committee (the missing package manager for Mac (or Linux)): https://github.com/Homebrew/brew. I am also the lead maintainer of the Linuxbrew/homebrew-core project, and of the pygccxml Python library. Check out my GitHub account: https://github.com/iMichka.\r\n\r\nI have a PhD in Physics from the University of Lille 1 (France). I speak French, German, English and Luxembourgish. I regularly run marathons (and sometimes even longer distances than that).", "public_name": "Michka Popoff", "guid": "83fdf13f-e44f-5d77-a21d-5111b5812a45", "url": "https://pretalx.com/packagingcon-2021/speaker/YDADBN/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/KTNQRB/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/KTNQRB/", "attachments": []}, {"guid": "96857006-2d75-5754-8407-02d50d5412b8", "code": "YQSMZQ", "id": 12060, "logo": null, "date": "2021-11-09T19:50:00+00:00", "start": "19:50", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-12060-putting-concepts-into-boxes-a-survey-of-packaging-systems-and-patterns-of-code-reuse", "url": "https://pretalx.com/packagingcon-2021/talk/YQSMZQ/", "title": "Putting Concepts Into Boxes: A Survey of Packaging Systems and Patterns of Code Reuse", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "In the past 30 years or so of widespread code reuse, programming language communities have come up with various approaches to solving problems of code 
reuse. These efforts are often developed in isolation, leading to a divergence in concepts and terminology. What can we learn from one another? And how can we use this understanding to make better tools for managing software dependencies?", "description": "A native speaker of a language can communicate automatically without giving a second thought about how they do it. Likewise, a software developer who works exclusively in an ecosystem can be quite productive without really understanding how their code gets turned into programs.\r\n\r\nWhen you learn another language, you gain a completely different kind of understanding. You start to reason about concepts formally rather than intuitively. You discover that ideas that you took for granted in one may be radically different (or missing entirely) in another. You come away with knowledge of the new, a new perspective of the familiar, and an appreciation for the unknown. \r\n\r\nIn this talk, we'll take a look at the landscape of packaging systems. We'll attempt to identify and formalize concepts they share in common, and distinguish the incidental and inherent differences among them. By doing so, we hope to provide useful models for building tools within and across software ecosystems.", "recording_license": "", "do_not_record": true, "persons": [{"code": "GX99HG", "name": "Mattt", "avatar": "https://pretalx.com/media/avatars/GX99HG_E4FSxAC.webp", "biography": "[Mattt](https://github.com/mattt) is a software engineer at GitHub working on the Swift package registry. He's the founder of [NSHipster](https://nshipster.com), a journal of the overlooked bits in Objective-C, Swift, and Cocoa. 
Previously, he worked at Apple as a technical writer, contributing to The Swift Programming Language, Swift Package Manager, and Swift.org.", "public_name": "Mattt", "guid": "bcac2a39-95da-5e80-8695-6d2320058885", "url": "https://pretalx.com/packagingcon-2021/speaker/GX99HG/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/YQSMZQ/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/YQSMZQ/", "attachments": []}, {"guid": "45a19f85-a723-5dc7-8579-c428f70d9905", "code": "ZCRDEQ", "id": 11953, "logo": null, "date": "2021-11-09T20:15:00+00:00", "start": "20:15", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-11953-oci-artifacts-using-container-registries-for-any-cloud-native-artifact", "url": "https://pretalx.com/packagingcon-2021/talk/ZCRDEQ/", "title": "OCI Artifacts: Using Container Registries for Any Cloud Native Artifact", "subtitle": "", "track": "Registries", "type": "Talk", "language": "en", "abstract": "If you're managing cloud native applications, you already have a reliable, secured, performant container registry across your development to production environments. Where will you store your Helm charts, OPA Bundles, WASM, SBOMs, Scan Results, GitOps/RegOps  and deployment artifacts? Do you really want to stand up and manage Yet Another Storage Solution (YASS)? Should you pull your developer focused Git infra into production? OCI Artifacts expands container registries to store any artifact. Artifacts are now adding Reference Types to store a graph of objects, including SBOMs, Signatures, Security Scan Results. 
We'll review the journey for OCI Artifacts and how you can build a new cloud native thing, without having to build and maintain YASS.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "KGYJQP", "name": "Steve Lasker", "avatar": "https://pretalx.com/media/avatars/KGYJQP_cBQ3fDb.webp", "biography": "Steve is a PM Architect for Registries at Microsoft, an OCI TOB member and OCI Artifacts maintainer. Prior to joining Microsoft, Steve worked in software consulting and broadcast engineering, where he learned the balance of designing reliable, performant, available, secure and usable systems.\r\nSteve can be found on Twitter @SteveLasker and his blog @ https://stevelasker.blog", "public_name": "Steve Lasker", "guid": "ef7fd511-9e36-5402-86af-d24cd08d63b1", "url": "https://pretalx.com/packagingcon-2021/speaker/KGYJQP/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/ZCRDEQ/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/ZCRDEQ/", "attachments": []}, {"guid": "a26bf268-39fd-5e35-bad8-bd25a8611378", "code": "QNJEMW", "id": 12111, "logo": null, "date": "2021-11-09T20:40:00+00:00", "start": "20:40", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-12111-package-registries-for-the-julia-package-manager", "url": "https://pretalx.com/packagingcon-2021/talk/QNJEMW/", "title": "Package registries for the Julia package manager", "subtitle": "", "track": "Registries", "type": "Talk", "language": "en", "abstract": "This talk discusses the current implementation of package registries for the Julia package manager and some of the lessons learned along the way.", "description": "A package registry is a collection of metadata for a set of packages.\r\nAmong other things, this includes:\r\n- what versions are available for each package\r\n- what dependencies each package version has\r\n- what package versions are compatible with other package versions\r\n\r\nThis information is used by 
the Julia Package manager's \"resolver\" when a package operation is performed (e.g. adding/updating packages). The task of the resolver is to return a set of package versions with \"as high version as possible\" under the constraints that all those versions are compatible with each other.\r\n\r\nThis talk discusses some of the lessons we have learned about package registries from\r\nour experiences in developing the Julia package manager over many years.\r\nThis includes considerations like:\r\n\r\n- what file format to use\r\n- support for multiple registries\r\n- how to download/update the registry\r\n- performance considerations w.r.t the size of the registry/number of files", "recording_license": "", "do_not_record": false, "persons": [{"code": "AS3MKE", "name": "Kristoffer Carlsson", "avatar": "https://pretalx.com/media/avatars/AS3MKE_SxjKovB.webp", "biography": "I'm a long-time contributor to the Julia language and its surrounding ecosystem (including its package manager).", "public_name": "Kristoffer Carlsson", "guid": "53ae67fb-1a32-5b38-bde1-9fbdf24048bd", "url": "https://pretalx.com/packagingcon-2021/speaker/AS3MKE/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/QNJEMW/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/QNJEMW/", "attachments": []}], "Room 2": [{"guid": "2a9d74ee-8b96-54e7-890d-8780de562d9a", "code": "JPXYSD", "id": 12009, "logo": null, "date": "2021-11-09T17:00:00+00:00", "start": "17:00", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-12009-homebrew-a-packagers-deep-dive", "url": "https://pretalx.com/packagingcon-2021/talk/JPXYSD/", "title": "Homebrew: A Packagers Deep Dive", "subtitle": "", "track": "Deep Dives", "type": "Talk", "language": "en", "abstract": "A deep-dive on the interesting (both good and bad) aspects of the Homebrew package manager that will be interesting to other package manager maintainers or enthusiasts.", "description": "Based on my experience as 
a user (and very sporadic packager) of other OS system and language package managers I'll detail the things I feel that Homebrew does well, badly and what we plan on changing and what we cannot.", "recording_license": "", "do_not_record": false, "persons": [{"code": "XPJMHN", "name": "Mike McQuaid", "avatar": "https://pretalx.com/media/avatars/XPJMHN_WOmklQf.webp", "biography": "Mike McQuaid is the Project Leader and maintainer for over a decade of the Homebrew macOS (and Linux) package manager. For work, Mike is a Staff Engineer at GitHub on the Communities team.", "public_name": "Mike McQuaid", "guid": "03703230-5d6e-5a5f-941b-354bbd81a789", "url": "https://pretalx.com/packagingcon-2021/speaker/XPJMHN/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/JPXYSD/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/JPXYSD/", "attachments": []}, {"guid": "44018607-0d91-59bd-b621-f70a93e77e45", "code": "YWRVCT", "id": 12120, "logo": null, "date": "2021-11-09T17:25:00+00:00", "start": "17:25", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-12120-combining-cvmfs-nix-or-gentoo-prefix-lmod-and-easybuild-at-compute-canada", "url": "https://pretalx.com/packagingcon-2021/talk/YWRVCT/", "title": "Combining CVMFS, Nix or Gentoo Prefix, Lmod, and EasyBuild at Compute Canada", "subtitle": "", "track": "Deep Dives", "type": "Talk", "language": "en", "abstract": "One of the challenges in HPC is to deliver a consistent software stack that balances the needs of the system administrators with the needs of the users. This means running recent software on enterprise Linux distributions that ship older software. Traditionally this is accomplished using environment modules, that change environment variables such as $PATH to point to the software that is needed. 
At Compute Canada we have taken this further by distributing a complete user-level software stack, including all needed libraries including the GNU C library (Glibc), but excluding any privileged components. Our setup combined Nix, and now combines Gentoo Prefix for the bottom layer of base components, EasyBuild for the top layer of more scientifically inclined components, Lmod to implement environment modules, and the CernVM File System (CVMFS) to distribute it to Canadian supercomputers and anyone else who is interested. This approach has gained interest in other places, most notably with the EESSI project that originated in Europe.\r\n\r\nI will describe our setup and discuss the pros and cons of Nix versus Gentoo Prefix, and the challenges that come with using glibc in a non-standard location.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "T8BR7D", "name": "Bart Oldeman", "avatar": null, "biography": "Bart Oldeman (Ph.D., Engineering Mathematics, University of Bristol) works for McGill University in Montr\u00e9al, Canada as a Scientific Computing Analyst, within the Calcul Qu\u00e9bec and Compute Canada umbrella organizations. 
He is a Software Installation Coordinator for the Research Support National Team within Compute Canada.", "public_name": "Bart Oldeman", "guid": "2e15476c-8e85-5832-980a-8714df0c45ab", "url": "https://pretalx.com/packagingcon-2021/speaker/T8BR7D/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/YWRVCT/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/YWRVCT/", "attachments": []}, {"guid": "b64cc8d5-f64a-5784-91ca-3715a86b0781", "code": "LMNF3H", "id": 12194, "logo": null, "date": "2021-11-09T17:50:00+00:00", "start": "17:50", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-12194-what-is-chocolatey-the-package-manager-for-windows", "url": "https://pretalx.com/packagingcon-2021/talk/LMNF3H/", "title": "What is Chocolatey, The Package Manager for Windows?", "subtitle": "", "track": "Deep Dives", "type": "Talk", "language": "en", "abstract": "Nix has awesome packing tools. Many of them. Windows was always the landscape of Next -> Next -> Next.\r\n\r\nEver wished you could take all of those Windows applications you run, install them, and not have to click anything? Easily keep them up to date and not click anything? And in WINDOWS?\r\n\r\nCome with me on this journey, and you\u2019ll see a world of Windows Automation, Package Management and a thriving Community.", "description": "When we think about package management we always think about nix - apt, yum, dnf etc. Windows doesn't really come to mind.\r\n\r\nI want to introduce the audience to the package manager for Windows; Chocolatey. 
Chocolatey has been around since 2011 and has a Community Package repository of over 800 unique packages, 100K+ package versions and in excess of 1B package downloads.", "recording_license": "", "do_not_record": false, "persons": [{"code": "DFPH3V", "name": "Paul Broadwith", "avatar": "https://pretalx.com/media/avatars/DFPH3V_BwPDHI7.webp", "biography": "Paul is an Engineer at heart with a love of PowerShell, Automation, Chocolatey, Scottish single malt whisky and wireless earphones. He has given workshops and spoken at different events across the UK, Europe and the US. He has a real passion for passing on knowledge and loves to talk with aspiring techies.\r\n\r\nHe is a Microsoft MVP and MCT, is Lead Engineer on the Boxstarter and DSC cChoco Chocolatey projects and is an organiser of the DATA:Scotland event. His career has seen him work in many sectors for over 25 years. As somebody kindly put it, he's been about a bit.\r\n\r\nIn his spare time, he usually continues to stare at computer screens and works on his own or Chocolatey projects. But on those rare occasions, when he is not staring at computer screens and listening to a strange mix of music on his wireless earphones, you can find him relaxing with a nice single malt whisky and reading ... 
usually technical books.", "public_name": "Paul Broadwith", "guid": "377cb767-91e7-571a-b47d-2c9de51fcc6c", "url": "https://pretalx.com/packagingcon-2021/speaker/DFPH3V/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/LMNF3H/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/LMNF3H/", "attachments": []}, {"guid": "20bca262-5f9d-526e-ac22-2341d2a44c57", "code": "QQEVAK", "id": 12265, "logo": null, "date": "2021-11-09T18:15:00+00:00", "start": "18:15", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-12265-vcpkg-asset-caching-solving-the-air-gap", "url": "https://pretalx.com/packagingcon-2021/talk/QQEVAK/", "title": "Vcpkg Asset Caching: Solving the Air Gap", "subtitle": "", "track": "Registries", "type": "Talk", "language": "en", "abstract": "Package management is the vital tool enabling reuse of other's code from around the world. However, this dream quickly collides with business fundamentals such as security, reliability, and authenticity. In this talk, we'll discuss vcpkg's new asset caching capabilities and how they enable enterprises to participate in the open source community without compromising essential objectives -- especially for secured networks without internet access.", "description": "This presentation will cover the asset caching functionality in vcpkg which enables uniform mirroring of external assets including sources and prebuilt tools. We'll cover how this system works in conjunction with vcpkg's registry, port, and binary caching systems to enable offline and disconnected systems to still take full advantage of open source projects and recipes without modification.", "recording_license": "", "do_not_record": false, "persons": [{"code": "TSS7XJ", "name": "Robert Schumacher", "avatar": "https://pretalx.com/media/avatars/TSS7XJ_q5b55ud.webp", "biography": "Senior Software Developer at Microsoft working on Visual C++ Acquisition, Install, and Release. 
Lead Architect of vcpkg.", "public_name": "Robert Schumacher", "guid": "7163a654-416b-5d4c-b5a0-b5764e1367f3", "url": "https://pretalx.com/packagingcon-2021/speaker/TSS7XJ/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/QQEVAK/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/QQEVAK/", "attachments": []}, {"guid": "243fdf06-63bb-5ca6-bbea-6de9eae32a13", "code": "K8C9HR", "id": 12257, "logo": null, "date": "2021-11-09T19:00:00+00:00", "start": "19:00", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-12257-minnpm-customizable-optimizing-dependency-resolution", "url": "https://pretalx.com/packagingcon-2021/talk/K8C9HR/", "title": "MinNPM: Customizable Optimizing Dependency Resolution", "subtitle": "", "track": "Solvers", "type": "Talk", "language": "en", "abstract": "When performing dependency resolution, \r\na package manager makes choices about which versions\r\nof packages to install. These choices impact the final bundled application\r\nin a variety of ways, such as: \r\ncorrectness, code size, performance and security vulnerabilities.\r\nDifferent production package managers (such as NPM, Pip and Cargo)\r\ncan produce very different results when resolving identical lists of dependencies,\r\nwhich can lead to users being confounded and having little choice over\r\ndependency resolution behavior. 
\r\nWe address this by developing a unifying formal model of the semantics\r\nof dependency resolution, and show that this model can encompass and highlight\r\nthe key differences between NPM, Pip and Cargo.\r\nFurther, our formal model delineates a design space of hypothetical package\r\nmanagers, which popular package managers only inhabit a part of.\r\nWe enable empirical exploration of this design space by implementing MinNPM,\r\na drop-in replacement for NPM which allows for user-specified\r\ncustomization of the dependency resolution semantics.\r\nUsing MinNPM we explore the empirical differences within the design space,\r\nboth among existing package managers' semantics, and with novel semantics\r\nwhich allow us to directly minimize arbitrary optimization objectives.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "BU7PPZ", "name": "Donald Pinckney", "avatar": "https://pretalx.com/media/avatars/BU7PPZ_8xMN3NG.webp", "biography": "I enjoy working on formalizing semantics of systems so as to uncover surprising behavior, and fix related bugs. 
Recently I'm working on understanding the semantics of package managers.", "public_name": "Donald Pinckney", "guid": "d286330b-bbfb-5be7-8076-112bf6111339", "url": "https://pretalx.com/packagingcon-2021/speaker/BU7PPZ/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/K8C9HR/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/K8C9HR/", "attachments": []}, {"guid": "669ca913-53d2-52be-82b9-e730772d6bc2", "code": "LJ9HJK", "id": 12184, "logo": null, "date": "2021-11-09T19:25:00+00:00", "start": "19:25", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-12184-beyond-version-solving-implementing-general-package-solvers-with-answer-set-programming", "url": "https://pretalx.com/packagingcon-2021/talk/LJ9HJK/", "title": "Beyond version solving: implementing general package solvers with Answer Set Programming", "subtitle": "", "track": "Solvers", "type": "Talk", "language": "en", "abstract": "Most package managers need a dependency solver, but dependency solving is an NP-hard problem, and writing a correct solver from scratch is difficult to do correctly, let alone a fast solver. Simply understanding the solution space is a challenge, from simple SAT solvers, to specialized solutions like PubGrub and libsolv, to Satisfiability Modulo Theories (SMT) and Answer Set Programming (ASP) solvers. Solvers may need to optimize for multiple objectives -- preferring the most recent versions of dependencies is common, but multi-valued build options, optional dependencies, virtual dependencies, and build options like compilers, architectures, and ABI compatibility can also factor into a solve.\r\n\r\nWe have recently shipped a new solver in the Spack package manager that relies on the `clingo` Answer Set Programming (ASP) framework to accomplish many of these goals. 
We'll talk about how we handle complex features like optional dependencies, generalized conditions, virtual dependencies (interfaces), compiler selection, ABI options, and multiple optimization criteria in around 500 lines of declarative code. We'll talk about some of the semantics of ASP that lend themselves to very general package solving (vs other models like SMT). Finally, we'll show some performance numbers with large package repositories.", "description": "Spack recently gutted its package solver and replaced it with a very general solver\r\nbased on ASP. ASP is a logic programming framework that borrows Prolog's syntax for\r\nfirst-order logic, but boils it down to SAT underneath. Over the past 25 years or so,\r\nASP has made great strides in solver performance by borrowing from industrial SAT\r\nsolvers and optimization tools, and ASP frameworks are able to solve much larger and\r\nmore complex problems than most in the packaging domain.\r\n\r\nSpack's dependency model is targeted *both* at configuring from-source builds and at\r\nreusing optimized binary packages, but doing both of these things requires a much more\r\ngeneral solver framework than is offered by most systems. In particular, the type of\r\ndecisions handled by systems like PubGrub typically extends only to version selection,\r\nbut to enable solvers to deal with build-time parameters requires much deeper package\r\nparameterization. In particular, Spack packages can depend on particular build options,\r\ncompilers, compiler flags, and ABI options. The solver will reuse a binary *if* it meets\r\nparticular build criteria, but it will decide instead to build a new version from\r\nscratch if it can't find a suitable binary. Builds can thus be \"configured\" by the\r\nsolver for compatibility with selected binaries. 
Most package ecosystems and\r\ndistributions enforce consistent ABI choices (like compiler and package ABI versions) --\r\nour goal is to avoid these restrictions and allow users to write very general packages\r\nthat can more easily build new stacks in exotic environments (like HPC machines).\r\n\r\nThe talk will give an overview of Spack's dependency model, and we'll show how ASP and\r\nmultiple optimization criteria are *needed* to implement these more general semantics.\r\nWe'll compare to other package solvers like PubGrub and show how features of ASP solvers\r\n(like unsatisfiable cores) can be used to construct meaningful error messages even with\r\ncomplex solves. We'll also show the maintenance benefits of relying on an established\r\nsolver framework -- the core logic of the solve can be implemented in around 500 lines\r\nof declarative code, which makes it much more maintainable than a custom,\r\ndomain-specific solution.", "recording_license": "", "do_not_record": false, "persons": [{"code": "RD7SJX", "name": "Todd Gamblin", "avatar": "https://pretalx.com/media/avatars/RD7SJX_QZJnZHZ.webp", "biography": "Todd Gamblin is a Senior Principal MTS in Livermore Computing's Advanced Technology Office at Lawrence Livermore National Laboratory. He created Spack, a popular open source HPC package management tool with a rapidly growing community of contributors. He leads the Packaging Technologies Project in the U.S. Exascale Computing Project, LLNL's DevRAMP project on developer productivity, and an LLNL Strategic Research Initiative on software integration and dependency management. 
His research interests include dependency management, software engineering, parallel computing, performance measurement, and performance analysis.", "public_name": "Todd Gamblin", "guid": "efd6f68f-b8d2-5c01-b4c6-e35b4ae0b5b0", "url": "https://pretalx.com/packagingcon-2021/speaker/RD7SJX/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/LJ9HJK/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/LJ9HJK/", "attachments": []}, {"guid": "3cd4d1f5-9e1b-5fa3-b5be-76cccccc153e", "code": "MXVTEA", "id": 11955, "logo": null, "date": "2021-11-09T19:50:00+00:00", "start": "19:50", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-11955-building-a-flexible-dependency-solver-in-rust", "url": "https://pretalx.com/packagingcon-2021/talk/MXVTEA/", "title": "Building a flexible dependency solver in Rust", "subtitle": "", "track": "Solvers", "type": "Talk", "language": "en", "abstract": "Dependency solving is a hard problem, especially when mixed with additional features such as optional dependencies, multiple versions or availability of pre-releases. We present a rewrite from scratch of a recent algorithm called PubGrub, as a Rust library aiming at great performance and flexibility for reuse. We will dive into its core mechanisms, its high-level usage, as well as our new ideas enabling behavioral extensions such as optional dependencies, entirely in user space without changing the library API.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "M8KJGY", "name": "Matthieu Pizenberg", "avatar": null, "biography": "I'm a computer vision researcher with a passion for open source and functional programming. 
Last year I made a deep dive into dependency resolution which was needed for my Elm test runner.", "public_name": "Matthieu Pizenberg", "guid": "ce47a819-b3f2-5708-aed4-97db026bc82d", "url": "https://pretalx.com/packagingcon-2021/speaker/M8KJGY/"}, {"code": "JVMKTN", "name": "Jacob Finkelman", "avatar": null, "biography": "I am on the Cargo Team helping to maintain Rust's package manager. \r\nI work on the CodeArtifact project for AWS.", "public_name": "Jacob Finkelman", "guid": "c3898ac8-1708-5f18-913e-cdad7133a260", "url": "https://pretalx.com/packagingcon-2021/speaker/JVMKTN/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/MXVTEA/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/MXVTEA/", "attachments": [{"title": "slides of the talk", "url": "/media/packagingcon-2021/submissions/MXVTEA/resources/pubgrub-rs-packaging-con-2021_7gsJi7v.pdf", "type": "related"}]}, {"guid": "e3a18d7a-c3ec-59ed-a282-a9c3395ae9cf", "code": "PCC9GD", "id": 11918, "logo": null, "date": "2021-11-09T20:15:00+00:00", "start": "20:15", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-11918-an-invitation-to-order-theoretic-models-of-package-dependencies", "url": "https://pretalx.com/packagingcon-2021/talk/PCC9GD/", "title": "An Invitation to Order-Theoretic Models of Package Dependencies", "subtitle": "", "track": "Solvers", "type": "Talk", "language": "en", "abstract": "This talk will introduce some elements of ongoing research in the mathematical structure of package dependencies. 
This work helps to explain how to think about dependencies, how to compare expressiveness of dependency systems (and strength of solvers), and also how to model an algebra of operations of package repositories.", "description": "This will be an accessible talk introducing and motivating some of the more basic mathematical constructions in \"The Semantics of Package Management via Event Structures\" (https://arxiv.org/abs/2107.01542) and \"The Topological and Logical Structure of Concurrency and Dependency via Distributive Lattices\" (https://arxiv.org/abs/2004.05688). Among other things it will explain how the underappreciated Bruns-Lakser completion gives insight into nix-style package management, and how models of package repositories can draw on tools developed for the semantics of concurrent programs.\r\n\r\nThis work both draws on modern mathematical techniques and also hands-on experience as a contributor and advisor to the Cabal package system in Haskell, as well as a maintainer of the Hackage repository of Haskell packages.", "recording_license": "", "do_not_record": false, "persons": [{"code": "7AGV9U", "name": "Gershom Bazerman", "avatar": "https://pretalx.com/media/avatars/7AGV9U_s0p3AnY.webp", "biography": "Gershom Bazerman is a longtime contributor to the Haskell ecosystem. He is a maintainer of the Hackage package repository, and contributor to the Cabal package management system. He also served on the Haskell.org committee for five years, and is a co-founder of both the NY Haskell Users Group and the NY Homotopy and Type Theory reading group. 
He currently works as a senior software engineer at Awake Security.", "public_name": "Gershom Bazerman", "guid": "5be2e3c4-585c-5a3f-bf24-d4323ad5dfc6", "url": "https://pretalx.com/packagingcon-2021/speaker/7AGV9U/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/PCC9GD/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/PCC9GD/", "attachments": []}, {"guid": "697f1767-4759-5b70-8381-e687f03473ea", "code": "YX8QCA", "id": 11956, "logo": "https://pretalx.com/media/packagingcon-2021/submissions/YX8QCA/conan_OnWMD1x.jpeg", "date": "2021-11-09T20:40:00+00:00", "start": "20:40", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-11956-the-riddle-of-package-managers-solved-by-conan", "url": "https://pretalx.com/packagingcon-2021/talk/YX8QCA/", "title": "The Riddle of Package Managers\u2026 Solved by Conan", "subtitle": "", "track": "Deep Dives", "type": "Talk", "language": "en", "abstract": "As a C and C++ developer how do you choose the right package management system for your code? There are a ton of questions that you should be asking yourself: does it have integrations, do we need end-to-end binary management, can it work with different software systems, will it provide consistency to my CI/CD workflow? Fortunately we have an open source solution that solves the riddle of package managers\u2026 Conan! \r\n\r\nConan the Barbarian is forced to solve \u201cThe riddle\u2026 of steel,\u201d so that he can reach his end goal of resting in eternity in Valhalla. To a somewhat lesser degree we want to make our users happy and solve the riddle of package managers and for us that is Conan with Artifactory. In this session we will talk about how C and C++ developers that are having issues when trying to create a repository system for their packages can solve this complex problem with Conan. 
Conan abstracts away build systems, defines a \u201cProject API\u201d for C++ project, provides a repository system for multi-binary packages, and serves as a building block for Continuous Integration workflows.", "description": "In this session we will talk about how C and C++ developers that are having some issues when trying to create a repository system for their packages while focusing on the open source project called Conan. Conan abstracts away build systems, defines a \u201cProject API\u201d for C++ project, provides a repository system for multi-binary packages, and serves as a building block for Continuous Integration workflows.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CNNR83", "name": "Batel Zohar", "avatar": "https://pretalx.com/media/avatars/CNNR83_92nputU.webp", "biography": "Batel Zohar is a Developer Advocate for JFrog and has a background in DevOps support engineering, web development, and embedded software engineering. Prior to this, Batel served as an Enterprise Solutions Lead on a dedicated team that accompanies and assists large customers through the architectural implementation of the JFrog platform. 
She loves her dogs, plays guitar, and is a fan of Marvel\u2019s movies", "public_name": "Batel Zohar", "guid": "4b877ec3-ad9a-5b5c-b393-ba2c3053a4db", "url": "https://pretalx.com/packagingcon-2021/speaker/CNNR83/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/YX8QCA/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/YX8QCA/", "attachments": []}], "Room 3": [{"guid": "f95c447c-d194-5fa6-b990-33a85fbcf1d7", "code": "YRTFG9", "id": 12034, "logo": null, "date": "2021-11-09T17:00:00+00:00", "start": "17:00", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-12034-defending-against-attacks-on-package-managers", "url": "https://pretalx.com/packagingcon-2021/talk/YRTFG9/", "title": "Defending against attacks on package managers", "subtitle": "", "track": "Supply Chain Security", "type": "Talk", "language": "en", "abstract": "In this talk, Joshua Lock and Marina Moore will discuss common attacks on package managers, and the kinds of threats that package managers face as part of the software supply chain. They will then present The Update Framework (TUF), a mechanism for securing package managers against these threats in a simple, resilient way that will protect users against even nation state attacks. Package managers can adopt all features of TUF wholesale, or start with the subset that will be most helpful for their users. This talk will conclude with a demonstration of TUF\u2019s versatility; explaining how TUF has been adopted by the Python Packaging Index (PyPI) to provide end-to-end protection of packages from the developer to the end user, and how this adoption can be used as a model for other package managers looking to improve software distribution and update security.", "description": "The Update Framework (TUF) is a CNCF graduated project that provides a specification and reference implementation for securing software update systems and other types of content repository. 
It is used in practice by a diverse range of applications; from single application updaters, through operating systems to automotive firmware update systems and package managers like pip and Composer (for Drupal). TUF was designed to specifically counter previous attacks on software update systems and to create a simple, compromise-resilient framework that will make supply chain attacks on software update systems much harder.\r\n\r\nThis talk will be valuable to maintainers of package managers that support software updates. It will provide information about attacks that package managers may be vulnerable to, as well as tools to prevent these attacks. The audience will come away with a practical understanding of TUF that they can bring back to their projects to improve security either by implementing TUF directly, or by applying some of the principles to make modular improvements to security.", "recording_license": "", "do_not_record": false, "persons": [{"code": "BSMMBJ", "name": "Joshua Lock", "avatar": "https://pretalx.com/media/avatars/BSMMBJ_f2nzOkL.webp", "biography": "Joshua is a collaborator and maintainer on The Update Framework (TUF) and Supply-chain Levels for Software Artifacts (SLSA) projects. He is fortunate enough to work on these projects, and others, at VMware in their Open Source Technology Center. In a past life he spent many years working on and with the Yocto Project. Joshua has spoken at several events including Linux Security Summit, Embedded Linux Conference, and KubeCon + CloudNativeCon.", "public_name": "Joshua Lock", "guid": "0e41b0b9-adce-5bf0-845f-4a4b89592a83", "url": "https://pretalx.com/packagingcon-2021/speaker/BSMMBJ/"}, {"code": "ETFNEA", "name": "Marina Moore", "avatar": "https://pretalx.com/media/avatars/ETFNEA_U3stk4C.webp", "biography": "Marina Moore is a PhD student at NYU Tandon\u2019s Secure Systems Lab focusing on secure software updates and supply chain security. 
While at NYU she has worked primarily on research and development for The Update Framework (TUF), Uptane and Notary.", "public_name": "Marina Moore", "guid": "5b49284e-87e0-52ea-966e-28fbd9577dd7", "url": "https://pretalx.com/packagingcon-2021/speaker/ETFNEA/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/YRTFG9/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/YRTFG9/", "attachments": []}, {"guid": "a634d2b5-0c4c-5a56-aef7-5ab2a2501329", "code": "7L88W8", "id": 12173, "logo": null, "date": "2021-11-09T17:25:00+00:00", "start": "17:25", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-12173-mitigating-open-source-software-supply-chain-attacks-with-ossibot", "url": "https://pretalx.com/packagingcon-2021/talk/7L88W8/", "title": "Mitigating Open-source Software Supply Chain Attacks With OSSIBOT", "subtitle": "", "track": "Supply Chain Security", "type": "Talk", "language": "en", "abstract": "Software package managers have become a vital part of the modern software development process. They allow developers to easily adopt third-party software and streamline the development process. However, bad actors today reportedly leverage highly sophisticated techniques such as typo-squatting and social engineering to \u201csupply\u201d purposefully harmful code (malware) and carry out software supply chain attacks. For example, eslint-scope, a NPM package with millions of weekly downloads, was compromised to steal credentials from developers. \r\n\r\nWe are building a large-scale automated vetting infrastructure to analyze millions of published software packages and provide actionable insights into their composition and security posture. In this presentation, we will cover the technical details of our system and introduce a free tool for developers to detect accidental installation of \u201crisky\u201d packages and mitigate software supply chain attacks. 
We have already detected a number of abandoned, typo-squatting, and malicious packages. We will present our findings, highlight different types of attacks and measures that developers can take to thwart such attacks. With our work, we hope to enhance productivity of the developer community by exposing undesired behavior in untrusted third-party code, maintaining developer trust and reputation, and enforcing security of package managers.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "MHWXGD", "name": "Ashish Bijlani", "avatar": "https://pretalx.com/media/avatars/MHWXGD_W5XuUiS.webp", "biography": "Ashish holds a Ph.D. in Computer Science from Georgia Institute of Technology. He has over 8 years of industry experience, from working at startups as well as the Fortune 100 technology companies. Currently, Ashish leads the research and development at Ossillate, a cybersecurity startup that he founded as a graduate student. He has a record of highly visible research, including 4 software patents and 8 peer-reviewed academic papers in top-tier Computer Science conferences. 
He has also presented his work at premier industry conferences, such as Open Source Summit and Linux Plumbers Conference.", "public_name": "Ashish Bijlani", "guid": "acb80e9c-6049-5290-9883-1b80c59fb142", "url": "https://pretalx.com/packagingcon-2021/speaker/MHWXGD/"}, {"code": "3HHFC7", "name": "Ajinkya Rajput", "avatar": null, "biography": null, "public_name": "Ajinkya Rajput", "guid": "5cf98eba-f317-5896-a5f7-0361904a2830", "url": "https://pretalx.com/packagingcon-2021/speaker/3HHFC7/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/7L88W8/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/7L88W8/", "attachments": []}, {"guid": "05c752aa-a196-58b9-b2b6-a2b713ebb171", "code": "ETZHPY", "id": 12010, "logo": null, "date": "2021-11-09T17:50:00+00:00", "start": "17:50", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-12010-hello-world-a-survey-of-trust-based-code-reuse", "url": "https://pretalx.com/packagingcon-2021/talk/ETZHPY/", "title": "HELLO WORLD: A Survey of Trust-Based Code Reuse", "subtitle": "", "track": "Supply Chain Security", "type": "Talk", "language": "en", "abstract": "Open source software communities rely heavily on user trust. However, typosquatting, watering hole attacks, and developer infrastructure exploits can easily undermine the same honor system that enables easy software package reuse. To better understand trust-based code reuse within language-based ecosystems like npm and Python Package Index (PyPI), IQT Labs recently surveyed 150 software engineers, data scientists, and web developers. Despite high levels of educational attainment, the majority of survey takers agreed with the statement \u201cI wish I knew more about security vulnerabilities associated with code reuse.\u201d When asked who is responsible for keeping code safe, more than half of respondents indicated security is a responsibility individual developers share with package registries. 
However, this diffusion of responsibility and assumption that package registries have adequate resources to address today's shared code vulnerabilities can lead to developer complacency, particularly since many participants admitted they \u201cdo not engage in pre-install code vetting.\u201d In addition to discussing the value of more training, clearer policies, and more robust organizational support, this talk explores the importance of package manager usability.", "description": "* Original survey instrument: https://www.surveymonkey.com/r/codereuse\r\n* Summary of the work: https://www.iqt.org/code-reuse-holy-grail-or-poisoned-chalice/\r\n* Data and visualizations: https://www.howdoyou.dev/", "recording_license": "", "do_not_record": true, "persons": [{"code": "JWRLUF", "name": "George P. Sieniawski", "avatar": null, "biography": "As Senior Technologist at IQT Labs, George P. Sieniawski leads research, prototyping, and digital ethnography projects in a wide range of settings. These incl. a multi-year, pre-COVID-19 collaboration with the CDC/NCIRD focused on visualizing uncertainty within infectious disease forecast data. A more recent six-month effort, called PCAPviz, involved developing and delivering new network traffic exploration capabilities to security administrators.", "public_name": "George P. Sieniawski", "guid": "be710ec0-3acc-5caf-b1a6-d7bcb5d5b7b4", "url": "https://pretalx.com/packagingcon-2021/speaker/JWRLUF/"}, {"code": "VV78YV", "name": "John Speed Meyers", "avatar": "https://pretalx.com/media/avatars/VV78YV_LVtBlIZ.webp", "biography": "John Speed Meyers is an engineer in IQT Labs. 
His R&D work focuses on open source software, especially productivity benefits, security risks, and analysis of open source software ecosystems.", "public_name": "John Speed Meyers", "guid": "ab77f9f9-b23b-5dbe-9ebd-ec5c5cc3d187", "url": "https://pretalx.com/packagingcon-2021/speaker/VV78YV/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/ETZHPY/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/ETZHPY/", "attachments": []}, {"guid": "b3f7b080-16c0-575e-87bb-81ced66d976c", "code": "H8FDJL", "id": 12181, "logo": null, "date": "2021-11-09T18:15:00+00:00", "start": "18:15", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-12181-trustix-a-new-model-for-trust-in-binary-software-distribution", "url": "https://pretalx.com/packagingcon-2021/talk/H8FDJL/", "title": "Trustix - A new model for trust in binary software distribution", "subtitle": "", "track": "Supply Chain Security", "type": "Talk", "language": "en", "abstract": "We often use pre-built software binaries and trust that they correspond to the program we want.\r\nBut nothing assures that these binaries were really built from the program's sources and a set of reasonable build instructions.\r\n\r\nCommon, costly supply chain attacks exploit this to distribute malicious software, which is one reason why most software is delivered through centralized, highly secured providers.\r\nTrustix, our reference implementation of a new concept we like to call \"build transparency\", solves this in an entirely different, decentralized manner.\r\n\r\nWe can accomplish this by leveraging the transparency properties of purely functional package managers such as Nix and coupling this with transparency logs that can be cross compared across multiple independent trust roots.\r\n\r\nThis talk will guide you through the general ideas and concepts underlying this idea and the practical challenges in implementing such a system.", "description": "", "recording_license": "", 
"do_not_record": false, "persons": [{"code": "7EMDJR", "name": "adisbladis", "avatar": "https://pretalx.com/media/avatars/7EMDJR_xwGYZGQ.webp", "biography": "Adam is a senior software engineer with Tweag I/O specialising in Nix and related technologies.", "public_name": "adisbladis", "guid": "3e08b4b9-4685-52ef-85a0-9a206c14c382", "url": "https://pretalx.com/packagingcon-2021/speaker/7EMDJR/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/H8FDJL/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/H8FDJL/", "attachments": []}, {"guid": "6c787858-f7ee-5724-b5f4-f247976f00bb", "code": "GVV7PU", "id": 12160, "logo": null, "date": "2021-11-09T19:00:00+00:00", "start": "19:00", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-12160-pypi-supply-chain-security", "url": "https://pretalx.com/packagingcon-2021/talk/GVV7PU/", "title": "PyPI & Supply Chain Security", "subtitle": "", "track": "Supply Chain Security", "type": "Talk", "language": "en", "abstract": "The Python Package Index (PyPI) is one of the oldest software repositories for a language ecosystem and the canonical place to publish Python code. It serves more than 2 billion requests a day, and is almost entirely supported by volunteers and the non-profit Python Software Foundation. \r\n \r\nIn this talk, we'll review some recent supply-chain attacks and how they relate to PyPI specifically. 
In addition, we'll take a look at some in-progress projects to make PyPI more resilient, secure and sustainable.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "YRRKXN", "name": "Dustin Ingram", "avatar": "https://pretalx.com/media/avatars/YRRKXN_HRijtVC.webp", "biography": "Dustin Ingram is a director at the Python Software Foundation, a maintainer of the Python Package Index, and a Developer Advocate at Google.", "public_name": "Dustin Ingram", "guid": "c18f5588-9859-58f2-8b5e-866bbd02da2f", "url": "https://pretalx.com/packagingcon-2021/speaker/YRRKXN/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/GVV7PU/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/GVV7PU/", "attachments": []}, {"guid": "6484a250-ffe0-5798-8afd-cb9474ec8273", "code": "BGXP3D", "id": 11965, "logo": "https://pretalx.com/media/packagingcon-2021/submissions/BGXP3D/logo-text_INoA75t.png", "date": "2021-11-09T19:25:00+00:00", "start": "19:25", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-11965-why-everyone-should-do-reproducible-builds", "url": "https://pretalx.com/packagingcon-2021/talk/BGXP3D/", "title": "Why everyone should do reproducible builds", "subtitle": "", "track": "Supply Chain Security", "type": "Talk", "language": "en", "abstract": "Why everyone should do reproducible builds and how can package managers help in getting there.", "description": "Distributors and users alike are worried these days about supply chain attacks as those on SolarWinds. \r\n\r\nFor FLOSS developers, reproducible-builds is an easy way to let people verify that the published packages indeed correspond to their public sources.\r\n\r\nThis presentation will answer the Why? What? and How?", "recording_license": "", "do_not_record": false, "persons": [{"code": "Z7LKWZ", "name": "Bernhard M. Wiedemann", "avatar": "https://pretalx.com/media/avatars/Z7LKWZ_O1TyXo2.webp", "biography": "Bernhard M. 
Wiedemann is a software developer and sysadmin, since 2016 working at SUSE on reproducible builds. He wrote over 600 patches for various projects, including rpm and python setuptools.\r\n\r\nIn earlier times he managed OpenStack clouds, wrote the openQA OS-testing tool and the long obsolete `translucency` filesystem overlay for Linux-2.4", "public_name": "Bernhard M. Wiedemann", "guid": "08e6057f-2117-5358-ae0d-361f480188c8", "url": "https://pretalx.com/packagingcon-2021/speaker/Z7LKWZ/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/BGXP3D/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/BGXP3D/", "attachments": [{"title": "Slides", "url": "/media/packagingcon-2021/submissions/BGXP3D/resources/reproducible_tAPXqFV.pdf", "type": "related"}]}, {"guid": "c8e6ea2a-01a7-56ad-b9dd-702a1533bc0a", "code": "X7U9LU", "id": 11963, "logo": null, "date": "2021-11-09T19:50:00+00:00", "start": "19:50", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-11963-go-mod-s-lesser-known-features-for-supply-chain-security", "url": "https://pretalx.com/packagingcon-2021/talk/X7U9LU/", "title": "Go mod's lesser known features for supply chain security", "subtitle": "", "track": "Supply Chain Security", "type": "Talk", "language": "en", "abstract": "Golang's module and dependency system addresses more than version management. This talk will explore the lesser known features which support security in the software supply chain.", "description": "Golang uses the Minimum Version Selection (MVS) to select module versions. This deterministic algorithm has nice properties for reproducible builds and avoids the NP-complete runtime complexity. However, when one digs into the details, they find an array of features and techniques which also support security in the supply chain. 
The holistic approach from algorithms to tooling demonstrates the experience and expertise that went into designing Go's dependency management system.", "recording_license": "", "do_not_record": false, "persons": [{"code": "R3FZPN", "name": "Tony Worm", "avatar": null, "biography": "https://www.linkedin.com/in/dr-tony-worm/\r\n\r\nhttps://github.com/verdverm\r\n\r\nhttps://github.com/hofstadter-io", "public_name": "Tony Worm", "guid": "634634a0-0f6c-574b-a73f-17e1392476b2", "url": "https://pretalx.com/packagingcon-2021/speaker/R3FZPN/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/X7U9LU/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/X7U9LU/", "attachments": []}, {"guid": "a76b23ab-b2d5-5f8d-8c57-aa1a6867a06d", "code": "XM3MAB", "id": 12262, "logo": "https://pretalx.com/media/packagingcon-2021/submissions/XM3MAB/slsa-dancing-goose-logo_UycXL8P.jpg", "date": "2021-11-09T20:15:00+00:00", "start": "20:15", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-12262-securing-the-supply-chain-with-slsa", "url": "https://pretalx.com/packagingcon-2021/talk/XM3MAB/", "title": "Securing the Supply Chain with SLSA", "subtitle": "", "track": "Supply Chain Security", "type": "Talk", "language": "en", "abstract": "Package Managers are an increasingly popular target of attack.\r\nTheir near-ubiquity in many software ecosystems places developers and end-users at risk while their critical supply chain role makes code execution a frequent consequence of compromise.\r\n\r\nHowever with this centralized risk, there is centralized opportunity: Even modest process and policy changes stand to markedly improve each package manager's respective ecosystem.\r\nThe limited resources available to maintainers should be spent where they can deliver the greatest security benefit.\r\nTo this end, we present high-value interventions that apply standardized tools and frameworks like Supply-chain Levels for Software Artifacts (SLSA) to 
the generalized package management domain.", "description": "It's an old refrain that the security ideal is for your code to run nowhere and do nothing.\r\nTherein lies the original sin of software packaging: It helps software run anywhere and do anything.\r\nWhat's worse, most of it is _other people's software_.\r\n\r\nFundamentally, package managers facilitate reuse with the aim of making developers more productive.\r\nCommon abstractions or tools need only be written and packaged a handful of times to serve an entire ecosystem.\r\nThis incentive structure often leads package managers to prioritize flexibility, stability, and ease-of-use over security and authenticity.\r\nBut even if these priorities could be inverted, code reuse is simply too valuable and too widespread to give up. If anything, we can expect a relentless increase in the depth and breadth of package dependency graphs.\r\nFrom this somewhat gloomy premise, how do we manage this growing complexity?\r\n\r\nWe posit that the only scalable, generalized option to address these supply chain security concerns is automated dependency graph analysis.\r\nGraph analysis can utilize metadata like author identity, source origin, and packaging procedure to track packages' security posture, vulnerability status, etc. 
in an ecosystem-agnostic fashion.\r\nBut for this sort of analysis to provide any security value, we need to have trustworthy metadata in standard data formats.\r\n\r\nSupply-chain Levels for Software Artifacts (SLSA) provides a suitable framework for both standardized data formats and tracking progressive compliance.\r\nAnd instead of rooting trust in elaborate public key infrastructure, we propose bootstrapping it off of existing, durable developer identities.\r\n\r\nFinally, ecosystem change is never easy, perhaps least of all when it involves new security controls.\r\nAs such, these building blocks are purposely easy to deploy, adaptable to various ecosystems, and provide sufficient incentive to make implementation worthwhile.", "recording_license": "", "do_not_record": false, "persons": [{"code": "QKZDVS", "name": "Matthew Suozzo", "avatar": "https://pretalx.com/media/avatars/QKZDVS_HRoqELc.webp", "biography": "Matthew works on Supply Chain Security at Google.", "public_name": "Matthew Suozzo", "guid": "87901ea8-2c43-51f6-b4cb-40d535e392eb", "url": "https://pretalx.com/packagingcon-2021/speaker/QKZDVS/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/XM3MAB/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/XM3MAB/", "attachments": []}], "Room 4": [{"guid": "3430176b-1b22-5dca-a63d-5d1cb1a0fb86", "code": "ZWAPSZ", "id": 12062, "logo": null, "date": "2021-11-09T17:00:00+00:00", "start": "17:00", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-12062-building-flatpak-apps-without-flatpak-builder", "url": "https://pretalx.com/packagingcon-2021/talk/ZWAPSZ/", "title": "Building Flatpak apps without flatpak-builder", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "Flatpak-builder is a wrapper around various Flatpak commands to simplify packaging software including, but not limited to, from source. 
But what if your application is already built as part of CI/CD pipeline, or the host Linux distribution has user namespaces disallowed? Let's have a look at what flatpak-builder actually does and how to flatpak software from scratch.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "GCWSXB", "name": "Bart\u0142omiej Piotrowski", "avatar": "https://pretalx.com/media/avatars/GCWSXB_8XWtrJ3.webp", "biography": "Maintainer of Flathub, app store and build service for Flatpak, member of GNOME Foundation, Site Reliability Engineer by trade. Spent the last 10 years maintaining packages for Arch Linux.", "public_name": "Bart\u0142omiej Piotrowski", "guid": "09c47087-35ed-51e2-867f-fd70ed3bc740", "url": "https://pretalx.com/packagingcon-2021/speaker/GCWSXB/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/ZWAPSZ/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/ZWAPSZ/", "attachments": [{"title": "Slides", "url": "/media/packagingcon-2021/submissions/ZWAPSZ/resources/packagingcon2021_wblsQ4r.pdf", "type": "related"}]}, {"guid": "d7947496-5d67-583a-8a05-585a8993f394", "code": "VPV999", "id": 12079, "logo": null, "date": "2021-11-09T17:25:00+00:00", "start": "17:25", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-12079-streamlining-vmware-s-open-source-licensing-compliance-with-bazel", "url": "https://pretalx.com/packagingcon-2021/talk/VPV999/", "title": "Streamlining VMware's Open Source Licensing Compliance With Bazel", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "With hundreds of thousands of open source software (OSS) projects to choose from, OSS is a vital component of almost any codebase. However, with over a thousand unique licenses to comply with, complexity of managing OSS use cannot be overlooked. 
Identifying and tracking OSS to comply with license requirements adds friction to the development process and can result in product-release delays. At VMware, developers must run a scanner to identify a Bill of Material (BOM) of what OSS is being used. This extra step adds toil and leaves room for error. Some scanners are imprecise, compounding these issues. \r\n\r\nWe solve this problem using Bazel to create an accurate BOM containing OSS and third-party packages during a build. To do this, we made a Bazel aspect that analyzes the dependency graph and collects information about each package from VMware's internal Artifactory. Additionally, it consumes a list of approved and denied OSS from VMware's legal team. By moving OSS validation to build time, OSS decisions are made earlier in the development and review process, making them less costly.", "description": "Our Bazel aspect outputs two files. First, it creates a BOM yaml file, which includes information on each OSS dependency. Second, it creates a BOM-issues file, containing a subset of OSS dependencies that have been denied for use by the legal team or that are still waiting for approval. A Jenkins server uses the BOM to file legal-review tickets for newly-added OSS. Release managers and developers can use the BOM-issues to identify problems, and the existence of issues can fail a build.  \r\n\r\nWe would like to present our work because we hope it will inform the design of general-purpose licensing infrastructure for the Bazel community.", "recording_license": "", "do_not_record": false, "persons": [{"code": "Z3EMXB", "name": "Daniel Machlab", "avatar": null, "biography": "A big fan of Open Source Software and an efficient development lifecycle, Daniel Machlab has dedicated his interests to making OSS license compliance seamless for his fellow VMware developers\u2014and the entire Bazel community. 
Daniel's passion and appreciation for the Open Source Community dates back to his high school days when used OSS in his first apps. He had no idea that years later he would contribute a solution back to the community to make OSS easier to use.", "public_name": "Daniel Machlab", "guid": "51bdc13a-a1b4-5b5e-b3a6-c6fc443c3ec1", "url": "https://pretalx.com/packagingcon-2021/speaker/Z3EMXB/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/VPV999/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/VPV999/", "attachments": []}, {"guid": "a9f7e383-d532-5cb9-8f71-a31b7c5eee33", "code": "YZFJDR", "id": 12128, "logo": null, "date": "2021-11-09T17:50:00+00:00", "start": "17:50", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-12128-containers-what-s-package-management-got-to-do-with-it", "url": "https://pretalx.com/packagingcon-2021/talk/YZFJDR/", "title": "Containers: What's package management got to do with it?", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "Containers and software packages share many traits, but there are also many key attributes lacking in the container management ecosystem that are otherwise present in the package management ecosystem. The popular thinking is that containers do not need package management as those tasks either don\u2019t apply or can be delegated to a higher level orchestrator. The consequence of missing patterns from the packaging community is a less robust and less consistent user experience in distributed cloud compared to what we experience in other domains. 
This talk will discuss similarities (eg: state management, configuration, and organization of packages into meta-packages) and differences (eg: weak versioning, metadata inclusion, and build determinism) in the container ecosystem compared with familiar package management ecosystems and propose potential improvements to container management inspired by learnings from the package management space.", "description": "The container build and distribution ecosystem is the foundation for cloud native applications. Containers are built in the same way that one would configure their desktop to run an application, ie: There isn\u2019t much thought given to the packaging aspects of the container ecosystem such as build repeatability, dependency management, and compatibility solving. These topics are \u201cmanaged by the orchestrator\u201d, but this is actually implemented with arcane layers of multiple nested orchestrators in control loops, with nesting config and config file generators. This is complicated, indirect, and brittle.\r\nPackage management patterns exist today and already solve most of the problems containers are facing. The patterns may need to be applied slightly differently of course as containers are a new type of package. As noted in the abstract this talk will discuss key attributes from the state of the art of packaging and package management systems which are present in the containers ecosystem and other missing attributes. Finally, we explore some opportunities present in the gap between the current container build and distribution ecosystem and the state of the art in packaging, and how bridging this gap will result in a more coherent user experience at the orchestration level and beyond.", "recording_license": "", "do_not_record": false, "persons": [{"code": "X7SWJQ", "name": "Nisha Kumar", "avatar": "https://pretalx.com/media/avatars/X7SWJQ_1Vj8b4I.webp", "biography": "Nisha is a Senior Open Source Engineer at VMware. 
She works on tools to improve the container build and distribution ecosystem. You can follow her on Twitter @nishakmr.", "public_name": "Nisha Kumar", "guid": "47ee97e6-5817-52d5-a412-35d9f7b820eb", "url": "https://pretalx.com/packagingcon-2021/speaker/X7SWJQ/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/YZFJDR/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/YZFJDR/", "attachments": []}, {"guid": "9fa7dcb4-a3a3-58e0-9bae-5fbed72915a6", "code": "9LSDES", "id": 12047, "logo": null, "date": "2021-11-09T18:15:00+00:00", "start": "18:15", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-12047-how-helm-the-package-manager-for-kubernetes-works", "url": "https://pretalx.com/packagingcon-2021/talk/9LSDES/", "title": "How Helm, The Package Manager For Kubernetes, Works", "subtitle": "", "track": "Deep Dives", "type": "Talk", "language": "en", "abstract": "Helm is the long standing package manager for Kubernetes. Helm packages, called charts, are installed from distributed repositories. In this session you'll learn how Helm came to be, how Helm works, and why it was designed this way. This will include how Helm handles dependencies, how charts are created, signing and verification, and more.", "description": "Helm has been the package manager for Kubernetes since near the beginning. Development on Helm began shortly after Kubernetes 1.0 was released. Since then, Helm has grown in use and popularity.\r\n\r\nKubernetes is different from an operating system, like Linux, or a programming language. 
Helm handles package management in a Kubernetes native manner while building on lessons learned from other package managers.\r\n\r\nIn this session you will learn a little about how Kubernetes works, how Helm leverages Kubernetes, how Helm handles typical package management features, and where Helm can continue to improve.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZWTEFM", "name": "Matt Farina", "avatar": "https://pretalx.com/media/avatars/ZWTEFM_Lze7VOY.webp", "biography": "Matt is a Software Architect at SUSE who works on the development of new container tools. He is currently a maintainer of Helm and Artifact Hub and an emeritus chair of Kubernetes SIG Apps and Architecture. Matt is the author of the books _Go in Practice_ and _Learning Helm_.\r\n\r\nYou can learn more about Matt at [mattfarina.com](https://mattfarina.com)", "public_name": "Matt Farina", "guid": "615da8b6-6b7b-57dc-8181-2f5b0294d572", "url": "https://pretalx.com/packagingcon-2021/speaker/ZWTEFM/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/9LSDES/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/9LSDES/", "attachments": []}, {"guid": "34bdc17c-32dd-5e78-a276-6cff8fac6bd3", "code": "GUBVGF", "id": 12001, "logo": null, "date": "2021-11-09T19:00:00+00:00", "start": "19:00", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-12001-unraveling-the-magic-behind-buildpacks", "url": "https://pretalx.com/packagingcon-2021/talk/GUBVGF/", "title": "Unraveling the magic behind Buildpacks", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "Cloud Native Buildpacks makes building container images a breeze. It comes with out-of-the-box support for rebasing, reproducibility, multiple entrypoints and more! 
In this talk we\u2019ll uncover the magic that the lifecycle - the binary at the heart of CNB - uses to convert source code into OCI images.", "description": "Cloud Native Buildpacks transform your application source code into runnable images - without Dockerfiles. \r\n\r\n## Why is this helpful?\r\n\r\n\r\n- It allows application developers to focus on what they\u2019re building, and not on how to support it in production \r\n- It gives operators precise control over what build inputs are permitted and how builds are executed\r\n- Lastly operations like rebase that allow mass-patching the base image can have dramatic consequences for large-scale reactions to OS vulnerabilities\r\n\r\n## Takeaways \r\n\r\n\r\nIn this talk we will explore how lifecycle - the binary at the heart of buildpacks - makes all this possible. We will be going through the 5 different stages that the lifecycle executes - detect, analyze, restore, build and finally export and how it stitches up the final OCI image.", "recording_license": "", "do_not_record": false, "persons": [{"code": "RPJYFT", "name": "Sambhav Kothari", "avatar": "https://pretalx.com/media/avatars/RPJYFT_kEpWh2y.webp", "biography": "Sambhav Kothari is an ML Engineer in the Data Science Platform team at Bloomberg, focusing on building better container integrations for machine learning workflows. He is one of the maintainers for the Cloud Native Buildpacks project.", "public_name": "Sambhav Kothari", "guid": "c1fa7112-d192-5071-a65d-def163c24cb7", "url": "https://pretalx.com/packagingcon-2021/speaker/RPJYFT/"}, {"code": "U8DHA8", "name": "Natalie Arellano", "avatar": null, "biography": "Natalie is a software engineer at VMware. 
She is currently a maintainer for the Cloud Native Buildpacks project.", "public_name": "Natalie Arellano", "guid": "75efdd46-42e7-56e9-9924-7b7da80796aa", "url": "https://pretalx.com/packagingcon-2021/speaker/U8DHA8/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/GUBVGF/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/GUBVGF/", "attachments": []}, {"guid": "f9a36398-69fc-5b06-aac2-f11a65027bed", "code": "SHNDF3", "id": 11961, "logo": null, "date": "2021-11-09T19:25:00+00:00", "start": "19:25", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-11961-creating-open-source-unikernel-packages", "url": "https://pretalx.com/packagingcon-2021/talk/SHNDF3/", "title": "Creating Open Source Unikernel Packages", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "Unikernels are a new way of deploying individual applications as virtual machines in the cloud that can run linux applications faster and safer than linux. Since unikernels are deployed as virtual machines, packaging allows end-users to run common software without compiling it themselves in a cross-platform and cross-architecture way.", "description": "Participants will learn about how unikernel packages are made for the open-source Nanos unikernel and OPS tooling. They'll also learn basic unikernel concepts and how packages provide a base for end-users to run common software such as language interpreters and databases. Users will learn how to convert docker containers into unikernel packages quickly and easily. We'll show how to debug when package creation goes wrong and show how unikernel packaging stops many software supply chain attacks.", "recording_license": "", "do_not_record": false, "persons": [{"code": "8CGWB7", "name": "Ian Eyberg", "avatar": null, "biography": "Ian Eyberg is the founder of NanoVMs, the maintainer of the open source Nanos unikernel and associated toolchain. 
Ian has a long background in open source starting with Slackware floppies in the mid-90s and is a noted authority on unikernels.", "public_name": "Ian Eyberg", "guid": "f1951cea-b32c-59db-8306-d4b550d0238a", "url": "https://pretalx.com/packagingcon-2021/speaker/8CGWB7/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/SHNDF3/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/SHNDF3/", "attachments": []}, {"guid": "45dcb28d-c6db-536f-93dc-5a36a356bfaf", "code": "TVTEDP", "id": 12042, "logo": null, "date": "2021-11-09T19:50:00+00:00", "start": "19:50", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-12042-sbom-packaging-and-vulnerabilities", "url": "https://pretalx.com/packagingcon-2021/talk/TVTEDP/", "title": "SBOM, Packaging, and Vulnerabilities", "subtitle": "", "track": "Supply Chain Security", "type": "Talk", "language": "en", "abstract": "Three years of community-oriented software bill of materials (SBOM) work under NTIA has led to (among other things):\r\n\r\n* Framing of a model, architecture, and requirements for SBOMs, data, and processes\r\n* Formats that satisfy the framing constraints: SPDX, CycloneDX, SWID\r\n\r\nTo scale, and really to function at all, SBOM production needs to happen during software development phases such as build, *packaging*, and deployment.\r\n\r\nWe informally reviewed a handful of package management systems to look for commonality, differences, and alignment with the NTIA SBOM effort. One clearly identified SBOM use case, vulnerability management, stands to benefit from more and higher quality SBOM and inventory information.\r\n\r\nWhat kinds of data does vulnerability management need from SBOM? To what extent do package management systems provide this data? What are the common elements that package management systems already provide?", "description": "We are looking for informed input and potential collaboration to help establish:\r\n1. 
How widely does package management metadata vary across ecosystems?\r\n2. How well does available metadata during packaging meet SBOM and vulnerability management needs?", "recording_license": "", "do_not_record": false, "persons": [{"code": "RNFW3S", "name": "Kate Stewart", "avatar": null, "biography": null, "public_name": "Kate Stewart", "guid": "9242a871-4540-5b83-8cc0-c3623d52fa42", "url": "https://pretalx.com/packagingcon-2021/speaker/RNFW3S/"}, {"code": "TWSAGA", "name": "Art Manion", "avatar": "https://pretalx.com/media/avatars/TWSAGA_qemnVYg.webp", "biography": "Art Manion is a Principal Engineer and the Vulnerability Analysis Technical Manager at the CERT Coordination Center (CERT/CC), part of the Software Engineering Institute at Carnegie Mellon University. He and his team coordinate complex vulnerability disclosures, perform in-depth technical analysis, and influence practice, standards, and policy. Art co-chairs the Framing working group of the U.S. NTIA Software Component Transparency (SBOM) multistakeholder effort.", "public_name": "Art Manion", "guid": "315cddac-43a5-5231-944e-9c458aeeb532", "url": "https://pretalx.com/packagingcon-2021/speaker/TWSAGA/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/TVTEDP/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/TVTEDP/", "attachments": []}, {"guid": "fdf1e4a2-0585-51a1-866b-c15086223d73", "code": "JZVZWN", "id": 12108, "logo": null, "date": "2021-11-09T20:15:00+00:00", "start": "20:15", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-12108-packaging-llvm", "url": "https://pretalx.com/packagingcon-2021/talk/JZVZWN/", "title": "Packaging LLVM", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "The LLVM project encompasses the LLVM core libraries, clang, lld, lldb, \r\ncompiler-rt, flang and many other projects that gravitate around the use of the LLVM compiler infrastructure. 
As a whole, they aim at providing a complete tool\r\nchain, and its modular structure has led to the development of many third-party\r\npackages such as the Zig language or the Source Trail code explorer.\r\n\r\nPackaging LLVM leads to numerous choices, from configuration to build,\r\ntest, installation and granularity point of view. This talk discusses some of \r\nthese choices in the context of the Fedora distribution.", "description": "This talk is very likely to discuss the following topics :\r\n- Why and how do we ship independent packages while LLVM uses a mono repo upstream\r\n- Which versioning policy when upstream ships every 6 months?\r\n- Building with Clang or with GCC?\r\n- It's a compiler... Any bootstrapping issue?\r\n- How do we cope with the lack of ABI stability between major version upstream\r\n- What is the impact of shipping core components as shared libraries while upstream defaults to static libraries\r\n- Any tip to deal with long build time, swapping during linkage and/or package size for large C++ libraries like libLLVM.so?\r\n- How do we ensure decent (unit / integration) testing?", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZJ3KYE", "name": "Serge \u00ab sans \u00bb Paille", "avatar": null, "biography": "Sometimes a compiler engineer, sometimes a Fedora packager, sometimes a wood chopper", "public_name": "Serge \u00ab sans \u00bb Paille", "guid": "918cbed7-1ba5-5f20-b737-b25b45ac2ca7", "url": "https://pretalx.com/packagingcon-2021/speaker/ZJ3KYE/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/JZVZWN/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/JZVZWN/", "attachments": []}]}}, {"index": 2, "date": "2021-11-10", "day_start": "2021-11-10T04:00:00+00:00", "day_end": "2021-11-11T03:59:00+00:00", "rooms": {"Plenaries": [{"guid": "d2c55185-25f4-550f-a18e-361ded55202b", "code": "LHFKYW", "id": 13671, "logo": null, "date": "2021-11-10T21:15:00+00:00", "start": 
"21:15", "duration": "00:02", "room": "Plenaries", "slug": "packagingcon-2021-13671-rcc-open-source-tool-to-setup-cache-and-maintain-isolated-and-repeatable-environments-for-the-end-users-and-cloud", "url": "https://pretalx.com/packagingcon-2021/talk/LHFKYW/", "title": "RCC - Open-source tool to setup, cache and maintain isolated and repeatable environments for the end-users and cloud", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "In order to run Robotic Process Automation (RPA) robots, we need Python environments, but we need to set them up cross-platform, isolated, repeatable and fast.\r\n\r\nRCC enables us to do this based on the conda.yaml config file and by leveraging micromamba, conda-forge and pip.", "description": "Video presentation:\r\n* https://drive.google.com/file/d/1snLdbJzB-uyyMjCoCOhXhIzo0nH3NabO/view?usp=sharing\r\n\r\nLinks:\r\n* https://github.com/robocorp/rcc#readme\r\n* https://github.com/robocorp/rcc/blob/master/docs/environment-caching.md", "recording_license": "", "do_not_record": false, "persons": [{"code": "JFN9BG", "name": "Kari Harju", "avatar": "https://pretalx.com/media/avatars/JFN9BG_OgiZtdI.webp", "biography": "Engineering Director at [Robocorp](https://robocorp.com) managing the development of development tools around RPA.\r\nSome 20 years of background in the software world on all sorts of platforms.\r\nFrom Symbian to AWS DynamoDB and from dog tracking collars to tools building Python environments.", "public_name": "Kari Harju", "guid": "34378510-06a9-599f-aaea-a674700cc16e", "url": "https://pretalx.com/packagingcon-2021/speaker/JFN9BG/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/LHFKYW/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/LHFKYW/", "attachments": []}, {"guid": "25d7f5dd-e0e5-574b-8726-9da100a3b938", "code": "EWEWNJ", "id": 13666, "logo": null, "date": "2021-11-10T21:20:00+00:00", "start": "21:20", "duration": "00:02", 
"room": "Plenaries", "slug": "packagingcon-2021-13666-how-we-rebuilt-all-160k-gems-from-rubygems-org-as-rpm-packages", "url": "https://pretalx.com/packagingcon-2021/talk/EWEWNJ/", "title": "How we rebuilt all 160k gems from rubygems.org as RPM packages", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "Lighting talk about the mass rebuild in Copr.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "L7ACZJ", "name": "Miroslav Suchy", "avatar": "https://pretalx.com/media/avatars/L7ACZJ_F9ixB1j.webp", "biography": "In Red Hat, I work on packaging tools for the community. More about me at http://miroslav.suchy.cz/", "public_name": "Miroslav Suchy", "guid": "795d7b12-966a-5f43-8f5e-b79b631ccef1", "url": "https://pretalx.com/packagingcon-2021/speaker/L7ACZJ/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/EWEWNJ/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/EWEWNJ/", "attachments": []}, {"guid": "f4c52627-f96c-5b5b-8f77-0f5cf4819644", "code": "TYEFV3", "id": 13674, "logo": null, "date": "2021-11-10T21:25:00+00:00", "start": "21:25", "duration": "00:02", "room": "Plenaries", "slug": "packagingcon-2021-13674-what-is-a-package-manager", "url": "https://pretalx.com/packagingcon-2021/talk/TYEFV3/", "title": "What is a Package Manager?", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "This lightning talk will offer an answer to the question: What is a Package Manager?\r\n\r\nThe talk will feature slides that were removed from my Lxroot presentation due to time constraints.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "XTJYK8", "name": "Parke Bostrom", "avatar": null, "biography": "Parke Bostrom started writing computer programs in the 1980s.  He lives in California.  
He believes a computer can only truly be \"personal\" if the user, and not the package manager, controls how software is installed, and how software runs.", "public_name": "Parke Bostrom", "guid": "ef6517f3-9a13-553e-b532-ae5356769f4d", "url": "https://pretalx.com/packagingcon-2021/speaker/XTJYK8/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/TYEFV3/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/TYEFV3/", "attachments": []}], "Room I": [{"guid": "f36ebb46-fb97-5c18-9000-2f02a85e0b27", "code": "TFA8SB", "id": 13658, "logo": null, "date": "2021-11-10T16:00:00+00:00", "start": "16:00", "duration": "00:45", "room": "Room I", "slug": "packagingcon-2021-13658-panel-package-manager-convergence-what-stands-in-the-way", "url": "https://pretalx.com/packagingcon-2021/talk/TFA8SB/", "title": "Panel: Package Manager Convergence: What Stands in the Way?", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "We\u2019ve managed to bring all of you together from different package manager communities, but can we also bring the package managers you work on together? Is there room for one package manager to rule them all, or will package management always be a very domain-centric activity? If it does, is that good or bad?", "description": "We\u2019ve brought together a panel of experts to hash this out! Please welcome:\r\n\r\n- Wolf Vollprecht (QuantStack, Mamba project, Condaforge)\r\n- Joshua Lock (VMWare, The Update Framework)\r\n- Ludovic Court\u00e8s (Inria, Guix project)\r\n- Andrew Nesbitt (Octobox, manifest.fm)\r\n\r\nTodd Gamblin (LLNL, Spack project) will moderate.\r\n\r\nEach panelist will briefly give us their take on the following charge questions, followed by a lively discussion and questions from the audience.\r\n\r\n- Do you think there are too many package managers? 
Why or why not?\r\n- What parts of packaging could eventually be automated or replaced by infrastructure?\r\n- What parts of package managers do you think could be shared as common components? What would it take to make that happen?\r\n- If not through common components, what other ways could the many different packaging communities come together in the future?\r\n- What do we need to do to get people outside the packaging community to better understand these challenges?", "recording_license": "", "do_not_record": false, "persons": [{"code": "M7CWJZ", "name": "Wolf Vollprecht", "avatar": "https://pretalx.com/media/avatars/M7CWJZ_k9nxqOS.webp", "biography": "Wolf Vollprecht is a Technical Director at QuantStack. QuantStack is a small open source software consulting company that mostly works on scientific open source software.\r\nWolf spends most of his time working on the mamba package manager, and as part of the conda-forge core team. Mamba is a fast, cross-platform and language agnostic package manager that works with conda packages.", "public_name": "Wolf Vollprecht", "guid": "c1a59892-19f6-59e5-bdfd-e50a1ff815c3", "url": "https://pretalx.com/packagingcon-2021/speaker/M7CWJZ/"}, {"code": "RD7SJX", "name": "Todd Gamblin", "avatar": "https://pretalx.com/media/avatars/RD7SJX_QZJnZHZ.webp", "biography": "Todd Gamblin is a Senior Principal MTS in Livermore Computing's Advanced Technology Office at Lawrence Livermore National Laboratory. He created Spack, a popular open source HPC package management tool with a rapidly growing community of contributors. He leads the Packaging Technologies Project in the U.S. Exascale Computing Project, LLNL's DevRAMP project on developer productivity, and an LLNL Strategic Research Initiative on software integration and dependency management. 
His research interests include dependency management, software engineering, parallel computing, performance measurement, and performance analysis.", "public_name": "Todd Gamblin", "guid": "efd6f68f-b8d2-5c01-b4c6-e35b4ae0b5b0", "url": "https://pretalx.com/packagingcon-2021/speaker/RD7SJX/"}, {"code": "PVAZUZ", "name": "Ludovic Court\u00e8s", "avatar": null, "biography": "Almost ten years ago, Ludovic started work on [GNU Guix](https://guix.gnu.org).  It has since become the home of a vibrant community encompassing free software enthusiasts, principled developers, and [scientists in search of reproducibility](https://hpc.guix.info).\r\n\r\nBefore that, Ludovic was already a co-maintainer of GNU Guile, an implementation of the Scheme functional programming language, and a contributor to Nix, Nixpkgs, and NixOS\u2014the beginning of a delightful journey at the crossroads of functional deployment and embedded domain-specific languages.", "public_name": "Ludovic Court\u00e8s", "guid": "3f66afe9-8ef7-59cf-ba4a-cf294bbf6fed", "url": "https://pretalx.com/packagingcon-2021/speaker/PVAZUZ/"}, {"code": "BSMMBJ", "name": "Joshua Lock", "avatar": "https://pretalx.com/media/avatars/BSMMBJ_f2nzOkL.webp", "biography": "Joshua is a collaborator and maintainer on The Update Framework (TUF) and Supply-chain Levels for Software Artifacts (SLSA) projects. He is fortunate enough to work on these projects, and others, at VMware in their Open Source Technology Center. In a past life he spent many years working on and with the Yocto Project. 
Joshua has spoken at several events including Linux Security Summit, Embedded Linux Conference, and KubeCon + CloudNativeCon.", "public_name": "Joshua Lock", "guid": "0e41b0b9-adce-5bf0-845f-4a4b89592a83", "url": "https://pretalx.com/packagingcon-2021/speaker/BSMMBJ/"}, {"code": "UUZKDT", "name": "Andrew Nesbitt", "avatar": "https://pretalx.com/media/avatars/UUZKDT_Doiw5cN.webp", "biography": "Creator of Libraries.io, host of package management podcast The Manifest and software developer", "public_name": "Andrew Nesbitt", "guid": "d9c39003-8762-5179-9260-8db0c98d582a", "url": "https://pretalx.com/packagingcon-2021/speaker/UUZKDT/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/TFA8SB/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/TFA8SB/", "attachments": []}, {"guid": "e1d83301-dede-5daf-966e-5955584748f6", "code": "HWRHTX", "id": 12209, "logo": null, "date": "2021-11-10T17:00:00+00:00", "start": "17:00", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-12209-islands-of-compatibility", "url": "https://pretalx.com/packagingcon-2021/talk/HWRHTX/", "title": "Islands of compatibility", "subtitle": "", "track": "ABI & Static Analysis", "type": "Talk", "language": "en", "abstract": "Ray Donnelly liked to say that software collections were defined by \"islands of compatibility\" - sets of software where the API and ABI requirements line up. Each package ecosystem defines their island differently, and each approach has advantages and disadvantages. 
This talk will compare the approaches of operating system maintainers, the greater conda ecosystem, and the somewhat ad-hoc status quo of the R world, in the hopes of making implicit assumptions and consequences explicit.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "WPNEXG", "name": "Michael Sarahan", "avatar": "https://pretalx.com/media/avatars/WPNEXG_116rvBi.webp", "biography": "Michael started out in science, using Python and C++ for driving electron microscope equipment and analyzing data. This was in the bad old days of mostly needing to compile your own software to use the latest and greatest packages. He took his skills for building packages to Continuum Analytics (now Anaconda), where he maintained conda-build, conda, and many conda recipes for several years. There he also steered Continuum towards opening up their recipes and contributing to Conda-Forge. Lately he works at RStudio, where he fumbles with Go, SQL and Javascript in efforts to facilitate managing R and Python together.", "public_name": "Michael Sarahan", "guid": "d9c70e2a-84eb-5dcb-ac2b-62aa86a8a3ec", "url": "https://pretalx.com/packagingcon-2021/speaker/WPNEXG/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/HWRHTX/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/HWRHTX/", "attachments": []}, {"guid": "bc2c4fa1-c4d9-5d66-9f80-f6715e7764f8", "code": "AVRPRC", "id": 11951, "logo": null, "date": "2021-11-10T17:25:00+00:00", "start": "17:25", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-11951-package-information-on-elf-objects", "url": "https://pretalx.com/packagingcon-2021/talk/AVRPRC/", "title": "Package information on ELF objects", "subtitle": "", "track": "ABI & Static Analysis", "type": "Talk", "language": "en", "abstract": "Programs crash. And when they do, they dump core, and we want to tell the user which package, including the version, caused the failure. 
This talk describes a compact JSON-based format that is embedded directly in the binaries as an ELF note. By embedding this information directly in the binary object, package information is immediately available from a core dump, independently of any external packaging metadata. This is a cross-distro collaboration, with the eventual goal of having the same metadata automatically added by all distributions.", "description": "The general idea is to add a terse JSON note as a `.note.package` ELF note. This note identifies who built the binary and where: the distro or vendor, distro version, package version, architecture, etc. This is useful when programs compiled for different distributions are mixed (e.g. Debian container running on Fedora), when non-distribution programs are used with a distro (e.g. a private program), when distribution metadata has been stripped (e.g. an initrd image), or when only offline access is possible.\r\n\r\nThis metadata can coexist with the existing `.note.gnu.build-id` ELF notes. Those are added by most distributions, but they only provide a build-id hash. 
To resolve this hash to an actual package name and version, some additional query is required.\r\n\r\nLinks:\r\n- https://systemd.io/COREDUMP_PACKAGE_METADATA/\r\n- https://github.com/systemd/package-notes\r\n- https://fedoraproject.org/wiki/Changes/Package_information_on_ELF_objects", "recording_license": "", "do_not_record": false, "persons": [{"code": "33LYX7", "name": "Zbigniew J\u0119drzejewski-Szmek", "avatar": "https://pretalx.com/media/avatars/33LYX7_BU4AyUq.webp", "biography": "python, systemd, fedora linux", "public_name": "Zbigniew J\u0119drzejewski-Szmek", "guid": "f5635b2f-b6bb-5200-a191-0dbfc34a87a9", "url": "https://pretalx.com/packagingcon-2021/speaker/33LYX7/"}, {"code": "CBHZBE", "name": "Luca Boccassi", "avatar": "https://pretalx.com/media/avatars/CBHZBE_fHy4wtp.webp", "biography": "Debian Developer, member of maintainers teams of DPDK/systemd/ZeroMQ, Software Engineer at Microsoft", "public_name": "Luca Boccassi", "guid": "2ea9e6ea-f3fe-57f9-ba65-cb121d9d9586", "url": "https://pretalx.com/packagingcon-2021/speaker/CBHZBE/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/AVRPRC/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/AVRPRC/", "attachments": []}, {"guid": "6d8cb558-83c8-53bd-a903-6c5bdc410351", "code": "M9YCL3", "id": 12094, "logo": null, "date": "2021-11-10T17:50:00+00:00", "start": "17:50", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-12094-are-project-tests-enough-for-automated-dependency-updates-a-case-study-of-262-java-projects-on-github", "url": "https://pretalx.com/packagingcon-2021/talk/M9YCL3/", "title": "Are Project Tests Enough for Automated Dependency Updates? A Case Study of 262 Java Projects on Github", "subtitle": "", "track": "ABI & Static Analysis", "type": "Talk", "language": "en", "abstract": "Updating to a new version of a third-party library is traditionally not a trivial task. 
Github's dependabot, Renovate, and similar services automatically create a new branch with the latest version of a library dependency and then execute project tests to detect any breaking changes. While such services are gaining a lot of traction, no study looks into whether test suites of average Github Projects have sufficient coverage and are adequate to detect incompatible library changes. \r\n\r\nTo better understand the state of test coverage and effectiveness of project test suites for detecting incompatible library changes, I will, in this talk, present a study comprising 262 Java projects on Github. By artificially injecting faulty changes in library dependencies, we identify that test suites on average have coverage of 58% of their direct dependencies and 20% of their transitive dependencies. The average test suite effectively detects 47% of faulty updates in direct dependencies and 35% in transitive dependencies. Based on our findings, I will explain a set of recommendations for both developers and toolmakers that could potentially improve the reliability and expectations of automated dependency updating.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "YET8GT", "name": "Joseph Hejderup", "avatar": null, "biography": "Joseph Hejderup is a Ph.D. student at the Delft University of Technology, The Netherlands. 
His research interests include Dependency Management, Program Analysis & Ecosystem Analytics.", "public_name": "Joseph Hejderup", "guid": "7a0c02c9-8588-5291-8009-ce7ca2a1a466", "url": "https://pretalx.com/packagingcon-2021/speaker/YET8GT/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/M9YCL3/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/M9YCL3/", "attachments": []}, {"guid": "87648130-8089-501a-b74c-799d91148be0", "code": "ASAJQY", "id": 12093, "logo": null, "date": "2021-11-10T18:20:00+00:00", "start": "18:20", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-12093-the-promises-and-perils-of-adopting-static-analysis-in-dependency-analyzers", "url": "https://pretalx.com/packagingcon-2021/talk/ASAJQY/", "title": "The Promises and Perils of Adopting Static Analysis in Dependency Analyzers", "subtitle": "", "track": "ABI & Static Analysis", "type": "Talk", "language": "en", "abstract": "`npm audit`, `cargo audit`, `dependabot`, and similar analyzers have one thing in common: they provide feedback by only analyzing project manifests. I have one big problem with this: we are generalizing how projects use dependencies through metadata analysis! Without looking into how projects \"actually\" use dependencies, we deprive developers of insightful feedback that could save development time and effort. In this talk, I will discuss the differences and similarities between metadata-level versus code-level (i.e., static analysis) dependency analyses. Specifically, I will explain scenarios that are sufficient to use metadata analysis and when it is not. 
Moreover, I will also discuss the general applicability and challenges of adopting static analysis in dependency analyzers.\r\n\r\nThe talk is based on my research paper: \"Pr\u00e4zi: From Package-based to Call-based Dependency Networks\" You can find the paper here: https://arxiv.org/abs/2101.09563", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "YET8GT", "name": "Joseph Hejderup", "avatar": null, "biography": "Joseph Hejderup is a Ph.D. student at the Delft University of Technology, The Netherlands. His research interests include Dependency Management, Program Analysis & Ecosystem Analytics.", "public_name": "Joseph Hejderup", "guid": "7a0c02c9-8588-5291-8009-ce7ca2a1a466", "url": "https://pretalx.com/packagingcon-2021/speaker/YET8GT/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/ASAJQY/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/ASAJQY/", "attachments": []}, {"guid": "f14bd2df-2678-5e1b-89b0-9a785bd2021b", "code": "P3983F", "id": 12156, "logo": null, "date": "2021-11-10T18:45:00+00:00", "start": "18:45", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-12156-will-the-real-slugify-please-stand-up-adventures-in-api-mapping-and-dependency-discovery", "url": "https://pretalx.com/packagingcon-2021/talk/P3983F/", "title": "Will the Real Slugify Please Stand Up: Adventures in API Mapping and Dependency Discovery", "subtitle": "", "track": "ABI & Static Analysis", "type": "Talk", "language": "en", "abstract": "Defining dependency relationships is a fraught but integral part of the packaging process. Incorrect dependency definitions can have catastrophic consequences for users and the broader ecosystem. One of the reasons that specifying dependencies is so difficult is because version numbers are very loosely related to the actual property developers care about, the API and ABI. 
Software doesn\u2019t break if any API changed in a dependency; it only breaks if the API it relied on changed. Most version numbers do not capture this, providing a global view of a local problem. To address this, the symbol-management project has begun to catalog as many symbols as possible in the python ecosystem. While this was initially aimed at enhancing conda-forge\u2019s dependency metadata, the implications of the database are much greater. In addition to providing version constraint suggestions on dependencies, the project also enables the creation of version numbers based on changes in the project\u2019s symbols and determination of whether a code-base is compatible with a given environment. In this talk I\u2019ll discuss the structure and motivations of the symbol-management project, some examples of how to use the project, and the future of the project.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "LA7WJC", "name": "CJ Wright", "avatar": "https://pretalx.com/media/avatars/LA7WJC_IWpUdNV.webp", "biography": "Christopher J. \u2018CJ\u2019 Wright is a member of the HPC team at Citadel. Previously CJ worked at Lab49 as a consultant and software engineer helping to advise clients in capital markets on strategic technology goals and build state of the art systems. Prior to his work at Lab49, CJ earned his PhD, MPhil and MS in Materials Science and Engineering from Columbia University, specializing in streaming data processing, data provenance, and x-ray scattering simulations. His work has spanned from crystal growth characterization to NASA Mars mission tomography to software support for complex experiments. 
CJ also holds a MS in Chemical Engineering from the University of South Carolina and a BS with honors in Chemical Physics from Brown University.\r\nCJ holds various prominent positions in the open source software community, including a seat on the Conda-Forge core developer team, chair of the Conda-Forge Bot and Finance sub-teams and is a member of various other Conda-Forge sub-teams. CJ\u2019s work on Conda-Forge helps deliver high quality software packages to the broader community and has earned him an award from the NUMFOCUS organization for his contributions. CJ is also a contributor to other important libraries in the Python and data science communities, including the regro project, streamz, and xonsh, among others.\r\nCJ grew up in Rockville Centre, New York and currently lives in New York City. In his free time CJ develops for open source projects, plays woodwind instruments, and works out by playing squash and sailing.", "public_name": "CJ Wright", "guid": "f64ab929-7c3e-5dd3-b4c8-664cd27135ff", "url": "https://pretalx.com/packagingcon-2021/speaker/LA7WJC/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/P3983F/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/P3983F/", "attachments": []}, {"guid": "a7be9111-d232-5ceb-b68d-0e156bc1a4f3", "code": "SDEMUJ", "id": 12052, "logo": "https://pretalx.com/media/packagingcon-2021/submissions/SDEMUJ/build_all_the_things_HUxqyF9_tyfXVfz.jpg", "date": "2021-11-10T19:30:00+00:00", "start": "19:30", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-12052-binarybuilder-jl-using-julia-s-pkg-to-deliver-binary-libraries", "url": "https://pretalx.com/packagingcon-2021/talk/SDEMUJ/", "title": "BinaryBuilder.jl \u2014 Using Julia's Pkg to deliver binary libraries", "subtitle": "", "track": "ABI & Static Analysis", "type": "Talk", "language": "en", "abstract": "[`BinaryBuilder.jl`](https://binarybuilder.org/) is a framework that allows you to compile binaries for an 
ever-growing set of platforms (16 currently): Linux, FreeBSD, macOS and Windows on various architectures.  While `BinaryBuilder.jl` is mainly employed to build libraries and programs used in packages for the [Julia programming language](https://julialang.org/), it is completely general and anyone can install and use on their system the binaries it produces.", "description": "The Julia programming language promises to solve the so-called \"two-language problem\", so that users don't need to rewrite code in other languages to achieve better performance.  However, we don't live in a Julia-only world, and many high-quality libraries that we don't want to miss out on have already been written in other languages.  We then must jump through hoops to ensure that code written in other languages is easily accessible from Julia. `BinaryBuilder.jl` allows you to take software written in compiled languages such as C, C++, Fortran, Go or Rust, and build precompiled binaries for a plethora of different platforms that can be used from Julia packages, but not only.\r\n\r\nAutomatically generated thin wrappers, called JLLs, allow users to seamlessly install binaries just like regular Julia packages, and the other Julia packages can depend on JLLs.  Additionally, Julia's package manager records JLLs in the manifest file capturing the content of an environment for reproducibility, so that not only does it record Julia packages, but also binary libraries in other languages.\r\n\r\n`BinaryBuilder.jl` cross-compiles binaries for all target platforms in a single sandbox environment, using consistent toolchains.  Built binaries are relocatable and packaged into reproducible tarballs.  
`BinaryBuilder.jl` also takes into account different ABIs ([libstdc++ dual ABI](https://gcc.gnu.org/onlinedocs/libstdc++/manual/using_dual_abi.html) and different libgfortran versions), and all binaries are audited to automatically fix common errors (e.g., check correct ISA and OS ABI for the target platform, set rpaths, etc...).\r\n\r\nIn this talk we will describe the architecture of `BinaryBuilder.jl`, and how it piggybacks Julia's package manager and the Artifacts system to safely deliver the binaries to the end users.", "recording_license": "", "do_not_record": false, "persons": [{"code": "B98NWS", "name": "Elliot Saba", "avatar": "https://pretalx.com/media/avatars/B98NWS_tEK7CH0.webp", "biography": null, "public_name": "Elliot Saba", "guid": "922c7984-f3e3-58ea-82a5-a37f598b09db", "url": "https://pretalx.com/packagingcon-2021/speaker/B98NWS/"}, {"code": "ST7KZT", "name": "Mos\u00e8 Giordano", "avatar": "https://pretalx.com/media/avatars/ST7KZT_3IdkVo1.webp", "biography": "Research Software Developer at UCL during the day, binary builder during the night.", "public_name": "Mos\u00e8 Giordano", "guid": "0bdcf3dd-f493-5992-a04c-54716e0accef", "url": "https://pretalx.com/packagingcon-2021/speaker/ST7KZT/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/SDEMUJ/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/SDEMUJ/", "attachments": []}, {"guid": "28e9db1e-82e2-5ca9-92be-66a1b947fd1a", "code": "JHYQRP", "id": 12183, "logo": "https://pretalx.com/media/packagingcon-2021/submissions/JHYQRP/Versioning_for_User-Facing_Changes_vs_API_Breakages_cxKRDBj.png", "date": "2021-11-10T19:55:00+00:00", "start": "19:55", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-12183-versioning-for-user-facing-changes-vs-api-breakages", "url": "https://pretalx.com/packagingcon-2021/talk/JHYQRP/", "title": "Versioning for User-Facing Changes vs API Breakages", "subtitle": "", "track": "ABI & Static Analysis", "type": "Talk", 
"language": "en", "abstract": "Semantic Versioning (`MAJOR.MINOR.PATCH`) is a common approach to versioning\r\nlibraries that separates changes into fixes (`PATCH`), additions (`MINOR`), and\r\nbreakages (`MAJOR`). Though simple, SemVer has two primary limitations that can\r\nmake it difficult for developers to work with:\r\n\r\n 1. User-facing changes, such as new features or redesigns, are not separated\r\n    from API breakages. Therefore, the compatibility between versions is harder\r\n    for maintainers to understand as the impact of MAJOR updates can vary\r\n    significantly (ex. Python `1->2` vs `2->3`). In consequence, some projects\r\n    now use year-based versioning or 'ZeroVer' (where `MAJOR` is always `0`),\r\n    thus avoiding  the question of API compatibility entirely.\r\n\r\n 2. API breakages are always represented by the `MAJOR` version and do not take\r\n    into account different types of breakages, such as source vs binary\r\n    compatibility. Additionally, tooling can be used to repair many common types\r\n    of breakages (such as renaming) which do not have significant impact on how\r\n    the library is used.\r\n\r\nThe purpose of this talk is to raise awareness of these limitations, demonstrate\r\nthe use cases for having multiple levels of API versioning, and propose\r\nalternative versioning methods that can incorporate different types of API\r\nbreakages.", "description": "- [YouTube Recording](https://www.youtube.com/watch?v=otomn9veySQ)\r\n - [Slide Deck](https://docs.google.com/presentation/d/1CO08MZPEhREuLODZ-rr_2aGAYEls6Ti3pkulNn8cFjM) (sources & additional resources in speaker notes)\r\n\r\nSemantic Versioning (`MAJOR.MINOR.PATCH`) is a common approach to versioning\r\nlibraries that separates changes into fixes (`PATCH`), additions (`MINOR`), and\r\nbreakages (`MAJOR`). 
Though simple, SemVer has two primary limitations that can\r\nmake it difficult for developers to work with.\r\n\r\nThe first limitation is that user-facing changes (such as new features or\r\nredesigns) are not separated from API breakages, which itself causes two issues:\r\n\r\n 1. Compatibility between versions is harder for maintainers to understand as\r\n    the impact of MAJOR updates can vary significantly (ex. Python `1->2` vs\r\n    `2->3`). Some releases may cause breaking changes even though the overall\r\n    library works the same, while others may maintain backwards compatibility\r\n    but offer new (ideally better) features (ex. Java 8, which added lambdas\r\n    introducing new options for API design).\r\n\r\n 2. Developers hesitate to make the `1.0.0` release (and other major releases)\r\n    for reasons related to the above as well as the effort involved in getting\r\n    key downstream dependencies to update to avoid compatibility issues. Some\r\n    projects now use year-based versioning or 'ZeroVer' (where `MAJOR` is always\r\n    `0`), thus avoiding the question of API compatibility entirely.\r\n\r\nSecond, not all API breakages are the same. The most common example of this is\r\nbinary breakages, where compiled output fails to work with new versions but the\r\nsource itself remains compatible. Even at the source level, some types of\r\nbreakages like renaming are 'simple' and can be automatically repaired with the\r\nappropriate tooling, while others can require major refactors. There are also\r\nbreakages specific to the type of application - as a surprising example,\r\nMinecraft Forge (a Minecraft API for client-side mods) encourages mods to use\r\na separate version for mod compatibility as certain types of changes may break\r\nplayer's worlds (effectively, data versioning).\r\n\r\nThere are a few potential solutions to this, and unfortunately all of them make\r\nversions just a bit more complicated. 
The most straightforward one is to\r\nmaintain two versions - a true semantic version for the project, and an API\r\ncompatibility version:\r\n\r\n - Project version: `PROJECT.FEATURE.PATCH`, which represents the high-level\r\n   changes to the project as it evolves.\r\n - API compatibility version: `PROJECT.SOURCE.BINARY`, which represents the API\r\n   breakages to the project. `SOURCE` and `BINARY` compatibilities work as\r\n   expected, but there is an additional `PROJECT` level for changes that have a\r\n   large impact to how the API can be used. This is currently heuristic, but the\r\n   inclusion of automated migrations may be able to formalize the idea of\r\n   'minor' breaking changes versus 'major' ones to provide strict validation.\r\n\r\nIn summary, software version needs to better account for the difference between\r\nuser-facing changes and API breakages, as well as account for different types\r\nof breakages. One potential solution is to maintain a separate version strictly\r\nfor API compatibility, coined `PROJECT.SOURCE.BINARY`, to help maintainers\r\nunderstand the potential impact of updating versions.", "recording_license": "", "do_not_record": false, "persons": [{"code": "RPCMET", "name": "Blake Anderson", "avatar": "https://pretalx.com/media/avatars/RPCMET_CzOq8n0.webp", "biography": "I'm a graduate student in Computer Science at the University of Florida researching programming language design. 
I currently work on [Rhovas](https://rhovas.dev), a programming language for API design and enforcement emphasizing software maintainability.\r\n\r\nAsk Me Anything: `WillBAnders@gmail.com`", "public_name": "Blake Anderson", "guid": "20b0db89-cfe1-5096-b1a8-2784487c4e68", "url": "https://pretalx.com/packagingcon-2021/speaker/RPCMET/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/JHYQRP/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/JHYQRP/", "attachments": [{"title": "Slide Deck (see Google Slides link in description for sources & additional readings in speaker notes)", "url": "/media/packagingcon-2021/submissions/JHYQRP/resources/Versioning_for_User-Facing_Changes_vs_API_SHHku8o.pdf", "type": "related"}]}, {"guid": "317c2b03-cefc-567d-b4a5-bc4b85952521", "code": "TCRVXX", "id": 12224, "logo": null, "date": "2021-11-10T20:15:00+00:00", "start": "20:15", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-12224-quantifying-outdatedness-using-the-technical-lag-measurement", "url": "https://pretalx.com/packagingcon-2021/talk/TCRVXX/", "title": "Quantifying Outdatedness Using the Technical Lag Measurement", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "Frequently, reusable packages for major programming languages and operating systems are available in public package repositories where they are developed and evolved together within the same environment. Developers rely on package management tools to automate deployments, specifying which package releases satisfy the needs of their applications. However, these specifications may lead to deploying package releases that are outdated or undesirable because they do not include bug fixes, security fixes, or new functionality. In contrast, automatically updating to a more recent release may introduce incompatibility issues. 
Moreover, while this delicate problem is important at the level of individual packages, it becomes even more relevant at the level of large distributions of software packages where packages depend, directly or indirectly, on a large number of other packages.\r\nThe goal of this presentation is to show how to capture this delicate balance between the need of updating to the ideal release and the risk of having breaking changes by presenting the measurement of technical lag, a concept that quantifies to which extent a deployed collection of packages is outdated with respect to the ideal deployment. Then, we empirically analyze its evolution in npm.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "K9NQ3F", "name": "Ahmed Zerouali", "avatar": "https://pretalx.com/media/avatars/K9NQ3F_hqEYvPA.webp", "biography": "Ahmed Zerouali is a postdoctoral on the joint Belgian FNRS-FWO Excellence of Science project SECOASSIST and a research fellow at the Software Languages Lab of the Vrije Universiteit Brussel in Belgium. His research focuses mainly on empirical software engineering, in particular software evolution, mining software repositories and software analytics. 
He has authored and reviewed research papers published in top software engineering conferences as well as in major journals such as EMSE, TSE, JSEP, SCICO etc.", "public_name": "Ahmed Zerouali", "guid": "5f60b4aa-b56f-53e1-9462-84f9e7f98e84", "url": "https://pretalx.com/packagingcon-2021/speaker/K9NQ3F/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/TCRVXX/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/TCRVXX/", "attachments": []}, {"guid": "849b504b-5928-5aa8-abe0-a8dfb957d3ba", "code": "K3LBCL", "id": 11843, "logo": null, "date": "2021-11-10T20:40:00+00:00", "start": "20:40", "duration": "00:20", "room": "Room I", "slug": "packagingcon-2021-11843-comparing-semantic-versioning-practices-in-cargo-npm-packagist-and-rubygems", "url": "https://pretalx.com/packagingcon-2021/talk/K3LBCL/", "title": "Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "Semantic versioning (semver) is a commonly accepted open source practice, used  by many package management systems to inform whether new package releases introduce possibly backward incompatible changes. Maintainers depending on such packages can use this practice to reduce the risk of breaking changes in their own packages by specifying version constraints on their dependencies. Depending on the amount of control a package maintainer desires to assert over her package dependencies, these constraints can range from very permissive to very restrictive.\r\nWe empirically compared the evolution of semver compliance in four package management systems: Cargo, npm, Packagist and Rubygems. 
We discuss to what extent ecosystem-specific characteristics influence the degree of semver compliance, and we suggest to develop tools adopting the wisdom of the crowds to help package maintainers decide which type of version constraints they should impose on their dependencies.\r\nWe also studied to which extent the packages distributed by these package managers are still using a 0.y.z release, suggesting less stable and immature packages. We explore the effect of such \"major zero\" packages on semantic versioning adoption.\r\nOur findings shed insight in some important differences between package managers with respect to package versioning policies.", "description": "The presenter is directing the Software Engineering Lab of the University of Mons in Belgium. The presented results have been published in IEEE Transactions on Software Engineering (https://doi.org/10.1109/TSE.2019.2918315) and Elsevier Science of Computer Programming (https://doi.org/10.1016/j.scico.2021.102656).\r\nSlideshare: https://www.slideshare.net/tommens/comparing-semantic-versioning-practices-in-cargo-npm-packagist-and-rubygems\r\nGoogle Scholar profile: https://scholar.google.com/citations?user=5RJe8dsAAAAJ&sortby=pubdate\r\nLinkedIn profile: https://www.linkedin.com/in/tommens\r\nTwitter handle: @tom_mens", "recording_license": "", "do_not_record": false, "persons": [{"code": "7VEMTT", "name": "Tom Mens", "avatar": "https://pretalx.com/media/avatars/7VEMTT_IjEYgDR.webp", "biography": "Prof. Dr. Tom Mens obtained a PhD in Science in 1999 at the Vrije Universiteit Brussel, Belgium. He is  full professor at the University of Mons in Belgium, where he  directs the Software Engineering Lab. His research interests include software evolution, quality and health management of software ecosystems, and open source software analytics. He published numerous highly-cited scientific articles in peer-reviewed international software engineering conferences and journals. 
He is project leader of the joint Belgian FNRS-FWO Excellence of Science project SECOAssist \u201cAutomated Assistance for Developing Software in Ecosystems of the Future\u201d.", "public_name": "Tom Mens", "guid": "bef45a4b-0283-5076-a19a-4e42dbce6d14", "url": "https://pretalx.com/packagingcon-2021/speaker/7VEMTT/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/K3LBCL/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/K3LBCL/", "attachments": [{"title": "Slides (in pdf format)", "url": "/media/packagingcon-2021/submissions/K3LBCL/resources/PackagingCon2021_uWRPmci.pdf", "type": "related"}]}], "Room 2": [{"guid": "a062b3af-b37c-561f-88e7-947697f4765c", "code": "R7EG83", "id": 11938, "logo": "https://pretalx.com/media/packagingcon-2021/submissions/R7EG83/guix_AjQAgVI.png", "date": "2021-11-10T17:00:00+00:00", "start": "17:00", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-11938-the-packaging-grail", "url": "https://pretalx.com/packagingcon-2021/talk/R7EG83/", "title": "The Packaging Grail", "subtitle": "", "track": "Deep Dives", "type": "Talk", "language": "en", "abstract": "Package managers are so old that one may wonder why we are here\r\ndiscussing recent tools in this area.  What are we trying to achieve\r\nthat existing tools failed to provide?  And why-oh-why does so much\r\nenergy go into sidestepping package managers through \u201capplication\r\nbundles\u201d \u00e0 la Docker?\r\n\r\nIn this talk, I\u2019ll present the grail that GNU\u00a0Guix is after, taking\r\nexamples from core features and key packaging practices.  You may\r\nrecognize bits from other projects: the rigor of Debian, the functional\r\nparadigm of Nix, the flexibility of Spack.  You\u2019ll also see salient\r\ndifferences: Guix tries to go as far as possible in each of these\r\ndirections while remaining pragmatic.\r\n\r\nThere\u2019s a fine line between pragmatism and deception that Guix tries not\r\nto cross.  
I\u2019ll explain what the project\u2019s \u201cred lines\u201d are and why we\r\nthink users and implementors should care.  I\u2019ll reflect on how we can\r\ncollectively shape a brighter future for software deployment.", "description": "I envision this as a bit of a \"soul searching\" kind of talk, with the goal of fostering discussion among implementors about what common denominator our tools and distributions should aim for, even when they initially have different goals.", "recording_license": "", "do_not_record": false, "persons": [{"code": "PVAZUZ", "name": "Ludovic Court\u00e8s", "avatar": null, "biography": "Almost ten years ago, Ludovic started work on [GNU Guix](https://guix.gnu.org).  It has since become the home of a vibrant community encompassing free software enthusiasts, principled developers, and [scientists in search of reproducibility](https://hpc.guix.info).\r\n\r\nBefore that, Ludovic was already a co-maintainer of GNU Guile, an implementation of the Scheme functional programming language, and a contributor to Nix, Nixpkgs, and NixOS\u2014the beginning of a delightful journey at the crossroads of functional deployment and embedded domain-specific languages.", "public_name": "Ludovic Court\u00e8s", "guid": "3f66afe9-8ef7-59cf-ba4a-cf294bbf6fed", "url": "https://pretalx.com/packagingcon-2021/speaker/PVAZUZ/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/R7EG83/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/R7EG83/", "attachments": [{"title": "slides", "url": "/media/packagingcon-2021/submissions/R7EG83/resources/talk.20211110_saUvxLW.pdf", "type": "related"}]}, {"guid": "3b9f146a-dd51-5cd6-a153-efd70cea2797", "code": "AFCUSQ", "id": 11964, "logo": null, "date": "2021-11-10T17:25:00+00:00", "start": "17:25", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-11964-how-nix-and-nixos-get-so-close-to-perfect", "url": "https://pretalx.com/packagingcon-2021/talk/AFCUSQ/", "title": "How 
Nix and NixOS Get So Close to Perfect", "subtitle": "", "track": "Deep Dives", "type": "Talk", "language": "en", "abstract": "Nix, the package manager for the distribution NixOS, is a package manager built on top of functional programming principles. In this talk I'll discuss how they get close to what I'd consider perfect and what future improvements on the concept should learn from Nix and NixOS.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "3A7HHR", "name": "Xe", "avatar": "https://pretalx.com/media/avatars/3A7HHR_jlHhWQ8.webp", "biography": "The author of [christine.website](https://christine.website), Xe is the Archmage of Infrastructure at Tailscale. They have written many articles about Nix and NixOS at both beginner and expert levels. They are passionate about making computers understandable and have", "public_name": "Xe", "guid": "86e571a9-e66a-578f-b8b3-0dc56185764f", "url": "https://pretalx.com/packagingcon-2021/speaker/3A7HHR/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/AFCUSQ/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/AFCUSQ/", "attachments": []}, {"guid": "4379a01f-19ba-58c1-b92c-ad593ca3dc5f", "code": "BVMPCR", "id": 12517, "logo": null, "date": "2021-11-10T17:50:00+00:00", "start": "17:50", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-12517-conda-forge-lib-mamba-libsolv-universal-and-reusable-parts", "url": "https://pretalx.com/packagingcon-2021/talk/BVMPCR/", "title": "conda-forge, (lib)mamba & libsolv: universal and reusable parts", "subtitle": "", "track": "Deep Dives", "type": "Talk", "language": "en", "abstract": "This talk introduces conda-forge (a community led collection of recipes for Windows, macOS and Linux), the mamba package manager which works cross-platform and independent of any language and the parts that make it up (libsolv and librepo). 
Furthermore, we will demonstrate how libmamba can be used to create bindings to mamba or specialized package managers, for example for plugin management in applications.", "description": "conda-forge is a community led collection of build-recipes for all major operating systems (Windows, macOS and Linux). It's a hybrid in a space between a classic \"Linux\"-distribution and PyPI/NPM style DIY distribution. It moves fast and packages a lot of bleeding edge scientific software. conda-forge is fully controlled by repositories on GitHub with humans and bots sharing the work of keeping packages up to date.\r\n\r\nMamba is a package manager that works natively with conda packages. It is written in C++ and runs on Windows, macOS and Linux. It also comes with a library (libmamba) and Python bindings (libmambapy) that can be utilized by other applications to manage software or software plugins. \r\n\r\nFurthermore, recently a new library (currently dubbed powerloader) has been developed that can down- and upload from package repositories. It supports parallel downloads, mirrors and automatic mirror selection as well as OCI registries and S3 storage. It is modeled after librepo but implemented in a more cross-platform compatible way.\r\n\r\nThis talk will introduce all these tools and show opportunities how they can be re-used for other applications.", "recording_license": "", "do_not_record": false, "persons": [{"code": "M7CWJZ", "name": "Wolf Vollprecht", "avatar": "https://pretalx.com/media/avatars/M7CWJZ_k9nxqOS.webp", "biography": "Wolf Vollprecht is a Technical Director at QuantStack. QuantStack is a small open source software consulting company that mostly works on scientific open source software.\r\nWolf spends most of his time working on the mamba package manager, and as part of the conda-forge core team. 
Mamba is a fast, cross-platform and language agnostic package manager that works with conda packages.", "public_name": "Wolf Vollprecht", "guid": "c1a59892-19f6-59e5-bdfd-e50a1ff815c3", "url": "https://pretalx.com/packagingcon-2021/speaker/M7CWJZ/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/BVMPCR/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/BVMPCR/", "attachments": []}, {"guid": "e8bcde91-8b15-5395-93a5-19fa1ee651f6", "code": "8MFYFW", "id": 12258, "logo": null, "date": "2021-11-10T18:20:00+00:00", "start": "18:20", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-12258-fortran-package-manager-toward-a-rich-ecosystem-of-fortran-packages", "url": "https://pretalx.com/packagingcon-2021/talk/8MFYFW/", "title": "Fortran Package Manager: Toward a rich ecosystem of Fortran packages", "subtitle": "", "track": "Deep Dives", "type": "Talk", "language": "en", "abstract": "Fortran is the oldest programming language still in use today, targeting high-performance scientific and engineering applications.\r\nTraditionally, Fortran software has used build systems that are not portable or are difficult to use or extend.\r\nThis has presented a significant barrier to entry for users, and has made it difficult to use libraries as dependencies, or distribute your own library for use in other projects.\r\nFortran Package Manager (fpm) is a new language-specific package manager and build system.\r\nThe key goals are to improve the user experience and nurture the growth of a rich ecosystem of Fortran libraries.\r\n\r\nFpm assumes sane defaults so that most users can enjoy a zero-configuration experience, while providing options to customize behavior.\r\nFpm can scaffold a new Fortran project, fetch and build remote dependencies, and run tests and project executables.\r\nIt supports multiple compilers, runs on all major operating systems and can bootstrap itself.\r\nWhile new and rapidly developing, it is already 
used as a build system for large projects and has been met with an overwhelming response from the Fortran community.\r\nWe want to discuss technical challenges that are specific to building Fortran projects and further next steps.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "88ALZM", "name": "Sebastian Ehlert", "avatar": null, "biography": "Open source contributor to several Fortran projects, including the Fortran standard library and Fortran package manager.\r\nMaintains several Fortran and Fortran-related packages in the conda-forge distribution.\r\n\r\nFortran-lang introduction can be found [here](https://fortran-lang.discourse.group/t/joining-the-team/1626).", "public_name": "Sebastian Ehlert", "guid": "a4953398-4f26-553b-8434-cf08a50c1b15", "url": "https://pretalx.com/packagingcon-2021/speaker/88ALZM/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/8MFYFW/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/8MFYFW/", "attachments": []}, {"guid": "d929aadb-318f-5749-8818-791a4180c0dc", "code": "VUTGK3", "id": 11981, "logo": null, "date": "2021-11-10T19:30:00+00:00", "start": "19:30", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-11981-living-with-opam", "url": "https://pretalx.com/packagingcon-2021/talk/VUTGK3/", "title": "Living with OPAM", "subtitle": "", "track": "Deep Dives", "type": "Talk", "language": "en", "abstract": "OPAM is the de facto standard package manager for the OCaml programming language. As a frequent contributor to its repository, I present an overview of its evolution, features, and recent ecosystem projects such as automated lower bounds checking, as well as my own experience with it.", "description": "OCaml was relatively late to receive a language-specific package manager and OPAM brought a big change to the ecosystem. 
The fact that it allows managing compiler installations together with packages and that OPAM can be installed _before_ the compiler was a rather novel feature at the time. The talk is focused on the following topics:\r\n\r\n* Features and packaging workflows.\r\n* Positive and negative effects of centralization (with specific examples)\r\n* Recent effort on automated lower bounds checking\r\n* Evolution, transition to OPAM 2.0 and how it was managed\r\n* Ecosystem challenges (Windows support, cross-compilation...)\r\n* My personal experience with OPAM and the ecosystem as a long-term contributor", "recording_license": "", "do_not_record": false, "persons": [{"code": "8KMLDE", "name": "Daniil Baturin", "avatar": "https://pretalx.com/media/avatars/8KMLDE_TtadEV7.webp", "biography": "Co-founder and maintainer of VyOS (vyos.net), functional programming enthusiast, frequent contributor to the OCaml ecosystem.", "public_name": "Daniil Baturin", "guid": "cf3761ce-1e07-57cd-a258-810352171434", "url": "https://pretalx.com/packagingcon-2021/speaker/8KMLDE/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/VUTGK3/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/VUTGK3/", "attachments": []}, {"guid": "23199d2f-5245-5e4e-a669-6e9b62567a18", "code": "J3CHVC", "id": 12068, "logo": null, "date": "2021-11-10T19:55:00+00:00", "start": "19:55", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-12068-distri-researching-fast-linux-package-management", "url": "https://pretalx.com/packagingcon-2021/talk/J3CHVC/", "title": "distri: researching fast Linux package management", "subtitle": "", "track": "Deep Dives", "type": "Talk", "language": "en", "abstract": "Linux package managers are too slow; how could we make things better?", "description": "In my work on distri, I show that package managers can fill almost any line rate (1 Gbps, 10 Gbps, 100 Gbps) effortlessly with the right architecture.\r\n\r\nIn this talk, I will 
explain the key ideas in distri\u2019s architecture, and what impact they have on the resulting system. For example, packages are distributed as SquashFS images in distri, which makes their contents immutable and the overall system harder to break.", "recording_license": "", "do_not_record": false, "persons": [{"code": "GQFAQN", "name": "Michael Stapelberg", "avatar": null, "biography": "https://distr1.org/\r\n\r\nhttps://michael.stapelberg.ch/\r\n\r\nhttps://twitter.com/zekjur", "public_name": "Michael Stapelberg", "guid": "2d6fbfd5-42e7-5b10-a770-354ce8f21d40", "url": "https://pretalx.com/packagingcon-2021/speaker/GQFAQN/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/J3CHVC/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/J3CHVC/", "attachments": []}, {"guid": "13200e06-53a7-5473-ae7e-582ffc72d1ef", "code": "9V9YQK", "id": 12054, "logo": null, "date": "2021-11-10T20:15:00+00:00", "start": "20:15", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-12054-the-haiku-package-manager", "url": "https://pretalx.com/packagingcon-2021/talk/9V9YQK/", "title": "The Haiku Package manager", "subtitle": "", "track": "Deep Dives", "type": "Talk", "language": "en", "abstract": "The Haiku operating system, which is a modern, open source re-implementation of BeOS from the 1990's, has an interesting software packaging system. Much like Debian's .deb or RedHat's .rpm files, Haiku's .hpkg files include the files, description of the software, and dependencies. 
Like its Linux cousins, it also ensures that the dependencies are met, installing the dependencies if not already installed and available in the repository.\r\n\r\nWhat sets Haiku's package manager apart is two things: Each file in the package is mounted as a read-only file into the file system, which ensures security; and the boot manager is aware of the state of the packaging system, allowing the user to reboot and start the operating system as it was in a prior state.\r\n\r\nSince each file is mounted from the package into the file system, it cannot be changed, either by the user (intentionally, or accidentally), or by a mis-behaving application. The only way to change the file is to install a different version, or to uninstall it completely. There is a downside to this though, it does make porting some applications tricky.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "UXJWVR", "name": "Richard Zak", "avatar": "https://pretalx.com/media/avatars/UXJWVR_x5wEcCz.webp", "biography": "Richard Zak is a machine learning researcher and software engineer for a large company, and part-time university lecturer.", "public_name": "Richard Zak", "guid": "9438b2d5-77a3-5715-902f-4b7d73633ccb", "url": "https://pretalx.com/packagingcon-2021/speaker/UXJWVR/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/9V9YQK/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/9V9YQK/", "attachments": []}, {"guid": "801b2648-9093-5238-a6b6-4f349555be3a", "code": "TJ7NJV", "id": 12031, "logo": null, "date": "2021-11-10T20:40:00+00:00", "start": "20:40", "duration": "00:20", "room": "Room 2", "slug": "packagingcon-2021-12031-packaging-tex-live-the-challenge-of-multi-platform-support", "url": "https://pretalx.com/packagingcon-2021/talk/TJ7NJV/", "title": "Packaging TeX Live - the challenge of multi-platform support", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", 
"abstract": "The TeX environment has grown slowly but steadily to a huge collection of programs, fonts, macros, support packages. Current TeX Live ships about 5Gb in more than 3500 different units. As teTeX stopped to be developed several years ago, TeX Live has taken over as the main TeX distribution in practical all areas, not only on Unix, but also Mac (MacTeX is based on TeX Live) and is also gaining on Windows (where MikTeX is still strong).\r\n\r\nIn this talk we recall shortly the history of TeX Live, its transition from CD/DVD based distribution to net based distribution, and the difficulties one faces when distributing a considerable piece of software to a variety of operating systems and hardware combinations (currently about 15 different arch-os combinations). Topics touched are cross-platform distribution, security, release management etc.\r\n\r\nFurthermore, we will discuss the topic of re-distributing TeX Live into Linux distributions like Debian, Red Hat. Integrating TeX Live into any distribution is a non-trivial task due to big amount of post installation steps. And although over the last years the quality of packages has improved, we still often get bug reports that stem from incorrect packaging.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "C7AFTJ", "name": "Norbert Preining", "avatar": "https://pretalx.com/media/avatars/C7AFTJ_BzKOk0M.webp", "biography": "Mathematician and Logician by education, Norbert is now working in Fujitsu Research. His core interests are mathematical logic, computer science, machine learning, AI, security, software verification and specification. He is also the co-head of the TeX Live development team, Debian Developer (KDE/Plasma, Cinnamon, TeX, ...) 
and likes to touch all kinds of computing devices.", "public_name": "Norbert Preining", "guid": "a38e3396-d2e3-58de-b79d-de830ee0fd57", "url": "https://pretalx.com/packagingcon-2021/speaker/C7AFTJ/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/TJ7NJV/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/TJ7NJV/", "attachments": []}], "Room 3": [{"guid": "71706704-ce1e-57fe-a85c-03a672b01955", "code": "X8N8ME", "id": 12074, "logo": null, "date": "2021-11-10T17:00:00+00:00", "start": "17:00", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-12074-python-packaging-why-don-t-you-just", "url": "https://pretalx.com/packagingcon-2021/talk/X8N8ME/", "title": "Python Packaging: Why Don\u2019t You Just\u2026?", "subtitle": "", "track": "Deep Dives", "type": "Talk", "language": "en", "abstract": "Every packaging system has its specific way of doing things, but to an outsider, Python\u2019s seems to have a knack of finding the most non-straightforward and weird solution for every choice. This talk attempts to trace some of the peculiarities to find out the reasoning behind the decisions, and how they stand in the modern packaging landscape.", "description": "Python packaging has a long and winding history. When it started out, few communities had good packaging offerings, and Python\u2019s was praised for being easy to pick up and develop with. As time went on, many tried to bring in new ideas from relatively new packaging systems to \u201cmodernise\u201d Python packaging, but those suggestions are not always received favourably, and Python\u2019s packaging community is sometimes categorised as overly conservative, or even user-hostile due to this.\r\n\r\nIn most of such situations, however, the main problem is not that Python packaging is unwilling to change, but there are certain design decisions that affect how problems should be approached. 
While those characteristics may seem alien to newcomers, they are made to accommodate special needs in the Python community, and any changes to the packaging system need to take them into consideration. This sometimes requires contributors to be more creative when putting together a new feature, but the Python community is only as valuable as its users, and new progress should avoid throwing away what enabled Python to grow into what it is.", "recording_license": "", "do_not_record": false, "persons": [{"code": "XMQYJM", "name": "Tzu-ping Chung", "avatar": "https://pretalx.com/media/avatars/XMQYJM_0NAXHyq.webp", "biography": "Tzu-ping builds his career around open source software, and enjoys committing his efforts to help make the world better. He builds all kinds of software for a living, from embedded systems to single-page web applications, and contributes to the community when he can.\r\n\r\nTP is currently employed by [Astronomer](https://www.astronomer.io/) to work on the Apache Airflow project. Most of his off-time is spent improving Python\u2019s packaging landscape, organising PyCon Taiwan, and building software with Python and other modern technologies. 
He loves (human) languages, and knows probably too much about linguistics and phonetics to make him welcome in parties.", "public_name": "Tzu-ping Chung", "guid": "c44cb83b-14b6-566c-b90e-adf8fdfde74f", "url": "https://pretalx.com/packagingcon-2021/speaker/XMQYJM/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/X8N8ME/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/X8N8ME/", "attachments": [{"title": "Slides (PDF)", "url": "/media/packagingcon-2021/submissions/X8N8ME/resources/python-packaging-why-dont-you-just_3gLSAiN.pdf", "type": "related"}, {"title": "Slides (Markdown with speaker notes)", "url": "/media/packagingcon-2021/submissions/X8N8ME/resources/python-packaging-why-dont-you-just_J4PhrN1.md", "type": "related"}]}, {"guid": "925e71db-3162-5504-92cd-2393b1e37ba4", "code": "RWR89G", "id": 12155, "logo": null, "date": "2021-11-10T17:25:00+00:00", "start": "17:25", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-12155-ipfs-python-wheels-efficient-secure-and-reproducible-repository", "url": "https://pretalx.com/packagingcon-2021/talk/RWR89G/", "title": "IPFS \u2764 Python Wheels: Efficient, Secure and Reproducible Repository", "subtitle": "", "track": "Registries", "type": "Talk", "language": "en", "abstract": "Python wheel is a beautifully simple format for cross-platform binary distribution.  Combining it with the simple repository API, we have the Python Package Index (PyPI) tirelessly serving Pythonistas.  PyPI is great as a package index, but in certain ways it is unsuitable for end-user usages: it is subject to multiple supply chain attacks, its centralised nature leads to difficult mirroring while being a single point\r\nof failure, and expensive dependency resolution is left for client-side.\r\n\r\nThe interplanetary wheels (IPWHL) are platform-unique, singly-versioned Python binary distributions backed by IPFS.  
It does not try to replace PyPI but aims to be a downstream wheel supplier in a fashion similar to GNU/Linux distributions, whilst taking advantage of a content-addressing peer-to-peer network to provide a reproducible, easy-to-mirror source of packages.", "description": "This talk will first briefly discuss the wheel package format and the current state of PyPI in the Python packaging ecosystem, focusing on a few shortcomings and relevant recent efforts.  It will then introduce IPWHL from the motivating philosophy to real-world properties, before showing the current process and a demo usage.  As this happens, the upstream-downstream relationship in Python packaging will be analyzed, clarifying the role of each actor in the process.  After the talk, the audience will know how (and when) IPWHL can benefit them and the different ways they can directly and indirectly help the project.", "recording_license": "", "do_not_record": false, "persons": [{"code": "HVFTSZ", "name": "Nguy\u1ec5n Gia Phong", "avatar": "https://pretalx.com/media/avatars/HVFTSZ_k8XYRMR.webp", "biography": "On the Internet, I am more commonly known as McSinyx (or CnX for short), a Vietnamese free software enthusiast.  
My areas of interest surround programming languages, concurrency, reproducibility and decentralization.", "public_name": "Nguy\u1ec5n Gia Phong", "guid": "2487c4a6-eee1-5335-b8fb-79ef7bc692dd", "url": "https://pretalx.com/packagingcon-2021/speaker/HVFTSZ/"}, {"code": "J9CTXV", "name": "Huy Ngo", "avatar": "https://pretalx.com/media/avatars/J9CTXV_y6nCmd4.webp", "biography": "Packager of IPWHL project", "public_name": "Huy Ngo", "guid": "9b50bfea-5a86-5d93-a968-ab2623891af1", "url": "https://pretalx.com/packagingcon-2021/speaker/J9CTXV/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/RWR89G/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/RWR89G/", "attachments": [{"title": "Slides", "url": "/media/packagingcon-2021/submissions/RWR89G/resources/handout_dH8pNM5.pdf", "type": "related"}]}, {"guid": "3342abf6-5cad-5500-87c0-7018470343f8", "code": "EP3ZLT", "id": 11991, "logo": "https://pretalx.com/media/packagingcon-2021/submissions/EP3ZLT/piwheels_logo_white_Gvyq7O7.jpg", "date": "2021-11-10T17:50:00+00:00", "start": "17:50", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-11991-running-a-python-package-index-for-raspberry-pi", "url": "https://pretalx.com/packagingcon-2021/talk/EP3ZLT/", "title": "Running a Python Package Index for Raspberry Pi", "subtitle": "", "track": "Registries", "type": "Talk", "language": "en", "abstract": "piwheels is a mirror of the Python Package Index, providing binary distributions compiled for the Raspberry Pi's Arm architecture.\r\n\r\nPackage maintainers usually provide wheels compiled for PC/Mac but not for the Arm architecture, so piwheels natively compiles all packages and makes them available to Raspberry Pi users, the regular way, using pip, without any change in behaviour required.\r\n\r\nProviding pre-compiled binary wheels saves users time and effort, reducing friction to getting started with Python projects on Raspberry Pi.", "description": "piwheels is a 
mirror of the Python Package Index, providing binary distributions compiled for the Raspberry Pi's Arm architecture.\r\n\r\nPackage maintainers usually provide wheels compiled for PC/Mac but not for the Arm architecture, so piwheels natively compiles all packages and makes them available to Raspberry Pi users, the regular way, using pip, without any change in behaviour required.\r\n\r\nProviding pre-compiled binary wheels saves users time and effort, reducing friction to getting started with Python projects on Raspberry Pi.\r\n\r\nWe serve over 2 million downloads each month and have saved Raspberry Pi users over 500 years of build time.\r\n\r\nIn this talk I'll explain:\r\n\r\n- how the build process works\r\n- what our infrastructure looks like\r\n- how we deal with keeping in sync with the upstream index\r\n- building for multiple OS versions and Python versions\r\n- compiling Python packages with C/C++/fortran/Golang/Rust/etc\r\n- how we make it easier for people to install packages and (apt) system dependencies", "recording_license": "", "do_not_record": false, "persons": [{"code": "EWRKHR", "name": "Ben Nuttall", "avatar": "https://pretalx.com/media/avatars/EWRKHR_Rhz4Y2X.webp", "biography": "Software engineer building prototypes at BBC News Labs. Formerly at the Raspberry Pi Foundation. Creator of gpiozero and piwheels. 
Into Python, Linux and all things open source.", "public_name": "Ben Nuttall", "guid": "d303f50c-470c-520b-bb36-53d892efd20b", "url": "https://pretalx.com/packagingcon-2021/speaker/EWRKHR/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/EP3ZLT/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/EP3ZLT/", "attachments": []}, {"guid": "20278a68-1309-5391-9539-667a26f102fb", "code": "9MKDF3", "id": 12085, "logo": null, "date": "2021-11-10T18:20:00+00:00", "start": "18:20", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-12085-micro-packaging-reusable-data-science-pipelines-in-python", "url": "https://pretalx.com/packagingcon-2021/talk/9MKDF3/", "title": "Micro-packaging reusable data science pipelines in Python", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "We believe that sharing and reusing data science code is the future for scaling machine learning across the world because it allows us to work more efficiently. To achieve this grand vision, we had to look at how micro-packaging could be done in Python, the language of choice for most data scientists. Micro-packaging is a widely debated topic in the npm world, and it hasn't taken off in the Python packaging ecosystem.\r\n\r\nThis talk will present the journey that brought us to this point, the challenges we've faced implementing this functionality and the solution we created in Kedro, an open-source Python framework for data science. Whether you're a data practitioner or a software engineer curious to reuse code between projects, you can draw some inspiration from this talk.", "description": "We have used Kedro to build reusable code stores, similar to how React is used to create design systems. Kedro is an open-source Python framework for creating reproducible, maintainable and modular data science code. 
While Kedro did lift many barriers, our users found that they still needed a way to easily share code snippets and parts of their data science pipelines between projects. Furthermore, they wanted to consume business logic as *source code*, and possibly extend it, rather than as a *library*.\r\n\r\nThis prompted my team to think about ways to enable a more seamless experience of sharing data science code in ways that didn't confuse our beginner users or force data scientists to take a bunch of software engineering classes to use the feature.\r\n\r\nThus micro-packaging was born: packaging (and consuming) submodules using simple CLI commands and a manifest file (pyproject.toml).\r\n\r\nIn this talk, we cover:\r\n\r\n- Setting the stage - introducing the main pain points we needed to address\r\n- How the Kedro solution works\r\n- What's under the hood\r\n- Reflections & future thinking", "recording_license": "", "do_not_record": false, "persons": [{"code": "CYS9Y7", "name": "Lorena Balan", "avatar": null, "biography": "I'm Software Engineer & Pythonista since 2017, currently working on QuantumBlack's and McKinsey's first open source project. 
In my spare time you can find me on a volleyball court, in an art gallery, or (in non-pandemic times) on a plane for a city-break.", "public_name": "Lorena Balan", "guid": "841529c3-04a5-580c-9277-b0e0b4af8f46", "url": "https://pretalx.com/packagingcon-2021/speaker/CYS9Y7/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/9MKDF3/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/9MKDF3/", "attachments": []}, {"guid": "d7f31cbd-83fa-5d5f-bebc-f19e5a3b38c5", "code": "GYGHXX", "id": 12247, "logo": "https://pretalx.com/media/packagingcon-2021/submissions/GYGHXX/fedoralovespython_HqDWOIS.jpg", "date": "2021-11-10T18:45:00+00:00", "start": "18:45", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-12247-python-in-fedora-integrating-a-language-ecosystem-in-a-distro", "url": "https://pretalx.com/packagingcon-2021/talk/GYGHXX/", "title": "Python in Fedora: Integrating a language ecosystem in a distro", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "The Fedora Python SIG and the Python maintenance team at Red Hat\r\nare systems integrators who work at the intersection of two worlds:\r\na cross-platform ecosystem and a platform open to all kinds of software.\r\n\r\nThis talk introduces both Python packaging and RPM,\r\nexplains why we go through the trouble to repackage Python projects in RPM,\r\nand covers some of the issues we're solving.", "description": "Python packaging is evolving quickly over the past few years,\r\nwith a focus on standards that allow cooperation between different tools.\r\nThe \u201ctraditional\u201d way to package projects \u2013 setuptools \u2013 is still dominant,\r\nbut its new aim is to be just one way to do things, so better competitors\r\nare able to overtake it.\r\n\r\nThe Python ecosystem is centered on PyPI, the Package Index:\r\na place where anyone can share their project with the world.\r\nThe usual way to install from PyPI 
is into *virtual environments*,\r\nsemi-isolated environments that\r\ndon't conflict with each other or the base system (when used well).\r\nPackages from PyPI are generally easy to install on any platform.\r\n\r\nRPM is a package format for building a *distro*: collection of packages\r\nthat's coherent (designed to work together) and complete\r\n(with everything from the kernel to the GUI apps).\r\nIt's used for packaging software written in any language, although\r\nit does have a historical bias for C projects and the Autotools\r\n*configure-make-install* paradigm, and works much better in ecosystems that\r\ncare for *distro*-style integration (as opposed to *monorepos*).\r\n\r\nRPM (and system packages in general) have several advantages over\r\nPython (and language ecosystems in general): tighter integration with the\r\nsystem, and common tools for handling packages \u2013 installation\r\n(so a non-Pythonista can easily get a Python-based tool/dependency),\r\nauditing delivery pipelines, system integration and integration testing,\r\nand so on.\r\nThat makes it worth the time to repackage projects from PyPI as RPMs.\r\n\r\nPython packaging's focus on cooperation between different tools\r\nand RPM's focus on combining language ecosystems play together nicely,\r\nwith opportunities for collaboration and improvements in both ecosystems.\r\nOur goal in Fedora is to make repackaging a Python project as RPM as\r\neasy as possible. New Python packaging macros and guidelines released\r\nin June 2021 reuse metadata from upstream, leaving packagers to focus on\r\nsystem integration: applying necessary changes (hopefully ones\r\nthat will make it back to the project), running tests (and convincing\r\npeople that it's nice to have tests pass in environment other than the\r\nproject's CI), integrating non-Python software, and so on.\r\n\r\nWhen bridging the two worlds, we run into issues with naming, versioning,\r\nlicenses, testing, documentation, optional dependencies. 
Some of which\r\nare solved easily, some of them need more work and discussion.\r\n\r\nWe hope that in the long run, making Fedora and Python work together\r\nhelps other distros and language ecosystems as well.", "recording_license": "", "do_not_record": false, "persons": [{"code": "SCAGQW", "name": "Petr Viktorin", "avatar": "https://pretalx.com/media/avatars/SCAGQW_gVfuTj1.webp", "biography": "Petr is a Python core developer and Fedora packager. He works in the Python maintenance team at Red Hat.", "public_name": "Petr Viktorin", "guid": "6cf72eda-9293-5fe9-9d29-a56ead87f692", "url": "https://pretalx.com/packagingcon-2021/speaker/SCAGQW/"}, {"code": "TARERD", "name": "Miro Hron\u010dok", "avatar": "https://pretalx.com/media/avatars/TARERD_kYYxKD9.webp", "biography": "I am a member of the [Fedora](https://getfedora.org/)'s [Python SIG](https://fedoraproject.org/wiki/SIGs/Python).\r\n\r\nAs a Linux distribution packager and packager mentor, I\u2019ve seen hundreds of upstream projects and hundreds of distro packages. I help design packaging upstream and downstream.\r\n\r\nI work at [Red Hat](http://www.redhat.com) Czech in the *Python Maintenance* team. I teach advanced Python (and Python packaging) at the [Czech Technical University](https://www.cvut.cz/) and I teach beginners in the Czech [PyLadies beginners courses](https://pyladies.cz/). 
I\u2019m a contributing member of the [Python Software Foundation](https://www.python.org/psf/) and a member of the [Fedora Engineering Steering Committee](https://fedoraproject.org/wiki/Development/SteeringCommittee) and the [Fedora Packaging Committee](https://fedoraproject.org/wiki/Packaging_Committee), where I represent the technical and packaging leadership in Fedora.", "public_name": "Miro Hron\u010dok", "guid": "9b031870-45a3-550c-a080-defce80d867c", "url": "https://pretalx.com/packagingcon-2021/speaker/TARERD/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/GYGHXX/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/GYGHXX/", "attachments": []}, {"guid": "eac38893-f117-5fb7-9db4-01db1e4efaf4", "code": "SPQKAL", "id": 12061, "logo": null, "date": "2021-11-10T19:30:00+00:00", "start": "19:30", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-12061-changes-in-python-packaging-what-downstream-packagers-need-to-know", "url": "https://pretalx.com/packagingcon-2021/talk/SPQKAL/", "title": "Changes in Python packaging \u2013 what downstream packagers need to know", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "Python packaging has changed a lot in the last few years. New tools such as Poetry and Flit allow creating packages without the traditional `setup.py` file, and new standards mean that `pyproject.toml` files are now the linchpin for building and installing Python modules. The wheel package format, which is somewhat older, has also gained a more central role.\r\n\r\nI\u2019ll explain what has changed, including a brief summary of what motivated these changes. Then I\u2019ll discuss how you can use the new standard interfaces and formats, with a focus on people re-packaging Python packages into other distribution systems such as Conda, Spack, or Linux distribution repositories. 
I\u2019ll introduce the low-level \u2018build\u2019 and \u2018installer\u2019 tools, and compare them to the more widely used \u2018pip install\u2019.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "3CLNKX", "name": "Thomas Kluyver", "avatar": null, "biography": "Thomas has worked on Python packaging tools, including creating [Flit](https://flit.readthedocs.io/en/latest/), and been involved in discussions to establish interoperability standards such as [PEP 517](https://www.python.org/dev/peps/pep-0517/).", "public_name": "Thomas Kluyver", "guid": "b9815007-4d02-5d6c-bf04-7d7da2a9808c", "url": "https://pretalx.com/packagingcon-2021/speaker/3CLNKX/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/SPQKAL/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/SPQKAL/", "attachments": []}, {"guid": "23850601-e5af-517c-b343-d1e4d05ef7c6", "code": "FGVPWP", "id": 12255, "logo": null, "date": "2021-11-10T19:55:00+00:00", "start": "19:55", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-12255-serving-and-managing-reproducible-conda-environments-via-conda-store", "url": "https://pretalx.com/packagingcon-2021/talk/FGVPWP/", "title": "Serving and Managing Reproducible Conda Environments via Conda-Store", "subtitle": "", "track": "Registries", "type": "Talk", "language": "en", "abstract": "End users think in terms of environments not packages. The core philosophy of conda-store is to serve reproducible conda environments in as many ways as possible to users and services. Conda-store was developed due to a significant need we found in enterprise architectures. There are many ways to serve environments and each plays an important role. Thus conda-store serves the same environment via a filesystem, lockfile, pinned yaml specification, conda pack archive, and docker image. 
This logic could easily be extended to also support the creation of VM iso's and singularity containers \r\n\r\nDuring this talk I will highlight some common problems with environments we have seen while consulting and show how conda-store aims to solve them:\r\n - Friction between IT and end users in controlled environments where new packages are needed\r\n - Enabling a given notebook developed within jupyterlab to be reproducibly run in workflows reliably for years to come\r\n - Helping to removing the need for specially crafted docker containers\r\n\r\nThis talk will be full of demos along with a site that everyone in the talk can try out.", "description": "End users think in terms of environments not packages. The core philosophy of conda-store is to serve identical conda environments in as many ways as possible. Conda Store controls the environment lifecycle: management, builds, and serving of environments.\r\n\r\nIt **manages** conda environments by:\r\n - watching specific files or directories for changes in environment filename specifications\r\n - provides a REST api for managing environments\r\n - provides a command line utility for interacting with conda-store conda-store env [create, list]\r\n - provides a web ui to take advantage of many of conda-store's advanced capabilities\r\n\r\nIt **builds** conda specifications in a scalable manner using N workers communicating via Celery to keep track of queued environment builds.\r\n\r\nIt **serves** conda environments via a filesystem, lockfiles, tarballs, and soon a docker registry. Tarballs and docker images can carry a lot of bandwidth which is why conda-store integrates optionally with s3 to actually serve the blobs.\r\n\r\n\r\nBelow are highlighted some common problems with environments we have seen while consulting and show how conda-store aims to solve them.\r\n## IT and End User Friction\r\n\r\nWe saw tension between the IT/sysadmins and end users who use the environments that they build. 
When IT gets a request for a new package in an environment, they need to rebuild the environments and check that the package satisfies their constraints. This process may take several days and at best will not be immediate. While developers need packages in their environments as soon as possible to do interesting new research. This situation often led to a lot of frustration on both sides for good reason. Conda-store aims to address this by allowing users to control a set of environments in their namespace while allowing IT to having all environments under their control.\r\n\r\n## Reproducibly Productionizing Environments\r\n\r\nAnother issue we saw was the need to quickly productionize workflows and ensure that they may run for many years to come. Often times developers will experiment with a given environment and create a notebook to run a given workflow. They will want to \u201csubmit\u201d this notebook with the given environment and run it on a cron job. The only problem is that this creates a huge burden on IT. How is IT supposed to ensure that the environment that that notebook ran with is preserved indefinitely? Conda-store addresses this by building all environment separately(including updates). There is a unique key that identifies any given environment. Furthermore this environment is available in many different forms: yaml, lockfile, conda tarball, and docker image. 
The advantage here is that the workflow orchestration framework may run significantly different from the developer environment and we need a way to ensure that environments are the same.\r\n\r\n - Documentation: https://conda-store.readthedocs.io\r\n - Repository: github.com/quansight/conda-store", "recording_license": "", "do_not_record": false, "persons": [{"code": "E3CWKW", "name": "Christopher Ostrouchov", "avatar": "https://pretalx.com/media/avatars/E3CWKW_mzt4yef.webp", "biography": "Scientific Software developer at Quansight.", "public_name": "Christopher Ostrouchov", "guid": "bcfb10bb-3669-5ff9-a5aa-ddb721f39488", "url": "https://pretalx.com/packagingcon-2021/speaker/E3CWKW/"}, {"code": "LSHGBM", "name": "Jaime Rodr\u00edguez-Guerra", "avatar": null, "biography": "Devops curious scientific software developer, now focusing on Python packaging.", "public_name": "Jaime Rodr\u00edguez-Guerra", "guid": "f4dc3c0a-893a-5826-89fb-9527f5ae9c01", "url": "https://pretalx.com/packagingcon-2021/speaker/LSHGBM/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/FGVPWP/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/FGVPWP/", "attachments": []}, {"guid": "f5f83567-a509-5ce6-a91c-b28d16be6804", "code": "XTAJ7Z", "id": 12115, "logo": null, "date": "2021-11-10T20:15:00+00:00", "start": "20:15", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-12115-tools-for-packaging-and-using-portable-tex-documents", "url": "https://pretalx.com/packagingcon-2021/talk/XTAJ7Z/", "title": "Tools for packaging and using Portable TeX Documents", "subtitle": "", "track": "Deep Dives", "type": "Talk", "language": "en", "abstract": "Both software and documents have dependencies. This talk focuses on managing document dependencies, to reduce both network and computation latency, and to ensure reproducible build (or typesetting) behaviour. 
Web development has a strong focus on reducing user experienced latency, as does serverless cloud computing.\r\n\r\nAt present human activity and large downloads are required to achieve these goals for TeX documents.  To improve matters the speaker has introduced the concept of Portable TeX Documents (PTD).  The PTD concept is intended to bring to source documents and the TeX community benefits similar to the benefits Portable Document Format (PDF) brought to Word users and Adobe.\r\n\r\nThe concepts and tools underlying PTD, particularly mounting git as a read-only file system, and the use of git backing stores (alternate object databases) are likely to be useful elsewhere. This is particularly true when most of the variability of a system lies in a small folder of text files (which is the case for TeX's typesetting inputs).", "description": "Adobe's Portable Document Format (PDF) stores the output of a typesetting process. It includes a structured storage system for storing dependencies such as fonts, graphics, multimedia objects and other resources. The speaker is creating similar tools and standards for the inputs to a typesetting process. It will allow authors and others to collaborate using Portable TeX Documents (PTD).\r\n\r\nA key technology will be git used with a backing store (ie alternate object database). Each PTD will be a git tree containing all typesetting inputs. Shared resources such as fonts and style files will be placed in the backing store. Being able to mount a git repository as a read-only file system would be very helpful. Use of PTD will greatly reduce the human, bandwidth and storage cost of typesetting a new TeX document in your inbox. It will also greatly increase the sender's confidence that your output will be identical to theirs.\r\n\r\nThe basic idea of PTD is to use git with a backing store. 
This technology and associated tools will be most helpful when most of the variability of the system lies in a small folder of text files (which is the case for TeX's typesetting inputs). For more information see [video discussion of Portable TeX Documents](https://www.youtube.com/playlist?list=PLw1FZfIX1w7gcm6b4MzRKDIlW7xV4yFnd).\r\n\r\n* [Slides for my talk](https://www.slideshare.net/jonathanfine/portable-tex-documents-ptd-packagingcon-2021)\r\n* [Video of my talk (21min)](https://www.youtube.com/watch?v=oDoQ2G48aqM&t=12039)\r\n* Development will take place at https://github.com/arxtex/ptd.", "recording_license": "", "do_not_record": false, "persons": [{"code": "FM3GTC", "name": "Jonathan Fine", "avatar": "https://pretalx.com/media/avatars/FM3GTC_11TzRtT.webp", "biography": "I'm a long-term user and developer of TeX. I'm now retired from the Open University in the UK, where I was the LaTeX officer. My talk on Portable TeX Documents is based on my experience of problems in packaging TeX, informed by my knowledge of Python, Elm and Debian.\r\n\r\nhttps://jfine2358.github.io/", "public_name": "Jonathan Fine", "guid": "07551d91-6864-53da-a4bd-094d5a4a07fc", "url": "https://pretalx.com/packagingcon-2021/speaker/FM3GTC/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/XTAJ7Z/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/XTAJ7Z/", "attachments": [{"title": "SLIDES for this talk (PDF).", "url": "/media/packagingcon-2021/submissions/XTAJ7Z/resources/packagingcon-2021_N1yHKix.pdf", "type": "related"}]}, {"guid": "e359632c-671e-5593-ba56-63da3d7f7c8b", "code": "CEVLC3", "id": 12299, "logo": null, "date": "2021-11-10T20:40:00+00:00", "start": "20:40", "duration": "00:20", "room": "Room 3", "slug": "packagingcon-2021-12299-the-quirks-and-challenges-of-pip-s-test-suite-and-ci", "url": "https://pretalx.com/packagingcon-2021/talk/CEVLC3/", "title": "The quirks and challenges of pip's test suite and CI", "subtitle": "", 
"track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "`pip`, Python's package manager, is developed independently from the Python language by a fairly independent team. It has an extensive test suite, with significant complexity and computational requirements. A mix of I/O heavy tests and CPU heavy tests, combined with the wide matrix of supported platforms and Python versions, introduce some interesting challenges when needing to run an overall CI workflow in a reasonable amount of time. This talk goes into the trials and tribulations of getting the CI for pip to run in less than 30 minutes.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "RAU38R", "name": "Pradyun Gedam", "avatar": "https://pretalx.com/media/avatars/RAU38R_5CHmXsN.webp", "biography": "Maintainer of pip, packaging and various other tools for Python Packaging. Maintainer of TOML. Moderator on PyPI. Member of the Python Security Response Team. Member of the Python Packaging Authority. Maintainer of various Sphinx-related tools. 
Member of Executable Books project.\r\n\r\nAt his day job, Pradyun is a part of Bloomberg Engineering\u2019s London Python Infrastructure team, and works to make it easier for software developers to write software in Python.", "public_name": "Pradyun Gedam", "guid": "2126939a-6259-5cd6-990d-761b17c1c8a6", "url": "https://pretalx.com/packagingcon-2021/speaker/RAU38R/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/CEVLC3/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/CEVLC3/", "attachments": []}], "Room 4": [{"guid": "4a5aa86d-b2c2-5ccd-a2f6-f4f76d88a734", "code": "LVPMSN", "id": 11990, "logo": null, "date": "2021-11-10T17:00:00+00:00", "start": "17:00", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-11990-adventures-in-packaging-rust-programs", "url": "https://pretalx.com/packagingcon-2021/talk/LVPMSN/", "title": "Adventures in packaging rust programs", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "Rust has been around as a language for about 10 years now and a necessary part of distribution packaging for at least the last 4 with Firefox depending on it. In Guix we've been struggling to have a sane way to package rust applications and all their dependencies while trying to keep a handle on visualizing build chains and an ever expanding package set.", "description": "Installing rust programs from the command line using cargo is straightforward, but what happens when distributions get involved and try to package them? With every input coming from the distribution, how can we make sure to track package dependencies when a package depends on the sources of other packages and not their compiled outputs?\r\nIn Guix we've been packaging all the input crates and using their sources. 
However, the standard build chain assumes compiled packages as build-time inputs for the next package, and this collapses when we only need the source of the input package.\r\nDon't forget the next step! Users of the distributions are supposed to be able to get their development environment from the distribution too! So... how do we give them all these crates in a useful manner?", "recording_license": "", "do_not_record": false, "persons": [{"code": "EBYFCQ", "name": "Efraim Flashner", "avatar": "https://pretalx.com/media/avatars/EBYFCQ_CY4mIbK.webp", "biography": "Efraim has been a contributor to GNU Guix since 2015 and apparently likes porting Guix to new architectures, having contributed to at least the aarch64, powerpc, and riscv64 ports. He can regularly be found using IRC from his phone to answer questions and has yet to learn Emacs.\r\nWhen asked, he says watching all the compiling in the terminal window is soothing, with intermittent bouts of shouting 'NO' at the screen. He lives in Northern Israel with his family.", "public_name": "Efraim Flashner", "guid": "3d453f94-3ed8-5edc-ab9c-6602c3287e33", "url": "https://pretalx.com/packagingcon-2021/speaker/EBYFCQ/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/LVPMSN/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/LVPMSN/", "attachments": [{"title": "slides in rst format", "url": "/media/packagingcon-2021/submissions/LVPMSN/resources/AdventuresInPackagingRustPrograms_GGiLpKn.rst", "type": "related"}]}, {"guid": "e1c8d318-e0a1-58e9-b468-15c756a640ba", "code": "AMEDRN", "id": 12203, "logo": null, "date": "2021-11-10T17:25:00+00:00", "start": "17:25", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-12203-generating-different-base-systems-from-the-same-inputs-in-freedesktop-sdk", "url": "https://pretalx.com/packagingcon-2021/talk/AMEDRN/", "title": "Generating different base systems from the same inputs in Freedesktop SDK", "subtitle": "", "track": 
null, "type": "Talk", "language": "en", "abstract": "The Freedesktop SDK began life providing a runtime for the Flatpak app distribution tool. Now Freedesktop SDK generates a variety of base reference systems, including common libraries and utilities for other projects to build on top of. It's not easy to do this reliably, so let's talk about the tools and processes that make this possible.", "description": "This talk will focus on how the Freedesktop SDK project:\r\n\r\n* Controls the entire delivery pipeline to continuously build, test and integrate, keeping the main branch constantly green\r\n* Uses BuildStream and plugins to generate Flatpak runtimes,  OS images and containers\r\n* Guarantees ABI stability\r\n* Aims for reproducible builds", "recording_license": "", "do_not_record": false, "persons": [{"code": "HFVMNT", "name": "Sam Thursfield", "avatar": "https://pretalx.com/media/avatars/HFVMNT_qEBRymR.webp", "biography": "Sam Thursfield is a long time operating systems developer and GNOME Foundation member. He currently works for Codethink Ltd.\r\n\r\nHis interests include music making and rock climbing. 
He continues to learn from his old mistakes while also making new ones.", "public_name": "Sam Thursfield", "guid": "bd26914d-e0ac-5ce6-a0a4-da38018cbcf8", "url": "https://pretalx.com/packagingcon-2021/speaker/HFVMNT/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/AMEDRN/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/AMEDRN/", "attachments": []}, {"guid": "abf17dc8-1756-5000-9f53-68cd30c123d6", "code": "88VTJZ", "id": 11984, "logo": null, "date": "2021-11-10T17:50:00+00:00", "start": "17:50", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-11984-triforce-repository-management", "url": "https://pretalx.com/packagingcon-2021/talk/88VTJZ/", "title": "Triforce: repository management", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "As repositories grow in size with packages, the time complexity starts to become O(n*log(n)) to keep the metadata up-to-date, because retaining the history requires re-parsing published packages and those must be available locally.\r\n\r\nAt NVIDIA, the Triforce repository management system handles the release process in O(n). To re-generate the metadata, one or more product release candidates are merged together using OverlayFS, on top of the public repository; this avoids the need for copying hundreds of gigabytes of existing packages, significantly reducing the I/O and storage usage.\r\n\r\nAnother consideration is how long it takes to build the metadata, by default generated from scratch each time. For RPM repositories, createrepo_c has the flag --update which skips over existing packages that have not changed. However for Debian repositories, existing tools such as apt-ftparchive lack such functionality. Comparing the filenames and file sizes is a good enough indicator if the package can be skipped. Parsing dpkg --info, it is possible to form the fields in a deterministic order for each block. 
From there it is as simple as appending the new metadata to the existing Packages.gz and regenerating the Release file.", "description": "Package repositories are a core component of most Linux distributions, providing a mechanism for installing and updating various software components. Package managers require an entry point such as repomd.xml (RPM) or Release (Debian) to discover software available in a repository and using properties stored in a manifest file, like *-primary.xml.gz (RPM) or Packages.gz (Debian) such as version, dependencies, and conflicts to build a transaction to execute.\r\n\r\nFor the CUDA repository, on a per distro / arch basis, everything is stored into one package repository. This is compounded as release candidates for independent products are validated in parallel, where product A may ship before product B, vice versa, or simultaneously. To handle these different scenarios, a train model is implemented in which one or more \u201cpassenger\u201d RCs may be released during a given slot.\r\n\r\nThis talk will describe some of the challenges of releasing deliverables on a fast cadence, lessons learned, and finally provide examples of code used in production.", "recording_license": "", "do_not_record": false, "persons": [{"code": "GVPUYH", "name": "Kevin Mittman", "avatar": "https://pretalx.com/media/avatars/GVPUYH_VxqdmjN.webp", "biography": "Kevin Mittman is a GNU/Linux enthusiast with a passion for automation. He is a system software engineer at NVIDIA, with a focus on the installer packaging and release process for CUDA, the NVIDIA driver, and other CUDA-X products. 
Before joining NVIDIA, Kevin began his career in the open source community, maintaining Debian packages for Maemo and later an ArchLinux-based kiosk Linux LiveUSB distro.", "public_name": "Kevin Mittman", "guid": "9fc4dce7-6459-52cf-8c48-c2aecad3acd8", "url": "https://pretalx.com/packagingcon-2021/speaker/GVPUYH/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/88VTJZ/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/88VTJZ/", "attachments": [{"title": "Slides", "url": "/media/packagingcon-2021/submissions/88VTJZ/resources/Repository-Management_PackagingCon_uRvBEKW.pdf", "type": "related"}]}, {"guid": "6ab6a6b1-373c-5904-b191-5da858519fef", "code": "NFEWWA", "id": 11972, "logo": null, "date": "2021-11-10T18:20:00+00:00", "start": "18:20", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-11972-challenges-with-java-in-a-hermetic-world", "url": "https://pretalx.com/packagingcon-2021/talk/NFEWWA/", "title": "Challenges with Java in a hermetic world", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "Nix and similar tools (Spack) promise a reproducibility story for packages (from source or bitwise).\r\nSpecifically within Nix, several languages have successfully integrated into the ecosystem but some such as Java are oddly absent given their popularity.\r\n\r\nIn a search for how to better integrate Java into a Nix-centric workflow, we go over some current challenges with the fractured Java ecosystem and how the appeal of a federated artifact store has led to sharp edges.", "description": "- Go over high level basics for what a good integration story into Nix would be for a language\r\n- Things that make Java particularly hard:\r\n      - JARs are ZIP so inherently not reproducible.\r\n      - Maven artifactories don't enforce a cryptographic hash. 
Different artifactories can have different content for the same version.\r\n      - Fractured dependency management software (Gradle, Ivy, Ant, Maven)\r\n      - Lack of lock file and version ranges (or SNAPSHOT) cause projects to drift over time", "recording_license": "", "do_not_record": false, "persons": [{"code": "SQ8XGC", "name": "Farid Zakaria", "avatar": "https://pretalx.com/media/avatars/SQ8XGC_d56z0aK.webp", "biography": "I'm a software engineer, father and wishful amateur surfer.\r\nI have over a decade of experience writing software and am currently employed by Google.\r\nMy prior experience has largely centered around building public cloud infrastructure for AWS & Oracle.\r\nI am deeply passionate about reproducibility, developer tooling & ergonomics.\r\n\r\nhttps://fzakaria.com/\r\nhttps://www.linkedin.com/in/fmzakari/", "public_name": "Farid Zakaria", "guid": "c58ef054-db7f-581c-a255-da68db2006ac", "url": "https://pretalx.com/packagingcon-2021/speaker/SQ8XGC/"}, {"code": "TUBF3G", "name": "Carlos Maltzahn", "avatar": null, "biography": null, "public_name": "Carlos Maltzahn", "guid": "3ee83b68-cd63-5095-9897-7b3333ec4535", "url": "https://pretalx.com/packagingcon-2021/speaker/TUBF3G/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/NFEWWA/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/NFEWWA/", "attachments": []}, {"guid": "1db96914-698d-5a48-a00e-4c51f2b03fb9", "code": "AHVELM", "id": 12286, "logo": null, "date": "2021-11-10T18:45:00+00:00", "start": "18:45", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-12286-building-debian-packages-the-rpm-way-with-debbuild", "url": "https://pretalx.com/packagingcon-2021/talk/AHVELM/", "title": "Building Debian packages the RPM way with debbuild", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "Traditionally, building Debian packages is quite complicated. 
With the \"debian\" folder that needs to be merged into the source tree with all the various files, the various mechanisms of automagic that you may need to figure out in case it goes sideways, and the hugely over-descriptive yet difficult to understand Debian Policy Manual, it's no surprise that people get it wrong so often! But what if there was a simpler path to making (mostly) conformant Debian package? Enter debbuild, a tool that lets you use the simpler RPM spec file format to build a Debian package. With debbuild, it's possible to easily make portable packaging across all major distributions with very little pain! Come and see how debbuild can help make it easier to ship Linux software the right way!", "description": "This talk introduces debbuild (https://github.com/debbuild/debbuild) and talks about the history and motivation behind the creation of the tool. Additionally, it introduces debbuild-macros (https://github.com/debbuild/debbuild-macros) and walks through how to use both to create RPM spec files that build either RPM packages or Debian packages, with example packages noted.", "recording_license": "", "do_not_record": false, "persons": [{"code": "GSJ7WA", "name": "Neal Gompa", "avatar": "https://pretalx.com/media/avatars/GSJ7WA_vwcvc5B.webp", "biography": "Senior DevOps Engineer by day, Linux systems aficionado and developer by night! Neal is a developer and contributor in Fedora, Mageia, and openSUSE, focusing primarily on the base Linux system components, such as package and software management. 
He's a big believer in \"upstream first\", which has led him all over the open source world.", "public_name": "Neal Gompa", "guid": "82c6dfd8-0b89-5879-b252-127dd9394958", "url": "https://pretalx.com/packagingcon-2021/speaker/GSJ7WA/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/AHVELM/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/AHVELM/", "attachments": []}, {"guid": "038e0893-fe5f-5a62-aa2c-8de56a2e06dd", "code": "ZHG88M", "id": 12264, "logo": null, "date": "2021-11-10T19:30:00+00:00", "start": "19:30", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-12264-package-management-for-devops", "url": "https://pretalx.com/packagingcon-2021/talk/ZHG88M/", "title": "Package Management for DevOps", "subtitle": "", "track": "Deep Dives", "type": "Talk", "language": "en", "abstract": "Multi-cloud and microservices are making us redefine the meaning of a \"package.\" Modern applications span languages, operating systems, networks, and machines. To deploy a whole service, you need binaries, configuration files, environment variables, host metadata, and services must be connected and secured at runtime. For a developer, it becomes a best practice to save the entire runtime of a service as deployment configuration in version control. Deployment configurations, combined with powerful workload orchestrators, make it easy to guarantee reproducible runtime, but managing these configurations with version control and open-source dependencies starts to resemble package management. For system operators, ensuring that the computing clusters have relevant software packages installed for successful deployments can also be a challenge, as the application package landscape changes rapidly and manual provisioning slows development. \r\n\r\nTo make it easier for developers and operators to embrace DevOps, we built a package manager for deployments running on Nomad, a distributed workload orchestrator. 
This talk will cover a range of topics related to package management and DevOps workflows, including the best practices we learned while building a package manager to guide users on their journey to multi-cloud.", "description": "This talk will cover a range of topics related to package management and DevOps workflows including:\r\n- versioning for the cloud\r\n- monorepo versus multisource\r\n- building a package ecosystem\r\n- metaprogramming and dependency injection\r\n- DevOps best practices\r\n\r\nNomad is a distributed workload orchestrator built at HashiCorp. Nomad is a unique orchestrator because it is workload-agnostic, which means it can run many different types of runtime artifacts on your clusters. It can run any workload that is supported as a Nomad task driver, including Java JARs, QEMU virtual machines, Firecracker microvms, or any raw executable binary. It is also system-aware with Nomad device plugins, allowing you to run your workloads on machines with available devices such as GPUs.", "recording_license": "", "do_not_record": false, "persons": [{"code": "B9NLTG", "name": "Jasmine Dahilig", "avatar": "https://pretalx.com/media/avatars/B9NLTG_I7tvKDU.webp", "biography": "Jasmine is a software engineer at HashiCorp. 
She is an operating systems enthusiast and an avid fan of kitty caf\u00e9 themed games.", "public_name": "Jasmine Dahilig", "guid": "0abdbad1-cf53-51b3-b91f-af89420e5507", "url": "https://pretalx.com/packagingcon-2021/speaker/B9NLTG/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/ZHG88M/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/ZHG88M/", "attachments": []}, {"guid": "ae79c1af-3bc2-509d-aca1-dc587d502116", "code": "ZLJFCU", "id": 12026, "logo": null, "date": "2021-11-10T19:55:00+00:00", "start": "19:55", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-12026-dh-dist-zilla-from-dist-zilla-s-dist-ini-to-debian-s-deb-in-one-go", "url": "https://pretalx.com/packagingcon-2021/talk/ZLJFCU/", "title": "dh-dist-zilla: From Dist::Zilla's dist.ini to Debian's .deb in one go", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "Building proper Debian packages from Dist::Zilla maintained Perl modules, especially from git checkouts without having a Dist::Zilla generated tar ball yet.", "description": "[dh-dist-zilla](https://github.com/elmar/dh-dist-zilla) is a [debhelper](https://tracker.debian.org/pkg/debhelper) sequence plugin to be used in the `debian/rules` file of a Debian source package.\r\n\r\nThe intention is to be able to build Debian binary packages (`.deb` files) directly from a Dist::Zilla based Perl package or even git checkout without manually calling \"dzil build\" to generate the CPAN-wanted files (`META.yml`, `README`, etc.) or even `Makefile.PL` first. It is analogous to using `autoreconf` to generate the configure script.\r\n\r\nOne use case (and the initial motivation for dh-dist-zilla) is internal Perl modules which need to be deployed as Debian binary package and won't be uploaded to CPAN ever. Another use case is to be able to build `.deb` packages directly from git checkouts or tar-balls downloaded from GitHub, i.e. 
of not-yet released snapshots of a project.\r\n\r\nSlides at https://noone.org/talks/pkg-perl/dh-dist-zilla-packagingcon2021.html", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZJ9TRD", "name": "Axel Beckert", "avatar": null, "biography": "Sysadmin by day, [Debian Developer](https://people.debian.org/~abe/) by night; maintaining a lot of packaging-related Debian packages like [aptitude](https://tracker.debian.org/pkg/aptitude), [aptitude-robot](https://tracker.debian.org/pkg/aptitude-robot), [debsums](https://tracker.debian.org/pkg/debsums), [dh-dist-zilla](https://tracker.debian.org/pkg/dh-dist-zilla), [equivs](https://tracker.debian.org/pkg/equivs) and [debian-goodies](https://tracker.debian.org/pkg/debian-goodies), but also maintainer of other popular packages like [zsh](https://tracker.debian.org/pkg/zsh), [screen](https://tracker.debian.org/pkg/screen) and [lynx](https://tracker.debian.org/pkg/lynx), also a top 5 contributor to [debhelper](https://tracker.debian.org/pkg/debhelper) and top 15 contributor to [lintian](https://tracker.debian.org/pkg/lintian); sysadmin of the [primary Swiss Debian mirror](http://ftp.ch.debian.org/).", "public_name": "Axel Beckert", "guid": "124d88d7-09de-5f4d-9204-55566648a722", "url": "https://pretalx.com/packagingcon-2021/speaker/ZJ9TRD/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/ZLJFCU/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/ZLJFCU/", "attachments": []}, {"guid": "47abe040-04ec-558e-bcdd-340e7a92525b", "code": "PMPUSW", "id": 11993, "logo": "https://pretalx.com/media/packagingcon-2021/submissions/PMPUSW/20210929_Lxroot_kBUsrjT.png", "date": "2021-11-10T20:15:00+00:00", "start": "20:15", "duration": "00:20", "room": "Room 4", "slug": "packagingcon-2021-11993-lxroot-run-develop-and-test-packages-and-package-managers-in-a-lightweight-virtual-environment", "url": "https://pretalx.com/packagingcon-2021/talk/PMPUSW/", "title": "Lxroot - Run, 
develop, and test packages and package managers in a lightweight virtual environment.", "subtitle": "", "track": "Metadata & Building things", "type": "Talk", "language": "en", "abstract": "Lxroot is a lightweight software virtualization tool (for Linux).  With Lxroot, a non-root user can safely and easily install, run, develop, and test both packages and package managers.  Compared with other virtualization tools, Lxroot is safer, smaller, conceptually simpler, and arguably more flexible (within the limits of what is possible as a non-root user).\r\n\r\nLxroot allows a non-root user to create chroot-style virtual environments via Linux namespaces.  Lxroot simply creates and configures these chroot-namespaces, and then runs programs inside them.  All the virtualization work is done directly by the Linux kernel itself, via its namespace capabilities.\r\n\r\nLxroot allows the simultaneous use of multiple package managers, both system package managers (such as pacman, apk, xbps, etc.), and non-system package managers (such as pip, npm, Flatpak, conda, mamba, Spack, etc.).\r\n\r\nLxroot allows a non-root user, on a single host kernel, to easily mix-and-match packages, userlands, and package-managers from multiple sources, including from multiple different Linux distributions.\r\n\r\nDue to its simple and flexible nature, Lxroot has a variety of use cases related to the development, testing, and use of packages and package managers.\r\n\r\nMore information here:  \r\nhttps://github.com/parke/lxroot", "description": "This talk is an introduction to basic and intermediate use of Lxroot, with a special focus on topics related to packages and package managers.\r\n\r\nTopics covered:\r\n\r\n1.  About Lxroot\r\n  -  introduction & goals\r\n  -  related tools\r\n  -  Linux namespaces & performance\r\n  -  lightweight virtualization\r\n  -  limitations\r\n2.  
Three demos\r\n   -  install a guest userland\r\n   -  demo of non-distro package managers: pip, npm, Spack, Nix, Flatpak\r\n   -  build an Alpine Linux package\r\n3.  Discuss\r\n   -  compatibility with distro package managers\r\n   -  Lxroot's command line interface\r\n   -  use cases vis-a-vis building, testing and installing packages\r\n   -  unexplored territory\r\n4.  Conclusion\r\n\r\nMore information here:  \r\nhttps://github.com/parke/lxroot", "recording_license": "", "do_not_record": false, "persons": [{"code": "XTJYK8", "name": "Parke Bostrom", "avatar": null, "biography": "Parke Bostrom started writing computer programs in the 1980s.  He lives in California.  He believes a computer can only truly be \"personal\" if the user, and not the package manager, controls how software is installed, and how software runs.", "public_name": "Parke Bostrom", "guid": "ef6517f3-9a13-553e-b532-ae5356769f4d", "url": "https://pretalx.com/packagingcon-2021/speaker/XTJYK8/"}], "links": [], "feedback_url": "https://pretalx.com/packagingcon-2021/talk/PMPUSW/feedback/", "origin_url": "https://pretalx.com/packagingcon-2021/talk/PMPUSW/", "attachments": [{"title": "Lxroot presentation slides", "url": "/media/packagingcon-2021/submissions/PMPUSW/resources/20211110_Lxroot_7ILURuB.pdf", "type": "related"}]}]}}]}}}