So, I want to introduce to you Ludovic Courtès, sorry for my pronunciation if it's wrong, and he has a talk about Guix in the container age, system managing. Yeah, welcome.
Thank you for the introduction. All right, good evening everyone. So indeed I'm going to talk about GNU Guix and, I mean, containers, the track is containers and security, I think it's called, so I'm a bit of an outlier because I'm going to talk about Guix, which is in part about containers but, you know, it's mostly about deployments in general, and it's a bit also about distros, so yeah, I'm an outlier. So before I start talking about Guix itself, let me just do a brief introduction to talk about distros and the state of distributions. So if you were already in this room early in the afternoon, like at 2pm I think, there was a talk, and the abstract for the talk had these lines, which is, you know, the Linux distribution as we know it is coming to an end and it's being replaced roughly by containers. So I suppose that many people in the audience are pretty much into containers and using Docker and this kind of tools, so perhaps you can feel that there is some truth in that statement, and I do feel that there is some truth in that statement, right? We're all using containers more and more, yet I would like to challenge that idea that, you know, this is the future, this is the only way we can move forward. Actually, last year at FOSDEM I was giving a talk in the distributions dev room, and so I wanted to look at the history of distributions with respect to other tools, and yeah, like I said, last year we were in a, you know, so the distributions dev room was much smaller than this one and that was mostly distribution developers, and I had the impression that it was actually the desperate distribution developers dev room in a way, because, you know, distributions are not so much in fashion these days. That's my impression, perhaps you would agree.
But back when I started with free software we had these distributions, for example Slackware, Debian and the Red Hat distribution, and they were pretty much at the center of the stage for free software. Like, they were the gateway to free software. You had, I mean, that was really high technology in a way. It allowed you to deploy software in a way that was pretty much new, like proprietary software didn't have anything equivalent, and you could quickly run apt-get install blah and you get your application plus all its dependencies, you don't have to compile it, it's just, you know, high tech, right? So there was, I think there was a lot of activity around distributions and they're at the center of the stage, right, that was the golden age of distributions.
But then it started becoming cloudy. People started to realize there are some shortcomings in distributions as we know them. So for example, I happen to work with people who do high-performance computing, HPC, so they are using clusters with lots of users, and obviously you're not going to run sudo apt-get install on the cluster, right? I mean, some people do, but not every user, it's only sysadmins. So you need to find a way to allow scientists to deploy their software stack, and for that, well, you can just let them compile everything by hand, or you can use one of the tools that have been developed over time.
So for example, one of the most common ones is called modules, I don't know if you've heard about that one, it's extremely common on HPC clusters. It basically allows you to define your programming environment, so you can say module load OpenMPI, module load GCC, blah blah blah, and every user can define their environment independently of other users, so you get a lot of flexibility. But of course the downside is that HPC sysadmins end up creating a distribution on their own just for their own cluster, and so there is a lot of duplicated work. It's not, you know, it's not exactly efficient, I would say. But yeah, modules is pretty much like virtualenv, and so you've probably heard about virtualenv for Python. Modules is somehow more generic, but it doesn't take care of actually building the software, so you still need to do it by hand. And then there are tools like Spack or EasyBuild that actually take care of automating builds, like running configure, make, make install for each of your packages. Roughly, these are package managers layered on top of the distribution that's running in the system, so in a way we're already layering additional package managers on top of the distribution just because the distribution has limitations, right? That doesn't feel so great.
And then you have deployment tools like Ansible, Puppet, Propellor, Chef, all these tools. So these are not package managers, right, so it's kind of a different category, but still, I think, you know, deploying software in general is kind of the distribution's job, right? Typically when you deploy systems using Ansible, you fiddle with the configuration of the system, you install packages and things like that. It's sort of the distribution's job, just applied to a bunch of machines instead of just a single machine, roughly. So it tells something that we have to yet add another layer of tools on top of the distribution just to, you know, address that use case. Well, it can still get worse. I'm sure you're familiar with all the, you know, language-specific package
managers. They are wonderful tools for, you know, people who develop programming languages. You know, it's a very easy way to allow your users to get started and use libraries in your language, that's great from that point of view. But, you know, it adds another layer of software deployment on top of all these tools, and it becomes a little bit messy when, I mean, in practice many people end up using, you know, like five of these tools, maybe on a daily basis, because they want to deploy Python code, maybe, you know, Rust code, maybe Haskell code, and so you have lots of different tools depending on the kind of code that you're deploying. Doesn't feel great.
And lastly, well, that's the thunder: containers, right? So it's become so complex to manage all these software stacks that you need to have a way to say, all right, I'm just giving up. I managed to get something that works, right, I managed to get to a state that's actually usable, I have all my software installed for my application, this is perfect, I don't want to touch it anymore, so I'm just going to freeze it in an image, a Docker image for example, and then I can carry the bits of my system to another machine, for example, and I can run my application again without having to fiddle with pip, cargo, apt-get, blah blah blah. It does solve problems, practical problems for people, but still it doesn't feel right to me, right? We're sort of giving up on deployment, right? It's too complex, let's just freeze, we get an image and then we use it and we don't bother anymore. Doesn't feel right.
So my question last year in that distributions dev room was: are distros doomed? Well, maybe, maybe not. The good news for distributions is, you know, well, we had people saying Debian and other distributions are going to be that thing you run Docker on and little more, you know, it's the end. But the good news is it's also that thing you run inside Docker, because that's how you deploy software, right? So that's the ownCloud Dockerfile, for example, how to deploy their dependencies: well,
first I start by running apt-get, and that's it. So that tells something, and to me it means that perhaps we should pay attention. Yeah, going back to that Dockerfile: it's great, it does a job, but it lacks transparency. So if we look at the first line, the first line of the Dockerfile says, okay, I'm going to start with that big blob that contains, you know, a whole distribution, and from there I'm going to run a bunch of commands to modify the state of my container image, to install additional software and so on and so forth. And so the end result of that is that containers are like smoothies. So that's a phrase I borrowed from Ricardo Wurmus, another Guix hacker. A container is like a smoothie in the sense that you can taste it, right, you can say whether you like it or not, whether it's to your taste, but it's really hard to say what's inside that smoothie, right? It's like, yeah, it's right, but what's in there? I don't really know. And it lacks transparency.
And usually when we say that, people come to us and say, well, look, come on, you're exaggerating, we have a Dockerfile, so it's entirely transparent, we know what's inside. Well, do we? I mean, if we go back to that Dockerfile, can someone really tell me what software packages are in there? I'm not sure. You know, we're just, if you run that Dockerfile, we're going to get different results every time you run it, because the first command that we run in there is apt-get update, right? So if I run it today, I'm going to get, you know, specific versions of the packages, but if I run it in two months, I'm going to get different versions, so that's not great. Plus, if you look at that FROM line up there, it doesn't tell us what's in there. So the abstraction level is the wrong one. We'd like to think in terms of packages that are available, and what we have instead is something pretty opaque. So I believe we should not throw out the baby with the bathwater. Oh, I took this picture from Wikipedia and I learned that it's actually a German saying from the 16th century. Yeah,
keep learning things while you're procrastinating. Anyway, so probably there are still valuable things we can learn from distributions, and maybe we should try to design systems not by piling tools and patches upon patches, but instead by addressing the weaknesses that make those patches appear necessary. I'm paraphrasing a sentence that some of you have probably heard before, it's not from me, we'll get to that later.
So that brings me to Guix. How many people here have heard, are familiar with Guix, I should say? Well, that's like half of the audience, I would say. All right, so if you're familiar with Guix, I guess you're allowed to take a five-minute nap because I'm going to introduce it, that's fine, and don't forget to wake up afterwards. We'll get there. So Guix, what is Guix about? So we tend to view it as a distribution or as a package manager, but it's really more than that. It's more like, you could say it's a toolbox for software deployment in general, and that includes package management in the traditional meaning of the word, but also environment management, container provisioning and operating system management, so complete operating systems.
So, to give you a feel of what it is to use Guix, to get started with Guix, of what it's like, I'll start with a quick demo, just to give you a feel. All right, so I guess the first, the way you would get started with Guix is by using, you know, the traditional guix install commands. So you would say guix install cowsay python, for example, and it does what you would expect, right, it installs packages. All right, so from there I can say echo hi | cowsay. So it seems you have to use cowsay in demos, so I thought I would do the same as everyone else, that's why I have cowsay. And all right, now I have cowsay. If we look up there at this message, it's telling me something about environment variables, right? And typically when you install software, very often you have to, you know, set environment variables so that it works just fine, and that's typically
the kind of thing I tend to forget. So here Guix takes care of telling you, well, there is a file that will set those environment variables for you, so you can just source that file, which is what I'm going to do here. And that file, if we look at that file that lives here, well, it's telling me in particular about PYTHONPATH, because I installed Python, so if I want to be able to use Python then I'd better set PYTHONPATH correctly so that it can find its libraries, right? So I've installed cowsay, Python. Let's say I can install Guile, the programming language. All right, so at this point I have Python 3, I have Guile, I have cowsay, it's all working fine. But let's say after a while I realize that Guile is such a great programming language, I no longer need Python, that can happen. So I can simply remove Python, the usual thing. It looks boring at this point, but you'll see, we're getting to the interesting bit.
All right, so I've done a bunch of operations on my system, I've installed software, you know, several times, removed software, and this is where we get to the interesting bits, which is that this was all transactional, actually, and the history of my profile, which means the set of packages that I installed, was entirely recorded. So I can just say, can you list generations of my profiles. So basically every time I made a transaction, I created a new generation, that's the way we call it, and here we see those three generations. So generation one is when I typed guix install guile, so that added Guile to my set of installed packages, which is why we see a plus there, it's like a diff, and generation three is when I removed Python from my profile, and this is why we see a minus there, it's again like a diff. The cool thing here is that you can actually roll back. All right, so I can actually roll back, so I can actually roll back, and then I can, if I have second thoughts and, well, I still need Python after all, then I can say, let's roll back. Okay, I'm going back to generation two, and at that point if I run Guix list
generations again, then I see that I'm back to generation two, that makes sense. Yeah, so to me this is in itself a good enough reason to use Guix, because as a user it gives peace of mind. Like, you know, you cannot break your system, because if you run an upgrade just before your talk and something breaks, that's fine, you can just roll back, right? So that's cool.
All right, so so far, so much for package management. The other cool thing is that, so here I've been using a sequence of guix install, guix remove commands, but I can just as well use directly a file where I declare the packages that I want to have in my profile, my set of installed packages. So let's say I want gcc, emacs, guile and gazer, then I can just create a file that contains that and pass it to guix package --manifest. Yeah, so I have an example here. So I pass that file to guix package, and then what happens is that those three packages, maybe we're not going to wait because Wi-Fi is not so fast, but those three packages are going to be downloaded if they're not available yet, and then eventually I will end up with a profile that contains precisely those three packages. This is it, right? So no need to type a sequence of install, remove, upgrade commands. That's pretty cool because it means that you can have that file under version control, for example, you can share it with other people, with colleagues or whatever, or if you're developers then you can, you know, have it as part of your project repository. It makes it very easy to deploy a set of packages.
But if you look at that manifest here, I'm just saying gcc-toolchain, for example, I'm not specifying any version. So if I really want to enable someone else to reproduce the same environment as I have here, then I need an extra bit of information, because for example GCC today is perhaps version nine, but in three months it might be version ten, and so if I run, if I use that file in three months, then I'm not going to get the same environment as right now, I'm
going to get a newer version of GCC. So how do we address that? Well, that extra bit of information that we need to know exactly how to reproduce the same environment is given by a command that's called guix describe. And so you've probably seen git describe before, and guix describe is very similar, it just tells you which revision of Guix you're currently using. So I have a commit ID here, and with that information I have Bob, Bob on his laptop running guix describe, that gives us a commit ID, and then I can have Alice on a completely different machine, maybe at a different point in time, and Alice can just say guix pull that commit and then guix package --manifest, and then Alice will get exactly the same environment as Bob: same versions, same packages, everything is the same. That's a big deal in some cases, I mean, anytime you want to have precise reproducibility, and in particular in reproducible science, for example, people are very keen on that kind of feature. And so the summary: that you can travel in space and time with Guix is pretty cool. It's actually so cool that someone ended up adding a time-machine command, so we're very much into that spirit. So time-machine does pretty much like pull followed by install in that case, so if I say time-machine that commit install hello, then I'm installing the hello package from Guix at that commit, right?
So another way to use Guix is to set up development environments, or one-off environments in general. So for example, if I want to use Python, well, I can type guix install python blah, but I can also use that guix environment command, and what it is going to do in this case is to set up a one-off environment that contains precisely those packages that I asked for, Python and NumPy. So this is what it looks like. So the --ad-hoc option says I want precisely those packages, and I'm going to run the python3 command directly in that environment, and so from there if I do import numpy, it works, right? So I have a shell where Python's available,
NumPy is available, and PYTHONPATH is set correctly so that Python can find Python and find NumPy. All right, and on top of that you can actually say, for example, let's say I want karaoke hills, I can add the --container option, and what the --container option does is the same as guix environment, but in addition to that it creates a container, so using the Linux unprivileged user namespace feature, a container that contains only the packages I asked for plus the current directory. So for example, if I do ls /home in there, there's not much in that directory, and my home is actually empty because it's not mapped from the outside of the container, right? So it's a very good way to, you know, to get in a very isolated environment where you can do your development and all that.
So I said I would talk a bit about containers, right? It turns out that sometimes you have to deal with machines that do not run Guix, right? So how do you go from a machine that runs Guix, where you have all your favorite software packages, to a machine that unfortunately does not yet run Guix, but still you want to be able to run your packages there? So how do you do that? Well, we need some sort of an interoperability bridge, and this is what guix pack does. So guix pack, the way it works: you give it a number, a list of packages, and it will create, by default it will create a tarball that contains those packages and all their dependencies, that's it. So in this case I'm getting a tarball that contains Python, NumPy, but also libc because Python depends on libc, and perhaps a couple of other libraries. It becomes really cool when you add the --relocatable option. So if you add that option, you get a tarball that contains again Python and NumPy, but in addition to that, the Python executable is wrapped in a way that allows it to just run from anywhere. So in other words, you can unpack that tarball anywhere on your file system, like in your home directory, and from there you can type ./bin/
python and it just works, right? So that relies on either, on again, non-privileged user namespaces on Linux, or on PRoot, which is another tool that allows you to virtualize the file system and things like that. But of course, if you insist on using Docker, because Docker is everywhere anyway, so if you want to transfer the bits of your packages to a Docker-powered machine, then you can always create a Docker image using the --format=docker option, and you get your Docker image, you can say docker load, docker run, it just runs, it's great.
So it may sound a bit ironic because I just said before that containers are bad, okay, but don't get me wrong. I mean, containers are really two things: there is the packaging part and the runtime part. So the packaging part is the Dockerfile, and this is what I'm criticizing, but the runtime part is just fine. And so here the advantage when you create a Docker image with guix pack is that you get a reproducible image, right? So it's not like when you use a Dockerfile, you're pretty sure that the image is not going to be reproducible, it's going to depend on the time at which you run it, for example, it's going to depend on the availability of a number of things on the network, but here, you know, it's going to be reproducible, right? guix pack python is always going to give you the same image. That makes a difference.
All right, so far so good. So I've been talking about package management, environment management, containers, now I need to talk a bit about operating systems, this is the next level. So the way it works. Oh, this is a conversation I captured on IRC a couple of days ago, and I found it a good summary of the story. So the story here, when you use Guix System, which is a standalone distribution, the story is that you just, you tell it what you want, right? You describe what you want in your operating system, and then you give it to Guix and it just puts everything in place. You just need to speak its language, of course, but like I said, it's such a
fine language anyway. So let me show you how that works. So this is an operating system declaration, hope you can read it. Yeah, so in that single configuration file you would actually describe all the details about your operating system, right? So that includes, like, the hostname, the time zone, the locale, file systems, user accounts, services, everything. And so the services here, we're just asking for not much actually, we're just asking for a DHCP client service and for OpenSSH with just the default configuration options. Don't be scared, you don't have to learn that right from the start. So typically when you get started with Guix System, you will download the ISO installation image, and the ISO installation image contains a menu-based installer, pretty much like that of Debian, where you can choose, you know, all the parameters of your system, and it generates that file for you. So that's how you would get started with Guix System.
The thing here is, once you have this file ready, you can pass it to the guix system command and do a number of interesting things. So for example, you can say guix system vm that config file, and it will create a script that spawns a VM running the system, or you can say guix system docker-image and it creates a Docker image for that system, or you can say guix system container and it creates a script to spawn a container on your machine, and lastly but importantly, you can say guix system reconfigure. In that case you just reconfigure your machine on the bare metal, so that, well, you just instantiate that configuration, right? So you no longer have to fiddle with configuration bits everywhere on your system, right? It's entirely declarative: you say how on this service in these user accounts, you say, then you type reconfigure and you get what you asked for, it's as simple as this. And the good thing is that, again, you can, well, you can first test your system in a VM, you can run guix system vm on that config and see how well it looks like, right, if it runs the way you
expect, and once you're happy with the result, at that point you can run guix system reconfigure, and if there is still for some reason a problem at that point for the configuration, you can always roll back the whole system configuration. Okay, so again it's super safe. Like, as a user you can go ahead, reconfigure, no worries, if something goes wrong you just roll back and everything is fine.
So of course people have been wanting to take it to the next level and, you know, try to deploy on a bunch of machines at once, and so this is a brand new feature actually, it's from a Google Summer of Code internship that was super productive, super efficient. And the thing we're doing here is that we define a function up here that says, all right, given the machine number n, here is the operating system configuration, so essentially it's just producing a different host name, and then here I have a bit of code that maps over a list of numbers, one, two, three, four, five, and for each number it returns a, well, a configuration for a machine that you did that operating system, and says the machine's available over SSH, and that's it. And if you pass that configuration file to the new guix deploy command, then it will actually deploy the system on all these five machines over SSH, and that's it, and this is pretty cool, I think. So this is for machines that are accessible over SSH, but there's another backend currently, that's the DigitalOcean VPS, so if you want to deploy to DigitalOcean it should work like this. This is still very much beta at this point, like, we are aware of some shortcomings, but I think it paves the way to a very convenient way to deploy over a number of machines in a reproducible way.
All right, I've been talking a lot about features, what it feels like to use Guix. I hope you now have a better idea of what it's like, what you can do with it, but I think it's also important to talk about other properties of Guix as a distribution. It turns out that Guix is very much about source code, so
it's a GNU package, so it will come as no surprise if I tell you that we're concerned about making sure that users have the freedom to actually, you know, see what software they're running, for example, modify it easily, deploy it easily and all that. And it turns out that Guix is pretty much a source-based distribution. So like I explained before, in practice you get binary packages most of the time, that's what we're aiming for, because you don't want to wait for LibreOffice to build on your laptop, right? But Guix knows about, you know, the source code that leads to a given binary artifact, that's the thing. So for example, if we look at the package definition for Audacity, it looks like this: you know, you have the usual pieces of metadata, and in particular we have the GitHub Git repo URL and specify the commit that we want to build from. So far so great, so far so good.
But I mean, if you've been following along, I told you about that wonderful time-machine command before. This is great, but what if I, you know, I go back to the future and somehow, for some reason, that Git repository disappeared in the meantime? We have a problem, right? We can no longer reproduce the binary package because we actually lost the source. And this is where Software Heritage comes in. So have you heard about Software Heritage? Yeah? All right, so Software Heritage is just an archive of source code, so they are trying to basically archive all the source code that's out there, forever, that's the idea. And it comes in very handy for free software in general, and for Guix and other distributions, because it means we can just fall back to Software Heritage whenever we want to access source code that has disappeared from its upstream location, and this is great. So we have tooling in Guix that allows us to verify whether a given repo is available in Software Heritage, and if it's not, we can say, all right, please archive this Git repo. And on top of that there is work, ongoing work by NixOS people to provide additional
information to Software Heritage so that they can, we can make sure they archive every source tarball that our distributions, NixOS and Guix, refer to. So eventually the goal is that for every package available in Guix and NixOS, well, Software Heritage will have the source code archived, so we'll be safe.
That's one thing about source code. The other thing about source code is reproducible builds. You've probably heard about that effort that was started by Debian developers some six years ago. I think it's a very important effort, because the idea here is to make sure that we have a verifiable path from source code to binaries, and if we don't have that verifiable path we're in trouble, because how can I make sure that the software I'm running on my laptop really corresponds to what it's supposed to correspond to, right? How can I make sure that my Emacs executable really comes from that Emacs tarball? And that's where reproducible builds come in. This is crucial from a user freedom perspective, but also from a security perspective, obviously.
So how do we do that in Guix? Well, here we're standing on the shoulders of Nix, because we're using a functional approach, meaning that we consider each build process of a package as a pure function in the mathematical sense. So for example, if I take Emacs, we consider that the Emacs binary is the result of applying the function f to GTK, GCC and all the dependencies of Emacs, right, where f is roughly the function that runs configure, make, make install, that's the high-level view. And then of course it's recursive, like, GTK itself is a result of applying a function to a bunch of inputs and so on and so forth. And so that's a great way to reason about reproducible builds, because in practice when we build the package, like if I run guix build hello, well, either I'm going to download a pre-built binary or I'm going to build it locally in an isolated environment, chroot, separate namespaces and so on and so forth, and because it's an isolated environment, it's a very good
context to, you know, to maximize the chances of having a reproducible build. It does not guarantee that the build is going to be reproducible, because for instance, if that hello package is going to store a timestamp in the binary, then obviously it's not reproducible bit by bit, right? But it creates the conditions that make it more likely that builds are reproducible. And so if we look at the result, well, the result of a build is stored in that directory, /gnu/store, and it has the big hash that is a hash of all the dependencies, which uniquely identify this particular build, and if the build is already available in the store we're not going to build it again. And all this is nearly bit-identical for everyone. Nearly, because when it's not bit-identical it means we have a bug, like maybe timestamps are being stored somewhere.
And so we want users to be able to take advantage of that property, and for that we have a guix challenge command that allows users to say, well, you know, I know of two different servers that provide pre-built binaries for Guix: I have ci.guix.gnu.org, which is the official build farm, and I have something at example.org. Can I really trust these two guys, right? Like, do they get the same build results as I do? I want to know. So if I run that command, I give the URLs of those servers, then it's going to report about discrepancies. So for example, here it's telling me that OpenSSL differs, like, I have a local build that has a certain hash, but the build provided by ci.guix has a different hash, and the one by example.org has yet another hash. So there must be something wrong, right? Perhaps it's just a timestamp issue, but perhaps it's a Trojan horse, right? So that needs investigation, and at this point you would run diffoscope or some kind of tool to see what the differences are.
So far for reproducible builds. This is great, but then perhaps you've heard about that "Reflections on Trusting Trust" paper from 1983, I think. Well, in that paper Ken Thompson shows that in fact it's
possible to modify a compiler, like a C compiler, in a way that will allow it to insert backdoors in the programs it compiles, and in addition to that it will allow it to insert, to reproduce itself in a way that is basically impossible to diagnose, right? It makes it impossible to see that the compiler itself is backdoored. That's a problem also, and in general in Guix we want to build everything from source, right? So we have that situation where every time we have just a binary and no source, that's a problem, and that's where bootstrappable builds come in. So it's sort of, you could see it as a continuation to reproducible builds in a way, it's all about making sure we build everything from source.
And if we go to the bottom of the dependency graph of packages in Guix, well, you'll find out that not long ago at the bottom of the dependency graph we had these five things, and these five things are just pre-built binaries that we built some day, some years ago, that contain GCC, glibc, lots of software, so it's like 250 megabytes of binary blobs that are unauditable, and it doesn't feel right, right? There could be a Trojan horse in there that replicates itself and we just don't see it, that's kind of a problem. So a bunch of crazy people, some of whom are standing in this room, decided to fix it. And what's the way to fix it? Well, you need to build everything from source, right? So you need to take this guy here, this GCC, and somehow find the way to get to build GCC from source. How do you do that? Well, it becomes a bit more complex, right? So we still have this GNU Make build up there, but before we get to build GNU Make and before we get to build GCC itself, well, we first build a very simple C compiler that in turn can build the more complex C compiler, TinyCC, which in turn can build the first GCC and then a more complex GCC, that's roughly the story. But it means that we have smaller bootstrap blobs, binary blobs at the bottom of the graph, and so we went from 250 megabytes to 130 or 140
megabytes of binary blobs, which is already a great improvement, I think. It's not black and white, you know, it's not zero bytes, that's not possible, but we're making progress. And I really invite you to go tomorrow at 11:50 a.m. to the minimalist language devroom if you want to learn more about this and what's coming next, because we are going beyond, well below 130 megabytes. This is great. I think it's crucial for free software in general and for security too.

We have the same bootstrapping problem at the level of every language, roughly. Every time you have a programming language compiler, you have that sort of problem, and for example Rust is one of them. You know, the instructions to build Rust normally is just to grab a pre-built binary of the latest Rust and then you build the next version from that. That's not great. But again, we had someone, also sitting in this room somewhere here, who worked on this, and now in Guix we're able to build everything from source. So we are using a C++ implementation of the Rust compiler to build, well, the actual Rust compiler and then a series of versions of Rust. This is great, and yeah, there's a talk tomorrow about Rust packaging in Guix if you're into that.

All right, one last thing about source code and provenance tracking. So like I said, we have a functional model where in effect when we deploy an operating system we apply a function, guix system build, to a configuration file, and the result of that is a working system. This is great, but there are cases where you would like to go the other way around, right? You would like to have the inverse function: like, you have an already deployed system and you would like to see how it was deployed, how you got to that binary artifact. How do you do that? Well, again another new feature that was recently added: there's this guix system describe command, and basically every time you instantiate your configuration with guix system reconfigure, it would also store provenance information along with your system, and
in particular it would store the configuration file itself as well as the commit that you used to, you know, to reconfigure your system. And so from there you can actually map your system, your binary artifact, back to source code. And this is again pretty cool, because then you can, like, you can do things like bisecting your system: if for example a problem was introduced, you can say, all right, this was using that commit, whereas the previous generation, the one that worked, was using this commit, so I can, yeah, bisect the problem. I think that's really nice, I like that feature.

All right, I think it's about time to wrap up. So yeah, there are actually many topics I did not include in this talk, I'm already almost out of time. There are many things going on in Guix land, like there are many people doing incredible things. So for example if you're into embedded systems, you may be interested in going to the distributions devroom tomorrow at 11 a.m., right? So I'm just, like, giving you a great program in case you don't already have one. So yeah, distributions devroom is going to talk about cross-compiling a complete operating system with Guix, so that you can build an image on a device, for a specific embedded device. I didn't really mention it much, but you've probably seen all these parentheses, and in fact Guix relies heavily on embedded domain-specific languages in Guile Scheme, and there's a lot to talk about that. And if you're into, you know, if you want to learn about the programming language technology that's just behind that and about Guile, there was a Guile 3 release just a couple of weeks ago and it's great, you need to learn about it, you should go to the minimalist language devroom tomorrow at 11:30. And last, there's also ongoing work in HPC and reproducible science. I'm going to give a lightning talk about Guix-Jupyter notebook integration tomorrow, and Efraim Flashner is also going to give a talk about the use of containers in scientific workflows. All right, so join us now, share the
parens. I invite you to install the thing. You can actually install Guix on top of your distribution, or you can choose to go for the, the one true way of installing, Guix System, the standalone distribution. But you really have the choice of using Guix on your own distribution as just an additional package manager, or going all the way to Guix System. And you can hack it, and you can also join us: we are offering an Outreachy internship, so if you want to join us, maybe now is a good time to get into free software, to hack on really nice things, right?

So just to sum up: we have Guix, it allows you to do package management, environment management, and virtual and container provisioning with guix pack, and operating system provisioning with guix system and guix deploy. The takeaway message here is that we've all migrated, over the last decade maybe, to distributed version control systems, and we've learned to value, you know, what it brings us in terms of being able to have a track record of how we change our source code and being able to, you know, to reference a specific point in time of our source code, right? We have commit IDs, we can be very precise about source code. I think reproducible deployment is a logical next step, and that's why I would encourage you to look into that technology. This is it, thank you.

Thank you, Ludovic, for a great talk. Now it's time for Q&A. Please stay silent and give the possibility only to the ones who are asking questions and answering.

Yeah, thanks for the talk. First, you were mentioning reproducible builds, and you were mentioning the reproducible builds in the context of the system, of the whole environment. I do have to admit that I don't really care about that part, because when I care about reproducibility I care about some specific aspects of it, where I have a specific version that I need of that. But there are other, how would you handle things like libraries that I want to have updated and have, like, I know,
OpenSSL, where I don't care what version it is, I want the latest one?

Well, so by default Guix would give you the latest version of the package you asked for, that's the story. So it's like pretty much any package manager in that respect. Just like with apt for example, you would run apt-get update and then apt-get install OpenSSL and presumably you get the latest version, and with Guix you would just run guix pull and then guix install OpenSSL and you get the latest version. That's the story. So, did I answer your question?

But then the reproducibility gets lost?

No, it doesn't, because every time you deploy software with Guix, you deploy it from a specific Guix revision, and so you can link that revision to a specific version of OpenSSL, for example.

The question kind of relates to the Dockerfile, which you bashed for being non-descriptive, right? And the answer, I guess, was the last command you presented, describe, right, or what it was, guix describe. This scenario: what is cool about the Dockerfile is that you announce your intention, I want to install package blah, and you don't care about what the hundred dependencies are, right? When you call describe, most likely you're describing the whole environment, which will lose this kind of intentional, you know, description: what did they want to achieve for this environment? Is there any work to kind of embed that semantic, which is somewhat inherited in the stages, or what you call the history of the environment, which somewhat describes what it was made for, right?

So how do you record what it is that you actually wanted to deploy, right? That's, yeah. So yeah, there are really two pieces of information here. So one is what you get with guix describe, which tells you which Guix revision you're using, and then there is this manifest file where you specify that you want, I don't know, this package, that package available for you. And so I think this manifest file that describes the packages that you want to have installed is kind of similar to what you
would do in a Dockerfile when you say apt-get install foo, apt-get install bar: this is where you say what you want to have deployed, right? Yeah, does that answer your question?

Sort of, yes. No, the Dockerfile forces Docker users to describe it; with Guix I could describe just by running the commands and kind of losing this forceful description, right?

Oh, by running guix install you mean, for, right. So yeah, so Guix supports really two modes of operation. So one of them is to use the manifest, where you have to describe everything, right, you have to describe every package you want to deploy. But it also supports the interactive guix install thing, which is more freestyle. I personally like it, actually, I think it's good to have something that resembles apt-get install, for example. But yeah, I agree with you, when you start using it then you kind of lose the declarative way. And so people have been complaining about it, actually, and there are ongoing discussions about tools that would allow us to export an existing profile with a set of installed packages to a manifest, that would be like the declarative thing that I showed, so that you would have a bridge from the, you know, the imperative approach where you just type guix install foo bar to the declarative thing, that file that says everything you want to have installed.

Okay, I hope that you can also move the discussion somewhere online, because time is over. Thank you, Ludovic, again for this great presentation.
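
The hash comparison that the talk attributes to guix challenge, as an added Python illustration that comes neither from the talk nor from Guix's own code. It assumes each server publishes narinfo-style metadata with `StorePath` and `NarHash` fields; the store path, hashes and the `challenge` helper are constructed for the example.

```python
# Added illustration, not Guix code. All values below are constructed.
ITEM = "/gnu/store/00000000000000000000000000000000-openssl-x.y.z"

def narinfo(store_path, nar_hash):
    """Build a constructed narinfo-style record (field names are an assumption)."""
    return f"StorePath: {store_path}\nNarHash: sha256:{nar_hash}\nNarSize: 1024\n"

# What the two servers named in the talk might answer (constructed hashes).
SAMPLE = {
    "https://ci.guix.gnu.org": narinfo(ITEM, "aaaa"),
    "https://example.org": narinfo(ITEM, "bbbb"),
}

def parse_narinfo(text):
    """Parse 'Key: value' lines; only the first colon separates key from value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def challenge(item, local_hash, responses):
    """Compare the local hash of `item` with the hash each server advertises.

    Returns (verdict, servers whose hash differs from the local one).
    """
    remote = {}
    for url, text in responses.items():
        fields = parse_narinfo(text or "")
        # Ignore servers that lack the item or answer for another store path.
        if fields.get("StorePath") == item and "NarHash" in fields:
            remote[url] = fields["NarHash"]
    if local_hash is None or not remote:
        return "inconclusive", {}  # no local build or no server to compare with
    differing = {u: h for u, h in remote.items() if h != local_hash}
    return ("differs" if differing else "match"), differing

if __name__ == "__main__":
    # The situation from the talk: local build and both servers all disagree.
    verdict, servers = challenge(ITEM, "sha256:cccc", SAMPLE)
    print(verdict)
    for url, advertised in sorted(servers.items()):
        print(f"  {url}: {advertised}")
```

A "differs" verdict only says the bits are not identical; as the talk notes, finding out whether the cause is a timestamp or something worse takes a tool such as diffoscope.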