From 5e0d8cf779349458afd85faae825f8040f7390a0 Mon Sep 17 00:00:00 2001 From: Pavel Tisnovsky Date: Tue, 17 Mar 2026 08:51:06 +0100 Subject: [PATCH] Hermetic build demo slides --- docs/demos/lcore/cve_hermetic_build.html | 35 +++++++++++++++ docs/demos/lcore/cve_hermetic_build.md | 54 ++++++++++++++++++++++++ 2 files changed, 89 insertions(+) create mode 100644 docs/demos/lcore/cve_hermetic_build.html create mode 100644 docs/demos/lcore/cve_hermetic_build.md diff --git a/docs/demos/lcore/cve_hermetic_build.html b/docs/demos/lcore/cve_hermetic_build.html new file mode 100644 index 000000000..af3a9183d --- /dev/null +++ b/docs/demos/lcore/cve_hermetic_build.html @@ -0,0 +1,35 @@ + + + + + + Fixing CVEs in hermetic build environment + + + + + + + +
+
+
+
+
+
+ + + + + + + + diff --git a/docs/demos/lcore/cve_hermetic_build.md b/docs/demos/lcore/cve_hermetic_build.md new file mode 100644 index 000000000..26bd64130 --- /dev/null +++ b/docs/demos/lcore/cve_hermetic_build.md @@ -0,0 +1,54 @@ +# Lightspeed Core + +![LCORE](images/lcore.jpg) + +--- + +# Fixing CVEs in hermetic build environment + +Pavel Tišnovský, +ptisnovs@redhat.com + +--- + +## Hermetic build + +* Downloads all sdists +* Network is disabled +* All packages are built w/o network access +* Results will be added into the dest. image + +--- + +## Types of packages + +* With sources (sdist) +* With sources, but with time consuming build +* Without sources (binary wheels) +* `pip` is special a bit + +--- + +## Solution proposed by RH + +* Standard Python registry +* RH Python registry with pre-built packages + +--- + +## How to fix CVE? + +* Package in PyPi? + - update lockfile + requirements file + - ETA - hours +* Package in RH Python registry + - ask on forum-aipcc + - exact workflow to be defined + refined + - ETA - days (!!!) +* `pip` package + - dunno ATM :( + +--- + +## Thank you +
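Review bot: In cve_hermetic_build.md, the "How to fix CVE?" slide leaves two of its three branches without an actionable step: the RH Python registry branch says "exact workflow to be defined + refined" and the `pip` branch says "dunno ATM :(". Since the registry branch also carries "ETA - days (!!!)", consider stating on the slide who owns each open item and what a team should do while a fix is pending, or linking a tracking issue, so the audience is not left with an undefined path for a CVE in those packages. The "Hermetic build" slide says "Downloads all sdists", while "Types of packages" lists "Without sources (binary wheels)"; a line saying how packages without sources reach the network-disabled build would remove the apparent contradiction. Minor wording: "PyPi" should be "PyPI", the trailing "?" appears only on the first branch of the list, and "`pip` is special a bit" reads better as "`pip` is a bit special".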