Vagrant Cascadian wrote:

> > Are the Debian install and live iso images deterministically reproducible?
>
> Unfortunately no. There has been some work in that direction, and it
> would be a good thing to improve further!

On the installer images, I did a bunch of work on the Debian side and in the various upstream projects that it uses, and I believe they are actually reproducible. However, there are at least four issues until they can be generally advertised as such:

First, we are not continually testing them. This is pending on (at least) [0] being merged, and there may be more issues or regressions that have come up since that was written.

Second, the official images are not being built in "reproducible mode" and nobody has asked the Debian Installer team to do this yet.

This is related to our third problem in that there is no build attestation document for a Debian installer image yet - a loose installer equivalent for a .buildinfo file. We would then need buy-in from the Installer team to add more steps to their release process to additionally validate and promise their builds are reproducible before publishing them, and to make sure the .buildinfo equivalent is signed and published, etc. etc.

Live images are actually a significantly different problem space. This is due to what I call the "postinst problem". That is to say, "making a build reproducible" involves making the build system and build scripts deterministic. However, when you build a live image, you are actually running the installation scripts for these packages instead to construct that image -- they are being installed to your virtual .iso file, rather than being built from source. There are many of these scripts in Debian, but the main one is called the "postinst" script, hence my name.

I make the distinction because outside of Tails, etc. there has been little to no sustained effort to make these installation scripts deterministic, and many of them are patently non-deterministic.

I am therefore less optimistic about the timeline of this, especially given that (a) there has been little interest in my "vanilla" installation image work to begin with and (b) all of the policy work that I outlined above would also be required before Debian could say they had "reproducible live images".

[0] https://salsa.debian.org/installer-team/debian-installer/-/merge_requests/13

Regards,

-- 
      o
    ⬋   ⬊      Chris Lamb
   o     o     reproducible-builds.org 💠
    ⬊   ⬋
      o

Reproducible-builds mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/reproducible-builds
