[rb-general] Reproducible system images

Bernhard M. Wiedemann bernhardout at lsmod.de
Mon Dec 16 08:53:46 UTC 2019


On 15/12/2019 09.12, Lars Wirzenius wrote:
> Hi,
> 
> One of my hobby projects is vmdb2 (https://vmdb2.liw.fi/), which
> creates disk images with Debian installed. I was wondering whether it
> would be possible to generate system images reproducibly.
> 
> A quick experiment with debootstrap, which creates the initial
> directory tree from which my software produces the disk image, isn't
> reproducible. The main difference is the etc/machine-id file it
> generates, which contains randomly generated content. The other
> differences are log files, cache files, and file mtime timestamps. All
> of those would be possible to work on to make them reproducible.
> 
> vmdb2 could make machine-id be all zeroes, which would mean a new id
> gets generated upon first boot, and written to the file. I'm not
> entirely sure of the security and other implications this has.
> 
> What do others on the list think? Are reproducible system images a goal
> worth pursuing?

Others worked on this before:
https://wiki.debian.org/ReproducibleInstalls

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900918

and I looked into openSUSE's installation-images package, which has
similar problems.
There were also several post-install scripts creating files in
unreproducible ways. For normal packages that is not a problem, but for
images it is.

e.g.
https://gitlab.com/graphviz/graphviz/merge_requests/1290

and various acceleration caches.
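
Added example, not part of the original messages and not code from vmdb2 or debootstrap: a comparison of two builds of the same root tree that sorts every differing path into the causes named in the thread (machine-id, logs, caches, mtime-only changes). The `var/log` and `var/cache` locations, the function names and the sample trees are assumptions constructed for illustration.

```python
import hashlib, os, stat, tempfile
RULES = {"etc/machine-id": "machine-id", "var/log": "log", "var/cache": "cache"}  # assumed paths

def manifest(root):
    """Map each relative path to (file type, digest, mtime); symlinks are not followed."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):
                with open(full, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
            else:  # link target for symlinks, empty for directories and special files
                digest = os.readlink(full) if stat.S_ISLNK(st.st_mode) else ""
            out[os.path.relpath(full, root)] = (stat.S_IFMT(st.st_mode), digest, int(st.st_mtime))
    return out

def classify(a, b):
    """Bucket every differing path by the causes named in the thread."""
    report = {"machine-id": [], "log": [], "cache": [], "mtime-only": [], "other": []}
    for path in sorted(set(a) | set(b)):
        ea, eb = a.get(path), b.get(path)
        if ea == eb:
            continue
        key = next((k for p, k in RULES.items() if path == p or path.startswith(p + "/")), None)
        if key is None:  # same type and content means only the timestamp differs
            key = "mtime-only" if ea and eb and ea[:2] == eb[:2] else "other"
        report[key].append(path)
    return report

def build_sample(root, seed, tool_mtime, base=1576486426):
    """Constructed stand-in for a bootstrapped tree, not real debootstrap output."""
    files = {"etc/machine-id": hashlib.sha256(seed.encode()).hexdigest()[:32] + "\n",
             "etc/hostname": "image\n", "usr/bin/tool": "#!/bin/sh\n",
             "var/log/bootstrap.log": f"run {seed}\n", "var/cache/app/index": f"cache {seed}\n"}
    for rel, text in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:  # pin every mtime, then vary one file
            os.utime(os.path.join(dirpath, name), (base, base))
    os.utime(os.path.join(root, "usr/bin/tool"), (tool_mtime, tool_mtime))
    return manifest(root)

def demo():
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return classify(build_sample(a, "first", 1576400000), build_sample(b, "second", 1576486426))
```

Paths that land in `other` are the ones worth investigating first, since they differ in content and match none of the expected causes.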

