[rb-general] Reproducible system images
Bernhard M. Wiedemann
bernhardout at lsmod.de
Mon Dec 16 08:53:46 UTC 2019
On 15/12/2019 09.12, Lars Wirzenius wrote:
> Hi,
>
> One of my hobby projects is vmdb2 (https://vmdb2.liw.fi/), which
> creates disk images with Debian installed. I was wondering whether it
> would be possible to generate system images reproducibly.
>
> A quick experiment with debootstrap, which creates the initial
> directory tree from with my software produces the disk image, isn't
> reproducible. The main difference is the etc/machine-id file is
> generates, which contains randomly generated content. The other
> differences are log files, cache files, and file mtime timestamps. All
> of those would be possible to work on to make them reproducible.
>
> vmdb2 could make machine-id be all zeroes, which would mean a new id
> gets generated upon first boot, and written to the file. I'm not
> entirely sure of the security and other implications this has.
>
> What do others on the list think? Is reproducible system images a goal
> worth pursuing?
Others worked on this before:
https://wiki.debian.org/ReproducibleInstalls
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900918
and I looked into openSUSE's installation-images package, that has
similar problems.
There were also several post-install scripts creating files in
unreproducible ways. For normal packages that is not a problem, but for
images it is.
e.g.
https://gitlab.com/graphviz/graphviz/merge_requests/1290
and various acceleration caches.
More information about the rb-general
mailing list