Reproducible builds for Debian iso images?

Chris Lamb chris at
Tue Aug 11 12:02:03 UTC 2020

Vagrant Cascadian wrote:

> > Are the Debian install and live iso images deterministically reproducible?
> Unfortunately no. There has been some work in that direction, and it
> would be a good thing to improve further!

On the installer images, I did a bunch of work on the Debian side and
in the various upstream projects that it uses, and I believe they are
actually reproducible.

However, there are at least four issues until they can be generally
advertised as such:

First, we are not continually testing them. This is pending on (at
least) [0] being merged, and there may be more issues or regressions
that have come up since that was written. Second, the official images
are not being built in "reproducible mode" and nobody has asked the
Debian Installer team to do this yet. This is related to our third
problem in that there is no build attestation document for a Debian
installer image yet - a loose installer equivalent for a .buildinfo
file. We would then need buy-in from the Installer team to add more
steps to their release process to additionally validate and promise
their builds are reproducible before publishing them, and to make sure
the .buildinfo equivalent is signed and published, etc. etc.

Live images are actually a significantly different problem space. This
is due to what I call the "postinst problem". That is to say, "making
a build reproducible" involves making the build system and build
scripts deterministic. However, when you build a live image, you are
actually running the installation scripts for these packages instead
to construct that image -- they are being installed to your virtual
.iso file, rather than being built from source. There are many of
these scripts in Debian, but the main one is called the "postinst"
script, hence my name.

I make the distinction because outside of Tails, etc. there has been
little to no sustained effort to make these installation scripts
deterministic, and many of them are patently non-deterministic. I am
therefore less optimistic about the timeline of this, especially given
that (a) there has been little interest in my "vanilla" installation
image work to begin with and (b) all of the policy work that I
outlined above would also be required before Debian could say they had
"reproducible live images".



    ⬋   ⬊      Chris Lamb
   o     o 💠
    ⬊   ⬋
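The "postinst problem" described in the message above, as an added illustration (not part of the original message and not Debian tooling): a package with bit-identical contents is installed twice into an empty tree, and a per-file SHA-256 manifest shows which paths differ. The package payload, the two stand-in maintainer scripts and every file name are hypothetical and constructed for this example.

```python
import hashlib, os, tempfile, time, uuid

# Constructed package payload: identical bytes on every install.
PAYLOAD = {"usr/bin/tool": b"#!/bin/sh\necho tool\n"}

def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def postinst_random(root):
    # Hypothetical maintainer script that generates per-install state.
    write(root, "etc/example-id", uuid.uuid4().hex.encode())
    write(root, "var/lib/tool/installed-at", str(time.time_ns()).encode())

def postinst_fixed(root, epoch=1597147323):
    # Same script with its inputs pinned (constructed id and timestamp).
    write(root, "etc/example-id", hashlib.sha256(b"tool").hexdigest()[:32].encode())
    write(root, "var/lib/tool/installed-at", str(epoch).encode())

def manifest(root):
    # Content hashes only; a real image check must also cover mtimes, owners, modes.
    out = {}
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            with open(p, "rb") as f:
                out[os.path.relpath(p, root)] = hashlib.sha256(f.read()).hexdigest()
    return out

def install(postinst):
    # Unpack the payload into an empty tree, run the script, return the manifest.
    with tempfile.TemporaryDirectory() as root:
        for rel, data in PAYLOAD.items():
            write(root, rel, data)
        postinst(root)
        return manifest(root)

def differing(a, b):
    # Paths whose content hash differs or that exist in only one tree.
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))

if __name__ == "__main__":
    print("random postinst:", differing(install(postinst_random), install(postinst_random)))
    print("fixed postinst: ", differing(install(postinst_fixed), install(postinst_fixed)))
```

The shipped file never appears in the difference list; only paths written by the install-time script do, which is why reproducible package builds alone do not give a reproducible live image.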

More information about the rb-general mailing list