[rb-general] Reproducible system images

Chris Lamb lamby at debian.org
Wed Jan 1 23:57:05 UTC 2020 

Hi all,

Apologies for the delayed response in responding to this thread until
now. Whilst I had already updated the website with a few links as
requested I had always intended to participate more but then the
holiday period and a few other celebrations caught up with me and my
overflowing inbox.

> One of my hobby projects is vmdb2 (https://vmdb2.liw.fi/), which
> creates disk images with Debian installed. I was wondering whether it
> would be possible to generate system images reproducibly.
[…]
> What do others on the list think? Is reproducible system images a goal
> worth pursuing?

As others have mentioned in outline I believe they are an important
and somewhat neglected part of following-through on the promise of
Reproducible Builds to end users.

For example, in the hypothethical scenario that building Debian
packages was always reproducible (and thus providing some assurance
about the ongoing security of your systems) if Eve could backdoor all
your initial installations of Debian this would all be for nothing.

One Debian bug you might wish to be glance through is #926242 [0]
which got somewhat stalled in the post-buster release relaxation
period; I will follow-up to this very now though and I thus thank
you for the reminder of sorts.

> Are you familiar with this project?
> https://github.com/debuerreotype/debuerreotype

Gosh, its somewhat odd to read your own name in other peoples' README
files. Whilst this was based on some work I did on debootstrap in 2015
[1] speaking in early 2020 (happy New Year all, by the way) I wonder
how much of this can or should be moved into upstream debootstrap
itself.

I mention this because in the time since I wrote the above, with the
rest of the Tails team I spent quite a bit of effort ensuring their
ISO images are reproducible and there are quite a few hacks that we do
there that should be abstracted or otherwise upstreamed/centralised
*somewhere*, although in many cases I'm not sure quite where they
would fit.

Just to take one example of many, Holger mentions that:

> apt installs packages in arbitrary order and then the postinst
> scripts eg create uids in a non-determistic way.)

… and Tails has a rather fragile hack to swap such IDs around post-
installation. (Musing out loud for a second, I wonder if APT's non-
deterministic choice of installation order could be seeded with
SOURCE_DATE_EPOCH... [2])

> https://github.com/debuerreotype/debuerreotype/blob/6b722a49935a94a9f718f07616f0863db6267023/scripts/debuerreotype-init#L176

(Just FYI I note that my patch to src:shadow [3] was merged and
released in version 4.5-1 which is now in stable and thus the above
hack could likely be removed.)

Anyway, mostly braindumping some stuff onto this thread so it's not
entirely in my head; hope it is of some help.

  [0] https://bugs.debian.org/926242
  [1] https://github.com/lamby/debootstrap/commit/66b15380814aa62ca4b5807270ac57a3c8a0558d
  [2] https://reproducible-builds.org/docs/source-date-epoch/
  [3] https://bugs.debian.org/857803


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org 🍥 chris-lamb.co.uk
       `-

More information about the rb-general mailing list