Re: Recoding the configuration for live-build images (Was: Third status update about reproducible live-build ISO images in Jenkins)

Chris Lamb chris at reproducible-builds.org
Tue Aug 31 13:53:23 UTC 2021


Hi Roland,

> > One question actually — how might a third-party reproduce these
> > images? Or putting the same question in more technical terms — are you
> > generating some kind of .buildinfo file that contains (just for
> > example's sake) the value of SOURCE_DATE_EPOCH and any other relevant
> > inputs, as well as the resulting checksums?
>
> Good question. I was initially interested in getting a reproducible
> image, the next step would be to record the required steps.
>
> The .buildinfo manpage [1] looks really tightly coupled to packages, so
> (in its present form) it cannot record the information needed for
> rebuilding a live-build ISO image.

Yes, you are absolutely right that the .buildinfo spec outlined in the
manpage you link is oriented towards packages and Debian packages in
particular.

But perhaps I should have been clearer: I was hypothesising about a
file that is *analogous* to that Debian .buildinfo format (aka. the
deb-buildinfo(5) spec), rather than using _that_ particular
specification. As in, some new file that encodes the inputs (that you
later list — thanks!) as well as the checksums of the outputs.

(I don't think the deb-buildinfo(5) spec could be hacked to fit here
tbh, although many things could obviously be inspired from it.)

> If desired, the full configuration for the lb commands could be
> embedded into the ISO image. Then you can, after obtaining a live
> image, use the config provided there to rebuild exactly the same
> image.

Including the full config inside the ISO definitely seems like a good
idea, especially as this config is both small and will be compressed.
Still, an external build attestation document will always be needed to
store the output checksums, so I wouldn't worry too much about trying
to include everything within the ISO itself. Indeed, needing to
extract parts of the ISO to recreate it is slightly sub-optimal, if
only because it would require someone to download it first before
attempting to recreate it (rather than just possessing the minuscule
.buildinfo file containing the inputs and output hashes).

Anyway, I *totally* ACK that you were getting this all working first
before moving on... and I hope I didn't come across as "Never Satisfied
Mailing List Guy". Looking forward to seeing what you come up with. :)


Best wishes,

--
      o
    ⬋   ⬊      Chris Lamb
   o     o     reproducible-builds.org 💠
    ⬊   ⬋
      o
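
Added example (not part of the original message or of live-build): a sketch of the kind of external record discussed above, storing the build inputs and the output checksums so that a rebuild can be checked against the small file alone. The JSON layout, field names, file name and sample values are assumptions constructed for illustration.

```python
import hashlib, json, os, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def make_record(inputs, artifact_paths):
    """Serialise the declared inputs plus size and SHA-256 of every output."""
    outputs = {os.path.basename(p): {"size": os.path.getsize(p),
                                     "sha256": sha256_file(p)}
               for p in artifact_paths}
    # "format" and the field names are hypothetical, not an existing spec.
    return json.dumps({"format": "example-image-buildinfo/0",
                       "inputs": inputs, "outputs": outputs},
                      indent=2, sort_keys=True)

def verify_rebuild(record_text, rebuild_inputs, rebuild_paths):
    """Return a list of mismatches; an empty list means the rebuild matches."""
    record, problems = json.loads(record_text), []
    for key, want in sorted(record["inputs"].items()):
        if rebuild_inputs.get(key) != want:
            problems.append(f"input {key}: differs from record")
    found = {os.path.basename(p): p for p in rebuild_paths}
    for name, want in sorted(record["outputs"].items()):
        if name not in found:
            problems.append(f"output {name}: missing from rebuild")
        elif sha256_file(found[name]) != want["sha256"]:
            problems.append(f"output {name}: sha256 differs")
    return problems

def demo():
    # Constructed sample values; the bytes stand in for a real ISO image.
    inputs = {"SOURCE_DATE_EPOCH": "1630000000",
              "lb_config_args": ["--distribution", "bullseye"]}
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for who, data in (("orig", b"ISO-A"), ("same", b"ISO-A"), ("diff", b"ISO-B")):
            os.mkdir(os.path.join(tmp, who))
            paths[who] = os.path.join(tmp, who, "live-image.iso")
            with open(paths[who], "wb") as f:
                f.write(data)
        record = make_record(inputs, [paths["orig"]])
        return (verify_rebuild(record, inputs, [paths["same"]]),
                verify_rebuild(record, inputs, [paths["diff"]]))

if __name__ == "__main__":
    print(demo())
```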



