Seventh status update about reproducible live-build ISO images in Jenkins

Roland Clobus rclobus at rclobus.nl
Tue Feb 22 10:16:17 UTC 2022 

Hello lists,

here is the seventh update of the status for reproducible live-build ISO 
images [1].

Reproducible status:
* All major desktops build reproducibly with bullseye, bookworm and sid ...
** ... except for Cinnamon on bookworm and sid

New and changed:
* live-build now reports a git hash number when a git version is used [2][3]
** Together with the timestamp of the (snapshot) repository, this 
generates a unique identifier for reproducing the ISO image
* First steps with openQA to walk through every single boot menu entry [4]
** This will test the functionality of the reproducible ISO images, and 
helps to find issues early
*** e.g. kernel module mismatch in the Debian Installer
** This procedure will be easily extended to other images, e.g. the 
netinst image
* Pending: Jenkins reports the sha256sum of the reproducible image [5]
** You will be able to verify whether a local build is identical to the 
build by Jenkins
* Question on the mailing list: Should the live images be generated 
again? [6]

Patch available but not released yet:
* libxmlb used a pointer address (%p) for a hash value. Upstream [7] has 
been fixed
* texlive-base: Reported differences in the generated ls-R [8]

Future plans/ideas:
* texlive-base: More sources for non-reproducibility are noted in the 
Wiki page [1]
** Only the Cinnamon desktop is affected, starting with bookworm
* Recording the configuration used by live-build
** Next step: test some scenarios and write a proposal
* Reprotest might be used instead of just 2 builds without a short time 
frame, to capture more variations
* Use disorderfs
* Long term: When live-build images are working fine, the work could be 
extended to other images, e.g. the netinst images or perhaps even Docker 
images
* Transfer the special features of the (now disabled) live-wrapper live 
images to live-build

With kind regards,
Roland Clobus

[1] https://wiki.debian.org/ReproducibleInstalls/LiveImages
[2] https://salsa.debian.org/live-team/live-build/-/merge_requests/273
[3] Pending merge for Jenkins: 45721776e008469b28ca4310b0cb6413466397c4
[4] 
https://salsa.debian.org/qa/openqa/openqa-tests-debian/-/merge_requests/2
[5] Pending merge for Jenkins: 071a80ff4f28e019e1067be72058106478ed4624
[6] https://lists.debian.org/debian-live/2022/02/msg00000.html
[7] https://github.com/hughsie/libxmlb/issues/110
[8] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003449
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20220222/f64d62d3/attachment.sig>

More information about the rb-general mailing list