Irregular status update about reproducible live-build ISO images

Roland Clobus rclobus at rclobus.nl
Wed Jul 5 10:22:06 UTC 2023


On 04/07/2023 22:32, Vagrant Cascadian wrote:
> On 2023-07-04, David A. Wheeler wrote:
>>> On Jul 2, 2023, at 11:37 AM, Roland Clobus <rclobus at rclobus.nl> wrote:
>>> Reproducible status:
>>> * All major desktops build reproducibly with bullseye, bookworm, trixie and sid

>> How close are things to having the *released* versions of the
>> Debian live images & (main) packages reproducible?
>> I can't tell if this means "it's possible to create reproducible builds" or
>> "the packages people are using are the reproducible builds".
>> Sorry if this is obvious to everyone else.
> 
> My understanding is the live images themselves are bit-for-bit
> reproducible, with the inputs being the actual .deb packages from the
> debian archive. The individual .deb packages might not neccesarily be
> independently reproducible when built from source.

Indeed.
The live ISO images are constructed two times within the same DAK run 
(which synchronises the Debian archive every six hours). The resulting 
ISO images are verified by Jenkins [1] to be bit-for-bit identical.
Even though the individual package might not be reproducible from 
source, the live images (which use the prebuilt packages) are.

Because the images are generated from the current state of the Debian 
archive, and not from a snapshotted state [2], I have a pending task to 
see how this can be mapped.

With kind regards,
Roland Clobus

[1] https://jenkins.debian.net/view/live/
[2] https://snapshot.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20230705/a4b12c97/attachment.sig>


More information about the rb-general mailing list