Questions about report 22

Roland Clobus rclobus at rclobus.nl
Fri Feb 2 18:50:32 UTC 2024 

Reply to the lists (after confirmation that it's OK to do so)

On 29/01/2024 23:02, John Gilmore wrote:
> Hello Roland,
> 
> Congratulations on the amazing progress that you have made with the
> reproducibility of the Debian Live images.

Thanks! It has been a long road already :-)

> Two things for me are missing from your update.  One may just be
> improving a simple explanation.  Plus I have a question.
> 
> Roland Clobus <rclobus at rclobus.nl> wrote:
>> Reproducible status:
>> * All major desktops build reproducibly with bullseye, bookworm,
>> trixie and sid ...
>> ** ... provided they are built for a second time within the same DAK
>> run (i.e. 6 hours)
>> * All major desktops built reproducibly for the official Debian live
>> images for bookworm (12.4.0) at any later moment ...
>> ** ... except for KDE
> 
> When you say, "all major desktops build reproducibly", do you mean
> that the results are identical to the Debian Live builds that ordinary
> people are downloading to install Debian?  E.g. from:
> 
>    https://www.debian.org/CD/live/
> 
> Or do you mean that some unique Debian Live builds that you personally
> make, but that nobody else downloads, are reproducible when compared
> with themselves?

You can download the images from the official location
https://get.debian.org/images/release/current-live/amd64/iso-hybrid/

And then 7 out of 8 are reproducible. (Which leaves KDE at the moment)

Steps how to do so are documented in the Wiki page (link 1 on my 
original mail)
https://wiki.debian.org/ReproducibleInstalls/LiveImages

> If the actual end-user Debian Live builds have become (97.7%) reproducible,
> then this is much bigger and better news.  But you did not make this
> clear in your update.

Statistics are a lie :-)
97.7% of all images that I monitor are reproducible (when certain 
conditions are met)
87.5% (7 out of 8) of the officially released live images are 
reproducible when building from a Bookworm VM

> Second thing:  Can these Debian Live images be readily reproduced from
> their own bootable image plus their matching Source DVD images?
> Or, does reproducing them require access to some remote server(s)
> elsewhere on the Internet, which means they won't reproduce if that
> server is ever down, compromised, or its owners fail?

You'll need access to the Debian repository online. The sources for each 
Debian package are available, but as a source tarball, not as .deb files.

As an idea, it would be nice to have a tarball containing all .deb files 
(and related files), which could function as an offline local repository.
The configuration files for running the live-build script (which are 
generated on the fly by a shell script) are not published, but the shell 
script is.

> The gold standard for reproducible builds is that they are reproducible
> FROM THEIR OWN SOURCE RELEASE.  If your scripts test this, then anybody
> who downloads the full source release plus the matching Debian Live CD
> image can disconnect their machine from the Internet, install the Live
> CD image on bare hardware, and then do a full rebuild and re-verify, not
> depending on anything else in the universe except a bit of electricity.

At this moment, you'll need Internet access, pointing to static (at 
least until the next point release) files. However, I've taken care to 
do time-travelling in the git repositories containing the scripts, to 
ensure that you'll be using the same versions of the scripts at the time 
of the release of the images.

> If your scripts don't test for this, then the release is not fully
> reproducible, since it depends on external inputs that are not part of
> the source release.  (For example -- if your rebuild scripts and
> verification scripts are not actually in the source release and thus
> have to be downloaded from somewhere!)

Then I'll have a third metric:
0% of all live images are reproducible given these conditions

> Here's the bonus question:
> 
>> Functionality status:
>> * The sid images are affected by #1051607 (Calamares installation on
>> UEFI Secure Boot systems fails to boot after installation)
>> * The sid images occasionally report missing installation media, when
>> booting from USB in UEFI non-secure boot systems (#1054325)
>> * The testing images have an issue in the installer, it attempts to
>> use a static IP-address instead of using DHCP. MR is prepared [2]
> 
> Are you saying that the images that you are building are identical
> with the public, downloadable Debian Live images -- but the public,
> downloadable Debian Live images have these three problems?  If true,
> why do you bother noting it?  Every release has bugs, if you reproduce
> the release, the reproduced release will have bugs.

I'm cross-posting the reproducible builds mailing list and the live 
mailing list, since there is a huge overlap. By mentioning my progress 
for both types of work, I'm saving myself writing 2 mails which would be 
largely identical.

> If the problems you report are unique to your reproducible images, then
> I don't understand how your reproducible images could be identical to
> other images yet have different problems when booted.  Please explain
> better (in your public updates on your project).

The runtime environment (UEFI/BIOS) influences how the images are 
'executed', so I actually see different behaviour in openQA.
For my next report I'll try to elaborate a bit more.

> And -- congratulations again!
> 
> 	John Gilmore

With kind regards,
Roland Clobus

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20240202/f57244b4/attachment.sig>

More information about the rb-general mailing list