Irregular status update about reproducible live-build ISO images

John Gilmore gnu at toad.com
Thu Feb 29 15:47:37 UTC 2024


Roland, thank you for your ongoing work and reporting to make Debian reproducible!

One question:
> * Last month a question was raised, whether the distributed sources
> are sufficient to rebuild the images. The answer is: probably yes, but
> I haven't tried.
> The chain is: source code --compiler--> executable files --debian
> packaging--> .deb archives --live-build--> live images
> I've focused on the last section of this chain; the installation of
> the .deb archives into the live images.

Thank you for focusing on the last part of the chain.  You are very, very close
there!  I am wondering if there is any low-hanging fruit anywhere else in the
chain, that you may have the expertise and time to address.

For example, how does the live-build process decide which binary .deb
archives are selected for inclusion in the live image?  Are these lists
or criteria stored in the source code archives?  If not, can they be put
into the source code archives?

Similarly, are there any other inputs to the live-build process?  Perhaps a
template of a binary ISO image?  Or a binary program that creates a prototype ISO
image, which is run during the live-build process?  I note that when running
jigdo-lite to reproduce a live image, not only is there a set of .deb's that
are copied in, but also a .template file which has the portions of the image
that don't directly come from a .deb file.  Is there an equivalent template
in the live-build process, or where do these nonzero and non-.deb parts of the
resulting live-image come from?  Is there full source code for those?

Also, is there an easy way to start from the set of binary .deb files to
be included in an image, and from each one, produce a list of the source
files (.tar.gz's, Debian control files, patches, etc) that were used to
create it?  If so, you could create a master list of all the source files
that were used to create a particular live-image.  And an automated process
could compare that list of source files to the contents of the matching
"Sources" DVD image, to ensure that all of the required source files are
actually included in the "matching source" DVD.

When a rebuilt image differs in some small way from the original, what
tools do you use to determine what files the differences are in, and
why?  Are these tools to compare a live-image with a rebuilt-live-image
also in the Debian source tree and in the Debian source DVDs?

Being able to do any of these things, and correct any lapses now, before
the next official Debian release, will enable you or anyone to complete
the ultimate job of proving that a source DVD plus a live DVD can fully
reproduce the official live DVD, without access to any network
resources.  (And thus that a live DVD, a source DVD, plus a small set of
patches can verifiably produce a live DVD that includes only the changes
made in that set of patches, and no others.)

Thanks again!

	John
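
The check asked about above (binary .deb list to source list, compared against the source medium) can be sketched as follows; this is an added example, not part of the original message and not live-build or Debian project code. It assumes the inputs are the text of a dpkg status or Packages file and of a Sources index, both in Debian control-file format; the function names and sample stanzas are constructed for illustration.

```python
def parse_stanzas(text):
    """Parse Debian control-file text (dpkg status, Packages, Sources) into dicts."""
    stanzas, cur, key = [], {}, None
    for line in text.splitlines() + [""]:      # trailing "" flushes the last stanza
        if not line.strip():
            stanzas.append(cur)
            cur, key = {}, None
        elif line[0] in " \t" and key:         # continuation of the previous field
            cur[key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            cur[key] = value.strip()
    return [s for s in stanzas if s]           # drop empties from repeated blank lines

def required_sources(binary_text):
    """(source, version) pairs; without a Source field both equal the binary's."""
    needed = set()
    for st in parse_stanzas(binary_text):
        name, _, rest = st.get("Source", st["Package"]).partition(" ")
        needed.add((name, rest.strip("()") or st["Version"]))
    return needed

def audit(binary_text, sources_text):
    """Return (source packages absent from the index, files expected on the medium)."""
    index = {(s["Package"], s["Version"]):
             [l.split()[2] for l in s.get("Files", "").split("\n") if l]
             for s in parse_stanzas(sources_text)}
    needed = required_sources(binary_text)
    files = sorted(f for k in needed & set(index) for f in index[k])
    return sorted(needed - set(index)), files

# Constructed sample input with dummy checksums, not taken from a real image.
STATUS = """Package: libfoo1
Source: foo
Version: 1.2-3

Package: bar
Source: bar (2.0-1)
Version: 2.0-1+b1

Package: baz
Version: 0.9-1"""
SOURCES = """Package: foo
Version: 1.2-3
Files:
 00000000000000000000000000000000 1000 foo_1.2-3.dsc
 00000000000000000000000000000000 2000 foo_1.2.orig.tar.gz"""
if __name__ == "__main__":
    print(audit(STATUS, SOURCES))
```

The `bar` stanza is the binNMU case, where the binary version (`2.0-1+b1`) differs from the source version named in the `Source` field; sources referenced only through `Built-Using` are not covered by this sketch.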

