Arch Linux minimal container userland 100% reproducible - now what?

John Gilmore gnu at toad.com
Fri Mar 29 05:48:32 UTC 2024


John Gilmore <gnu at toad.com> wrote:
> It seems to me that the next step in making the Arch release ISOs
> reproducible is to have the Arch release engineering team create a
> source-code release ISO that matches each binary release ISO.  Then you
> (or anyone) could test the reproducibility of the release by having
> merely those two ISO images and a bare amd64 computer (without even an
> Internet connection).

kpcyrd <kpcyrd at archlinux.org> wrote:
> I think this falls under "bootstrappable builds", a bare amd64 computer 
> still needs something to boot into (a CD with only source code won't do 
> the trick).

Bootstrappable builds are a different thing.  Worthwhile, but not
what I was asking for.  I just wanted provable reproducibility from two
ISO images and nothing more.

I was asking that a bare amd64 be able to boot from an Arch Linux
*binary* ISO image.  And then be fed a matching Arch Linux *source* ISO
image.  And that the scripts in the source image would be able to
reproduce the binary image from its source code, running the binaries
(like the kernel, shell, and compiler) from the binary ISO image to do
the rebuilds (without Internet access).

This should be much simpler than doing a bootstrap from bare metal
*without* a binary ISO image.

And if your source/binary ISO images can do that, it's not just an
academic exercise in reproducibility.  It can also produce a new binary
ISO that is built from that source ISO plus a few patches (e.g. for
fixing security issues).  Or, it can "recompile-the-world" after you (or
any user) make a small change to a kernel, include file, library, or
compiler -- and show exactly how many programs compile to something
*different* as a result.  Basically, that pair of ISOs becomes a seed
that can carry forward, or fork, the whole distribution.  For anybody
who receives them.  That is the promise of free software, but the
complexity of modern distros plus the convenience of ubiquitous
Internet have inadvertently tended to undermine that promise.  Until
the reproducible builds effort!

If someday an Electromagnetic Pulse weapon destroys all the running
computers, we'd like to bootstrap the whole industry up again, without
breadboarding 8-bit micros and manually toggling in programs.  Instead,
a chip foundry can take these two ISOs and a bare laptop out of a locked
fire-safe, reboot the (Arch Linux) world from them, and then use that
Linux machine to control the chip-making and chip-testing machines that
can make more high-function chips.  (This would depend on the
chip-makers keeping good offline fireproof backups of their own
application software -- but even if they had that, they can't reboot and
maintain the chip foundry without working source code for their
controller's OS.)

	John
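
An added example, not part of the message above and not Arch Linux tooling: one way to do the comparison step it describes, reporting how many rebuilt files differ from the shipped ones. It assumes both images have already been extracted to directories; the function names and the sample file trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(original, rebuilt):
    """Classify every artifact as identical, different, missing or extra."""
    a, b = hash_tree(original), hash_tree(rebuilt)
    common = a.keys() & b.keys()
    return {
        "identical": sorted(p for p in common if a[p] == b[p]),
        "different": sorted(p for p in common if a[p] != b[p]),
        "missing": sorted(a.keys() - b.keys()),  # shipped but not rebuilt
        "extra": sorted(b.keys() - a.keys()),    # rebuilt but never shipped
    }


def demo():
    """Constructed sample: two tiny trees standing in for extracted image contents."""
    shipped_files = {"usr/bin/sh": b"sh-1", "usr/lib/libc.so": b"libc-1",
                     "boot/vmlinuz": b"kernel-1"}
    rebuilt_files = {"usr/bin/sh": b"sh-1", "usr/lib/libc.so": b"libc-1+patch",
                     "usr/bin/new": b"new-1"}
    with tempfile.TemporaryDirectory() as tmp:
        shipped, rebuilt = Path(tmp, "shipped"), Path(tmp, "rebuilt")
        for tree, files in ((shipped, shipped_files), (rebuilt, rebuilt_files)):
            for rel, data in files.items():
                (tree / rel).parent.mkdir(parents=True, exist_ok=True)
                (tree / rel).write_bytes(data)
        return compare_trees(shipped, rebuilt)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {len(paths)} {paths}")
```

A fully reproducible rebuild leaves the "different", "missing" and "extra" lists empty; after a deliberate patch, the "different" list is the set of files the change actually reached.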
	

