Irregular status update about reproducible Debian live ISO images -> v2

Roland Clobus rclobus at rclobus.nl
Sun Apr 6 14:26:06 UTC 2025


Hello list,

here is the 26th update of the status for reproducible Debian live ISO 
images [1], which is an addendum to the 25th update, which caused some 
discussion.

Single line summary: all live images build reproducibly from the online 
Debian archive

For a while it has been possible to have a reproducible build [1] of the 
unofficial live images for Debian [2]. With the point release of 
bookworm 12.10, the official live images [3] are reproducible as well.

This provides certainty that the official distributed live images are 
genuine and have not been tampered with.

Technical instructions about how to verify the images yourself are in 
the Debian Wiki [4].

Not only are the live images generated reproducibly, but their 
functionality is also tested regularly. Automated tests for sid [5], 
trixie [6] and bookworm [7] verify that the software inside the images 
is working as intended, and that the installers (plural!) result in a 
bootable system.

Over the course of many years, many issues were fixed:
* Many, many timestamps
* Embedded random numbers
* Random order within files due to e.g. hashes in Perl, Python, Lua
* Unstable sorting due to too short sorting keys
* Order of files on the file system
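As an added illustration that is not part of the original mail or of live-build, the following shell script reproduces two of the causes listed above in a miniature "build" (file-system order and timestamps) next to the fixes normally applied: list files under LC_ALL=C sort instead of in find(1) order, and take the build timestamp from SOURCE_DATE_EPOCH instead of the clock. The directory layout and the manifest format are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the mail or from live-build): a miniature
# "image build" that digests a directory tree.  The naive variant is
# non-reproducible for two of the reasons listed in the mail; the
# second variant applies the usual fixes.
set -eu

# Naive build: records files in whatever order find(1) returns them
# (file-system dependent) and stamps the build with the current time.
# Prints the SHA-256 of the resulting manifest.
build_manifest_naive() {
    dir="$1"
    (
        cd "$dir"
        echo "built: $(date +%s)"
        find . -type f | while read -r f; do sha256sum "$f"; done
    ) | sha256sum | cut -d' ' -f1
}

# Reproducible build: the file list is sorted in byte order under a
# fixed locale (LC_ALL=C) so the result does not depend on the file
# system or on the builder's locale, and the timestamp is pinned to
# SOURCE_DATE_EPOCH (defaulting to 0 here for the example).
build_manifest_repro() {
    dir="$1"
    (
        cd "$dir"
        echo "built: ${SOURCE_DATE_EPOCH:-0}"
        find . -type f | LC_ALL=C sort | while read -r f; do sha256sum "$f"; done
    ) | sha256sum | cut -d' ' -f1
}

# Constructed sample tree for a stand-alone run: same content, files
# created in different order in two directories.
make_sample_trees() {
    base="$1"
    mkdir -p "$base/a/etc" "$base/b/etc"
    printf 'hostname=live\n' > "$base/a/etc/hosts"
    printf 'root:x:0:0\n'    > "$base/a/etc/passwd"
    printf 'root:x:0:0\n'    > "$base/b/etc/passwd"
    printf 'hostname=live\n' > "$base/b/etc/hosts"
}
```

Running build_manifest_repro on both trees yields the same digest; the naive variant changes from one second to the next even for identical input, which is exactly the class of difference the live-image work had to hunt down.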

Reproducible status:
* All major desktops build reproducibly with bullseye, bookworm, trixie ...
** ... provided they are built for a second time within the same archive 
synchronisation (i.e. 6 hours)
* All official Debian 12.10 bookworm live images build reproducibly ...
** ... provided they are built during the lifetime of 12.10 (after the 
point release 12.11 planned for 2025-05, they cannot be rebuilt any more 
with the current tooling)

According to the definition [8] the live images are reproducible, given 
that the author (me) states:
* The source: the online Debian archive consisting of .deb files and 
corresponding metadata
* The build environment: A Debian installation of either bookworm or 
testing with the rebuild.sh script from [9] matching the sha256sum of 
the official images (see their .disk/generator file) and the tool 
live-build installed
* The build instructions: See [4], i.e. using the same command line 
options to rebuild.sh as in .disk/generator
* The artifact: the ISO file
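The comparison that closes the loop on the artifact, as an added example that is not part of the original mail and not the live-build project's own tooling: check the downloaded official ISO against the published SHA256SUMS list and then compare it bit for bit with a local rebuild made as described in [4]. File names and paths are assumptions; the rebuild itself is assumed to have been done already.

```shell
#!/bin/sh
# Added example (not from the mail or from live-build): verify an official
# live ISO against the SHA256SUMS list and compare it with a local rebuild.
set -eu

# Hex SHA-256 of a file, nothing else.
iso_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Check an ISO against a SHA256SUMS file in the Debian format
# ("<hash>  <filename>" per line).  The ISO's basename is the lookup key,
# so the download directory does not matter.  Returns 0 on match.
check_against_sums() {
    iso="$1"; sums="$2"
    expected=$(awk -v f="$(basename "$iso")" '$2 == f { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $(basename "$iso") in $sums" >&2; return 1; }
    actual=$(iso_sha256 "$iso")
    [ "$expected" = "$actual" ]
}

# The SHA256SUMS file on the Debian CD image server ships with a detached
# OpenPGP signature (SHA256SUMS.sign).  Verify it before trusting the list;
# this needs the Debian CD signing key in the local keyring.
verify_sums_signature() {
    sums="$1"
    command -v gpg >/dev/null || { echo "gpg not installed" >&2; return 1; }
    gpg --verify "$sums.sign" "$sums"
}

# Compare the official image with a local rebuild.  Identical hashes mean
# the artifact is reproducible from the stated source, environment and
# instructions; anything else needs diffoscope-style investigation.
compare_rebuild() {
    official="$1"; rebuilt="$2"
    a=$(iso_sha256 "$official"); b=$(iso_sha256 "$rebuilt")
    if [ "$a" = "$b" ]; then
        echo "REPRODUCIBLE: $a"
        return 0
    fi
    echo "MISMATCH: official $a, rebuilt $b" >&2
    return 1
}
```

Typical use is `check_against_sums debian-live-12.10.0-amd64-xfce.iso SHA256SUMS` after `verify_sums_signature SHA256SUMS`, followed by `compare_rebuild debian-live-12.10.0-amd64-xfce.iso rebuilt.iso`; the file names here are constructed for the example.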

Note, however, that the live images might contain:
* the content of .deb files that might not have been built reproducibly themselves
* binary blobs with their source code missing (especially firmware)

Fixing that kind of content is out-of-scope for this endeavour.

Work to be done:
* See the TODO page [10]

With kind regards,
Roland Clobus

[1] https://reproducible-builds.org/
[2] https://jenkins.debian.net/view/live/
[3] https://cdimage.debian.org/cdimage/release/current-live/amd64/iso-hybrid/
[4] https://wiki.debian.org/ReproducibleInstalls/LiveImages
[5] https://openqa.debian.net/group_overview/17
[6] https://openqa.debian.net/group_overview/18
[7] https://openqa.debian.net/group_overview/19
[8] https://reproducible-builds.org/docs/definition/
[9] https://salsa.debian.org/live-team/live-build/-/tree/master/test?ref_type=heads
[10] https://wiki.debian.org/DebianLive/TODO