Irregular status update about reproducible Debian live ISO images -> v2

David A. Wheeler dwheeler at dwheeler.com
Wed Apr 9 15:37:56 UTC 2025



> On Apr 6, 2025, at 10:26 AM, Roland Clobus <rclobus at rclobus.nl> wrote:
> ...
> here is the 26th update of the status for reproducible Debian live ISO images [1], which is an addendum on the 25th update, which caused some discussion.
> 
> Single line summary: all live images build reproducibly from the online Debian archive
> ...
> Not only are the live images generated reproducibly, but their functionality is also tested regularly. Automated tests for sid [5], trixie [6] and bookworm [7] verify that the software inside the images is working as intended, and that the installers (plural!) result in a bootable system.

This is *truly* fantastic. While it's vaguely interesting to reproduce images that people don't actually use (as a lab experiment), what really matters is the sequence of bits that people *use*. Reproducing the live images from the online Debian archive, and even more importantly, using automated tests, is *fantastic*.

> Note however, that the live images might contain:
> * the content of .deb files that could be not built reproducibly themselves
> * binary blobs with their source code missing (especially firmware)

No one effort can do everything. What I'm hoping for is steady progress, and that's definitely the case here.

Is there at least one separate system that *verifies* the reproducible builds? (That is, independently generates the images & verifies that the results are the same.) In the end, what's important is *verified* reproducible builds.

Thanks so much for the delightful news.

--- David A. Wheeler


