"Reproducible build" definition in OpenSSF glossary

Thomas Schmitt scdbackup at gmx.net
Wed Apr 23 11:17:56 UTC 2025


Hi,

Samuel Tyler wrote:
> I'm uncertain that the definition as it stands provides any clarity around
> the work on the Debian ISO images in making them reproducible from binary
> packages

My 2 cents as developer of xorriso which packs up most of Debian's
ISOs.

xorriso supports reproducibility of its results by avoiding producing
pseudo-random data or using the current time, if SOURCE_DATE_EPOCH is set.
As developer i have in mind that changing details of result generation
has an impact on reproducibility. So i don't make such changes
lightheartedly. Nevertheless, bug fixes and new features sometimes make
it unavoidable to break reproducibility of results towards a previous
version of xorriso.

I am currently not aware of changes which would affect a Debian ISO.
But there is a certain risk. Example:
Recently i fixed a problem with symbolic link targets which end by
a single slash. Such a link file in an ISO would cause reproducibility
problems between xorriso-1.5.6 and upcoming release 1.5.8.

So, as far as installation ISOs are concerned, they are surely
reproducible only if you use the same version of xorriso as was used
for the original ISO image. They may well be reproducible with older
or newer versions, but that is not guaranteed.

So the producers of reproducible ISOs should in any case record and
publish the exact version of xorriso and its underlying libraries
libburn, libisofs, and libisoburn.

-----------------------------------------------------------------------

Practical exercise:

"debian-cd" allows xorriso to advertise itself in Volume Descriptor
property "Preparer Id". Inquire it by xorriso command -pvd_info. E.g.:

  xorriso -indev debian-12.7.0-amd64-netinst.iso -pvd_info \
     2>&1 | grep XORRISO

to get e.g.:

   Preparer Id  : XORRISO-1.5.2 2019.10.26.180001, LIBISOBURN-1.5.2, LIBISOFS-1.5.2, LIBBURN-1.5.2
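As an added example (not part of this mail and not xorriso project code), the following Python script reads the same information without a xorriso binary at hand: it walks the ISO 9660 volume descriptor set, pulls Preparer Id and Application Id out of the Primary Volume Descriptor, parses the XORRISO/LIBISOBURN/LIBISOFS/LIBBURN versions, and checks that the volume creation and modification timestamps equal a given SOURCE_DATE_EPOCH. Field offsets follow ECMA-119; the embedded sample image, its Application Id "DEBIAN LIVE" and the epoch value are constructed for the demo, while the Preparer Id string is the one quoted from the netinst ISO above.

```python
"""Read reproducibility-relevant fields from an ISO 9660 Primary Volume Descriptor.

Added example, not xorriso code. Offsets follow ECMA-119 (ISO 9660); the sample
image built at the bottom is constructed for the demo.
"""
import datetime
import re
import struct
import sys

SECTOR = 2048
VD_START = 16 * SECTOR  # sectors 0-15 are the system area (boot code etc.)

# (offset, length) of the PVD fields of interest, 0-based within the 2048-byte descriptor
FIELDS = {
    "system_id": (8, 32),
    "volume_id": (40, 32),
    "publisher_id": (318, 128),
    "preparer_id": (446, 128),     # xorriso advertises itself here when allowed to
    "application_id": (574, 128),  # live-build writes "DEBIAN LIVE" here
}
CREATION_DATE, MODIFICATION_DATE = 813, 830  # 17-byte date fields

VERSION_RE = re.compile(r"\b(XORRISO|LIBISOBURN|LIBISOFS|LIBBURN)-(\d+\.\d+\.\d+)")


def _a_chars(desc: bytes, off: int, length: int) -> str:
    """Decode a space-padded ASCII identifier field."""
    return desc[off:off + length].decode("ascii", "replace").rstrip(" \x00")


def decode_vd_datetime(raw: bytes):
    """Decode a 17-byte descriptor date: 16 ASCII digits YYYYMMDDHHMMSScc plus one
    signed byte giving the offset from GMT in 15-minute steps. All zeros = unset."""
    digits = raw[:16].decode("ascii", "replace")
    if not digits.isdigit() or digits == "0" * 16:
        return None
    tz_quarters = struct.unpack("b", raw[16:17])[0]
    when = datetime.datetime.strptime(digits[:14], "%Y%m%d%H%M%S")
    tz = datetime.timezone(datetime.timedelta(minutes=15 * tz_quarters))
    return when.replace(microsecond=int(digits[14:16]) * 10_000, tzinfo=tz)


def parse_pvd(image: bytes) -> dict:
    """Walk the volume descriptor set from sector 16 until the terminator (type 255)
    and return the fields of the Primary Volume Descriptor (type 1)."""
    off = VD_START
    while off + SECTOR <= len(image):
        desc = image[off:off + SECTOR]
        if desc[1:6] != b"CD001":
            raise ValueError(f"no ISO 9660 descriptor at offset {off:#x}")
        if desc[0] == 255:
            break
        if desc[0] == 1:
            info = {name: _a_chars(desc, o, n) for name, (o, n) in FIELDS.items()}
            info["created"] = decode_vd_datetime(desc[CREATION_DATE:CREATION_DATE + 17])
            info["modified"] = decode_vd_datetime(desc[MODIFICATION_DATE:MODIFICATION_DATE + 17])
            return info
        off += SECTOR
    raise ValueError("primary volume descriptor not found")


def xorriso_versions(text: str) -> dict:
    """Pull XORRISO/LIBISOBURN/LIBISOFS/LIBBURN versions out of an identifier string."""
    return dict(VERSION_RE.findall(text))


def check_metadata(image: bytes, source_date_epoch: int) -> dict:
    """Does the image record its toolchain, and do its PVD timestamps match the
    SOURCE_DATE_EPOCH the build claims to have used?"""
    pvd = parse_pvd(image)
    versions = xorriso_versions(pvd["preparer_id"]) or xorriso_versions(pvd["application_id"])
    stamps = (pvd["created"], pvd["modified"])
    return {
        "versions": versions,
        "toolchain_recorded": "XORRISO" in versions,
        "timestamps_match_epoch": all(
            s is not None and int(s.timestamp()) == source_date_epoch for s in stamps),
    }


def build_sample_image(preparer: str, application: str, epoch: int) -> bytes:
    """Construct a minimal image: empty system area, one PVD, one terminator."""
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    for (off, length), value in ((FIELDS["system_id"], "LINUX"), (FIELDS["volume_id"], "SAMPLE"),
                                 (FIELDS["preparer_id"], preparer),
                                 (FIELDS["application_id"], application)):
        pvd[off:off + length] = value.encode("ascii").ljust(length)
    stamp = datetime.datetime.fromtimestamp(epoch, datetime.timezone.utc).strftime("%Y%m%d%H%M%S00")
    pvd[813:830] = pvd[830:847] = stamp.encode("ascii") + b"\x00"  # tz byte 0 = GMT
    terminator = bytearray(SECTOR)
    terminator[0], terminator[1:6], terminator[6] = 255, b"CD001", 1
    return bytes(VD_START) + bytes(pvd) + bytes(terminator)


# Preparer Id as quoted from the netinst ISO; Application Id and epoch are constructed.
SAMPLE_PREPARER = "XORRISO-1.5.2 2019.10.26.180001, LIBISOBURN-1.5.2, LIBISOFS-1.5.2, LIBBURN-1.5.2"
SAMPLE_EPOCH = 1724000000
SAMPLE_IMAGE = build_sample_image(SAMPLE_PREPARER, "DEBIAN LIVE", SAMPLE_EPOCH)

if __name__ == "__main__":
    # usage: script.py [image.iso [SOURCE_DATE_EPOCH]]; defaults to the constructed sample
    data = open(sys.argv[1], "rb").read(64 * SECTOR) if len(sys.argv) > 1 else SAMPLE_IMAGE
    epoch = int(sys.argv[2]) if len(sys.argv) > 2 else SAMPLE_EPOCH
    for key, value in parse_pvd(data).items():
        print(f"{key:15}: {value}")
    print(check_metadata(data, epoch))
```

Run against a real image with the epoch the build log claims; a mismatch between the PVD dates and SOURCE_DATE_EPOCH, or a Preparer Id without a XORRISO version, are exactly the gaps the mail describes as making an ISO hard to rebuild later.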

Now it would become complicated because you'd have to install
libburn.so, libisofs.so, libisoburn.so, and /usr/bin/xorriso from
e.g. Debian 11 to get this version.
But the GNU xorriso tarballs make it easier. Get the matching one from
a mirror like
  https://ftp.gnu.org/gnu/xorriso/
If there are multiple tarballs of the same version, like
  xorriso-1.5.4.tar.gz
  xorriso-1.5.4.pl01.tar.gz
  xorriso-1.5.4.pl02.tar.gz
then use the one with the highest .pl number.
The .so libraries used by the distros are supposed to be equivalent to
the tarball with highest .pl. (Patch levels are a result of my
clumsiness at release time or theoretically of severe bugs which need
to be fixed immediately. Hopefully i will remember to inform rb-general
if an in-release bug fix would ever affect reproducibility of ISOs.)

Well, release 1.5.2 was a lucky one. You would download
  https://ftp.gnu.org/gnu/xorriso/xorriso-1.5.2.tar.gz
and read its README file for the rather simple build instructions.
Installation is not necessary. Just use the binary
  "$unpack_directory"/xorriso-1.5.2/xorriso/xorriso
where unpack_directory is the directory where you unpacked the tarball.

(Building GNU is supposed to be reproducible itself, if the environment
does not cause unwanted changes.)

Of course many other factors influence the reproducible production
of a Debian ISO. One will have to get the appropriate versions of
packages "debian-cd" or "live-build" and their dependencies.

-----------------------------------------------------------------------

> clearly they have some status - but should they be called
> "reproducible", or something else?

For "live-build" there is
  https://wiki.debian.org/ReproducibleInstalls/LiveImages
saying:
  Status
  Bookworm: All official images are reproducible (the live-build stage)
  Trixie: All unofficial images are reproducible (the live-build stage) 

But the xorriso version is not recorded in "Preparer Id" or
alternatively in "Application Id" of
  debian-live-12.0.0-amd64-standard.iso
"live-build" puts its own version string into Preparer Id and the rather
redundant text "DEBIAN LIVE" into "Application Id".

One could replace Application Id "DEBIAN LIVE" by the xorriso version
by replacing in the -as mkisofs run of live-build
  -A "Debian Live"
by
  -A '@xorriso@'

Or one could put the output of
  xorriso -version
into a file in the /.disk directory of the ISO.


Have a nice day :)

Thomas
