Irregular status update about reproducible Debian live ISO images

Ian Kelling iank at fsf.org
Thu Mar 27 05:52:47 UTC 2025


On Wed, Mar 19, 2025 at 06:20:31PM +0100, Roland Clobus wrote:
> Single line summary: 100% reproducible live images for bookworm

Unfortunately, this isn't quite right. Currently, bookworm live images
contain 10 nonreproducible packages. The problem is that Debian
distributes binaries that it didn't build, and afaik it doesn't have a
copy of the source code required to build them. They are in the
non-free-firmware component of the Debian archive and are:

amd64-microcode
atmel-firmware
bluez-firmware
dahdi-firmware
firmware-ast
firmware-nonfree
firmware-sof
intel-microcode
rtl8723bt-firmware
zd1211-firmware

The obvious final step in order to create some 100% reproducible live
images is for Debian to build some live-images which don't include those
packages. It would also be worth contacting the original developers of
those binaries and asking for the source code on behalf of Debian.

Note: there might be fewer than 10 packages for some architectures; I just
checked the source packages at
https://get.debian.org/images/release/current-live/source/tar/debian-live-12.10.0-source-standard.contents
against http://ftp.us.debian.org/debian/pool/non-free-firmware.

Note: for an example of Debian-based live-images where every package has
free corresponding source code, see Debian 11 and earlier images or
https://trisquel.info/.

Note: a relevant link is
https://reproducible-builds.org/docs/definition/ .


-- 
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7  DF8F 170A F0E2 9542 95DF
Support free software, support the FSF: https://donate.fsf.org
https://fsf.org | https://gnu.org


More information about the rb-general mailing list