Irregular status update about reproducible Debian live ISO images
Vagrant Cascadian
vagrant at reproducible-builds.org
Thu Mar 27 17:50:29 UTC 2025
On 2025-03-27, Ian Kelling wrote:
> On Wed, Mar 19, 2025 at 06:20:31PM +0100, Roland Clobus wrote:
>> Single line summary: 100% reproducible live images for bookworm
>
> Unfortunately, this isn't quite right. Currently, bookworm live images
> contain 10 nonreproducible packages. The problem is that Debian
> distributes binaries that it didn't build, and afaik it doesn't have a
> copy of the source code required to build them.
As you point out, some of those .deb packages may not be buildable from
source (due to not having the source and/or permission to build from
source), and probably several other packages are not themselves
reproducible (though can be built from source, at least!):
https://tests.reproducible-builds.org/debian/unstable/amd64/pkg_set_gnome.html
https://tests.reproducible-builds.org/debian/unstable/amd64/pkg_set_kde.html
https://tests.reproducible-builds.org/debian/unstable/amd64/pkg_set_xfce.html
https://tests.reproducible-builds.org/debian/unstable/amd64/pkg_set_mate.html
Similarly, Tails, which produces a Debian-based live image, has some
unreproducible packages:
https://tests.reproducible-builds.org/debian/unstable/amd64/pkg_set_tails.html
These are all showing about 94-95% reproducibility just now, so probably a
few other packages are also on the various live images that are not
reproducible.
So yes, the live images may not be reproducible builds all the way
down... but the live images are reproducible, in the sense that you can
build them from all of the various inputs which are .deb files.
Obviously, if all the .deb files themselves were built fully from source
and reproducible, this would be ideal. A much stronger foundation would
be to actually independently rebuild each and every package from source,
compare the checksums against the package in Debian proper, and then
build a live image from those packages.
A stronger foundation yet would be to independently bootstrap the entire
toolchain and bit-for-bit recursively (re)build every package in Debian
(have fun with recursive dependency loops!) producing a fork of Debian
as the packages would not be the same as Debian, so then you would have
to independently verify those results because Debian is no longer the
reference baseline... is it even free software if you cannot prove it,
after all... and build on independently verified and bootstrapped
hardware, while you are at it... which is to say, there is always
another layer...
Someone can check out the source code to build the live images, create a
sufficiently similar build environment (maybe needing to use
snapshot.debian.org to avoid package version drift), and follow the
instructions to get bit-for-bit identical live images, without
independently verifying every .deb contained in the image itself. Huzzah!
live well,
vagrant
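The "compare the checksums against the package in Debian proper" step from the message above, as an added example that is not part of this thread or of Debian's own tooling: it parses a Packages-index fragment and reports, for each .deb cached on an image, whether its version and bytes match what the archive publishes. Every package name, version and .deb payload here is constructed for the example.

```python
import hashlib

# Constructed stand-ins for the .deb files cached on a live image (not real packages).
IMAGE_CACHE = {  # package: (version, deb bytes)
    "hello": ("1.0-1", b"!<arch>\nhello (constructed)\n"),
    "libfoo": ("3.2-4", b"!<arch>\nlibfoo, altered copy (constructed)\n"),
    "bar": ("2.1-1", b"!<arch>\nbar (constructed)\n"),
    "vendor-blob": ("0.9", b"!<arch>\nopaque binary (constructed)\n"),
}

# Constructed Packages-index fragment in the archive's stanza format: hello matches the
# cache, libfoo has different bytes, bar exists only as a newer version, vendor-blob is absent.
PACKAGES_INDEX = f"""Package: hello
Version: 1.0-1
SHA256: {hashlib.sha256(IMAGE_CACHE['hello'][1]).hexdigest()}

Package: libfoo
Version: 3.2-4
SHA256: {hashlib.sha256(b'libfoo as Debian published it (constructed)').hexdigest()}

Package: bar
Version: 2.2-1
SHA256: {hashlib.sha256(IMAGE_CACHE['bar'][1]).hexdigest()}
"""

def parse_packages_index(text):
    """Return {package: (version, sha256)} from blank-line-separated stanzas."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in stanza.splitlines()
                 if not line[:1].isspace())  # skip folded continuation lines
        fields = {k.strip(): v.strip() for k, _, v in pairs}
        if {"Package", "Version", "SHA256"} <= fields.keys():
            index[fields["Package"]] = (fields["Version"], fields["SHA256"].lower())
    return index

def verify_image_debs(image_debs, index):
    """Status per cached .deb: ok, mismatch, version-drift or not-in-archive."""
    report = {}
    for name, (version, blob) in image_debs.items():
        if name not in index:
            report[name] = "not-in-archive"  # nothing in this index to compare against
        elif version != index[name][0]:
            report[name] = "version-drift"  # pin the archive state via snapshot.debian.org
        elif hashlib.sha256(blob).hexdigest() != index[name][1]:
            report[name] = "mismatch"  # same version, different bytes: investigate
        else:
            report[name] = "ok"
    return report

def demo():
    return verify_image_debs(IMAGE_CACHE, parse_packages_index(PACKAGES_INDEX))
```

A "mismatch" is the case worth chasing: the image carries bytes that differ from what the archive says it ships for that exact version, whereas "version-drift" is usually just a moving archive that a snapshot.debian.org pin removes.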