Irregular status update about reproducible Debian live ISO images

Simon Josefsson simon at josefsson.org
Thu Mar 27 19:41:10 UTC 2025


Vagrant Cascadian <vagrant at reproducible-builds.org> writes:

> So yes, the live images may not be reproducible builds all the way
> down... but the live images are reproducible, in the sense that you can
> build them from all of the various inputs which are .deb files.

It is great that live images are reproducible from binary *.deb's!

I agree with Ian that claiming that the live images are 100%
reproducible is not describing the entire picture, as long as they
contain non-free firmware that we cannot rebuild from source code.

I believe the definition of Reproducible Builds has changed over time; I
believe it initially was about rebuilding bit-by-bit identical outputs
from freely licensed source code.  My perception is that some don't
care about that property any more, and are content with rebuilding from
source-like artifacts which may themselves be binaries.  Otherwise I
cannot explain why people go through such effort to rebuild binary
Debian packages based on other older binary packages [that nobody checks
if they can be built reproducibly].

> Obviously, if all the .deb files themselves were built fully from source
> and reproducible, this would be ideal. A much stronger foundation would
> be to actually independently rebuild each and every package from source,
> compare the checksums against the package in Debian proper, and then
> build a live image from those packages.
>
> A stronger foundation yet would be to independently bootstrap the entire
> toolchain and bit-for-bit recursively (re)build every package in Debian
> (have fun with recursive dependency loops!) producing a fork of Debian
> as the packages would not be the same as Debian, so then you would have
> to independently verify those results because Debian is no longer the
> reference baseline... is it even free software if you cannot prove it,
> after all... and build on independently verified and bootstrapped
> hardware, while you are at it... which is to say, there is always
> another layer...
>
> Someone can check out the source code to build the live images, create a
> sufficiently similar build environment (maybe needing to use
> snapshot.debian.org to avoid package version drift), and follow the
> instructions to get bit-for-bit identical live images, without
> independently verifying every .deb contained in the image itself. Huzzah!

Yay!  I believe we need two steps:

1) Create an environment suitable for dpkg-buildpackage based on Guix
binaries.

2) Build Debian packages incrementally until we have rebuilt all of
them.

Compare each built Debian package with what's in the archive, publishing
diffoscope outputs along the way.

Because doing that takes time, I would divide it into two parallel
efforts:

1) Make sure the Debian archive can be idempotently rebuilt in a
bit-by-bit identical way.

2) Cross-build the smallest set of Debian packages (build-essential?)
needed to rebuild the rest, using binaries from Guix, which I believe is
bootstrappable all the way down.

These two efforts also take time, but they are rather different.

/Simon
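One way to script the "compare each built Debian package with what's in the archive" step sketched in the mail, as an added example that is not code from this message or from the Reproducible Builds project: it parses a Debian Packages index, compares the SHA256 of each locally rebuilt .deb against the published checksum, and prepares the diffoscope invocation for every mismatch so its output can be published. The Packages stanzas, package names, versions and .deb contents below are constructed sample data, not real archive entries.

```python
"""Compare locally rebuilt .deb files against a Debian Packages index and
report which packages need a diffoscope run.  Sample data is constructed."""
import hashlib
import os
import tempfile


def parse_packages_index(text):
    """Parse a Packages index (RFC822-style stanzas separated by blank lines)
    into {package_name: {field: value}}.  Continuation lines of multi-line
    fields such as Description are joined with newlines."""
    stanzas, current, last_field = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas[current["Package"]] = current
            current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field:
            current[last_field] += "\n" + line.strip()
            continue
        field, _, value = line.partition(":")
        current[field] = value.strip()
        last_field = field
    if current:
        stanzas[current["Package"]] = current
    return stanzas


def sha256_file(path):
    """Hash a file in chunks; .deb files can be large."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_rebuilt(index, rebuilt):
    """rebuilt maps package name -> path of the locally built .deb.
    Returns (matches, mismatches, missing); a mismatch is
    (name, archive_sha256, local_sha256)."""
    matches, mismatches, missing = [], [], []
    for name, path in sorted(rebuilt.items()):
        entry = index.get(name)
        if entry is None:
            missing.append(name)          # not in the index we compare against
            continue
        local = sha256_file(path)
        if local == entry["SHA256"]:
            matches.append(name)          # bit-for-bit identical to the archive
        else:
            mismatches.append((name, entry["SHA256"], local))
    return matches, mismatches, missing


def diffoscope_command(name, archive_deb, rebuilt_deb, outdir):
    """Return (not run) the diffoscope command whose --html report would be
    published for a mismatching package."""
    report = os.path.join(outdir, f"{name}.html")
    return ["diffoscope", "--html", report, archive_deb, rebuilt_deb]


# Constructed sample data: bytes the "archive" published, and what our
# rebuild produced.  hello is bit-identical, zlib1g differs, foo is unknown.
ARCHIVE_CONTENT = {"hello": b"archive build of hello 2.10-3\n",
                   "zlib1g": b"archive build of zlib1g 1:1.3-1\n"}
REBUILT_CONTENT = {"hello": b"archive build of hello 2.10-3\n",
                   "zlib1g": b"rebuilt zlib1g with an embedded build date\n",
                   "foo": b"package that is not in the index\n"}


def build_sample_index():
    """Generate a constructed Packages index whose SHA256 fields match
    ARCHIVE_CONTENT, in the layout a real index uses."""
    stanzas = []
    for name, blob in ARCHIVE_CONTENT.items():
        stanzas.append(
            f"Package: {name}\n"
            f"Version: 0.0-constructed\n"
            f"Architecture: amd64\n"
            f"Filename: pool/main/{name[0]}/{name}/{name}_0.0-constructed_amd64.deb\n"
            f"Size: {len(blob)}\n"
            f"SHA256: {hashlib.sha256(blob).hexdigest()}\n"
            f"Description: constructed sample entry\n"
            f" placeholder continuation line\n")
    return "\n".join(stanzas)


def run_demo():
    """Write the rebuilt .debs to a temp dir, compare them against the sample
    index and return (matches, mismatched names, missing, diffoscope cmds)."""
    index = parse_packages_index(build_sample_index())
    with tempfile.TemporaryDirectory() as tmp:
        rebuilt = {}
        for name, blob in REBUILT_CONTENT.items():
            path = os.path.join(tmp, f"{name}_rebuilt_amd64.deb")
            with open(path, "wb") as f:
                f.write(blob)
            rebuilt[name] = path
        matches, mismatches, missing = compare_rebuilt(index, rebuilt)
        commands = [diffoscope_command(n, index[n]["Filename"], rebuilt[n], tmp)
                    for n, _, _ in mismatches]
    return matches, [m[0] for m in mismatches], missing, commands


if __name__ == "__main__":
    for label, value in zip(("identical", "differ", "unknown", "to run"), run_demo()):
        print(f"{label}: {value}")
```

In a real run the index would be the `Packages` file fetched for the suite being rebuilt (ideally pinned through snapshot.debian.org, as the quoted mail suggests) and the archive .deb for each mismatch would be downloaded so diffoscope can actually be executed; the comparison itself is just the checksum equality that defines bit-for-bit reproducibility.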