Irregular status update about reproducible Debian live ISO images
Roland Clobus
rclobus at rclobus.nl
Thu Mar 27 22:25:10 UTC 2025
Hello Ian, list,
On 27/03/2025 06:52, Ian Kelling wrote:
>
> On Wed, Mar 19, 2025 at 06:20:31PM +0100, Roland Clobus wrote:
>> Single line summary: 100% reproducible live images for bookworm
>
> Unfortunately, this isn't quite right. Currently, bookworm live images
> contain 10 nonreproducible packages. The problem is that Debian
> distributes binaries that it didn't build, and afaik it doesn't have a
> copy of the source code required to build them. They are in the
> non-free-firmware component of the Debian archive and are:
...
> The obvious final step in order to create some 100% reproducible live
> images is for Debian to build some live-images which don't include those
> packages. It would also be worth contacting the original developers of
> those binaries and asking for the source code on behalf of Debian.
>
> Note: there might be fewer than 10 packages for some architectures, I just
> checked the source packages at
> https://get.debian.org/images/release/current-live/source/tar/debian-live-12.10.0-source-standard.contents
> against http://ftp.us.debian.org/debian/pool/non-free-firmware.
>
> Note: for an example of Debian-based live-images where every package has
> free corresponding source code, see Debian 11 and earlier images or
> https://trisquel.info/.
>
> Note: a relevant link is
> https://reproducible-builds.org/docs/definition/ .
A similar question was raised about a year ago:
https://lists.reproducible-builds.org/pipermail/rb-general/2024-February/003251.html
--- Start quote ---
* Last month a question was raised, whether the distributed sources are
sufficient to rebuild the images. The answer is: probably yes, but I
haven't tried.
The chain is: source code --compiler--> executable files --debian
packaging--> .deb archives --live-build--> live images
I've focused on the last section of this chain; the installation of the
.deb archives into the live images.
--- End quote ---
So indeed, the live images are not reproducible from compiler source
code to ISO, but they are reproducible from _their_ source: the .deb
files on the Debian archive.

That is (as Vagrant also pointed out) matching the definition for
reproducible builds.

The current effort with e.g. the rebuilders tackles the first parts of
the chain (from source code to .deb archives), and my report tackles the
last part of the chain.

I understand that you are uncomfortable with the claim '100%
reproducible live images for bookworm', which could perhaps better be
rephrased to 'all live images for bookworm are reproducible from their
Debian packages'. This softens the '100%' claim (which might be
interpreted more broadly to encompass the full chain) to 'all live
images' and further limits the scope of the claim to the last part of
the building chain.

I agree that having the full chain reproducible would be a good goal.
However, given the need for non-free-firmware on many modern systems, I
see many hurdles to resolve that. A decision about non-free-firmware was
made some time ago in Debian and consequently the number of official
live images from Debian has halved, and the QA effort has improved a lot.
With kind regards,
Roland Clobus
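Added example for the last link of the chain discussed above (".deb archives --live-build--> live images"); this is not code from the original message, from live-build or from Debian. A plain tar archive stands in for the ISO, the .deb files are constructed byte strings with invented names, and the SOURCE_DATE_EPOCH value is arbitrary (only the variable name follows the reproducible-builds convention). It shows what "reproducible from their .deb files" means in practice: the same set of packages yields a bit-identical image only if the packer pins member order and timestamps, and a small diff helper reports why two naive builds differ.

```python
"""Reproducing the last link of the chain: .deb archives -> live image.

Added example, not code from the original post, live-build or Debian.
A tar archive stands in for the ISO; the .debs are constructed bytes.
"""
import hashlib
import io
import tarfile

# Constructed stand-ins for the .deb files installed into the image.
# Names and contents are invented; real .debs are ar archives.
SAMPLE_DEBS = {
    "pkg-c_3.0_all.deb": b"contents of pkg-c",
    "pkg-a_1.0_all.deb": b"contents of pkg-a",
    "pkg-b_2.0_all.deb": b"contents of pkg-b",
}

# Assumed, arbitrary build timestamp that a reproducible build pins
# instead of reading the wall clock (reproducible-builds.org convention).
SOURCE_DATE_EPOCH = 1_700_000_000


def pack_image(debs, *, mtime, deterministic_order):
    """Pack the .debs into a tar 'image'.

    mtime: timestamp stamped on every member (the naive build passes the
    wall clock, the reproducible one passes SOURCE_DATE_EPOCH).
    deterministic_order: sort member names instead of using the caller's
    iteration order, which in practice follows download/directory order.
    """
    names = sorted(debs) if deterministic_order else list(debs)
    buf = io.BytesIO()
    # USTAR format: no PAX extended headers that could smuggle in metadata.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            data = debs[name]
            info = tarfile.TarInfo(name="pool/" + name)
            info.size = len(data)
            info.mtime = mtime
            info.uid = info.gid = 0           # not the builder's uid/gid
            info.uname = info.gname = "root"
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def image_digest(image):
    """What a rebuilder actually compares: the hash of the whole image."""
    return hashlib.sha256(image).hexdigest()


def explain_difference(image_a, image_b):
    """List the reasons two images differ (order, mtime, content).

    An empty list means the images are member-for-member identical.
    """
    def members(image):
        with tarfile.open(fileobj=io.BytesIO(image), mode="r") as tar:
            return [(m.name, m.mtime, tar.extractfile(m).read())
                    for m in tar.getmembers()]

    a, b = members(image_a), members(image_b)
    reasons = []
    if [m[0] for m in a] != [m[0] for m in b]:
        reasons.append("member order differs")
    for (na, ta, da), (_, tb, db) in zip(sorted(a), sorted(b)):
        if ta != tb:
            reasons.append(f"mtime differs for {na}: {ta} vs {tb}")
        if da != db:
            reasons.append(f"content differs for {na}")
    return reasons


def naive_build(debs, wall_clock):
    return pack_image(debs, mtime=wall_clock, deterministic_order=False)


def reproducible_build(debs):
    return pack_image(debs, mtime=SOURCE_DATE_EPOCH, deterministic_order=True)


def demo():
    # Two builds from the same .debs, but on a different clock and with a
    # different arrival order of the files (simulated by reordering the dict).
    reordered = dict(sorted(SAMPLE_DEBS.items()))
    naive_1 = naive_build(SAMPLE_DEBS, wall_clock=SOURCE_DATE_EPOCH + 1)
    naive_2 = naive_build(reordered, wall_clock=SOURCE_DATE_EPOCH + 300)
    repro_1 = reproducible_build(SAMPLE_DEBS)
    repro_2 = reproducible_build(reordered)
    return {
        "naive_identical": image_digest(naive_1) == image_digest(naive_2),
        "naive_reasons": explain_difference(naive_1, naive_2),
        "repro_identical": image_digest(repro_1) == image_digest(repro_2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that this checks only the step Roland's report covers: the inputs (the .deb files) are taken as given, so a bit-identical image says nothing about whether those .debs were themselves rebuilt from source, which is the distinction Ian raises about the non-free-firmware packages.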