Comments (195)
- jcmfernandes: Insane effort. This sounded like a pipe dream just a couple of years ago. Congrats to everyone involved, especially to those who drove the effort.
- imcritic: I don't get how someone achieves reproducibility of builds: what about file metadata like creation/modification timestamps? Do they forge them? Or are these data treated as not important enough (like if 2 files with different metadata but identical contents should have the same checksum when hashed)?
- kroeckx: It's my understanding that this is about generating the .iso file from the .deb files, not about generating the .deb files from source. Generating .deb from source in a reproducible way is still a work in progress.
- abdullahkhalids: Is the build infrastructure for Debian also reproducible? It seems like if someone wants to inject malware in Debian package binaries (without injecting them into the source), they have to target the build infrastructure (compilers, linkers and whatever wrapper code is written around them). Also, is someone else also compiling these images, so we have evidence that the Debian compiling servers were not compromised?
- geocrasher: What is the significance of a reproducible build, and how is it different than a normal distribution?
- moondev: Do these live images come ready with cloud-init? A cloud-init in-memory live iso seems perfect for immutable infrastructure "anywhere"
- zozbot234: Nice, these live images could become the foundation for a Debian-based "immutable OS" workflow.
- kragen: This is a huge milestone: https://lists.reproducible-builds.org/pipermail/rb-general/2...
- Cort3z: I’m a noob to this subject. How can a build be non-reproducible? By that, I mean, what part of the build process could return non-deterministic output? Are people putting timestamps into the build and stuff like that?
- yupyupyups: This is amazing news. Well done!
- nwellinghoff: Does anyone have any information as to how they modified their C code such that the compiler output was deterministic? I thought one of the hardest problems with an effort like this was writing your C such that the compiler would output everything in the same order (same bytes)? And I am not just talking about time stamps etc.
- letters90: the update is gold, original message: "They are reproduceable" updated message "lol actually not"
- amelius: How does that work with timestamps?
- curtisszmania: Pretty wild that we’re finally nailing reproducibility in Linux images after so many years—clearly a win for stability and consistency across the board.
- selfhoster: [flagged]
- perdomon: Can someone please ELI5? When I hear live images, I think of iOS videos that go along with pictures you take
- c0l0: I never really understood the hype around reproducible builds. It seems to mostly be a vehicle to enable tivoization[0] while keeping users sufficiently calm. With reproducible builds, a vendor can prove to users that they did build $binary from $someopensourceproject, and then digitally sign the result so that it - and only it - would load and execute on the vendor-provided and/or vendor-controlled platform. But that still kills effective software freedom as long as I, the user, cannot do the same thing with my own build (whether it is unmodified or not) of $someopensourceproject. Therefore, I side with Tavis Ormandy on this debate: https://web.archive.org/web/20210616083816/https://blog.cmpx... [0]: https://en.wikipedia.org/wiki/Tivoization