Re: Recoding the configuration for live-build images (Was: Third status update about reproducible live-build ISO images in Jenkins)
- To: General discussions about reproducible builds <rb-general@lists.reproducible-builds.org>, Debian-live mailing list <debian-live@lists.debian.org>
- Subject: Re: Recoding the configuration for live-build images (Was: Third status update about reproducible live-build ISO images in Jenkins)
- From: "Bernhard M. Wiedemann" <bernhardout@lsmod.de>
- Date: Wed, 1 Sep 2021 10:59:53 +0200
- Message-id: <[🔎] b300556d-2551-2cf6-8e8f-302be9d8b001@lsmod.de>
- In-reply-to: <3292a845-9ae9-4531-b4d6-a0ab781f6cf1@www.fastmail.com>
- References: <141b7fed-e54b-d520-9b0f-b1085639078f@rclobus.nl> <4f011c27-f636-414e-98f2-c21731298fd8@www.fastmail.com> <d3db940a-07b0-1ba7-b9e1-2ea6d3c2c824@rclobus.nl> <3292a845-9ae9-4531-b4d6-a0ab781f6cf1@www.fastmail.com>
On 31/08/2021 15.53, Chris Lamb wrote:
> Indeed, needing to
> extract parts of the ISO to recreate it is slightly sub-optimal, if
> only because it would require someone to download it first before
> attempting to recreate it (rather than just possessing the minuscule
> .buildinfo file containing the inputs and output hashes).
There are ways to read files off a remote iso without downloading the
whole thing:
https://github.com/bmwiedemann/curlwwwfs + fuseiso
or maybe
https://github.com/higlass/simple-httpfs
However, it would also be possible to place them as tarball next to it,
but then you add other challenges in toolchains and workflows, if you
think about the separate .buildinfo vs ArchLinux embeeded one.
How do you find the right buildinfo? What if someone only fetches the
binary?
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
Reply to: