On 04/07/2023 22:32, Vagrant Cascadian wrote:
> On 2023-07-04, David A. Wheeler wrote:
>> On Jul 2, 2023, at 11:37 AM, Roland Clobus <rclobus@rclobus.nl> wrote:
>>> Reproducible status:
>>> * All major desktops build reproducibly with bullseye, bookworm, trixie and sid
>>
>> How close are things to having the *released* versions of the Debian live images & (main) packages reproducible? I can't tell if this means "it's possible to create reproducible builds" or "the packages people are using are the reproducible builds". Sorry if this is obvious to everyone else.
>
> My understanding is the live images themselves are bit-for-bit reproducible, with the inputs being the actual .deb packages from the debian archive. The individual .deb packages might not necessarily be independently reproducible when built from source.

Indeed.

The live ISO images are constructed two times within the same DAK run (which synchronises the Debian archive every six hours). The resulting ISO images are verified by Jenkins [1] to be bit-for-bit identical. Even though the individual package might not be reproducible from source, the live images (which use the prebuilt packages) are.

Because the images are generated from the current state of the Debian archive, and not from a snapshotted state [2], I have a pending task to see how this can be mapped.

With kind regards,
Roland Clobus

[1] https://jenkins.debian.net/view/live/
[2] https://snapshot.debian.org