
Re: Questions about report 22



Reply to the lists (after confirmation that it's OK to do so)

On 29/01/2024 23:02, John Gilmore wrote:
Hello Roland,

Congratulations on the amazing progress that you have made with the
reproducibility of the Debian Live images.

Thanks! It has been a long road already :-)

Two things for me are missing from your update.  One may just be
improving a simple explanation.  Plus I have a question.

Roland Clobus <rclobus@rclobus.nl> wrote:
Reproducible status:
* All major desktops build reproducibly with bullseye, bookworm,
trixie and sid ...
** ... provided they are built for a second time within the same DAK
run (i.e. 6 hours)
* All major desktops built reproducibly for the official Debian live
images for bookworm (12.4.0) at any later moment ...
** ... except for KDE

When you say, "all major desktops build reproducibly", do you mean
that the results are identical to the Debian Live builds that ordinary
people are downloading to install Debian?  E.g. from:

   https://www.debian.org/CD/live/

Or do you mean that some unique Debian Live builds that you personally
make, but that nobody else downloads, are reproducible when compared
with themselves?

You can download the images from the official location
https://get.debian.org/images/release/current-live/amd64/iso-hybrid/

And then 7 out of 8 are reproducible. (Which leaves KDE at the moment)

Steps on how to do so are documented in the Wiki page (link 1 in my original mail)
https://wiki.debian.org/ReproducibleInstalls/LiveImages

If the actual end-user Debian Live builds have become (97.7%) reproducible,
then this is much bigger and better news.  But you did not make this
clear in your update.

Statistics are a lie :-)
97.7% of all images that I monitor are reproducible (when certain conditions are met).
87.5% (7 out of 8) of the officially released live images are reproducible when building from a Bookworm VM.

Second thing:  Can these Debian Live images be readily reproduced from
their own bootable image plus their matching Source DVD images?
Or, does reproducing them require access to some remote server(s)
elsewhere on the Internet, which means they won't reproduce if that
server is ever down, compromised, or its owners fail?

You'll need access to the Debian repository online. The sources for each Debian package are available, but as a source tarball, not as .deb files.

As an idea, it would be nice to have a tarball containing all .deb files (and related files), which could function as an offline local repository. The configuration files for running the live-build script (which are generated on the fly by a shell script) are not published, but the shell script is.

The gold standard for reproducible builds is that they are reproducible
FROM THEIR OWN SOURCE RELEASE.  If your scripts test this, then anybody
who downloads the full source release plus the matching Debian Live CD
image can disconnect their machine from the Internet, install the Live
CD image on bare hardware, and then do a full rebuild and re-verify, not
depending on anything else in the universe except a bit of electricity.

At this moment, you'll need Internet access, pointing to static (at least until the next point release) files. However, I've taken care to do time-travelling in the git repositories containing the scripts, to ensure that you'll be using the same versions of the scripts at the time of the release of the images.

If your scripts don't test for this, then the release is not fully
reproducible, since it depends on external inputs that are not part of
the source release.  (For example -- if your rebuild scripts and
verification scripts are not actually in the source release and thus
have to be downloaded from somewhere!)

Then I'll have a third metric:
0% of all live images are reproducible given these conditions

Here's the bonus question:

Functionality status:
* The sid images are affected by #1051607 (Calamares installation on
UEFI Secure Boot systems fails to boot after installation)
* The sid images occasionally report missing installation media, when
booting from USB in UEFI non-secure boot systems (#1054325)
* The testing images have an issue in the installer, it attempts to
use a static IP-address instead of using DHCP. MR is prepared [2]

Are you saying that the images that you are building are identical
with the public, downloadable Debian Live images -- but the public,
downloadable Debian Live images have these three problems?  If true,
why do you bother noting it?  Every release has bugs, if you reproduce
the release, the reproduced release will have bugs.

I'm cross-posting the reproducible builds mailing list and the live mailing list, since there is a huge overlap. By mentioning my progress for both types of work, I'm saving myself writing 2 mails which would be largely identical.

If the problems you report are unique to your reproducible images, then
I don't understand how your reproducible images could be identical to
other images yet have different problems when booted.  Please explain
better (in your public updates on your project).

The runtime environment (UEFI/BIOS) influences how the images are 'executed', so I actually see different behaviour in openQA.
For my next report I'll try to elaborate a bit more.

And -- congratulations again!

	John Gilmore

With kind regards,
Roland Clobus
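The check behind "7 out of 8 are reproducible" is a byte-for-byte comparison of a locally rebuilt image against the checksum list published next to the official images. The script below is an added example, not code from the mail thread, the Debian Live project or the wiki page it links; it does not perform a build (that still needs the live-build scripts and, as the reply says, the online Debian repository). The image names, the three tiny stand-in files and the resulting SHA256SUMS list are all constructed for the demonstration, and the mismatch for the KDE image is arranged on purpose to mirror the one non-reproducible official image mentioned above. It assumes only POSIX sh and coreutils (sha256sum, mktemp, cut).

```shell
#!/bin/sh
# Added example (not from the mail thread): compare rebuilt live images
# against an official-style SHA256SUMS list and report how many reproduce.
set -eu

# setup_demo: create a scratch directory with "official" images plus their
# SHA256SUMS, and a "rebuilt" directory where one image deliberately differs.
# Every file here is a constructed stand-in; real ISOs are hundreds of MB.
setup_demo() {
    dir=$(mktemp -d)
    mkdir "$dir/official" "$dir/rebuilt"
    for flavour in gnome kde xfce; do
        printf 'constructed stand-in for the %s live image\n' "$flavour" \
            > "$dir/official/debian-live-12.4.0-amd64-$flavour.iso"
    done
    # GNOME and Xfce rebuild identically; KDE does not (as in the mail).
    cp "$dir/official/debian-live-12.4.0-amd64-gnome.iso" "$dir/rebuilt/"
    cp "$dir/official/debian-live-12.4.0-amd64-xfce.iso" "$dir/rebuilt/"
    printf 'constructed stand-in for the kde live image (differs)\n' \
        > "$dir/rebuilt/debian-live-12.4.0-amd64-kde.iso"
    # The checksum list as it would be published beside the official images.
    (cd "$dir/official" && sha256sum ./*.iso | sed 's| \./| |' > SHA256SUMS)
    printf '%s\n' "$dir"
}

# compare_images SHA256SUMS REBUILT_DIR
# Prints "OK <name>" or "MISMATCH <name>" per listed image, then a summary
# line "reproducible N/M". Exit status is 0 only if every image matched.
compare_images() {
    sums=$1; rebuilt=$2
    ok=0; total=0
    # sha256sum lines are "<hash>  <name>"; read splits on whitespace.
    while read -r expected name; do
        total=$((total + 1))
        if [ ! -f "$rebuilt/$name" ]; then
            echo "MISMATCH $name (not rebuilt)"
            continue
        fi
        actual=$(sha256sum "$rebuilt/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            ok=$((ok + 1))
            echo "OK $name"
        else
            echo "MISMATCH $name"
        fi
    done < "$sums"
    echo "reproducible $ok/$total"
    [ "$ok" -eq "$total" ]
}

demo=$(setup_demo)
compare_images "$demo/official/SHA256SUMS" "$demo/rebuilt" \
    || echo "at least one image did not reproduce"
```

Against real downloads you would point the second argument at your live-build output directory and the first at the SHA256SUMS file fetched from the official image location; the official list should itself be checked against its detached signature before it is trusted as the reference.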
