Debian bookworm live images now reproducible

(lwn.net)

Comments

jcmfernandes 26 March 2025
Insane effort. This sounded like a pipe dream just a couple of years ago. Congrats to everyone involved, especially to those who drove the effort.
imcritic 26 March 2025
I don't get how someone achieves reproducibility of builds: what about file metadata like creation/modification timestamps? Do they forge them? Or are these data treated as not important enough (like if 2 files with different metadata but identical contents should have the same checksum when hashed)?
kroeckx 27 March 2025
It's my understanding that this is about generating the .iso file from the .deb files, not about generating the .deb files from source. Generating .deb from source in a reproducible way is still a work in progress.
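The file-metadata question raised above, illustrated with an added example. This is not code from any commenter, from Debian's live-build tooling, or from reprotest; the two sample files and the epoch value are constructed for the demo. It builds the same two files twice, "hours apart" so their mtimes differ, and shows that a plain archive is byte-different each time while an archive whose varying metadata is normalized (entries sorted, mtime clamped to a SOURCE_DATE_EPOCH value, owner and mode fixed) hashes identically. That normalization, not forging the on-disk timestamps, is the convention the Reproducible Builds project uses.

```python
"""Why file metadata breaks reproducibility, and how build tools normalize it.
Added example, not from the thread or from Debian's tooling; sample data is constructed."""
import hashlib
import io
import os
import tarfile
import tempfile

# Assumed value for the demo; a real build reads SOURCE_DATE_EPOCH from the environment.
SOURCE_DATE_EPOCH = 1700000000


def write_tree(root, mtime):
    """Create two files with fixed contents and the given mtime (constructed sample input)."""
    for name, data in (("b.txt", b"hello\n"), ("a.txt", b"world\n")):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))


def naive_archive(root):
    """Archive like a plain `tar` would: directory order, real mtimes, real uid/gid."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in os.listdir(root):
            tar.add(os.path.join(root, name), arcname=name)
    return buf.getvalue()


def reproducible_archive(root, epoch=SOURCE_DATE_EPOCH):
    """Normalize everything that varies between builds but carries no content:
    entry order, modification time, ownership and permission bits."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(os.listdir(root)):          # deterministic order
            path = os.path.join(root, name)
            info = tar.gettarinfo(path, arcname=name)
            info.mtime = min(info.mtime, epoch)        # clamp to SOURCE_DATE_EPOCH
            info.uid = info.gid = 0                    # drop builder identity
            info.uname = info.gname = "root"
            info.mode = 0o644                          # drop umask differences
            with open(path, "rb") as f:
                tar.addfile(info, f)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare(archiver):
    """Build the same tree twice with mtimes two hours apart; True if both archives hash equal."""
    digests = []
    for mtime in (SOURCE_DATE_EPOCH + 10, SOURCE_DATE_EPOCH + 7200):
        with tempfile.TemporaryDirectory() as root:
            write_tree(root, mtime)
            digests.append(sha256(archiver(root)))
    return digests[0] == digests[1]


if __name__ == "__main__":
    print("naive archive reproducible:       ", compare(naive_archive))
    print("normalized archive reproducible:  ", compare(reproducible_archive))
```

The same idea scales up to a whole image: every tool in the pipeline (tar, mksquashfs, xorriso, the package builders feeding it) has to either take SOURCE_DATE_EPOCH or be given explicit ordering and ownership flags, and a single tool left on its defaults is enough to make two otherwise identical builds differ.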
abdullahkhalids 26 March 2025
Is the build infrastructure for Debian also reproducible? It seems like if someone wants to inject malware in Debian package binaries (without injecting them into the source), they have to target the build infrastructure (compilers, linkers and whatever wrapper code is written around them).

Also, is someone else also compiling these images, so we have evidence that the Debian compiling servers were not compromised?

geocrasher 26 March 2025
What is the significance of a reproducible build, and how is it different than a normal distribution?
zozbot234 26 March 2025
Nice, these live images could become the foundation for a Debian-based "immutable OS" workflow.
moondev 26 March 2025
Do these live images come ready with cloud-init? A cloud-init in-memory live iso seems perfect for immutable infrastructure "anywhere"
kragen 26 March 2025
Cort3z 26 March 2025
I’m a noob to this subject. How can a build be non-reproducible? By that, I mean, what part of the build process could return non-deterministic output? Are people putting timestamps into the build and stuff like that?
yupyupyups 26 March 2025
This is amazing news. Well done!
nwellinghoff 27 March 2025
Does anyone have any information as to how they modified their C code such that the compiler output was deterministic? I thought one of the hardest problems with an effort like this was writing your C such that the compiler would output everything in the same order (same bytes)? And I am not just talking about timestamps etc.
letters90 27 March 2025
The update is gold. Original message: "They are reproducible"; updated message: "lol actually not".
amelius 27 March 2025
How does that work with timestamps?
curtisszmania 27 March 2025
Pretty wild that we’re finally nailing reproducibility in Linux images after so many years—clearly a win for stability and consistency across the board.
perdomon 26 March 2025
Can someone please ELI5? When I hear live images, I think of iOS videos that go along with pictures you take
c0l0 26 March 2025
I never really understood the hype around reproducible builds. It seems to mostly be a vehicle to enable tivoization[0] while keeping users sufficiently calm. With reproducible builds, a vendor can prove to users that they did build $binary from $someopensourceproject, and then digitally sign the result so that it - and only it - would load and execute on the vendor-provided and/or vendor-controlled platform. But that still kills effective software freedom as long as I, the user, cannot do the same thing with my own build (whether it is unmodified or not) of $someopensourceproject.

Therefore, I side with Tavis Ormandy on this debate: https://web.archive.org/web/20210616083816/https://blog.cmpx...

[0]: https://en.wikipedia.org/wiki/Tivoization