Hello Chris,

On 30/08/2021 18:58, Chris Lamb wrote:
> One question actually — how might a third-party reproduce these
> images? Or putting the same question in more technical terms — are you
> generating some kind of .buildinfo file that contains (just for
> example's sake) the value of SOURCE_DATE_EPOCH and any other relevant
> inputs, as well as the resulting checksums?

Good question. I was initially interested in getting a reproducible image; the next step would be to record the required steps.

The .buildinfo manpage [1] looks really tightly coupled to packages, so (in its present form) it cannot record the information needed for rebuilding a live-build ISO image.

There are a few things required to reproduce the images:
1) The git hash for the live-config repository
2) The value of SOURCE_DATE_EPOCH
3) The command line of 'lb config' (which contains the path with timestamp to the snapshot server)
4) The list of additional packages (e.g. live-task-gnome)
5) The additional 'hacks' required

3, 4 and 5 can also be obtained from the config directory, which is generated by the 'lb config' command.

If desired, the full configuration for the lb commands could be embedded into the ISO image. Then you can, after obtaining a live image, use the config provided there to rebuild exactly the same image.

With kind regards,
Roland Clobus

[1] https://manpages.debian.org/bullseye/dpkg-dev/deb-buildinfo.5.en.html
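A sketch of how the inputs listed in the message above could be recorded next to the image checksum and compared between two builds. This is an added example, not part of the original message or of live-build; the record layout, the function names and the sample config tree are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so a full ISO need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_record(config_dir, image_path, git_commit, source_date_epoch):
    """Collect the inputs listed above plus the resulting image checksum."""
    config_dir = Path(config_dir)
    files = {p.relative_to(config_dir).as_posix(): sha256_file(p)
             for p in sorted(config_dir.rglob("*")) if p.is_file()}
    return {"git_commit": git_commit,                     # input 1
            "source_date_epoch": int(source_date_epoch),  # input 2
            "config_files": files,                        # inputs 3, 4 and 5
            "image_sha256": sha256_file(image_path)}      # output to compare


def diff_records(a, b):
    """Sorted names of the recorded inputs/outputs that differ."""
    changed = [k for k in ("git_commit", "source_date_epoch", "image_sha256")
               if a[k] != b[k]]
    names = set(a["config_files"]) | set(b["config_files"])
    changed += ["config/" + n for n in names
                if a["config_files"].get(n) != b["config_files"].get(n)]
    return sorted(changed)


def demo():
    """Run on a constructed tree standing in for the 'lb config' directory."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, "config")
        (cfg / "package-lists").mkdir(parents=True)
        pkgs = cfg / "package-lists" / "desktop.list.chroot"
        pkgs.write_text("live-task-gnome\n")
        (cfg / "bootstrap").write_text("mirror=<snapshot URL with timestamp>\n")
        iso = Path(tmp, "image.iso")
        iso.write_bytes(b"constructed image bytes")
        first = build_record(cfg, iso, "<git hash>", 1630000000)
        same = build_record(cfg, iso, "<git hash>", 1630000000)
        pkgs.write_text("live-task-xfce\n")  # a changed package list
        other = build_record(cfg, iso, "<git hash>", 1630000000)
        return diff_records(first, same), diff_records(first, other)
```

When two records disagree only in `image_sha256`, every recorded input matched and the difference comes from something the record does not yet capture.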