I'm very glad to see reproducible Debian releases being built! Congratulations! Is this a feature that Debian values enough to put it in its major releases, or is it an offshoot? 11.0.0 just came out this month: was it reproducible? Or if not, perhaps 12 will be?

Chris Lamb <ch...@reproducible-builds.org> wrote:
> Including the full config inside the ISO definitely seems like a good
> idea, especially as this config is both small and will be compressed.

Please include the config seeds for each binary release, in the *source* media. And the bootstrap script in both the source and binary media.

I have long had this idea that it should be possible to take an OS release's live install media, and its matching source code media, and take those two offline to any compatible computer, with no Internet access. Boot the machine from the live install media, and run an included script that will rebuild a copy of the live install media from its own source code, using its own binaries to bootstrap it.

(With this setup, you would also be able to rebuild a copy of *slightly modified* source media, e.g. with a few critical bug fixes patched. This would let you, or anyone, determine exactly which bits in which files in the resulting binary live install media were changed by those patches, by diffoscoping with the original binary live install media.)

With such a bit of infrastructure, you could then make one of its target builds a very minimal binary live medium (netinst sized or much smaller) that would contain just the binaries needed to bootstrap all builds creatable from that source tree. Those bootstrap binaries could certainly rebuild their own bootstrap binary media (as above). But they could also rebuild the main live x86 or x86 release install media, from the config seed included in the source code media, without having any copy of the target binary media accessible to it!

The size of this bootstrap ISO medium would show just how small the must-be-trusted bootstrap binary code is for any given OS release.

For example, isn't the OS kernel the biggest remaining binary dependency? Does the GNU Mes bootstrap-reducing team have a plan to replace Grub and the Linux kernel and init (and perhaps a BIOS?) with something tiny that runs on bare metal and implements a file system, the mount command, and processes? Many realtime OS's are much smaller than Linux or BSD and yet have those capabilities. eCos might be a great start, and is free, highly portable, and includes a POSIX layer (and TCP/IP for debugging), though it currently lacks fork/exec/wait. The original V7 UNIX kernel would work, if process sizes and filename sizes are patched, and a few device drivers written for modern disk and CDROM drives. Such a bootstrap kernel would enable the Scheme bootstrap programs to run well enough to build gcc, then use gcc to build the Linux kernel, then boot it, and continue building.

John