Seventh status update about reproducible live-build ISO images in Jenkins

Tue, 22 Feb 2022 02:16:42 -0800 

Hello lists,
here is the seventh update of the status for reproducible live-build ISO images [1]. 

Reproducible status:
* All major desktops build reproducibly with bullseye, bookworm and sid ...
** ... except for Cinnamon on bookworm and sid

New and changed:
* live-build now reports a git hash number when a git version is used [2][3]

** Together with the timestamp of the (snapshot) repository, this 
generates a unique identifier for reproducing the ISO image

* First steps with openQA to walk through every single boot menu entry [4]

** This will test the functionality of the reproducible ISO images, and 
helps to find issues early

*** e.g. kernel module mismatch in the Debian Installer

** This procedure will be easily extended to other images, e.g. the 
netinst image

* Pending: Jenkins reports the sha256sum of the reproducible image [5]

** You will be able to verify whether a local build is identical to the 
build by Jenkins
* Question on the mailing list: Should the live images be generated 
again? [6]


Patch available but not released yet:

* libxmlb used a pointer address (%p) for a hash value. Upstream [7] has 
been fixed

* texlive-base: Reported differences in the generated ls-R [8]

Future plans/ideas:

* texlive-base: More sources for non-reproducibility are noted in the 
Wiki page [1]

** Only the Cinnamon desktop is affected, starting with bookworm
* Recording the configuration used by live-build
** Next step: test some scenarios and write a proposal

* Reprotest might be used instead of just 2 builds without a short time 
frame, to capture more variations

* Use disorderfs

* Long term: When live-build images are working fine, the work could be 
extended to other images, e.g. the netinst images or perhaps even Docker 
images
* Transfer the special features of the (now disabled) live-wrapper live 
images to live-build


With kind regards,
Roland Clobus

[1] https://wiki.debian.org/ReproducibleInstalls/LiveImages
[2] https://salsa.debian.org/live-team/live-build/-/merge_requests/273
[3] Pending merge for Jenkins: 45721776e008469b28ca4310b0cb6413466397c4

[4] 
https://salsa.debian.org/qa/openqa/openqa-tests-debian/-/merge_requests/2

[5] Pending merge for Jenkins: 071a80ff4f28e019e1067be72058106478ed4624
[6] https://lists.debian.org/debian-live/2022/02/msg00000.html
[7] https://github.com/hughsie/libxmlb/issues/110
[8] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003449



Attachment:
OpenPGP_signature

Description: OpenPGP digital signature














    











					Reply via email to