Hi Mark,

Mark H Weaver <m...@netris.org> wrote:

> l...@gnu.org (Ludovic Courtès) writes:
>
>> Here are the bootable USB installation images and their signatures[*]:
>>   https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.i686-linux.iso.xz
>>   https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.i686-linux.iso.xz.sig
>>   https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.x86_64-linux.iso.xz
>>   https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.x86_64-linux.iso.xz.sig
>>
>> Here is the QCOW2 virtual machine (VM) image and its signature:
>>   https://alpha.gnu.org/gnu/guix/guixsd-vm-image-0.14.0.x86_64-linux.xz
>>   https://alpha.gnu.org/gnu/guix/guixsd-vm-image-0.14.0.x86_64-linux.xz.sig
>>
>> Here are the binary tarballs and their signatures[*]:
>>   https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.i686-linux.tar.xz
>>   https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.i686-linux.tar.xz.sig
>>   https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.x86_64-linux.tar.xz
>>   https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.x86_64-linux.tar.xz.sig
>>   https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.armhf-linux.tar.xz
>>   https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.armhf-linux.tar.xz.sig
>>   https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.aarch64-linux.tar.xz
>>   https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.aarch64-linux.tar.xz.sig
>
> To enable independent verification of these installer images, it would
> be helpful to include the precise commands needed to reproduce these
> images, and the git commit to run them on.
>
> What do you think?

The manual already gives those commands:

  https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html (bottom)
  https://www.gnu.org/software/guix/manual/html_node/Building-the-Installation-Image.html

Do you think we should show them more prominently?

However, disk images are likely not bit-reproducible currently, primarily due to non-determinism in how file systems populate the disk.

They might be reproducible if ‘guix system’ always creates files in the same order, which is something we could enforce (perhaps that’s already the case).

If it’s not sufficient, then we should look at what others in the reproducible-builds.org effort have been doing (Tails achieved reproducible ISO images, for instance, and I think OpenWrt people were looking at ext2 reproducibility.)

There may also be lingering non-reproducibility issues in some of the packages included that need to be addressed.

It would be good to investigate!

Ludo’.
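As an added example that is not part of the original message or of Guix: a small check that compares two independently built images by SHA-256 and, when they differ, reports which block ranges differ, which helps tell file-ordering differences from scattered package-level ones. The 4096-byte block size, the function names and the sample data are assumptions made for illustration.

```python
import hashlib
import io

BLOCK = 4096  # assumed comparison granularity (a common file system block size)

def sha256_stream(f):
    """Hash a binary stream in 1 MiB chunks so large images are never loaded whole."""
    h = hashlib.sha256()
    for chunk in iter(lambda: f.read(1 << 20), b""):
        h.update(chunk)
    return h.hexdigest()

def differing_ranges(a, b, block=BLOCK):
    """Return [first, last] block-index ranges (inclusive) where the streams differ."""
    ranges, idx = [], 0
    while True:
        x, y = a.read(block), b.read(block)
        if not x and not y:
            return ranges
        if x != y:
            if ranges and ranges[-1][1] == idx - 1:
                ranges[-1][1] = idx        # extend the current run of differing blocks
            else:
                ranges.append([idx, idx])  # start a new run
        idx += 1

def compare_builds(a, b):
    """Compare two seekable image streams produced by independent builds."""
    da, db = sha256_stream(a), sha256_stream(b)
    if da == db:
        return {"reproducible": True, "sha256": da, "ranges": []}
    a.seek(0)
    b.seek(0)
    return {"reproducible": False, "sha256": (da, db), "ranges": differing_ranges(a, b)}

def sample_builds():
    """Constructed data: four 'files' of one block each, written in two different orders."""
    f = [bytes([c]) * BLOCK for c in b"ABCD"]
    return b"".join(f), b"".join([f[0], f[2], f[1], f[3]])

if __name__ == "__main__":
    one, two = sample_builds()
    print(compare_builds(io.BytesIO(one), io.BytesIO(one))["reproducible"])
    print(compare_builds(io.BytesIO(one), io.BytesIO(two))["ranges"])
```

On real images, pass decompressed files opened with `open(path, "rb")`; a single contiguous differing range points at placement or ordering, while many small ranges suggest differences inside the packaged files themselves.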