[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug-xorriso] generating reproducible ISOs with xorriso
From: |
Daniel Kahn Gillmor |
Subject: |
[Bug-xorriso] generating reproducible ISOs with xorriso |
Date: |
Thu, 04 Jun 2015 09:01:50 -0400 |
User-agent: |
Notmuch/0.20.1 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu) |
Hi libburnia/xorriso folks--
I participate in the Debian Reproducible Builds project [0] (cc'ed
here). Our goal is to ensure that free software can be built from
source in a way that the binary outcome is byte-for-byte identical, so
that compromised build infrastructure can be detected.
One of the things that introduces variation in binaries are packages
that build ISOs using xorriso. I wanted to see if xorriso would be
interested in offering a "reproducible" option during ISO creation.
The variation within an ISO can come from many places, probably
including:
* filesystem timestamps
* extent ordering/numbering (maybe derived from source filesystem
ordering)
* bootable metadata (Boot offsets? i don't know the jargon, but there
is a value reported by "isoinfo -d" called "Bootoff")
One example of a package that has unreproducible ISOs is grub:
https://reproducible.debian.net/rb-pkg/unstable/amd64/grub2.html
We can try to minimize the external variations before building an ISO
(e.g. by "touch"ing all the source files to a static timestamp, and
maybe by sorting the files before generating a manifest to send to
xorriso?), but it seems like it would be simpler if there were a way to
tell xorriso to just make an identical image with all metadata
standardized in some way.
This mode might imply:
* supplying a timestamp to be used for all imported files (like alter_date_r ?)
* sorting files included so that extent numbering is constant
* ... other things?
I don't know enough about how xorriso works to know what else would be
usefully standardized to make ISO creation byte-for-byte repeatable, but
I figure you do :)
Maybe this is actually already possible with xorriso, and i just need to
do add a few simple switches? If so, do you have suggestions?
Thanks for your work on libburnia!
Regards,
--dkg
[0] https://wiki.debian.org/ReproducibleBuilds/
- [Bug-xorriso] generating reproducible ISOs with xorriso,
Daniel Kahn Gillmor <=
- Re: [Bug-xorriso] generating reproducible ISOs with xorriso, Thomas Schmitt, 2015/06/04
- Re: [Bug-xorriso] generating reproducible ISOs with xorriso, Thomas Schmitt, 2015/06/04
- Re: [Bug-xorriso] [Reproducible-builds] generating reproducible ISOs with xorriso, Daniel Kahn Gillmor, 2015/06/04
- Re: [Bug-xorriso] generating reproducible ISOs with xorriso, Thomas Schmitt, 2015/06/04
- Re: [Bug-xorriso] generating reproducible ISOs with xorriso, Daniel Kahn Gillmor, 2015/06/04
- Re: [Bug-xorriso] generating reproducible ISOs with xorriso, Thomas Schmitt, 2015/06/04
- Re: [Bug-xorriso] generating reproducible ISOs with xorriso, Daniel Kahn Gillmor, 2015/06/04
- Re: [Bug-xorriso] generating reproducible ISOs with xorriso, Daniel Kahn Gillmor, 2015/06/05
- Re: [Bug-xorriso] generating reproducible ISOs with xorriso, Thomas Schmitt, 2015/06/05
- Re: [Bug-xorriso] generating reproducible ISOs with xorriso, Thomas Schmitt, 2015/06/05