Hi Roland,

> > One question actually — how might a third-party reproduce these
> > images? Or putting the same question in more technical terms — are you
> > generating some kind of .buildinfo file that contains (just for
> > example's sake) the value of SOURCE_DATE_EPOCH and any other relevant
> > inputs, as well as the resulting checksums?
>
> Good question. I was initially interested in getting a reproducible
> image, the next step would be to record the required steps.
>
> The .buildinfo manpage [1] looks really tightly coupled to packages, so
> (in its present form) it cannot record the information needed for
> rebuilding a live-build ISO image.

Yes, you are absolutely right that the .buildinfo spec outlined in the
manpage you link is oriented towards packages and Debian packages in
particular.

But perhaps I should have been clearer: I was hypothesising about a
file that is *analogous* to that Debian .buildinfo format (aka. the
deb-buildinfo(5) spec), rather than using _that_ particular
specification. As in, some new file that encodes the inputs (that you
later list — thanks!) as well as the checksums of the outputs.

(I don't think the deb-buildinfo(5) spec could be hacked to fit here
tbh, although many things could obviously be inspired from it.)

> If desired, the full configuration for the lb commands could be
> embedded into the ISO image. Then you can, after obtaining a live
> image, use the config provided there to rebuild exactly the same
> image.

Including the full config inside the ISO definitely seems like a good
idea, especially as this config is both small and will be compressed.

Still, an external build attestation document will always be needed to
store the output checksums, so I wouldn't worry too much about trying
to include everything within the ISO itself. Indeed, needing to extract
parts of the ISO to recreate it is slightly sub-optimal, if only
because it would require someone to download it first before attempting
to recreate it (rather than just possessing the minuscule .buildinfo
file containing the inputs and output hashes).

Anyway, I *totally* ACK that you were getting this all working first
before moving on... and I hope I didn't come across as "Never Satisfied
Mailing List Guy". Looking forward to seeing what you come up with. :)


Best wishes,

-- 
      o
    ⬋   ⬊      Chris Lamb
   o     o     reproducible-builds.org 💠
    ⬊   ⬋
      o
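
An added example, not part of the original e-mail and not live-build or deb-buildinfo(5) code: a minimal sketch of the kind of external attestation file discussed above, recording build inputs together with output checksums and checking a third party's rebuild against it. The format name, the field names and the config_sha256 input are hypothetical, and the file contents and SOURCE_DATE_EPOCH value are constructed.

```python
import hashlib, json, os, tempfile

def sha256_file(path):
    """Stream a file through SHA-256 so a large ISO need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def make_buildinfo(inputs, output_paths):
    """Return the attestation: declared inputs plus checksums of the outputs."""
    return {
        "format": "hypothetical-image-buildinfo/0",  # invented for this example
        "inputs": dict(sorted(inputs.items())),
        "outputs": {os.path.basename(p): {"size": os.path.getsize(p),
                                          "sha256": sha256_file(p)}
                    for p in sorted(output_paths)},
    }

def serialize(buildinfo):
    """Canonical JSON, so the attestation itself is byte-for-byte reproducible."""
    return json.dumps(buildinfo, sort_keys=True, indent=2) + "\n"

def verify_rebuild(buildinfo, rebuilt_dir):
    """Compare a rebuild with the attestation; return names that do not match."""
    bad = []
    for name, want in buildinfo["outputs"].items():
        path = os.path.join(rebuilt_dir, name)
        if not os.path.isfile(path) or sha256_file(path) != want["sha256"]:
            bad.append(name)
    return bad

def demo():
    """Constructed sample: small files stand in for the ISO image."""
    inputs = {"SOURCE_DATE_EPOCH": "1700000000",  # constructed value
              "config_sha256": hashlib.sha256(b"constructed lb config").hexdigest()}
    with tempfile.TemporaryDirectory() as orig, tempfile.TemporaryDirectory() as redo:
        for d in (orig, redo):
            with open(os.path.join(d, "live-image.iso"), "wb") as f:
                f.write(b"constructed image bytes")
        iso = os.path.join(orig, "live-image.iso")
        info = json.loads(serialize(make_buildinfo(inputs, [iso])))
        first = verify_rebuild(info, redo)   # identical rebuild
        with open(os.path.join(redo, "live-image.iso"), "ab") as f:
            f.write(b"\x00")                 # simulate a non-reproducible rebuild
        return first, verify_rebuild(info, redo)

if __name__ == "__main__":
    print(demo())
```

Because the attestation lives outside the image, a rebuilder needs only this small file to learn the inputs and to check the result, without downloading the original ISO first.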