Hi libburnia/xorriso folks--

I participate in the Debian Reproducible Builds project [0] (cc'ed
here).  Our goal is to ensure that free software can be built from
source in a way that the binary outcome is byte-for-byte identical, so
that compromised build infrastructure can be detected.

One of the things that introduces variation in binaries are packages
that build ISOs using xorriso.  I wanted to see if xorriso would be
interested in offering a "reproducible" option during ISO creation.

The variation within an ISO can come from many places, probably

 * filesystem timestamps

 * extent ordering/numbering (maybe derived from source filesystem
 * bootable metadata (Boot offsets?  i don't know the jargon, but there
   is a value reported by "isoinfo -d" called "Bootoff")

One example of a package that has unreproducible ISOs is grub:


We can try to minimize the external variations before building an ISO
(e.g. by "touch"ing all the source files to a static timestamp, and
maybe by sorting the files before generating a manifest to send to
xorriso?), but it seems like it would be simpler if there were a way to
tell xorriso to just make an identical image with all metadata
standardized in some way.

This mode might imply:

 * supplying a timestamp to be used for all imported files (like alter_date_r ?)
 * sorting files included so that extent numbering is constant
 * ... other things?

I don't know enough about how xorriso works to know what else would be
usefully standardized to make ISO creation byte-for-byte repeatable, but
I figure you do :)

Maybe this is actually already possible with xorriso, and i just need to
do add a few simple switches?  If so, do you have suggestions?

Thanks for your work on libburnia!



[0] https://wiki.debian.org/ReproducibleBuilds/

Reproducible-builds mailing list

Reply via email to