Hi libburnia/xorriso folks--
I participate in the Debian Reproducible Builds project (cc'ed
here). Our goal is to ensure that free software can be built from
source in a way that the binary outcome is byte-for-byte identical, so
that compromised build infrastructure can be detected.

One of the things that introduces variation in binaries is packages
that build ISOs using xorriso. I wanted to see if xorriso would be
interested in offering a "reproducible" option during ISO creation.

The variation within an ISO can come from many places, probably
* filesystem timestamps
* extent ordering/numbering (maybe derived from source filesystem)
* bootable metadata (Boot offsets? I don't know the jargon, but there
is a value reported by "isoinfo -d" called "Bootoff")
One example of a package that has unreproducible ISOs is grub:
We can try to minimize the external variations before building an ISO
(e.g. by "touch"ing all the source files to a static timestamp, and
maybe by sorting the files before generating a manifest to send to
xorriso?), but it seems like it would be simpler if there were a way to
tell xorriso to just make an identical image with all metadata
standardized in some way.
This mode might imply:
* supplying a timestamp to be used for all imported files (like alter_date_r ?)
* sorting files included so that extent numbering is constant
* ... other things?
I don't know enough about how xorriso works to know what else would be
usefully standardized to make ISO creation byte-for-byte repeatable, but
I figure you do :)
Maybe this is actually already possible with xorriso, and I just need to
add a few simple switches? If so, do you have suggestions?
Thanks for your work on libburnia!
Reproducible-builds mailing list
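An added example, not part of the post above and not xorriso's own code, of the workaround the message sketches: touch every source file to one timestamp taken from SOURCE_DATE_EPOCH, hand xorriso a sorted graft manifest, fix the volume descriptor dates, then build twice and compare digests. It assumes GNU coreutils and assumes that xorriso's mkisofs emulation accepts -graft-points, -path-list and --modification-date=YYYYMMDDhhmmsscc; the sample timestamp is a constructed value.

```shell
#!/bin/sh
# Added example (not from the post or from xorriso): normalise a source tree,
# hand xorriso a sorted manifest, build twice and compare the two images.
# Assumes GNU coreutils (touch -d @SECONDS, date -d, stat, sha256sum).
set -eu

# One timestamp for every file; constructed default is 2015-01-01 00:00:00 UTC.
: "${SOURCE_DATE_EPOCH:=1420070400}"

# Set the mtime of every file and directory under $1 to SOURCE_DATE_EPOCH.
normalize_tree() {
    find "$1" -exec touch -h -d "@$SOURCE_DATE_EPOCH" {} +
}

# Print a mkisofs graft manifest ("iso_path=host_path", one per line) for the
# tree $1 in C-locale sorted order, so the file order given to xorriso does
# not depend on the order readdir() happens to return entries in.
sorted_manifest() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s=%s\n' "${f#"$1"/}" "$f"
    done
}

# SOURCE_DATE_EPOCH in the YYYYMMDDhhmmsscc form that xorrisofs'
# --modification-date expects for the volume descriptor dates (assumed flag).
iso_stamp() {
    date -u -d "@$SOURCE_DATE_EPOCH" +%Y%m%d%H%M%S00
}

# Build image $3 from manifest $2 (tree $1 is expected to be normalised already).
build_iso() {
    xorriso -as mkisofs -R -graft-points -path-list "$2" \
        --modification-date="$(iso_stamp)" -o "$3" >/dev/null 2>&1
}

# Usage: sh repro-iso.sh SRC_DIR   (does nothing when run without arguments)
if [ $# -eq 1 ]; then
    normalize_tree "$1"
    sorted_manifest "$1" > manifest.txt
    build_iso "$1" manifest.txt first.iso
    build_iso "$1" manifest.txt second.iso
    # Identical digests mean the image is reproducible under these settings.
    sha256sum first.iso second.iso
fi
```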