On Fri 2016-08-12 15:27:40 -0400, Thomas Schmitt wrote: > Although grub-mkrescue probably can live with poor GPT GUIDs, i meanwhile > found a use case in xorriso where user defined modification-date does not > express the desire for reproducibile GUIDs: xorriso command > -boot_image "any" "replay". > If xorriso modifies a bootable ISO made by grub-mkrescue, then it has > to maintain the modification date so that GRUB2 after waking up finds > the ISO. It is then inappropriate to keep GPT GUIDs, because the ISOs > are nevertheless not meant to be identical. > > So the default of new option --gpt_disk_guid is old behavior "random".
Would it possible to generate the GPT GUID based on a digest of the contents of the ISO itself? I don't understand well enough how GPT interacts with ISOs to be able to sketch out the details, but if there is a way to look at the rest of the generated filesystem *aside* from the GUID, then you could push all that data through a simple hash function, and then deterministically derive the GUID from the hash function. (what hash function to use? it probably doesn't even need to be cryptographically secure, but sha256 is cheap these days and it avoids any risk that someone could come up with a plausible attack based on forcing GUID collisions) That would give you identical GUIDs for identical ISOs, and distinct GUIDs for ISOs that vary in any way, without having to include any randomness or asking the user to do the work to select a non-random GUID (which they're probably not likely to do responsibly). Thanks for your work on this, Thomas! Let me know if this idea doesn't make sense for some reason, like if there are other bits in the ISO that themselves depend on the GUID. I'd be happy to brainstorm other approaches. --dkg
Description: PGP signature
_______________________________________________ Reproducible-builds mailing list Reproducibleemail@example.com http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds