Source: debian-installer
Version: 20230607+deb12u4
Severity: wishlist
User: reproducible-bui...@lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org, rclo...@rclobus.nl, alpernebiya...@gmail.com

Dear Maintainer / Hi Cyril,

I'm an occasional contributor to the Reproducible Builds[0] project, and recently noticed that the debian-installer package failed some automated reproducible build tests[1].

Analysis:

In particular, the checksums (MD5SUMS and SHA256SUMS) for some of the firmware files provided for netboot and suffixed .img.gz are varying between builds.

Reading the diffoscope output (which performs a diff within the decompressed contents) shows that the .img files tend to have eight bytes of randomized content shortly after hex address 000001b0 in each file.

I'm reasonably confident that the eight-byte groups are FAT serial numbers (aka volume IDs), which mkfs.msdos (as used in the gen-hd-image[2][3]) will choose unless it is configured not to.

Suggestions:

Good news: there's a canonical fixed FAT32 volume-id already in use[4], with the value 'deb00001' (eight bytes hex) that we can reuse.

So, adding '--invariant -i 0xDEB00001' or similar to the commandline for the mkfs.msdos calls should resolve the problem.

Existing work:

Please note that Alper (cc'd) has an existing merge request that addresses this and a few other reproducibility-related items: https://salsa.debian.org/installer-team/debian-installer/-/merge_requests/38

Regards,
James

[0] - https://www.reproducible-builds.org
[1] - https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/arm64/diffoscope-results/debian-installer.html
[2] - https://salsa.debian.org/installer-team/debian-installer/-/blob/20230607+deb12u4/build/config/arm64/netboot.cfg#L27
[3] - https://salsa.debian.org/installer-team/debian-installer/-/blob/20230607+deb12u4/build/util/gen-hd-image#L356
[4] - https://salsa.debian.org/installer-team/debian-installer/-/blob/20230607+deb12u4/build/util/efi-image#L200
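An added example, not part of the bug report or of debian-installer: one way to confirm that two builds of a FAT image differ only in the volume ID is to read that field from the filesystem boot sector and check that every differing byte falls inside it. The helper names are hypothetical, the boot sectors are constructed sample data, and the offsets are those of the standard FAT boot sector layout (0x27 for FAT12/16, 0x43 for FAT32), relative to the start of the filesystem.

```python
import struct

SECTOR = 512
# Volume-ID field offsets in the FAT boot sector (standard BPB layout).
VOLID_OFFSET = {"FAT16": 0x27, "FAT32": 0x43}

def make_boot_sector(kind, volume_id):
    """Constructed, minimal boot sector: only the fields this check reads."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x58\x90"                       # jump instruction
    s[3:11] = b"mkfs.fat"                          # OEM name
    struct.pack_into("<H", s, 0x0B, 512)           # bytes per sector
    # 16-bit sectors-per-FAT field: zero on FAT32, non-zero on FAT12/16.
    struct.pack_into("<H", s, 0x16, 0 if kind == "FAT32" else 32)
    off = VOLID_OFFSET[kind]
    s[off - 1] = 0x29                              # extended boot signature
    struct.pack_into("<I", s, off, volume_id)      # 32-bit little-endian ID
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def fat_kind(sector):
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a boot sector")
    return "FAT32" if struct.unpack_from("<H", sector, 0x16)[0] == 0 else "FAT16"

def volume_id(sector):
    off = VOLID_OFFSET[fat_kind(sector)]
    if sector[off - 1] not in (0x28, 0x29):
        raise ValueError("no extended boot signature, so no volume ID field")
    return struct.unpack_from("<I", sector, off)[0]

def classify_diff(a, b):
    """Return (differing offsets, True if all of them lie in the volume ID)."""
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    off = VOLID_OFFSET[fat_kind(a)]
    return diffs, bool(diffs) and all(off <= i < off + 4 for i in diffs)

if __name__ == "__main__":
    build1 = make_boot_sector("FAT32", 0x1A2B3C4D)  # constructed "random" IDs
    build2 = make_boot_sector("FAT32", 0x99887766)
    fixed = make_boot_sector("FAT32", 0xDEB00001)   # value proposed in the report
    print(classify_diff(build1, build2))
    print(f"{volume_id(fixed):08x}")
```

On a real image, pass the first 512 bytes of the filesystem (not of a partitioned disk) to `volume_id` and `classify_diff`.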