←back to thread

Debian bookworm live images now reproducible

(lwn.net)
764 points bertman | 3 comments | 26 Mar 25 17:22 UTC | HN request time: 0.526s | source
1. Cort3z ◴[26 Mar 25 19:36 UTC] No.43486159[source]
I’m a noob to this subject. How can a build be non-reproducible? By that, I mean, what part of the build process could return non-deterministic output? Are people putting timestamps into the build and stuff like that?
replies(2): >>43486207 #>>43488169 #
2. r3trohack3r ◴[26 Mar 25 19:39 UTC] No.43486207[source]
File paths, timestamps, unstable ordering of inputs/outputs, locals, version info, variations in the build environment, etc.

This pages has a good write up

https://reproducible-builds.org/docs/

3. jcranmer ◴[26 Mar 25 22:26 UTC] No.43488169[source]
Timestamps, timestamps, absolute paths (i.e., differences between building /src versus /home/Cort3z/source), timestamps, file inode numbering ("for file in directory" defaults to inode order rather than alphabetical order in many languages, and that means it's effectively pseudorandom), more timestamps, using random data in your build process (e.g., embedding a generated private key, or signing something), timestamps, and accidental nondeterminism within the compiler.

By far the most prevalent source of nondeterminism is timestamps, especially since timestamps crop up in file formats you don't expect (e.g., running gzip stuffs a timestamp in its output for who knows what reason). After that, it's the two big filesystem issues (absolute paths and directory iteration nondeterminism), and then it's basically a long tail of individual issues that affect but one or two packages.