764 points bertman | 3 comments
imcritic No.43484638
I don't get how someone achieves reproducibility of builds: what about file metadata like creation/modification timestamps? Do they forge them? Or are these data treated as not important enough (like if 2 files with different metadata but identical contents should have the same checksum when hashed)?
replies(10): >>43484658 #>>43484661 #>>43484682 #>>43484689 #>>43484705 #>>43484760 #>>43485346 #>>43485379 #>>43486079 #>>43488794 #
1. TacticalCoder No.43488794
> ... what about files metadata like creation/modification timestamps? Do they forge them?

The least difficult to solve for reproducible builds, but yes.

The real question is: why, in the past, was an entire ecosystem created where non-determinism was the norm and everybody thought it was somehow ok?

Instead of asking "how does one achieve reproducibility?" we may wonder "why did people go out of their way to make sure something as simple as a timestamp would screw determinism?".

For that's the anti-security mindset we have to fight. And Debian did.

replies(2): >>43490072 #>>43495889 #
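The question above asks what a reproducible build does with file timestamps, and the reply says it is the easiest part to solve. The usual answer is neither "forge" nor "ignore": the build clamps every piece of metadata that varies between machines or runs (mtime, uid/gid, owner names, mode) to a fixed value before it lands in the artifact, which is exactly what the SOURCE_DATE_EPOCH convention used by Debian and reproducible-builds.org does. The following is an added example written for this thread, not code from any of the posters or from Debian; the helper names, the placeholder epoch value and the sample files are all constructed here. It builds a tar archive of the same two files written at two different times, once naively and once with metadata normalised, and hashes both results.

```python
"""Added example: why timestamps break reproducibility and how normalising
them fixes it.  Standard library only; names and values are constructed."""
import hashlib
import io
import os
import shutil
import tarfile
import tempfile

# Constructed placeholder: a real build takes this from the SOURCE_DATE_EPOCH
# environment variable (e.g. the date of the last source-control commit).
SOURCE_DATE_EPOCH = 1_600_000_000


def _normalise(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Clamp metadata that varies between machines/runs but not with content."""
    info.mtime = SOURCE_DATE_EPOCH
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mode = 0o644 if info.isfile() else 0o755
    return info


def build_tar(src_dir: str, reproducible: bool) -> bytes:
    """Archive src_dir; plain tar (gzip would add its own header timestamp)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        # Directory listing order is filesystem-dependent, so sort it too.
        for name in sorted(os.listdir(src_dir)):
            tar.add(os.path.join(src_dir, name), arcname=name,
                    filter=_normalise if reproducible else None)
    return buf.getvalue()


def make_tree(content: dict, mtime: int) -> str:
    """Write the constructed sample files with a chosen modification time."""
    d = tempfile.mkdtemp()
    for name, data in content.items():
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))
    return d


def compare(reproducible: bool) -> tuple:
    """Hash two archives of identical content written at different times."""
    files = {"hello.txt": b"hello\n", "main.c": b"int main(void){return 0;}\n"}
    tree_a = make_tree(files, mtime=1_000_000_000)
    tree_b = make_tree(files, mtime=1_700_000_000)
    try:
        return (hashlib.sha256(build_tar(tree_a, reproducible)).hexdigest(),
                hashlib.sha256(build_tar(tree_b, reproducible)).hexdigest())
    finally:
        shutil.rmtree(tree_a)
        shutil.rmtree(tree_b)


if __name__ == "__main__":
    for mode in (False, True):
        h1, h2 = compare(mode)
        print(f"reproducible={mode}: {'same' if h1 == h2 else 'different'} hashes")
```

The non-normalised pair differs only because of mtime (same machine, same owner, same mode), which is the whole point of the question: identical contents, different checksum. The normalised pair is byte-identical, and the same clamping is what dh_strip_nondeterminism-style tooling applies to zip members, PNG chunks, gzip headers and so on.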
2. BobbyTables2 No.43490072
You’re forgetting that source control used to not be a mainstream practice…

Software was more artisanal in nature…

3. brohee No.43495889
TBH security is sometimes the source of the issues, as it often involves adding randomness. For example, replacing deterministic hashes with keyed hashes to protect from hash flooding DoS led to deterministic output becoming nondeterministic (e.g. when displaying a hash table in its natural order).

Sorting had to be added to that kind of output.
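The mechanism described in this comment, as an added example that is not part of the original thread: a hash table whose hash function is keyed with a per-process secret (the hash-flooding defence) lays its buckets out differently under every key, so dumping the table "in its natural order" gives a different sequence on every run, while sorting the dump restores a canonical order. The code below is constructed for illustration; it uses BLAKE2b in keyed mode as a stand-in for SipHash, a toy open-addressing table rather than any real runtime's, and a handful of fixed seeds standing in for the random per-process keys.

```python
"""Added example: keyed hashing makes 'natural' hash-table order vary per
run; sorting the output is the fix the comment describes.  Constructed."""
import hashlib


def keyed_hash(value: str, key: bytes) -> int:
    """Keyed hash: the same input maps to a different bucket under each key.
    BLAKE2b keyed mode stands in for the SipHash most runtimes use."""
    digest = hashlib.blake2b(value.encode(), key=key, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def natural_order(keys, seed: bytes, nbuckets: int = 32) -> list:
    """Insert into an open-addressing table, then read it back bucket by
    bucket: the order a naive 'print the table' would produce."""
    table = [None] * nbuckets
    for k in keys:
        i = keyed_hash(k, seed) % nbuckets
        while table[i] is not None:      # linear probing on collision
            i = (i + 1) % nbuckets
        table[i] = k
    return [k for k in table if k is not None]


def dump(keys, seed: bytes, sort_output: bool) -> list:
    """What a program prints: raw table order, or the sorted (fixed) form."""
    order = natural_order(keys, seed)
    return sorted(order) if sort_output else order


# Constructed sample data and seeds; a real process draws its key randomly
# at start-up, which is why the output changes from run to run.
WORDS = ["apple", "pear", "fig", "plum", "kiwi", "lime", "date", "yuzu"]
SEEDS = [b"process-key-%d" % i for i in range(4)]


def distinct_outputs(sort_output: bool) -> int:
    """How many different outputs the same input produces across seeds."""
    return len({tuple(dump(WORDS, s, sort_output)) for s in SEEDS})


if __name__ == "__main__":
    for s in SEEDS:
        print(s.decode(), "natural:", dump(WORDS, s, sort_output=False))
    print("distinct natural orders:", distinct_outputs(False))
    print("distinct sorted orders: ", distinct_outputs(True))
```

This is also a useful check to keep in a reproducibility test suite: run the producer under several hash seeds (for CPython, PYTHONHASHSEED) and diff the outputs; any difference points at a place where table order leaked into a build artifact and a sort is missing.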