Debian bookworm live images now reproducible

(lwn.net)

764 points bertman | 1 comments | 26 Mar 25 17:22 UTC | HN request time: 0.264s | source

Show context

imcritic ◴[26 Mar 25 17:36 UTC] No.43484638[source]▶

I don't get how someone achieves reproducibility of builds: what about files metadata like creation/modification timestamps? Do they forge them? Or are these data treated as not important enough (like it 2 files with different metadata but identical contents should have the same checksum when hashed)?

replies(10): >>43484658 #>>43484661 #>>43484682 #>>43484689 #>>43484705 #>>43484760 #>>43485346 #>>43485379 #>>43486079 #>>43488794 #

TacticalCoder ◴[26 Mar 25 23:39 UTC] No.43488794[source]▶

>>43484638 #

> ... what about files metadata like creation/modification timestamps? Do they forge them?

The least difficult to solve for reproducible build but yes.

The real question is: why, in the past, was an entire ecosystem created where non-determinism was the norm and everybody thought it was somehow ok?

Instead of asking: "how one achieves reproducibility?" we may wonder "why did people got out of their way to make sure something as simple as a timestamp would screw determinism?".

For that's the anti-security mindset we have to fight. And Debian did.

replies(2): >>43490072 #>>43495889 #

1. BobbyTables2 ◴[27 Mar 25 03:17 UTC] No.43490072[source]▶

>>43488794 #

You’re forgetting that source control used to not be a mainstream practice…

Software was more artisanal in nature…

↑