Bug#1059957: debian-installer: please make the netboot fw.img.gz files reproducible

James Addison jay at jp-hosting.net
Thu Jan 4 03:36:35 GMT 2024


Source: debian-installer
Version: 20230607+deb12u4
Severity: wishlist
User: reproducible-builds at lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org, rclobus at rclobus.nl, alpernebiyasak at gmail.com

Dear Maintainer / Hi Cyril,

I'm an occasional contributor to the Reproducible Builds[0] project, and
recently noticed that the debian-installer package failed some automated
reproducible build tests[1].


Analysis:

In particular, the checksums (MD5SUMS and SHA256SUMS) for some of the firmware
files provided for netboot and suffixed .img.gz are varying between builds.

Reading the diffoscope output (which performs a diff within the decompressed
contents) shows that the .img files tend to have eight bytes of randomized
content shortly after hex address 000001b0 in each file.

I'm reasonably confident that the eight-byte groups are FAT serial numbers (aka
volume IDs), which mkfs.msdos (as used in the gen-hd-image[2][3]) will choose
unless it is configured not to.


Suggestions:

Good news: there's a canonical fixed FAT32 volume-id already in use[4], with
the value 'deb00001' (eight bytes hex) that we can reuse.

So, adding '--invariant -i 0xDEB00001' or similar to the command line for the
mkfs.msdos calls should resolve the problem.


Existing work:

Please note that Alper (cc'd) has an existing merge request that addresses this
and a few other reproducibility-related items:

  https://salsa.debian.org/installer-team/debian-installer/-/merge_requests/38


Regards,
James

[0] - https://www.reproducible-builds.org

[1] - https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/arm64/diffoscope-results/debian-installer.html

[2] - https://salsa.debian.org/installer-team/debian-installer/-/blob/20230607+deb12u4/build/config/arm64/netboot.cfg#L27

[3] - https://salsa.debian.org/installer-team/debian-installer/-/blob/20230607+deb12u4/build/util/gen-hd-image#L356

[4] - https://salsa.debian.org/installer-team/debian-installer/-/blob/20230607+deb12u4/build/util/efi-image#L200
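
One way to check the effect of the suggested fix, as an added example that is not part of the original message or of debian-installer: read the volume ID out of a FAT boot sector and list the byte ranges where two builds differ. The function names are hypothetical, the sample sectors are constructed, and the code assumes it is handed the first sector of the FAT filesystem itself (standard BPB offsets), not of a partitioned disk.

```python
import struct

FIXED_VOLUME_ID = 0xDEB00001  # value proposed in the message above

def fat_volume_id(boot_sector: bytes) -> int:
    """Return the 32-bit volume ID (serial number) from a FAT boot sector."""
    if len(boot_sector) < 512 or boot_sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot sector signature")
    # BPB_FATSz16 (offset 0x16) is zero on FAT32 and non-zero on FAT12/16;
    # that decides where the extended boot signature and volume ID live.
    (fatsz16,) = struct.unpack_from("<H", boot_sector, 0x16)
    sig_off = 0x42 if fatsz16 == 0 else 0x26
    if boot_sector[sig_off] not in (0x28, 0x29):
        raise ValueError("no extended boot signature, so no volume ID field")
    return struct.unpack_from("<I", boot_sector, sig_off + 1)[0]

def differing_ranges(a: bytes, b: bytes) -> list:
    """Return half-open (start, end) byte ranges where two images differ."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges

def sample_boot_sector(volume_id: int, fat32: bool = False) -> bytes:
    """Constructed 512-byte sector carrying only the fields read above."""
    s = bytearray(512)
    struct.pack_into("<H", s, 0x16, 0 if fat32 else 9)
    sig_off = 0x42 if fat32 else 0x26
    s[sig_off] = 0x29
    struct.pack_into("<I", s, sig_off + 1, volume_id)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    # Two constructed "builds" with different random serial numbers.
    build_a = sample_boot_sector(0x1234ABCD)
    build_b = sample_boot_sector(0x9F0E5511)
    for start, end in differing_ranges(build_a, build_b):
        print(f"builds differ at 0x{start:x}-0x{end - 1:x}")
    fixed = sample_boot_sector(FIXED_VOLUME_ID)
    print(f"fixed volume ID: {fat_volume_id(fixed):08x}")
```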
