[Pkg-libburnia-devel] Reproducible patches for libisoburn and libisofs

Thomas Schmitt scdbackup at gmx.net
Thu Aug 11 14:29:26 UTC 2016 

Hi,

> Thank you so much for your efforts on this and the other changes. :)

I'm not done yet. Reproducible GPT GUIDs are still under construction.
(Slightly oxymoronic goal, isn't it ?)


> > - Use option
> >      --modification-date=YYYYMMDDhhmmsscc

> Great summary.

I am still fighting with myself over the decision whether to let
--modification-date= trigger reproducible GPT GUIDs based on its timestamp
parameter.
Problem is that grub-mkrescue uses --modification-date= to set a UUID-ish
id in the ISO for which it can search at boot time. Other than with
isohybrid in the Debian netinst ISOs, the GPT produced by grub-mkrescue is
really valid. So poor random quality of the GUIDs might cause problems.
Currently they come from /dev/urandom.

Will probably have to ask at grub-devel but have to be prepared to give
me the answer myself.

In worst case the list of advised options will get one more item
-----------------------------------------------------------------------
- If you let xorriso produce GPT, use option

    --gpt_disk_guid "modification-date"

  or reproducibly set your own disk GUID by

    --gpt_disk_guid XXXXXXXX-XXXX-XXXX-4X4X-YXXXXXXXXXXX

  with X being any of [0-9,a-f] and Y being any of [89ab]. See RFC 4122.
-----------------------------------------------------------------------

The ugliness of this advise text makes it desirable to live without it.

(There is an endianness issue with binary stored GUIDs, RFC 4122 text
 representation, and isohybrid GPT habits. So i advise to use value 4
 in both upper nibbles of the fourth component. Strangely, everybody is
 in sync about the endianness of the last component.)


> Can we get this version upload to sid? :)

1.4.5 is an unstable development stage. Release 1.4.6 might come soon.
Then it depends on whether my Debian sponsor is on holiday.

But first we need to get GPT under control and then give it a thorough
testing, because the change might involuntarily affect ISO production
of several distros.
(Best excuse for regressions will be that their GPTs are merely
 ornamental.)


Have a nice day :)

Thomas

More information about the Pkg-libburnia-devel mailing list