[Pkg-libburnia-devel] Reproducible patches for libisoburn and libisofs

Thomas Schmitt scdbackup at gmx.net
Fri Aug 19 20:03:28 UTC 2016 

Hi,

i wrote:
> > As it is now, it is the clearest no-brainer:
> > Export SOURCE_DATE_EPOCH and forget about any other time issues which
> > you don't create yourself by own xorriso arguments.

Chris Lamb wrote:
> I'm sorry but I don't quite follow and I don't want to read what I want
> to read.

Currently it is (hopefully) this way:

If the same SOURCE_DATE_EPOCH value is in effect with each xorriso run
then the user may expect that timestamps in the ISO are not an obstacle
for reproducibility. Regardless of input.
So it is only about names, ownership, permissions, and data content.
With popular option -r one can make ownership and permissions flatly
reproducible.

This can be changed by own xorriso arguments to the three xorrisofs
options named in the man page text:
  --modification-date=, --gpt_disk_guid, --set_all_file_dates.


> trying to avoid the case of — heaven forbid we broke
> the Debian CD creation! — that we would get the blame as ACKing on their
> behalf. :)

The popular debian-cd ones i can ACK quite well myself. (And then i'd
first need to convince Steve McIntyre of using Sid's xorriso.)
I test with
  debian-8.4.0-amd64-netinst.iso
  debian-8.5.0-i386-lxde-CD-1.iso
  debian-live-8.4.0-amd64-standard.iso
  debian-8.1.0-arm64-netinst.iso
  debian-7.9.0-kfreebsd-amd64-netinst.iso
  debian-7.4.0-mips-netinst.iso
  debian-7.4.0-sparc-netinst.iso
  debian-7.0-hppa-NETINST-1.iso
  debian-8.3.0-ppc64el-netinst.iso
  debian-9.0-sparc64-NETINST-1.iso
and mini.iso for amd64 and i386.

I mount them, let xorriso pack up the files and replay the boot related
-as mkisofs options which it deduced from inspecting the unmounted ISO.

Then i let xorriso report both boot equipments and let diff compare the
reports. After mounting both ISOs, two find runs over both trees make
sure that differences in file content, ownership, permissions, or time
get reported.
The few reported differences come from automatic timestamps and differing
block addresses which get patched into boot images. (The originally used
xorriso versions still produced the reproducibility-unfriendly sequence
of file data extents.)

My scruples are more towards adventurous distros which immediately use
my newest releases.


Have a nice day :)

Thomas

More information about the Pkg-libburnia-devel mailing list