[Reproducible-builds] generating reproducible ISOs with xorriso

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jun 4 13:01:50 UTC 2015


Hi libburnia/xorriso folks--

I participate in the Debian Reproducible Builds project [0] (cc'ed
here).  Our goal is to ensure that free software can be built from
source in a way that the binary outcome is byte-for-byte identical, so
that compromised build infrastructure can be detected.

One of the things that introduces variation in binaries are packages
that build ISOs using xorriso.  I wanted to see if xorriso would be
interested in offering a "reproducible" option during ISO creation.

The variation within an ISO can come from many places, probably
including:

 * filesystem timestamps

 * extent ordering/numbering (maybe derived from source filesystem
   ordering)
 
 * bootable metadata (Boot offsets?  i don't know the jargon, but there
   is a value reported by "isoinfo -d" called "Bootoff")

One example of a package that has unreproducible ISOs is grub:

  https://reproducible.debian.net/rb-pkg/unstable/amd64/grub2.html

We can try to minimize the external variations before building an ISO
(e.g. by "touch"ing all the source files to a static timestamp, and
maybe by sorting the files before generating a manifest to send to
xorriso?), but it seems like it would be simpler if there were a way to
tell xorriso to just make an identical image with all metadata
standardized in some way.

This mode might imply:

 * supplying a timestamp to be used for all imported files (like alter_date_r ?)
 * sorting files included so that extent numbering is constant
 * ... other things?

I don't know enough about how xorriso works to know what else would be
usefully standardized to make ISO creation byte-for-byte repeatable, but
I figure you do :)

Maybe this is actually already possible with xorriso, and i just need to
do add a few simple switches?  If so, do you have suggestions?

Thanks for your work on libburnia!

Regards,

        --dkg

[0] https://wiki.debian.org/ReproducibleBuilds/



More information about the Reproducible-builds mailing list