Fwd: Porting the standard image from live-wrapper to live-build

Holger Levsen holger at layer-acht.org
Wed Nov 11 12:38:25 GMT 2020


and cheers to Roland!

----- Forwarded message from Roland Clobus <rclobus at rclobus.nl> -----

Date: Wed, 11 Nov 2020 11:54:14 +0100
From: Roland Clobus <rclobus at rclobus.nl>
To: debian-live at lists.debian.org, debian-cd at lists.debian.org
Subject: Porting the standard image from live-wrapper to live-build
Message-ID: <6fa03430-b597-9957-c99c-01bd533e0f84 at rclobus.nl>
List-Id: <debian-cd.lists.debian.org>

Hello Debian-Live list and Debian-Images list,

On 2020-03-21T17:27+0200 [1] I wrote these mailing lists about the
generation of the official live images for Debian. Since then I have
announced my effort to make the generation of live images reproducible
[2] and have come really far (for the standard image). As detailed in my
blog [3] I can re-generate the official Debian 10.6 Live Standard image
now, using live-build. Since vmdebootstrap isn't available in the
current Debian Testing, and appears not to be planned to be included,
I've prepared an image that is as similar as feasible/meaningful using
the latest git version of live-build (with my own patches for adding
reproducibility and a few hacks on top) [4].
With Debian point release 10.7 announced [5], now would be perhaps an
ideal moment to make the switch to live build.

This is a long mail with many questions, but please take the time to
answer some...

First, my restrictions/goals:
* While testing, use as little bandwidth as possible (therefore using
* Re-create the live-wrapper image for Debian 10.6 in the standard
configuration as close as possible
* Try to make a reasonably well reproducible live image
* Have reasonably short test cycles (therefore using /dev/shm)

Below follows a list of differences between the live-wrapper and
live-build images, and my personal opinion about them. Some features are
not present in live build and need further action (marked with AP).
Please reply to this mail to confirm or reject my proposals:

* ISO volume ID contains '10.6.0'
** AP: live build mentions 'buster', which contains fewer details
* Makes a beep on boot
** AP: Should this be added to live build as well?
* The grub configuration contains 'SAYS ...'
** AP: Should this be added to live build as well?
* /pool contains some packages that are not in the squashfs image
** live build has a more minimal list
* /pool contains exim4, mailutils, mokutil, python2.7, but it is not in
the squashfs
** live build has a more minimal list
* /pool contains multiple versions of udeb files
** live build has only the active version
* The grub and isolinux menus contain all available languages
** AP: It would be nice to reproduce this in live build
* Contains /etc/hosts, /etc/machine-id, several logs in /var/log,
references to contrib and non-free in /var/lib/apt/lists
** live build cleans up these files better
* Does not contain apparmor (recommends of linux-image-4.19.0-11-amd64)
** live build contains all recommends packages
* Does not contain acpi-support-base (recommends of acpid)
** live build contains all recommends packages
* Contains /etc/modprobe.d/qemu-blacklist.conf (for bochs-drm)
** AP: Is this also needed in live build?
* Encoding is us-ascii, live build uses utf-8
** I think utf-8 would be the best
* The boot splash screen uses the Debian theme
** AP: live build shows a helmet and the versions of the live packages.
We need the Debian-themed splash screen, combined with the version numbers

* /EFI/boot contains a 32-bit EFI image on the amd64 iso.
** AP: Is this needed/correct?
* /pool contains firmware-free
** This is missing in the live-wrapper image
* boot/grub/grub.cfg: No findiso= line in the fail-safe mode
** AP: Untested by me, is it a bug?
* xorriso complains about issues with Joliet (symlinks not supported,
volid too long)
** AP: Do we need support for Joliet? Untested: does Windows XP/7/10
support RockRidge sufficiently well? And is it needed?
* The packages lists are available both uncompressed and as gzip file
** AP: Isn't just one variant sufficient? live-wrapper only has the
uncompressed file

My comments to the command line options to lb config (as shown below):
* --security false
** AP: Shouldn't this be true per default for Debian Stable?
* --updates false
** AP: Shouldn't this be true per default for Debian Stable?
* --loadlin false
** Is this still tested? (I don't have a computer which can run 16-bit
executables at the moment)
* acpid
** If this is needed, shouldn't it be in the live-task-standard package?
* Rename install to d-i
** Only needed to make the image more similar to the live-wrapper image
-> should not be merged to the git repository of live-build
* The git repo [4] has 2 commits which start with 'HACK'
** Only needed to make the image more similar to the live-wrapper image
-> should not be merged to the git repository of live-build

With kind regards,
Roland Clobus

--- Appendix: Additional comparison on top of the result of diffoscope ---
# Compare the squashfs images
# 1. Align the timestamps to the official image. Everything after 10:00
#    will get the SOURCE_DATE_EPOCH timestamp
# 2. Remove the directories from the diff -> they might have different
#    'sizes', which are not of interest
TZ=UTC unsquashfs -lls live-wrapper-mounted/live/filesystem.squashfs |
sed -e "s/2020-09-26 10:[0-9][0-9]/2020-09-26 10:42/" | sed -e "/^d/d" >
TZ=UTC unsquashfs -lls live-build-mounted/live/filesystem.squashfs | sed
-e "/^d/d" > live-build.squash

--- Appendix: The command lines to build the live image ---
# Running from ramdisk with snapshot and similar to Debian Live 10.6
su -
lb build

--- Appendix: URLs ---
[1] https://lists.debian.org/debian-live/2020/03/msg00225.html
[2] https://lists.debian.org/debian-live/2020/09/msg00002.html
[3] https://rclobus.nl/blog/?p=190
[4] git https://salsa.debian.org/rclobus-guest/live-build.git: branch
[5] https://lists.debian.org/debian-release/2020/11/msg00041.html

--- Appendix: PS ---
PS1: The image is not 100% reproducible at the moment, but I'm getting
closer and closer (/var/lib/systemd/catalog/database is the last
non-reproducible file in this image)
PS2: I initially focussed on 'standard', because it is the smallest live

----- End forwarded message -----


 ⣾⠁⢠⠒⠀⣿⡁       holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
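
Added example (not part of Roland's mail or of live-build): the listing normalisation from the squashfs comparison appendix, applied to two constructed `unsquashfs -lls`-style listings so that only the real differences are reported. The function names, sample lines and file sizes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: normalise two `unsquashfs -lls`-style listings, then report
# the paths that still differ. The listings below are constructed sample data.
export LC_ALL=C

# Clamp every 10:xx timestamp of the build date to one fixed minute, drop
# directory lines (their sizes are not of interest), sort by path (field 6).
normalize_listing() {
    sed -e "s/2020-09-26 10:[0-9][0-9]/2020-09-26 10:42/" -e "/^d/d" |
        sort -k 6
}

# Print each path whose line differs or that exists on one side only.
# Assumes paths without spaces: field 7 of a diff line is the path.
differing_paths() {
    a=$(mktemp) && b=$(mktemp) || return 1
    normalize_listing < "$1" > "$a"
    normalize_listing < "$2" > "$b"
    diff "$a" "$b" | awk '/^[<>]/ { print $7 }' | sort -u
    rm -f "$a" "$b"
}

sample_wrapper() { cat <<'EOF'
drwxr-xr-x root/root 120 2020-09-26 10:17 squashfs-root/etc
-rw-r--r-- root/root 187 2020-09-26 10:21 squashfs-root/etc/hosts
-rw-r--r-- root/root 33 2020-09-26 10:17 squashfs-root/etc/machine-id
-rwxr-xr-x root/root 1168776 2019-04-18 04:12 squashfs-root/bin/bash
-rw-r--r-- root/root 8462496 2020-09-26 10:38 squashfs-root/var/lib/systemd/catalog/database
EOF
}

sample_build() { cat <<'EOF'
drwxr-xr-x root/root 98 2020-09-26 10:42 squashfs-root/etc
-rw-r--r-- root/root 187 2020-09-26 10:42 squashfs-root/etc/hosts
-rwxr-xr-x root/root 1168776 2019-04-18 04:12 squashfs-root/bin/bash
-rw-r--r-- root/root 8462512 2020-09-26 10:42 squashfs-root/var/lib/systemd/catalog/database
EOF
}

# Write both constructed listings to temporary files and compare them.
compare_samples() {
    w=$(mktemp) && l=$(mktemp) || return 1
    sample_wrapper > "$w"; sample_build > "$l"
    differing_paths "$w" "$l"
    rm -f "$w" "$l"
}

compare_samples
```

The hosts entry drops out of the report because only its timestamp differed; the extra machine-id file and the size change in the catalog database remain.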