no reproducible trisquel isos?

8 replies [Last post]
tonlee
Joined: 09/08/2014
andyprough
Joined: 02/12/2015

What is your question or comment @tonlee? Debian and Ubuntu also do not have reproducible builds - that is a very hard thing to accomplish. I think I read recently that openSUSE has reproducible builds now, or is very close to it.

tonlee
Joined: 09/08/2014

> do not have reproducible builds

I wanted to get it confirmed that reproducibility is not available.

If one or more gnu linux systems decide to go underground then reproducible builds are important?

Magic Banana
Joined: 07/24/2010

It is important to avoid trusting trust attacks: https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

mangeur de nuage
Joined: 09/27/2015

Thank god I remember reading this when I was 12~14 yo and I couldn't find it back. Thank you!
For some reason in memory I thought this was made by Dennis Ritchie.

Avron
Joined: 08/18/2020

I have not heard of "reproducible iso", rather of "reproducible builds" (https://en.wikipedia.org/wiki/Reproducible_builds).

Guix system does this. I know that people doing research like this because, with the exact same binaries, there is a good chance that the exact same input will produce the exact same output. I say good chance because I heard of at least one case where, on different machines, even with the same binaries and the same input, the output was different (but I can't remember the details).

tonlee
Joined: 09/08/2014

> have not heard of "reproducible iso"

I probably should have written reproducible builds.

tonino
Joined: 03/13/2026

https://blog.josefsson.org/2024/07/10/towards-idempotent-rebuilds

"Summarizing the results, debdistrebuild is able to rebuild 34% of Debian bullseye on amd64, 36% of bookworm on amd64, 32% of bookworm on arm64. The results for trixie and Ubuntu are disappointing, below 10%.

So what causes my rebuilds to be different from the official rebuilds? Some are trivial like the classical problem of varying build paths, resulting in a different NT_GNU_BUILD_ID causing a mismatch. Some are a bit strange, like a subtle difference in one of perl’s headers file. Some are due to embedded version numbers from a build dependency. Several of the build logs and diffoscope outputs doesn’t make sense, likely due to bugs in my build scripts, especially for Ubuntu which appears to strip translations and do other build variations that I don’t do. In general, the classes of reproducibility problems are the expected. Some are assembler differences for GnuPG’s gpgv-static, likely triggered by upload of a new version of gcc after the original package was built."

https://blog.josefsson.org/2025/03/24/reproducible-software-releases
https://reproducible-builds.org/who/projects
https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003291.html

GNUtoo
Joined: 11/10/2009

> I wanted to get it confirmed that reproducibility is not available.

It's not an all or nothing. Some packages are reproducible and some are not.

Here the main takeaway is probably that since Trisquel cares about reproducibility, volunteers are welcome to report bugs on specific packages and/or to help fixing these bugs (maintainers also don't have an infinite time).

And if you look in more detail at the status of reproducibility, what "reproducible" means also varies a lot across time and distributions or operating systems.

The idea is to take 2 different setups and have some variations (like a different hostname, time of build, etc) and see if you can reproduce the same binary.

The problem is that the more variation you introduce, the more issues you can find, but the better is the quality of reproducibility.

So it's probably better to think about it as an ongoing effort rather than a problem that is done or not done. New languages get invented and new packages appear and they also need to be made reproducible.

If we compare Debian with Guix for instance, Guix is not 100% reproducible and doesn't have reproducible installation iso either because syslinux isn't reproducible in Guix, and there are key packages like Guile that weren't reproducible last time I heard people talking about it, but it also takes the concept further than distributions like Debian and bootstrap compilers from source (with the meaning of source being bent a lot to include generated C code for instance like with vala) and so on.

And Guix is packaged in Trisquel so once you update it to avoid security issues (see the GNU Guix manual for that) you can try to see what is reproducible and what isn't, ideally across different distributions (like Guix system, Trisquel, Parabola, etc).

In the case of Trisquel what is interesting is that it also compares with Ubuntu packages ( https://gitlab.com/debdistutils/reproduce/trisquel/ ) so you also get some cross distribution reproducibility and the amount of reproducible packages was about 34% between Trisquel and Ubuntu at the time of Trisquel 11.
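
Added example, not part of the thread and not code from Trisquel, Debian or Guix: a small simulation of the variation testing described above, which changes one build factor at a time (build time, user, hostname, build path, directory listing order) and reports which ones alter the hash of the resulting archive. The source tree, environments and the `build`/`breaking_variations` helpers are constructed for illustration; `SOURCE_DATE_EPOCH` follows the reproducible-builds.org convention of a fixed timestamp.

```python
import hashlib
import io
import tarfile

# Constructed sample "source tree"; a real package would contain compiled files.
SOURCES = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/README": b"hello example package\n",
}
SOURCE_DATE_EPOCH = 1700000000  # fixed timestamp used by the normalized build
# Two constructed build environments that differ in every factor.
BASELINE = {"build_time": 1720000000, "user": "builder", "hostname": "host-a",
            "build_path": "/build/hello-1.0", "reverse_listing": False}
VARIATIONS = {"build_time": 1720003600, "user": "alice", "hostname": "host-b",
              "build_path": "/tmp/rebuild/hello-1.0", "reverse_listing": True}


def build(env, normalize):
    """Return the SHA-256 of a tar 'package' built in the simulated environment."""
    files = dict(SOURCES)
    # Typical leak: a generated file recording the host and path of the build.
    origin = "(normalized)" if normalize else f"{env['hostname']}:{env['build_path']}"
    files["usr/share/hello/buildinfo"] = f"built at {origin}\n".encode()
    # Unsorted directory listings differ between machines; sorting removes that.
    names = sorted(files, reverse=not normalize and env["reverse_listing"])
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = SOURCE_DATE_EPOCH if normalize else env["build_time"]
            info.uname = info.gname = "root" if normalize else env["user"]
            tar.addfile(info, io.BytesIO(files[name]))
    return hashlib.sha256(buf.getvalue()).hexdigest()


def breaking_variations(normalize):
    """Vary one factor at a time against BASELINE; list those that change the hash."""
    reference = build(BASELINE, normalize)
    return [key for key, value in VARIATIONS.items()
            if build({**BASELINE, key: value}, normalize) != reference]


if __name__ == "__main__":
    print("naive build breaks on:", breaking_variations(normalize=False))
    print("normalized build breaks on:", breaking_variations(normalize=True))
```

Each factor added to `VARIATIONS` is one more way the naive build can fail, which is why a wider variation set yields a stronger reproducibility claim.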