Reproducible installation images

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Reproducible installation images

From:	Ludovic Courtès
Subject:	Reproducible installation images
Date:	Mon, 11 Dec 2017 10:30:58 +0100
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Hi Mark,

Mark H Weaver <address@hidden> skribis:

> address@hidden (Ludovic Courtès) writes:
>
>>   Here are the bootable USB installation images and their signatures[*]:
>>     https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.i686-linux.iso.xz
>>     
>> https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.i686-linux.iso.xz.sig
>>     https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.x86_64-linux.iso.xz
>>     
>> https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.x86_64-linux.iso.xz.sig
>>
>>   Here is the QCOW2 virtual machine (VM) image and its signature:
>>     https://alpha.gnu.org/gnu/guix/guixsd-vm-image-0.14.0.x86_64-linux.xz
>>     https://alpha.gnu.org/gnu/guix/guixsd-vm-image-0.14.0.x86_64-linux.xz.sig
>>
>>   Here are the binary tarballs and their signatures[*]:
>>     https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.i686-linux.tar.xz
>>     https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.i686-linux.tar.xz.sig
>>     https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.x86_64-linux.tar.xz
>>     https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.x86_64-linux.tar.xz.sig
>>     https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.armhf-linux.tar.xz
>>     https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.armhf-linux.tar.xz.sig
>>     https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.aarch64-linux.tar.xz
>>     
>> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.aarch64-linux.tar.xz.sig
>
> To enable independent verification of these installer images, it would
> be helpful to include the precise commands needed to reproduce these
> images, and the git commit to run them on.
>
> What do you think?

The manual already gives those commands:

  https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html 
(bottom)

https://www.gnu.org/software/guix/manual/html_node/Building-the-Installation-Image.html

Do you think we should show them more prominently?

However, disk images are likely not bit-reproducible currently,
primarily due to non-determinism in how file systems populate the disk.

They might be reproducible if ‘guix system’ always creates files in the
same order, which is something we could enforce (perhaps that’s already
the case).  If it’s not sufficient, then we should look at what others
in the reproducible-builds.org effort have been doing (Tails achieved
reproducible ISO images, for instance, and I think OpenWrt people were
looking at ext2 reproducibility.)

There may also be lingering non-reproducibility issues in some of the
packages included that need to be addressed.

It would be good to investigate!

Ludo’.

[Prev in Thread]

Current Thread

[Next in Thread]

GNU Guix & GuixSD 0.14.0 released, Ludovic Courtès, 2017/12/07
- Re: GNU Guix & GuixSD 0.14.0 released, Konrad Hinsen, 2017/12/07
- Re: GNU Guix & GuixSD 0.14.0 released, Mark H Weaver, 2017/12/08
  - Reproducible installation images, Ludovic Courtès <=
    - Re: Reproducible installation images, ng0, 2017/12/11
    - Re: Reproducible installation images, Ludovic Courtès, 2017/12/11
    - Re: Reproducible installation images, Mark H Weaver, 2017/12/11
    - Re: Reproducible installation images, Ludovic Courtès, 2017/12/12
    - Re: Reproducible installation images, Mark H Weaver, 2017/12/12
    - Re: Reproducible installation images, Ludovic Courtès, 2017/12/15

Prev by Date: Re: Iso image size
Next by Date: Re: 03/03: gnu: libinput: Update to 1.9.3.
Previous by thread: Re: GNU Guix & GuixSD 0.14.0 released
Next by thread: Re: Reproducible installation images
Index(es):
- Date
- Thread