
Debian bookworm live images now fully reproducible

In a short note to the Reproducible Builds mailing list, Debian developer Roland Clobus announced that live images for Debian 12.10 ("bookworm") are now 100% reproducible. See the reproducible live images and Debian Live todo pages on the Debian wiki for more information on the images.




correction: they are not fully reproducible due to nonfree packages.

Posted Mar 27, 2025 6:03 UTC (Thu) by IanKelling (subscriber, #89418) [Link] (6 responses)

Unless Debian starts producing fully free live images again, it is impossible to create a fully reproducible live image of a current release.

As it says on https://reproducible-builds.org/docs/definition/: "A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts."

If you want to create a fully reproducible image, I suggest contributing to Trisquel.

correction: they are not fully reproducible due to nonfree packages.

Posted Mar 27, 2025 6:56 UTC (Thu) by Alterego (guest, #55989) [Link] (1 responses)

The Debian wiki says that, except for 19 firmwares, everything is reproducible.

What part is not reproducible or prevents it? Can you explain more?

correction: they are not fully reproducible due to nonfree packages.

Posted Mar 27, 2025 8:39 UTC (Thu) by IanKelling (subscriber, #89418) [Link]

The wiki says that because I just edited it to say that. But the 17 number was based on incorrect info elsewhere on the Debian wiki. The correct number for Debian 12 is 10 packages.

The problem is that Debian distributes binaries that it didn't build, and it doesn't have a copy of the source code required to build them. An unbuildable build is of course not a reproducible build. See also https://wiki.debian.org/DebianFreeSoftwareGuidelines.

correction: they are not fully reproducible due to nonfree packages.

Posted Mar 27, 2025 11:15 UTC (Thu) by paravoid (subscriber, #32869) [Link] (1 responses)

I'm confused. Is Trisquel working on build reproducibility for device firmware? How?

correction: they are not fully reproducible due to nonfree packages.

Posted Mar 28, 2025 8:50 UTC (Fri) by pabs (subscriber, #43278) [Link]

There is some open firmware, they could be working on reproducibility for those:

https://wiki.debian.org/Firmware/Open

correction: they are not fully reproducible due to nonfree packages.

Posted Mar 27, 2025 12:53 UTC (Thu) by intelfx (subscriber, #130118) [Link]

> Unless Debian starts producing fully free live images again, it is impossible to create fully reproducible live image of a current release.

Sure it is. For any binary artifact such as firmware, the original form equals the deliverable. For a firmware file, the necessary and sufficient means of "fully reproducing" it is a single `cp` invocation.

I realize there is an agenda to push here, but perhaps don't use reproducibility to push it.

correction: they are not fully reproducible due to nonfree packages.

Posted Mar 27, 2025 13:02 UTC (Thu) by jbicha (subscriber, #75043) [Link]

It sounds to me like it depends on what your definition of "source code" is. And that's not nearly as simple to answer as it might appear.

Reproducible from binaries

Posted Mar 28, 2025 8:52 UTC (Fri) by pabs (subscriber, #43278) [Link] (1 responses)

Note that the reproducible build process here is from binary .deb files to binary .iso files; there are probably still some .deb files that aren't reproducibly buildable (even the libre ones).

Reproducible from binaries

Posted Mar 29, 2025 10:03 UTC (Sat) by IanKelling (subscriber, #89418) [Link]

I misunderstood. Thank you for the correction.


Copyright © 2025, Eklektix, Inc.