WIP: Make ISO build (almost) reproducible, given the same set of input packages #26
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
For devel builds we use current date as ISO version. Allow to provide specific value, without marking the ISO as final.
This isn't exactly "last modification time of source", as the source for the final ISO include also all rpm packages from other components (and from Fedora), which may be newer than installer-qubes-os itself. But in practice it shouldn't be a problem as most of them will be only included as files without relying on any specific timestamps inside.
Package root filesystem directly as squashfs image. The most important gain is getting rid of greatly unreproducible ext4 image creation. But also it makes the output image slightly smaller, and the build faster. Also, dmsquash-live dracut module is not needed anymore, which reduce initramfs size.
Since moving to squashfs + overlay fs, it isn't needed anymore. And size of initrd for efi is critical.
…image Remove various caches not really needed. Sort group files and packages list. Strip timestamps from gconf file. Clamp mtime in fontconfig cache to SOURCE_DATE_EPOCH.
marmarek
changed the title
|
This should not be merged as is. Instead, patched packages should be extracted to separate repositories. This include at least:
|
|
@marmarek You should consider changing from |
|
The pungi version we currently use rely on createrepo. But yes, for the future version we'll definitely use something newer. Porting the patch shouldn't be that hard, it's just different language, right? ;) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR makes the ISO build almost reproducible, assuming individual input
packages are the same. The only missing part is reproducing efiboot.img build
(FAT filesystem image for EFI boot).
After this being merged (and updated installer-qubes-os packages released), the
way to reproduce ISO should be, in qubes-builder configured for appropriate release:
The
INSTALLER_KICKSTARTis needed to download all the packages from yum.qubes-os.org, instead of local build - to ensure stable input. This requirement should be gone once all qubes packages will build reproducibly.For devel builds, use
ISO_VERSIONinstead ofQUBES_RELEASE.Until this is merged, to test this one need build installer (
make installer-qubes-os) and manually copyqubes-src/installer-qubes-os/pkgsfrom one build environment to another, then setCOMPONENTS=installer-qubes-os(instead of empty).As for efiboot.img, list of problems:
mcopyis slightly better - it's possible to keep file metadata the same withmcopy -i "$img" -mp source-file ::destination-fileiterated over all the files in stable order; but it still leaves differences at the end of fs image, similar to kernel driverMost of those patches (or equivalent) are already submitted upstream:
QubesOS/qubes-issues#816