Grml iso images deterministically reproducible?

[garlicgambit]

Is it possible to create deterministically reproducible grml iso images?

[mika]

So far no. Grml uses our grml-live software for building the ISOs. There are several steps involved, like debootstrap plus further package installation, generating an initrd (via initramfs-tools + live-boot-grml and their hooks/scripts), then the rootfs is packaged as squashfs image and finally generating the ISO via xorriso.

grml-live supports -w DATE to use the wayback machine (using snapshot.debian.org for installing packages from a specific date), so this should help in reproducing the software package state (while #91 is yet to be resolved). IIRC debootstrap (and mmdebstrap) support reproducible systems nowadays, looking at plougher/squashfs-tools@24da0c6 + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919207 squashfs-tools seems to support reproducible builds as well and according to https://reproducible-builds.org/docs/system-images/ it might be possible to also use xorriso for reproducible builds.

So the relevant building blocks might be there, but AFAIK no one looked closer into this so far for grml-live, any contributions regarding this a more than welcome though. :)

[garlicgambit]

Thanks for the detailed response. Looks promising. When we have time we'll look into it.

[mika]

JFTR: https://rclobus.nl/blog/?p=190 provides some information about status of reproducing the Debian live ISOs.