Re: [PATCH v3 2/3] mkrescue: add argument --fixed-time to get reproducible uuids

["Thomas Schmitt" <scdbackup@gmx.net>]

Hi,

Andrei Borzenkov wrote:
> I am not sure we should stretch reproducible builds that far. ISO
> image created by grub-mkrescue is not binary.

I was approached by Debian's reproducible-builds project because
they wanted to be able to create reproducible test ISOs.
  http://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20150601/001693.html


Vladimir Serbinenko wrote:
> > We need to find a way to reliably find boot
> > disk without depending on current time.

Andrei Borzenkov wrote:
> Well, UUID of isofs used by GRUB is not unique in any sense,

I understand that we rely on the improbability that two
competing ISOs got created in the same second.
So an explicitely chosen "UUID" must be sufficiently random
on the first production to distinguish non-identical images.
Re-productions should then use the same "UUID".

The "UUID" is stored in the ISO as timestamp string of form
YYYYMMDDhhmmsscc with decimal digits. E.g. 2015121517395800
"cc" means centi-seconds, which would be usable to expand the
"UUID" space by a factor of 100.
It cannot be forwarded as time_t, though.
One would need finer time granularity or a second integer variable
which would bring the "cc" part down to the composition of the
xorriso command. (xorrisofs option --modification-date, i assume)


> so it is not really much worse than it was before.
> Having reliable way to identify boot device imply some unique property
> of boot device which automatically conflict with idea of identical images.

Yep. Having identical images would mean that they are the same
in any aspect. So here we should have no problem, i think.
(Adventurous testers could now try what happens if they present
 their machine two copies of the same ISO on two devices.)


Have a nice day :)

Thomas