Tails

#1 Updated by intrigeri 2016-11-21 08:35:00

• Status changed from Confirmed to In Progress
• Feature Branch set to feature/11974-reproducible-iuk, iuk:feature/11974-reproducible-iuk

#2 Updated by intrigeri 2016-11-21 10:42:16

• % Done changed from 0 to 10

The only remaining variations on my system are:

• /​.​wh.​.​wh.​plnk/​*: content is stable but filenames vary; that’s aufs’ “Pseudo Link” feature, i.e. the way it deals with hardlinked files being modified; their content is actual file content (a few copyright files, 4 PNG images)
• (a number of) .wh.$DELETED_FILENAME files: mtime varies; this would be fixed by a mtime clamping feature in mksquashfs
• /​.​wh.​.​wh.​aufs and /​.​wh.​.​wh.orph: mtime varies; this would be fixed by a mtime clamping feature in mksquashfs

The kernel and aufs module versions being used are likely to introduce other variations, but I’m not worried about this: worst case we’ll run tails-create-iuk in the Vagrant box.

#4 Updated by intrigeri 2016-11-21 12:38:28

• Feature Branch changed from feature/11974-reproducible-iuk, iuk:feature/11974-reproducible-iuk to iuk:feature/11974-reproducible-iuk, iuk:debian_feature/11974-reproducible-iuk

#5 Updated by intrigeri 2016-11-21 13:08:01

• % Done changed from 10 to 20

diffoscope now says “live/3.0.squashfs: No file format specific differences found inside, yet data differs”. Which means that I’ve successfully fixed all aforementioned issues, but that’s still not enough.

#6 Updated by intrigeri 2016-12-14 14:52:59

• related to Bug #12032: The SquashFS creation is not deterministic added

#7 Updated by intrigeri 2017-03-13 14:03:09

• Assignee changed from intrigeri to anonym
• Target version set to Tails_2.12
• % Done changed from 20 to 30
• QA Check set to Ready for QA

With squashfs-tools 1:4.3-3.0tails4 installed, using iuk.git’s feature/11974-reproducible-iuk, I’ve build 2 different IUKs, each of them twice, and in both cases the output matched exactly.

for i in 1 2 ; do sudo SOURCE_DATE_EPOCH=1488999303 PERL5LIB=/path/to/tails/perl5lib/git/lib \
            ./bin/tails-create-iuk \
               --squashfs-diff-name test.squashfs \
               --old-iso tails-i386-2.10.iso \
               --new-iso tails-i386-2.11.iso \
               --outfile test$i.iuk \
done \
&& sudo cmp test*.iuk

Please try to reproduce this tomorrow (so the date has changed!) on your machine, and if it works for you too:

1. review
2. in iuk.git, merge the topic branch into master, and debian_feature/11974-reproducible-iuk into debian
3. in tails.git, cherry-pick into master the changes we made on feature/5630-deterministic-builds to the release process about passing SOURCE_DATE_EPOCH and LC_ALL to ./bin/tails-create-iuk

Note that tails-create-iuk now depends on a new enough tar (available in jessie-backports); I doubt it’s worth bothering documenting this, given all RM:s currently run Stretch or newer, that has the correct version

#8 Updated by anonym 2017-03-13 18:13:23

• Assignee changed from anonym to intrigeri
• QA Check changed from Ready for QA to Info Needed

Ack, waiting for the new day to arrive, but until then…

intrigeri wrote:
> Note that tails-create-iuk now depends on a new enough tar (available in jessie-backports); I doubt it’s worth bothering documenting this, given all RM:s currently run Stretch or newer, that has the correct version

Related: will I have to install squashfs-tools 1:4.3-3.0tails4 on my machine?

#10 Updated by intrigeri 2017-03-13 21:51:45

• Assignee changed from intrigeri to anonym
• QA Check changed from Info Needed to Ready for QA

#12 Updated by anonym 2017-04-17 21:34:54

• Status changed from In Progress to Fix committed
• Assignee deleted (anonym)
• % Done changed from 30 to 100
• QA Check changed from Ready for QA to Pass

Works for me! For you future Redmine archaeologists this is the sha256 I got: 1a1137a44988d24103f8c6396e48885aab24489585348d752355fc6aba2acfa1 (338206720 bytes)

Any way, merged!

#13 Updated by intrigeri 2017-04-17 22:12:44

• Status changed from Fix committed to In Progress
• Assignee set to intrigeri
• % Done changed from 100 to 90

(Reverting to “In Progress” as someone now has to release + build a package.)

> Any way, merged!

Thanks!

I guess it’s too late to sneak this into 2.12, especially since it’ll pull a newer tar package. So it doesn’t make sense to do the 3rd step I had requested when submitting for review (“in tails.git, cherry-pick into master the changes we made on feature/5630-deterministic-builds to the release process about passing SOURCE_DATE_EPOCH and LC_ALL to ./bin/tails-create-iuk”), so I’ll release 2.9, will upload it straight to feature-stretch, and will cherry-pick those changes there if I can’t merge Feature #5630 right away. We’ll simply have to avoid doing another Jessie-targeted release of tails-iuk if we ever release Tails 2.12.1 or 2.13.

#14 Updated by intrigeri 2017-04-17 22:32:34

• Priority changed from Normal to Elevated
• Target version changed from Tails_2.12 to Tails_3.0

Bumping priority so it’s on my radar tomorrow.

#17 Updated by intrigeri 2017-04-18 15:24:50

• Status changed from In Progress to Fix committed

Uploaded tails-iuk 2.9-1. Let’s close this once we have reproduced IUKs built on different machines.

#18 Updated by intrigeri 2017-04-18 19:48:54

• Status changed from Fix committed to Resolved
• Assignee deleted (intrigeri)
• % Done changed from 90 to 100

93a55c7058bc8dbb3a462472812d8de7da8c6df3ab1630a20b45d86449f8f138 Tails_i386_2.11_to_2.12.iuk for both anonym and I.

#19 Updated by intrigeri 2019-12-05 10:10:51

• related to Feature #17262: Make the build of overlayfs-based IUKs reproducible added