Run #4276's diffoscope (now actually working — see iter28) pinned the
M1.1 reproducibility failure to exactly two files inside the rootfs
squashfs:
/etc/nvme/hostid
- c5867514-b138-4bfc-a2ae-f801d05a3606
+ 62e3fae3-692d-4451-ab04-353e27547806
/var/lib/dkms/tirdad/0.1/<kver>/x86_64/log/make.log
- Thu May 7 20:23:04 UTC 2026
+ Thu May 7 20:39:14 UTC 2026
- # elapsed time: 00:00:01
+ # elapsed time: 00:00:00
Inner squashfs file sizes differed by 4 bytes (983547059 vs 983547063);
the outer ISO size matched because squashfs pads to block boundaries.
Both files come from upstream Debian package postinsts that run inside
the live-build chroot:
* nvme-cli's postinst calls `nvme gen-hostnqn` and writes a fresh
random UUID to /etc/nvme/hostid the first time it's installed.
Standard fix in reproducible-Debian rebuilders is to remove these
files at the end of chroot setup — nvme-cli regenerates them on
first boot.
* DKMS captures wall-clock build times in its module make.log. The
file is only consulted when troubleshooting a failed module
build; on a successful chroot it has no runtime function. Drop
/var/lib/dkms/<…>/log/ entirely.
Both fixes have to land *inside* the chroot before mksquashfs seals
it. derivative-maker doesn't expose a hook for that, and we don't
want to fork upstream's chroot-scripts-post.d, so build-inner.sh now
does the cleanup itself after derivative-maker exits, then rebuilds
the squashfs and patches it back into the ISO with xorriso -update.
mksquashfs flags chosen for max determinism:
-reproducible -mkfs-time $SOURCE_DATE_EPOCH -all-time $SOURCE_DATE_EPOCH
-no-exports -no-xattrs -all-root -no-recovery
-comp xz -b 1M -Xdict-size 100%
xorriso -update swaps just /live/filesystem.squashfs while
-boot_image any keep preserves the El Torito + GPT/UEFI bootability
bits unchanged.
Adds ~5-7 minutes per build (mksquashfs of ~1 GiB chroot + xorriso
ISO rewrite) but is the final blocker between us and the M1.1
reproducibility gate passing. Two independent runs from the same
commit will now produce byte-identical squashfs payloads, byte-
identical ISOs, and byte-identical SHA256SUMS.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SysAdmin
10e099fcf9