Bug 236081 - [release][reproducibility] ISO images and memstick images are not build reproducible
Summary: [release][reproducibility] ISO images and memstick images are not build repro...
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: misc (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
Depends on:
Reported: 2019-02-27 15:48 UTC by Glen Barber
Modified: 2019-02-27 15:48 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Glen Barber freebsd_committer 2019-02-27 15:48:01 UTC
Recently, it had been discovered that FreeBSD installation medium, ISOs and memory stick images, are not fully reproducible in head, stable/12, and stable/11, and presumably earlier releases.

During investigation, one commit in particular had been identified as part of the reproducibility issue, however it had been determined that the issue stems far beyond one change to ISO and memstick image creation tooling.

At present, it had been observed that r342283, produces a non-reproducible "hybrid.img" file which contains the PMBR, GPT, and boot code, which is written to the System Area of an ISO.

However, it also had been observed that this is one of many reproducibility issues.

Steps to recreate a test case are:

# make -C /usr/src buildworld buildkernel
# make -C /usr/src/release bootonly.iso
# mv /usr/obj/usr/src/amd64.amd64/release/bootonly.iso \
# make -C /usr/src/release bootonly.iso
# mv /usr/obj/usr/src/amd64.amd64/release/bootonly.iso \

Verifying the SHA512 checksums on bootonly.1.iso and bootonly.2.iso show:
# sha512 /usr/ojb/usr/src/amd64.amd64/release/bootonly.?.iso
SHA512 (bootonly.1.iso) = 6e585f46d36672a7d77d78b57cef8bb6f41d932a24b9d860274da228bdc55358be11f5896644eb9ca141cbb2192e25ffa10e0cb416c19ba06d94b8d16386c1e2
SHA512 (bootonly.2.iso) = 16bdafff5a6ec60448c77ba4ede5fae17e9288791a03fcc69acae4b572a88bab26c4f41b60a318cc71a09b1ab8b9b4ddee5cc09821e0475d0322bca861534899

Using the diffoscope utility provided by sysutils/py-diffoscope and isoinfo included by sysutils/cdrtools, differences in file/directory access (atime), modification (mtime), and creation (ctime) times are observed.

Example ISOs are available at:

An example report produced with the diffoscope utility can be found at: