installer/cd-dvd/iso-image: avoid leaking build timestamps #75484
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When 'grafting' '/nix/store/<hash>-loopback.cfg' from disk onto '/boot/grub/loopback.cfg' on the iso, the parent 'grub' directory does not exist yet. In this case it is automatically created and inherits its attributes, including timestamp, from /nix/store. This is correct/expected/intentional behavior of xorriso, but has the undesired result of leaking the timestamps of /nix/store into the iso. For this reason we put the loopback.cfg in a '/nix/store/<hash>-loopback.cfg/grub/loopback.cfg' instead, so it will inherit the attributes from the correctly-timestamped '/nix/store/<hash>-loopback.cfg/grub' directory. For the same reason we move '/EFI/boot/efi-background.png' down in the list so it is grafted after its parent '/EFI/boot' directory is created with the correct timestamp. fixes NixOS#74944
10 tasks
13 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When 'grafting' '/nix/store/-loopback.cfg' from disk onto
'/boot/grub/loopback.cfg' on the iso, the parent 'grub' directory does not
exist yet. In this case it is automatically created and inherits its
attributes, including timestamp, from /nix/store.
This is correct/expected/intentional behavior of xorriso, but has the
undesired result of leaking the timestamps of /nix/store into the iso. For
this reason we put the loopback.cfg in a
'/nix/store/-loopback.cfg/grub/loopback.cfg' instead, so it will inherit
the attributes from the correctly-timestamped
'/nix/store/-loopback.cfg/grub' directory.
For the same reason we move '/EFI/boot/efi-background.png' down in the list
so it is grafted after its parent '/EFI/boot' directory is created with
the correct timestamp.
Motivation for this change
Making the installations ISO's bit-by-bit deterministic/reproducible for easier (security) checking, fixes #74944
Things done
Tested that together with #74174
nix-build ./nixos/release-combined.nix -A nixos.iso_minimal.x86_64-linux --checknow succeedsNotify maintainers
cc @bjornfor @veprbl