mika
commented
4 years ago So far no. Grml uses our grml-live software for building the ISOs. There are several steps involved, like debootstrap plus further package installation, generating an initrd (via initramfs-tools + live-boot-grml and their hooks/scripts), then the rootfs is packaged as squashfs image and finally generating the ISO via xorriso.
grml-live supports -w DATE to use the wayback machine (using snapshot.debian.org for installing packages from a specific date), so this should help in reproducing the software package state (while https://github.com/grml/grml-live/issues/91 is yet to be resolved). IIRC debootstrap (and mmdebstrap) support reproducible systems nowadays, looking at https://github.com/plougher/squashfs-tools/commit/24da0c63c80be64e1adc3f24c27459ebe18a19af + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919207 squashfs-tools seems to support reproducible builds as well and according to https://reproducible-builds.org/docs/system-images/ it might be possible to also use xorriso for reproducible builds.
So the relevant building blocks might be there, but AFAIK no one looked closer into this so far for grml-live, any contributions regarding this a more than welcome though. :)
garlicgambit
Is it possible to create deterministically reproducible grml iso images?