lorax-templates-qubes: strip various non-determinisms from installer image

Remove various caches not really needed.
Sort group files and packages list.
Strip timestamps from gconf file.
Clamp mtime in fontconfig cache to SOURCE_DATE_EPOCH.

lorax-templates-qubes/templates/efi.tmpl

@@ -4,6 +4,8 @@ EFIARCH_LOWER=efiarch.lower()
 EFIBOOTDIR="EFI/BOOT"
 APPLE_EFI_ICON=inroot+"/usr/share/pixmaps/bootloader/fedora.icns"
 APPLE_EFI_DISKNAME=inroot+"/usr/share/pixmaps/bootloader/fedora-media.vol"
+import os, time
+SOURCE_DATE_EPOCH = os.environ.get('SOURCE_DATE_EPOCH', str(int(time.time())))
 %>
 
 mkdir ${EFIBOOTDIR}
@@ -62,6 +64,8 @@ install boot/efi/EFI/*/fonts/unicode.pf2 ${EFIBOOTDIR}/fonts/
     runcmd mount ${outroot}/${img} ${outroot}/${EFIBOOTDIR} -o loop
     mkdir "${EFIBOOTDIR}/System Volume Information"
     install "${configdir}/System Volume Information/*" "${EFIBOOTDIR}/System Volume Information/"
+    runcmd find ${outroot}/${EFIBOOTDIR} -newermt "@${SOURCE_DATE_EPOCH}" -exec \
+        touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" {} +
     runcmd umount ${outroot}/${img}
     # verify if the image is under 32MB (max size of boot image on iso9660)
     runcmd sh -x -c '[ $(stat -c %s ${outroot}/${img}) -le 33554432 ]'

lorax-templates-qubes/templates/runtime-cleanup.tmpl

@@ -357,3 +357,16 @@ removepkg cdparanoia-libs opus libtheora libvisual flac-libs gsm avahi-glib avah
 
 ## metacity requires libvorbis and libvorbisfile, but enc/dec are no longer needed
 removefrom libvorbis --allbut /usr/${libdir}/libvorbisfile.* /usr/${libdir}/libvorbis.*
+
+## make the image more reproducible
+
+## make machine-id empty but present to avoid systemd populating /etc with
+## preset settings
+runcmd truncate -s 0 ${root}/etc/machine-id
+## journalctl message catalog, non-deterministic
+remove /var/lib/systemd/catalog/database
+## non-reproducible ldconfig cache
+remove /var/cache/ldconfig/aux-cache
+remove /etc/pki/ca-trust/extracted/java/cacerts
+remove /etc/group-
+remove /etc/gshadow-

lorax-templates-qubes/templates/runtime-postinstall.tmpl

@@ -6,6 +6,8 @@
 PYTHONDIR = sorted(glob("usr/"+libdir+"/python?.?"))[0]
 stubs = ("list-harddrives", "raidstart", "raidstop")
 configdir = configdir + "/common"
+import os, time
+SOURCE_DATE_EPOCH = os.environ.get('SOURCE_DATE_EPOCH', str(int(time.time())))
 %>
 
 ## move_stubs()
@@ -134,6 +136,20 @@ runcmd mknod ${root}/dev/null c 1 3
 runcmd mknod ${root}/dev/urandom c 1 9
 
 ## Record the package versions used to create the image
-runcmd chroot ${root} /bin/rpm -qa --pipe "tee /root/lorax-packages.log"
+runcmd chroot ${root} /bin/rpm -qa --pipe "sort | tee /root/lorax-packages.log"
+
+## fix fonconfig cache containing timestamps
+runcmd chroot ${root} /usr/bin/find /usr/share/fonts /usr/share/X11/fonts -newermt "@${SOURCE_DATE_EPOCH}" -exec \
+    touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" {} +
+runcmd chroot ${root} /usr/bin/fc-cache -f
+
+## drop timestamp from gconf.xml
+runcmd sed -i -e 's/mtime="[0-9]*" //' ${root}/etc/gconf/gconf.xml.defaults/desktop/gnome/interface/%gconf.xml
+
+## sort groups
+runcmd chroot ${root} /bin/sh -c "LC_ALL=C sort /etc/group > /etc/group.new && mv /etc/group.new /etc/group"
+runcmd chroot ${root} /bin/sh -c "LC_ALL=C sort /etc/gshadow > /etc/gshadow.new && mv /etc/gshadow.new /etc/gschadow"
+chmod /etc/gshadow 0700
+
 
 ## TODO: we could run prelink here if we wanted?