reproducible builds and python

Bohuslav Kabrda bkabrda at redhat.com
Thu Aug 21 07:34:07 UTC 2014 

----- Original Message -----
> Hi everyone!
> 
> I've been doing some work towards reproducible builds in Fedora (mostly
> with various upstreams so far) and one of the elephants in the Room are
> obviously Pythons .pyc and .pyo files.
> 
> As those contain the mtime of the original .py file, they might be
> different for each rebuild of an srpm.
> For many rpms this isn't a problem, because the files are not modified
> and thus retain their timestamp from the archive. Quite a few rpms do
> modify to .py files though and because of that, every build has a
> different result.
> 
> I would like to propose to set the mtime of all .py files to a fixed
> (for this specific srpm) time. This could be done
> in /usr/lib/rpm/brp-python-bytecompile before doing the actual
> byte-compilation. This would result in the same .py{c,o} files being
> created for each rebuild.
> 
> The timestamp could be e.g. the mtime of the oldest file in the
> buildroot (which would assume that not _all_ of the files are modified)
> But if you are interested in the idea, I'd certainly be open to
> suggestions.

Generally, I like this idea, but I have some concerns:
- So the bytecompile script would "touch" all *.py files? It seems a bit hacky, not mentioning that in some specfiles (notably python3 itself) we actually have to do bytecompilation by hand for certain reasons.
- Obviously another question is what happens when _all_ files are modified. I can pretty much guarantee you that at any given time there will be at least one package in Fedora that will have all files modified (e.g. python-six has just one py file, so if we patch/touch it in some way, the problem is here). I'd like to see a proposal that handles this situation in a sane way.

Having {read about,experimented with} reproducible builds before, I can see the advantage that Fedora would get from this. Perhaps you could sum up the actual benefits of reproducible builds here so that even those who have never heard of this can see why this is worthwile?

Just thinking aloud here, but this should also be beneficial for RPMs generated with "setup.py bdist_rpm", right? As in "two RPMs generated by bdist_rpm from the same git/hg revision on the same architecture would have the same hash" - or am I wrong here?

Thanks,
Slavek

> To address the obvious question:
> Why not special-case those files when comparing rpms?
> 
> It will certainly be impossible to achieve this for all packages in
> Fedora, so for some files this might indeed be needed, but I think we
> should avoid this where possible. The idea of reproducible builds
> becomes meaningless if the amount of differences that you just ignore
> gets to big.
> 
> 
> What do you think of this proposal?
> 
> Greetings,
> Benedikt
> 
> _______________________________________________
> python-devel mailing list
> python-devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/python-devel

-- 
Regards,
Slavek Kabrda

More information about the python-devel mailing list