reproducible builds and python

Thu Sep 18 15:24:05 UTC 2014

On Mon, Aug 11, 2014 at 08:01:23PM +0200, bmorbach wrote:
> Hi everyone!
> 
> I've been doing some work towards reproducible builds in Fedora (mostly
> with various upstreams so far) and one of the elephants in the Room are
> obviously Pythons .pyc and .pyo files.
> 
> As those contain the mtime of the original .py file, they might be
> different for each rebuild of an srpm.
> For many rpms this isn't a problem, because the files are not modified
> and thus retain their timestamp from the archive. Quite a few rpms do
> modify to .py files though and because of that, every build has a
> different result.
> 
> I would like to propose to set the mtime of all .py files to a fixed
> (for this specific srpm) time. This could be done
> in /usr/lib/rpm/brp-python-bytecompile before doing the actual
> byte-compilation. This would result in the same .py{c,o} files being
> created for each rebuild.
> 
> The timestamp could be e.g. the mtime of the oldest file in the
> buildroot (which would assume that not _all_ of the files are modified)
> But if you are interested in the idea, I'd certainly be open to
> suggestions.
> 
> To address the obvious question:
> Why not special-case those files when comparing rpms?
> 
> It will certainly be impossible to achieve this for all packages in
> Fedora, so for some files this might indeed be needed, but I think we
> should avoid this where possible. The idea of reproducible builds
> becomes meaningless if the amount of differences that you just ignore
> gets to big.
> 
> 
> What do you think of this proposal?
> 
I'm not in love with this as it's throwing out information.  OTOH, the
information that's being thrown out may not be all that useful.  It would
help if we knew what the goal was here (besides simply being 100%
reproducible for the sake of being reproducible) as we could then think
about what we stand to gain for losing the real timestamp information.

One idea I just had -- only modify the timestamp of files whose mtime is
more recent than when the tarballs were unpacked.  This would leave files
that were simply untarred with the real upstream timestamps and any files
which would have had their timestamps modified anyway will get the new
timestamp.

One actual (though small) problem I see with lying about timestamps is that
your going to need to select a fixed time in the past that this timestamp
would be.  Looking at a directory of files and seeing that one file is from
about the time the package was built while the others are all older can be
an indication that the distro has changed the file from what is upstream
which can then lead to comparing against vanilla upstream to determine if
we're applying a patch that causes a bug.  If we have to apply a timestamp
in the past, that indication goes away.  (Small help because I only remember
doing this once in all my years of looking at files from packages :-)

-Toshio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/python-devel/attachments/20140918/4effed09/attachment.sig>