On 02/01/2018 04:21 PM, Nick Coghlan wrote:
> On 1 February 2018 at 23:54, Petr Viktorin
> > Honestly, I'm not sure we want to use this in Fedora. Is anyone here into
> > reproducible builds, to make a better argument for this?
>
> I believe rpmbuild (et al) all set SOURCE_DATE_EPOCH in the
> environment, so Fedora's likely to get the new CHECKED_HASH behaviour
> by default: https://docs.python.org/dev/library/py_compile.html#py_compile.compile

Wait. These docs say "invalidation_mode will be forced to
PycInvalidationMode.CHECKED_HASH", which sounds quite scary. Is it
possible to use UNCHECKED_HASH with SOURCE_DATE_EPOCH?
(I don't think we use SOURCE_DATE_EPOCH now, but we might in the future.)

> Given that SELinux typically won't allow user applications to
> the bytecode anyway, we may want to specify the use of UNCHECKED_HASH
> at build time instead - with that setting, Python will ignore source
> file changes entirely, and trust that RPM will keep the source and pyc

And it lets us... avoid a stat call per import? I still fail to see the