On Thu, Feb 1, 2018 at 10:21 AM, Nick Coghlan <ncoghlan(a)gmail.com> wrote:
> On 1 February 2018 at 23:54, Petr Viktorin <pviktori(a)redhat.com> wrote:
> > Honestly, I'm not sure we want to use this in Fedora. Is anyone here into
> > reproducible builds, to make a better argument for this?
>
> I believe rpmbuild (et al) all set SOURCE_DATE_EPOCH in the
> environment, so Fedora's likely to get the new CHECKED_HASH behaviour
> by default:
> https://docs.python.org/dev/library/py_compile.html#py_compile.compile
>
> Given that SELinux typically won't allow user applications to rewrite
> the bytecode anyway, we may want to specify the use of UNCHECKED_HASH
> at build time instead - with that setting, Python will ignore source
> file changes entirely, and trust that RPM will keep the source and pyc
> files consistent.

We have not set this to be on in Fedora. It's still switched off by
default. To the best of my knowledge, the only distribution doing it
so far is openSUSE.
--
真実はいつも一つ!/ Always, there's only one truth!
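
The invalidation modes discussed in this thread, as an added example that is not part of the original messages: it reads the PEP 552 flags word from a compiled file, shows which mode `py_compile` picks with and without SOURCE_DATE_EPOCH, and shows what loads after the source is edited. The file name `demo.py`, the helper names and the sample epoch value are assumptions made for the illustration.

```python
import os
import py_compile
import struct
import tempfile
from importlib.machinery import SourceFileLoader
from py_compile import PycInvalidationMode


def pyc_mode(pyc_path):
    """Classify a .pyc from the PEP 552 flags word (bytes 4-8 of the header)."""
    with open(pyc_path, "rb") as f:
        header = f.read(16)
    flags = struct.unpack("<I", header[4:8])[0]
    if not flags & 0b01:          # bit 0 clear: mtime/size based pyc
        return "TIMESTAMP"
    return "CHECKED_HASH" if flags & 0b10 else "UNCHECKED_HASH"


def default_mode(source_date_epoch):
    """Mode py_compile picks on its own, with or without SOURCE_DATE_EPOCH."""
    saved = os.environ.pop("SOURCE_DATE_EPOCH", None)
    try:
        if source_date_epoch is not None:
            os.environ["SOURCE_DATE_EPOCH"] = source_date_epoch
        with tempfile.TemporaryDirectory() as d:
            src = os.path.join(d, "demo.py")      # constructed sample module
            with open(src, "w") as f:
                f.write("VALUE = 1\n")
            return pyc_mode(py_compile.compile(src, doraise=True))
    finally:
        os.environ.pop("SOURCE_DATE_EPOCH", None)
        if saved is not None:
            os.environ["SOURCE_DATE_EPOCH"] = saved


def value_after_source_edit(mode):
    """Compile VALUE = 1, rewrite the source to VALUE = 2, then load the module."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "demo.py")
        with open(src, "w") as f:
            f.write("VALUE = 1\n")
        py_compile.compile(src, doraise=True, invalidation_mode=mode)
        with open(src, "w") as f:
            f.write("VALUE = 2\n")                # source changes after the build
        namespace = {}
        # The loader applies the same pyc validation rules as a normal import.
        exec(SourceFileLoader("demo", src).get_code("demo"), namespace)
        return namespace["VALUE"]
```

With UNCHECKED_HASH the loader keeps running the bytecode from build time, so integrity of the installed `.py`/`.pyc` pair has to be checked by the package manager rather than by the interpreter.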