<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On 20 March 2017 at 23:34, Thomas Kluyver <span dir="ltr"><<a href="mailto:thomas@kluyver.me.uk" target="_blank">thomas@kluyver.me.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">On Mon, Mar 20, 2017, at 01:02 PM, Robin Becker wrote:<br></span><span class="gmail-">> I guess the algorithm variation across pythons would make dictionary order quite variable.<br>
<br>
</span>For a Python based tool, I think it's reasonable that reproducing a<br>
build requires running with the same version of Python.<br>
<br>
The requirement would be that, with enough information about the build<br>
environment, you *can* produce an identical PDF. It needn't (AFAIK) be<br>
identical every time anyone builds it.<br></blockquote><div><br></div><div>Right, one of the other aspects of reproducible-builds is looking into ways to define and distribute build environments in addition to the application source code: <a href="https://reproducible-builds.org/docs/definition-strategies/">https://reproducible-builds.org/docs/definition-strategies/</a><br><br></div><div>Within a given binary context (e.g. Debian packages), that may be a text description, like Debian's buildinfo files: <a href="https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles">https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles</a><br><br></div><div>For Fedora/RHEL/CentOS, the equivalent would probably be to extract a suitable config from the build system: <a href="https://fedoraproject.org/wiki/Using_the_Koji_build_system#Using_koji_to_generate_a_mock_config_to_replicate_a_buildroot">https://fedoraproject.org/wiki/Using_the_Koji_build_system#Using_koji_to_generate_a_mock_config_to_replicate_a_buildroot</a><br></div><div><br></div><div>In other cases, the build environment may itself by a binary artifact (e.g. the manylinux1 container images, or the "Holy Build Box" machine images).<br><br></div><div>Fully eliminating non-determinism usually does requiring switching to explicit sorting and ordered containers in build tools and scripts, as otherwise even things like directory listings or JSON serialisation can introduce variations in output when a build is run on a different machine. The reproducible-builds project offers some interesting tools to identify and analyse cases of non-reproducible outputs: <a href="https://reproducible-builds.org/tools/">https://reproducible-builds.org/tools/</a><br><br></div><div>However, nobody can reasonably expect arbitrary upstream projects (especially volunteer run ones) to be going out and pre-emptively solving that kind of problem - the most it's realistic to aim for is to encourage projects to be accommodating when upstream changes are proposed to introduce more determinism into the build processes for particular projects, as well as into the artifact generation process for tools that may be used as part of the build process for other projects. (And I agree with Thomas that it's likely the latter case that applies for reportlab-generated PDFs)<br></div></div><br></div><div class="gmail_extra">Cheers,<br></div><div class="gmail_extra">Nick.<br><br></div><div class="gmail_extra">P.S. Prompted by Gary Berhnhardt, one of the ways I've started thinking about the whole question of "built artifacts" in general is as a complex distributed caching problem, with reproducible builds being a way of ensuring that it's possible to check the validity of particular cache entries<br clear="all"></div><div class="gmail_extra"><br>-- <br><div class="gmail_signature">Nick Coghlan | <a href="mailto:ncoghlan@gmail.com" target="_blank">ncoghlan@gmail.com</a> | Brisbane, Australia</div>
</div></div>