[Distutils] reproducible builds

Nick Coghlan ncoghlan at gmail.com
Sat Mar 18 03:20:54 EDT 2017

On 18 March 2017 at 03:19, Robin Becker <robin at reportlab.com> wrote:

> An issue has been raised for reportlab to support a specific environment
> variable namely SOURCE_DATE_EPOCH. The intent is that we should get our
> time from this variable rather than time.localtime(time.time()) so that
> produced documents are more invariant.
> First off is this a reasonable request? The variable is defined by debian
> here https://reproducible-builds.org/specs/source-date-epoch/
> What happens if other distros decide not to use this environment variable?
> Do I really want distro specific code in the package?

While the reproducible builds effort started in Debian and is furthest
advanced there, it's not distro specific - interested developers working on
other distros were already looking into it, and the Core Infrastructure
Initiative has backed it as one of their security assurance initiatives.
Software Freedom Conservancy have a decent write-up on the current state of
things after December's Reproducible Builds Summit:

However, you'll probably want to make yourself a helper function that uses
SOURCE_DATE_EPOCH if defined, and falls back to the current time otherwise.
That way you'll get reproducible behaviour when a build system configures
the setting, while retaining your current behaviour for environments that


P.S. A question well worth asking for *us* is whether or not setting
SOURCE_DATE_EPOCH appropriately (if it isn't already set in the current
environment) should be part of the build system abstraction PEPs.

Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20170318/5dbadc2d/attachment-0001.html>

More information about the Distutils-SIG mailing list