[Distutils] reproducible builds
Nick Coghlan
ncoghlan at gmail.com
Sat Mar 18 03:20:54 EDT 2017
On 18 March 2017 at 03:19, Robin Becker <robin at reportlab.com> wrote:
> An issue has been raised for reportlab to support a specific environment
> variable namely SOURCE_DATE_EPOCH. The intent is that we should get our
> time from this variable rather than time.localtime(time.time()) so that
> produced documents are more invariant.
>
> First off is this a reasonable request? The variable is defined by debian
> here https://reproducible-builds.org/specs/source-date-epoch/
>
> What happens if other distros decide not to use this environment variable?
> Do I really want distro specific code in the package?
>
While the reproducible builds effort started in Debian and is furthest
advanced there, it's not distro specific - interested developers working on
other distros were already looking into it, and the Core Infrastructure
Initiative has backed it as one of their security assurance initiatives.
Software Freedom Conservancy have a decent write-up on the current state of
things after December's Reproducible Builds Summit:
https://sfconservancy.org/blog/2016/dec/26/reproducible-builds-summit-report/

However, you'll probably want to make yourself a helper function that uses
SOURCE_DATE_EPOCH if defined, and falls back to the current time otherwise.
That way you'll get reproducible behaviour when a build system configures
the setting, while retaining your current behaviour for environments that
don't.

Cheers,
Nick.

P.S. A question well worth asking for *us* is whether or not setting
SOURCE_DATE_EPOCH appropriately (if it isn't already set in the current
environment) should be part of the build system abstraction PEPs.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
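
The helper function suggested in the reply above, sketched as an added example; it is not part of the original message and is not reportlab's code. The function names, the UTC output format, and the choice to raise on a malformed value instead of falling back are assumptions made for illustration.

```python
import os
import time


def build_timestamp(environ=None, clock=time.time):
    """Return the build time as integer seconds since the Unix epoch.

    Uses SOURCE_DATE_EPOCH when the build system has set it, otherwise
    falls back to the current time (the pre-existing behaviour).
    """
    environ = os.environ if environ is None else environ
    raw = environ.get("SOURCE_DATE_EPOCH")
    if raw is None:
        return int(clock())
    # Assumption: accept only ASCII decimal digits, the `date +%s` form.
    # A malformed value raises instead of silently falling back, because
    # a silent fallback would quietly make the output non-reproducible.
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("SOURCE_DATE_EPOCH is not an integer: %r" % raw)
    return int(raw)


def format_build_date(environ=None, clock=time.time):
    """Format the build time for embedding in a generated document.

    gmtime() is used rather than localtime() so the result does not
    depend on the build machine's time zone.
    """
    stamp = time.gmtime(build_timestamp(environ, clock))
    return time.strftime("%Y-%m-%d %H:%M:%S UTC", stamp)


if __name__ == "__main__":
    # Constructed sample environments, not taken from a real build.
    pinned = {"SOURCE_DATE_EPOCH": "86400"}
    print(format_build_date(pinned))  # same output on every run
    print(format_build_date({}))      # unset: current time, as before
```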