[Distutils] reproducible builds

Robin Becker robin at reportlab.com
Mon Mar 20 07:30:59 EDT 2017


On 18/03/2017 07:20, Nick Coghlan wrote:
...........
>>
>
> While the reproducible builds effort started in Debian and is furthest
> advanced there, it's not distro specific - interested developers working on
> other distros were already looking into it, and the Core Infrastructure
> Initiative has backed it as one of their security assurance initiatives.
> Software Freedom Conservancy have a decent write-up on the current state of
> things after December's Reproducible Builds Summit:
> https://sfconservancy.org/blog/2016/dec/26/reproducible-builds-summit-report/
thanks for this; it seems the emphasis is on security. If the intent is that
reportlab should be able to reliably reproduce the same binary output then I
think I need to do more than just fix a couple of dates. We use many dictionary-like
objects to produce PDF and I am not sure all are sorted by key during output.

Is there a way to excite dictionary ordering changes? I believe there was some
way to modify the hashing introduced when the DoS dictionary attacks were an
issue. Would it be sufficient to generate documents with say Python 2.7 and
check against 3.6?

>
> However, you'll probably want to make yourself a helper function that uses
> SOURCE_DATE_EPOCH if defined, and falls back to the current time otherwise.
> That way you'll get reproducible behaviour when a build system configures
> the setting, while retaining your current behaviour for environments that
> don't.
>
good advice and that's what I am doing.



> Cheers,
> Nick.
>
> P.S. A question well worth asking for *us* is whether or not setting
> SOURCE_DATE_EPOCH appropriately (if it isn't already set in the current
> environment) should be part of the build system abstraction PEPs.
>


-- 
Robin Becker
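As an added example (not part of the original thread and not reportlab's own code): a helper of the kind Nick describes, reading SOURCE_DATE_EPOCH as UTC seconds and falling back to the current time, beside a PDF-dictionary serialiser that sorts keys so the output cannot vary with the interpreter's hash seed. The function names and the minimal PDF date layout are assumptions for illustration.

```python
import os
from datetime import datetime, timezone


def build_timestamp(environ=None):
    """Return the build time as a timezone-aware UTC datetime.

    Honours SOURCE_DATE_EPOCH (seconds since the Unix epoch, always UTC
    per the reproducible-builds specification) when it is set, and falls
    back to the current time otherwise. A malformed value is treated as
    unset rather than silently producing a bogus date.
    """
    env = os.environ if environ is None else environ
    raw = env.get("SOURCE_DATE_EPOCH")
    if raw is not None:
        try:
            return datetime.fromtimestamp(int(raw), tz=timezone.utc)
        except (ValueError, OverflowError, OSError):
            pass  # fall through to the non-reproducible default
    return datetime.now(tz=timezone.utc)


def pdf_date(dt):
    """Format a datetime as a PDF date string, e.g. D:20170101000000Z."""
    return dt.strftime("D:%Y%m%d%H%M%SZ")


def pdf_dictionary(entries):
    """Serialise a dict as a PDF dictionary with keys in sorted order.

    Sorting removes any dependence on insertion order or on the hash
    seed (PYTHONHASHSEED), which Python 3.3+ randomises by default and
    Python 2.7 randomises when run with -R.
    """
    body = " ".join("/%s %s" % (k, entries[k]) for k in sorted(entries))
    return "<< %s >>" % body


def info_dictionary(environ=None):
    """Build a minimal /Info dictionary with a reproducible CreationDate."""
    stamp = pdf_date(build_timestamp(environ))
    return pdf_dictionary({
        "Producer": "(example producer)",
        "CreationDate": "(%s)" % stamp,
        "ModDate": "(%s)" % stamp,
    })
```

Running the same build twice with SOURCE_DATE_EPOCH set (and, to exercise the ordering point, with different PYTHONHASHSEED values) should yield byte-identical output from info_dictionary.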

