[Distutils] reproducible builds
robin at reportlab.com
Mon Mar 20 07:30:59 EDT 2017
On 18/03/2017 07:20, Nick Coghlan wrote:
> While the reproducible builds effort started in Debian and is furthest
> advanced there, it's not distro specific - interested developers working on
> other distros were already looking into it, and the Core Infrastructure
> Initiative has backed it as one of their security assurance initiatives.
> Software Freedom Conservancy have a decent write-up on the current state of
> things after December's Reproducible Builds Summit:
thanks for this; it seems the emphasis is on security. If the intent is that
reportlab should be able to reliably reproduce the same binary output then I
think I need to do more than just fix a couple of dates. We use many dictionary
like objects to produce PDF and I am not sure all are sorted by key during output.
Is there a way to excite dictionary ordering changes? I believe there was some
way to modify the hashing introduced when the dos dictionary attacks were an
issue. Would it be sufficient to generate documents with say Python 2.7 and
check against 3.6?
> However, you'll probably want to make yourself a helper function that uses
> SOURCE_DATE_EPOCH if defined, and falls back to the current time otherwise.
> That way you'll get reproducible behaviour when a build system configures
> the setting, while retaining your current behaviour for environments that
good advice and that's what I am doing.
> P.S. A question well worth asking for *us* is whether or not setting
> SOURCE_DATE_EPOCH appropriately (if it isn't already set in the current
> environment) should be part of the build system abstraction PEPs.
More information about the Distutils-SIG