[Distutils] reproducible builds
Marius Gedminas
marius at gedmin.as
Tue Mar 21 07:46:47 EDT 2017
On Mon, Mar 20, 2017 at 11:30:59AM +0000, Robin Becker wrote:
> thanks for this; it seems the emphasis is on security. If the intent is that
> reportlab should be able to reliably reproduce the same binary output then I
> think I need to do more than just fix a couple of dates. We use many
> dictionary like objects to produce PDF and I am not sure all are sorted by
> key during output.
I'm sure the reproducible builds folks will send you patches if they
find any spots that you missed. ;-)
> Is there a way to excite dictionary ordering changes? I believe there was
> some way to modify the hashing introduced when the DoS dictionary attacks
> were an issue. Would it be sufficient to generate documents with say Python
> 2.7 and check against 3.6?
Python 3.6 changed the dict implementation so the ordering is always stable
(and matches insertion order).
You'll want to test with Python 3.5, which perturbs the dict ordering
randomly, as a side effect of the randomized string/bytes hashes (unless
you fix it by setting the PYTHONHASHSEED environment variable[*]).
[*] https://docs.python.org/3.3/using/cmdline.html#envvar-PYTHONHASHSEED
Regards,
Marius Gedminas
--
Yes, always begin work on inherited code by removing comments. Even if they
were maintained (they are not) they are natural language written by engineers
who cannot be understood ordering coffee in a diner. Getting back to comments
not being maintained, my saying on that one is, "Comments do not run."
-- Kenny Tilton
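The test Marius suggests, as an added example that is not part of the original thread or of reportlab: the script below renders a hypothetical PDF-style dictionary in child interpreters started with different PYTHONHASHSEED values and collects the distinct outputs, so a build that leaks hash randomization shows up as more than one rendering. The entries and key names are constructed for the example; it iterates a set of keys rather than a dict so the effect is visible on Python 3.6+ too, where dicts keep insertion order but str hashes are still randomized.

```python
"""Check whether serialized output depends on Python's hash seed.

Added example (not reportlab code). A child interpreter serializes a
constructed PDF-style dictionary `<< /Key value ... >>` either in set
iteration order or in sorted order; the parent runs it under several
PYTHONHASHSEED values and compares the results.
"""
import os
import subprocess
import sys

# Child script (constructed). Sets of str are hash-randomized in every
# Python 3 release, so unsorted iteration varies with PYTHONHASHSEED.
CHILD = r'''
import sys
entries = {"Type": "/Font", "Subtype": "/Type1", "BaseFont": "/Helvetica",
           "Encoding": "/WinAnsiEncoding", "FirstChar": "32"}
keys = set(entries)   # models a dict-like object with no fixed key order
order = sorted(keys) if sys.argv[1] == "sorted" else list(keys)
print("<< " + " ".join("/%s %s" % (k, entries[k]) for k in order) + " >>")
'''


def render_with_seed(seed, mode):
    """Run the child under a fixed PYTHONHASHSEED and return its output line."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    proc = subprocess.run([sys.executable, "-c", CHILD, mode],
                          env=env, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def distinct_outputs(mode, seeds=range(8)):
    """Set of distinct renderings across several hash seeds.

    One element means the output is independent of the hash seed; more than
    one means hash randomization leaks into the serialized document.
    """
    return {render_with_seed(s, mode) for s in seeds}


if __name__ == "__main__":
    for mode in ("unsorted", "sorted"):
        outs = distinct_outputs(mode)
        print("%-8s %d distinct output(s)" % (mode, len(outs)))
        for line in sorted(outs):
            print("   ", line)
```

Running the sorted variant always yields a single rendering; the unsorted variant usually yields several, which is exactly the nondeterminism the reproducible-builds check is meant to catch.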