[Distutils] reproducible builds
Brett Cannon
brett at python.org
Tue Mar 21 12:52:02 EDT 2017
On Tue, 21 Mar 2017 at 04:54 Marius Gedminas <marius at gedmin.as> wrote:
> On Mon, Mar 20, 2017 at 11:30:59AM +0000, Robin Becker wrote:
> > thanks for this; it seems the emphasis is on security. If the intent is that
> > reportlab should be able to reliably reproduce the same binary output then I
> > think I need to do more than just fix a couple of dates. We use many
> > dictionary like objects to produce PDF and I am not sure all are sorted by
> > key during output.
>
> I'm sure the reproducible builds folks will send you patches if they
> find any spots that you missed. ;-)
>
> > Is there a way to excite dictionary ordering changes? I believe there was
> > some way to modify the hashing introduced when the dos dictionary attacks
> > were an issue. Would it be sufficient to generate documents with say Python
> > 2.7 and check against 3.6?
>
> Python 3.6 changed the dict implementation so the ordering is always stable
> (and matches insertion order).
>
Do realize that is an implementation detail and not guaranteed by the
language specification, so it won't necessarily hold in the future or for
other interpreters.
-Brett
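
An added example, not part of the original message and not reportlab code: one way to exercise the ordering question raised in this thread is to render the same object under several `PYTHONHASHSEED` values and compare digests of the output. The key names and the `<< ... >>` rendering are constructed sample data, and a set of strings stands in for an unsorted mapping because its iteration order follows the randomized string hashes.

```python
import os
import subprocess
import sys

# Child program, run once per hash seed. It emits a PDF-style dictionary from
# a set of keys (constructed sample data) and prints the SHA-256 of the bytes.
CHILD = r"""
import hashlib, sys
keys = {"Type", "Pages", "Producer", "CreationDate", "Title", "Author",
        "Subject", "Keywords"}
# "sorted" mode fixes the emission order; "unsorted" uses raw set iteration.
order = sorted(keys) if sys.argv[1] == "sorted" else list(keys)
body = "<< " + " ".join("/%s (%s)" % (k, k.lower()) for k in order) + " >>"
print(hashlib.sha256(body.encode("ascii")).hexdigest())
"""


def digests_across_seeds(mode, seeds=range(1, 9)):
    """Run the child under each PYTHONHASHSEED; return the set of digests seen."""
    seen = set()
    for seed in seeds:
        # The seed must be set before the interpreter starts, hence a subprocess.
        env = dict(os.environ, PYTHONHASHSEED=str(seed))
        out = subprocess.run([sys.executable, "-c", CHILD, mode], env=env,
                             check=True, capture_output=True, text=True)
        seen.add(out.stdout.strip())
    return seen


if __name__ == "__main__":
    for mode in ("unsorted", "sorted"):
        count = len(digests_across_seeds(mode))
        print("%-8s emission: %d distinct digest(s) over 8 seeds" % (mode, count))
```

More than one digest in a given mode means the output depends on hash ordering; sorting keys at emission time removes that dependency without relying on any interpreter's container ordering.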