[Distutils] Reproducible builds (Sdist)

Matthias Bussonnier bussonniermatthias at gmail.com
Mon Oct 2 11:20:18 EDT 2017

Hi all,

On Fri, Sep 29, 2017 at 12:04 PM, Jakub Wilk <jwilk at jwilk.net> wrote:
> It not enough to normalize timestamps. You need to normalize permissions and
> ownership, too.
> (I'm using https://pypi.python.org/pypi/distutils644 for normalizing
> permissions/ownership in my own packages.)
Thanks Jakub, this will be helpful for me;

> Yeah, I don't believe distutils honors SOURCE_DATE_EPOCH at the moment.
>> Second; is there a convention to store the SDE value ?
> In the changelog.

I'll consider that as well;

On Sun, Oct 1, 2017 at 10:31 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> On 30 September 2017 at 06:02, Thomas Kluyver <thomas at kluyver.me.uk> wrote:
>> On Fri, Sep 29, 2017, at 07:16 PM, Matthias Bussonnier wrote:
> For distro level reproducible build purposes, we typically treat the
> published tarball *as* the original sources, and don't really worry
> about the question of "Can we reproduce that tarball, from that VCS
> tree?".

Thanks for the detailed explanation Nick, even if this was not the
original goal of SDE,
I would still like to have reproducible builds of sdist even if my package
does not have source generation like Cython;  I'll embed the timestamp in the
commit for now;  and see if I can also extract the timestamp from the
commit log.
AFAICT it's `git log -1 --pretty=format:%ct` if it's of interest to anyone.

My interest in this is to have CI build the sdist, and make sure independent
machines can get the same artifact in order to have a potentially distributed
agreement on what the sdist is.

Is there any plan (or would it be accepted) to try to upstream patches like
distutils644 Jakub linked to?
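An added example, not part of this thread, of distutils644 or of distutils itself: a small Python script that applies the three normalizations the thread mentions (timestamps from SOURCE_DATE_EPOCH, permissions, ownership) plus a sorted member order and a pinned gzip header mtime, and checks that two "machines" whose checkouts differ only in metadata produce a byte-identical tar.gz. The two source trees and the SOURCE_DATE_EPOCH value are constructed for the example; a packager would take the epoch from the commit, e.g. `git log -1 --pretty=format:%ct` as above.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed SOURCE_DATE_EPOCH value (2017-09-29T16:00:00Z); in practice it
# would come from the commit, e.g. `git log -1 --pretty=format:%ct`.
SOURCE_DATE_EPOCH = 1506700800

# The same source tree as it might look on two build machines: identical
# content, but different listing order, mtimes, uids and umask-derived modes.
# Tuples are (name, data, mode, mtime, uid); all values are constructed.
TREE_MACHINE_A = [
    ("pkg-1.0/setup.py", b"from setuptools import setup\nsetup(name='pkg')\n", 0o664, 1506790000, 1000),
    ("pkg-1.0/pkg/__init__.py", b"__version__ = '1.0'\n", 0o664, 1506790001, 1000),
    ("pkg-1.0/build.sh", b"#!/bin/sh\nexit 0\n", 0o775, 1506790002, 1000),
]
TREE_MACHINE_B = [
    ("pkg-1.0/build.sh", b"#!/bin/sh\nexit 0\n", 0o755, 1506900000, 501),
    ("pkg-1.0/pkg/__init__.py", b"__version__ = '1.0'\n", 0o644, 1506900001, 501),
    ("pkg-1.0/setup.py", b"from setuptools import setup\nsetup(name='pkg')\n", 0o644, 1506900002, 501),
]


def normalize(info, source_date_epoch):
    """Replace build-machine metadata on one archive member with fixed values:
    mtime from SOURCE_DATE_EPOCH, root ownership, 644/755 modes."""
    info.mtime = source_date_epoch
    info.uid = info.gid = 0
    info.uname = info.gname = "root"
    if info.isdir():
        info.mode = 0o755
    else:
        # Keep only the fact that the file was executable; drop group/other
        # write bits and anything else the local umask left behind.
        info.mode = 0o755 if info.mode & 0o111 else 0o644
    return info


def build_sdist(tree, source_date_epoch=None):
    """Return the bytes of a .tar.gz built from `tree`.

    With source_date_epoch set, members are sorted by name and normalized and
    the gzip header mtime is pinned as well (gzip stores its own timestamp,
    which would otherwise differ even with identical tar contents). Without
    it, the archive carries whatever the input tree has, as a naive build would."""
    members = sorted(tree) if source_date_epoch is not None else list(tree)
    gz_mtime = source_date_epoch if source_date_epoch is not None else members[0][3]
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=gz_mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            for name, data, mode, mtime, uid in members:
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mode, info.mtime, info.uid, info.gid = mode, mtime, uid, uid
                if source_date_epoch is not None:
                    info = normalize(info, source_date_epoch)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def reproducible(tree_a, tree_b, source_date_epoch):
    """True when both trees yield byte-identical archives (same sha256)."""
    return sha256(build_sdist(tree_a, source_date_epoch)) == sha256(build_sdist(tree_b, source_date_epoch))


def member_metadata(blob):
    """Read back (name, mode, mtime, uid, gid) of each member for inspection."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return [(m.name, m.mode, m.mtime, m.uid, m.gid) for m in tar.getmembers()]


if __name__ == "__main__":
    print("naive builds identical:     ",
          sha256(build_sdist(TREE_MACHINE_A)) == sha256(build_sdist(TREE_MACHINE_B)))
    print("normalized builds identical:",
          reproducible(TREE_MACHINE_A, TREE_MACHINE_B, SOURCE_DATE_EPOCH))
    for row in member_metadata(build_sdist(TREE_MACHINE_A, SOURCE_DATE_EPOCH)):
        print(row)
```

Comparing the sha256 of the two normalized archives is the check a CI job on independent machines would publish and compare; the gzip header mtime is the part that is easy to forget, since `tar` contents can already match while the `.tar.gz` bytes still differ.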
