[Distutils] Reproducible builds (Sdist)
Matthias Bussonnier
bussonniermatthias at gmail.com
Mon Oct 2 11:20:18 EDT 2017
Hi all,
On Fri, Sep 29, 2017 at 12:04 PM, Jakub Wilk <jwilk at jwilk.net> wrote:
> It not enough to normalize timestamps. You need to normalize permissions and
> ownership, too.
>
> (I'm using https://pypi.python.org/pypi/distutils644 for normalizing
> permissions/ownership in my own packages.)
>
Thanks Jakub, this will be helpful for me.
> Yeah, I don't believe distutils honors SOURCE_DATE_EPOCH at the moment.
>
>> Second; is there a convention to store the SDE value ?
>
> In the changelog.
I'll consider that as well;
On Sun, Oct 1, 2017 at 10:31 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> On 30 September 2017 at 06:02, Thomas Kluyver <thomas at kluyver.me.uk> wrote:
>> On Fri, Sep 29, 2017, at 07:16 PM, Matthias Bussonnier wrote:
>
> For distro level reproducible build purposes, we typically treat the
> published tarball *as* the original sources, and don't really worry
> about the question of "Can we reproduce that tarball, from that VCS
> tree?".
Thanks for the detailed explanation Nick. Even if this was not the
original goal of SDE,
I would still like to have reproducible builds of the sdist even if my package
does not have source generation like Cython; I'll embed the timestamp in the
commit for now, and see if I can also extract the timestamp from the
commit log.
AFAICT it's `git log -1 --pretty=format:%ct` if it's of interest to anyone.
My interest in this is to have CI build the sdist, and make sure independent
machines can get the same artifact in order to have a potentially distributed
agreement on what the sdist is.
Is there any plan (or would it be accepted) to try to upstream patches like
distutils644 Jakub linked to?
Thanks,
--
Matthias
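Putting the thread's advice together, as an added example that is neither distutils' nor distutils644's own code: it takes SOURCE_DATE_EPOCH from the environment or from the `git log` command above, pins every member's mtime to it, zeroes ownership, applies an assumed 644/755 permission policy (modelled only on the distutils644 name), sorts members, pins the gzip header timestamp, and then checks that two builds of a constructed tree hash identically after mtimes and modes were perturbed.

```python
import gzip, hashlib, io, os, subprocess, tarfile, tempfile

def source_date_epoch(fallback=0):
    """SOURCE_DATE_EPOCH from the environment, else the last commit's %ct, else fallback."""
    if "SOURCE_DATE_EPOCH" in os.environ:
        return int(os.environ["SOURCE_DATE_EPOCH"])
    try:  # the git command from the thread; fails cleanly outside a repository
        cmd = ["git", "log", "-1", "--pretty=format:%ct"]
        return int(subprocess.check_output(cmd, stderr=subprocess.DEVNULL))
    except (OSError, subprocess.CalledProcessError, ValueError):
        return fallback

def normalize(info, epoch):
    """Pin every tar-member field that varies between machines."""
    info.mtime = epoch                  # timestamp: what SDE alone covers
    info.uid = info.gid = 0             # ownership
    info.uname = info.gname = ""
    # Assumed policy modelled on the distutils644 name: 755 for directories
    # and executables, 644 for everything else.
    info.mode = 0o755 if info.isdir() or info.mode & 0o111 else 0o644
    return info

def build_sdist(root, epoch):
    """Bytes of a normalized .tar.gz of `root`, members added in sorted order."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # fixes traversal order, hence member order
            paths = ([dirpath] if dirpath != root else []) + \
                    [os.path.join(dirpath, f) for f in sorted(filenames)]
            for path in paths:
                tar.add(path, arcname=os.path.relpath(path, root), recursive=False,
                        filter=lambda ti: normalize(ti, epoch))
    out = io.BytesIO()  # the gzip header has its own timestamp field; pin it too
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=epoch) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def demo_is_reproducible(epoch=1506700800):
    """Constructed tree built twice with perturbed mtimes/modes in between;
    returns (digests equal, digest changes when the epoch changes)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "pkg"))
    for rel, text in (("setup.py", "from setuptools import setup\n"),
                      ("pkg/__init__.py", "x = 1\n")):
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)
    digest = lambda e: hashlib.sha256(build_sdist(root, e)).hexdigest()
    first = digest(epoch)
    os.utime(os.path.join(root, "setup.py"), (1, 1))           # perturb timestamp
    os.chmod(os.path.join(root, "pkg", "__init__.py"), 0o600)  # perturb permissions
    return first == digest(epoch), digest(epoch + 1) != first
```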