[Distutils] Reproducible builds (Sdist)
Jakub Wilk
jwilk at jwilk.net
Fri Sep 29 15:04:48 EDT 2017
* Matthias Bussonnier <bussonniermatthias at gmail.com>, 2017-09-29, 11:16:
>I'm interested in the reproducible build of an _sdist_.
>That is to say the process of going from a given commit to the
>corresponding TGZ file. It is my understanding that setting
>SOURCE_DATE_EPOCH (SDE for short) should allow a reproducible building
>of an Sdist;
It is not enough to normalize timestamps. You need to normalize permissions
and ownership, too.
(I'm using https://pypi.python.org/pypi/distutils644 for normalizing
permissions/ownership in my own packages.)
>I cannot seem to be able to do that without unpacking and repacking the
>tgz myself;
Yeah, I don't believe distutils honors SOURCE_DATE_EPOCH at the
moment.
>Second; is there a convention to store the SDE value ?
In the changelog.
--
Jakub Wilk
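
Added example, not part of the original message and not distutils code: a repack step that normalizes the three things named above (timestamps, permissions, ownership) plus member order and the gzip header, so that the same file contents always give the same bytes. The names normalize_sdist and make_sample, the 0644/0755 and uid/gid 0 policy, and the sample values are assumptions made for this illustration.

```python
import gzip
import io
import tarfile


def normalize_sdist(data: bytes, epoch: int) -> bytes:
    """Repack a .tar.gz so identical file contents give identical bytes."""
    out = io.BytesIO()
    # Empty filename and fixed mtime keep the gzip header itself stable.
    with gzip.GzipFile(filename="", mode="wb", fileobj=out, mtime=epoch) as gz:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as src, \
                tarfile.open(fileobj=gz, mode="w", format=tarfile.PAX_FORMAT) as dst:
            # Sort members so archive order does not depend on the filesystem.
            for m in sorted(src.getmembers(), key=lambda m: m.name):
                payload = src.extractfile(m) if m.isfile() else None
                m.mtime = epoch                      # timestamps
                m.uid = m.gid = 0                    # ownership
                m.uname = m.gname = ""
                keep_x = m.isdir() or m.mode & 0o111
                m.mode = 0o755 if keep_x else 0o644  # permissions
                m.pax_headers = {}                   # drop atime/ctime records
                dst.addfile(m, payload)
    return out.getvalue()


def make_sample(mtime: int, uid: int, mode: int, reverse: bool) -> bytes:
    """Constructed input: the same two files packed under varying metadata."""
    files = [("pkg-1.0/PKG-INFO", b"Name: pkg\n"), ("pkg-1.0/setup.py", b"# setup\n")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in (reversed(files) if reverse else files):
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.uid, info.mode = len(body), mtime, uid, mode
            info.uname = "builder%d" % uid
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    epoch = 1506711888  # constructed SOURCE_DATE_EPOCH value
    a = normalize_sdist(make_sample(1500000000, 1000, 0o664, False), epoch)
    b = normalize_sdist(make_sample(1600000000, 501, 0o600, True), epoch)
    print("identical:", a == b)
```

Byte-for-byte equality also depends on the same zlib version and compression level being used for both builds.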