[Distutils] Reproducible builds (Sdist)

Jakub Wilk jwilk at jwilk.net
Fri Sep 29 15:04:48 EDT 2017


* Matthias Bussonnier <bussonniermatthias at gmail.com>, 2017-09-29, 11:16:
>I'm interested in the reproducible build of an _sdist_.
>That is to say the process of going from a given commit to the 
>corresponding TGZ file. It is my understanding that setting 
>SOURCE_DATE_EPOCH (SDE for short) should allow a reproducible building 
>of an Sdist;

It is not enough to normalize timestamps. You need to normalize permissions 
and ownership, too.

(I'm using https://pypi.python.org/pypi/distutils644 for normalizing 
permissions/ownership in my own packages.)

>I cannot seem to be able to do that without unpacking and repacking the 
>tgz myself;

Yeah, I don't believe distutils honors SOURCE_DATE_EPOCH at the 
moment.

>Second; is there a convention to store the SDE value?

In the changelog.

-- 
Jakub Wilk
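
The unpack-and-repack approach discussed in this message, as an added example that is not part of the original post and is not code from distutils or distutils644. It pins timestamps, permissions, ownership, member order and the gzip header; the function names, the 0644/0755 mode policy, the uid/gid 0 with empty owner names, and the sample archive are assumptions made for illustration.

```python
import gzip
import io
import os
import tarfile


def normalize_sdist(data: bytes, epoch: int) -> bytes:
    """Repack a .tar.gz so its bytes depend only on member names and contents."""
    out = io.BytesIO()
    # The gzip header stores its own mtime and file name; pin both.
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as src, \
            gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=epoch) as gz, \
            tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as dst:
        for m in sorted(src.getmembers(), key=lambda m: m.name):  # stable order
            m.mtime = epoch                                  # timestamps
            m.uid, m.gid, m.uname, m.gname = 0, 0, "", ""    # ownership (assumed policy)
            if not m.issym():                                # permissions (assumed policy)
                m.mode = 0o755 if m.isdir() or m.mode & 0o111 else 0o644
            m.pax_headers = {}                               # drop atime/ctime extras
            dst.addfile(m, src.extractfile(m) if m.isreg() else None)
    return out.getvalue()


def make_sample(mtime: int, uid: int, uname: str, mode: int, reverse: bool) -> bytes:
    """Constructed sample sdist: same contents, varying metadata and order."""
    files = [("demo-1.0/setup.py", b"from distutils.core import setup\n"),
             ("demo-1.0/PKG-INFO", b"Name: demo\nVersion: 1.0\n")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in (reversed(files) if reverse else files):
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(body), mtime, mode
            info.uid = info.gid = uid
            info.uname = info.gname = uname
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def members(data: bytes) -> list:
    """(name, mtime, uid, uname, mode) per member, for checking the result."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return [(m.name, m.mtime, m.uid, m.uname, m.mode) for m in tar]


if __name__ == "__main__":
    epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "1500000000"))  # constructed default
    a = make_sample(1506700000, 1000, "alice", 0o664, reverse=False)
    b = make_sample(1506709999, 501, "bob", 0o600, reverse=True)
    print(a == b, normalize_sdist(a, epoch) == normalize_sdist(b, epoch))
```

The compressed bytes are only stable for a given Python and zlib version, so compare builds produced with the same toolchain.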