On Feb 06, 2016, at 04:38 PM, Chris Angelico wrote:

>Right, sure. The technical problems are still there. Although I'm
>fairly confident that Debian's binaries would correspond to Debian's
>source - but honestly, if I'm looking for sources for anything other
>than the kernel, I probably want to get the latest from source
>control, rather than using the somewhat older version shipped in the
>repos.
>
>As to availability, though, most of the big distros (including Debian)
>keep their sources around for a long time.

Not to get too deep into what other projects do, but yes in Debian, you can always get the patched source that corresponds to the binary you've installed, usually in both version controlled form and otherwise. I'd expect this to be true of most if not all of the Linux distros.

A more interesting question is how you can actually verify this equivalence, and there are folks across the ecosystem working on reproducible builds. The idea is that you should be able to take the source that *claims* to correspond to that binary, and using the established build tools, locally reproduce a bit-wise exact duplicate of the binary. I've applied and submitted several patches to various upstreams that help with this effort, such as being able to pass in "locked" datetimes instead of the package always using e.g. datetime.now().

Let's not dive down the rabbit hole too far into how you can trust your build tool chain, and every other layer down to the quantum.

Cheers,
-Barry

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
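
Added example (not part of the message above, and not code from Debian or any upstream project): one way a Python build step can accept a "locked" timestamp so that two builds of the same source are bit-wise identical and can be compared by hash. It assumes the SOURCE_DATE_EPOCH environment variable convention used by the reproducible-builds effort; the function names, the sample tree and the epoch values are constructed for illustration.

```python
import gzip
import hashlib
import io
import os
import tarfile
import time

# Constructed sample "source tree" (path -> contents), not from any real package.
SAMPLE_TREE = {"pkg/b.py": b"B = 2\n", "pkg/a.py": b"A = 1\n"}

def build_time(environ=None):
    """Timestamp to embed: the locked SOURCE_DATE_EPOCH if given, else now."""
    environ = os.environ if environ is None else environ
    value = environ.get("SOURCE_DATE_EPOCH")
    if value is None:
        return int(time.time())  # unlocked: differs on every build
    epoch = int(value)  # raises ValueError on a non-numeric value
    if epoch < 0:
        raise ValueError("SOURCE_DATE_EPOCH must be non-negative")
    return epoch

def build_tarball(tree, mtime):
    """Build a .tar.gz in memory with every source of variation pinned."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(tree):  # fixed member order, not dict/filesystem order
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = mtime  # locked timestamp instead of the file's mtime
            info.mode = 0o644
            info.uid = info.gid = 0  # do not leak the builder's account
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(tree[name]))
    out = io.BytesIO()
    # The gzip header carries its own timestamp and file name; pin both.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def digest(tree, environ=None):
    """SHA-256 of the artifact; equal digests mean a bit-wise identical build."""
    return hashlib.sha256(build_tarball(tree, build_time(environ))).hexdigest()

if __name__ == "__main__":
    locked = {"SOURCE_DATE_EPOCH": "1454716800"}  # constructed value
    print("locked build 1:", digest(SAMPLE_TREE, locked))
    print("locked build 2:", digest(SAMPLE_TREE, locked))
    print("unlocked build:", digest(SAMPLE_TREE, {}))
```

The two locked builds print the same digest, while the unlocked one changes with the clock. That is the verification step the message describes: rebuild from the claimed source and compare hashes.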