On Mon, Aug 11, 2014 at 08:01:23PM +0200, bmorbach wrote: > Hi everyone! > > I've been doing some work towards reproducible builds in Fedora (mostly > with various upstreams so far) and one of the elephants in the Room are > obviously Pythons .pyc and .pyo files. > > As those contain the mtime of the original .py file, they might be > different for each rebuild of an srpm. > For many rpms this isn't a problem, because the files are not modified > and thus retain their timestamp from the archive. Quite a few rpms do > modify to .py files though and because of that, every build has a > different result. > > I would like to propose to set the mtime of all .py files to a fixed > (for this specific srpm) time. This could be done > in /usr/lib/rpm/brp-python-bytecompile before doing the actual > byte-compilation. This would result in the same .py{c,o} files being > created for each rebuild. > > The timestamp could be e.g. the mtime of the oldest file in the > buildroot (which would assume that not _all_ of the files are modified) > But if you are interested in the idea, I'd certainly be open to > suggestions. > > To address the obvious question: > Why not special-case those files when comparing rpms? > > It will certainly be impossible to achieve this for all packages in > Fedora, so for some files this might indeed be needed, but I think we > should avoid this where possible. The idea of reproducible builds > becomes meaningless if the amount of differences that you just ignore > gets to big. > > > What do you think of this proposal? > I'm not in love with this as it's throwing out information. OTOH, the information that's being thrown out may not be all that useful. It would help if we knew what the goal was here (besides simply being 100% reproducible for the sake of being reproducible) as we could then think about what we stand to gain for losing the real timestamp information.
One idea I just had -- only modify the timestamp of files whose mtime is more recent than when the tarballs were unpacked. This would leave files that were simply untarred with the real upstream timestamps and any files which would have had their timestamps modified anyway will get the new timestamp. One actual (though small) problem I see with lying about timestamps is that your going to need to select a fixed time in the past that this timestamp would be. Looking at a directory of files and seeing that one file is from about the time the package was built while the others are all older can be an indication that the distro has changed the file from what is upstream which can then lead to comparing against vanilla upstream to determine if we're applying a patch that causes a bug. If we have to apply a timestamp in the past, that indication goes away. (Small help because I only remember doing this once in all my years of looking at files from packages :-) -Toshio
pgp5FNwlVovUM.pgp
Description: PGP signature
_______________________________________________ python-devel mailing list python-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/python-devel