[pacman-dev] [PATCH 5/5] makepkg: unify source file times for improved build reproducibility
Signed-off-by: Levente Polyak
---
scripts/makepkg.sh.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index bd92c526..83c80fa7 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -1731,6 +1731,9 @@ if (( !REPKG )); then
if (( PREPAREFUNC )); then
run_prepare
fi
+
+ # unify source times before building for reproducibility
+ find "$srcdir" -exec touch -h -d "@${SOURCE_DATE_EPOCH}" {} +
fi
if (( PKGVERFUNC )); then
--
2.12.2
Re: [pacman-dev] [PATCH 5/5] makepkg: unify source file times for improved build reproducibility
On 05/12/17 at 12:41pm, Levente Polyak wrote:
> Signed-off-by: Levente Polyak
> ---
> scripts/makepkg.sh.in | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index bd92c526..83c80fa7 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -1731,6 +1731,9 @@ if (( !REPKG )); then
> if (( PREPAREFUNC )); then
> run_prepare
> fi
> +
> + # unify source times before building for reproducibility
> + find "$srcdir" -exec touch -h -d "@${SOURCE_DATE_EPOCH}" {} +
> fi
>
> if (( PKGVERFUNC )); then
I'm still not convinced we should be doing this in makepkg and I'm not
sure exactly where our disagreement about this is at this point. So,
let me describe how I would handle reproducible packages and you can
tell me why your approach is better.
First, I'm only concerned about manipulating things that makepkg is
not directly responsible for. Anything that improves the
reproducibility of makepkg's own output is fine (e.g. removing the
timestamp from .PKGINFO and .MTREE files).
Beyond that, I don't think makepkg is the place for trying to make
a package reproducible. We seem to be in agreement that a separate
script will be necessary to actually reproduce a built package.
I would say that the same script should be used to build the original
package in the first place. Aside from the fact that changes like
this break existing usage patterns for makepkg, makepkg is never going
to be able to guarantee that a package is reproducible. There are
simply too many variables that can influence the resulting package for
makepkg to ever record them all.
Building a package that is reproducible requires a controlled
environment. The script that handles reproducing the package has to
be able to setup such an environment, so why not let it setup the
environment for the initial build? People that don't care about the
reproducibility of the resulting package can continue to use makepkg
as they do now and those that do care can use the wrapper script to
build it. And, makepkg doesn't have to concern itself with
reproducibility beyond making sure that its own output is
reproducible.
Such a script could handle the timestamp manipulation in this patch.
We already provide several makepkg options to control which steps are
run. The wrapper would invoke makepkg once to extract/prepare the
sources, the wrapper would then adjust the timestamps itself, finally
it would invoke makepkg again to continue the build.
apg
Re: [pacman-dev] [PATCH 5/5] makepkg: unify source file times for improved build reproducibility
On 13/05/17 01:09, Andrew Gregory wrote:
> On 05/12/17 at 12:41pm, Levente Polyak wrote:
>> Signed-off-by: Levente Polyak
>> ---
>> scripts/makepkg.sh.in | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
>> index bd92c526..83c80fa7 100644
>> --- a/scripts/makepkg.sh.in
>> +++ b/scripts/makepkg.sh.in
>> @@ -1731,6 +1731,9 @@ if (( !REPKG )); then
>> if (( PREPAREFUNC )); then
>> run_prepare
>> fi
>> +
>> +# unify source times before building for reproducibility
>> +find "$srcdir" -exec touch -h -d "@${SOURCE_DATE_EPOCH}" {} +
>> fi
>>
>> if (( PKGVERFUNC )); then
>
> I'm still not convinced we should be doing this in makepkg and I'm not
> sure exactly where our disagreement about this is at this point. So,
> let me describe how I would handle reproducible packages and you can
> tell me why your approach is better.
>
> First, I'm only concerned about manipulating things that makepkg is
> not directly responsible for. Anything that improves the
> reproducibility of makepkg's own output is fine (e.g. removing the
> timestamp from .PKGINFO and .MTREE files).
>
> Beyond that, I don't think makepkg is the place for trying to make
> a package reproducible. We seem to be in agreement that a separate
> script will be necessary to actually reproduce a built package.
> I would say that the same script should be used to build the original
> package in the first place. Aside from the fact that changes like
> this break existing usage patterns for makepkg, makepkg is never going
> to be able to guarantee that a package is reproducible. There are
> simply too many variables that can influence the resulting package for
> makepkg to ever record them all.
>
> Building a package that is reproducible requires a controlled
> environment. The script that handles reproducing the package has to
> be able to setup such an environment, so why not let it setup the
> environment for the initial build? People that don't care about the
> reproducibility of the resulting package can continue to use makepkg
> as they do now and those that do care can use the wrapper script to
> build it. And, makepkg doesn't have to concern itself with
> reproducibility beyond making sure that its own output is
> reproducible.
>
> Such a script could handle the timestamp manipulation in this patch.
> We already provide several makepkg options to control which steps are
> run. The wrapper would invoke makepkg once to extract/prepare the
> sources, the wrapper would then adjust the timestamps itself, finally
> it would invoke makepkg again to continue the build.
>
>From my understanding, the reproducible build goal is to have a package
build exactly on two invocations of the build tool. There are some
specific things that need to be set to achieve this (mostly
SOURCE_DATE_EPOCH), but the rest of the environment can be quite
variable. In fact, the testing framework to ensure reproducibility varies:
date and time,
build path,
hostname,
domain name,
filesystem,
environment variables,
timezone,
language,
locale,
user name,
user id,
group name,
group id,
kernel version,
umask,
CPU type,
number of CPU cores.
So the environment does not necessarily need to be exactly the same
between builds for it to be reproducible.
Given I think python packages are the primary problem here, I'm going to
propose another solution Clearly embedding the timestamp in the
pyc/o files is a design decision and not going to be changed. Could we
however, have a pass in makepkg that generates these files? In the
"tidy" loop. That would allow us to set times on the any .py files in
the package, and then generate pyc/o files. No setting of source times
needed.
Allan
Re: [pacman-dev] [PATCH 5/5] makepkg: unify source file times for improved build reproducibility
On 05/15/2017 08:51 PM, Allan McRae wrote: > Given I think python packages are the primary problem here, I'm going to > propose another solution Clearly embedding the timestamp in the > pyc/o files is a design decision and not going to be changed. Could we > however, have a pass in makepkg that generates these files? In the > "tidy" loop. That would allow us to set times on the any .py files in > the package, and then generate pyc/o files. No setting of source times > needed. > > Allan > As I said on IRC, this is easier said than done. We'd have to somehow figure out which files are python2 and which ones are python3; while most will be in the appropriate /usr/lib/python$ver directory, some will be elsewhere, e.g. Sigil installs python3 files used for its private plugin interface under /usr/share/sigil instead. Cinnamon seems to do the same (not that we ship pyc/pyo for any of that), as does bleachbit, but I am not sure why (since its launcher executable apparently claims either that or site-packages are both expected places to find itself???) but whatever, different topic. Reading the shebang could help cover those cases, but then again, not all python modules actually come with shebangs, probably because the author doesn't expect people to care. "Why do you need them, syntax highlighting is okay because .py and you're not running them, you're importing them." ... I was thinking of a different alternative. In keeping with other software that respects SOURCE_DATE_EPOCH, perhaps we should depend on the user opting in to reproducible builds by setting `SOURCE_DATE_EPOCH=something makepkg` Sort of like `makepkg --reproducible`, but without actually needing a flag. If SOURE_DATE_EPOCH is set by the user or script calling makepkg, then makepkg would respect it for its own internal use, as well as touch'ing files to that date. I think that should make everyone more or less happy, except the people who want to see users silently opted into reproducible builds for their own good. :D -- Eli Schwartz signature.asc Description: OpenPGP digital signature
Re: [pacman-dev] [PATCH 5/5] makepkg: unify source file times for improved build reproducibility
On 16/05/17 22:28, Eli Schwartz wrote: > On 05/15/2017 08:51 PM, Allan McRae wrote: >> Given I think python packages are the primary problem here, I'm going to >> propose another solution Clearly embedding the timestamp in the >> pyc/o files is a design decision and not going to be changed. Could we >> however, have a pass in makepkg that generates these files? In the >> "tidy" loop. That would allow us to set times on the any .py files in >> the package, and then generate pyc/o files. No setting of source times >> needed. >> >> Allan >> > > As I said on IRC, this is easier said than done. We'd have to somehow > figure out which files are python2 and which ones are python3; while > most will be in the appropriate /usr/lib/python$ver directory, some will > be elsewhere, e.g. Sigil installs python3 files used for its private > plugin interface under /usr/share/sigil instead. > > Cinnamon seems to do the same (not that we ship pyc/pyo for any of > that), as does bleachbit, but I am not sure why (since its launcher > executable apparently claims either that or site-packages are both > expected places to find itself???) but whatever, different topic. > > Reading the shebang could help cover those cases, but then again, not > all python modules actually come with shebangs, probably because the > author doesn't expect people to care. "Why do you need them, syntax > highlighting is okay because .py and you're not running them, you're > importing them." Other options... 1) We could actually use makepkg-template and have the python package provide a function to do this. 2) We could follow most other distros have have the pyo/c files generated by a hook (I am not a fan due to having more untracked files...) Allan
