Re: reproducible builds and python
On Mon, Aug 11, 2014 at 08:01:23PM +0200, bmorbach wrote:
> Hi everyone!
>
> I've been doing some work towards reproducible builds in Fedora (mostly
> with various upstreams so far) and one of the elephants in the Room are
> obviously Pythons .pyc and .pyo files.
>
> As those contain the mtime of the original .py file, they might be
> different for each rebuild of an srpm.
> For many rpms this isn't a problem, because the files are not modified
> and thus retain their timestamp from the archive. Quite a few rpms do
> modify to .py files though and because of that, every build has a
> different result.
>
> I would like to propose to set the mtime of all .py files to a fixed
> (for this specific srpm) time. This could be done
> in /usr/lib/rpm/brp-python-bytecompile before doing the actual
> byte-compilation. This would result in the same .py{c,o} files being
> created for each rebuild.
>
> The timestamp could be e.g. the mtime of the oldest file in the
> buildroot (which would assume that not _all_ of the files are modified)
> But if you are interested in the idea, I'd certainly be open to
> suggestions.
>
> To address the obvious question:
> Why not special-case those files when comparing rpms?
>
> It will certainly be impossible to achieve this for all packages in
> Fedora, so for some files this might indeed be needed, but I think we
> should avoid this where possible. The idea of reproducible builds
> becomes meaningless if the amount of differences that you just ignore
> gets to big.
>
>
> What do you think of this proposal?
>
I'm not in love with this as it's throwing out information. OTOH, the
information that's being thrown out may not be all that useful. It would
help if we knew what the goal was here (besides simply being 100%
reproducible for the sake of being reproducible) as we could then think
about what we stand to gain for losing the real timestamp information.
One idea I just had -- only modify the timestamp of files whose mtime is
more recent than when the tarballs were unpacked. This would leave files
that were simply untarred with the real upstream timestamps and any files
which would have had their timestamps modified anyway will get the new
timestamp.
One actual (though small) problem I see with lying about timestamps is that
your going to need to select a fixed time in the past that this timestamp
would be. Looking at a directory of files and seeing that one file is from
about the time the package was built while the others are all older can be
an indication that the distro has changed the file from what is upstream
which can then lead to comparing against vanilla upstream to determine if
we're applying a patch that causes a bug. If we have to apply a timestamp
in the past, that indication goes away. (Small help because I only remember
doing this once in all my years of looking at files from packages :-)
-Toshio
pgp5FNwlVovUM.pgp
Description: PGP signature
___
python-devel mailing list
python-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/python-devel
Re: reproducible builds and python
- Original Message -
> Hi everyone!
>
> I've been doing some work towards reproducible builds in Fedora (mostly
> with various upstreams so far) and one of the elephants in the Room are
> obviously Pythons .pyc and .pyo files.
>
> As those contain the mtime of the original .py file, they might be
> different for each rebuild of an srpm.
> For many rpms this isn't a problem, because the files are not modified
> and thus retain their timestamp from the archive. Quite a few rpms do
> modify to .py files though and because of that, every build has a
> different result.
>
> I would like to propose to set the mtime of all .py files to a fixed
> (for this specific srpm) time. This could be done
> in /usr/lib/rpm/brp-python-bytecompile before doing the actual
> byte-compilation. This would result in the same .py{c,o} files being
> created for each rebuild.
>
> The timestamp could be e.g. the mtime of the oldest file in the
> buildroot (which would assume that not _all_ of the files are modified)
> But if you are interested in the idea, I'd certainly be open to
> suggestions.
Generally, I like this idea, but I have some concerns:
- So the bytecompile script would "touch" all *.py files? It seems a bit hacky,
not mentioning that in some specfiles (notably python3 itself) we actually have
to do bytecompilation by hand for certain reasons.
- Obviously another question is what happens when _all_ files are modified. I
can pretty much guarantee you that at any given time there will be at least one
package in Fedora that will have all files modified (e.g. python-six has just
one py file, so if we patch/touch it in some way, the problem is here). I'd
like to see a proposal that handles this situation in a sane way.
Having {read about,experimented with} reproducible builds before, I can see the
advantage that Fedora would get from this. Perhaps you could sum up the actual
benefits of reproducible builds here so that even those who have never heard of
this can see why this is worthwile?
Just thinking aloud here, but this should also be beneficial for RPMs generated
with "setup.py bdist_rpm", right? As in "two RPMs generated by bdist_rpm from
the same git/hg revision on the same architecture would have the same hash" -
or am I wrong here?
Thanks,
Slavek
> To address the obvious question:
> Why not special-case those files when comparing rpms?
>
> It will certainly be impossible to achieve this for all packages in
> Fedora, so for some files this might indeed be needed, but I think we
> should avoid this where possible. The idea of reproducible builds
> becomes meaningless if the amount of differences that you just ignore
> gets to big.
>
>
> What do you think of this proposal?
>
> Greetings,
> Benedikt
>
> ___
> python-devel mailing list
> python-devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/python-devel
--
Regards,
Slavek Kabrda
___
python-devel mailing list
python-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/python-devel
Re: reproducible builds and python
On 08/12/2014 04:01 AM, bmorbach wrote:
> Hi everyone!
>
> I've been doing some work towards reproducible builds in Fedora (mostly
> with various upstreams so far) and one of the elephants in the Room are
> obviously Pythons .pyc and .pyo files.
>
> As those contain the mtime of the original .py file, they might be
> different for each rebuild of an srpm.
> For many rpms this isn't a problem, because the files are not modified
> and thus retain their timestamp from the archive. Quite a few rpms do
> modify to .py files though and because of that, every build has a
> different result.
>
> I would like to propose to set the mtime of all .py files to a fixed
> (for this specific srpm) time. This could be done
> in /usr/lib/rpm/brp-python-bytecompile before doing the actual
> byte-compilation. This would result in the same .py{c,o} files being
> created for each rebuild.
This sounds like a reasonable approach to me, especially if the mtime
for the SRPM is derived from dist-git.
Regards,
Nick.
--
Nick Coghlan
Red Hat Hosted & Shared Services
Software Engineering & Development, Brisbane
HSS Provisioning Architect
___
python-devel mailing list
python-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/python-devel
