On Tue, Feb 27, 2018 at 7:39 PM, Charles Lepple <clep...@gmail.com> wrote:
> It is possible to get some level of reproducibility by
> pinning the versions that you grab from PyPI, but then it's turtles all the
> way down with the dependencies.

Good point. One of my goals is to make every build produce identical
output given identical input, and you simply cannot do that with dynamic
third party repos. With a local mirror of a Debian-based distro, you
have complete control over updates, and thanks to
https://reproducible-builds.org/ we have a shot at actually achieving
bit-for-bit identical output, each and every time, regardless of the machine
doing the build. And that is good for security.
- Dan