[pacman-dev] [PATCH 5/5] makepkg: unify source file times for improved build reproducibility

Eli Schwartz eschwartz93 at gmail.com
Tue May 16 12:28:38 UTC 2017


On 05/15/2017 08:51 PM, Allan McRae wrote:
> Given I think python packages are the primary problem here, I'm going to
> propose another solution....  Clearly embedding the timestamp in the
> pyc/o files is a design decision and not going to be changed.  Could we
> however, have a pass in makepkg that generates these files?  In the
> "tidy" loop.  That would allow us to set times on the any .py files in
> the package, and then generate pyc/o files.   No setting of source times
> needed.
> 
> Allan
> 

As I said on IRC, this is easier said than done. We'd have to somehow
figure out which files are python2 and which ones are python3; while
most will be in the appropriate /usr/lib/python$ver directory, some will
be elsewhere, e.g. Sigil installs python3 files used for its private
plugin interface under /usr/share/sigil instead.

Cinnamon seems to do the same (not that we ship pyc/pyo for any of
that), as does bleachbit, but I am not sure why (since its launcher
executable apparently claims either that or site-packages are both
expected places to find itself???) but whatever, different topic.

Reading the shebang could help cover those cases, but then again, not
all python modules actually come with shebangs, probably because the
author doesn't expect people to care. "Why do you need them, syntax
highlighting is okay because .py and you're not running them, you're
importing them."

...

I was thinking of a different alternative. In keeping with other
software that respects SOURCE_DATE_EPOCH, perhaps we should depend on
the user opting in to reproducible builds by setting
`SOURCE_DATE_EPOCH=something makepkg`
Sort of like `makepkg --reproducible`, but without actually needing a flag.

If SOURCE_DATE_EPOCH is set by the user or script calling makepkg, then
makepkg would respect it for its own internal use, as well as touch'ing
files to that date.
I think that should make everyone more or less happy, except the people
who want to see users silently opted into reproducible builds for their
own good. :D

-- 
Eli Schwartz

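The opt-in behaviour proposed above (honour SOURCE_DATE_EPOCH only when the caller sets it, touch every packaged file to that date) and the shebang heuristic dismissed earlier in the message, as an added example. This is not makepkg's code and not Eli's or Allan's; the function names `unify_source_times`, `distinct_mtimes` and `guess_python_major` are hypothetical, the directory layout it builds is constructed for the demo, and it assumes GNU coreutils (`touch -d @EPOCH`, `touch -h`, `stat -c %Y`), as on Arch.

```bash
#!/bin/bash
# Added example (not makepkg's own code). Demonstrates the proposal in the
# message: if SOURCE_DATE_EPOCH is set, every file in a package tree gets
# that mtime; if it is unset, the tree is left alone. Also shows why a
# shebang-based "which Python is this?" guess is incomplete.
# Assumes GNU coreutils: touch -d @EPOCH, touch -h, stat -c %Y.
set -eu

# Hypothetical "tidy"-style pass. Returns 0 after touching files, 1 when
# SOURCE_DATE_EPOCH is unset (the user did not opt in), 2 on a bad value.
unify_source_times() {
    local dir=$1
    if [[ -z ${SOURCE_DATE_EPOCH:-} ]]; then
        return 1
    fi
    # A malformed value would otherwise surface as a touch error mid-build.
    if [[ ! $SOURCE_DATE_EPOCH =~ ^[0-9]+$ ]]; then
        printf 'SOURCE_DATE_EPOCH must be a non-negative integer\n' >&2
        return 2
    fi
    # -h: set the time on a symlink itself rather than on its target.
    find "$dir" -exec touch -h -d "@$SOURCE_DATE_EPOCH" {} +
}

# Distinct file mtimes under a directory, one per line (sorted).
distinct_mtimes() {
    find "$1" -type f -exec stat -c %Y {} + | sort -u
}

# Shebang heuristic from the message: works for scripts with a shebang,
# says "unknown" for a plain module that has none.
guess_python_major() {
    local first=
    IFS= read -r first < "$1" || true
    case $first in
        '#!'*python3*) printf '3\n' ;;
        '#!'*python2*) printf '2\n' ;;
        '#!'*python*)  printf 'unversioned\n' ;;   # bare "python": ambiguous
        *)             printf 'unknown\n' ;;
    esac
}

# Constructed demo tree: a site-packages module without a shebang and a
# Sigil-style private plugin script under /usr/share, with differing mtimes.
make_demo_tree() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/lib/python3.6/site-packages/foo" "$dir/usr/share/sigil"
    printf 'def f():\n    return 1\n' \
        > "$dir/usr/lib/python3.6/site-packages/foo/__init__.py"
    printf '#!/usr/bin/env python3\nprint("hi")\n' \
        > "$dir/usr/share/sigil/plugin.py"
    touch -d '@1000000000' "$dir/usr/lib/python3.6/site-packages/foo/__init__.py"
    touch -d '@1400000000' "$dir/usr/share/sigil/plugin.py"
    printf '%s\n' "$dir"
}

# Stand-alone demo: arbitrary epoch, printed before/after mtime sets.
demo() {
    local dir
    dir=$(make_demo_tree)
    echo "before: $(distinct_mtimes "$dir" | tr '\n' ' ')"
    SOURCE_DATE_EPOCH=1494936000 unify_source_times "$dir"
    echo "after:  $(distinct_mtimes "$dir" | tr '\n' ' ')"
    echo "plugin.py -> $(guess_python_major "$dir/usr/share/sigil/plugin.py")"
    echo "__init__.py -> $(guess_python_major "$dir/usr/lib/python3.6/site-packages/foo/__init__.py")"
    rm -rf "$dir"
}
demo
```

Note that an unset variable and an empty one are treated the same here, matching how most SOURCE_DATE_EPOCH-aware tools behave; a caller who wants "opt in with the current time" has to pass an explicit value.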
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20170516/b4b96682/attachment.asc>