Bug#804339: dh-python: please pass --force to `setup.py install` to avoid non-determinstic shebangs and dependencies

[Chris Lamb]

Source: dh-python
Version: 2.20151103
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: randomness toolchain
X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org

Hi,

Whilst working on the "reproducible builds" effort [0], we noticed that 
dh-python non-deterministically creates packages with differing shebangs 
and--by extension--binary dependencies:

│ -#!/usr/bin/python3
│ +#!/usr/bin/python3.5

[..]

│ -Depends: python3-six, python3:any (>= 3.3.2-2~)
│ +Depends: python3-six, python3.5:any, python3:any (>= 3.3.2-2~)

This is caused by us building multiple Python versions into separate 
directories under {build_dir} but then installing them to the *same* {destdir}.

If any of these builds complete in under 1 second, distutils may decide to skip 
copying files to {destdir} as it incorrectly believes them to be up-to-date. 
This will result in a package arbitrarily containing scripts with different 
version shebangs and, by extension, binary dependencies.

A patch is attached that passes --force to `setup.py install [..]` which avoids 
the underling calls to distutils's `dep_util.newer` and always updates 
{destdir}.

 [0] https://wiki.debian.org/ReproducibleBuilds


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

diff --git a/dhpython/build/plugin_distutils.py 
b/dhpython/build/plugin_distutils.py
index ed139aa..7512cc8 100644
--- a/dhpython/build/plugin_distutils.py
+++ b/dhpython/build/plugin_distutils.py
@@ -107,7 +107,20 @@ class BuildSystem(Base):
             fpath = join(args['build_dir'], fname)
             rmtree(fpath) if isdir(fpath) else remove(fpath)
 
-        return '{interpreter.binary_dv} {setup_py} install --root {destdir} 
{args}'
+        # We pass --force to remove non-determinstic behaviour caused by us
+        # building multiple Python versions into separate directories under
+        # {build_dir} but then installing them to the *same* {destdir}.
+        #
+        # If any of these builds complete in under 1 second, distutils may
+        # decide to skip copying files to {destdir} as it incorrectly believes
+        # them to be up-to-date. This will result in a package arbitrarily
+        # containing scripts with different version shebangs and, by extension,
+        # binary dependencies.
+        #
+        # Passing --force here avoids the underling calls to distutils's
+        # `dep_util.newer` and always updates {destdir}.
+        #
+        return '{interpreter.binary_dv} {setup_py} install --force --root 
{destdir} {args}'
 
     @shell_command
     @create_pydistutils_cfg