Quick reproducibility protection:
https://github.com/apache/airflow/pull/57390
On Tue, Oct 28, 2025 at 12:34 AM Kaxil Naik <[email protected]> wrote:
Yeah I do use Py 3.10 as default for breeze.
On Mon, 27 Oct 2025 at 15:31, Jarek Potiuk <[email protected]> wrote:
Same diff :(). Tried on a different machine.
Interestingly enough the PR added by you 4 days ago also contains the
addition of the parentheses
https://github.com/apache/airflow-client-python/commit/241405e219eb76e9b43791466f3f4ed27d65a51a#diff-94fc09b38b570968d70d17aeb197363aefe1925a87a37b213b69b75ee2f4a357R65
We used fixed versions of all tools in the dockerfile.
And fix openapi generator: 7.13.0
First I found is that Python 3.10.19 image (previoulsly 3.10.18) has
been
released 4 days ago. I checked and used older version of Python 3.10 -
and
it was not it.
But then I found the reason. We are running patching of
trigger_dag_run_post_body.py in breeze. And there we are using AST:
source = TRIGGER_MODEL_PATH.read_text(encoding="utf-8")
tree = ast.parse(source)
LogicalDateDictPatch().visit(tree)
ast.fix_missing_locations(tree)
TRIGGER_MODEL_PATH.write_text(ast.unparse(tree),
encoding="utf-8")
This code is run in breeze, and when your breeze is installed with
python
3.10 it produces (), when you use 3.11+ to install breeze, it does not
add
the parentheses when "unparsing". So I guess your breeze is installed
with
Python 3.10.
You can check it with
uv tool list --show-python # will show you the python version used for
breeze
Then:
uv tool install -e ./dev/breeze --python python3.10
breeze release-management prepare-python-client --distribution-format
both
Followed by:
uv tool install -e ./dev/breeze --python python3.11
breeze release-management prepare-python-client --distribution-format
both
Will roduce .tar.gz files will differ by the extra () in Python 3.10
(you
can compare it with the "asf-dist" file with `diffoscope`
Very interesting case - just in time for the Reproducible Build Summit
:D.
And it also means that's it's a good idea that all our "manipulation"
of
the code runs inside the Dockerfile. not directly in Breeze (there
Python
version is fixed - to default version). i will fix it soon.
J.
On Mon, Oct 27, 2025 at 12:04 PM Kaxil Naik <[email protected]>
wrote:
Could you try the following from the Airflow repo:
git checkout python-client/3.1.0rc1
breeze release-management prepare-python-client --distribution-format
both
--python-client-repo "${CLIENT_REPO_ROOT}" --version-suffix ""
On Mon, 27 Oct 2025 at 08:31, Jarek Potiuk <[email protected]> wrote:
Kaxil - it would be good to know how you generated the client to
get
there
and fix the reproducibility issue.
BTW. Very related thing - I am going tonight to Vienna for two
days
to
take part in the "Reproducible Builds Summit"
https://reproducible-builds.org/news/2025/08/20/reproducible-builds-summit-in-vienna/
-> with the goal to make our builds permanently reproducible and
following
some emerging standards of reproducibility (there are things
brewing
and
the Summit is the place where things are not only talked but also
there
are
some workshops where I will attempt to apply those things I will
learn).
This will be extremely useful in the near future, when Apache
Trusted
Releases (
https://news.apache.org/foundation/entry/apache-trusted-releases-platform-begins-second-alpha
)
gets out of Alpha status - because having fully reproducible builds
is
the
prerequisite to release our software automatically via ASF-managed
build
infrastructure. This will mean that our releases will not only be
safer
and more secure, but will also have cryptographic attestations of
both
-
source provenance and managed and verified build process.
This is something that will make Airflow one of the first projects
in
the
ASF to make sort of a "golden standard" for supply-chain attack
prevention
(following the recent outbreak of things like xz (
https://en.wikipedia.org/wiki/XZ_Utils_backdoor), or more recent
shai-hulud
attack - self-replicating worm attacking 180+ packages (
https://www.trendmicro.com/en_us/research/25/i/npm-supply-chain-attack.html
).
We are also working in the security team to tighten our security
for
our
dependencies at release time as part of that effort.
J.
On Mon, Oct 27, 2025 at 9:17 AM Jarek Potiuk <[email protected]>
wrote:
+1 (binding): checked reproducibility, signatures, checksums
(licences
not
needed as we are using already checked and released "airflow"
sources
to
generate all client code).
I think there is a bit of discrepancy between the tag and
release.
I
run
a
reproducibility check and the code is slightly different (both
.sdist
and
whl are different).
├── apache_airflow_client-3.1.0.tar
│ ├── file list
│ │ @@ -164,15 +164,15 @@
│ │ -rw-r--r-- 0 0 0 7140 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/task_instance_response.py
│ │ -rw-r--r-- 0 0 0 1374 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/task_instance_state.py
│ │ -rw-r--r-- 0 0 0 6436 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/task_instances_batch_body.py
│ │ -rw-r--r-- 0 0 0 3152 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/task_instances_log_response.py
│ │ -rw-r--r-- 0 0 0 3019 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/task_outlet_asset_reference.py
│ │ -rw-r--r-- 0 0 0 6362 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/task_response.py
│ │ -rw-r--r-- 0 0 0 3083 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/time_delta.py
│ │ --rw-r--r-- 0 0 0 3641 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/trigger_dag_run_post_body.py
│ │ +-rw-r--r-- 0 0 0 3639 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/trigger_dag_run_post_body.py
│ │ -rw-r--r-- 0 0 0 3101 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/trigger_response.py
│ │ -rw-r--r-- 0 0 0 2920 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/triggerer_info_response.py
│ │ -rw-r--r-- 0 0 0 2997 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/update_hitl_detail_payload.py
│ │ -rw-r--r-- 0 0 0 3299 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/validation_error.py
│ │ -rw-r--r-- 0 0 0 5081 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/validation_error_loc_inner.py
│ │ -rw-r--r-- 0 0 0 5140 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/value.py
│ │ -rw-r--r-- 0 0 0 3159 2025-09-23
20:07:31.000000
apache_airflow_client-3.1.0/airflow_client/client/models/variable_body.py
│ ├──
apache_airflow_client-3.1.0/airflow_client/client/models/trigger_dag_run_post_body.py
│ │ @@ -58,15 +58,15 @@
│ │ * Fields in `self.additional_properties` are added
to
the
output dict.
│ │ """
│ │ excluded_fields: Set[str] =
set(['additional_properties'])
│ │ _dict = self.model_dump(by_alias=True,
exclude=excluded_fields, exclude_none=True)
│ │ if 'logical_date' not in _dict:
│ │ _dict['logical_date'] = None
│ │ if self.additional_properties is not None:
│ │ - for (_key, _value) in
self.additional_properties.items():
│ │ + for _key, _value in
self.additional_properties.items():
│ │ _dict[_key] = _value
│ │ return _dict
│ │
│ │ @classmethod
│ │ def from_dict(cls, obj: Optional[Dict[str, Any]]) ->
Optional[Self]:
│ │ """Create an instance of TriggerDAGRunPostBody from
a
dict"""
│ │ if obj is None:
I am not sure how the client was generated - and where the
difference
came
from - either different generator or our post-processing code (we
post-process the generated code to fix some of the generator
issues
->
https://github.com/apache/airflow/pull/50704 - or maybe that is
a
"black/ruff" formatting issue with different version of
ruff/black
used? But the difference is insignificant enough and easily
manually
verifiable, so that's not a reason for -1 (reproducibility for
now
is
optional check that can be followed by inspecting the
differences).
J.
On Mon, Oct 27, 2025 at 2:16 AM Kaxil Naik <[email protected]>
wrote:
Aah, yes thanks Jens. Files have been pushed.
On Sun, 26 Oct 2025 at 18:00, Jarek Potiuk <[email protected]>
wrote:
Ah.. I missed this one. Yeah - we need those.
On Sun, Oct 26, 2025 at 6:56 PM Jens Scheffler <
[email protected]
wrote:
Hi Kaxil,
finally wanted to make my PMC duties and check release but
needed
to
realize that ASC and SHA512 files are missing/not uploaded.
Can
you
please push them to SVN for validation?
Jens
On 22.10.25 22:26, Kaxil Naik wrote:
Hey fellow Airflowers,
I have cut the first release candidate for the Apache
Airflow
Python
Client
3.1.0.
This email is calling for a vote on the release,
which will last for 72 hours. Consider this my (binding)
+1.
Airflow Client 3.1.0rc1 is available at:
https://dist.apache.org/repos/dist/dev/airflow/clients/python/3.1.0rc1/
The apache_airflow_client-3.1.0.tar.gz is an sdist release
that
contains
INSTALL instructions, and also
is the official source release.
The apache_airflow_client-3.1.0-py3-none-any.whl is a
binary
wheel
release
that pip can install.
Those packages do not contain .rc* version as, when
approved,
they
will
be
released as the final version.
The rc packages are also available at PyPI (with rc
suffix)
and
you
can
install it with pip as usual:
https://pypi.org/project/apache-airflow-client/3.1.0rc1/
Public keys are available at:
https://dist.apache.org/repos/dist/release/airflow/KEYS
Only votes from PMC members are binding, but all members
of
the
community
are encouraged to test the release and vote with
"(non-binding)".
The test procedure for PMC members is described in:
https://github.com/apache/airflow/blob/main/dev/README_RELEASE_PYTHON_CLIENT.md#verify-the-release-candidate-by-pmc-members
The test procedure for contributors and members of the
community
who
would
like to test this RC is described in:
https://github.com/apache/airflow/blob/main/dev/README_RELEASE_PYTHON_CLIENT.md#verify-the-release-candidate-by-contributors
*Changelog*:
https://github.com/apache/airflow-client-python
/blob/3.1.0rc1/CHANGELOG.md
Regards,
Kaxil
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail:
[email protected]
