On 18/03/2017 07:20, Nick Coghlan wrote:
...........


While the reproducible builds effort started in Debian and is furthest
advanced there, it's not distro specific - interested developers working on
other distros were already looking into it, and the Core Infrastructure
Initiative has backed it as one of their security assurance initiatives.
Software Freedom Conservancy have a decent write-up on the current state of
things after December's Reproducible Builds Summit:
https://sfconservancy.org/blog/2016/dec/26/reproducible-builds-summit-report/

Thanks for this; it seems the emphasis is on security. If the intent is that reportlab should be able to reliably reproduce the same binary output, then I think I need to do more than just fix a couple of dates. We use many dictionary-like objects to produce PDF and I am not sure all are sorted by key during output.

Is there a way to excite dictionary ordering changes? I believe there was some way to modify the hashing introduced when the DoS dictionary attacks were an issue. Would it be sufficient to generate documents with, say, Python 2.7 and check against 3.6?


However, you'll probably want to make yourself a helper function that uses
SOURCE_DATE_EPOCH if defined, and falls back to the current time otherwise.
That way you'll get reproducible behaviour when a build system configures
the setting, while retaining your current behaviour for environments that
don't.

Good advice, and that's what I am doing.



Cheers,
Nick.

P.S. A question well worth asking for *us* is whether or not setting
SOURCE_DATE_EPOCH appropriately (if it isn't already set in the current
environment) should be part of the build system abstraction PEPs.



--
Robin Becker
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
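
An added example, not part of the original messages and not reportlab's code: a SOURCE_DATE_EPOCH helper with the fallback discussed above, plus a check that runs a generator under several values of CPython's PYTHONHASHSEED setting to expose output that depends on hash ordering. The names build_time, GENERATOR and output_digests, the sample keys and the epoch value are constructed for illustration.

```python
import datetime
import hashlib
import os
import subprocess
import sys


def build_time(environ=None):
    """Build timestamp (aware UTC): SOURCE_DATE_EPOCH if set, else now."""
    environ = os.environ if environ is None else environ
    raw = environ.get("SOURCE_DATE_EPOCH")
    if raw is None:
        return datetime.datetime.now(datetime.timezone.utc)
    try:
        epoch = int(raw)  # integer seconds since the Unix epoch
    except ValueError:
        raise ValueError("SOURCE_DATE_EPOCH must be an integer, got %r" % raw)
    return datetime.datetime.fromtimestamp(epoch, datetime.timezone.utc)


# Constructed stand-in for a document generator. A set is used because str
# hashes, and so set iteration order, vary with the hash seed; current
# CPython dicts iterate in insertion order and would not show the effect.
GENERATOR = r"""
import os, sys
keys = {"Title", "Author", "Producer", "CreationDate", "Subject", "Keywords"}
order = sorted(keys) if sys.argv[1] == "sorted" else list(keys)
print(os.environ.get("SOURCE_DATE_EPOCH", "unset"), " ".join(order))
"""


def output_digests(mode, seeds=range(8), epoch="1489821600"):
    """Run GENERATOR once per hash seed; return the set of SHA-256 digests."""
    digests = set()
    for seed in seeds:
        # Pin both sources of variation: the hash seed and the build time.
        env = dict(os.environ, PYTHONHASHSEED=str(seed), SOURCE_DATE_EPOCH=epoch)
        out = subprocess.check_output(
            [sys.executable, "-c", GENERATOR, mode], env=env)
        digests.add(hashlib.sha256(out).hexdigest())
    return digests


if __name__ == "__main__":
    # More than one digest means the output depends on hash ordering.
    print("unsorted:", len(output_digests("unsorted")), "distinct outputs")
    print("sorted:  ", len(output_digests("sorted")), "distinct outputs")
```

A single digest across all seeds is the property a reproducible build needs; more than one points at an unsorted container somewhere in the output path.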
