#37159: Implement reproducible builds
-------------------------------------+-------------------------------------
     Reporter:  Jacob Walls          |                     Type:  Cleanup/optimization
       Status:  new                  |                Component:  Packaging
      Version:  dev                  |                 Severity:  Normal
     Keywords:                       |             Triage Stage:  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 When building Django artifacts, if the build is
 [https://reproducible-builds.org/ reproducible], then consumers can verify
 that an artifact was built from the revision it claims to be built from,
 and releasers can also confirm with each other (or with CI) before
 publishing.

 Florian
 [https://forum.djangoproject.com/t/adopt-pep-740-digital-attestations-for-django-releases/42460/18 mentioned]
 on the forum we are likely to want this:

 > Independent of whether any attestation might be a good idea or not, the
 > first steps imo are reproducible builds. We might even have them without
 > knowing it (or via slight adjustments only) since all in all we are just
 > packing up some files from a known revision in a tar/zip and we mostly
 > just need to fix timestamps (we don’t have to worry about compiled code
 > etc). This way it is possible to verify the built release by multiple
 > people before publishing. This makes a compromise of an individual machine
 > even less likely/useful. The next step would be to build the release in CI
 > as well providing another verifier for the reproducible build.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/37159>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
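
The check the ticket describes (pack files from a known revision, fix the timestamps, compare results between builders), as an added example that is not part of the ticket or of Django's release tooling. `build_tarball`, `demo`, the `example-1.0` prefix and the default epoch are hypothetical names and constructed values; `SOURCE_DATE_EPOCH` is the reproducible-builds.org convention for the fixed build timestamp.

```python
import gzip, hashlib, io, os, tarfile, tempfile

def build_tarball(src_dir, epoch, prefix="example-1.0"):
    """Return .tar.gz bytes that depend only on file paths, contents and exec bit."""
    def normalize(info):
        info.mtime = int(epoch)             # fixed timestamp, not the checkout time
        info.uid = info.gid = 0             # drop the builder's identity
        info.uname = info.gname = ""
        info.mode = 0o755 if info.mode & 0o100 else 0o644  # ignore local umask
        return info

    # os.walk order depends on the filesystem, so sort the relative paths.
    rels = sorted(
        os.path.relpath(os.path.join(root, name), src_dir).replace(os.sep, "/")
        for root, _dirs, files in os.walk(src_dir) for name in files)
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for rel in rels:
            tar.add(os.path.join(src_dir, rel), arcname=f"{prefix}/{rel}",
                    filter=normalize)
    out = io.BytesIO()
    # filename="" and a fixed mtime keep the gzip header identical between runs.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=int(epoch)) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def demo():
    """Build the same constructed tree twice with different on-disk mtimes."""
    epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "1700000000"))  # constructed default
    digests = []
    for touched_at in (1_000_000_000, 1_500_000_000):  # simulates two checkouts
        with tempfile.TemporaryDirectory() as tree:
            os.makedirs(os.path.join(tree, "pkg"))
            for rel, body in (("pkg/__init__.py", b"VERSION = (1, 0)\n"),
                              ("README.txt", b"constructed sample\n")):
                path = os.path.join(tree, *rel.split("/"))
                with open(path, "wb") as fh:
                    fh.write(body)
                os.utime(path, (touched_at, touched_at))
            digests.append(hashlib.sha256(build_tarball(tree, epoch)).hexdigest())
    return digests

if __name__ == "__main__":
    first, second = demo()
    print(first, "reproducible" if first == second else "MISMATCH")
```

The compressed bytes still depend on the Python and zlib versions in use, so builders comparing digests need the same toolchain or should compare the uncompressed tar stream.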
