Ronald Klop wrote:

> There is a website about this.
> https://reproducible-builds.org/docs/source-date-epoch/
>
> From: Tatsuki Makino <[email protected]>
> Date: Tuesday, 11 November 2025 10:17
> To: Charlie Li <[email protected]>, cen <[email protected]>, [email protected]
> Subject: Re: Reproducible builds of ports
>
> Ah, I see, so it was a topic in that direction :)
> ELF format itself doesn't, by default, include information such as the compilation timestamp, maybe.
> Even code that uses preprocessor __DATE__ and __TIME__ won't be reproducible unless we stop the clock, maybe.
> At the very least, we can't make the parts involving such times match perfectly, can we? :)

For CPython, SOURCE_DATE_EPOCH is but a small piece of the puzzle. The clarifying ask of this thread was for "bit-for-bit reproducibility".
There is support for deterministic hash-based validation instead of timestamp validation [0], but it does not address other aspects of the CPython bytecode format that make different run outputs not bit-for-bit identical. [1] The biggest other issue is hash randomisation. [2]

Hash randomisation, enabled by default, mitigates against classes of denial-of-service conditions. [3] Sure, disabling this default behaviour by setting a static seed value can make the resulting bytecode to be packaged bit-for-bit identical. This is what other system package distributions like openSUSE, Gentoo and Arch have been doing. However, this reintroduces the DoS conditions for users of the packages outside of a build context. Not good.
Based on current realities, the only way to get closer to bit-for-bit is to not package bytecode at all. Also not good, [0] not least since the CPython execution model always compiles bytecode at runtime if a compiled cache does not already exist.
[0] https://peps.python.org/pep-0552/
[1] https://github.com/python/cpython/issues/73894
[2] http://benno.id.au/blog/2013/01/15/python-determinism (main site seems to be dead, use Internet Archive Wayback Machine)
[3] https://docs.python.org/3/using/cmdline.html#cmdoption-R

-- 
Charlie Li
...nope, still don't have an exit line.
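The following is an added illustration of the two mechanisms the message above distinguishes; it is not code from the thread or from CPython itself. It compiles a small constructed module under the three PEP 552 invalidation modes and decodes the 16-byte pyc header, showing that the timestamp-based header moves whenever the source mtime moves while the hash-based header depends only on the source bytes. It also spawns child interpreters with a fixed PYTHONHASHSEED to show the seed-pinning that the message says distributions use. Whether the full hash-based pyc comes out byte-identical across compilations is reported but deliberately not assumed, since that is exactly the open issue in [1]. Only the standard library is used; the sample module text is constructed for this example.

```python
import importlib.util
import os
import py_compile
import struct
import subprocess
import sys
import tempfile

# Constructed sample module (not from the thread). The frozenset literal is the kind
# of constant whose marshalled layout has historically depended on hash ordering.
SAMPLE_SOURCE = b'''\
# constructed example module
NAMES = frozenset({"alpha", "beta", "gamma"})

def greet(who):
    return "hello " + who
'''

PYC_HEADER_LEN = 16  # magic(4) + flags(4) + (mtime(4) + size(4)  |  source_hash(8))


def compile_to_pyc(src_path, pyc_path, mode):
    """Compile src_path into pyc_path with an explicit PycInvalidationMode; return the file bytes."""
    py_compile.compile(src_path, cfile=pyc_path, invalidation_mode=mode, doraise=True)
    with open(pyc_path, "rb") as f:
        return f.read()


def parse_pyc_header(data):
    """Decode the PEP 552 pyc header.

    flags bit 0: hash-based pyc (otherwise timestamp-based)
    flags bit 1: verify the source hash at import time (CHECKED_HASH)
    """
    (flags,) = struct.unpack("<I", data[4:8])
    info = {"magic": data[:4], "flags": flags,
            "hash_based": bool(flags & 0b01), "check_source": bool(flags & 0b10)}
    if info["hash_based"]:
        info["source_hash"] = data[8:16]
    else:
        info["mtime"], info["size"] = struct.unpack("<II", data[8:16])
    return info


def hash_with_seed(seed):
    """Return hash("alpha") as computed by a child interpreter started with PYTHONHASHSEED=seed.

    Seed 0 disables randomisation, which is the trade-off the message describes: stable
    output, but the DoS hardening from [3] is gone for whoever runs with that setting.
    """
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.run([sys.executable, "-c", "print(hash('alpha'))"],
                         env=env, capture_output=True, text=True, check=True)
    return int(out.stdout.strip())


def demo():
    """Compile the sample module in all three modes and report what the header depends on."""
    ts_mode = py_compile.PycInvalidationMode.TIMESTAMP
    ch_mode = py_compile.PycInvalidationMode.CHECKED_HASH
    uh_mode = py_compile.PycInvalidationMode.UNCHECKED_HASH
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sample_mod.py")
        with open(src, "wb") as f:
            f.write(SAMPLE_SOURCE)

        # Pin the source mtime so the timestamp header is predictable.
        os.utime(src, (1_700_000_000, 1_700_000_000))
        ts_a = compile_to_pyc(src, os.path.join(tmp, "ts_a.pyc"), ts_mode)
        ch_a = compile_to_pyc(src, os.path.join(tmp, "ch_a.pyc"), ch_mode)
        uh_a = compile_to_pyc(src, os.path.join(tmp, "uh_a.pyc"), uh_mode)

        # Same source bytes, different mtime: only the file system time moved.
        os.utime(src, (1_600_000_000, 1_600_000_000))
        ts_b = compile_to_pyc(src, os.path.join(tmp, "ts_b.pyc"), ts_mode)
        ch_b = compile_to_pyc(src, os.path.join(tmp, "ch_b.pyc"), ch_mode)

    return {
        "timestamp": parse_pyc_header(ts_a),
        "checked_hash": parse_pyc_header(ch_a),
        "unchecked_hash": parse_pyc_header(uh_a),
        # py_compile stores importlib.util.source_hash(source_bytes) in hash-based pycs.
        "expected_source_hash": importlib.util.source_hash(SAMPLE_SOURCE),
        "timestamp_header_stable": ts_a[:PYC_HEADER_LEN] == ts_b[:PYC_HEADER_LEN],
        "hash_header_stable": ch_a[:PYC_HEADER_LEN] == ch_b[:PYC_HEADER_LEN],
        # Whole-file comparison: the header is stable, the marshalled body is the part
        # that [1] and [2] discuss, so this is reported rather than taken for granted.
        "hash_pyc_identical": ch_a == ch_b,
    }


if __name__ == "__main__":
    result = demo()
    for key in ("timestamp", "checked_hash", "unchecked_hash"):
        print(key, result[key])
    print("timestamp header stable across mtime change:", result["timestamp_header_stable"])
    print("hash header stable across mtime change:     ", result["hash_header_stable"])
    print("whole hash-based pyc identical:              ", result["hash_pyc_identical"])
    print("hash('alpha') with PYTHONHASHSEED=0, twice:  ", hash_with_seed(0), hash_with_seed(0))
```

Running it shows the timestamp header carrying the pinned mtime and source size, and both hash-based headers carrying the same 8-byte source hash with flags 3 (checked) and 1 (unchecked). The header is the part PEP 552 fixed; comparing the whole files is the part that remains open.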
