On Monday, January 12, 2015 at 11:59:53 AM UTC+1, Thierry 
(sage-googlesucks@xxx) wrote:
>
> Another mid-term compromise could be to strip some few upstream source, 
> but in a checkable and reproducible manner, that is, with a spkg-src 
> script that will produce deterministic tarballs, so that anyone (in 
> particular the reviewer) can re-run the script and check the hashsums. By 
> default, tarballs are quite volatile because of timestamps and ownership, 
> also the file ordering seems to depend on the computer, the POSIX format 
> is nondeterministic, and I may have missed some other subtleties.
>

Perhaps you could use the Python tarfile module to build that file in a 
more portable way? I would hope that the tar file assembly itself does not 
depend on code outside the CPython codebase. Subsequent compression might 
of course be implemented in third-party libraries, and therefore lead to 
unexpected results. To avoid that, it might be feasible to hashsum the 
uncompressed stream, either exclusively or as a fallback if the compressed 
stream hash doesn't match.

$ python2.7
>>> import tarfile
>>> intar = tarfile.open("matplotlib-1.4.2.tar.gz")
>>> outtar = tarfile.open("matplotlib-1.4.2.tar.bz2", "w:bz2")
>>> tostrip = "matplotlib-1.4.2/lib/matplotlib/tests/baseline_images/"
>>> for i in intar:
...     if not i.name.startswith(tostrip):
...         outtar.addfile(i)
... 
>>> outtar.close()
>>>
$ bzcat matplotlib-1.4.2.tar.bz2 | shasum -b matplotlib-1.4.2.tar.bz2 -
3f929139a72d5ada741568100b1420575c12f637 *matplotlib-1.4.2.tar.bz2
fe26c0153727a599f0a3db98f07b548367d9d272 *-
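
Added example, not part of the original message: one way to repack a tarball so that the uncompressed stream hashes the same on every machine, by fixing the member order, timestamps, ownership and header format mentioned in the quoted text. The names strip_tar, make_sample and demo, the sample files, and the choice of GNU header format and SHA-256 are assumptions made for this sketch.

```python
import hashlib
import io
import tarfile

# Constructed sample content; not taken from any real package.
FILES = {
    "pkg/setup.py": b"print('hi')\n",
    "pkg/tests/baseline_images/a.png": b"\x89PNG fake",
    "pkg/lib/mod.py": b"x = 1\n",
}
STRIP = "pkg/tests/baseline_images/"

def strip_tar(src_bytes, strip_prefix):
    """Repack a tar archive without strip_prefix; return the raw tar stream."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(src_bytes), mode="r:*") as src, \
            tarfile.open(fileobj=out, mode="w", format=tarfile.GNU_FORMAT) as dst:
        # Sort by name so the member order of the input does not matter.
        for member in sorted(src.getmembers(), key=lambda m: m.name):
            if member.name.startswith(strip_prefix):
                continue
            # Drop the volatile metadata: timestamps and ownership.
            member.mtime = 0
            member.uid = member.gid = 0
            member.uname = member.gname = ""
            # addfile() writes only the header unless it is given the data.
            data = src.extractfile(member) if member.isfile() else None
            dst.addfile(member, data)
    return out.getvalue()

def make_sample(order, mtime, uid):
    """Build a .tar.gz of FILES with the given order, timestamp and owner."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in order:
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.uid = len(FILES[name]), mtime, uid
            tar.addfile(info, io.BytesIO(FILES[name]))
    return buf.getvalue()

def demo():
    """Hash the stripped stream of two inputs that differ only in metadata."""
    names = sorted(FILES)
    a = strip_tar(make_sample(names, 1421060393, 1000), STRIP)
    b = strip_tar(make_sample(names[::-1], 1, 0), STRIP)
    return hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()

if __name__ == "__main__":
    print(demo())
```

The hash is taken over the uncompressed stream, so whichever compressor is applied afterwards does not affect the comparison.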
