building reproducible tarballs #542
It should be more or less reproducible anyway - we're using SOURCE_DATE_EPOCH and normalising file ownership and permissions when creating the sdist. But I don't think it's particularly easy to test this automatically (because you want to check that the results are the same across things like different platforms), so there may well be inconsistencies that have crept in. Fixes welcome!
flit/flit_core/flit_core/sdist.py Lines 18 to 34 in 048c87c
flit/flit_core/flit_core/sdist.py Lines 167 to 168 in 048c87c
|
Looks like with SOURCE_DATE_EPOCH set, the tarball and wheel are both reproducible. And they match whether |
Very nice indeed, thanks for looking into it. So perhaps all that's needed is a note about that, e.g.
amended to
Though having a re-build step on a different OS/container might be interesting. I have found that Windows has... problems. |
They won't be reliably reproducible between |
Note that if you use one of those specifically (either build or flit), the distributions generated will be reproducible. |
Given that source tarballs built by flit are reproducible already, is there anything actionable here? Update: yes, a documentation update. :) |
Ah, nvm me, I need to read things more carefully. 😅 |
I thought the main source of OS reproducibility issues was undefined file emitting order from directories which you just have to mitigate by sorting your input files by filenames. |
Yup, and we should be ensuring things are sorted, e.g.:
flit/flit_core/flit_core/common.py Lines 87 to 94 in 3f1ed8b
flit/flit_core/flit_core/common.py Lines 442 to 447 in 3f1ed8b
|
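The measures named in the comments above (a timestamp pinned from SOURCE_DATE_EPOCH, normalised ownership and permissions, sorted file order) can be seen working together in the following added example, which is not flit's code and not part of the thread. The function names, the fallback timestamp and the two constructed "builder" inputs are assumptions made for illustration.

```python
import gzip
import hashlib
import io
import os
import tarfile

def normalise(ti, mtime):
    """Drop metadata that differs between build machines."""
    ti.uid = ti.gid = 0
    ti.uname = ti.gname = ""
    ti.mtime = mtime
    # Keep only the executable bit so the builder's umask does not leak in.
    ti.mode = 0o755 if ti.mode & 0o100 else 0o644
    return ti

def build_tarball(files, mtime):
    """files: iterable of (archive_name, data_bytes, mode). Returns .tar.gz bytes."""
    buf = io.BytesIO()
    # The gzip header has its own timestamp and optional filename: pin both.
    with gzip.GzipFile(filename="", fileobj=buf, mode="wb", mtime=mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.PAX_FORMAT) as tf:
            # Directory listing order is filesystem-dependent, so sort by name.
            for name, data, mode in sorted(files):
                ti = tarfile.TarInfo(name)
                ti.size = len(data)
                ti.mode = mode
                tf.addfile(normalise(ti, mtime), io.BytesIO(data))
    return buf.getvalue()

def members(blob):
    """(name, mode, uid, mtime) for each archive member, in stored order."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        return [(m.name, m.mode, m.uid, m.mtime) for m in tf.getmembers()]

# Constructed inputs: the same tree as seen by two builders with different
# directory listing order and umask (022 vs 002).
BUILDER_A = [("pkg-1.0/pkg/__init__.py", b"x = 1\n", 0o644),
             ("pkg-1.0/pyproject.toml", b"[project]\n", 0o644),
             ("pkg-1.0/run.sh", b"#!/bin/sh\n", 0o755)]
BUILDER_B = [("pkg-1.0/run.sh", b"#!/bin/sh\n", 0o775),
             ("pkg-1.0/pyproject.toml", b"[project]\n", 0o664),
             ("pkg-1.0/pkg/__init__.py", b"x = 1\n", 0o664)]

if __name__ == "__main__":
    # Fallback value is an assumption of this example.
    ts = int(os.environ.get("SOURCE_DATE_EPOCH", 1700000000))
    for files in (BUILDER_A, BUILDER_B):
        print(hashlib.sha256(build_tarball(files, ts)).hexdigest())
```

Byte-for-byte equality of the .tar.gz also depends on the compressor producing the same output on both machines; comparing the decompressed tar stream removes that variable when checking across platforms.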
Over on ipython, @Carreau has been using the retar script to post-process sdist tarballs to be SOURCE_DATE_EPOCH-aware.
It has no dependencies, so if all the licensing is copacetic, what about adopting that behavior to complement the whl-based ones in flit?
Noted on jupyterhub/team-compass#502 (comment)