Use deterministic time for generated sdist files #142
When generating setup.py and PKG-INFO files, ensure that generated files use a deterministic timestamp to enhance reproducibility of source distributions.
7bca967 to ee3989e
I propose that this code should use cf. https://reproducible-builds.org/docs/source-date-epoch/ (Maybe setting this should even be required, and the timestamp left unchanged if the variable is not set.)
As suggested earlier, I would propose to use SOURCE_DATE_EPOCH. Defaulting to 0 if it is not set might be ok, I am not sure of that. I somehow tend toward leaving the current timestamp as default.
tar_info.mtime = 0 | ||
tar_info = self.clean_tarinfo(tar_info) |
tar_info.mtime = 0 | |
tar_info = self.clean_tarinfo(tar_info) | |
tar_info.mtime = int(os.environ.get("SOURCE_DATE_EPOCH", 0)) | |
tar_info = self.clean_tarinfo(tar_info) |
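Review bot: int(os.environ.get("SOURCE_DATE_EPOCH", 0)) on the added tar_info.mtime line raises ValueError when the variable is set but empty or not a decimal integer, so a stray value in the build environment aborts archive creation with a bare traceback. Validate the value first and fail with a message that names SOURCE_DATE_EPOCH, or fall back to 0 explicitly.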
tar_info.mtime = 0 | ||
tar_info = self.clean_tarinfo(tar_info) |
tar_info.mtime = 0 | |
tar_info = self.clean_tarinfo(tar_info) | |
tar_info.mtime = int(os.environ.get("SOURCE_DATE_EPOCH", 0)) | |
tar_info = self.clean_tarinfo(tar_info) |
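Review bot: the environment lookup on the added tar_info.mtime line repeats the one in the earlier suggestion, so the same parsing would live at two call sites. Read SOURCE_DATE_EPOCH once in a small helper and assign its result in both places, so the generated files cannot end up with different timestamps if one site is changed later.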
Oh, quoting from https://reproducible-builds.org/specs/source-date-epoch/ , it seems that honouring this variable is a MUST to comply with the reproducible builds standard. I was not aware of this. As such, I make my proposal a bit harder ;). It also talks about "timestamp clamping", which says that all timestamps that do not use the value from this variable must be earlier, so
Had a chat with the people from reproducible-builds.org. It seems there were a few misunderstandings on my side:
So if the maintainers want to keep it simple, just sticking with 0 seems fine.
@stephsamson It seems you reviewed this PR. Did you take my comments into account?
@Natureshadow for the purposes of this PR, I think that keeping
@stephsamson Yes, I did say that using
@Natureshadow I think that your suggestion, specifically for checking
When generating setup.py and PKG-INFO files, ensure that generated
files use a deterministic timestamp to enhance reproducibility of
source distributions.
Resolves: python-poetry/poetry#1102
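
The behaviour discussed in this thread, as an added example that is not Poetry's code: an in-memory sdist builder that takes its timestamp from SOURCE_DATE_EPOCH, falls back to 0 as the thread settles on, and also pins the gzip header time. The names `source_date_epoch`, `build_sdist`, `member_mtimes`, `digest` and the sample files are assumptions made for illustration.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample input standing in for the generated sdist files.
SAMPLE = {
    "demo-0.1.0/setup.py": b"from setuptools import setup\nsetup(name='demo')\n",
    "demo-0.1.0/PKG-INFO": b"Metadata-Version: 2.1\nName: demo\nVersion: 0.1.0\n",
}


def source_date_epoch(environ, default=0):
    """Return SOURCE_DATE_EPOCH as an int, or `default` when it is unset."""
    raw = environ.get("SOURCE_DATE_EPOCH")
    if raw is None:
        return default
    # Reject empty or non-numeric values instead of letting int() guess.
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError(f"SOURCE_DATE_EPOCH must be a decimal integer, got {raw!r}")
    return int(raw)


def build_sdist(files, environ):
    """Pack {name: bytes} into .tar.gz bytes that depend only on the inputs."""
    mtime = source_date_epoch(environ)
    buf = io.BytesIO()
    # tarfile's "w:gz" mode offers no parameter for the gzip header timestamp,
    # so wrap the stream ourselves and pin the gzip mtime as well.
    with gzip.GzipFile(filename="", fileobj=buf, mode="wb", mtime=mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            for name in sorted(files):  # fixed member order
                info = tarfile.TarInfo(name)
                info.size = len(files[name])
                info.mtime = mtime
                info.mode = 0o644
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def member_mtimes(archive):
    """Return the set of mtimes recorded for the members of a .tar.gz."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return {member.mtime for member in tar.getmembers()}


def digest(archive):
    return hashlib.sha256(archive).hexdigest()
```

Comparing `digest()` of two independent builds is the check a downstream verifier would run to confirm the archive is reproducible.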