On 02/01/2018 04:21 PM, Nick Coghlan wrote:
> On 1 February 2018 at 23:54, Petr Viktorin pviktori@redhat.com wrote:
>> Honestly, I'm not sure we want to use this in Fedora. Is anyone here into reproducible builds, to make a better argument for this?
>
> I believe rpmbuild (et al) all set SOURCE_DATE_EPOCH in the environment, so Fedora's likely to get the new CHECKED_HASH behaviour by default: https://docs.python.org/dev/library/py_compile.html#py_compile.compile

Wait. These docs say "invalidation_mode will be forced to PycInvalidationMode.CHECKED_HASH", which sounds quite scary. Is it possible to use UNCHECKED_HASH with SOURCE_DATE_EPOCH?
(I don't think we use SOURCE_DATE_EPOCH now, but we might in the future.)

> Given that SELinux typically won't allow user applications to rewrite the bytecode anyway, we may want to specify the use of UNCHECKED_HASH at build time instead - with that setting, Python will ignore source file changes entirely, and trust that RPM will keep the source and pyc files consistent.

And it lets us... avoid a stat call per import? I still fail to see the advantage :(
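
The three invalidation modes discussed in this thread, as an added example that is not part of the original messages: it reads the PEP 552 header of a `.pyc` to report which mode it was built with and whether it still matches its source, then shows what the importer does once the source has drifted. The module contents, the helper names `inspect_pyc` and `demo`, and the explicit `invalidation_mode` argument (honoured regardless of SOURCE_DATE_EPOCH from Python 3.7.2 on) are assumptions of the example.

```python
import importlib.util
import os
import py_compile
import struct
import tempfile


def inspect_pyc(pyc_path, source_path):
    """Return (mode, fresh) from the 16-byte PEP 552 header of a .pyc:
    the recorded invalidation mode, and whether it still matches the source."""
    with open(pyc_path, "rb") as f:
        header = f.read(16)
    if len(header) < 16 or header[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("not a .pyc written by this interpreter version")
    (flags,) = struct.unpack("<I", header[4:8])
    if flags & 0b01:  # bit 0 set: bytes 8..16 hold a hash of the source
        with open(source_path, "rb") as f:
            fresh = header[8:16] == importlib.util.source_hash(f.read())
        # bit 1 set: the importer re-hashes the source on every import
        return ("CHECKED_HASH" if flags & 0b10 else "UNCHECKED_HASH"), fresh
    mtime, size = struct.unpack("<II", header[8:16])  # classic mtime + size
    st = os.stat(source_path)
    fresh = (mtime, size) == (int(st.st_mtime) & 0xFFFFFFFF, st.st_size & 0xFFFFFFFF)
    return "TIMESTAMP", fresh


def demo():
    """For each mode: compile a constructed module, edit its source, then
    report (mode in header, header fresh?, VALUE the importer returns)."""
    results = {}
    for mode in py_compile.PycInvalidationMode:
        with tempfile.TemporaryDirectory() as tmp:
            src = os.path.join(tmp, "mod.py")
            with open(src, "w") as f:
                f.write("VALUE = 1\n")
            pyc = py_compile.compile(src, doraise=True, invalidation_mode=mode)
            with open(src, "w") as f:  # simulate the source drifting from the .pyc
                f.write("VALUE = 2  # edited after compilation\n")
            recorded, fresh = inspect_pyc(pyc, src)
            spec = importlib.util.spec_from_file_location("mod_" + mode.name, src)
            module = importlib.util.module_from_spec(spec)
            spec.loader.exec_module(module)
            results[mode.name] = (recorded, fresh, module.VALUE)
    return results


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

Only the UNCHECKED_HASH build keeps executing the old bytecode after the edit, so a check like `inspect_pyc` run over installed files is what tells you whether the packaging kept source and bytecode consistent.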