On 01. 02. 18 16:25, Neal Gompa wrote:
> On Thu, Feb 1, 2018 at 10:21 AM, Nick Coghlan <ncoghlan@gmail.com> wrote:
>> On 1 February 2018 at 23:54, Petr Viktorin <pviktori@redhat.com> wrote:
>>> Honestly, I'm not sure we want to use this in Fedora. Is anyone here into reproducible builds, to make a better argument for this?
>> I believe rpmbuild (et al) all set SOURCE_DATE_EPOCH in the environment, so Fedora's likely to get the new CHECKED_HASH behaviour by default: https://docs.python.org/dev/library/py_compile.html#py_compile.compile
>> Given that SELinux typically won't allow user applications to rewrite the bytecode anyway, we may want to specify the use of UNCHECKED_HASH at build time instead - with that setting, Python will ignore source file changes entirely, and trust that RPM will keep the source and pyc files consistent.
> We have not set this to be on in Fedora. It's still switched off by default. To the best of my knowledge, the only distribution doing it so far is openSUSE.
This is now set in Fedora:
https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/57
Now all Python pyc files (except python3 itself) are in CHECKED_HASH mode. We need to figure this out.
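To make the two modes discussed above concrete, here is an added example (not code from this thread or from Fedora's packaging): it compiles a constructed module with py_compile in CHECKED_HASH and UNCHECKED_HASH modes, reads the PEP 552 header flags, replicates the import system's decision after the source is edited, and shows that leaving invalidation_mode unset yields CHECKED_HASH whenever SOURCE_DATE_EPOCH is in the environment (the rpmbuild case). Requires Python 3.7 or later.

```python
import os
import py_compile
import tempfile
from importlib.util import source_hash
from py_compile import PycInvalidationMode

SRC_V1 = b"X = 1\n"  # constructed source of a hypothetical module
SRC_V2 = b"X = 2\n"  # the same module after a local edit


def header_of(pyc_path):
    """Return (flags, payload) from the 16-byte pyc header: magic, flags, then
    mtime+size (timestamp mode) or the 8-byte source hash (hash-based modes).
    flags bit 0 = hash-based, bit 1 = re-check the source on every import."""
    with open(pyc_path, "rb") as f:
        hdr = f.read(16)
    return int.from_bytes(hdr[4:8], "little"), hdr[8:16]


def stale_after_edit(mode):
    """Compile SRC_V1 in a hash-based `mode`, overwrite the source with SRC_V2,
    and replicate the import system's decision. Returns (flags, detected)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, pyc = os.path.join(tmp, "mod.py"), os.path.join(tmp, "mod.pyc")
        with open(src, "wb") as f:
            f.write(SRC_V1)
        py_compile.compile(src, cfile=pyc, invalidation_mode=mode, doraise=True)
        flags, payload = header_of(pyc)
        with open(src, "wb") as f:
            f.write(SRC_V2)
        if flags & 0b10:  # CHECKED_HASH: the loader rehashes the source
            detected = payload != source_hash(SRC_V2)
        else:             # UNCHECKED_HASH: the loader trusts the pyc as-is
            detected = False
        return flags, detected


def default_mode_flags(source_date_epoch):
    """Compile with invalidation_mode unset and return the flags word: 0b11
    (CHECKED_HASH) when SOURCE_DATE_EPOCH is set, 0 (TIMESTAMP) otherwise."""
    saved = os.environ.pop("SOURCE_DATE_EPOCH", None)
    try:
        if source_date_epoch is not None:
            os.environ["SOURCE_DATE_EPOCH"] = source_date_epoch
        with tempfile.TemporaryDirectory() as tmp:
            src = os.path.join(tmp, "mod.py")
            with open(src, "wb") as f:
                f.write(SRC_V1)
            return header_of(py_compile.compile(src, cfile=src + "c", doraise=True))[0]
    finally:
        os.environ.pop("SOURCE_DATE_EPOCH", None)
        if saved is not None:
            os.environ["SOURCE_DATE_EPOCH"] = saved
```

With UNCHECKED_HASH the edited source is never noticed, which is exactly why that mode only makes sense where something else (here RPM plus SELinux) guarantees the pair stays consistent.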