On 1 February 2018 at 23:54, Petr Viktorin pviktori@redhat.com wrote:
Honestly, I'm not sure we want to use this in Fedora. Is anyone here into reproducible builds, to make a better argument for this?
I believe rpmbuild (et al) all set SOURCE_DATE_EPOCH in the environment, so Fedora's likely to get the new CHECKED_HASH behaviour by default: https://docs.python.org/dev/library/py_compile.html#py_compile.compile
Given that SELinux typically won't allow user applications to rewrite the bytecode anyway, we may want to specify the use of UNCHECKED_HASH at build time instead - with that setting, Python will ignore source file changes entirely, and trust that RPM will keep the source and pyc files consistent.
Cheers, Nick.
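An added example, not part of the original message, showing the difference between the two hash modes discussed above: it compiles a constructed module, edits the source afterwards, and returns the pyc header flags together with the value an import then sees. The module name `demo_mod`, the helper names and the SOURCE_DATE_EPOCH value are assumptions made for illustration; it needs Python 3.7.2 or later.

```python
import importlib.util
import os
import py_compile
import tempfile
from py_compile import PycInvalidationMode


def pyc_header(pyc_path):
    """Decode the 16-byte .pyc header (PEP 552): magic, flags, then hash or mtime+size."""
    with open(pyc_path, "rb") as f:
        header = f.read(16)
    flags = int.from_bytes(header[4:8], "little")
    return {"hash_based": bool(flags & 0b01), "check_source": bool(flags & 0b10),
            "payload": header[8:16]}


def load_value(src_path):
    """Load the module with the standard source loader, which consults the cached pyc."""
    spec = importlib.util.spec_from_file_location("demo_mod", src_path)
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
    return mod.VALUE


def compile_then_edit(mode=None, epoch=None):
    """Compile a constructed module, change its source, return (header, VALUE on import)."""
    saved = os.environ.pop("SOURCE_DATE_EPOCH", None)
    if epoch is not None:
        os.environ["SOURCE_DATE_EPOCH"] = epoch
    try:
        with tempfile.TemporaryDirectory() as d:
            src = os.path.join(d, "demo_mod.py")
            with open(src, "w", newline="\n") as f:
                f.write("VALUE = 1\n")
            pyc = py_compile.compile(src, invalidation_mode=mode, doraise=True)
            header = pyc_header(pyc)
            with open(src, "w", newline="\n") as f:
                f.write("VALUE = 2\n")  # source modified after the build
            return header, load_value(src)
    finally:
        os.environ.pop("SOURCE_DATE_EPOCH", None)
        if saved is not None:
            os.environ["SOURCE_DATE_EPOCH"] = saved


if __name__ == "__main__":
    for m in (PycInvalidationMode.UNCHECKED_HASH, PycInvalidationMode.CHECKED_HASH):
        print(m.name, compile_then_edit(mode=m))
    print("default, epoch set", compile_then_edit(epoch="1517529240"))  # constructed epoch
```

With UNCHECKED_HASH the import returns the value from the stale pyc, so consistency between source and bytecode rests entirely on whatever installed the files; with CHECKED_HASH the hash mismatch makes the loader fall back to the edited source.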