#37159: Implement reproducible artifact builds
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Jacob Walls
Type: Cleanup/optimization | Status: assigned
Component: Packaging | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Charles Roelli):
Hi Jacob,
Thanks for bringing this up.
The current build backend setuptools has an
[https://github.com/pypa/setuptools/issues/2133 open issue for building
reproducible sdists], so we won't get reproducible sdists out-of-the-box.
As for the wheel, setting the environment variable `SOURCE_DATE_EPOCH`
keeps the file modification timestamp constant, so that may be sufficient
to get a reproducible wheel. For example, building the `6.0.6` tag twice
with `SOURCE_DATE_EPOCH=1` gives:
{{{
~/Code/django/6.0.6$ sha256sum ~1/build*/*
206304aa753040e562768b91669c2c79659d1b688332af94ce29a626aa26a85a  ~/Run/django/6.0.6/build1/django-6.0.6-py3-none-any.whl
c915757dee35a461f569457ba73d567dc26934421971839886e3814196a821c0  ~/Run/django/6.0.6/build1/django-6.0.6.tar.gz
206304aa753040e562768b91669c2c79659d1b688332af94ce29a626aa26a85a  ~/Run/django/6.0.6/build2/django-6.0.6-py3-none-any.whl
ec46f79707689eb71eebe9aa9d4f2356e33d6e3234d1f3a344c76844b52c18eb  ~/Run/django/6.0.6/build2/django-6.0.6.tar.gz
}}}
It may also be interesting to consider e.g. the build backend
[https://hatch.pypa.io/1.9/why/#build-backend hatchling] which has more of
a focus on reproducibility.
We could also work towards removing existing artifacts committed to the
repository like .mo files (#23321) and vendored CSS/JS, and building from
source where possible.
--
Ticket URL: <https://code.djangoproject.com/ticket/37159#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
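
When two sdists hash differently, as the two `django-6.0.6.tar.gz` builds in the comment above do, comparing the gzip header and each tar member's metadata shows which fields vary between builds. This is an added example, not part of the ticket or of Django's or setuptools' tooling; `make_sdist`, `gzip_mtime`, `members` and `diff_sdists` are hypothetical helpers, and the archives are constructed in memory (the ticket does not say which fields differ in the real sdists).

```python
import gzip, hashlib, io, tarfile

FIELDS = ("mode", "uid", "gid", "uname", "gname", "mtime", "size")

def make_sdist(files, mtime, owner="builder"):
    """Build a constructed .tar.gz in memory (stand-in for a real sdist)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.uname = len(data), mtime, owner
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def gzip_mtime(blob):
    # Bytes 4-7 of the gzip header hold a little-endian timestamp (RFC 1952).
    return int.from_bytes(blob[4:8], "little")

def members(blob):
    """Map member name -> (metadata dict, sha256 of content or None)."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: (
            {f: getattr(m, f) for f in FIELDS},
            hashlib.sha256(tar.extractfile(m).read()).hexdigest() if m.isfile() else None,
        ) for m in tar.getmembers()}

def diff_sdists(a, b):
    """Return the reasons two archives differ, in a stable order."""
    reasons = []
    if gzip_mtime(a) != gzip_mtime(b):
        reasons.append("gzip header mtime")
    ma, mb = members(a), members(b)
    for name in sorted(ma.keys() | mb.keys()):
        if name not in ma or name not in mb:
            reasons.append(f"{name}: present in only one archive")
            continue
        (meta_a, sha_a), (meta_b, sha_b) = ma[name], mb[name]
        if sha_a != sha_b:
            reasons.append(f"{name}: content")
        reasons += [f"{name}: {f}" for f in FIELDS if meta_a[f] != meta_b[f]]
    return reasons

if __name__ == "__main__":
    src = {"pkg/__init__.py": b"x = 1\n"}  # constructed sample content
    for reason in diff_sdists(make_sdist(src, 1000), make_sdist(src, 2000)):
        print(reason)
```

To run `diff_sdists` on real build outputs, pass it the bytes of the two `.tar.gz` files read from disk.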