On Mon, 14 Mar 2016 14:15, Michael Matz wrote:
On Mon, 14 Mar 2016, Bernhard M. Wiedemann wrote:
Python packages are tricky to get right, because .pyc and .pyo files contain timestamps of their source file and will not be used unless it matches exactly. Why do we (and redhat) even include them? In Debian packages have only .py files and the precompiled .pyc files get added upon package installation.
I wonder if .pyc or .pyo bring any advantages at all at this time?
On slow HW, esp. with rotating rust, YES. But "compile on install" a la Debian - best controlled by a config setting - seems the way to go forward fast in this aspect. This will become more important, as other script languages will follow with precompiled files, esp. for system libs; say hello to the debates on perl6 doing such a thing, and ruby devs also look into that, never mind what php7 tries.
It is even more tricky to get fully reproducible builds in OBS, because the build host name and signature time will vary.
I'm really not sure if we should strive for this. IMHO, if the contents of containers are provably the same, then the container itself doesn't matter much. In this case it seems to me that all files and scripts inside the rpm should be the same (and perhaps a selection of other rpm tags), not necessarily everything in the .rpm file.
If the goal is that others can reproduce a bit-identical .rpm file, then it seems reasonable to require them to have to adjust their build process (by e.g. setting the wanted build host name and fiddling with the signature process; they can't produce bit-identical signatures anyway, as they don't have our secret key) ...
IMHO: 1: diff on the whole rpm-file is wrong, diff the payload cpio only, the rpm header has to be handled extra.
2: the sig-hash should be done on the payload, if one wants a sig on the header, do that extra.
3: payload hash gen is either by the per-file content and a hash over all of the per-file hashes, or the file and dir timestamps in the payload will ruin your fun, too.
That way build-compare can compare the payload at a first glance by the payload-hash-of-per-file-hashes
So for now I guess, I will continue working on fixing build-compare failures (e.g. from embedded timestamps, rebuild-counters or compile-time CPU detection)?
... so I think this is exactly the right way forward.
And thank you for the work invested. - Yamaban
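Yamaban's points 1 and 3 above (diff the cpio payload only, and hash it as a hash over per-file content hashes so timestamps in the archive headers do not matter), as an added example that is not code from this thread, from build-compare or from OBS. It assumes an uncompressed "newc" cpio payload (rpm's real payload is also compressed, which is ignored here), SHA-256 for both levels, and sorted path order for the outer hash; the three sample payloads are constructed inline, two with identical file contents but different build-time mtimes and one with a real content change.

```python
"""Compare cpio newc payloads by a hash-over-per-file-hashes instead of
comparing the raw archive bytes.  Added example; not build-compare code."""
import hashlib

MAGIC = b"070701"          # newc (SVR4, no CRC) header magic
FIELDS = 13                # 8-hex-digit fields after the magic
HDR_LEN = 6 + 8 * FIELDS   # 110 bytes


def _pad4(n):
    """Bytes needed to pad n up to a multiple of 4 (newc alignment rule)."""
    return (4 - n % 4) % 4


def write_newc(entries):
    """Build a newc cpio archive from (name, mtime, data) tuples.

    Only the fields that matter here are meaningful; uid/gid/dev are 0
    and every entry is a regular file with mode 0644 (an assumption)."""
    out = bytearray()
    for ino, (name, mtime, data) in enumerate(
            list(entries) + [("TRAILER!!!", 0, b"")], start=1):
        name_b = name.encode() + b"\0"
        fields = (ino, 0o100644, 0, 0, 1, mtime, len(data),
                  0, 0, 0, 0, len(name_b), 0)
        out += MAGIC + b"".join(b"%08x" % v for v in fields) + name_b
        out += b"\0" * _pad4(HDR_LEN + len(name_b))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def read_newc(buf):
    """Yield (name, mtime, data) for each entry until the TRAILER!!! record."""
    pos = 0
    while True:
        if buf[pos:pos + 6] != MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        vals = [int(buf[pos + 6 + 8 * i:pos + 14 + 8 * i], 16)
                for i in range(FIELDS)]
        mtime, filesize, namesize = vals[5], vals[6], vals[11]
        name = buf[pos + HDR_LEN:pos + HDR_LEN + namesize - 1].decode()
        pos += HDR_LEN + namesize + _pad4(HDR_LEN + namesize)
        data = buf[pos:pos + filesize]
        pos += filesize + _pad4(filesize)
        if name == "TRAILER!!!":
            return
        yield name, mtime, data


def whole_file_hash(buf):
    """What a naive diff sees: the raw archive including mtimes in headers."""
    return hashlib.sha256(buf).hexdigest()


def payload_hash(buf):
    """Point 3 of the proposal: hash over sorted (name, content-hash) pairs.
    mtimes, inode numbers and header layout are deliberately left out."""
    outer = hashlib.sha256()
    for name, _mtime, data in sorted(read_newc(buf), key=lambda e: e[0]):
        inner = hashlib.sha256(data).hexdigest().encode()
        outer.update(name.encode() + b"\0" + inner + b"\n")
    return outer.hexdigest()


def per_file_diff(a, b):
    """Names whose content differs, or which exist only on one side."""
    fa = {n: hashlib.sha256(d).hexdigest() for n, _, d in read_newc(a)}
    fb = {n: hashlib.sha256(d).hexdigest() for n, _, d in read_newc(b)}
    return sorted(n for n in fa.keys() | fb.keys() if fa.get(n) != fb.get(n))


# Constructed sample payloads (not real packages): A and B contain the same
# files, built at different times; C has one file whose content changed.
FILES = [("./usr/bin/tool", b"#!/bin/sh\necho hi\n"),
         ("./usr/share/doc/README", b"docs\n")]
BUILD_A = write_newc([(n, 1457964900, d) for n, d in FILES])
BUILD_B = write_newc([(n, 1458051300, d) for n, d in FILES])
BUILD_C = write_newc([(n, 1458051300, d.replace(b"hi", b"hello"))
                      for n, d in FILES])

if __name__ == "__main__":
    print("raw archives equal:  ", whole_file_hash(BUILD_A) == whole_file_hash(BUILD_B))
    print("payload hashes equal:", payload_hash(BUILD_A) == payload_hash(BUILD_B))
    print("files changed A vs C:", per_file_diff(BUILD_A, BUILD_C))
```

The raw archive hashes of A and B differ only because of the mtime field in each header, while their payload hashes agree; the per-file map is what lets a tool report which file actually changed in C rather than just "different". Directory entries, symlinks and file modes would need to be folded into the inner hash as well for a complete comparison; this example keeps to regular files.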