On Mon, 14 Mar 2016, Bernhard M. Wiedemann wrote:
Python packages are tricky to get right, because .pyc and .pyo files contain timestamps of their source file and will not be used unless it matches exactly. Why do we (and Red Hat) even include them? In Debian, packages have only .py files and the precompiled .pyc files get added upon package installation.
I wonder if .pyc or .pyo bring any advantages at all at this time?
It is even more tricky to get fully reproducible builds in OBS, because the build host name and signature time will vary.
I'm really not sure if we should strive for this. IMHO, if the contents of containers are provably the same, then the container itself doesn't matter much. In this case it seems to me that all files and scripts inside the rpm should be the same (and perhaps a selection of other rpm tags), not necessarily everything in the .rpm file.
If the goal is that others can reproduce a bit-identical .rpm file, then it seems reasonable to require them to have to adjust their build process (by e.g. setting the wanted build host name and fiddling with the signature process, they can't produce bit identical signatures anyway, as they don't have our secret key) ...
So for now I guess, I will continue working on fixing build-compare failures (e.g. from embedded timestamps, rebuild-counters or compile-time CPU detection)?
... so I think this is exactly the right way forward.
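The .pyc timestamp problem raised at the top of this message, as an added example that is not part of the original thread. It assumes the 16-byte header layout of Python 3.7 and later (PEP 552), which postdates this 2016 message; the module source, file names and mtimes are constructed.

```python
import os
import py_compile
import struct
import tempfile
from py_compile import PycInvalidationMode

SOURCE = "def answer():\n    return 42\n"  # constructed sample module


def compile_with_mtime(mtime, mode):
    """Write SOURCE, force its mtime, compile it, and return the .pyc bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "mod.py")
        pyc = os.path.join(tmp, "mod.pyc")
        with open(src, "w", newline="\n") as fh:
            fh.write(SOURCE)
        os.utime(src, (mtime, mtime))
        # dfile keeps the temporary directory out of co_filename.
        py_compile.compile(src, cfile=pyc, dfile="mod.py", doraise=True,
                           invalidation_mode=mode)
        with open(pyc, "rb") as fh:
            return fh.read()


def parse_header(data):
    """Decode the 16-byte header: magic, flags, then mtime+size or a hash."""
    flags = struct.unpack("<I", data[4:8])[0]
    if flags & 0x1:  # bit 0 set: hash-based .pyc, no timestamp stored
        return {"flags": flags, "source_hash": data[8:16].hex()}
    mtime, size = struct.unpack("<II", data[8:16])
    return {"flags": flags, "mtime": mtime, "size": size}


def differs_only_in_mtime(a, b):
    """True when two .pyc files are identical except for bytes 8..11."""
    return a[:8] == b[:8] and a[12:] == b[12:] and a[8:12] != b[8:12]


if __name__ == "__main__":
    t1, t2 = 1457913600, 1457913601  # constructed mtimes, one second apart
    ts_a = compile_with_mtime(t1, PycInvalidationMode.TIMESTAMP)
    ts_b = compile_with_mtime(t2, PycInvalidationMode.TIMESTAMP)
    print(parse_header(ts_a), parse_header(ts_b))
    print("timestamp pycs differ only in mtime:", differs_only_in_mtime(ts_a, ts_b))
    h_a = compile_with_mtime(t1, PycInvalidationMode.UNCHECKED_HASH)
    h_b = compile_with_mtime(t2, PycInvalidationMode.UNCHECKED_HASH)
    print(parse_header(h_a), "hash pycs identical:", h_a == h_b)
```

With timestamp invalidation, a one-second change in the source mtime changes four bytes of otherwise identical output; the hash-based mode removes the mtime from the file, so the same source yields the same .pyc.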