Reproducible sdist builds

  • I have searched the issues of this repo and believe that this is not a duplicate.
  • I have searched the documentation and believe that my question is not covered.

Feature Request

Poetry (v0.12.15) makes a different sdist archive on each invocation of the build command. It's poor.

It would be great if Poetry generated reproducible sdists for concrete SCM commits (with identical checksums!). In my setup.py-based projects I achieve this behaviour by substituting setuptools.command.sdist, where I:

  • use the bz2 archiver (gzip stores the current timestamp in the archive)
  • sort archive items by path
  • assign owner/group of tar items to root:root
  • assign archive item timestamps from SCM (Mercurial, Git) commit metadata

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 3
  • Comments: 7 (1 by maintainers)

Top GitHub Comments

2 reactions
abn commented, Mar 22, 2021

@Natureshadow The linked PR should resolve this.

1 reaction
zpah commented, May 16, 2019

Can it be done with gzip and without root?

  1. Poetry uses gzip.GzipFile in the sdist command: https://github.com/sdispater/poetry/blob/cb6491415f59742f06f0ca322ec546b88aa412ef/poetry/masonry/builders/sdist.py#L56 The mtime option, for example, can be involved: gzip.GzipFile("test.txt.gz", mode="wb", mtime=stable_timestamp_from_scm). It will provide a stable archive checksum.
  2. Without root?! I mean any stable, predictable uid/gid for all sdist tar-archive items! Poetry already does it. It adds sdist items with uid/gid assigned to 0/0. User and group ‘root:root’ (uid=0, gid=0) in this case was a good neutral candidate. For this purpose, superuser privileges are not required during archive creation.
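
The following is an added example, not part of the original thread and not Poetry's own code. It combines the steps listed in the issue (sorted paths, uid/gid 0, one fixed timestamp) with the gzip mtime option from the comment above; the function names, file contents and timestamp are constructed for illustration.

```python
import gzip
import hashlib
import io
import tarfile


def build_sdist(files, mtime):
    """Return .tar.gz bytes for {path: bytes}; the output depends only on the inputs."""
    raw = io.BytesIO()
    # filename="" keeps a file name out of the gzip header;
    # mtime pins the header timestamp that otherwise defaults to "now".
    with gzip.GzipFile(filename="", mode="wb", fileobj=raw, mtime=mtime) as gz:
        # Pin the tar format so the header layout does not follow the Python default.
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            for path in sorted(files):           # stable member order
                data = files[path]
                info = tarfile.TarInfo(name=path)
                info.size = len(data)
                info.mtime = mtime               # same timestamp for every member
                info.mode = 0o644                # fixed mode, not the builder's umask
                info.uid = info.gid = 0          # neutral owner, no root needed
                info.uname = info.gname = "root"
                tar.addfile(info, io.BytesIO(data))
    return raw.getvalue()


def sdist_digest(files, mtime):
    """SHA-256 of the archive, the value a downstream verifier would compare."""
    return hashlib.sha256(build_sdist(files, mtime)).hexdigest()


if __name__ == "__main__":
    # Constructed inputs. In a real build the timestamp would come from SCM
    # commit metadata, e.g. the output of `git log -1 --format=%ct`.
    commit_time = 1558000000
    tree = {"pyproject.toml": b"[tool.poetry]\n", "pkg/__init__.py": b"x = 1\n"}
    reordered = dict(reversed(list(tree.items())))
    print(sdist_digest(tree, commit_time))
    print(sdist_digest(reordered, commit_time))  # identical digest
```

Two parties building from the same commit can compare the digest to confirm that a published sdist matches the source it claims to come from.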