On Mon, 14 Oct 2024 at 04:00, Tim Orling <[email protected]> wrote:
> Yoann and I were able to figure out a promising fix for maturin which is the
> root cause of the reproducibility issues. It needs a little more testing and
> rewording the commit message before we submit upstream (I mentioned data.tar
> which is a .deb thing not a wheel thing)
>
> https://github.com/moto-timo/maturin/tree/sort-records

It's a bit more complicated and I thought I'd document that. There are three separate issues here:

1) Maturin creates a .whl (zip archive) where files are listed in a non-deterministic order in the archive index. I'm not 100% sure if your patch addresses this problem - does it? Are the files supplied to the zip writer in sorted order?

2) Maturin writes a RECORD file into that same archive which is as well listing files in a non-deterministic order. This is certainly addressed by the patch.

3) python3-installer takes the .whl from maturin and processes the files in it in the order they come, then writes out *its own* RECORD based on that order, discarding the RECORD from maturin. So it implicitly relies on the intermediate .whl being reproducible.

I've fixed the third issue [1], and it does fix the reproducibility problem in the actual target install of cryptography. Installer shouldn't be trusting that its input is already sorted.

[1] https://git.yoctoproject.org/poky-contrib/tree/meta/recipes-devtools/python/python3-installer/0001-src-installer-utils.py-sort-entries-before-writing-o.patch?h=akanavin/package-version-updates

But the fix for maturin is of course also welcome.

Alex
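
The three ordering issues listed in the message above can be reproduced in miniature. This is an added example, not code from maturin, python3-installer or either patch; the package name `demo`, the file contents and all function names are constructed for illustration.

```python
import base64
import csv
import hashlib
import io
import zipfile

FIXED_DATE = (1980, 1, 1, 0, 0, 0)  # constant timestamp for every zip entry
RECORD = "demo-1.0.dist-info/RECORD"  # constructed package name


def record_text(entries):
    """RECORD body (path,sha256=...,size) in the order the entries are given."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for path, data in entries:
        digest = base64.urlsafe_b64encode(hashlib.sha256(data).digest())
        writer.writerow((path, "sha256=" + digest.rstrip(b"=").decode(), len(data)))
    writer.writerow((RECORD, "", ""))
    return buf.getvalue()


def build_wheel(files, sort_entries):
    """Issues 1 and 2: archive index and RECORD follow the order of `files`."""
    entries = sorted(files) if sort_entries else list(files)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for path, data in entries + [(RECORD, record_text(entries).encode())]:
            zf.writestr(zipfile.ZipInfo(path, FIXED_DATE), data)
    return out.getvalue()


def installed_record(wheel, sort_entries):
    """Issue 3: the installer discards the wheel's RECORD and writes its own."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        entries = [(i.filename, zf.read(i)) for i in zf.infolist()
                   if i.filename != RECORD]
    if sort_entries:
        entries.sort()  # do not trust the input order
    return record_text(entries)


# Constructed sample: the same files, seen in two different traversal orders.
FILES_A = [("demo/__init__.py", b""), ("demo/_rust.so", b"\x7fELF-constructed"),
           ("demo-1.0.dist-info/METADATA", b"Name: demo\n")]
FILES_B = list(reversed(FILES_A))

if __name__ == "__main__":
    for fixed in (False, True):
        a, b = (installed_record(build_wheel(f, False), fixed) for f in (FILES_A, FILES_B))
        print("installer sorts:", fixed, "-> identical RECORD:", a == b)
```

Sorting on the installer side makes the installed RECORD independent of the wheel's entry order, while the intermediate .whl stays byte-for-byte reproducible only if the wheel builder sorts as well.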
