pythonPackages.pip: make reproducible #102222
3c62b00 to aba81bc
Sorry for the notification spam. @FRidh is there any package beyond pip that is critical to test? Here are some packages that are now reproducible:
pytest is likely due to its own cache, although that we do handle. Please refer in the code to the upstream issue pypa/pip#7808. Same issue was also noticed by Bazel people pypa/pip#6505 (comment).
aba81bc to 5381e35
The previous attempt wasn't covering all of the bases. It relied on invoking that pip-install-hook, and didn't apply to pip itself.

The core issue is that the generated .pyc files embed some of the temporary paths, which are randomly generated. See https://r13y.com/diff/bf8c3ca3148ebff9ecf41f294cc60b9f209c006d49699e356969ff32d736f1c6-8806a7cca91fdd300e48736bfcd57c4d0b54c1cc2fd61609f35143170862b59c.html

In this new attempt, the approach is to patch the TempFile implementation directly, so that it creates stable temporary directories. We also assume that if SOURCE_DATE_EPOCH is set, we are in a scenario where reproducible builds are desirable and enter that branch.

See also pypa/pip#7808
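The effect described in the commit message above, as an added example that is not part of this PR or of pip: byte-compiling the same source in two randomly named directories yields different .pyc bytes because the source path is embedded, while a fixed directory yields identical bytes. `make_build_dir`, the directory names and the sample module are hypothetical and constructed for illustration.

```python
import marshal
import os
import py_compile
import shutil
import tempfile

SOURCE = "def add(a, b):\n    return a + b\n"  # constructed sample module

def make_build_dir(env):
    """Hypothetical stand-in for the patched temp-dir logic described above."""
    if "SOURCE_DATE_EPOCH" in env:
        # Reproducible branch: fixed directory name (constructed for this demo).
        path = os.path.join(tempfile.gettempdir(), "pip-build-stable-demo")
        os.makedirs(path, exist_ok=True)
        return path
    # Default branch: randomly named directory, as mkdtemp always produces.
    return tempfile.mkdtemp(prefix="pip-build-")

def build_pyc(env):
    """Byte-compile SOURCE inside a build dir; return (pyc bytes, embedded path)."""
    build_dir = make_build_dir(env)
    try:
        src = os.path.join(build_dir, "mod.py")
        with open(src, "w") as f:
            f.write(SOURCE)
        pyc = src + "c"
        # CHECKED_HASH keeps the source mtime out of the header, so the only
        # remaining variable between builds is the path of the source file.
        py_compile.compile(src, cfile=pyc, doraise=True,
                           invalidation_mode=py_compile.PycInvalidationMode.CHECKED_HASH)
        with open(pyc, "rb") as f:
            data = f.read()
        # Skip the 16-byte header (Python 3.7+) and load the marshalled code object.
        return data, marshal.loads(data[16:]).co_filename
    finally:
        shutil.rmtree(build_dir)

def compare(env):
    """Build twice under env; return (bytes identical?, path 1, path 2)."""
    (pyc1, path1), (pyc2, path2) = build_pyc(env), build_pyc(env)
    return pyc1 == pyc2, path1, path2

if __name__ == "__main__":
    for label, env in (("random", {}), ("stable", {"SOURCE_DATE_EPOCH": "1"})):
        same, p1, p2 = compare(env)
        print(f"{label}: identical={same}\n  {p1}\n  {p2}")
```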
5381e35 to f9e48d0
@FRidh fixed. Thanks for the review!
Should we upstream this? pip should respect SOURCE_DATE_EPOCH
This patch is a hack. While the patch is for reproducibility,
Semantically speaking SOURCE_DATE_EPOCH is not entirely correct. A better fix would be for upstream to fix their build so that the build directories are not included in the .pyc files.
I was wrong. It's #102156.
I stopped reading after the if statement. Yea, this is a hack, but an improvement.
This triggered failures in case of It seems as if Grep for
Seems like the issue is resolved in pip 20.2, upgrading now and reverting the patches.
Reproducible builds of pyproject projects using pip is resolved.

Fixes pypa/pip#7808
Fixes #81441

The more recent c409f69 caused trouble with pyproject troubles and had to be reverted anyway. #102222 (comment)

Revert "pythonPackages.pip: make reproducible (#102222)"
This reverts commit c409f69.

Revert "python3Packages.pip: allow setting reproducible temporary directory via NIX_PIP_INSTALL_TMPDIR"
This reverts commit aedbade.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/hydra-security-model-discussion/9801/12