Re: Debian python package bytecode compatibility

[Sam Hartman <hartmans@debian.org>]

>>>>> "Paul" == Paul Wise <pabs@debian.org> writes:

    Paul> On Wed, Sep 29, 2021 at 8:25 AM Bastian Blank wrote:
    >> All Python source is compiled into bytecode during installation.

    Paul> Scripts in the bin/ directories are not compiled into
    Paul> bytecode, and there are a number of packages that do not
    Paul> compile .py files into bytecode:

So, I think that this is coming out of FIPS 140-3 which requires that
the installed software that is part of the validated cryptographic
module not be susceptible to unauthorized modification.
(There's discussions about unauthorized disclosure, although I think we
can safely say that disclosure of any software packaged in Debian main
is authorized)
I'll admit to a certain skepticism about what fraction of the python
code in Debian is reasonable to include in a validated cryptographic
module.  Let's assume there is some though.

There's a chain of signatures for the installed files, and so you could
presumably validate that the installed files have not been modified.
That is much more challenging for files generated from the postinst.

I think that using Debian as it exists today under the FIPS 140
validation rules would be tricky at least.