
Re: Debian python package bytecode compatibility



On Wed, Sep 29, 2021 at 12:42:56PM -0600, Sam Hartman wrote:
> There's a chain of signatures for the installed files, and so you could
> presumably validate that the installed files have not been modified.
> That is much more challenging for files generated from the postinst.

I wondered about reproducibility of Python bytecode, and from a quick
web-search before the children's bedtime I ran across a couple of links
that look interesting to pursue:

  https://bugs.python.org/issue29708
  https://vulns.xyz/2021/08/reproducible-python-bytecode/

I couldn't find anything under Debian's reproducible builds banner (it
is after all slightly outside the usual area of building reproducible
.debs), but maybe I missed something.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

