Open raboof opened 3 days ago
I suspect the directories that only differ in their stat
s are a red herring, and it's really the differences in ftplib.cpython-312.pyc
, ftplib.cpython-312.opt-1.pyc
and ftplib.cpython-312.opt-2.pyc
that are the issue. There's plenty of .pyc
files that reproduce successfully.
It's somewhat confusing that the cpython3/default.nix
has a reproducibleBuild
flag that is set to false
, but in fact the package has been reproducible: for example python3-3.11.9 in 24.05 (at 9603a116b8d554f) seems to be reproducible just fine. Looking at the history it sounds like generating default, unoptimized bytecode used to be nondeterministic (https://github.com/python/cpython/issues/73894), but it is not clear if that's still a problem in Python 3.11 and later.
The problem with ftplib on python312 does not seem new - it already existed at 9603a116b8d554f
Building this package multiple times does not yield bit-by-bit identical results, complicating the detection of Continuous Integration (CI) breaches. For more information on this issue, visit reproducible-builds.org.
Fixing bit-by-bit reproducibility also has additional advantages, such as avoiding hard-to-reproduce bugs, making content-addressed storage more effective and reducing rebuilds in such systems.
Steps To Reproduce
1. Build the package
This step will build the package. Specific arguments are passed to the command to keep the build artifacts so we can compare them in case of differences.
Execute the following command:
Or using the new command line style:
2. Compare the build artifacts
If the previous command completes successfully, no differences were found and there's nothing to do, builds are reproducible. If it terminates with the error message
error: derivation '<X>' may not be deterministic: output '<Y>' differs from '<Z>'
, usediffoscope
to investigate the discrepancies between the two build outputs. You may need to add the--exclude-directory-metadata recursive
option to ignore files and directories metadata (e.g. timestamp) differences.3. Examine the build log
To examine the build log, use:
Or with the new command line style:
Additional context
Add a :+1: reaction to issues you find important.