Closed abravalheri closed 2 years ago
This proposal was motivated by the recent discourse thread
What is the current situation/context?
Currently the combination of setuptools/wheel does not support reproducible builds completely. This makes some kinds of builds non-verifiable.
What ought to be fixed, made, or implemented?
Complete support for reproducible builds for both sdist and wheel using setuptools as a build backend.
What problems would this solve, and what new capabilities would it cause?
This would help to improve security in the Python packaging ecosystem, because developers would be able to independently verify packages.
What kinds of work are necessary to make this happen?
Implementation efforts are required for:
SOURCE_DATE_EPOCH environment variable for both sdists and wheels.
Documentation efforts are required to instruct developers how to verify distribution artifacts.
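The verification the proposal asks to document comes down to two checks: whether every member of a wheel or sdist carries the SOURCE_DATE_EPOCH timestamp, and whether two independent builds hash identically. The script below is an added example, not code from setuptools or the wheel project; it assumes an epoch-aware builder writes member times in UTC, and the sample wheel it builds is a constructed zip stand-in.

```python
import calendar
import hashlib
import io
import tarfile
import time
import zipfile

# A wheel is a zip archive and an sdist is a tar archive; both embed a
# modification time per member.  Unless that time is pinned (the role of
# SOURCE_DATE_EPOCH), two builds of identical inputs differ byte-for-byte,
# so inspecting member timestamps is the first step in verifying an artifact.

def _zip_mtimes(data):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # date_time is a (Y, M, D, h, m, s) tuple; an epoch-aware builder
            # writes it in UTC, so decode it with timegm rather than mktime.
            yield info.filename, calendar.timegm(info.date_time)

def _tar_mtimes(data):
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            yield member.name, int(member.mtime)

def timestamp_violations(archive, source_date_epoch):
    """Return [(member, mtime)] for every member not stamped with the epoch."""
    if zipfile.is_zipfile(io.BytesIO(archive)):
        # zip stores seconds at 2-second granularity, so round the epoch down
        expected = source_date_epoch - source_date_epoch % 2
        entries = _zip_mtimes(archive)
    else:
        expected = source_date_epoch
        entries = _tar_mtimes(archive)
    return [(name, mtime) for name, mtime in entries if mtime != expected]

def digest(archive):
    """SHA-256 of the whole artifact.  Equal digests across independent builds
    is the real reproducibility criterion; the timestamp check only explains
    the most common reason they differ."""
    return hashlib.sha256(archive).hexdigest()

def build_sample_wheel(member_mtimes):
    """Constructed stand-in for a wheel (not produced by setuptools/wheel):
    a zip whose members carry the given epoch timestamps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, epoch in member_mtimes.items():
            info = zipfile.ZipInfo(name, date_time=time.gmtime(epoch)[:6])
            zf.writestr(info, b"# sample content\n")
    return buf.getvalue()
```

In practice the digest comparison is run against an artifact built on a second, independent machine with the same SOURCE_DATE_EPOCH; the timestamp report then tells you which members broke reproducibility when the digests disagree.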