Opened 51 minutes ago

Last modified 50 minutes ago

#37159 new Cleanup/optimization

Implement reproducible builds

Reported by: Jacob Walls
Owned by:
Component: Packaging
Version: dev
Severity: Normal
Keywords:
Cc: Charles Roelli
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

When building Django artifacts, if the build is reproducible, then consumers can verify that an artifact was built from the revision it claims to be built from, and releasers can also confirm with each other (or with CI) before publishing.

Florian mentioned on the forum we are likely to want this:

Independent of whether any attestation might be a good idea or not, the first steps imo are reproducible builds. We might even have them without knowing it (or via slight adjustments only) since all in all we are just packing up some files from a known revision in a tar/zip and we mostly just need to fix timestamps (we don’t have to worry about compiled code etc). This way it is possible to verify the built release by multiple people before publishing. This makes a compromise of an individual machine even less likely/useful. The next step would be to build the release in CI as well providing another verifier for the reproducible build.
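The timestamp point made in the quoted forum post, as an added example that is not part of this ticket or of Django's release tooling: a small Python script that packs a constructed sample tree from two checkouts whose files carry different mtimes. With the tar and gzip header metadata normalized (mtime pinned to a fixed SOURCE_DATE_EPOCH-style value, uid/gid and user/group names cleared, permissions canonicalized, entries added in sorted order) both archives hash identically, so independent builders can compare digests before publishing; with the library defaults the digests differ. The sample tree, function names and the fixed timestamp are assumptions.

```python
# Added example (not Django's release tooling): tar up two checkouts that differ
# only in file timestamps, with and without normalizing archive metadata.
import gzip, hashlib, io, os, tarfile, tempfile

SAMPLE_TREE = {  # constructed stand-in for a release checkout: path -> contents
    "pkg/__init__.py": b"__version__ = '0.0.0'\n",
    "pkg/util.py": b"def answer():\n    return 42\n",
    "README.rst": b"constructed sample\n",
}
SOURCE_DATE_EPOCH = 1_700_000_000  # fixed timestamp baked into every header

def normalize(info):
    """Strip tar header fields that vary between machines or checkouts."""
    info.mtime = SOURCE_DATE_EPOCH
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mode = 0o755 if info.isdir() or info.mode & 0o111 else 0o644
    return info

def build_tarball(root, reproducible):
    """Return the bytes of a .tar.gz of `root`, normalized if requested."""
    buf = io.BytesIO()
    # The gzip header has its own timestamp (defaults to "now"); pin it too.
    gz = gzip.GzipFile(fileobj=buf, mode="wb",
                       mtime=SOURCE_DATE_EPOCH if reproducible else None)
    with tarfile.open(fileobj=gz, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # listing order is filesystem-dependent; fix it
            for name in sorted(dirnames + filenames):
                full = os.path.join(dirpath, name)
                tar.add(full, arcname=os.path.relpath(full, root), recursive=False,
                        filter=normalize if reproducible else None)
    gz.close()
    return buf.getvalue()

def write_checkout(root, stamp):
    # Materialize SAMPLE_TREE under `root` with every file mtime set to `stamp`.
    for rel, data in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (stamp, stamp))

def digests(reproducible):
    # SHA-256 of two builds from checkouts made at different times.
    out = []
    for stamp in (1_600_000_000, 1_650_000_000):
        with tempfile.TemporaryDirectory() as root:
            write_checkout(root, stamp)
            out.append(hashlib.sha256(build_tarball(root, reproducible)).hexdigest())
    return tuple(out)
```

Run `digests(True)` and `digests(False)` side by side: the normalized pair matches byte for byte, the default pair does not, which is exactly the gap a second builder or CI job would catch before a release is signed.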

Change History (1)

comment:1 by Jacob Walls, 50 minutes ago

Cc: Charles Roelli added

Charles, you mentioned to me at DjangoCon that you did some investigation into this already. Do you have any findings you can summarize?
