[Bug 1983124] [NEW] python3.8-minimal postinstall scripts make reproducible bytecode difficult

Josh 1983124 at bugs.launchpad.net
Fri Jul 29 16:30:15 UTC 2022 

Public bug reported:

The python interpreter writes reproducible bytecode when two environment
variables (SOURCE_DATE_EPOCH and PYTHONHASHSEED) are set. Without
PYHONHASHSEED set, various internal data structures get serialized to a
.pyc file in arbitrary order. With PYTHONHASHSEED, that order is
deterministic.

The postinstall script in the python3.8-minimal package builds bytecode
with `python3.8 -E -S -O /usr/lib/python3.8/py_compile.py`. The -E
option in particular causes PYTHONHASHSEED to be ignored. Users who want
to reproducibly install Python into a container image must either delete
or rewrite the bytecode after the installation concludes.

Observed behavior: when the installer process runs with these two
environment variables, bytecode differs between installations.

Expected behavior: the same bytecode under every installation

** Affects: python3.8 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python3.8 in Ubuntu.
https://bugs.launchpad.net/bugs/1983124

Title:
  python3.8-minimal postinstall scripts make reproducible bytecode
  difficult

Status in python3.8 package in Ubuntu:
  New

Bug description:
  The python interpreter writes reproducible bytecode when two
  environment variables (SOURCE_DATE_EPOCH and PYTHONHASHSEED) are set.
  Without PYHONHASHSEED set, various internal data structures get
  serialized to a .pyc file in arbitrary order. With PYTHONHASHSEED,
  that order is deterministic.

  The postinstall script in the python3.8-minimal package builds
  bytecode with `python3.8 -E -S -O /usr/lib/python3.8/py_compile.py`.
  The -E option in particular causes PYTHONHASHSEED to be ignored. Users
  who want to reproducibly install Python into a container image must
  either delete or rewrite the bytecode after the installation
  concludes.

  Observed behavior: when the installer process runs with these two
  environment variables, bytecode differs between installations.

  Expected behavior: the same bytecode under every installation

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python3.8/+bug/1983124/+subscriptions

More information about the foundations-bugs mailing list