Date: Sun, 25 Jan 2015 16:49:56 +1100
From: Peter Jeremy
To: Garrett Wollman
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Subject: Re: Strange package checksum report
Message-ID: <20150125054956.GB23253@server.rulingia.com>
References: <21698.32224.747971.146491@khavrinen.csail.mit.edu> <868ugrr5r3.fsf@nine.des.no> <21700.23803.911745.834275@hergotha.csail.mit.edu>
In-Reply-To: <21700.23803.911745.834275@hergotha.csail.mit.edu>
List-Id: Security issues [members-only posting]

On 2015-Jan-24 22:03:23 -0500, Garrett Wollman wrote:
>< said:
>> These are Python bytecode files. They are automatically regenerated if
>> you have write access to them and Python thinks they are stale when it
>> tries to load them. Apparently, Python's definition of "stale" is
>> slightly more complex than just comparing timestamps; they are one of
>> the reasons why Baptiste gave up reproducible package builds.
>
>That's unfortunate. Perhaps either Python can be trained to write
>updated copies somewhere else?

If Python isn't going to use the .pyc files we ship (because it thinks
they are out of date), we might as well not ship them.

> Or maybe we can generate them
>at package installation rather than shipping pregenerated versions?

My feeling is that we should only distribute .py files and build the
.pyc files at package install time. As far as I can see, this is what
Ubuntu and Debian (the two Linux distros I have ready access to) do.

>(Would slow down builds of dependent packages, but those are the
>breaks.)

It would be interesting to know how big an impact this is.
-- 
Peter Jeremy
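The thread above turns on two things: how Python decides a shipped .pyc is "stale" (so that a world-writable or root-owned file gets silently rewritten and no longer matches the package checksum), and whether compiling at install time avoids the problem. The following is an added example written for this archive page, not code from the FreeBSD ports tree, from Python, or from any of the posters. It assumes Python 3.7 or later, whose .pyc header is 16 bytes: a magic number, a flags word, and then either the source mtime and size (timestamp pycs, the only kind that existed when this mail was written) or an 8-byte SipHash of the source (hash-based pycs, added by PEP 552). It goes beyond the 2015 discussion in that second respect: the hash-based mode is the later mechanism that makes the compiled file independent of the mtime a package extract happens to set. The module name `mod.py` and its contents are constructed sample data.

```python
"""Why a shipped .pyc can be judged stale, and what an install-time compile buys.

Illustrative code for this list archive, not FreeBSD pkg or CPython project
code.  Targets the 16-byte .pyc header used since Python 3.7.
"""
import compileall
import importlib.util
import os
import py_compile
import struct
import tempfile
from pathlib import Path


def read_pyc_header(pyc_path):
    """Decode the 16-byte header of a Python 3.7+ .pyc file."""
    with open(pyc_path, "rb") as fh:
        header = fh.read(16)
    magic = header[:4]
    flags = struct.unpack("<I", header[4:8])[0]
    info = {
        "magic_ok": magic == importlib.util.MAGIC_NUMBER,
        "hash_based": bool(flags & 0b01),  # bit 0: header carries a source hash
        "checked": bool(flags & 0b10),     # bit 1: verify that hash on import
    }
    if info["hash_based"]:
        info["source_hash"] = header[8:16]
    else:
        info["mtime"], info["size"] = struct.unpack("<II", header[8:16])
    return info


def is_stale(py_path, pyc_path):
    """Mirror the import system's validation of a cached .pyc.

    Timestamp pycs are stale when the recorded source mtime or size differs
    (not merely when the source is newer); checked hash pycs are stale when
    the SipHash of the source differs; unchecked hash pycs are always trusted.
    """
    hdr = read_pyc_header(pyc_path)
    if not hdr["magic_ok"]:
        return True  # compiled by a different interpreter version
    if hdr["hash_based"]:
        if not hdr["checked"]:
            return False
        source = Path(py_path).read_bytes()
        return importlib.util.source_hash(source) != hdr["source_hash"]
    st = os.stat(py_path)
    return (hdr["mtime"] != (int(st.st_mtime) & 0xFFFFFFFF)
            or hdr["size"] != (st.st_size & 0xFFFFFFFF))


def demo():
    """Compile one module both ways and show which survives an mtime change."""
    modes = py_compile.PycInvalidationMode
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "mod.py"
        src.write_text("VALUE = 42\n")  # constructed sample module

        ts_pyc = py_compile.compile(str(src), cfile=str(Path(tmp) / "ts.pyc"),
                                    invalidation_mode=modes.TIMESTAMP, doraise=True)
        hash_pyc = py_compile.compile(str(src), cfile=str(Path(tmp) / "hash.pyc"),
                                      invalidation_mode=modes.CHECKED_HASH, doraise=True)
        result = {"fresh": (is_stale(src, ts_pyc), is_stale(src, hash_pyc))}

        # What a package extract or copy can do: identical bytes, different mtime.
        # The timestamp pyc is now "stale" and Python will rewrite it if it can.
        os.utime(src, (1_000_000_000, 1_000_000_000))
        result["after_touch"] = (is_stale(src, ts_pyc), is_stale(src, hash_pyc))

        # Rebuilding after the touch: the timestamp pyc changes bytes (hence the
        # checksum mismatch reported on the list); the hash-based one does not.
        ts_again = py_compile.compile(str(src), cfile=str(Path(tmp) / "ts2.pyc"),
                                      invalidation_mode=modes.TIMESTAMP, doraise=True)
        hash_again = py_compile.compile(str(src), cfile=str(Path(tmp) / "hash2.pyc"),
                                        invalidation_mode=modes.CHECKED_HASH, doraise=True)
        result["ts_reproducible"] = Path(ts_pyc).read_bytes() == Path(ts_again).read_bytes()
        result["hash_reproducible"] = Path(hash_pyc).read_bytes() == Path(hash_again).read_bytes()

        # Install-time compile of the whole tree, as the mail proposes: the pyc is
        # built against the mtime the file actually has on the installed system.
        ok = compileall.compile_dir(tmp, quiet=1, invalidation_mode=modes.CHECKED_HASH)
        installed = importlib.util.cache_from_source(str(src))
        result["install_compile_ok"] = bool(ok) and not is_stale(src, installed)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`is_stale` is the check a packager or auditor can run against installed files to tell a legitimately regenerated .pyc from a modified one: a timestamp pyc whose header mtime no longer matches the source is exactly the case that produces a checksum report without any tampering. The `compile_dir` call at the end is the install-time build the mail argues for; `CHECKED_HASH` additionally keeps the output byte-identical across rebuilds, which is the reproducible-package property the quoted text says was given up.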