[Reproducible-builds] Bug#804339: dh-python: please pass --force to `setup.py install` to avoid non-deterministic shebangs and dependencies

Chris Lamb lamby at debian.org
Sat Nov 7 15:01:33 UTC 2015


Source: dh-python
Version: 2.20151103
Severity: wishlist
Tags: patch
User: reproducible-builds at lists.alioth.debian.org
Usertags: randomness toolchain
X-Debbugs-Cc: reproducible-builds at lists.alioth.debian.org

Hi,

Whilst working on the "reproducible builds" effort [0], we noticed that dh-python non-deterministically creates packages with differing shebangs and--by extension--binary dependencies:

│ -#!/usr/bin/python3
│ +#!/usr/bin/python3.5

[..]

│ -Depends: python3-six, python3:any (>= 3.3.2-2~)
│ +Depends: python3-six, python3.5:any, python3:any (>= 3.3.2-2~)

This is caused by us building multiple Python versions into separate directories under {build_dir} but then installing them to the *same* {destdir}.

If any of these builds complete in under 1 second, distutils may decide to skip copying files to {destdir} as it incorrectly believes them to be up-to-date. This will result in a package arbitrarily containing scripts with different version shebangs and, by extension, binary dependencies.

A patch is attached that passes --force to `setup.py install [..]` which avoids the underlying calls to distutils's `dep_util.newer` and always updates {destdir}.

 [0] https://wiki.debian.org/ReproducibleBuilds


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org / chris-lamb.co.uk
       `-
-------------- next part --------------
Name: dh-python.diff.txt
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20151107/1693130f/attachment.txt>
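
The failure mode described in the message can be reproduced with a small model. This is an added example, not part of the original message or the attached patch. It assumes the up-to-date check compares modification times at whole-second resolution, and the `newer`/`install_script` helpers, the script name `tool` and the interpreter versions are constructed for illustration.

```python
import os
import shutil
import tempfile


def newer(source, target):
    """Simplified model of a 'source newer than target' check (assumed 1 s resolution)."""
    if not os.path.exists(target):
        return True
    return int(os.stat(source).st_mtime) > int(os.stat(target).st_mtime)


def install_script(src, dst, force=False):
    """Copy src to dst unless dst looks current; force=True always copies."""
    if not force and not newer(src, dst):
        return False           # skipped: dst is wrongly treated as up to date
    shutil.copy2(src, dst)     # copy2 carries the source mtime over to dst
    return True


def build_and_install(versions, mtimes, force):
    """Build one script per interpreter in its own build dir, install each
    into the same destdir, and return the shebang that ends up installed."""
    with tempfile.TemporaryDirectory() as top:
        destdir = os.path.join(top, "destdir")
        os.mkdir(destdir)
        dst = os.path.join(destdir, "tool")
        for version, mtime in zip(versions, mtimes):
            build_dir = os.path.join(top, "build-" + version)
            os.mkdir(build_dir)
            src = os.path.join(build_dir, "tool")
            with open(src, "w") as fh:
                fh.write("#!/usr/bin/python%s\n" % version)
            os.utime(src, (mtime, mtime))   # constructed build timestamp
            install_script(src, dst, force=force)
        with open(dst) as fh:
            return fh.readline().strip()


if __name__ == "__main__":
    for stamps in ([1000, 1000], [1000, 1001]):      # same second vs. 1 s apart
        for force in (False, True):
            print(stamps, "force=%s" % force,
                  build_and_install(["3.4", "3.5"], stamps, force))
```

Without `force`, the installed shebang depends on whether the two builds landed in the same second; with `force`, the last build always wins regardless of timing.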

