-
-
Notifications
You must be signed in to change notification settings - Fork 13.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Python: deterministic interpreters #22585
Conversation
@FRidh, thanks for your PR! By analyzing the history of the files in this pull request, we identified @domenkozar, @edolstra and @peti to be potential reviewers. |
Python 2.7 diff #22570 (comment) |
Since 3.2.3 there is a
It also influences sets. When doing a Unfortunately, the bytecode is still not deterministic. |
DETERMINISTIC_BUILD=1; | ||
# Determinism: We fix the hashes of str, bytes and datetime objects. | ||
PYTHONHASHSEED = 0; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This only applies to the build process, right? I assume that the actual scripts will still run with random hash seeds; but we don't want to accidentally open up NixOS to hash collision attacks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We still need to disable it for nix-shell.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I disagree. What is nix-shell
used or designed for? For testing/building a package, or for building environments with certain packages? In my point of view its designed for the former, but its (mis)used a lot for the latter as well. If we are going to make changes for nix-shell
then we should also unset SOURCE_DATE_EPOCH
and likely a dozen other vars as well which will render it useless for the former use case.
In Nix 1.12 we have nix run
which, if I am correct, shouldn't set such env vars (unfortunately it still does).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@FRidh I don't think every user is aware of this, so their needs to be a big warning somewhere. Somebody may use nix-shell --command
in their own services/timer so this could make people vulnerable to hash collision attacks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also there is the nix-shell -i
shebang feature for which the Nix documentation even includes a Python example.
At the end of the installation I now force it to rebuild all bytecode. Both 2.7 and 3.5 are now deterministic. cc @edanaher could you check regarding your issue? |
find "$out" -name 'wininst*.exe' | xargs -r rm -f | ||
|
||
# Determinism: rebuild all bytecode | ||
# We exclude lib2to3 because that's Python 2 code which fails |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here the reason is slightly different...but it includes incorrect syntax
Looks good to me; nvr is nice and fast, and there's only a single EROFS:
I still find it a little strange that that file is still attempting to be re-cached, but it's not a significant performance issue. If you're not seeing determinism issues with it, I certainly don't see any problem. |
@edanaher I'll have a look at the sysconfigdata issue. For some reason it was removed, and I don't know why. |
d7771d4
to
24f5f22
Compare
Versions 2.7, 3.5 and 3.6 are now reproducible. I've applied the patches to 3.4 as well but there's one file left causing problems. I've updated the docs and the release notes. The issue with I think this is ready now. What say you? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apart from the link in the release notes, LGTM.
There is some randomness in the Windows installers. Since we don't need them, we delete them.
- Windows installers are indeterministic and we don't need them. - since Python 3 ensurepip is installed by default. pip is indeteministic and we don't need it. - rebuild bytecode to ensure its deterministic
@globin its not clear to me what you mean but we can fix that later. |
@FRidh: this or something else new on staging has broken 3.4 setuptools:
|
Thanks @vcunat , I'll have a look at it later today. |
Python: deterministic interpreters (cherry picked from commit 04c41e7)
Python 3.4 is fixed with b588ed9 |
@vcunat am I correct none of this is in 17.03? |
Python 3.6 is fixed with a1f6b8b |
@FRidh: this PR is in 17.03. I pushed it in response to your comment. |
When rereading it, I probably misunderstood you and just cherry-picked the whole merge, but I suppose it will be OK if we pick these fixes as well? |
I saw only the merge and none of the commits in 17.03, so that's why I was asking. Yes, all these commits plus the two fix commits can go in. |
For reference, the 17.03 commit: bee7854. I don't know why GitHub doesn't display a mention on this PR – I think it does, normally. |
I picked those two commits and tested they fix the builds. |
Python: deterministic interpreters (cherry picked from commit 04c41e7)
Motivation for this change
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandbox
innix.conf
on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)