Python: deterministic interpreters #22585
Conversation
|
@FRidh, thanks for your PR! By analyzing the history of the files in this pull request, we identified @domenkozar, @edolstra and @peti to be potential reviewers. |
|
Python 2.7 diff #22570 (comment) |
|
Since 3.2.3 there is a
It also influences sets. When doing a Unfortunately, the bytecode is still not deterministic. |
| DETERMINISTIC_BUILD=1; | ||
| # Determinism: We fix the hashes of str, bytes and datetime objects. | ||
| PYTHONHASHSEED = 0; |
There was a problem hiding this comment.
This only applies to the build process, right? I assume that the actual scripts will still run with random hash seeds; but we don't want to accidentally open up NixOS to hash collision attacks
There was a problem hiding this comment.
We still need to disable it for nix-shell.
There was a problem hiding this comment.
I disagree. What is nix-shell used or designed for? For testing/building a package, or for building environments with certain packages? In my point of view its designed for the former, but its (mis)used a lot for the latter as well. If we are going to make changes for nix-shell then we should also unset SOURCE_DATE_EPOCH and likely a dozen other vars as well which will render it useless for the former use case.
In Nix 1.12 we have nix run which, if I am correct, shouldn't set such env vars (unfortunately it still does).
There was a problem hiding this comment.
@FRidh I don't think every user is aware of this, so their needs to be a big warning somewhere. Somebody may use nix-shell --command in their own services/timer so this could make people vulnerable to hash collision attacks.
There was a problem hiding this comment.
Also there is the nix-shell -i shebang feature for which the Nix documentation even includes a Python example.
|
At the end of the installation I now force it to rebuild all bytecode. Both 2.7 and 3.5 are now deterministic. cc @edanaher could you check regarding your issue? |
| find "$out" -name 'wininst*.exe' | xargs -r rm -f | ||
|
|
||
| # Determinism: rebuild all bytecode | ||
| # We exclude lib2to3 because that's Python 2 code which fails |
There was a problem hiding this comment.
here the reason is slightly different...but it includes incorrect syntax
|
Looks good to me; nvr is nice and fast, and there's only a single EROFS: I still find it a little strange that that file is still attempting to be re-cached, but it's not a significant performance issue. If you're not seeing determinism issues with it, I certainly don't see any problem. |
|
@edanaher I'll have a look at the sysconfigdata issue. For some reason it was removed, and I don't know why. |
FRidh
force-pushed
the
repr
branch
2 times, most recently
from
d7771d4
to
24f5f22
Compare
FRidh
changed the title
|
Versions 2.7, 3.5 and 3.6 are now reproducible. I've applied the patches to 3.4 as well but there's one file left causing problems. I've updated the docs and the release notes. The issue with I think this is ready now. What say you? |
There is some randomness in the Windows installers. Since we don't need them, we delete them.
- Windows installers are indeterministic and we don't need them. - since Python 3 ensurepip is installed by default. pip is indeteministic and we don't need it. - rebuild bytecode to ensure its deterministic
|
@globin its not clear to me what you mean but we can fix that later. |
|
@FRidh: this or something else new on staging has broken 3.4 setuptools: |
|
Thanks @vcunat , I'll have a look at it later today. |
Python: deterministic interpreters (cherry picked from commit 04c41e7)
|
Python 3.4 is fixed with b588ed9 |
|
@vcunat am I correct none of this is in 17.03? |
|
Python 3.6 is fixed with a1f6b8b |
|
@FRidh: this PR is in 17.03. I pushed it in response to your comment. |
|
When rereading it, I probably misunderstood you and just cherry-picked the whole merge, but I suppose it will be OK if we pick these fixes as well? |
|
I saw only the merge and none of the commits in 17.03, so that's why I was asking. Yes, all these commits plus the two fix commits can go in. |
|
For reference, the 17.03 commit: bee7854. I don't know why GitHub doesn't display a mention on this PR – I think it does, normally. |
|
I picked those two commits and tested they fix the builds. |
Python: deterministic interpreters (cherry picked from commit 04c41e7)
Motivation for this change
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)