Currently verify_release (the script that confirms build reproducibility) just runs python3 -m build. This can lead to the source tarball including unexpected files (which in turn changes the wheel, as the wheel metadata refers to the source files).
Workaround: run git clean -xdf to delete all non-committed files in the source directory before running verify_release.
Possible fixes:
- the source tarball should not include files (e.g. files inside tuf/api/.mypy_cache/) just because they are in the source dir?
- OR verify_release should create a clean git clone before running build
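As an added illustration of the first fix (not code from the python-tuf verify_release script), the check below lists sdist members that are not git-tracked, so stray files such as a .mypy_cache directory show up before the tarball is compared. The sample tarball is constructed inline; git_tracked_files and the allowed generated names (only PKG-INFO here) are assumptions for the example.

```python
"""Find files in an sdist that are not tracked by git (added example)."""
import io
import subprocess
import tarfile
from pathlib import Path


def git_tracked_files(repo: Path) -> set[str]:
    """Return the paths git tracks in `repo`, relative to the repo root."""
    out = subprocess.run(
        ["git", "-C", str(repo), "ls-files"],
        check=True, capture_output=True, text=True,
    ).stdout
    return set(out.split())


def unexpected_members(sdist_bytes: bytes, tracked: set[str],
                       generated: frozenset[str] = frozenset({"PKG-INFO"})) -> list[str]:
    """Return sdist members that are neither git-tracked nor known build output.

    sdist members are prefixed with '<name>-<version>/', which is stripped
    before comparing against the tracked paths.
    """
    unexpected = []
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            _, _, rel = member.name.partition("/")  # drop the top-level dir
            if rel in generated or rel in tracked:
                continue
            unexpected.append(rel)
    return sorted(unexpected)


def make_sample_sdist() -> bytes:
    """Constructed sample sdist: one tracked source file plus a stray cache file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("tuf-0.0/PKG-INFO",
                     "tuf-0.0/tuf/api/metadata.py",
                     "tuf-0.0/tuf/api/.mypy_cache/3.10/metadata.meta.json"):
            info = tarfile.TarInfo(name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    # Against a real checkout: unexpected_members(Path("dist/x.tar.gz").read_bytes(),
    #                                             git_tracked_files(Path(".")))
    print(unexpected_members(make_sample_sdist(), {"tuf/api/metadata.py"}))
```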