<<On Sun, 25 Jan 2015 02:47:12 +0100, Dag-Erling Smørgrav <des at des.no> said:

> Garrett Wollman <wollman at csail.mit.edu> writes:
>> Checking for packages with mismatched checksums:
>> p5-XML-SAX-0.99_2: /usr/local/lib/perl5/site_perl/XML/SAX/ParserDetails.ini

> This file is updated whenever you install or remove a SAX parser, so
> this is expected. There are at least half a dozen different Perl SAX
> implementations in the ports tree.

So perhaps this file should be treated as, um, whatever our equivalent of a "conffile" is from dpkg-land.

> These are Python bytecode files. They are automatically regenerated if
> you have write access to them and Python thinks they are stale when it
> tries to load them. Apparently, Python's definition of "stale" is
> slightly more complex than just comparing timestamps; they are one of
> the reasons why Baptiste gave up reproducible package builds.

That's unfortunate. Perhaps either Python can be trained to write updated copies somewhere else? Or maybe we can generate them at package installation rather than shipping pregenerated versions? (Would slow down builds of dependent packages, but those are the breaks.)

> Is your clock synchronized with NTP? Is this a VM? What is the
> underlying filesystem?

Yes, on all machines; no; and ZFS.

-GAWollman
On 2015-Jan-24 22:03:23 -0500, Garrett Wollman <wollman at bimajority.org> wrote:
><<On Sun, 25 Jan 2015 02:47:12 +0100, Dag-Erling Smørgrav <des at des.no> said:
>> These are Python bytecode files. They are automatically regenerated if
>> you have write access to them and Python thinks they are stale when it
>> tries to load them. Apparently, Python's definition of "stale" is
>> slightly more complex than just comparing timestamps; they are one of
>> the reasons why Baptiste gave up reproducible package builds.
>
>That's unfortunate. Perhaps either Python can be trained to write
>updated copies somewhere else?

If Python isn't going to use the .pyc files we ship (because it thinks they are out of date), we might as well not ship them.

> Or maybe we can generate them
>at package installation rather than shipping pregenerated versions?

My feeling is that we should only distribute .py files and build the .pyc files at package install time. As far as I can see, this is what Ubuntu and Debian (the two Linux distros I have ready access to) do.

>(Would slow down builds of dependent packages, but those are the
>breaks.)

It would be interesting to know how big an impact this is.

--
Peter Jeremy
Garrett Wollman <wollman at bimajority.org> writes:
> Dag-Erling Smørgrav <des at des.no> writes:
> > These are Python bytecode files. They are automatically regenerated if
> > you have write access to them and Python thinks they are stale when it
> > tries to load them. Apparently, Python's definition of "stale" is
> > slightly more complex than just comparing timestamps; they are one of
> > the reasons why Baptiste gave up reproducible package builds.
> That's unfortunate.

Well, it's a bug. I assume that you're using official packages and don't have a locally compiled Python interpreter or anything like that? Could you perhaps turn on auditing in order to find out what's touching these files?

DES
--
Dag-Erling Smørgrav - des at des.no
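
Added example, not part of the thread and not FreeBSD or pkg code: a checker that reads a .pyc header and reports whether the interpreter would treat it as stale, which is the condition under which a shipped .pyc gets rewritten and then fails a package checksum audit. It assumes the CPython 3.7+ header layout (PEP 552), which is newer than this 2015 thread; the module name and file contents are constructed.

```python
import importlib.util
import os
import py_compile
import struct
import tempfile

MODE = py_compile.PycInvalidationMode


def pyc_status(source_path, pyc_path):
    """Classify a .pyc as CPython 3.7+ import would: fresh, stale, bad-magic, unchecked."""
    with open(pyc_path, "rb") as f:
        header = f.read(16)  # magic(4) + flags(4) + 8 bytes of validation data
    if len(header) < 16 or header[:4] != importlib.util.MAGIC_NUMBER:
        return "bad-magic"  # compiled by a different interpreter version
    (flags,) = struct.unpack("<I", header[4:8])
    if flags & 0x1:  # hash-based .pyc: validation data is a hash of the source
        if not flags & 0x2:
            return "unchecked"  # check_source bit clear: never revalidated
        with open(source_path, "rb") as f:
            digest = importlib.util.source_hash(f.read())
        return "fresh" if header[8:16] == digest else "stale"
    # Timestamp-based .pyc: validation data is source mtime and size, 32 bits each.
    mtime, size = struct.unpack("<II", header[8:16])
    st = os.stat(source_path)
    same = (mtime == (int(st.st_mtime) & 0xFFFFFFFF)
            and size == (st.st_size & 0xFFFFFFFF))
    return "fresh" if same else "stale"


def demo():
    """Constructed scenario: same source bytes, but the .py mtime changes after build."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "mod.py")  # constructed sample module
        with open(src, "w") as f:
            f.write("x = 1\n")
        ts = py_compile.compile(src, cfile=os.path.join(d, "ts.pyc"),
                                invalidation_mode=MODE.TIMESTAMP)
        hashed = py_compile.compile(src, cfile=os.path.join(d, "hash.pyc"),
                                    invalidation_mode=MODE.CHECKED_HASH)
        before = (pyc_status(src, ts), pyc_status(src, hashed))
        st = os.stat(src)
        os.utime(src, (st.st_atime, st.st_mtime + 10))  # content unchanged
        after = (pyc_status(src, ts), pyc_status(src, hashed))
    return {"as_built": before, "after_mtime_change": after}


if __name__ == "__main__":
    print(demo())
```

The timestamp-based file goes stale on an mtime change alone, while the checked-hash file stays valid as long as the source bytes are identical.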