From 09f6b03b2e15d267303d4086f85b21fe498f3267 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 8 Feb 2017 23:54:44 +0100 Subject: [PATCH 01/11] Python 2.7: improve determinism There is some randomness in the Windows installers. Since we don't need them, we delete them. --- .../interpreters/python/cpython/2.7/default.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/pkgs/development/interpreters/python/cpython/2.7/default.nix b/pkgs/development/interpreters/python/cpython/2.7/default.nix index ccf9296e0bc..0f09bf7650b 100644 --- a/pkgs/development/interpreters/python/cpython/2.7/default.nix +++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix @@ -178,6 +178,17 @@ in stdenv.mkDerivation { echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py rm "$out"/lib/python*/plat-*/regen # refers to glibc.dev + + # Determinism: Windows installers were not deterministic. + # We're also not interested in building Windows installers. + find "$out" -name 'wininst*.exe' | xargs -r rm -f + + # Determinism: rebuild all bytecode + # We exclude lib2to3 because that's Python 2 code which fails + # We rebuild three times, once for each optimization level + find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i - ''; passthru = let From 8970a9c86e0fe0935ed5c53897874f38ba497fac Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Thu, 9 Feb 2017 10:14:21 +0100 Subject: [PATCH 02/11] Python 3.5: improve determinism - Windows installers are indeterministic and we don't need them. - since Python 3 ensurepip is installed by default. pip is indeteministic and we don't need it. - rebuild bytecode to ensure its deterministic --- .../python/cpython/3.5/default.nix | 40 +++++++++++++++---- 1 file changed, 33 insertions(+), 7 deletions(-) 
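Review bot: On Python 2.7 the `-O` and `-OO` runs of compileall both write the same `*.pyo` file, so the third `find $out -name "*.py" | $out/bin/python -OO -m compileall ...` line overwrites the result of the second with docstring-stripped bytecode, and the comment "once for each optimization level" is misleading for this interpreter (3.5 and 3.6 are unaffected because PEP 488 gives `-O` and `-OO` distinct `opt-N` cache names, but the 3.4 hunk in patch 07 has the same overlap). Either drop the `-O` run or state the effect in the comment, e.g. `# Note: on 2.7 -O and -OO share the .pyo name, so the -OO bytecode is what ships`. The three `find $out` invocations also leave `$out` unquoted while the `wininst` line just above quotes it; `find "$out" -name "*.py"` keeps the quoting consistent. The install-phase string these lines live in starts outside the hunk.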
diff --git a/pkgs/development/interpreters/python/cpython/3.5/default.nix b/pkgs/development/interpreters/python/cpython/3.5/default.nix index 215229086b7..10f2029e064 100644 --- a/pkgs/development/interpreters/python/cpython/3.5/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.5/default.nix @@ -50,6 +50,12 @@ in stdenv.mkDerivation { NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s"; + # Determinism: The interpreter is patched to write null timestamps when compiling python files. + # This way python doesn't try to update them when we freeze timestamps in nix store. + DETERMINISTIC_BUILD=1; + # Determinism: We fix the hashes of str, bytes and datetime objects. + PYTHONHASHSEED=0; + prePatch = optionalString stdenv.isDarwin '' substituteInPlace configure --replace '`/usr/bin/arch`' '"i386"' substituteInPlace configure --replace '-Wl,-stack_size,1000000' ' ' 
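Review bot: `PYTHONHASHSEED=0;` disables hash randomization, the mitigation against hash-collision denial of service on dict/set keys built from untrusted input, and the comment above it only says that hashes are fixed. Inside the build sandbox that is harmless, but the manual text added in patch 10 states that both variables are also exported into `nix-shell`, so a long-lived process started from such a shell would run with predictable hashing. Suggest extending the comment to `# Determinism: We fix the hashes of str, bytes and datetime objects. This disables hash randomization (a hash-collision DoS mitigation); it is meant for the build sandbox only, unset it before running services from a nix-shell.` The same attribute pair is added in patch 03 (mk-python-derivation.nix), patch 05 (3.6) and patch 07 (3.4), where the same comment is warranted.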
@@ -63,10 +69,25 @@ in stdenv.mkDerivation { }) ]; - postPatch = optionalString (x11Support && (tix != null)) '' + postPatch = '' + # Determinism + substituteInPlace "Lib/py_compile.py" --replace "source_stats['mtime']" "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])" + # Determinism. This is done unconditionally + substituteInPlace "Lib/importlib/_bootstrap_external.py" --replace "source_mtime = int(st['mtime'])" "source_mtime = 1" + '' + optionalString (x11Support && (tix != null)) '' substituteInPlace "Lib/tkinter/tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'" ''; + CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}"; + LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}"; + LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}"; + + configureFlags = [ + "--enable-shared" + "--with-threads" + "--without-ensurepip" + ]; + preConfigure = '' for i in /usr /sw /opt /pkg; do # improve purity substituteInPlace ./setup.py --replace $i /no-such-path @@ -75,12 +96,6 @@ in stdenv.mkDerivation { export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -msse2" export MACOSX_DEPLOYMENT_TARGET=10.6 ''} - - configureFlagsArray=( --enable-shared --with-threads - CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}" - LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}" - LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}" - ) ''; setupHook = ./setup-hook.sh; 
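Review bot: Neither `substituteInPlace` call in the new `postPatch` verifies that its search string was present, and `substituteInPlace --replace` does not fail the build when it is not, so an upstream change to `Lib/py_compile.py` or `Lib/importlib/_bootstrap_external.py` would silently leave real mtimes in the bytecode while the derivation still appears deterministic; patch 09 in this same series, which corrects the file name and pattern for 3.4, shows that failure mode already occurred once. Adding `grep -q "'DETERMINISTIC_BUILD' in os.environ" Lib/py_compile.py` and `grep -q "source_mtime = 1" Lib/importlib/_bootstrap_external.py` after the substitutions turns a silent no-op into a build failure. The second substitution is also not gated on `DETERMINISTIC_BUILD` like the first, so presumably every `.pyc` this interpreter writes, including outside Nix builds, records source mtime 1; the comment `# Determinism. This is done unconditionally` should spell that out, e.g. `# Determinism. This is done unconditionally, so every .pyc this interpreter writes (not only during Nix builds) records source mtime 1.` The same hunk appears for 3.6 in patch 05 and for 3.4 in patch 07.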
@@ -103,6 +118,10 @@ in stdenv.mkDerivation { # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py + # Determinism: Windows installers were not deterministic. + # We're also not interested in building Windows installers. + find "$out" -name 'wininst*.exe' | xargs -r rm -f + # Use Python3 as default python ln -s "$out/bin/idle3" "$out/bin/idle" ln -s "$out/bin/pip3" "$out/bin/pip" @@ -110,6 +129,13 @@ in stdenv.mkDerivation { ln -s "$out/bin/python3" "$out/bin/python" ln -s "$out/bin/python3-config" "$out/bin/python-config" ln -s "$out/lib/pkgconfig/python3.pc" "$out/lib/pkgconfig/python.pc" + + # Determinism: rebuild all bytecode + # We exclude lib2to3 because that's Python 2 code which fails + # We rebuild three times, once for each optimization level + find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i - ''; postFixup = '' From dd3a501a4ba29c2e929928981dcac3768b44c77b Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Thu, 9 Feb 2017 16:30:15 +0100 Subject: [PATCH 03/11] Python: mkPythonDerivation: use PYTHONHASHSEED=0 --- .../interpreters/python/mk-python-derivation.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/python/mk-python-derivation.nix b/pkgs/development/interpreters/python/mk-python-derivation.nix index c8fedaf75fc..69eea056c76 100644 --- a/pkgs/development/interpreters/python/mk-python-derivation.nix +++ b/pkgs/development/interpreters/python/mk-python-derivation.nix 
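Review bot: `ln -s "$out/bin/pip3" "$out/bin/pip"`, kept as context just below the new `wininst` removal, now targets a file that `--without-ensurepip` (added to `configureFlags` in the previous hunk) stops `make install` from creating, so `$out/bin/pip` becomes a dangling symlink unless pip is provided some other way. Remove that line, or guard it with `[ -e "$out/bin/pip3" ] && ln -s "$out/bin/pip3" "$out/bin/pip"`, and do the same in the matching 3.6 (patch 05) and 3.4 (patch 07) hunks. The install-phase string this sits in starts outside the hunk.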
@@ -57,9 +57,12 @@ python.stdenv.mkDerivation (builtins.removeAttrs attrs ["disabled"] // { inherit pythonPath; - # patch python interpreter to write null timestamps when compiling python files - # this way python doesn't try to update them when we freeze timestamps in nix store + + # Determinism: The interpreter is patched to write null timestamps when compiling python files. + # This way python doesn't try to update them when we freeze timestamps in nix store. DETERMINISTIC_BUILD=1; + # Determinism: We fix the hashes of str, bytes and datetime objects. + PYTHONHASHSEED = 0; buildInputs = [ wrapPython ] ++ buildInputs ++ pythonPath ++ [ (ensureNewerSourcesHook { year = "1980"; }) ] From 14a88e76cf3009b00e7cd57050101a7291a042ed Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Sun, 19 Feb 2017 11:36:05 +0100 Subject: [PATCH 04/11] Python 3.5: use system expat and ffi --- .../development/interpreters/python/cpython/3.5/default.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pkgs/development/interpreters/python/cpython/3.5/default.nix b/pkgs/development/interpreters/python/cpython/3.5/default.nix index 10f2029e064..082f6ff6789 100644 --- a/pkgs/development/interpreters/python/cpython/3.5/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.5/default.nix @@ -1,5 +1,7 @@ { stdenv, fetchurl, fetchpatch , bzip2 +, expat +, libffi , gdbm , lzma , ncurses @@ -32,7 +34,7 @@ let sitePackages = "lib/${libPrefix}/site-packages"; buildInputs = filter (p: p != null) [ - zlib bzip2 lzma gdbm sqlite readline ncurses openssl ] + zlib bzip2 expat lzma libffi gdbm sqlite readline ncurses openssl ] ++ optionals x11Support [ tcl tk libX11 xproto ] ++ optionals stdenv.isDarwin [ CF configd ]; @@ -86,6 +88,8 @@ in stdenv.mkDerivation { "--enable-shared" "--with-threads" "--without-ensurepip" + "--with-system-expat" + "--with-system-ffi" ]; preConfigure = '' From 1531b5edd254fbc3a2d2eae869979045918cb29c Mon Sep 17 00:00:00 2001 
From: Frederik Rietdijk Date: Wed, 22 Feb 2017 15:03:24 +0100 Subject: [PATCH 05/11] Python 3.6: improve determinism --- .../python/cpython/3.6/default.nix | 40 +++++++++++++++---- 1 file changed, 33 insertions(+), 7 deletions(-) diff --git a/pkgs/development/interpreters/python/cpython/3.6/default.nix b/pkgs/development/interpreters/python/cpython/3.6/default.nix index 42f8d109af2..7ccd4fcede6 100644 --- a/pkgs/development/interpreters/python/cpython/3.6/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.6/default.nix @@ -50,6 +50,12 @@ in stdenv.mkDerivation { NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s"; + # Determinism: The interpreter is patched to write null timestamps when compiling python files. + # This way python doesn't try to update them when we freeze timestamps in nix store. + DETERMINISTIC_BUILD=1; + # Determinism: We fix the hashes of str, bytes and datetime objects. + PYTHONHASHSEED=0; + prePatch = optionalString stdenv.isDarwin '' substituteInPlace configure --replace '`/usr/bin/arch`' '"i386"' substituteInPlace configure --replace '-Wl,-stack_size,1000000' ' ' 
@@ -63,10 +69,25 @@ in stdenv.mkDerivation { }) ]; - postPatch = optionalString (x11Support && (tix != null)) '' + postPatch = '' + # Determinism + substituteInPlace "Lib/py_compile.py" --replace "source_stats['mtime']" "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])" + # Determinism. This is done unconditionally + substituteInPlace "Lib/importlib/_bootstrap_external.py" --replace "source_mtime = int(st['mtime'])" "source_mtime = 1" + '' + optionalString (x11Support && (tix != null)) '' substituteInPlace "Lib/tkinter/tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'" ''; + CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}"; + LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}"; + LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}"; + + configureFlags = [ + "--enable-shared" + "--with-threads" + "--without-ensurepip" + ]; + preConfigure = '' for i in /usr /sw /opt /pkg; do # improve purity substituteInPlace ./setup.py --replace $i /no-such-path @@ -75,12 +96,6 @@ in stdenv.mkDerivation { export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -msse2" export MACOSX_DEPLOYMENT_TARGET=10.6 ''} - - configureFlagsArray=( --enable-shared --with-threads - CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}" - LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}" - LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}" - ) ''; setupHook = ./setup-hook.sh; 
@@ -103,6 +118,10 @@ in stdenv.mkDerivation { # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py + # Determinism: Windows installers were not deterministic. + # We're also not interested in building Windows installers. + find "$out" -name 'wininst*.exe' | xargs -r rm -f + # Use Python3 as default python ln -s "$out/bin/idle3" "$out/bin/idle" ln -s "$out/bin/pip3" "$out/bin/pip" @@ -110,6 +129,13 @@ in stdenv.mkDerivation { ln -s "$out/bin/python3" "$out/bin/python" ln -s "$out/bin/python3-config" "$out/bin/python-config" ln -s "$out/lib/pkgconfig/python3.pc" "$out/lib/pkgconfig/python.pc" + + # Determinism: rebuild all bytecode + # We exclude lib2to3 because that's Python 2 code which fails + # We rebuild three times, once for each optimization level + find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i - ''; passthru = let From d33f6f40321d98c58c32feb3faa943e7745623e1 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 22 Feb 2017 15:03:40 +0100 Subject: [PATCH 06/11] Python 3.6: use system expat and ffi --- pkgs/development/interpreters/python/cpython/3.6/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/development/interpreters/python/cpython/3.6/default.nix b/pkgs/development/interpreters/python/cpython/3.6/default.nix index 7ccd4fcede6..ebf621d5057 100644 --- a/pkgs/development/interpreters/python/cpython/3.6/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.6/default.nix @@ -1,6 +1,8 @@ { stdenv, fetchurl, fetchpatch , glibc , bzip2 +, expat +, libffi , gdbm , lzma , ncurses 
@@ -86,6 +88,8 @@ in stdenv.mkDerivation { "--enable-shared" "--with-threads" "--without-ensurepip" + "--with-system-expat" + "--with-system-ffi" ]; preConfigure = '' From 1bbf249befb19fd477613b278d012757e02c69ac Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 22 Feb 2017 15:07:21 +0100 Subject: [PATCH 07/11] Python 3.4: improve determinism --- .../python/cpython/3.4/default.nix | 45 ++++++++++++++----- 1 file changed, 35 insertions(+), 10 deletions(-) diff --git a/pkgs/development/interpreters/python/cpython/3.4/default.nix b/pkgs/development/interpreters/python/cpython/3.4/default.nix index 72419f8e194..7508c39319e 100644 --- a/pkgs/development/interpreters/python/cpython/3.4/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.4/default.nix 
@@ -50,21 +50,41 @@ in stdenv.mkDerivation { NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s"; + # Determinism: The interpreter is patched to write null timestamps when compiling python files. + # This way python doesn't try to update them when we freeze timestamps in nix store. + DETERMINISTIC_BUILD=1; + # Determinism: We fix the hashes of str, bytes and datetime objects. + PYTHONHASHSEED=0; + prePatch = optionalString stdenv.isDarwin '' substituteInPlace configure --replace '`/usr/bin/arch`' '"i386"' substituteInPlace configure --replace '-Wl,-stack_size,1000000' ' ' ''; - postPatch = optionalString (x11Support && (tix != null)) '' + postPatch = '' + # Determinism + substituteInPlace "Lib/py_compile.py" --replace "source_stats['mtime']" "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])" + # Determinism. This is done unconditionally + substituteInPlace "Lib/importlib/_bootstrap_external.py" --replace "source_mtime = int(st['mtime'])" "source_mtime = 1" + '' + optionalString (x11Support && (tix != null)) '' substituteInPlace "Lib/tkinter/tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'" '' # Avoid picking up getentropy() from glibc >= 2.25, as that would break # on older kernels. http://bugs.python.org/issue29157 - + optionalString stdenv.isLinux - '' + + optionalString stdenv.isLinux '' substituteInPlace Python/random.c --replace 'defined(HAVE_GETENTROPY)' '0' cat Python/random.c - ''; + ''; + + CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}"; + LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}"; + LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}"; + + configureFlags = [ + "--enable-shared" + "--with-threads" + "--without-ensurepip" + ]; preConfigure = '' for i in /usr /sw /opt /pkg; do # improve purity 
@@ -74,12 +94,6 @@ in stdenv.mkDerivation { export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -msse2" export MACOSX_DEPLOYMENT_TARGET=10.6 ''} - - configureFlagsArray=( --enable-shared --with-threads - CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}" - LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}" - LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}" - ) ''; setupHook = ./setup-hook.sh; @@ -102,6 +116,10 @@ in stdenv.mkDerivation { # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py + # Determinism: Windows installers were not deterministic. + # We're also not interested in building Windows installers. + find "$out" -name 'wininst*.exe' | xargs -r rm -f + # Use Python3 as default python ln -s "$out/bin/idle3" "$out/bin/idle" ln -s "$out/bin/pip3" "$out/bin/pip" @@ -109,6 +127,13 @@ in stdenv.mkDerivation { ln -s "$out/bin/python3" "$out/bin/python" ln -s "$out/bin/python3-config" "$out/bin/python-config" ln -s "$out/lib/pkgconfig/python3.pc" "$out/lib/pkgconfig/python.pc" + + # Determinism: rebuild all bytecode + # We exclude lib2to3 because that's Python 2 code which fails + # We rebuild three times, once for each optimization level + find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i - ''; postFixup = '' From 57ded03833df30d15fbfe9238f02ddf1a88d2c65 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 22 Feb 2017 15:07:35 +0100 Subject: [PATCH 08/11] Python 3.4: use system expat and ffi --- pkgs/development/interpreters/python/cpython/3.4/default.nix | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/pkgs/development/interpreters/python/cpython/3.4/default.nix b/pkgs/development/interpreters/python/cpython/3.4/default.nix index 7508c39319e..44ee739fd39 100644 --- a/pkgs/development/interpreters/python/cpython/3.4/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.4/default.nix @@ -1,5 +1,7 @@ { stdenv, fetchurl , bzip2 +, expat +, libffi , gdbm , lzma , ncurses @@ -84,6 +86,8 @@ in stdenv.mkDerivation { "--enable-shared" "--with-threads" "--without-ensurepip" + "--with-system-expat" + "--with-system-ffi" ]; preConfigure = '' From 04b7a2791e50614fb36eb3dfc0c080c3617c9178 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 22 Feb 2017 15:42:34 +0100 Subject: [PATCH 09/11] Python 3.4: improve determinism --- pkgs/development/interpreters/python/cpython/3.4/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/interpreters/python/cpython/3.4/default.nix b/pkgs/development/interpreters/python/cpython/3.4/default.nix index 44ee739fd39..143dbcd5686 100644 --- a/pkgs/development/interpreters/python/cpython/3.4/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.4/default.nix @@ -67,7 +67,7 @@ in stdenv.mkDerivation { # Determinism substituteInPlace "Lib/py_compile.py" --replace "source_stats['mtime']" "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])" # Determinism. This is done unconditionally - substituteInPlace "Lib/importlib/_bootstrap_external.py" --replace "source_mtime = int(st['mtime'])" "source_mtime = 1" + substituteInPlace "Lib/importlib/_bootstrap.py" --replace "source_mtime = int(source_stats['mtime'])" "source_mtime = 1" '' + optionalString (x11Support && (tix != null)) '' substituteInPlace "Lib/tkinter/tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'" '' From 37704e90e29893121837b662eb0a34af2b8acf48 Mon Sep 17 00:00:00 2001 
From: Frederik Rietdijk Date: Wed, 22 Feb 2017 15:55:58 +0100 Subject: [PATCH 10/11] Python: explain deterministic build in docs --- doc/languages-frameworks/python.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/doc/languages-frameworks/python.md b/doc/languages-frameworks/python.md index 19f241fb185..0c7e521b11e 100644 --- a/doc/languages-frameworks/python.md +++ b/doc/languages-frameworks/python.md @@ -641,6 +641,19 @@ community to help save time. No tool is preferred at the moment. - [pypi2nix](https://github.com/garbas/pypi2nix) by Rok Garbas - [pypi2nix](https://github.com/offlinehacker/pypi2nix) by Jaka Hudoklin +### Deterministic builds + +Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly. +Minor modifications had to be made to the interpreters in order to generate +deterministic bytecode. This has security implications and is relevant for +those using Python in a `nix-shell`. + +When the environment variable `DETERMINISTIC_BUILD` is set, all bytecode will have timestamp 1. +The `buildPythonPackage` function sets `DETERMINISTIC_BUILD` as well as +[PYTHONHASHSEED](https://docs.python.org/3.5/using/cmdline.html#envvar-PYTHONHASHSEED). +Both are also exported in `nix-shell`. + + ## FAQ ### How can I install a working Python environment? From f69292ddc019d222a5c458c7095ccc8815abce53 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 22 Feb 2017 15:56:16 +0100 Subject: [PATCH 11/11] Python: explain deterministic builds in release notes --- nixos/doc/manual/release-notes/rl-1703.xml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml index 3758a3bf2aa..aa9dc455ba2 100644 --- a/nixos/doc/manual/release-notes/rl-1703.xml +++ b/nixos/doc/manual/release-notes/rl-1703.xml 
@@ -253,6 +253,17 @@ following incompatible changes: + + + Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly. + Minor modifications had to be made to the interpreters in order to generate + deterministic bytecode. This has security implications and is relevant for + those using Python in a nix-shell. See the Nixpkgs manual + for details. + + + +