feat: add environment variable to disable writing installer metadata files #8877
Conversation
adisbladis
force-pushed
the
reproducible-builds-no-dist-info
branch
6 times, most recently
from
aaa8644 to
0b53fc9
Compare
|
Thanks for putting up the PR! Note to other reviewers, we briefly discussed using an environment variable for this in Discord. I don't have strong opinions on the name, but we might want to use Otherwise, I'm not well suited to be the primary reviewer for this. Perhaps @konstin or @charliermarsh would be interested. |
adisbladis
force-pushed
the
reproducible-builds-no-dist-info
branch
from
0b53fc9 to
94ebfbb
Compare
It made more sense to me when writing this to think about it the other way around, but it's indeed seems more consistent with other options to use |
adisbladis
force-pushed
the
reproducible-builds-no-dist-info
branch
3 times, most recently
from
7d992a0 to
64977b4
Compare
|
What's the motivation for going through wheel installation for repackaging over re-zipping the wheel into the target format you are interested in? |
Sorry, I don't understand the question? I'll explain my use case in more detail, hopefully we'll find some understanding. The use case for this PR is to replace usage of
In nixpkgs we use:
For distribution packaging we want reproducible builds, meaning that the outputs produced by a packaging script should be bit-for-bit identical. I have implemented an alternative Python build infrastructure for Nix where I use uv. At some point in the future I'd like to replace the nixpkgs install hook with a uv implementation too. A requisite for that is that outputs are reproducible. |
adisbladis
force-pushed
the
reproducible-builds-no-dist-info
branch
2 times, most recently
from
ca26dd0 to
8313229
Compare
|
Ping @charliermarsh |
|
I'm not super excited to maintain this but I see the value. I think we should call this "installer metadata" rather than "extra dist-info", since the latter is just a term we made up within the wheel installer crate. How's that sound? |
adisbladis
force-pushed
the
reproducible-builds-no-dist-info
branch
3 times, most recently
from
aceed99 to
3cf1701
Compare
Thank you. I understand that the use case is a bit niche from a Python perspective.
Yep, that sounds much better! |
adisbladis
changed the title
…files This change introduces the `UV_NO_INSTALLER_METADATA` environment variable as a way to opt out of the extra installer metadata files that `uv` is creating. This is important to achieve reproducible builds in distribution packaging, allowing to replace usage of [installer](https://pypi.org/project/installer) with `uv pip install`. At the time of writing these files are: - `uv_cache.json` Contains timestamps which are non-reproducible. These hashes also leak in to the `RECORD` file. - `direct_url.json` Contains the path to the installed wheel. While not non-reproducible it's not required for distribution packaging. - `INSTALLER` Again, not non-reproducible, but of no value in distribution packaging.
adisbladis
force-pushed
the
reproducible-builds-no-dist-info
branch
from
3cf1701 to
83374b1
Compare
|
Ping again @charliermarsh |
|
Ack, will review (and hopefully merge) soon. |
astral-sh/uv#8877 was merged, but the feature is not released yet. Set the env var in preparation of the next release that contains the reproducibility fix.
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.5.6` -> `0.5.7` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>astral-sh/uv (astral-sh/uv)</summary> ### [`v0.5.7`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#057) [Compare Source](astral-sh/uv@0.5.6...0.5.7) ##### Enhancements - Ignore dynamic version in source dist ([#​9549](astral-sh/uv#9549)) - Improve build frontend error handling ([#​9611](astral-sh/uv#9611)) - Un-hide `uv build --no-build-logs` option ([#​9642](astral-sh/uv#9642)) - Flag version mismatch between sdist and wheel during `uv build` ([#​9633](astral-sh/uv#9633)) - Improve message when updater receipt is for a different uv executable ([#​9487](astral-sh/uv#9487)) - Add environment variable to disable writing installer metadata files ([#​8877](astral-sh/uv#8877)) - Add managed downloads for the latest CPython releases: `3.9.21`, `3.10.16`, `3.11.11`, `3.12.8`, and `3.13.1` ([#​9696](astral-sh/uv#9696)) ##### Preview features - Build backend: Add hint on import with preview disabled ([#​9691](astral-sh/uv#9691)) - Build backend: Add direct builds to the resolver and installer ([#​9621](astral-sh/uv#9621)) - Build backend: Add integration test for scripts ([#​9635](astral-sh/uv#9635)) - Build backend: Add template to `uv init` ([#​9661](astral-sh/uv#9661)) - Build backend: Add `--list` option ([#​9610](astral-sh/uv#9610)) ##### Bug fixes - Create missing parent directories for output file of `uv export` / `uv pip compile` ([#​9648](astral-sh/uv#9648)) - Fix missing display of non-freethreaded Python 3.13 in `python list` ([#​9669](astral-sh/uv#9669)) - Implement `Ord` and `PartialOrd` without origin for `Requirement` ([#​9624](astral-sh/uv#9624)) - Include more sources to avoid lowest bound warning ([#​9644](astral-sh/uv#9644)) - Respect build tag priority in `uv.lock` ([#​9677](astral-sh/uv#9677)) ##### Documentation - Add `build-essentials` note to build failures doc ([#​9641](astral-sh/uv#9641)) - Add entry-point for distroless image in GitLab documentation ([#​9093](astral-sh/uv#9093)) - Add documentation for `uv python pin` without a `REQUEST` argument ([#​9631](astral-sh/uv#9631)) - Add a link to `uv python pin` reference docs ([#​9630](astral-sh/uv#9630)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
Summary
This change introduces the
UV_NO_INSTALLER_METADATAenvironment variableas a way to opt out of the extra installer metadata files that
uvis creating.This is important to achieve reproducible builds in distribution
packaging, allowing to replace usage of
installer with
uv pip install.At the time of writing these files are:
uv_cache.jsonContains timestamps which are non-reproducible.
These hashes also leak in to the
RECORDfile.direct_url.jsonContains the path to the installed wheel.
While not non-reproducible it's not required for distribution packaging.
INSTALLERAgain, not non-reproducible, but of no value in distribution packaging.
Test Plan
Automated test added.