This repository has been archived by the owner on Dec 1, 2023. It is now read-only.
I was just checking out how we build platform independent wheels (good job here, thanks!) and it looks like we are downloading and using some external dependencies (like boost, zlib).
To guarantee reproducibility and pin down what we bake into the wheel, we should probably make sure the downloaded files' checksums match what we expect, and error out if they don't.
This is a good idea. As we are moving towards manylinux2010, there will be no "our" downloads. All will be done either by multibuild or we will rely on CentOS binary packages.
For multibuild I propose that we handle the integrity checks within multibuild itself.
This still will not guarantee bit-for-bit reproducibility (e.g. security updates in dependent libraries), but I guess this will improve trust in what we build.
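The check requested in the issue and proposed for multibuild in the reply, as an added example that is neither this project's code nor multibuild's: download a dependency tarball, hash it while it streams in, and only move it into place if the SHA-256 matches a pinned value. The file names, the `file://` URL and the `b"abc"` content used by `self_check` are constructed for the demonstration; real pins would be the digests of the actual boost/zlib archives. Note that pinning a digest fixes exactly one archive, so as the reply says, bumping a dependency for a security fix still means changing the pin.

```python
"""Fetch a build dependency and refuse to use it unless its SHA-256 matches a pinned value.

Added example for this issue thread; not part of the project or of multibuild.
"""
import hashlib
import hmac
import os
import tempfile
import urllib.request


class ChecksumMismatch(Exception):
    """Raised when a downloaded file's digest does not match the pinned one."""


def sha256_of_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, streaming so large tarballs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_verified(url, expected_sha256, dest_path):
    """Download url to dest_path only if its SHA-256 equals expected_sha256.

    The body is written to a temporary file in the destination directory and
    hashed as it streams in. Only on a match is it renamed into place, so a
    tampered or truncated download never shows up at dest_path for the build
    to pick up; on mismatch (or any error) the partial file is removed.
    """
    expected = expected_sha256.lower()
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    os.makedirs(dest_dir, exist_ok=True)
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, prefix=".partial-")
    h = hashlib.sha256()
    try:
        with os.fdopen(fd, "wb") as out, urllib.request.urlopen(url) as resp:
            for chunk in iter(lambda: resp.read(1 << 20), b""):
                h.update(chunk)
                out.write(chunk)
        actual = h.hexdigest()
        # compare_digest avoids leaking the mismatch position via timing; cheap to use here.
        if not hmac.compare_digest(actual, expected):
            raise ChecksumMismatch(
                "%s: expected sha256 %s, got %s" % (url, expected, actual)
            )
        os.replace(tmp_path, dest_path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return dest_path


# SHA-256 of the three bytes b"abc"; used as the "pinned" digest for the constructed sample below.
ABC_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def self_check():
    """Exercise fetch_verified against a constructed local file served via file://.

    Returns (fetched_ok, mismatch_rejected, no_leftovers). Everything here is
    constructed sample data, not a real dependency archive.
    """
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "zlib-src.tar.gz")  # stand-in name; contents are just b"abc"
        with open(src, "wb") as f:
            f.write(b"abc")
        url = "file://" + urllib.request.pathname2url(src)
        out_dir = os.path.join(work, "out")

        good = os.path.join(out_dir, "zlib-good.tar.gz")
        fetched_ok = (
            fetch_verified(url, ABC_SHA256, good) == good
            and sha256_of_file(good) == ABC_SHA256
        )

        mismatch_rejected = False
        try:
            # A wrong pin must raise and must not leave the bad file behind.
            fetch_verified(url, "00" * 32, os.path.join(out_dir, "zlib-bad.tar.gz"))
        except ChecksumMismatch:
            mismatch_rejected = True

        leftovers = [n for n in os.listdir(out_dir) if n != "zlib-good.tar.gz"]
        return fetched_ok, mismatch_rejected, not leftovers


if __name__ == "__main__":
    print(self_check())
```

In a real build script the `url`/`expected_sha256` pairs would live in one pinned manifest next to the build configuration, so a dependency bump is a reviewable diff of both the URL and the digest.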