This repository has been archived by the owner on Dec 1, 2023. It is now read-only.

Checksums for external deps we download #2

Open
daniel-j-h opened this issue Mar 18, 2019 · 1 comment

@daniel-j-h

I was just checking out how we build platform-independent wheels (good job here, thanks! 🙇‍♂️) and it looks like we are downloading and using some external dependencies (like boost, zlib).

To guarantee reproducibility and pin down what we bake into the wheel, we should probably make sure the downloaded files' checksums match what we expect, and error out if they don't.
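One way to implement the check proposed above, as an added example in shell (this is not code from this repository): each downloaded artifact is compared against a pinned SHA-256 and the build aborts, deleting the file, on any mismatch. The URL and hash in `fetch_verified` are placeholders, not the project's real values.

```shell
#!/usr/bin/env bash
# Added example: verify pinned SHA-256 checksums of downloaded build deps.
# Placeholder URLs/hashes below are NOT the project's values.
set -eu

sha256_of() {
  # Portable SHA-256 of a file: coreutils sha256sum on Linux, shasum on macOS.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_checksum() {
  # verify_checksum <file> <expected-sha256>
  # Returns 0 when the file's digest matches, 1 when it is missing or differs.
  local file="$1" expected="$2" actual
  if [ ! -f "$file" ]; then
    echo "error: $file does not exist" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "error: checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

fetch_verified() {
  # fetch_verified <url> <dest> <expected-sha256>
  # Downloads, then refuses to keep the file unless it matches the pinned digest,
  # so a tampered or corrupted tarball can never be baked into the wheel.
  local url="$1" dest="$2" expected="$3"
  curl -fsSL -o "$dest" "$url"
  if ! verify_checksum "$dest" "$expected"; then
    rm -f "$dest"
    return 1
  fi
}

# Usage (placeholder URL and hash; replace with the vetted values for each dep):
# fetch_verified "https://example.invalid/zlib-1.2.11.tar.gz" zlib-1.2.11.tar.gz \
#   "<sha256 recorded when the tarball was vetted>"
```

Under `set -e` a failing `fetch_verified` call at the top level of a build script stops the build immediately, which is the "error out" behaviour wanted here.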

@wiktorn
Collaborator

wiktorn commented Feb 17, 2020

This is a good idea. As we are moving towards manylinux2010, there will be no "our" downloads. All will be done either by multibuild, or we will rely on CentOS binary packages.

For multibuild I propose that we handle the integrity checks within multibuild itself.

This still will not guarantee bit-for-bit reproducibility (e.g. security updates in dependent libraries), but I guess this will improve trust in what we build.
