Giters

abhinavsingh / proxy.py

💫 Ngrok FRP Alternative • ⚡ Fast • 🪶 Lightweight • 0️⃣ Dependency • 🔌 Pluggable • 😈 TLS interception • 🔒 DNS-over-HTTPS • 🔥 Poor Man's VPN • ⏪ Reverse & ⏩ Forward • 👮🏿 "Proxy Server" framework • 🌐 "Web Server" framework • ➵ ➶ ➷ ➠ "PubSub" framework • 👷 "Work" acceptor & executor framework

Home Page:https://abhinavsingh.com/proxy-py-a-lightweight-single-file-http-proxy-server-in-python/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Entry in .git_archival.txt makes repository artifacts non-reproducible

dvzrv opened this issue · comments

commented

Describe the bug
Hi 👋

We are currently rebuilding all relevant packages against Python 3.12 on Arch Linux.

While revisiting the proxy.py package I noticed that it uses setuptools_scm and a .git_archival.txt setup which makes the artifacts of this repository non-reproducible.

As we would like to be able to rely on transparent sources (those not created by a custom process) for our packages, it would be great if you could revise/ remove the .git_archival.txt file from this repository.

To Reproduce
Steps to reproduce the behavior:

  1. Download an auto-generated tarball of a tag/ tag commit right after its creation
  2. Download an auto-generated tarball of a tag/ tag commit after an additional commit has been done on the default branch
  3. The checksums do not match

Expected behavior
The artifacts of a repository (the auto-generated tarballs) do not change due to arbitrary changes to the repository done after a tag.

Version information

  • OS: all
  • Browser: n/a
  • Device: n/a
  • proxy.py Version: all with the .git_archival.txt

Additional context
The problem has been discussed upstream in pypa/setuptools_scm#806 and led to them revising (removing) the problematic content in question in their documentation (pypa/setuptools_scm#1033).

Screenshots
n/a

commented

Including @webknjaz in the discussion. We already changed a few things within .git_archival.txt last month (see #1345). I also understand the concern that @dvzrv is raising (regarding non-reproducible artifacts). Can you provide some guidance here from your experience. Thank you

commented

The guidance is the same as in many other repos where @dvzrv opened the same issue — use sdists on PyPI. They are immutable and are the source for the downstreams. Using regular Git instead of the exported archive should also work.
Proxy.py can also use https://github.com/re-actors/checkout-python-sdist to guarantee that all the necessary sources are actually available in sdists long-term.

commented

The guidance is the same as in many other repos [..] — use sdists on PyPI.

No, the guidance should instead be to follow the revised upstream documentation of setuptools_scm (https://github.com/pypa/setuptools_scm/pull/1033/files) and remove known problematic settings from that file :)

Using regular Git instead of the exported archive should also work.

It doesn't (as one can not lock the file contents at a given tag due to the problematic settings in .git_archival.txt).

@abhinavsingh AFAIK this entire topic is basically down to two things (for you as project maintainer):

  • If you have to rely on building from auto-generated source tarballs and can not use the available overrides, use a .git_archival.txt without the problematic settings.
  • If you don't have to rely on building from auto-generated source tarballs at all, don't use a .git_archival.txt (as overrides exist)
commented

Ah, so one line can be removed and I that'll work. I'll need to adjust it in my projects too, then.

Git archive is something that is useful for non-tagged commits so I wouldn't remove the use of this feature. It's much more frictionless, than having to instruct the users to set env vars.