[Python-Dev] Licensing issue (?) for Frozen Python? [was: More optimisation ideas]

Barry Warsaw barry at python.org
Sat Feb 6 09:32:19 EST 2016


On Feb 06, 2016, at 04:38 PM, Chris Angelico wrote:

>Right, sure. The technical problems are still there. Although I'm
>fairly confident that Debian's binaries would correspond to Debian's
>source - but honestly, if I'm looking for sources for anything other
>than the kernel, I probably want to get the latest from source
>control, rather than using the somewhat older version shipped in the
>repos.
>
>As to availability, though, most of the big distros (including Debian)
>keep their sources around for a long time.

Not to get too deep into what other projects do, but yes in Debian, you can
always get the patched source that corresponds to the binary you've
installed, usually in both version controlled form and otherwise.  I'd expect
this to be true of most if not all of the Linux distros.

A more interesting question is how you can actually verify this equivalence,
and there are folks across the ecosystem working on reproducible builds.  The
idea is that you should be able to take the source that *claims* to correspond
to that binary, and using the established build tools, locally reproduce a
bit-wise exact duplicate of the binary.  I've applied and submitted several
patches to various upstreams that help with this effort, such as being able to
pass in "locked" datetimes instead of the package always using
e.g. datetime.now().

Let's not dive down the rabbit hole too far into how you can trust your build
tool chain, and every other layer down to the quantum.

Cheers,
-Barry
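
The "locked" datetime idea above, as an added example that is not part of the original message or of any Debian or upstream patch: a toy build step that takes its timestamp from SOURCE_DATE_EPOCH (the Reproducible Builds project's environment variable, assumed here as the locking mechanism; the message names none) and otherwise falls back to datetime.now(), plus the rebuild-and-compare check. The file names, contents and epoch value are constructed.

```python
import hashlib
import io
import os
import tarfile
from datetime import datetime, timezone

# Constructed sample "source tree": member name -> contents.
SOURCES = {
    "pkg/__init__.py": b"VERSION = '1.0'\n",
    "pkg/core.py": b"def run():\n    return 42\n",
}


def build_time(env=None):
    """Return the locked build time if one is passed in, else the wall clock."""
    env = os.environ if env is None else env
    locked = env.get("SOURCE_DATE_EPOCH")
    if locked is not None:
        return datetime.fromtimestamp(int(locked), tz=timezone.utc)
    return datetime.now(tz=timezone.utc)  # differs on every build


def build(env=None):
    """Build an uncompressed tar in memory, including a stamped BUILD_INFO."""
    stamp = build_time(env)
    files = dict(SOURCES)
    files["pkg/BUILD_INFO"] = f"built {stamp.isoformat()}\n".encode()
    buf = io.BytesIO()
    # Pin the tar format so the output does not depend on the Python version.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in sorted(files):  # fixed member order
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = int(stamp.timestamp())  # metadata uses the locked time too
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()


def reproduces(published_digest, env):
    """Verifier's side: rebuild from the claimed source, compare bit for bit."""
    return digest(build(env)) == published_digest
```

The timestamp is only one source of variation; member order, ownership and mode are fixed here for the same reason.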

