Starting with IPython 7.16.1 (released in June 2020), you should be able to recreate the sdist (.tar.gz) and wheel (.whl) and get byte-for-byte identical results to the artifacts published on PyPI. This is a critical step toward being able to trust your computing platform, and a key component in making build and packaging platforms more efficient. It could also speed up conda environment creation for users. The following goes into some of the reasons why you should care.
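"Byte-for-byte identical" is the whole claim, so the practical question is how to check it and, when the check fails, how to find out why. The following is an added example, not code from the IPython post or project: it hashes a locally built artifact against the digest you expect (the one PyPI publishes for the file), and, for wheels, which are zip files, reports the usual reproducibility breakers member by member: entry order, timestamps, file modes, and content. The `SAMPLE_MEMBERS` package layout, the package name `demo`, and the `SOURCE_DATE_EPOCH` value used here are constructed for the example; the behaviour of the Python `zipfile` module is real.

```python
"""Check a built wheel for byte-for-byte reproducibility and explain any mismatch.

Added example. The sample package contents below are constructed, not taken
from IPython; the point is the check, not the package.
"""
import hashlib
import io
import time
import zipfile
from typing import Dict, List, Optional

# Constructed sample: a tiny pure-Python package, inserted in an order that
# does NOT sort, so a naive build and a normalised build differ visibly.
SAMPLE_MEMBERS: Dict[str, bytes] = {
    "demo/__init__.py": b"__version__ = '1.0'\n",
    "demo-1.0.dist-info/METADATA": b"Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n",
    "demo-1.0.dist-info/RECORD": b"",
}

# Hypothetical SOURCE_DATE_EPOCH value (2020-06-01T08:26:40Z). Real builds
# take it from the environment variable of that name; it must be >= 1980 for zip.
EPOCH = 1591000000


def sha256_hex(data: bytes) -> str:
    """Digest used to compare a local build with the published artifact."""
    return hashlib.sha256(data).hexdigest()


def build_wheel_like(members: Dict[str, bytes], *, source_date_epoch: Optional[int]) -> bytes:
    """Write a minimal wheel-like zip in memory.

    With source_date_epoch set, members are written in sorted order and every
    entry carries that fixed timestamp and a fixed mode, which is what a
    reproducible build does. Without it, insertion order and the current
    local time are used, which is what makes naive builds irreproducible.
    """
    buf = io.BytesIO()
    names = sorted(members) if source_date_epoch is not None else list(members)
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            if source_date_epoch is not None:
                date_time = time.gmtime(source_date_epoch)[:6]
            else:
                date_time = time.localtime()[:6]
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # fixed unix mode, not umask-dependent
            zf.writestr(info, members[name])
    return buf.getvalue()


def verify_against_published(local: bytes, expected_sha256: str) -> bool:
    """True when the local build matches the digest of the published file."""
    return sha256_hex(local) == expected_sha256.lower()


def explain_wheel_diff(a: bytes, b: bytes) -> List[str]:
    """Return human-readable reasons two wheels differ; empty when identical."""
    if a == b:
        return []
    reasons: List[str] = []
    za, zb = zipfile.ZipFile(io.BytesIO(a)), zipfile.ZipFile(io.BytesIO(b))
    names_a, names_b = za.namelist(), zb.namelist()
    only_a, only_b = sorted(set(names_a) - set(names_b)), sorted(set(names_b) - set(names_a))
    if only_a or only_b:
        reasons.append(f"member sets differ: only in first={only_a}, only in second={only_b}")
    elif names_a != names_b:
        reasons.append("member order differs (unsorted directory walk or dict order)")
    for name in sorted(set(names_a) & set(names_b)):
        ia, ib = za.getinfo(name), zb.getinfo(name)
        if ia.date_time != ib.date_time:
            reasons.append(f"{name}: timestamp differs {ia.date_time} vs {ib.date_time}")
        if ia.external_attr != ib.external_attr:
            reasons.append(f"{name}: file mode differs")
        if za.read(name) != zb.read(name):
            reasons.append(f"{name}: content differs")
    if not reasons:
        reasons.append("bytes differ outside member data (zip comment, extra fields or compression)")
    return reasons


if __name__ == "__main__":
    good = build_wheel_like(SAMPLE_MEMBERS, source_date_epoch=EPOCH)
    naive = build_wheel_like(SAMPLE_MEMBERS, source_date_epoch=None)
    print("normalised rebuild identical:", verify_against_published(good, sha256_hex(
        build_wheel_like(SAMPLE_MEMBERS, source_date_epoch=EPOCH))))
    for reason in explain_wheel_diff(naive, good):
        print("naive vs normalised:", reason)
```

Against a real project the flow is the same: build with `SOURCE_DATE_EPOCH` exported (the `wheel` tool honours it for entry timestamps), download the published file, and compare digests; only when they differ is the member-by-member report needed. Note that the check only proves the build is deterministic, not that the published source is honest: it tells you the artifact came from that source, and nothing more.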

Since the cornerstone paper Reflections on Trusting Trust, there have always been advocates of reproducible builds. In today's highly interconnected world, and with the speed at which new software is released and deployed, being able to confirm the provenance of build artifacts and to verify that the supply chain has not been tampered with by a malicious actor is often critical. To help in this endeavour, the reproducible builds movement works to push software toward a deterministic and reproducible build process.

While information security practitioners were among the earliest advocates of reproducible builds, there are a number of other advantages to ensuring that the same artifacts can be reproduced identically.


IPython reproducible builds