Usage#
asaman can be used in various ways, the simplest form would be to create a reproducible wheel for your own project, via a source tarball.
To achive this, the project uses a SOURCE_DATE_EPOCH value as 1309379017, this time has been chosen to remember Aaron Swartz, his first commit to the SecureDrop project. You can pass a different value as an argument to –sde.
We also use /tmp/pip-wheel-build/ directory to build the wheels.
Command line options#
Usage: asaman [OPTIONS]
Tool to build reproducible wheels.
Options:
-s, --source FILE A single source tarball or zip file.
-d, --directory DIRECTORY A directory containing all source tarballs and
zips.
-o, --output DIRECTORY The output directory to store all wheel files.
Default: ./wheels
-r, --requirement FILE Path to the requirement.txt file which contains
all packages to build along with hashes.
--sde TEXT Custom SOURCE_DATE_EPOCH value.
--no-hash DO NOT USE UNLESS VERY SURE: In case we skip hash
checking for download.
--keep-sources Copy over the sources to output directory
--with-index TEXT In case you want to install build time
dependencies from an index, pass the URL.
--trusted-host TEXT Pass --trusted-host VALUE to pip, helps in local
indexes over HTTP. Pass the correct hostname.
--skip-build-deps While downloading the sources, skip downloading
the build dependencies as source [default: True]
--help Show this message and exit.
Creating wheel from a source tarball#
asaman -s path/to/source.tar.gz
This comamnd will create a wheel and copy it to the ./wheels directory.
Note
Please remember to install all the build dependencies before hand in the virtualenvironment.
In case you just started bootstrapping your build environment (or want to use a specific Index to download the dependencies), you can use –with-index argument, If you are using a local index on HTTP only, pass on the hostname via –trusted-host command line argument.
Creating wheels from the requirements file#
asaman -r requirements.txt
Warning
You will need hashes for every dependencies in the requirements file. You can create that via pip-tools project. Read more below.
If you want to keep the source packages too, pass –keep-sources flag in the command line.
Creating requirements.txt file with hashes#
Use the pip-tools project.
pip-compile --generate-hashes --allow-unsafe --output-file=requirements.txt requirements.in
Please make sure that include all the build dependencies of any dependency. If you don’t then pip will download the build dependencies from PyPI and install them in the build environment.
To help identify build dependencies while you are building from a requirements file, during download and extracting each source tarball via pip, you can notice any dependency which has build time dependency or not. Otherwise, you can manually look at the build-time dependencies.
For example, in the following text you can find a few packages with build time dependencies. Look at the lines with Getting requirements to build wheel.
Collecting build==0.7.0
Using cached build-0.7.0.tar.gz (15 kB)
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing wheel metadata ... done
Collecting click==8.0.1
Using cached click-8.0.1.tar.gz (327 kB)
Collecting packaging==21.0
Using cached packaging-21.0.tar.gz (83 kB)
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing wheel metadata ... done
Collecting pep517==0.11.0
Using cached pep517-0.11.0.tar.gz (25 kB)
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing wheel metadata ... done
Creating new requirements file with hashes from our own wheels#
asaman-generate requirements.txt
The asaman-generate command will help you to create a fresh verified-requirements.txt, which will contain the hashes from reproducible wheels. You can pass the -o/–output option to pass your custom file name.
asaman-generate --help
Usage: asaman-generate [OPTIONS] REQUIREMENT
Tool to build verified requirements file from reproducible wheels.
Options:
-o, --output FILE The output file. Default: verified-{requirement}.txt
-w, --wheels DIRECTORY The directory with reproducible wheels.
-s, --skip TEXT The packages we don't want in our final requirement
file.
--help Show this message and exit.
Warning
The following should only be done if you know exactly what you are doing.
One can even pass –no-hash option to not verify the hashes of the packages while downloading.