Reproducible .whl files

[agronholm]

Originally reported by: Barry Warsaw (Bitbucket: warsaw, GitHub: warsaw)

---

Over in Debian-land, there is an initiative to create reproducible builds. As we use .whl files for pip and virtualenv, we want the .whl files to be reproducible too. Here is the Debian bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776026

and the provided patch against the current Debian version.

https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;att=1;bug=776026;filename=wheel_reproducible.patch

The bdist_wheel.py and metadata.py chunks seem reasonable, but I don't like hardcoding the timestamp in archive.py. I don't have a better idea currently though -- maybe you do?

I'll try to put together a proper pull request once I think of a way to handle the timestamps.

---

• Bitbucket: https://bitbucket.org/pypa/wheel/issue/143

[agronholm]

Original comment by Daniel Holth (Bitbucket: dholth, GitHub: dholth):

---

Interesting, I thought we had already accepted some patches related to sorting metadata elements.

Previously in Debian-land, the last Debian changelog timestamp was used in ar headers. You could have a new environment variable or command line option or both for bdist_wheel that would set the timestamp.

It looks like zipfile will let you set the timestamp without changing it on the filesystem if you use writestr() instead of write(), with the drawback that all the files you're writing get loaded into memory first instead of being read and compressed in tiny 8kb blocks.

[agronholm]

Original comment by Barry Warsaw (Bitbucket: warsaw, GitHub: warsaw):

---

Not sure how to link PRs with issues on BB, but here ya go: https://bitbucket.org/pypa/wheel/pull-request/52/apply-the-debian-patch-for-reproducible/diff

[agronholm]

Original comment by Barry Warsaw (Bitbucket: warsaw, GitHub: warsaw):

---

Debian proposes to rename the environment variable to work in a package-agnostic way:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795942

s/WHEEL_FORCE_TIMESTAMP/SOURCE_DATE_EPOCH

[agronholm]

Original comment by Barry Warsaw (Bitbucket: warsaw, GitHub: warsaw):

---

Also, to avoid timezone issues, please use gmtime() instead of localtime().

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789981

[agronholm]

Original comment by Nate Coraor (Bitbucket: natefoo, GitHub: natefoo):

---

Fixed in pull request #52 (additional changes from @warsaw's comments in bb4330cd4618)