Your message dated Fri, 12 Jun 2015 18:34:34 +0000
with message-id <[email protected]>
and subject line Bug#776026: fixed in wheel 0.24.0-2
has caused the Debian Bug report #776026,
regarding wheel: please make whl files reproducible
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
776026: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776026
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: wheel
Version: 0.24.0-1
Severity: wishlist
Tags: patch
User: [email protected]
Usertags: toolchain timestamps randomness
Hi!
While working on Debian's “reproducible builds” effort [1], we have noticed
that wheel files (.whl) cannot be built reproducibly.
The data inside metadata.json is unsorted and varies with each build.
And the zip archive timestamps also depend on the build time of packages.
The attached patch fixes this by sorting the JSON file, and by using fixed
timestamps for each file in the archive.
Regards,
Reiner
[1]: https://wiki.debian.org/ReproducibleBuilds
diff --git a/debian/changelog b/debian/changelog
index 7023d20..6d31446 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+wheel (0.24.0-1.0~reproducible1) UNRELEASED; urgency=low
+
+ * Added patch to make whl files reproducible
+
+ -- Reiner Herrmann <[email protected]> Thu, 22 Jan 2015 20:59:52 +0100
+
wheel (0.24.0-1) unstable; urgency=medium
* New upstream release.
diff --git a/debian/patches/reproducible_whl_files.patch b/debian/patches/reproducible_whl_files.patch
new file mode 100644
index 0000000..310a863
--- /dev/null
+++ b/debian/patches/reproducible_whl_files.patch
@@ -0,0 +1,31 @@
+Description: Generate reproducible wheel files
+ - Sort the entries of metadata.json
+ - Use fixed timestamps for files in archive
+Author: Reiner Herrmann <[email protected]>
+
+Index: wheel-0.24.0/wheel/archive.py
+===================================================================
+--- wheel-0.24.0.orig/wheel/archive.py
++++ wheel-0.24.0/wheel/archive.py
+@@ -39,6 +39,8 @@ def make_wheelfile_inner(base_name, base
+ deferred = []
+
+ def writefile(path):
++ tstamp = 315576060 # earliest supported date by zip (1.1.1980)
++ os.utime(path, (tstamp, tstamp))
+ zip.write(path, path)
+ log.info("adding '%s'" % path)
+
+Index: wheel-0.24.0/wheel/bdist_wheel.py
+===================================================================
+--- wheel-0.24.0.orig/wheel/bdist_wheel.py
++++ wheel-0.24.0/wheel/bdist_wheel.py
+@@ -409,7 +409,7 @@ class bdist_wheel(Command):
+ pymeta['extensions']['python.details']['document_names']['license'] = license_filename
+
+ with open(metadata_json_path, "w") as metadata_json:
+- json.dump(pymeta, metadata_json)
++ json.dump(pymeta, metadata_json, sort_keys=True)
+
+ adios(egginfo_path)
+
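Review bot: In the archive.py part, the added "os.utime(path, (tstamp, tstamp))" in writefile() rewrites the mtime of the file on disk as a side effect of packaging, and zip.write() then records that mtime converted to the builder's local time, so the timestamp stored in the archive still varies with the build machine's timezone unless TZ is pinned. Consider writing each entry through a zipfile.ZipInfo with an explicit date_time instead, which leaves the source tree untouched. The comment also needs a correction or an explanation: 315576060 is 1980-01-01 12:01:00 UTC, not the start of that day, and if the half-day offset is there to stay inside 1980 in every timezone it should say so. The bdist_wheel.py change to "json.dump(pymeta, metadata_json, sort_keys=True)" looks fine as it stands.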
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..a435ba8
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+reproducible_whl_files.patch
signature.asc
Description: OpenPGP digital signature
--- End Message ---
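The two fixes the report describes (sorted metadata.json, fixed archive timestamps), as an added example that is not part of the original message or of wheel's code. It writes entries through explicit ZipInfo objects rather than changing file mtimes; the package name "demo", the file contents and the helper names are constructed for illustration.

```python
import hashlib
import io
import json
import zipfile

# Assumption: a fixed timestamp; ZIP cannot represent dates before 1980.
FIXED_DATE_TIME = (1980, 1, 1, 0, 0, 0)


def build_archive(files, metadata):
    """Return zip bytes that depend only on the inputs, not on build time.

    files: dict mapping archive path -> bytes (constructed sample data).
    metadata: dict serialised to metadata.json with sorted keys.
    """
    entries = dict(files)
    entries["demo-1.0.dist-info/metadata.json"] = json.dumps(
        metadata, sort_keys=True).encode("utf-8")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Sorted member order removes dependence on dict or directory order.
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=FIXED_DATE_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # fixed permissions
            info.create_system = 3            # fixed host field on any OS
            zf.writestr(info, entries[name])
    return buf.getvalue()


def digest(data):
    return hashlib.sha256(data).hexdigest()


def sample_builds():
    """Build one constructed package twice with different input ordering."""
    files_a = {"demo/__init__.py": b"", "demo/core.py": b"VALUE = 1\n"}
    files_b = {"demo/core.py": b"VALUE = 1\n", "demo/__init__.py": b""}
    meta_a = {"name": "demo", "version": "1.0", "summary": "constructed"}
    meta_b = {"summary": "constructed", "version": "1.0", "name": "demo"}
    return build_archive(files_a, meta_a), build_archive(files_b, meta_b)


if __name__ == "__main__":
    first, second = sample_builds()
    print(digest(first), digest(first) == digest(second))
```

Comparing the digests of two independent builds is the same check a reproducibility test would run against real .whl files.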
--- Begin Message ---
Source: wheel
Source-Version: 0.24.0-2
We believe that the bug you reported is fixed in the latest version of
wheel, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Barry Warsaw <[email protected]> (supplier of updated wheel package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 12 Jun 2015 14:14:29 -0400
Source: wheel
Binary: python-wheel python3-wheel python-wheel-common
Architecture: source all
Version: 0.24.0-2
Distribution: unstable
Urgency: medium
Maintainer: Barry Warsaw <[email protected]>
Changed-By: Barry Warsaw <[email protected]>
Description:
python-wheel - built-package format for Python
python-wheel-common - built-package format for Python
python3-wheel - built-package format for Python
Closes: 776026 782405
Changes:
wheel (0.24.0-2) unstable; urgency=medium
.
* d/control:
- Bump Standards-Version with no other changes necessary.
- Add XS-Testsuite header for DEP-8 tests.
* d/rules:
- Add commented out DH_VERBOSE setting.
- Override the manpage date for reproducible builds. (Closes: #782405)
* d/patch/reproducible-whls.diff: Add based on initial contribution
from Reiner Herrmann, with further refinements by Barry Warsaw based
on upstream pull request review. (Closes: #776026)
* d/watch: Use the pypi.debian.net redirector.
* d/tests: Add smoke and reproducible .whl file DEP-8 tests.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---