Source: wheel
Version: 0.24.0-1
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: toolchain timestamps randomness

Hi!

While working on Debian's “reproducible builds” effort [1], we have noticed
that wheel files (.whl) cannot be built reproducibly.
The data inside metadata.json is unsorted and varies with each build.
And the zip archive timestamps also depend on the build time of packages.

The attached patch fixes this by sorting the JSON file, and by using fixed
timestamps for each file in the archive.

Regards,
 Reiner

[1]: https://wiki.debian.org/ReproducibleBuilds
diff --git a/debian/changelog b/debian/changelog
index 7023d20..6d31446 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+wheel (0.24.0-1.0~reproducible1) UNRELEASED; urgency=low
+
+  * Added patch to make whl files reproducible
+
+ -- Reiner Herrmann <rei...@reiner-h.de>  Thu, 22 Jan 2015 20:59:52 +0100
+
 wheel (0.24.0-1) unstable; urgency=medium
 
   * New upstream release.
diff --git a/debian/patches/reproducible_whl_files.patch b/debian/patches/reproducible_whl_files.patch
new file mode 100644
index 0000000..310a863
--- /dev/null
+++ b/debian/patches/reproducible_whl_files.patch
@@ -0,0 +1,31 @@
+Description: Generate reproducible wheel files
+ - Sort the entries of metadata.json
+ - Use fixed timestamps for files in archive
+Author: Reiner Herrmann <rei...@reiner-h.de>
+
+Index: wheel-0.24.0/wheel/archive.py
+===================================================================
+--- wheel-0.24.0.orig/wheel/archive.py
++++ wheel-0.24.0/wheel/archive.py
+@@ -39,6 +39,8 @@ def make_wheelfile_inner(base_name, base
+     deferred = []
+ 
+     def writefile(path):
++        tstamp = 315576060  # earliest supported date by zip (1.1.1980)
++        os.utime(path, (tstamp, tstamp))
+         zip.write(path, path)
+         log.info("adding '%s'" % path)
+ 
+Index: wheel-0.24.0/wheel/bdist_wheel.py
+===================================================================
+--- wheel-0.24.0.orig/wheel/bdist_wheel.py
++++ wheel-0.24.0/wheel/bdist_wheel.py
+@@ -409,7 +409,7 @@ class bdist_wheel(Command):
+             pymeta['extensions']['python.details']['document_names']['license'] = license_filename
+ 
+         with open(metadata_json_path, "w") as metadata_json:
+-            json.dump(pymeta, metadata_json)
++            json.dump(pymeta, metadata_json, sort_keys=True)
+ 
+         adios(egginfo_path)
+ 
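Review bot: In writefile(), applying the fixed timestamp with os.utime(path, (tstamp, tstamp)) rewrites the mtime of the files in the build tree as a side effect, and the archive entry still depends on the build machine's time zone, because ZipFile.write() converts the file's mtime to local time before storing it. 315576060 is 1980-01-01 12:01:00 UTC rather than midnight, which the "(1.1.1980)" comment does not explain, so builders with different TZ settings will store different times. Consider creating a zipfile.ZipInfo with an explicit date_time such as (1980, 1, 1, 0, 0, 0), copying the file's permission bits into external_attr, and writing the contents with zip.writestr(); that leaves the source tree untouched and removes the time zone dependency. In the bdist_wheel.py part, note that sort_keys=True orders dictionary keys only, so any list in pymeta that is built from an unordered collection would still vary between builds and is worth checking.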
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..a435ba8
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+reproducible_whl_files.patch


_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
