Source: wheel
Version: 0.24.0-1
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: toolchain timestamps randomness

Hi!

While working on Debian's “reproducible builds” effort [1], we have noticed that wheel files (.whl) cannot be built reproducibly. The data inside metadata.json is unsorted and varies with each build. And the zip archive timestamps also depend on the build time of packages.

The attached patch fixes this by sorting the JSON file, and by using fixed timestamps for each file in the archive.

Regards,
Reiner

[1]: https://wiki.debian.org/ReproducibleBuilds

diff --git a/debian/changelog b/debian/changelog index 7023d20..6d31446 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +wheel (0.24.0-1.0~reproducible1) UNRELEASED; urgency=low + + * Added patch to make whl files reproducible + + -- Reiner Herrmann <rei...@reiner-h.de> Thu, 22 Jan 2015 20:59:52 +0100 + wheel (0.24.0-1) unstable; urgency=medium * New upstream release. diff --git a/debian/patches/reproducible_whl_files.patch b/debian/patches/reproducible_whl_files.patch new file mode 100644 index 0000000..310a863 --- /dev/null +++ b/debian/patches/reproducible_whl_files.patch @@ -0,0 +1,31 @@ +Description: Generate reproducible wheel files + - Sort the entries of metadata.json + - Use fixed timestamps for files in archive +Author: Reiner Herrmann <rei...@reiner-h.de> + +Index: wheel-0.24.0/wheel/archive.py +=================================================================== +--- wheel-0.24.0.orig/wheel/archive.py ++++ wheel-0.24.0/wheel/archive.py +@@ -39,6 +39,8 @@ def make_wheelfile_inner(base_name, base + deferred = [] + + def writefile(path): ++ tstamp = 315576060 # earliest supported date by zip (1.1.1980) ++ os.utime(path, (tstamp, tstamp)) + zip.write(path, path) + log.info("adding '%s'" % path) + +Index: wheel-0.24.0/wheel/bdist_wheel.py +=================================================================== +--- wheel-0.24.0.orig/wheel/bdist_wheel.py ++++ wheel-0.24.0/wheel/bdist_wheel.py +@@ -409,7 +409,7 @@ class bdist_wheel(Command): + pymeta['extensions']['python.details']['document_names']['license'] = license_filename + + with open(metadata_json_path, "w") as metadata_json: +- json.dump(pymeta, metadata_json) ++ json.dump(pymeta, metadata_json, sort_keys=True) + + adios(egginfo_path) + diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..a435ba8 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +reproducible_whl_files.patch
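
Review bot: In the wheel/archive.py hunk, os.utime(path, (tstamp, tstamp)) changes the mtime of the file on disk as a side effect of archiving, and zip.write(path, path) then stores that mtime converted to the build host's local time, so the archive timestamp can still differ between hosts in different time zones. Suggest building a zipfile.ZipInfo with a fixed date_time tuple and writing the file's bytes through it, which leaves the build tree untouched and does not depend on TZ. The comment should also explain the constant: 315576060 is 1980-01-01 12:01:00 UTC, not the start of that day.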
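
Review bot: In the wheel/bdist_wheel.py hunk, sort_keys=True on json.dump only orders dictionary keys; any list inside pymeta is still written in the order it was built. The patch description should say whether the list values were checked for a stable order, and a test that generates metadata.json twice from the same input and compares the bytes would guard against regressions.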