New submission from ghost43 <>:

Currently `ZipFile.writestr` writes the local time into the ZipFile.
(depends on both current time and local timezone)

This makes pip installing a package generate non-reproducible build artifacts.

Specifically, `Scripts/*.exe` files (created for packages that define 
entry_points/console_scripts) are not reproducible on Windows when installed by 
pip. This also leaks into the `*.dist-info/RECORD` files.

For example, after running `pip install wheel` or `pip install pyinstaller`,
in `wheel-0.37.1.dist-info/RECORD`, I have this line:
in `pyinstaller-4.10.dist-info/RECORD`, I have these lines:

Upon comparing multiple `Scripts/wheel.exe` files, I've found that the only 
difference is due to the above-mentioned timestamp embedded inside the exe (or 
rather, same timestamp embedded twice).

The `exe` files get created by `distlib` (vendored by pip).
Here is a traceback with an artificial exception to illustrate the codepath:
(env) PS C:\tmp> pip install --no-build-isolation pyinstaller
Collecting pyinstaller
  Using cached pyinstaller-4.10-py3-none-win_amd64.whl (2.0 MB)
Requirement already satisfied: setuptools in c:\tmp\env\lib\site-packages (from 
pyinstaller) (61.0.0)
Requirement already satisfied: pyinstaller-hooks-contrib>=2020.6 in 
c:\tmp\env\lib\site-packages (from pyinstaller) (2022.3)
Requirement already satisfied: altgraph in c:\tmp\env\lib\site-packages (from 
pyinstaller) (0.17.2)
Requirement already satisfied: pefile>=2017.8.1 in c:\tmp\env\lib\site-packages 
(from pyinstaller) (2021.9.3)
Requirement already satisfied: pywin32-ctypes>=0.2.0 in 
c:\tmp\env\lib\site-packages (from pyinstaller) (0.2.0)
Requirement already satisfied: future in c:\tmp\env\lib\site-packages (from 
pefile>=2017.8.1->pyinstaller) (0.18.2)
Installing collected packages: pyinstaller
ERROR: Exception:
Traceback (most recent call last):
  File "C:\tmp\env\lib\site-packages\pip\_internal\cli\", line 
167, in exc_logging_wrapper
    status = run_func(*args)
  File "C:\tmp\env\lib\site-packages\pip\_internal\cli\", line 
205, in wrapper
    return func(self, options, args)
  File "C:\tmp\env\lib\site-packages\pip\_internal\commands\", line 
405, in run
    installed = install_given_reqs(
  File "C:\tmp\env\lib\site-packages\pip\_internal\req\", line 73, 
in install_given_reqs
  File "C:\tmp\env\lib\site-packages\pip\_internal\req\", line 
769, in install
"C:\tmp\env\lib\site-packages\pip\_internal\operations\install\", line 
729, in install_wheel
"C:\tmp\env\lib\site-packages\pip\_internal\operations\install\", line 
646, in _install_wheel
    generated_console_scripts = maker.make_multiple(scripts_to_generate)
  File "C:\tmp\env\lib\site-packages\pip\_vendor\distlib\", line 440, 
in make_multiple
    filenames.extend(self.make(specification, options))
"C:\tmp\env\lib\site-packages\pip\_internal\operations\install\", line 
427, in make
    return super().make(specification, options)
  File "C:\tmp\env\lib\site-packages\pip\_vendor\distlib\", line 429, 
in make
    self._make_script(entry, filenames, options=options)
  File "C:\tmp\env\lib\site-packages\pip\_vendor\distlib\", line 329, 
in _make_script
    self._write_script(scriptnames, shebang, script, filenames, ext)
  File "C:\tmp\env\lib\site-packages\pip\_vendor\distlib\", line 263, 
in _write_script
    raise Exception(f"heyheyhey2. {sha256(launcher)=}. {sha256(shebang)=}. 
{sha256(zip_data)=}. " +
Exception: heyheyhey2. sha256(launcher)='a00a877acefc'. 
sha256(shebang)='58628e924f22'. sha256(zip_data)='a423496a0482'. 
('SOURCE_DATE_EPOCH' in os.environ)=True
The interesting code is here:
This calls into the cpython standard library, where `time.time()` gets written 
into the file:

Ideally, either `distlib` or the stdlib `zipfile` module should be changed to 
respect `SOURCE_DATE_EPOCH`, but it's not entirely clear to me which...

The attached patch changes `ZipFile.writestr` to respect `SOURCE_DATE_EPOCH` if 


components: Library (Lib)
files: zipfile_respect_sourcedate.diff
keywords: patch
messages: 416015
nosy: ghost43
priority: normal
severity: normal
status: open
title: ZipFile.writestr should respect SOURCE_DATE_EPOCH
type: enhancement
versions: Python 3.10, Python 3.11, Python 3.9
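As an added illustration (not the attached patch and not distlib's or pip's code), the following shows the difference the report describes: `writestr` with a bare name takes the entry's `date_time` from the local clock, while passing a `ZipInfo` built from `SOURCE_DATE_EPOCH` pins it; `reproducible_zipinfo`, `build_zip` and `entry_date_time` are names assumed here, and the epoch value and payload are constructed.

```python
import io
import os
import time
import zipfile
from typing import Optional

# Added example, not the patch attached to this issue: bare-name writestr takes
# date_time from time.localtime() at call time; a ZipInfo built here pins it.
ZIP_MIN_DATE_TIME = (1980, 1, 1, 0, 0, 0)  # DOS timestamps cannot go earlier


def reproducible_zipinfo(name: str, epoch: Optional[int] = None) -> zipfile.ZipInfo:
    """ZipInfo whose date_time comes from SOURCE_DATE_EPOCH (or `epoch`), in UTC.
    ZipInfo() raises ValueError for years before 1980, so the value is clamped."""
    if epoch is None:
        epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "0"))
    # gmtime, not localtime: the result must not depend on the builder's zone.
    date_time = max(tuple(time.gmtime(epoch)[:6]), ZIP_MIN_DATE_TIME)
    info = zipfile.ZipInfo(name, date_time=date_time)
    info.compress_type = zipfile.ZIP_DEFLATED
    # These two also vary by platform/umask and would otherwise change bytes.
    info.create_system = 3            # "Unix", regardless of build host
    info.external_attr = 0o644 << 16  # fixed permissions
    return info


def build_zip(payload: bytes, epoch: Optional[int]) -> bytes:
    """Return a one-entry zip. epoch=None takes the plain writestr path the
    report complains about, i.e. the local current time lands in the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        if epoch is None:
            zf.writestr("__main__.py", payload)  # date_time = localtime(now)
        else:
            zf.writestr(reproducible_zipinfo("__main__.py", epoch), payload)
    return buf.getvalue()


def entry_date_time(blob: bytes) -> tuple:
    """Read back the date_time stored for the archive's single entry."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.infolist()[0].date_time


if __name__ == "__main__":
    src = b"print('hello from a launcher zip')\n"  # constructed sample payload
    pinned = build_zip(src, 1648000000)
    assert pinned == build_zip(src, 1648000000)      # byte-identical
    print(entry_date_time(pinned))                   # (2022, 3, 23, 1, 46, 40)
    print(entry_date_time(build_zip(src, None)))     # whatever the clock says
```

Note that ZIP stores DOS date/time with 2-second resolution, so odd-second epochs round down once written.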