pypa
Deterministically normalize wheel ZIP metadata
So as to enable reproducible builds, it would be nice if auditwheel could deterministically normalize the ZIP metadata in wheels it repairs.
It would be ideal if this was either done by default, or easily enabled with a simple option (for example, --deterministic or similar).
Sources of nondeterminism in ZIP metadata include:
- Timestamps -- Of course, auditwheel already normalizes ZIP timestamps if
SOURCE_DATE_EPOCHis set. However, it would be helpful to normalize the timestamps even ifSOURCE_DATE_EPOCHis not set. - File permissions and ownership
- Ordering of ZIP entries. -- This generally seems to already be effectively deterministic, at least with the handful of experiments I've run. I'm not sure what nondeterminism might exist depending on OS, OS variants, Python build backends, etc.
- Potentially other things
I am filing this issue here with auditwheel in the hopes that a solution in auditwheel could serve as a blanket solution in a centralized tool, improving wheel reproducibility through the Python ecosystem.
See also:
- https://github.com/pypa/cibuildwheel/issues/2344
- https://github.com/pyca/cryptography/issues/12811
I have put together some notes about deterministic Python wheels: https://github.com/tabbyrobin/expt-repro-python-wheels/blob/main/notes-on-wheel-determinism.md
And I started a thread about the subject here, to hopefully spark discussion with various projects/the wider Python community: https://discuss.python.org/t/best-practices-for-deterministically-normalizing-wheel-zip-metadata/90662