jazzband/website

Simplify release verification by building wheel files deterministically

jezdez opened this issue · 0 comments

When you build wheel files unfortunately they are not built deterministically (read: reproducible) at the moment. This is a larger issue in the wheel library since it creates a list of files included in the wheel file that also includes timestamps for each file when adding the file to the wheel file and not its original file creation datetime.

There is however a workaround that I think we could use in the future, the SOURCE_DATE_EPOCH env variable (https://reproducible-builds.org/docs/source-date-epoch/).

Flit explains it a bit like that as well: https://flit.readthedocs.io/en/latest/reproducible.html

That would override the timestamp used in the list of files and should make it possible to create local copies of the files created on the Jazzband continuous integration system.

So here’s the idea to make this easier for Jazzband:

  1. Create a timestamp on the CI system in the release workflow with the current epoch on the build system.

  2. Find a way to submit that timestamp together with the rest of the metadata to the Jazzband package index (e.g. as part of the package metadata, or an asset file on the CI service or ...).

  3. During verification, use the original timestamp from CI when recreating the wheel file locally.

So all we would need to do is to provide a way to store the SOURCE_DATE_EPOCH timestamp to solve (2) and document (3).
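The three-step flow above, as an added illustration that is not code from the jazzband/website project: a simulated wheel build in which each zip entry is stamped with the time it is added unless SOURCE_DATE_EPOCH overrides it, a CI side that publishes the epoch next to the wheel digest, and a verifier that rebuilds with the stored epoch and compares. The file contents and the function names are constructed for the example.

```python
import hashlib
import io
import os
import time
import zipfile

# Constructed sample package contents, standing in for a real project's files.
SAMPLE_FILES = {
    "demo/__init__.py": b"__version__ = '1.0'\n",
    "demo-1.0.dist-info/METADATA": b"Name: demo\nVersion: 1.0\n",
}

EPOCH_1980 = 315532800  # zip entries cannot carry dates before 1980-01-01


def epoch_to_zip_time(epoch):
    """Turn a Unix epoch into the (Y, M, D, h, m, s) tuple zipfile expects, clamped to 1980."""
    return time.gmtime(max(int(epoch), EPOCH_1980))[:6]


def build_archive(files, source_date_epoch=None):
    """Simulated wheel build: every entry's timestamp is the time of adding it,
    unless SOURCE_DATE_EPOCH (argument or environment variable) pins it."""
    if source_date_epoch is None:
        source_date_epoch = os.environ.get("SOURCE_DATE_EPOCH")
    stamp = time.time() if source_date_epoch is None else source_date_epoch
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(files):  # fixed order, so only timestamps could vary
            info = zipfile.ZipInfo(name, date_time=epoch_to_zip_time(stamp))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def ci_release(files):
    """Steps 1 and 2: CI fixes the build epoch and publishes it with the digest."""
    epoch = int(time.time())
    data = build_archive(files, epoch)
    return {"source_date_epoch": epoch, "sha256": hashlib.sha256(data).hexdigest()}


def verify_release(files, published):
    """Step 3: rebuild locally with the published epoch and compare digests."""
    local = build_archive(files, published["source_date_epoch"])
    return hashlib.sha256(local).hexdigest() == published["sha256"]
```

Two builds seconds apart differ without the pinned epoch (zip timestamps have two-second resolution), which is exactly the mismatch the stored SOURCE_DATE_EPOCH removes.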