ionelmc / tox-wheel

A Tox plugin that builds and installs wheels instead of sdist. Note that this plugin is obsolete as tox 4.0 already has wheel support.
BSD 2-Clause "Simplified" License

Reproducible builds by default #22

Open chadac opened 2 years ago

chadac commented 2 years ago

There is currently a known issue with wheel where the built artifacts are not 100% deterministic -- the compressed wheel uses the current timestamp when adding dates to files. This is an issue for creating reproducible builds as the hash of two identical wheels built at different times is different.

This can be resolved (as referred to in the issue) by setting SOURCE_DATE_EPOCH to a post-1980-01-01 date before running wheel, and in tox by passing it via setenv or passenv. However, I'm wondering if this is perhaps something that should be set as a sane default for developers? It seems like having deterministic builds by default would be better in almost all scenarios.

I think this could be done as a hook into the venv before running -- by perhaps setting setenv in the venv before execution (if setenv or passenv doesn't contain this already) and adding an env flag --wheel-constant-source-date for people to reset to legacy behavior.

For other package builder examples -- Poetry has this as an unconfigurable default.

I'm curious what others' thoughts are on this. At least in my opinion, I think determinism should be a default, although I'm not sure if other processes could depend on these timestamps.
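The timestamp problem described in this issue, and the SOURCE_DATE_EPOCH fix, reduced to a runnable demonstration. This is added example code, not part of tox-wheel or the wheel project: it writes a constructed two-file payload into an in-memory zip (the container format a wheel uses) the way a wheel builder stamps entries, and compares SHA-256 digests of repeated builds. The clamping of SOURCE_DATE_EPOCH to 1980-01-01 mirrors the zip format's minimum date and is this example's own implementation of the convention; the `now` parameter is an assumption introduced so that "built at different times" can be simulated without sleeping.

```python
"""Why wheel hashes drift between builds and how SOURCE_DATE_EPOCH pins them.

Example code, not part of tox-wheel or the wheel project.
"""
import hashlib
import io
import os
import time
import zipfile

# Zip entries cannot carry a date before 1980-01-01, hence the floor mentioned in the issue.
ZIP_EPOCH_FLOOR = 315532800  # 1980-01-01T00:00:00Z as a Unix timestamp

# Constructed sample payload standing in for the files inside a wheel.
SAMPLE_FILES = {
    "demo/__init__.py": b"__version__ = '1.0'\n",
    "demo-1.0.dist-info/METADATA": b"Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n",
}


def build_timestamp(env=None, now=time.time):
    """Return the (year, month, day, hour, minute, second) tuple stamped on every entry.

    Follows the SOURCE_DATE_EPOCH convention: when the variable is set, use it,
    clamped to the zip floor; otherwise fall back to the wall clock, which is the
    non-deterministic behaviour the issue describes. `now` is a hypothetical hook
    so the wall clock can be simulated in tests.
    """
    env = os.environ if env is None else env
    raw = env.get("SOURCE_DATE_EPOCH")
    stamp = max(int(raw), ZIP_EPOCH_FLOOR) if raw is not None else now()
    return time.gmtime(stamp)[0:6]


def build_archive(files, env=None, now=time.time):
    """Write `files` (name -> bytes) into an in-memory zip and return its bytes."""
    date_time = build_timestamp(env, now)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Fixed entry order: dict/filesystem iteration order must not leak into the bytes.
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            # Fixed permissions so the build host's umask does not change the archive.
            info.external_attr = 0o644 << 16
            zf.writestr(info, files[name])
    return buf.getvalue()


def archive_digest(files, env=None, now=time.time):
    """SHA-256 of the archive bytes, i.e. what a hash-pinned install would compare."""
    return hashlib.sha256(build_archive(files, env, now)).hexdigest()


def is_reproducible(files, env, first_now=time.time, second_now=time.time):
    """Build twice under the same env (possibly at different clock times) and compare."""
    return archive_digest(files, env, first_now) == archive_digest(files, env, second_now)


def main():
    # Two builds 100 seconds apart, unpinned: the entry timestamps differ, so the hash differs.
    unpinned = {}
    print("unpinned, different build times:",
          is_reproducible(SAMPLE_FILES, unpinned, lambda: 1_600_000_000, lambda: 1_600_000_100))
    # Same two build times with SOURCE_DATE_EPOCH set (tox: setenv = SOURCE_DATE_EPOCH = ...).
    pinned = {"SOURCE_DATE_EPOCH": str(ZIP_EPOCH_FLOOR)}
    print("pinned, different build times:   ",
          is_reproducible(SAMPLE_FILES, pinned, lambda: 1_600_000_000, lambda: 1_600_000_100))
    print("digest:", archive_digest(SAMPLE_FILES, pinned))


if __name__ == "__main__":
    main()
```

To get the pinned behaviour in tox without a plugin change, `setenv = SOURCE_DATE_EPOCH = 315532800` under `[testenv]` (or `passenv = SOURCE_DATE_EPOCH` when the value comes from CI) is the route the comment above refers to; the clamping means any value below 315532800, including `0`, produces the same 1980-01-01 stamp. Timestamps are only one source of drift: entry order and file permissions are fixed explicitly here for the same reason.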

mcarans commented 2 years ago

Determinism seems like a sensible default to me.