setuptools-reproducible 0.1

Extension of setuptools to support reproducible dists

setuptools-reproducible

This is a PEP 517 Build backend enabling reproducible builds with setuptools.

Setuptools can create reproducible wheel archives (.whl) by setting SOURCE_DATE_EPOCH at build time, but setting the env var is insufficient for creating reproducible sdists (.tar.gz).

setuptools-reproducible wraps the hooks build_sdist and build_wheel with some modifications to make reproducible builds by default:

• In the build environment, SOURCE_DATE_EPOCH=0 will be used if it wasn't already configured.
• Tarfile modes are set to 0o644 for regular files and 0o755 for directories.
• The uid/gid of archive members are set to 0, and the username/groupname are set to empty string.
• Gzip header values set to source date epoch.

With these modifications, a source tree with the same content should result in a built package with the same checksum when created within the same build environment.

Note: checksums are not necessarily constant across platform and Python versions, due to differences such Windows/Unix line endings and Python standard library changes.

Usage:

The backend functions identically to upstream setuptools. The only thing a user needs to change is to specify the build system in pyproject.toml:

[build-system]
requires = ["setuptools-reproducible"]
build-backend = "setuptools_reproducible"

Setting SOURCE_DATE_EPOCH is unnecessary, unless you want to override the default value of 0 i.e. 1970-01-01 00:00:00 UTC.

Acknowledgements:

This implementation was inspired by a helpful comment from Lisandro Dalcin in setuptools issue #2133, and also used some ideas from the project repro-tarfile.