Reproducibility has so far been concerned primarily with binary packages, but it's also desirable for source tarballs to be reproducible starting from a version-control checkout. This is particularly important for Python, where 'setup.py sdist' can run arbitrary code and generated files (e.g. Cython-generated C) are often included in sdists. As a small step toward this goal, please add support for the SOURCE_DATE_EPOCH environment variable to distutils.command.sdist. The most natural way to implement this would be with an additional user option, perhaps called 'timestamp_limit', which takes a date and time argument. File modification timestamps in the generated tarball or zipfile will be adjusted to be no later than that time. If 'timestamp_limit' is not set, it defaults to the value of os.environ['SOURCE_DATE_EPOCH']. The specification for SOURCE_DATE_EPOCH may be found at https://reproducible-builds.org/specs/source-date-epoch/ .
https://github.com/python/cpython/pull/20331 is a first step toward this. See comments in there; I would love some reviews. If that gets in, I'll be happy to send a further refactor to make the compression step also respect SOURCE_DATE_EPOCH. For projects building with older Python, you should be able to unpack/repack with your custom scripts, which should allow you to have a byte-identical tar in many cases.
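An added sketch of the repack approach mentioned above, applying the "no later than" clamp requested in the report; it is not code from this issue or from the linked pull request. The function names and the sample archives are constructed for illustration, and normalising owner fields, member order and the gzip header goes beyond the timestamp request because those fields also differ between build machines.

```python
import gzip, io, os, tarfile

def repack(sdist, limit):
    """Return a deterministic .tar.gz rebuilt from the .tar.gz bytes in sdist."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(sdist), mode="r:gz") as src:
        # filename="" and a fixed mtime keep the gzip header constant as well.
        with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=limit) as gz:
            with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as dst:
                for m in sorted(src.getmembers(), key=lambda m: m.name):
                    m.mtime = min(int(m.mtime), limit)  # never later than the limit
                    m.uid = m.gid = 0                   # drop build-user identity
                    m.uname = m.gname = ""
                    dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()

def member_mtimes(sdist):
    """Map member name -> mtime, for checking the result."""
    with tarfile.open(fileobj=io.BytesIO(sdist), mode="r:gz") as tar:
        return {m.name: m.mtime for m in tar.getmembers()}

# Constructed sample content standing in for a real sdist.
SAMPLE_FILES = {
    "pkg-1.0/setup.py": b"from setuptools import setup\nsetup(name='pkg')\n",
    "pkg-1.0/pkg.c": b"/* generated by Cython */\n",
}

def make_sample(mtime, uid, order):
    """Build the same files with machine-specific mtime, owner and ordering."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in order:
            info = tarfile.TarInfo(name)
            info.size = len(SAMPLE_FILES[name])
            info.mtime = mtime
            info.uid = info.gid = uid
            info.uname = info.gname = "builder%d" % uid
            tar.addfile(info, io.BytesIO(SAMPLE_FILES[name]))
    return buf.getvalue()

if __name__ == "__main__":
    # 1580000000 is a constructed fallback, used only when the variable is unset.
    limit = int(os.environ.get("SOURCE_DATE_EPOCH", "1580000000"))
    a = make_sample(1600000000, 1000, ["pkg-1.0/setup.py", "pkg-1.0/pkg.c"])
    b = make_sample(1700000000, 501, ["pkg-1.0/pkg.c", "pkg-1.0/setup.py"])
    print("inputs identical:", a == b)
    print("repacked identical:", repack(a, limit) == repack(b, limit))
```

Files whose mtime is already earlier than the limit keep their original timestamp, so two inputs only converge when their pre-limit timestamps already agree.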
Distutils is now deprecated (see PEP 632) and all tagged issues are being closed. From now until removal, only release blocking issues will be considered for distutils. If this issue does not relate to distutils, please remove the component and reopen it. If you believe it still requires a fix, most likely the issue should be re-reported at https://github.com/pypa/setuptools
History

Date | User | Action | Args
2022-04-11 14:59:22 | admin | set | github: 82813
2021-02-03 18:08:04 | steve.dower | set | status: open -> closed; nosy: + steve.dower; messages: +; resolution: out of date; stage: patch review -> resolved