ENH: make sdist archives reproducible

Author: dnicolodi

mesonpy/__init__.py

@@ -867,6 +867,7 @@ def sdist(self, directory: Path) -> pathlib.Path:
         meson_dist_name = f'{self._meson_name}-{self._meson_version}'
         meson_dist_path = pathlib.Path(self._build_dir, 'meson-dist', f'{meson_dist_name}.tar.gz')
         sdist_path = pathlib.Path(directory, f'{dist_name}.tar.gz')
+        pyproject_toml_mtime = 0
 
         with tarfile.open(meson_dist_path, 'r:gz') as meson_dist, mesonpy._util.create_targz(sdist_path) as sdist:
             for member in meson_dist.getmembers():
@@ -877,6 +878,9 @@ def sdist(self, directory: Path) -> pathlib.Path:
                     stem = member.name.split('/', 1)[1]
                     member.name = '/'.join((dist_name, stem))
 
+                    if stem == 'pyproject.toml':
+                        pyproject_toml_mtime = member.mtime
+
                     # Reset owner and group to root:root.  This mimics what
                     # 'git archive' does and makes the sdist reproducible upon
                     # being built by different users.
@@ -889,7 +893,23 @@ def sdist(self, directory: Path) -> pathlib.Path:
             member = tarfile.TarInfo(f'{dist_name}/PKG-INFO')
             member.uid = member.gid = 0
             member.uname = member.gname = 'root'
-            member.mtime = time.time()
+
+            # Set the 'PKG-INFO' modification time to the modification time of
+            # 'pyproject.toml' in the archive generated by 'meson dist'.  In
+            # turn this is the last commit time, unless touched by a dist
+            # script.  This makes the sdist reproducible upon being built at
+            # different times, when dist scripts are not used, which should be
+            # the majority of cases.
+            #
+            # Note that support for dynamic version in project metadata allows
+            # the version to depend on the build time.  Therefore, setting the
+            # 'PKG-INFO' modification time to the 'pyproject.toml'
+            # modification time can be seen as not strictly correct.  However,
+            # the sdist standard does not dictate which modification time to
+            # use for 'PKG-INFO'.  This choice allows to make the sdist
+            # byte-for-byte reproducible in the most common case.
+            member.mtime = pyproject_toml_mtime
+
             metadata = bytes(self._metadata.as_rfc822())
             member.size = len(metadata)
             sdist.addfile(member, io.BytesIO(metadata))

mesonpy/_util.py

@@ -37,7 +37,11 @@ def create_targz(path: Path) -> Iterator[tarfile.TarFile]:
     os.makedirs(os.path.dirname(path), exist_ok=True)
     file = typing.cast(IO[bytes], gzip.GzipFile(
         path,
-        mode='wb',
+        mode='w',
+        # Set the stream last modification time to 0.  This mimics
+        # what 'git archive' does and makes the archives byte-for-byte
+        # reproducible.
+        mtime=0,
     ))
     tar = tarfile.TarFile(
         mode='w',

tests/test_sdist.py

@@ -9,6 +9,7 @@
 import sys
 import tarfile
 import textwrap
+import time
 
 import pytest
 
@@ -191,3 +192,15 @@ def test_generated_files(sdist_generated_files):
 
     # All the archive members have a valid mtime.
     assert 0 not in mtimes
+
+
+def test_reproducible(package_pure, tmp_path):
+    t1 = time.time()
+    sdist_path_a = mesonpy.build_sdist(tmp_path / 'a')
+    t2 = time.time()
+    # Ensure that the two sdists are build at least one second apart.
+    time.sleep(max(t1 + 1.0 - t2, 0.0))
+    sdist_path_b = mesonpy.build_sdist(tmp_path / 'b')
+
+    assert sdist_path_a == sdist_path_b
+    assert tmp_path.joinpath('a', sdist_path_a).read_bytes() == tmp_path.joinpath('b', sdist_path_b).read_bytes()