reproducibly 0.0.12__tar.gz → 0.0.16__tar.gz

{reproducibly-0.0.12 → reproducibly-0.0.16}/PKG-INFO

@@ -1,16 +1,15 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.4
 Name: reproducibly
-Version: 0.0.12
-Summary: Reproducibly build Python packages
+Version: 0.0.16
+Summary: Reproducibly build Python packages.
 Author-email: Keith Maxwell <keith.maxwell@gmail.com>
-Requires-Python: >=3.11
+Requires-Python: >=3.13
 Description-Content-Type: text/markdown
 Classifier: Programming Language :: Python :: 3
-Classifier: License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)
-Requires-Dist: build==1.2.1
-Requires-Dist: cibuildwheel==2.20.0
-Requires-Dist: packaging==24.1
-Requires-Dist: pyproject_hooks==1.1.0
+Requires-Dist: build==1.2.2.post1
+Requires-Dist: cibuildwheel==3.0.1
+Requires-Dist: packaging==25.0
+Requires-Dist: pyproject-hooks==1.2.0
 Project-URL: Homepage, https://github.com/maxwell-k/reproducibly/
 Project-URL: Issues, https://github.com/maxwell-k/reproducibly/issues
 
@@ -47,13 +46,14 @@ cog.out("\n```\n" + RESULT.stdout + "```\n\n")
 ```
 usage: reproducibly.py [-h] [--version] input [input ...] output
 
-Reproducibly build Python packages
+Reproducibly build Python packages.
 
 features:
 
 - Builds a source distribution (sdist) from a git repository
 - Builds a wheel from a sdist
 - Resets metadata like user and group names and ids to predictable values
+- Uses no compression for predictable file hashes across Linux distributions
 - By default uses the last commit date and time from git
 - Respects SOURCE_DATE_EPOCH when building a sdist
 - Single file script with inline script metadata or PyPI package
@@ -93,5 +93,7 @@ To run unit tests and integration tests:
 README.md
 Copyright 2023 Keith Maxwell
 SPDX-License-Identifier: CC-BY-SA-4.0
+
+vim: set filetype=markdown.dprint.cog.htmlCommentNoSpell :
 -->
 

{reproducibly-0.0.12 → reproducibly-0.0.16}/README.md

@@ -31,13 +31,14 @@ cog.out("\n```\n" + RESULT.stdout + "```\n\n")
 ```
 usage: reproducibly.py [-h] [--version] input [input ...] output
 
-Reproducibly build Python packages
+Reproducibly build Python packages.
 
 features:
 
 - Builds a source distribution (sdist) from a git repository
 - Builds a wheel from a sdist
 - Resets metadata like user and group names and ids to predictable values
+- Uses no compression for predictable file hashes across Linux distributions
 - By default uses the last commit date and time from git
 - Respects SOURCE_DATE_EPOCH when building a sdist
 - Single file script with inline script metadata or PyPI package
@@ -77,4 +78,6 @@ To run unit tests and integration tests:
 README.md
 Copyright 2023 Keith Maxwell
 SPDX-License-Identifier: CC-BY-SA-4.0
+
+vim: set filetype=markdown.dprint.cog.htmlCommentNoSpell :
 -->

{reproducibly-0.0.12 → reproducibly-0.0.16}/pyproject.toml

@@ -1,9 +1,8 @@
 # SPDX-FileCopyrightText: 2024 Keith Maxwell <keith.maxwell@gmail.com>
-#
 # SPDX-License-Identifier: CC0-1.0
 
 [build-system]
-requires = ["flit_core >=3.2,<4"]
+requires = ["flit_core ==3.12.0"]
 build-backend = "flit_core.buildapi"
 
 [project]
@@ -13,17 +12,17 @@ authors = [
   { name = "Keith Maxwell", email = "keith.maxwell@gmail.com" },
 ]
 readme = "README.md"
-requires-python = ">=3.11"
+requires-python = ">=3.13"
 classifiers = [
   "Programming Language :: Python :: 3",
-  "License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)",
 ]
 dependencies = [
-  "build==1.2.1",
-  "cibuildwheel==2.20.0",
-  "packaging==24.1",
-  "pyproject_hooks==1.1.0",
+  "build==1.2.2.post1",
+  "cibuildwheel==3.0.1",
+  "packaging==25.0",
+  "pyproject-hooks==1.2.0",
 ]
+licence = "MPL-2.0"
 
 [project.urls]
 Homepage = "https://github.com/maxwell-k/reproducibly/"
@@ -34,3 +33,16 @@ reproducibly = "reproducibly:main"
 
 [tool.codespell]
 skip = './htmlcov'
+
+[tool.ruff.lint]
+select = ["ALL"]
+ignore = [
+  "D203", # incompatible with D211
+  "D213", # incompatible with D212
+  "I", # prefer usort to ruff isort implementation
+  "PT", # prefer unittest style
+  "S310", # the rule errors on the "use instead" code from `ruff rule S310`
+  "S602", # assume arguments to subprocess.run are validated
+  "S603", # assume trusted input  to subprocess.run
+  "T201", # print is used for output in command line scripts
+]

{reproducibly-0.0.12 → reproducibly-0.0.16}/reproducibly.py

@@ -1,10 +1,11 @@
-"""Reproducibly build Python packages
+"""Reproducibly build Python packages.
 
 features:
 
 - Builds a source distribution (sdist) from a git repository
 - Builds a wheel from a sdist
 - Resets metadata like user and group names and ids to predictable values
+- Uses no compression for predictable file hashes across Linux distributions
 - By default uses the last commit date and time from git
 - Respects SOURCE_DATE_EPOCH when building a sdist
 - Single file script with inline script metadata or PyPI package
@@ -14,20 +15,21 @@ features:
 # Copyright 2024 Keith Maxwell
 # SPDX-License-Identifier: MPL-2.0
 import gzip
-import tarfile
 from argparse import ArgumentParser, RawDescriptionHelpFormatter
 from contextlib import chdir
-from datetime import datetime
-from enum import auto, Enum, nonmember
+from datetime import datetime, UTC
+from enum import auto, Enum
 from os import environ, utime
 from pathlib import Path
 from shutil import copyfileobj, move
 from stat import S_IWGRP, S_IWOTH
 from subprocess import CalledProcessError, run
 from sys import version_info
+from tarfile import TarFile, TarInfo
 from tempfile import TemporaryDirectory
+from types import TracebackType
 from typing import cast, Literal, TypedDict
-from zipfile import ZipFile, ZipInfo
+from zipfile import ZIP_DEFLATED, ZipFile, ZipInfo
 
 from build import ProjectBuilder
 from build.env import DefaultIsolatedEnv
@@ -35,31 +37,15 @@ from cibuildwheel.__main__ import build_in_directory
 from cibuildwheel.options import CommandLineArguments
 from pyproject_hooks import default_subprocess_runner
 
-# [[[cog import cog ; from pathlib import Path ]]]
-# [[[end]]]
-
-# [[[cog
-# import tomllib
-# with open("pyproject.toml", "rb") as f:
-#   pyproject = tomllib.load(f)
-# cog.outl("# /// script")
-# cog.outl(f'# requires-python = "{pyproject["project"]["requires-python"]}"')
-# cog.outl("# dependencies = [")
-# for dependency in pyproject["project"]["dependencies"]:
-#     cog.outl(f"#   \"{dependency}\",")
-# cog.outl("# ]")
-# cog.outl("# ///")
-# ]]]
 # /// script
-# requires-python = ">=3.11"
+# requires-python = ">=3.13"
 # dependencies = [
-#   "build==1.2.1",
-#   "cibuildwheel==2.20.0",
-#   "packaging==24.1",
-#   "pyproject_hooks==1.1.0",
+#     "build==1.2.2.post1",
+#     "cibuildwheel==3.0.1",
+#     "packaging==25.0",
+#     "pyproject-hooks==1.2.0",
 # ]
 # ///
-# [[[end]]]
 
 
 # - Built distributions are created from source distributions
@@ -67,19 +53,22 @@ from pyproject_hooks import default_subprocess_runner
 # - Built distributions are typically zip files
 # - The default date for this script is the earliest date supported by both
 # - The minimum date value supported by zip files, is documented in
-#   <https://github.com/python/cpython/blob/3.11/Lib/zipfile.py>.
-EARLIEST = datetime(1980, 1, 1, 0, 0, 0).timestamp()  # 315532800.0
+#   <https://github.com/python/cpython/blob/3.13/Lib/zipfile.py>.
+EARLIEST = datetime(1980, 1, 1, 0, 0, 0, tzinfo=UTC).timestamp()  # 315532800.0
 
 
-__version__ = "0.0.12"
+__version__ = "0.0.16"
 
 
 def _build(
-    srcdir: Path, output: Path, distribution: Literal["wheel"] | Literal["sdist"]
+    srcdir: Path,
+    output: Path,
+    distribution: Literal["wheel", "sdist"],
 ) -> Path:
-    """Call the build API
+    """Call the build API.
 
-    Returns the path to the built distribution"""
+    Returns the path to the built distribution
+    """
     with DefaultIsolatedEnv() as env:
         builder = ProjectBuilder.from_isolated_env(
             env,
@@ -93,20 +82,21 @@ def _build(
 
 
 def _extract_to_empty_directory(sdist: Path, directory: str) -> Path:
-    with tarfile.open(sdist) as t:
-        t.extractall(directory)
+    with TarFile.open(sdist) as t:
+        t.extractall(directory, filter="data")
     return next(Path(directory).iterdir())
 
 
 def _cibuildwheel(sdist: Path, output: Path) -> Path:
-    """Call the cibuildwheel API
+    """Call the cibuildwheel API.
 
-    Returns the path to the built distribution"""
+    Returns the path to the built distribution
+    """
     with (
         ModifiedEnvironment(
             CIBW_BUILD_FRONTEND="build",
             CIBW_CONTAINER_ENGINE="podman",
-            CIBW_ENVIRONMENT_PASS_LINUX="SOURCE_DATE_EPOCH",
+            CIBW_ENVIRONMENT_PASS_LINUX="SOURCE_DATE_EPOCH",  # noqa: S106 …_PASS_… is not a password
             CIBW_ENVIRONMENT="PIP_TIMEOUT=150",
         ),
         TemporaryDirectory() as directory,
@@ -120,30 +110,39 @@ def _cibuildwheel(sdist: Path, output: Path) -> Path:
             build_in_directory(args)
         wheel = next(args.output_dir.glob("*.whl"))
         output.joinpath(wheel.name).unlink(missing_ok=True)
-        path = Path(move(wheel, output))
-    return path
+        return Path(move(wheel, output))
 
 
 class Arguments(TypedDict):
+    """Input arguments to reproducibly.py."""
+
     repositories: list[Path]
     sdists: list[Path]
     output: Path
 
 
 class ModifiedEnvironment:
-    """A context manager to temporarily change environment variables"""
+    """A context manager to temporarily change environment variables."""
 
-    def __init__(self, **kwargs: str | None):
+    def __init__(self, **kwargs: str | None) -> None:
+        """Initialise with all arguments as environment variables."""
         self.during: dict[str, str | None] = kwargs
 
-    def __enter__(self):
-        self.before = {key: environ.get(key) for key in self.during.keys()}
+    def __enter__(self) -> None:
+        """Set the environment variables."""
+        self.before = {key: environ.get(key) for key in self.during}
         self._update(self.during)
 
-    def __exit__(self, exc_type, exc_value, exc_traceback):
+    def __exit__(
+        self,
+        exc_type: type[BaseException] | None,
+        exc_value: BaseException | None,
+        exc_traceback: TracebackType | None,
+    ) -> None:
+        """Reset environment."""
         self._update(self.before)
 
-    def _update(self, other):
+    def _update(self, other: dict[str, str | None]) -> None:
         for key, value in other.items():
             if value is None:
                 if key in environ:
@@ -153,19 +152,21 @@ class ModifiedEnvironment:
 
 
 class Builder(Enum):
+    """Enum to identifier build package."""
+
     cibuildwheel = auto()
     build = auto()
 
-    @nonmember
     @staticmethod
     def which(archive: Path) -> "Builder":
-        with tarfile.open(archive, "r:gz") as tar:
+        """Return Builder.cibuildwheel if .c files are present otherwise Build.build."""
+        with TarFile.open(archive, "r:gz") as tar:
             c = any(i.name.endswith(".c") for i in tar.getmembers())
         return Builder.cibuildwheel if c else Builder.build
 
 
-def cleanse_metadata(path_: Path, mtime: float) -> int:
-    """Cleanse metadata from a single source distribution
+def cleanse_sdist(path_: Path, mtime: float) -> int:
+    """Cleanse a single source distribution.
 
     - Set all uids and gids to zero
     - Set all unames and gnames to root
@@ -173,22 +174,22 @@ def cleanse_metadata(path_: Path, mtime: float) -> int:
     - Set modified time for .tar inside .gz
     - Set modified time for files inside the .tar
     - Remove group and other write permissions for files inside the .tar
+    - Set the compression level to zero i.e. no compression
     """
-    path = path_.absolute()
+    filename = path_.absolute()
 
     mtime = max(mtime, EARLIEST)
 
-    with TemporaryDirectory() as directory:
-        with tarfile.open(path) as tar:
-            tar.extractall(path=directory)
+    with TemporaryDirectory() as path:
+        with TarFile.open(filename) as tarfile:
+            tarfile.extractall(path=path, filter="data")
 
-        path.unlink(missing_ok=True)
-        (extracted,) = Path(directory).iterdir()
-        uncompressed = f"{extracted}.tar"
+        filename.unlink(missing_ok=True)
+        (bare,) = Path(path).iterdir()
 
-        prefix = directory.removeprefix("/") + "/"
+        prefix = path.removeprefix("/") + "/"
 
-        def filter_(tarinfo: tarfile.TarInfo) -> tarfile.TarInfo:
+        def filter_(tarinfo: TarInfo) -> TarInfo:
             tarinfo.mtime = int(mtime)
             tarinfo.uid = tarinfo.gid = 0
             tarinfo.uname = tarinfo.gname = "root"
@@ -196,44 +197,63 @@ def cleanse_metadata(path_: Path, mtime: float) -> int:
             tarinfo.path = tarinfo.path.removeprefix(prefix)
             return tarinfo
 
-        with tarfile.open(uncompressed, "w") as tar:
-            tar.add(extracted, filter=filter_)
-
-        with gzip.GzipFile(filename=path, mode="wb", mtime=mtime) as file:
-            with open(uncompressed, "rb") as tar:
-                copyfileobj(tar, file)
-        utime(path, (mtime, mtime))
+        tar = f"{bare}.tar"
+        with TarFile.open(tar, "w") as tarfile:
+            tarfile.add(bare, filter=filter_)
+
+        with (
+            Path(tar).open("rb") as fsrc,
+            gzip.GzipFile(
+                filename=filename,
+                mode="wb",
+                mtime=mtime,
+                compresslevel=0,
+            ) as fdst,
+        ):
+            copyfileobj(fsrc, fdst)
+        utime(filename, (mtime, mtime))
     return 0
 
 
 def latest_modification_time(archive: Path) -> str:
-    """Latest modification time for a gzipped tarfile as a string"""
-    with tarfile.open(archive, "r:gz") as tar:
+    """Latest modification time for a gzipped tarfile as a string."""
+    with TarFile.open(archive, "r:gz") as tar:
         latest = max(member.mtime for member in tar.getmembers())
-    return "{:.0f}".format(latest)
+    return f"{latest:.0f}"
 
 
 def latest_commit_time(repository: Path) -> float:
-    """Return the time of the last commit to a repository
+    """Return the time of the last commit to a repository.
 
     As a UNIX timestamp, defined as the number of seconds, excluding leap
-    seconds, since 01 Jan 1970 00:00:00 UTC."""
+    seconds, since 01 Jan 1970 00:00:00 UTC.
+    """
     cmd = ("git", "-C", repository, "log", "-1", "--pretty=%ct")
     output = run(cmd, check=True, capture_output=True, text=True).stdout
     return float(output.rstrip("\n"))
 
 
 def breadth_first_key(path: str) -> list[str | list]:
+    """Key for sorting breadth first.
+
+    An example of breadth first sorted strings:
+
+    1. z
+    2. a/y
+    3. a/b/x
+
+    """
     start, sep, end = path.partition("/")
     return [sep, start, breadth_first_key(end)] if end else [sep, start]
 
 
 def key(input_: bytes | ZipInfo) -> tuple[int, list[str | list]]:
+    """Key for reproducibly sorting ZipFiles."""
     if hasattr(input_, "filename"):
-        item = cast(ZipInfo, input_).filename
+        item = cast("ZipInfo", input_).filename
         path = item
     else:
-        item = cast(bytes, input_).decode()
+        item = cast("bytes", input_).decode()
         path = item.split(",")[0]
     if "/RECORD" in path:
         group = 3
@@ -244,11 +264,24 @@ def key(input_: bytes | ZipInfo) -> tuple[int, list[str | list]]:
     return (group, breadth_first_key(item))
 
 
-def zipumask(path: Path, umask: int = 0o022) -> Path:
-    """Apply a umask to a zip file at path
+def fix_zip_members(path: Path, umask: int = 0o022) -> Path:
+    """Apply fixes to members in a zip file.
+
+    Processes the zip file in place. Path is both the source and destination, a
+    temporary working copy is made.
+
+    - Apply a umask to each member
+    - Change to compression level zero
 
-    Path is both the source and destination, a temporary working copy is
-    made."""
+    When using the default deflate compression and comparing wheels created on
+    Ubuntu 24.04 and Fedora 40, minor differences in the size of the compressed
+    wheel were observed. For example:
+
+    │ -112 files, 909030 bytes uncompressed, 272160 bytes compressed:  70.1%
+    │ +112 files, 909030 bytes uncompressed, 271653 bytes compressed:  70.1%
+
+    As a solution this function uses compression level zero i.e. no compression.
+    """
     operand = ~(umask << 16)
 
     with TemporaryDirectory() as directory:
@@ -257,6 +290,8 @@ def zipumask(path: Path, umask: int = 0o022) -> Path:
             for member in original.infolist():
                 data = original.read(member)
                 member.external_attr = member.external_attr & operand
+                member.compress_type = ZIP_DEFLATED
+                member.compress_level = 0
                 destination.writestr(member, data)
         path.unlink()
         move(copy, path)  # can't rename as /tmp may be a different device
@@ -270,7 +305,7 @@ def _is_git_repository(path: Path) -> bool:
 
     try:
         process = run(
-            ["git", "rev-parse", "--show-toplevel"],
+            ("git", "rev-parse", "--show-toplevel"),
             cwd=path,
             check=True,
             capture_output=True,
@@ -285,6 +320,7 @@ def _is_git_repository(path: Path) -> bool:
 
 
 def parse_args(args: list[str] | None) -> Arguments:
+    """Parse command line arguments."""
     parser = ArgumentParser(
         prog="reproducibly.py",
         formatter_class=RawDescriptionHelpFormatter,
@@ -311,7 +347,7 @@ def parse_args(args: list[str] | None) -> Arguments:
 
 
 def _sortwheel(wheel: Path) -> Path:
-    """Sort the lines in */RECORD and files in a wheel
+    """Sort the lines in */RECORD and files in a wheel.
 
     pypa/wheel has had reproducible builds since 0.27.0 (2016-02-05); this
     script post processes a wheel file to match the ordering that pypa/wheel
@@ -329,7 +365,8 @@ def _sortwheel(wheel: Path) -> Path:
     From observation of pypa/wheel output desired order is below. This can be
     called breadth first. It is easily created recursively. For a directory,
     list all the files in order then repeat for all of the subdirectories in
-    order."""
+    order.
+    """
     with TemporaryDirectory() as directory:
         intermediate = Path(directory) / wheel.name
         with ZipFile(wheel, "r") as original, ZipFile(intermediate, "w") as destination:
@@ -347,6 +384,7 @@ def _sortwheel(wheel: Path) -> Path:
 
 
 def main(arguments: list[str] | None = None) -> int:
+    """Reproducibly build Python packages."""
     parsed = parse_args(arguments)
     for repository in parsed["repositories"]:
         sdist = _build(repository, parsed["output"], "sdist")
@@ -354,7 +392,7 @@ def main(arguments: list[str] | None = None) -> int:
             date = float(environ["SOURCE_DATE_EPOCH"])
         else:
             date = latest_commit_time(repository)
-        cleanse_metadata(sdist, date)
+        cleanse_sdist(sdist, date)
     for sdist in parsed["sdists"]:
         with ModifiedEnvironment(SOURCE_DATE_EPOCH=latest_modification_time(sdist)):
             if Builder.which(sdist) == Builder.cibuildwheel:
@@ -363,7 +401,7 @@ def main(arguments: list[str] | None = None) -> int:
                 with TemporaryDirectory() as directory:
                     srcdir = _extract_to_empty_directory(sdist, directory)
                     built = _build(srcdir, parsed["output"], "wheel")
-        _sortwheel(zipumask(built))
+        fix_zip_members(_sortwheel(built))
     return 0