Builds are not (fully) reproducible due to file permissions stored in .whl #362

@miccoli
In order to obtain a fully reproducible build one has to build the wheel with the same umask.

Here is how to reproduce the issue; tested with wheel 0.34.2, using pypa/sampleproject as an example.

$ export SOURCE_DATE_EPOCH=$(git log -n 1 --pretty=%ct)
$ echo $SOURCE_DATE_EPOCH 
1593523015
$ umask 022
$ python setup.py --quiet bdist_wheel
$ sha3-512sum -N 32 dist/sampleproject-2.0.0-py3-none-any.whl 
A64A8921  dist/sampleproject-2.0.0-py3-none-any.whl

but changing the umask I have

$ umask 000
$ python setup.py --quiet bdist_wheel
$ sha3-512sum -N 32 dist/sampleproject-2.0.0-py3-none-any.whl 
FED67824  dist/sampleproject-2.0.0-py3-none-any.whl

This is due to the fact that file permissions, stored in the .whl file, are affected by the umask at build time.

$ zipinfo dist/sampleproject-2.0.0-py3-none-any.whl
Archive:  dist/sampleproject-2.0.0-py3-none-any.whl
Zip file size: 4208 bytes, number of entries: 10
-rw-rw-rw-  2.0 unx      111 b- defN 20-Jun-30 13:16 sample/__init__.py
-rw-r--r--  2.0 unx        9 b- defN 20-Jun-30 13:16 sample/package_data.dat
-rw-rw-rw-  2.0 unx       43 b- defN 20-Jun-30 13:16 sample/simple.py
-rw-r--r--  2.0 unx        9 b- defN 20-Jun-30 13:16 sampleproject-2.0.0.data/data/my_data/data_file
-rw-r--r--  2.0 unx     1081 b- defN 20-Jun-30 13:16 sampleproject-2.0.0.dist-info/LICENSE.txt
-rw-rw-rw-  2.0 unx     3043 b- defN 20-Jun-30 13:16 sampleproject-2.0.0.dist-info/METADATA
-rw-rw-rw-  2.0 unx       92 b- defN 20-Jun-30 13:16 sampleproject-2.0.0.dist-info/WHEEL
-rw-rw-rw-  2.0 unx       40 b- defN 20-Jun-30 13:16 sampleproject-2.0.0.dist-info/entry_points.txt
-rw-rw-rw-  2.0 unx        7 b- defN 20-Jun-30 13:16 sampleproject-2.0.0.dist-info/top_level.txt
?rw-rw-r--  2.0 unx      843 b- defN 20-Jun-30 13:16 sampleproject-2.0.0.dist-info/RECORD
10 files, 5278 bytes uncompressed, 2740 bytes compressed:  48.1%

I think that file permissions should be normalised in the .whl file, and not dependent on the build environment. This same approach is implemented in flit, since v. 0.12.
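The following script is an added illustration of the effect the report describes and of the normalisation it proposes; it is not code from the wheel project or from the reporter. It constructs a small wheel-like zip whose stored entry modes are derived from a chosen umask (as the bdist_wheel output above was), shows that two builds differing only in umask produce different archive digests, and then rewrites the archive with a fixed mode per entry so the two become byte-identical. The file contents, the 0o644/0o755 convention and the function names are assumptions made for the example; the entry-mode helper masks off the file-type bits, which is why it also handles an entry such as RECORD above that zipinfo prints with a leading '?'.

```python
import hashlib
import io
import stat
import zipfile

# Constructed sample contents; not the real pypa/sampleproject files.
SAMPLE_FILES = {
    "sample/__init__.py": b'"""Constructed sample package."""\n',
    "sample/simple.py": b"def add(a, b):\n    return a + b\n",
    "sampleproject-2.0.0.dist-info/RECORD": b"",
}


def entry_mode(info: zipfile.ZipInfo) -> int:
    """Permission bits of a zip entry.

    The upper 16 bits of external_attr carry the Unix st_mode; masking with
    0o7777 drops the file-type bits (missing on the RECORD entry in the
    report, which is why zipinfo printed '?' for it).
    """
    return (info.external_attr >> 16) & 0o7777


def entry_modes(data: bytes) -> dict:
    """Map entry name -> stored permission bits for an archive given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: entry_mode(i) for i in zf.infolist()}


def build_wheel_like(umask: int) -> bytes:
    """Build a toy wheel-like archive whose stored modes depend on umask,
    the way the reported bdist_wheel output did (0o666 & ~umask per file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in SAMPLE_FILES.items():
            zi = zipfile.ZipInfo(name, date_time=(2020, 6, 30, 13, 16, 0))
            zi.create_system = 3  # "unx" in zipinfo output; pinned for determinism
            zi.compress_type = zipfile.ZIP_DEFLATED
            zi.external_attr = (stat.S_IFREG | (0o666 & ~umask)) << 16
            zf.writestr(zi, data)
    return buf.getvalue()


def normalize_modes(data: bytes, file_mode: int = 0o644, exec_mode: int = 0o755) -> bytes:
    """Rewrite an archive so every entry carries a fixed mode: exec_mode if
    any execute bit was set, file_mode otherwise.  The 0o644/0o755 pair is an
    assumed convention for this example, not something the issue prescribes."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            mode = exec_mode if entry_mode(info) & 0o111 else file_mode
            zi = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            zi.create_system = 3
            zi.compress_type = info.compress_type
            zi.external_attr = (stat.S_IFREG | mode) << 16
            dst.writestr(zi, src.read(info))
    return out.getvalue()


def nonstandard_entries(data: bytes, allowed=(0o644, 0o755)) -> list:
    """Names of entries whose stored mode is not in `allowed`; a non-empty
    result means the archive still reflects the build-time umask."""
    return [name for name, mode in entry_modes(data).items() if mode not in allowed]


def digest(data: bytes) -> str:
    """SHA-256 of the whole archive, the quantity a reproducibility check compares."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    built = {umask: build_wheel_like(umask) for umask in (0o022, 0o000)}
    for umask, data in built.items():
        modes = {n: oct(m) for n, m in entry_modes(data).items()}
        print(f"umask {umask:03o}: digest {digest(data)[:16]} modes {modes}")
    normalized = {umask: normalize_modes(d) for umask, d in built.items()}
    for umask, data in normalized.items():
        print(f"umask {umask:03o} after normalizing: digest {digest(data)[:16]}")
```

Run stand-alone, the script prints two differing digests for the umask-022 and umask-000 builds and one shared digest after normalisation; `nonstandard_entries` is the check a release pipeline can run over a real wheel to flag entries whose mode still depends on the builder's environment.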

Labels: needs-discussion (Needs broader discussion / PyPA consensus)