Reproducible wheels at SecureDrop
The SecureDrop workstation project's packages are reproducible. We use wheels
we build ourselves, along with GPG signatures to verify them, and install them
with pip during the Debian package build step. But the way we built those
wheels (the standard pip command) was not reproducible.
To fix this problem, Jennifer Helsby (aka redshiftzero) built a tool; the
results are available at https://reproduciblewheels.com/. Every night her tool
builds the top 100 packages plus our dependencies on Debian Buster and verifies
their reproducibility. She has a detailed write-up of the steps.
While this issue was fixed, a related issue was reproducible source tarballs:
python3 setup.py sdist still does not give us reproducible tarballs. Conor
Schaefer, our CTO at the Freedom of the Press Foundation, decided to tackle
that issue with a few more lines of bash in our build scripts. Now we have
reproducible wheels and source tarballs (based on specified timestamps) for
our projects.
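The following is an added example, not SecureDrop's build script, of why a plain sdist/tar.gz drifts between builds and what a timestamp-pinned build has to normalize: entry order, per-file mtime, uid/gid and owner names, umask-dependent modes, and the MTIME field in the gzip header. It builds a small constructed package tree twice from "checkouts" with different on-disk mtimes and compares SHA-256 digests of the naive and the normalized tarballs. The default epoch value and the package contents are assumptions made for the demo; the SOURCE_DATE_EPOCH variable is the reproducible-builds convention for passing the pinned timestamp in.

```python
"""Added example: a reproducible source tarball with a pinned timestamp.

Stand-in for the `setup.py sdist` step; not SecureDrop's own build script.
"""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path

DEFAULT_EPOCH = 1577836800  # constructed default: 2020-01-01T00:00:00Z


def _normalize(info: tarfile.TarInfo, epoch: int) -> tarfile.TarInfo:
    """Strip every header field that varies by machine, user or clock."""
    info.mtime = epoch
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    # umask differs between build hosts; keep only the executable bit.
    info.mode = 0o755 if info.isdir() or info.mode & 0o111 else 0o644
    return info


def build_reproducible_tarball(src_dir, prefix: str, epoch: int) -> bytes:
    """Return <prefix>.tar.gz bytes that depend only on file contents and epoch."""
    src = Path(src_dir)
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        # Sorted, explicit walk: directory listing order is filesystem-dependent.
        for path in [src] + sorted(src.rglob("*")):
            rel = path.relative_to(src).as_posix()
            arcname = prefix if rel == "." else f"{prefix}/{rel}"
            tar.add(path, arcname=arcname, recursive=False,
                    filter=lambda ti: _normalize(ti, epoch))
    # gzip stores its own MTIME field; pin it too, or the .tar.gz still drifts.
    return gzip.compress(raw.getvalue(), compresslevel=9, mtime=epoch)


def build_naive_tarball(src_dir, prefix: str) -> bytes:
    """The default behaviour: on-disk mtimes and the current clock leak in."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(src_dir, arcname=prefix)
    return buf.getvalue()


def gzip_header_mtime(data: bytes) -> int:
    """MTIME lives in bytes 4..7 of the gzip header, little-endian."""
    return int.from_bytes(data[4:8], "little")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _make_tree(root: Path, checkout_time: int) -> None:
    """Constructed sample package; mtimes mimic a checkout made at another time."""
    pkg = root / "demo"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("VERSION = '1.0'\n")
    (root / "setup.py").write_text("from setuptools import setup\nsetup(name='demo')\n")
    for p in (root, pkg, pkg / "__init__.py", root / "setup.py"):
        os.utime(p, (checkout_time, checkout_time))


def demo(epoch: int = DEFAULT_EPOCH) -> dict:
    """Build the same tree twice from 'checkouts' with different mtimes."""
    naive, repro, mtimes = [], [], []
    for checkout_time in (1_000_000, 2_000_000):
        with tempfile.TemporaryDirectory() as d:
            root = Path(d) / "src"
            root.mkdir()
            _make_tree(root, checkout_time)
            naive.append(sha256(build_naive_tarball(root, "demo-1.0")))
            tgz = build_reproducible_tarball(root, "demo-1.0", epoch)
            repro.append(sha256(tgz))
            mtimes.append(gzip_header_mtime(tgz))
    return {"naive": naive, "reproducible": repro, "gzip_mtime": mtimes}


if __name__ == "__main__":
    # Reproducible-builds convention: take the pinned timestamp from SOURCE_DATE_EPOCH.
    result = demo(int(os.environ.get("SOURCE_DATE_EPOCH", DEFAULT_EPOCH)))
    for key, value in result.items():
        print(key, value)
```

Run it as `SOURCE_DATE_EPOCH=1577836800 python3 repro_tarball.py`: the two naive digests differ while the two normalized digests match, which is the same check a nightly rebuild-and-compare job performs. The same normalization applies to zip-based wheels, where the per-entry DOS timestamp and entry order are the usual sources of drift.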