I applied the non-timestamp changes from the Debian patch directly. For the timestamp issue, I added support for WHEEL_FORCE_TIMESTAMP envar. I actually added a test for this latter. I may be violating project coding styles all of the place, so please be gentle. :) Hopefully the change makes sense.
There is also a per-file header on each member of the zip file (not at the end, and written during ZipFile.write()) that includes the timestamp. So unfortunately modifying all the ZipInfo is not enough to create bit-identical zipfiles time and time again.
FWIW, I applied this patch to wheel_0.24.0-2 in Debian, which I've just uploaded. I added some DEP-8 tests to prove that the whl files are reproducible when the environment variable is set, even between wheels built 5 seconds apart. The tests pass so I think this PR is good!
If you do end up modifying it before merging, let me know (or I guess bb will notify me), and I'll update the Debian patch to match. Ideally of course, we'd get a new PyPI release with the fix and I could just drop the Debian delta.
@Daniel Holth This looks good to me, tests pass, and it performed fine even with a ~1GB package file. I'll go ahead and merge this and then make the changes @Barry Warsaw suggested in issue #143 unless you have any objections.
Directories are not explicitly added so this should not be an issue. I don't believe it's possible to add an empty directory to an sdist or a bdist using MANIFEST.in or other methods.
Attributes are not preserved, but this matches the existing behavior of all other built distribution formats from wheel (before this change) to egg to a plain bdist. Currently, only sdist preserves permissions.
Spoke too soon, I must've checked the statement about permissions with the wrong version of wheel. Indeed, the wheel's contents are set with empty attributes, which results in files with no permissions set upon extraction. I'll have a fix for this shortly.