Deterministically normalize wheel ZIP metadata

[tabbyrobin]

So as to enable reproducible builds, it would be nice if auditwheel could deterministically normalize the ZIP metadata in wheels it repairs.

It would be ideal if this was either done by default, or easily enabled with a simple option (for example, --deterministic or similar).

Sources of nondeterminism in ZIP metadata include:

• Timestamps -- Of course, auditwheel already normalizes ZIP timestamps if SOURCE_DATE_EPOCH is set. However, it would be helpful to normalize the timestamps even if SOURCE_DATE_EPOCH is not set.
• File permissions and ownership
• Ordering of ZIP entries. -- This generally seems to already be effectively deterministic, at least with the handful of experiments I've run. I'm not sure what nondeterminism might exist depending on OS, OS variants, Python build backends, etc.
• Potentially other things

I am filing this issue here with auditwheel in the hopes that a solution in auditwheel could serve as a blanket solution in a centralized tool, improving wheel reproducibility through the Python ecosystem.

See also:

• Deterministically normalize wheel ZIP metadata cibuildwheel#2344
• Provide verifiably reproducible wheels on PyPI pyca/cryptography#12811

[tabbyrobin]

I have put together some notes about deterministic Python wheels:
https://github.com/tabbyrobin/expt-repro-python-wheels/blob/main/notes-on-wheel-determinism.md

And I started a thread about the subject here, to hopefully spark discussion with various projects/the wider Python community:
https://discuss.python.org/t/best-practices-for-deterministically-normalizing-wheel-zip-metadata/90662