[Django] #33411: Django 2.2.26 tarball on PyPI differs from djangoproject.org


Django

Jan 5, 2022, 5:39:19 AM
to django-...@googlegroups.com
#33411: Django 2.2.26 tarball on PyPI differs from djangoproject.org
-----------------------------------------+------------------------
Reporter: mbakke | Owner: nobody
Type: Uncategorized | Status: new
Component: Packaging | Version: 2.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
PyPI is serving a different tarball than djangoproject.org for 2.2.26.

{{{
a84c71495d12388ea3e7cb271ba0b6c020e51831477a65e7cd00fe1cce80d103  Django-2.2.26.tar.gz
dfa537267d52c6243a62b32855a744ca83c37c70600aacffbfd98bc5d6d8518f  Django-2.2.26.tar.gz.pypi
}}}

The only difference is in gzip compression metadata:

{{{
$ file Django-2.2.26.tar.gz*
Django-2.2.26.tar.gz: gzip compressed data, was "Django-2.2.26.tar", last modified: Tue Jan 4 09:30:26 2022, max compression, original size modulo 2^32 52469760
Django-2.2.26.tar.gz.pypi: gzip compressed data, was "Django-2.2.26.tar", last modified: Tue Jan 4 09:40:48 2022, max compression, original size modulo 2^32 52469760
}}}

The GPG signatures for 2.2.26 on PyPI and djangoproject.org are OK,
however.

--
Ticket URL: <https://code.djangoproject.com/ticket/33411>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Jan 5, 2022, 6:04:07 AM
to django-...@googlegroups.com
#33411: Django 2.2.26 tarball on PyPI differs from djangoproject.org
-------------------------------+--------------------------------------
Reporter: mbakke | Owner: nobody
Type: Uncategorized | Status: closed
Component: Packaging | Version: 2.2
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by Carlton Gibson):

* status: new => closed
* resolution: => invalid


Comment:

Yes, as per the metadata, the archives were created separately. As you
noted they are otherwise identical — specifically they have the tagged
content for Django 2.2.26 as at 44e7cca62382f2535ed0f5d2842b433f0bd23a57.

Closing on that basis.

Nonetheless, is there a particular issue you wanted to highlight? (I can't
see immediately any concern?)

--
Ticket URL: <https://code.djangoproject.com/ticket/33411#comment:1>

Django

Jan 6, 2022, 4:02:53 AM
to django-...@googlegroups.com
#33411: Django 2.2.26 tarball on PyPI differs from djangoproject.org
-------------------------------+--------------------------------------
Reporter: Marius Bakke | Owner: nobody
Type: Uncategorized | Status: closed
Component: Packaging | Version: 2.2
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Marius Bakke):

No particular concern, just a surprise e.g. for downstreams who provide
both URLs as download location.

I had started writing this ticket before realizing that only the gzip
metadata differed.

Thanks for checking!

--
Ticket URL: <https://code.djangoproject.com/ticket/33411#comment:2>
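
The comparison discussed in this thread, as an added example (not part of the ticket or of Django's release tooling): it parses the gzip header of two archives and hashes both the compressed file and the decompressed payload, so a header-only difference can be told apart from a content difference. The helper names, the sample payload and the two timestamps are constructed for illustration.

```python
import gzip
import hashlib
import io
import struct

def gzip_header(blob: bytes) -> dict:
    """Parse the RFC 1952 member header: fixed 10 bytes plus optional FNAME."""
    magic, method, flags, mtime, xfl, os_id = struct.unpack_from("<HBBIBB", blob)
    if magic != 0x8B1F or method != 8:
        raise ValueError("not a deflate-compressed gzip stream")
    pos, name = 10, None
    if flags & 0x04:  # FEXTRA: 2-byte length, then that many bytes
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & 0x08:  # FNAME: NUL-terminated original file name
        end = blob.index(b"\0", pos)
        name = blob[pos:end].decode("latin-1")
    return {"mtime": mtime, "xfl": xfl, "os": os_id, "name": name}

def compare(a: bytes, b: bytes) -> dict:
    """Report whether two .gz files differ as files, as payloads, or in header fields."""
    ha, hb = gzip_header(a), gzip_header(b)
    return {
        "same_file": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "same_payload": hashlib.sha256(gzip.decompress(a)).digest()
                        == hashlib.sha256(gzip.decompress(b)).digest(),
        "header_diff": {k: (ha[k], hb[k]) for k in ha if ha[k] != hb[k]},
    }

def make_sample(mtime: int) -> bytes:
    """Constructed stand-in for a release tarball gzipped at a given time."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename="Django-2.2.26.tar", mode="wb",
                       fileobj=buf, mtime=mtime) as gz:
        gz.write(b"constructed tar payload, not real Django content\n" * 64)
    return buf.getvalue()

# Constructed timestamps 622 seconds apart, like the two archives in the report.
SITE = make_sample(1641288626)
PYPI = make_sample(1641289248)
RESULT = compare(SITE, PYPI)

if __name__ == "__main__":
    print(RESULT)
```

For a downstream that lists both URLs, `same_payload` being true with only `mtime` in `header_diff` is the situation in this ticket; a single pinned SHA-256 of the `.tar.gz` file still matches only one of the two sources.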
