#33411 closed Uncategorized (invalid)
Django 2.2.26 tarball on PyPI differs from djangoproject.org
| Reported by: | Marius Bakke | Owned by: | nobody |
|---|---|---|---|
| Component: | Packaging | Version: | 2.2 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
PyPI is serving a different tarball than djangoproject.org for 2.2.26.
a84c71495d12388ea3e7cb271ba0b6c020e51831477a65e7cd00fe1cce80d103 Django-2.2.26.tar.gz dfa537267d52c6243a62b32855a744ca83c37c70600aacffbfd98bc5d6d8518f Django-2.2.26.tar.gz.pypi
The only difference is in gzip compression metadata:
$ file Django-2.2.26.tar.gz* Django-2.2.26.tar.gz: gzip compressed data, was "Django-2.2.26.tar", last modified: Tue Jan 4 09:30:26 2022, max compression, original size modulo 2^32 52469760 Django-2.2.26.tar.gz.pypi: gzip compressed data, was "Django-2.2.26.tar", last modified: Tue Jan 4 09:40:48 2022, max compression, original size modulo 2^32 52469760
The GPG signatures for 2.2.26 on PyPI and djangoproject.org are OK however.
Change History (2)
comment:1 by , 2 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:2 by , 2 years ago
No particular concern, just a surprise e.g. for downstreams who provide both URLs as download location.
I had started writing this ticket before realizing that only the gzip metadata differed.
Thanks for checking!
Note:
See TracTickets
for help on using tickets.
Yes, as per the metadata, the archives were created separately. As you noted they are otherwise identical — specifically they have the tagged content for Django 2.2.26 as at 44e7cca62382f2535ed0f5d2842b433f0bd23a57.
Closing on that basis.
Nonetheless, is there a particular issue you wanted to highlight? (I can't see immediately any concern?)