Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#33411 closed Uncategorized (invalid)

Django 2.2.26 tarball on PyPI differs from djangoproject.org

Reported by: Marius Bakke Owned by: nobody
Component: Packaging Version: 2.2
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

PyPI is serving a different tarball than djangoproject.org for 2.2.26.

a84c71495d12388ea3e7cb271ba0b6c020e51831477a65e7cd00fe1cce80d103  Django-2.2.26.tar.gz
dfa537267d52c6243a62b32855a744ca83c37c70600aacffbfd98bc5d6d8518f  Django-2.2.26.tar.gz.pypi

The only difference is in gzip compression metadata:

$ file Django-2.2.26.tar.gz*
Django-2.2.26.tar.gz:      gzip compressed data, was "Django-2.2.26.tar", last modified: Tue Jan  4 09:30:26 2022, max compression, original size modulo 2^32 52469760
Django-2.2.26.tar.gz.pypi: gzip compressed data, was "Django-2.2.26.tar", last modified: Tue Jan  4 09:40:48 2022, max compression, original size modulo 2^32 52469760

The GPG signatures for 2.2.26 on PyPI and djangoproject.org are OK however.

Change History (2)

comment:1 by Carlton Gibson, 3 years ago

Resolution: invalid
Status: newclosed

Yes, as per the metadata, the archives were created separately. As you noted they are otherwise identical — specifically they have the tagged content for Django 2.2.26 as at 44e7cca62382f2535ed0f5d2842b433f0bd23a57.

Closing on that basis.

Nonetheless, is there a particular issue you wanted to highlight? (I can't see immediately any concern?)

comment:2 by Marius Bakke, 3 years ago

No particular concern, just a surprise e.g. for downstreams who provide both URLs as download location.

I had started writing this ticket before realizing that only the gzip metadata differed.

Thanks for checking!

Note: See TracTickets for help on using tickets.
Back to Top