bump epochs to produce valid SBOMs (#17337)

* bump epochs to produce valid SBOMs Signed-off-by: Jason Hall <[email protected]> * fix pygments Signed-off-by: Jason Hall <[email protected]> * fix invalid licenses; bump configobj which wasn't rebuilt Signed-off-by: Jason Hall <[email protected]> * revert zig Signed-off-by: Jason Hall <[email protected]> * pygments: fix shbang Signed-off-by: Jason Hall <[email protected]> * pygments: fix shbang again Signed-off-by: Jason Hall <[email protected]> * pygments: fix shbang again Signed-off-by: Jason Hall <[email protected]> * pygments: fix shbang again Signed-off-by: Jason Hall <[email protected]> * revert font-misc, custom license Signed-off-by: Jason Hall <[email protected]> --------- Signed-off-by: Jason Hall <[email protected]>
wolfi-dev · Apr 21, 2024 · 9558f84 · 9558f84
1 parent 430f3ab
commit 9558f84
Show file tree

Hide file tree

Showing 31 changed files with 40 additions and 33 deletions.
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
@@ -178,14 +178,15 @@ jobs:
         uses: ./.github/actions/docker-run
         with:
           run: |
-            apk add py3-ntia-conformance-checker
+            apk add py3-ntia-conformance-checker spdx-tools-java
             for f in \$(find packages -name '*.apk'); do
                 echo ==== Checking SBOM for \$f ====
                 tar -Oxf \$f var/lib/db/sbom/ > sbom.json
                 echo ::group::sbom.json
                 cat sbom.json
                 echo ::endgroup::
                 ntia-checker -v --file sbom.json
+                tools-java Verify sbom.json
             done
 
       - name: Check for file

diff --git a/hiredis.yaml b/hiredis.yaml
@@ -1,7 +1,7 @@
 package:
   name: hiredis
   version: 1.2.0
-  epoch: 0
+  epoch: 1
   description: Minimalistic C client for Redis
   copyright:
     - license: BSD-3-Clause

diff --git a/libdbi.yaml b/libdbi.yaml
@@ -1,7 +1,7 @@
 package:
   name: libdbi
   version: 0.9.0
-  epoch: 0
+  epoch: 1
   description: "Database independent abstraction layer for C"
   copyright:
     - license: LGPL-2.1-or-later

diff --git a/libnotify.yaml b/libnotify.yaml
@@ -1,10 +1,10 @@
 package:
   name: libnotify
   version: 0.8.3
-  epoch: 0
+  epoch: 2
   description: "GNOME/libnotify mirror"
   copyright:
-    - license: LGPL-2.1
+    - license: LGPL-2.1-or-later
 
 environment:
   contents:

diff --git a/libnsl.yaml b/libnsl.yaml
@@ -1,10 +1,10 @@
 package:
   name: libnsl
   version: 2.0.1
-  epoch: 0
+  epoch: 1
   description: This library contains the public client interface for NIS(YP) and NIS+ in a IPv6 ready version
   copyright:
-    - license: LGPL-2.1
+    - license: LGPL-2.1-or-later
 
 environment:
   contents:

diff --git a/libpsl-native.yaml b/libpsl-native.yaml
@@ -1,7 +1,7 @@
 package:
   name: libpsl-native
   version: 7.4.0
-  epoch: 0
+  epoch: 1
   description: this library provides functionality missing from .NET Core via system calls
   copyright:
     - license: MIT

diff --git a/libxrandr.yaml b/libxrandr.yaml
@@ -1,7 +1,7 @@
 package:
   name: libxrandr
   version: 1.5.4
-  epoch: 0
+  epoch: 1
   description: X11 RandR extension library
   copyright:
     - license: MIT

diff --git a/libxshmfence.yaml b/libxshmfence.yaml
@@ -2,7 +2,7 @@
 package:
   name: libxshmfence
   version: 1.3.2
-  epoch: 0
+  epoch: 1
   description: X11 shared memory fences
   copyright:
     - license: MIT

diff --git a/llvm-lld-16.yaml b/llvm-lld-16.yaml
@@ -1,7 +1,7 @@
 package:
   name: llvm-lld-16
   version: 16.0.6
-  epoch: 4
+  epoch: 5
   description: The LLVM Linker
   copyright:
     - license: Apache-2.0

diff --git a/llvm-lld-17.yaml b/llvm-lld-17.yaml
@@ -1,7 +1,7 @@
 package:
   name: llvm-lld-17
   version: 17.0.6
-  epoch: 0
+  epoch: 1
   description: The LLVM Linker
   copyright:
     - license: Apache-2.0

diff --git a/openmp-17.yaml b/openmp-17.yaml
@@ -1,7 +1,7 @@
 package:
   name: openmp-17
   version: 17.0.6
-  epoch: 0
+  epoch: 1
   description: "LLVM OpenMP library"
   copyright:
     - license: Apache-2.0

diff --git a/py3-annotated-types.yaml b/py3-annotated-types.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-annotated-types
   version: 0.6.0
-  epoch: 1
+  epoch: 2
   description: Reusable constraint types to use with typing.Annotated
   copyright:
     - license: MIT

diff --git a/py3-boolean.py.yaml b/py3-boolean.py.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-boolean.py
   version: "4.0"
-  epoch: 0
+  epoch: 1
   description: Define boolean algebras, create and parse boolean expressions and create custom boolean DSL.
   copyright:
     - license: BSD-2-Clause

diff --git a/py3-bracex.yaml b/py3-bracex.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-bracex
   version: '2.4'
-  epoch: 1
+  epoch: 2
   description: Bash style brace expander.
   copyright:
     - license: MIT

diff --git a/py3-click-option-group.yaml b/py3-click-option-group.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-click-option-group
   version: 0.5.6
-  epoch: 1
+  epoch: 2
   description: "Option groups missing in Click."
   copyright:
     - license: BSD-3-Clause

diff --git a/py3-click.yaml b/py3-click.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-click
   version: 8.1.7
-  epoch: 2
+  epoch: 3
   description: Composable command line interface toolkit
   copyright:
     - license: BSD-3-Clause

diff --git a/py3-conda-package-streaming.yaml b/py3-conda-package-streaming.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-conda-package-streaming
   version: 0.9.0
-  epoch: 2
+  epoch: 3
   description: An efficient library to read from new and old format .conda and .tar.bz2 conda packages.
   copyright:
     - license: "BSD-3-Clause"

diff --git a/py3-configobj.yaml b/py3-configobj.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-configobj
   version: 5.0.8
-  epoch: 1
+  epoch: 2
   description: Config file reading, writing and validation.
   copyright:
     - license: BSD-2-Clause

diff --git a/py3-defusedxml.yaml b/py3-defusedxml.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-defusedxml
   version: 0.7.1
-  epoch: 1
+  epoch: 2
   description: XML bomb protection for Python stdlib modules
   copyright:
     - license: PSF-2.0

diff --git a/py3-face.yaml b/py3-face.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-face
   version: 22.0.0
-  epoch: 1
+  epoch: 2
   description: "A command-line application framework (and CLI parser). Friendly for users, full-featured for developers."
   copyright:
     - license: BSD-3-Clause

diff --git a/py3-glom.yaml b/py3-glom.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-glom
   version: 23.5.0
-  epoch: 0
+  epoch: 1
   description: "Python's nested data operator (and CLI), for all your declarative restructuring needs. Got data? Glom it!"
   copyright:
     - license: BSD-3-Clause

diff --git a/py3-h11.yaml b/py3-h11.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-h11
   version: 0.14.0
-  epoch: 2
+  epoch: 3
   description: A pure-Python, bring-your-own-I/O implementation of HTTP/1.1
   copyright:
     - license: MIT

diff --git a/py3-markdown-it-py.yaml b/py3-markdown-it-py.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-markdown-it-py
   version: 3.0.0
-  epoch: 1
+  epoch: 2
   description: "Python port of markdown-it. Markdown parsing, done right!"
   copyright:
     - license: MIT

diff --git a/py3-mdurl.yaml b/py3-mdurl.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-mdurl
   version: 0.1.2
-  epoch: 1
+  epoch: 2
   description: "Markdown URL utilities"
   copyright:
     - license: MIT

diff --git a/py3-pygments.yaml b/py3-pygments.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-pygments
   version: 2.17.2
-  epoch: 0
+  epoch: 1
   description: Syntax highlighting package written in Python
   copyright:
     - license: BSD-2-Clause
@@ -13,6 +13,9 @@ environment:
       - busybox
       - ca-certificates-bundle
       - py3-pip
+  environment:
+    # This is needed to work around the error "ValueError: ZIP does not support timestamps before 1980"
+    SOURCE_DATE_EPOCH: 315532800
 
 pipeline:
   - uses: git-checkout
@@ -23,6 +26,9 @@ pipeline:
 
   - runs: pip install . --prefix=/usr --root=${{targets.destdir}}
 
+  - runs: |
+      sed -i '1s|^#!/usr/bin/python$|#!/usr/bin/python3|' ${{targets.destdir}}/usr/bin/pygmentize
+
 subpackages:
   - name: py3-pygments-doc
     pipeline:

diff --git a/py3-python-lsp-jsonrpc.yaml b/py3-python-lsp-jsonrpc.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-python-lsp-jsonrpc
   version: 1.1.2
-  epoch: 1
+  epoch: 2
   description: "JSON RPC 2.0 server library"
   copyright:
     - license: MIT

diff --git a/py3-rdflib.yaml b/py3-rdflib.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-rdflib
   version: 7.0.0
-  epoch: 0
+  epoch: 1
   description: RDFLib is a Python library for working with RDF, a simple yet powerful language for representing information.
   copyright:
     - license: BSD-3-Clause

diff --git a/py3-uritools.yaml b/py3-uritools.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-uritools
   version: 4.0.2
-  epoch: 0
+  epoch: 1
   description: URI parsing, classification and composition
   copyright:
     - license: MIT

diff --git a/py3-xmltodict.yaml b/py3-xmltodict.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-xmltodict
   version: 0.13.0
-  epoch: 0
+  epoch: 1
   description: Makes working with XML feel like you are working with JSON
   copyright:
     - license: MIT

diff --git a/ruby3.2-redis.yaml b/ruby3.2-redis.yaml
@@ -2,7 +2,7 @@
 package:
   name: ruby3.2-redis
   version: 5.0.8
-  epoch: 0
+  epoch: 1
   description: A Ruby client that tries to match Redis API one-to-one, while still providing an idiomatic interface.
   copyright:
     - license: MIT

diff --git a/shared-mime-info.yaml b/shared-mime-info.yaml
@@ -1,7 +1,7 @@
 package:
   name: shared-mime-info
   version: "2.4"
-  epoch: 0
+  epoch: 1
   description: Freedesktop.org Shared MIME Info
   copyright:
     - license: GPL-2.0-or-later