From 9558f8457e2186346c8b31d4c6003e23d6e63a54 Mon Sep 17 00:00:00 2001
From: Jason Hall <jason@chainguard.dev>
Date: Sat, 20 Apr 2024 20:53:54 -0400
Subject: [PATCH] bump epochs to produce valid SBOMs (#17337)

* bump epochs to produce valid SBOMs

Signed-off-by: Jason Hall <jason@chainguard.dev>

* fix pygments

Signed-off-by: Jason Hall <jason@chainguard.dev>

* fix invalid licenses; bump configobj which wasn't rebuilt

Signed-off-by: Jason Hall <jason@chainguard.dev>

* revert zig

Signed-off-by: Jason Hall <jason@chainguard.dev>

* pygments: fix shbang

Signed-off-by: Jason Hall <jason@chainguard.dev>

* pygments: fix shbang again

Signed-off-by: Jason Hall <jason@chainguard.dev>

* pygments: fix shbang again

Signed-off-by: Jason Hall <jason@chainguard.dev>

* pygments: fix shbang again

Signed-off-by: Jason Hall <jason@chainguard.dev>

* revert font-misc, custom license

Signed-off-by: Jason Hall <jason@chainguard.dev>

---------

Signed-off-by: Jason Hall <jason@chainguard.dev>
---
 .github/workflows/ci-build.yaml  | 3 ++-
 hiredis.yaml                     | 2 +-
 libdbi.yaml                      | 2 +-
 libnotify.yaml                   | 4 ++--
 libnsl.yaml                      | 4 ++--
 libpsl-native.yaml               | 2 +-
 libxrandr.yaml                   | 2 +-
 libxshmfence.yaml                | 2 +-
 llvm-lld-16.yaml                 | 2 +-
 llvm-lld-17.yaml                 | 2 +-
 openmp-17.yaml                   | 2 +-
 py3-annotated-types.yaml         | 2 +-
 py3-boolean.py.yaml              | 2 +-
 py3-bracex.yaml                  | 2 +-
 py3-click-option-group.yaml      | 2 +-
 py3-click.yaml                   | 2 +-
 py3-conda-package-streaming.yaml | 2 +-
 py3-configobj.yaml               | 2 +-
 py3-defusedxml.yaml              | 2 +-
 py3-face.yaml                    | 2 +-
 py3-glom.yaml                    | 2 +-
 py3-h11.yaml                     | 2 +-
 py3-markdown-it-py.yaml          | 2 +-
 py3-mdurl.yaml                   | 2 +-
 py3-pygments.yaml                | 8 +++++++-
 py3-python-lsp-jsonrpc.yaml      | 2 +-
 py3-rdflib.yaml                  | 2 +-
 py3-uritools.yaml                | 2 +-
 py3-xmltodict.yaml               | 2 +-
 ruby3.2-redis.yaml               | 2 +-
 shared-mime-info.yaml            | 2 +-
 31 files changed, 40 insertions(+), 33 deletions(-)

diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 94d677ba651..c73a386d8d4 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -178,7 +178,7 @@ jobs:
         uses: ./.github/actions/docker-run
         with:
           run: |
-            apk add py3-ntia-conformance-checker
+            apk add py3-ntia-conformance-checker spdx-tools-java
             for f in \$(find packages -name '*.apk'); do
                 echo ==== Checking SBOM for \$f ====
                 tar -Oxf \$f var/lib/db/sbom/ > sbom.json
@@ -186,6 +186,7 @@ jobs:
                 cat sbom.json
                 echo ::endgroup::
                 ntia-checker -v --file sbom.json
+                tools-java Verify sbom.json
             done
 
       - name: Check for file
diff --git a/hiredis.yaml b/hiredis.yaml
index 73e3d0f28f3..5ba531ffa8a 100644
--- a/hiredis.yaml
+++ b/hiredis.yaml
@@ -1,7 +1,7 @@
 package:
   name: hiredis
   version: 1.2.0
-  epoch: 0
+  epoch: 1
   description: Minimalistic C client for Redis
   copyright:
     - license: BSD-3-Clause
diff --git a/libdbi.yaml b/libdbi.yaml
index b8ffa5a3e85..8f21313fd18 100644
--- a/libdbi.yaml
+++ b/libdbi.yaml
@@ -1,7 +1,7 @@
 package:
   name: libdbi
   version: 0.9.0
-  epoch: 0
+  epoch: 1
   description: "Database independent abstraction layer for C"
   copyright:
     - license: LGPL-2.1-or-later
diff --git a/libnotify.yaml b/libnotify.yaml
index e3aa519ec47..9309d432400 100644
--- a/libnotify.yaml
+++ b/libnotify.yaml
@@ -1,10 +1,10 @@
 package:
   name: libnotify
   version: 0.8.3
-  epoch: 0
+  epoch: 2
   description: "GNOME/libnotify mirror"
   copyright:
-    - license: LGPL-2.1
+    - license: LGPL-2.1-or-later
 
 environment:
   contents:
diff --git a/libnsl.yaml b/libnsl.yaml
index f6d708b119c..f48b1e446df 100644
--- a/libnsl.yaml
+++ b/libnsl.yaml
@@ -1,10 +1,10 @@
 package:
   name: libnsl
   version: 2.0.1
-  epoch: 0
+  epoch: 1
   description: This library contains the public client interface for NIS(YP) and NIS+ in a IPv6 ready version
   copyright:
-    - license: LGPL-2.1
+    - license: LGPL-2.1-or-later
 
 environment:
   contents:
diff --git a/libpsl-native.yaml b/libpsl-native.yaml
index 96969477aad..8d6b9afbdb9 100644
--- a/libpsl-native.yaml
+++ b/libpsl-native.yaml
@@ -1,7 +1,7 @@
 package:
   name: libpsl-native
   version: 7.4.0
-  epoch: 0
+  epoch: 1
   description: this library provides functionality missing from .NET Core via system calls
   copyright:
     - license: MIT
diff --git a/libxrandr.yaml b/libxrandr.yaml
index b2c4c0cbf4e..22dbab89fae 100644
--- a/libxrandr.yaml
+++ b/libxrandr.yaml
@@ -1,7 +1,7 @@
 package:
   name: libxrandr
   version: 1.5.4
-  epoch: 0
+  epoch: 1
   description: X11 RandR extension library
   copyright:
     - license: MIT
diff --git a/libxshmfence.yaml b/libxshmfence.yaml
index d90494dbed7..0e549e9e9e8 100644
--- a/libxshmfence.yaml
+++ b/libxshmfence.yaml
@@ -2,7 +2,7 @@
 package:
   name: libxshmfence
   version: 1.3.2
-  epoch: 0
+  epoch: 1
   description: X11 shared memory fences
   copyright:
     - license: MIT
diff --git a/llvm-lld-16.yaml b/llvm-lld-16.yaml
index 8f5a0f256f5..7cea5d7f381 100644
--- a/llvm-lld-16.yaml
+++ b/llvm-lld-16.yaml
@@ -1,7 +1,7 @@
 package:
   name: llvm-lld-16
   version: 16.0.6
-  epoch: 4
+  epoch: 5
   description: The LLVM Linker
   copyright:
     - license: Apache-2.0
diff --git a/llvm-lld-17.yaml b/llvm-lld-17.yaml
index 18ed749f6c8..2aa2236c81e 100644
--- a/llvm-lld-17.yaml
+++ b/llvm-lld-17.yaml
@@ -1,7 +1,7 @@
 package:
   name: llvm-lld-17
   version: 17.0.6
-  epoch: 0
+  epoch: 1
   description: The LLVM Linker
   copyright:
     - license: Apache-2.0
diff --git a/openmp-17.yaml b/openmp-17.yaml
index d8d219b8971..843c027a4d9 100644
--- a/openmp-17.yaml
+++ b/openmp-17.yaml
@@ -1,7 +1,7 @@
 package:
   name: openmp-17
   version: 17.0.6
-  epoch: 0
+  epoch: 1
   description: "LLVM OpenMP library"
   copyright:
     - license: Apache-2.0
diff --git a/py3-annotated-types.yaml b/py3-annotated-types.yaml
index 1f864ccfa4d..097568c5b7b 100644
--- a/py3-annotated-types.yaml
+++ b/py3-annotated-types.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-annotated-types
   version: 0.6.0
-  epoch: 1
+  epoch: 2
   description: Reusable constraint types to use with typing.Annotated
   copyright:
     - license: MIT
diff --git a/py3-boolean.py.yaml b/py3-boolean.py.yaml
index cd340f1e6a8..946c6d0cfbc 100644
--- a/py3-boolean.py.yaml
+++ b/py3-boolean.py.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-boolean.py
   version: "4.0"
-  epoch: 0
+  epoch: 1
   description: Define boolean algebras, create and parse boolean expressions and create custom boolean DSL.
   copyright:
     - license: BSD-2-Clause
diff --git a/py3-bracex.yaml b/py3-bracex.yaml
index 40e260cc244..5cba5e3edff 100644
--- a/py3-bracex.yaml
+++ b/py3-bracex.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-bracex
   version: '2.4'
-  epoch: 1
+  epoch: 2
   description: Bash style brace expander.
   copyright:
     - license: MIT
diff --git a/py3-click-option-group.yaml b/py3-click-option-group.yaml
index 3b332ae97f4..b5138379128 100644
--- a/py3-click-option-group.yaml
+++ b/py3-click-option-group.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-click-option-group
   version: 0.5.6
-  epoch: 1
+  epoch: 2
   description: "Option groups missing in Click."
   copyright:
     - license: BSD-3-Clause
diff --git a/py3-click.yaml b/py3-click.yaml
index e9706134e22..82ced7c1817 100644
--- a/py3-click.yaml
+++ b/py3-click.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-click
   version: 8.1.7
-  epoch: 2
+  epoch: 3
   description: Composable command line interface toolkit
   copyright:
     - license: BSD-3-Clause
diff --git a/py3-conda-package-streaming.yaml b/py3-conda-package-streaming.yaml
index eedc1b840f7..8f64f663ad4 100644
--- a/py3-conda-package-streaming.yaml
+++ b/py3-conda-package-streaming.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-conda-package-streaming
   version: 0.9.0
-  epoch: 2
+  epoch: 3
   description: An efficient library to read from new and old format .conda and .tar.bz2 conda packages.
   copyright:
     - license: "BSD-3-Clause"
diff --git a/py3-configobj.yaml b/py3-configobj.yaml
index c6e09dcde03..e3c0f174ec1 100644
--- a/py3-configobj.yaml
+++ b/py3-configobj.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-configobj
   version: 5.0.8
-  epoch: 1
+  epoch: 2
   description: Config file reading, writing and validation.
   copyright:
     - license: BSD-2-Clause
diff --git a/py3-defusedxml.yaml b/py3-defusedxml.yaml
index c445d95a66e..446b0ba1fb9 100644
--- a/py3-defusedxml.yaml
+++ b/py3-defusedxml.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-defusedxml
   version: 0.7.1
-  epoch: 1
+  epoch: 2
   description: XML bomb protection for Python stdlib modules
   copyright:
     - license: PSF-2.0
diff --git a/py3-face.yaml b/py3-face.yaml
index ddd42f10440..ee5c3216b3d 100644
--- a/py3-face.yaml
+++ b/py3-face.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-face
   version: 22.0.0
-  epoch: 1
+  epoch: 2
   description: "A command-line application framework (and CLI parser). Friendly for users, full-featured for developers."
   copyright:
     - license: BSD-3-Clause
diff --git a/py3-glom.yaml b/py3-glom.yaml
index 613991535fe..84d15475eae 100644
--- a/py3-glom.yaml
+++ b/py3-glom.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-glom
   version: 23.5.0
-  epoch: 0
+  epoch: 1
   description: "Python's nested data operator (and CLI), for all your declarative restructuring needs. Got data? Glom it!"
   copyright:
     - license: BSD-3-Clause
diff --git a/py3-h11.yaml b/py3-h11.yaml
index 6733f392350..e7b6a87a03a 100644
--- a/py3-h11.yaml
+++ b/py3-h11.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-h11
   version: 0.14.0
-  epoch: 2
+  epoch: 3
   description: A pure-Python, bring-your-own-I/O implementation of HTTP/1.1
   copyright:
     - license: MIT
diff --git a/py3-markdown-it-py.yaml b/py3-markdown-it-py.yaml
index 0e8b5f584bd..8b525015a0e 100644
--- a/py3-markdown-it-py.yaml
+++ b/py3-markdown-it-py.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-markdown-it-py
   version: 3.0.0
-  epoch: 1
+  epoch: 2
   description: "Python port of markdown-it. Markdown parsing, done right!"
   copyright:
     - license: MIT
diff --git a/py3-mdurl.yaml b/py3-mdurl.yaml
index 74aaf2fe94b..c376e0ce626 100644
--- a/py3-mdurl.yaml
+++ b/py3-mdurl.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-mdurl
   version: 0.1.2
-  epoch: 1
+  epoch: 2
   description: "Markdown URL utilities"
   copyright:
     - license: MIT
diff --git a/py3-pygments.yaml b/py3-pygments.yaml
index f21e1dc07fe..f01ae19c0a8 100644
--- a/py3-pygments.yaml
+++ b/py3-pygments.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-pygments
   version: 2.17.2
-  epoch: 0
+  epoch: 1
   description: Syntax highlighting package written in Python
   copyright:
     - license: BSD-2-Clause
@@ -13,6 +13,9 @@ environment:
       - busybox
       - ca-certificates-bundle
       - py3-pip
+  environment:
+    # This is needed to work around the error "ValueError: ZIP does not support timestamps before 1980"
+    SOURCE_DATE_EPOCH: 315532800
 
 pipeline:
   - uses: git-checkout
@@ -23,6 +26,9 @@ pipeline:
 
   - runs: pip install . --prefix=/usr --root=${{targets.destdir}}
 
+  - runs: |
+      sed -i '1s|^#!/usr/bin/python$|#!/usr/bin/python3|' ${{targets.destdir}}/usr/bin/pygmentize
+
 subpackages:
   - name: py3-pygments-doc
     pipeline:
diff --git a/py3-python-lsp-jsonrpc.yaml b/py3-python-lsp-jsonrpc.yaml
index 6a7ce611a14..48f8abdebef 100644
--- a/py3-python-lsp-jsonrpc.yaml
+++ b/py3-python-lsp-jsonrpc.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-python-lsp-jsonrpc
   version: 1.1.2
-  epoch: 1
+  epoch: 2
   description: "JSON RPC 2.0 server library"
   copyright:
     - license: MIT
diff --git a/py3-rdflib.yaml b/py3-rdflib.yaml
index 921de57ba57..f00dce77161 100644
--- a/py3-rdflib.yaml
+++ b/py3-rdflib.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-rdflib
   version: 7.0.0
-  epoch: 0
+  epoch: 1
   description: RDFLib is a Python library for working with RDF, a simple yet powerful language for representing information.
   copyright:
     - license: BSD-3-Clause
diff --git a/py3-uritools.yaml b/py3-uritools.yaml
index 4efaf006c7f..826530ec234 100644
--- a/py3-uritools.yaml
+++ b/py3-uritools.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-uritools
   version: 4.0.2
-  epoch: 0
+  epoch: 1
   description: URI parsing, classification and composition
   copyright:
     - license: MIT
diff --git a/py3-xmltodict.yaml b/py3-xmltodict.yaml
index ff6f9d6298e..e84c6eb8f2c 100644
--- a/py3-xmltodict.yaml
+++ b/py3-xmltodict.yaml
@@ -2,7 +2,7 @@
 package:
   name: py3-xmltodict
   version: 0.13.0
-  epoch: 0
+  epoch: 1
   description: Makes working with XML feel like you are working with JSON
   copyright:
     - license: MIT
diff --git a/ruby3.2-redis.yaml b/ruby3.2-redis.yaml
index 4dd6333ed25..7d12dd18768 100644
--- a/ruby3.2-redis.yaml
+++ b/ruby3.2-redis.yaml
@@ -2,7 +2,7 @@
 package:
   name: ruby3.2-redis
   version: 5.0.8
-  epoch: 0
+  epoch: 1
   description: A Ruby client that tries to match Redis API one-to-one, while still providing an idiomatic interface.
   copyright:
     - license: MIT
diff --git a/shared-mime-info.yaml b/shared-mime-info.yaml
index 07be79aac67..3b58121326b 100644
--- a/shared-mime-info.yaml
+++ b/shared-mime-info.yaml
@@ -1,7 +1,7 @@
 package:
   name: shared-mime-info
   version: "2.4"
-  epoch: 0
+  epoch: 1
   description: Freedesktop.org Shared MIME Info
   copyright:
     - license: GPL-2.0-or-later