* Fay Stegerman <f...@obfusk.net> [2024-04-11 01:48]:
> * Holger Levsen <hol...@layer-acht.org> [2024-04-10 19:43]:
> > On Wed, Apr 10, 2024 at 06:12:21PM +0100, Chris Lamb wrote:
> > > Holger Levsen wrote:
> > > 
> > > > when building libscout 2.3.2-3 on current unstable, the result is also 
> > > > unreproducible, but diffoscope crashes when analysing the diff.
> > > I think this is somewhat related to:
> > >   https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/362
> > > … which was said to be fixed by Fay in 
> > > cc3b077f6ef97b4e20036e9823926fe633c7d4d0
> > > that released as diffoscope version 263 on 2024-04-05.
> > > However, I can see that the current output of libscout/amd64 on
> > > tests.reproducible-builds.org is failing with this very version:
> > 
> > yes, indeed.
> > 
> > also, this happened before too, I'm sure about at least with diffoscope 260 
> > already.
> >  
> > > Will loop Fay in via Salsa presently.
> > 
> > thank you!
> 
> Salsa is probably better for figuring out what to do next, but I get these mails
> too :)
> 
> The libscout.jar has duplicate ZIP entries in the central directory, pointing to
> the same actual entry in the ZIP.  So the "overlapped entries" error is entirely
> correct, even if it's not a zip bomb.
> 
>   >>> import zipfile
>   >>> zf = zipfile.ZipFile("libscout.jar")
>   >>> fh = zf.open("javax/annotation/CheckForNull.class")
>   zipfile.BadZipFile: Overlapped entries: 'javax/annotation/CheckForNull.class' (possible zip bomb)
[...]

I do have a workaround of sorts for this specific case of duplicate entries.
I'll open a cpython issue to report it to upstream.  Though they may not
consider this a bug, possibly even the correct behaviour.  Not sure myself tbh :)

  >>> for info in reversed(zf.infolist()):
  ...   zf.NameToInfo[info.filename] = info
  >>> fh = zf.open("javax/annotation/CheckForNull.class") # works now

- Fay
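
An added example, not part of the original thread or of diffoscope: a check that reports central-directory records sharing one local header offset, the layout described above, before any entry is opened. The helper names `shared_local_headers` and `make_sample_jar` are hypothetical, and the sample archive is constructed in memory by listing one central-directory record twice.

```python
import io
import struct
import zipfile
from collections import defaultdict

EOCD_FORMAT = "<4s4H2LH"   # end-of-central-directory record, 22 bytes without comment

def shared_local_headers(zf):
    """Map local header offset -> filenames, for offsets referenced by more
    than one central-directory record (the layout described in the thread)."""
    by_offset = defaultdict(list)
    for info in zf.infolist():   # infolist() keeps every record, duplicates included
        by_offset[info.header_offset].append(info.filename)
    return {off: names for off, names in by_offset.items() if len(names) > 1}

def make_sample_jar():
    """Constructed sample: a one-entry archive whose central-directory record
    is then listed twice, so both records point at the same local header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("javax/annotation/CheckForNull.class", b"constructed bytes")
    data = buf.getvalue()
    eocd_pos = data.rfind(b"PK\x05\x06")          # locate the EOCD signature
    sig, disk, cd_disk, n_disk, n_total, cd_size, cd_off, clen = struct.unpack(
        EOCD_FORMAT, data[eocd_pos:eocd_pos + 22])
    cd = data[cd_off:cd_off + cd_size]            # the single central-directory record
    # Rewrite the EOCD so it declares two records and twice the directory size.
    eocd = struct.pack(EOCD_FORMAT, sig, disk, cd_disk, n_disk + 1, n_total + 1,
                       cd_size * 2, cd_off, clen)
    return data[:cd_off] + cd + cd + eocd

if __name__ == "__main__":
    with zipfile.ZipFile(io.BytesIO(make_sample_jar())) as zf:
        for offset, names in shared_local_headers(zf).items():
            print(f"offset {offset}: listed {len(names)} times as {names}")
```

The check reads only `infolist()`, so it does not depend on whether the installed Python raises `BadZipFile` when such an entry is opened.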
