* Fay Stegerman <f...@obfusk.net> [2024-04-11 01:48]:
> * Holger Levsen <hol...@layer-acht.org> [2024-04-10 19:43]:
> > On Wed, Apr 10, 2024 at 06:12:21PM +0100, Chris Lamb wrote:
> > > Holger Levsen wrote:
> > >
> > > > when building libscout 2.3.2-3 on current unstable, the result is also
> > > > unreproducible, but diffoscope crashes when analysing the diff.
> > > I think this is somewhat related to:
> > > https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/362
> > > … which was said to be fixed by Fay in
> > > cc3b077f6ef97b4e20036e9823926fe633c7d4d0
> > > that released as diffoscope version 263 on 2024-04-05.
> > > However, I can see that the current output of libscout/amd64 on
> > > tests.reproducible-builds.org is failing with this very version:
> >
> > yes, indeed.
> >
> > also, this happened before too, I'm sure about at least with diffoscope 260
> > already.
> >
> > > Will loop Fay in via Salsa presently.
> >
> > thank you!
>
> Salsa is probably better for figuring out what to do next, but I get these
> mails too :)
>
> The libscout.jar has duplicate ZIP entries in the central directory, pointing
> to the same actual entry in the ZIP. So the "overlapped entries" error is
> entirely correct, even if it's not a zip bomb.
>
> >>> import zipfile
> >>> zf = zipfile.ZipFile("libscout.jar")
> >>> fh = zf.open("javax/annotation/CheckForNull.class")
> zipfile.BadZipFile: Overlapped entries: 'javax/annotation/CheckForNull.class' (possible zip bomb)

[...]

I do have a workaround of sorts for this specific case of duplicate entries.
I'll open a cpython issue to report it to upstream. Though they may not
consider this a bug, possibly even the correct behaviour. Not sure myself
tbh :)

>>> for info in reversed(zf.infolist()):
...     zf.NameToInfo[info.filename] = info
>>> fh = zf.open("javax/annotation/CheckForNull.class")   # works now

- Fay
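
An added example, not code from this thread or from diffoscope: a check that lists names with more than one central directory record and reports whether those records share one local entry, which is the condition described above for libscout.jar. The sample archive is constructed in memory; `make_sample` and `duplicate_entries` are hypothetical names, and the sample relies on CPython's internal `filelist` attribute to write the duplicate record.

```python
import io
import zipfile
from collections import defaultdict

NAME = "javax/annotation/CheckForNull.class"  # entry name taken from the thread


def make_sample() -> io.BytesIO:
    """Constructed archive: NAME is listed twice in the central directory,
    with both records pointing at the same local entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(NAME, b"constructed sample bytes")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        # Assumption: CPython writes one central directory record per item
        # in the internal `filelist`, so repeating an item duplicates it.
        zf.filelist.append(zf.filelist[0])
    buf.seek(0)
    return buf


def duplicate_entries(archive) -> dict:
    """Map each name that has more than one central directory record to
    (header offsets, True if all records share one local entry)."""
    offsets = defaultdict(list)
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():  # one ZipInfo per central directory record
            offsets[info.filename].append(info.header_offset)
    return {
        name: (offs, len(set(offs)) == 1)
        for name, offs in offsets.items()
        if len(offs) > 1
    }


if __name__ == "__main__":
    for name, (offs, shared) in duplicate_entries(make_sample()).items():
        kind = "same local entry" if shared else "different local entries"
        print(f"{name}: {len(offs)} records at offsets {offs} ({kind})")
```

The check only reads the central directory, so it gives the same answer whether or not the installed Python raises `BadZipFile` on `open()` for such an archive.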