when building libscout 2.3.2-3 on current unstable, the result is also unreproducible, but diffoscope crashes when analysing the diff.
Holger Levsen wrote:
when building libscout 2.3.2-3 on current unstable, the result is also unreproducible, but diffoscope crashes when analysing the diff.I think this is somewhat related to:
https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/362
… which was said to be fixed by Fay in cc3b077f6ef97b4e20036e9823926fe633c7d4d0
that released as diffoscope version 263 on 2024-04-05.
However, I can see that the current output of libscout/amd64 on tests.reproducible-builds.org is failing with this very version:
Will loop Fay in via Salsa presently.
On Wed, Apr 10, 2024 at 06:12:21PM +0100, Chris Lamb wrote:
Holger Levsen wrote:
when building libscout 2.3.2-3 on current unstable, the result is also unreproducible, but diffoscope crashes when analysing the diff.I think this is somewhat related to:
https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/362
… which was said to be fixed by Fay in cc3b077f6ef97b4e20036e9823926fe633c7d4d0
that released as diffoscope version 263 on 2024-04-05.
However, I can see that the current output of libscout/amd64 on tests.reproducible-builds.org is failing with this very version:
yes, indeed.
also, this happened before too, I'm sure about at least with diffoscope 260 already.
Will loop Fay in via Salsa presently.
thank you!
* Holger Levsen <holger@layer-acht.org> [2024-04-10 19:43]:[...]
On Wed, Apr 10, 2024 at 06:12:21PM +0100, Chris Lamb wrote:
Holger Levsen wrote:
when building libscout 2.3.2-3 on current unstable, the result is also unreproducible, but diffoscope crashes when analysing the diff.I think this is somewhat related to:
https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/362 … which was said to be fixed by Fay in cc3b077f6ef97b4e20036e9823926fe633c7d4d0
that released as diffoscope version 263 on 2024-04-05.
However, I can see that the current output of libscout/amd64 on tests.reproducible-builds.org is failing with this very version:
yes, indeed.
also, this happened before too, I'm sure about at least with diffoscope 260 already.
Will loop Fay in via Salsa presently.
thank you!
Salsa is probably better for figuring out what to do next, but I get these mails
too :)
The libscout.jar has duplicate ZIP entries in the central directory, pointing to
the same actual entry in the ZIP. So the "overlapped entries" error is entirely
correct, even if it's not a zip bomb.
>>> import zipfile
>>> zf = zipfile.ZipFile("libscout.jar")
>>> fh = zf.open("javax/annotation/CheckForNull.class")
zipfile.BadZipFile: Overlapped entries: 'javax/annotation/CheckForNull.class' (possible zip bomb)
Salsa is probably better for figuring out what to do next, but I get
these mails too :)
unzip does seem to extract all the files, though it errors out. Not sure what
diffoscope should do here. This is definitely a broken ZIP file.
Salsa is probably better for figuring out what to do next, but I get these mails
too :)
The libscout.jar has duplicate ZIP entries in the central directory, pointing to
the same actual entry in the ZIP. So the "overlapped entries" error is entirely
correct, even if it's not a zip bomb.
unzip does seem to extract all the files, though it errors out. Not sure what
diffoscope should do here. This is definitely a broken ZIP file. That bug should probably be reported against libscout or whatever tooling it used to create that JAR.
unzip does seem to extract all the files, though it errors out. Not sure what
diffoscope should do here. This is definitely a broken ZIP file. That bug should probably be reported against libscout or whatever tooling it used to create that JAR.
I agree it's more complicated, but fundamentally, diffoscope should *not* crash
here! (but rather report the broken zip file.)
* Holger Levsen <holger@layer-acht.org> [2024-04-11 02:14]:
unzip does seem to extract all the files, though it errors out. Not sure what
diffoscope should do here. This is definitely a broken ZIP file. That bug
should probably be reported against libscout or whatever tooling it used to
create that JAR.
I agree it's more complicated, but fundamentally, diffoscope should *not* crash
here! (but rather report the broken zip file.)
I think we all agree it shouldn't crash :)
What I meant is that I'm not sure it should simply catch the error, report the
file as broken, and not attempt extraction, or if it makes sense to attempt to
work around this issue, at least in cases like this specific one where the entries are exact duplicates and the files can presumably be safely extracted.
I think my workaround (which could be implemented slightly differently as well,
without modifying the ZipFile, but processing it differently in diffoscope) would accomplish that for this JAR at least. I could make an MR for that. Though as I said I will also report this upstream to cpython, probably tomorrow.
- Fay
The attached patch avoids the crash in this case, FWIW. […]
I would still recommend catching the error for other cases.
Applied in Git with attribution taken from your email.[...]
Fixed as well. And it adds a nice comment displaying the issue.
On Thu, Apr 11, 2024 at 11:28:19AM +0100, Chris Lamb wrote:
[...]
Applied in Git with attribution taken from your email.[...]
Fixed as well. And it adds a nice comment displaying the issue.
awesome, thank you both!
https://salsa.debian.org/reproducible-builds/diffoscope/-/merge_requests/140
unzip does seem to extract all the files, though it errors out. Not sure what
diffoscope should do here. This is definitely a broken ZIP file. That bug should probably be reported against libscout or whatever tooling it used to create that JAR.
I've got two remaining questions about libscout (and diffoscope)
On Thu, Apr 11, 2024 at 01:48:18AM +0200, Fay Stegerman wrote:
unzip does seem to extract all the files, though it errors out. Not sure what
diffoscope should do here. This is definitely a broken ZIP file. That bug should probably be reported against libscout or whatever tooling it used to create that JAR.
you filed https://github.com/python/cpython/issues/117779
(thanks again!), am I correct to assume that thus there's no need
to file a seperate bug against libscout?
and 2nd, https://tests.reproducible-builds.org/debian/rb-pkg/unstable/arm64/diffoscope-results/libscout.html
now as expected displays:
'./usr/share/java/libscout.jar' has 35 duplicate entries './usr/share/java/libscout.jar' has 35 duplicate entries
(which is nice, though maybe could only been shown once?)
but https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/arm64/diffoscope-results/libscout.html[...]
shows this:
Command `'zipdetails --redact --scan --utc {}'` failed with exit code 255. Standard output:
though this later is done using diffoscope from unstable while the
rest of the userland is bullseye, so this might be expected as well?
(thanks again!), am I correct to assume that thus there's no needIt's generating a broken ZIP file with duplicate entries. It really shouldn't
to file a seperate bug against libscout?
be doing that, regardless of whether we can extract the files nonetheless. That's still a bug that should be reported and fixed.
(which is nice, though maybe could only been shown once?)Ah. It correctly shows that twice as there could be differences between the two
files being compared wrt whether they have duplicate entries (and if so how many).
And if you run 'diffoscope foo.zip bar.zip' it'll show those two different file
names. But in this case we have nested archives and the path (and in this case
also the number of duplicate entries) is identical for both, so maybe we can tweak the output to show which top-level file it belongs to?
though this later is done using diffoscope from unstable while theAh. Looks like zipdetails(1) on bullseye doesn't support the --redact, --scan,
rest of the userland is bullseye, so this might be expected as well?
and --utc options yet.
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 300 |
Nodes: | 16 (2 / 14) |
Uptime: | 05:15:47 |
Calls: | 6,706 |
Files: | 12,236 |
Messages: | 5,350,492 |