Bug#1078883: diffoscope: FTBFS: failing tests
Chris Lamb
lamby at debian.org
Mon Aug 19 11:37:46 BST 2024
Santiago Vila wrote:
> E zipfile.BadZipFile: Overlapped entries: 'dir/text' (possible zip bomb)
(FAO to help folks joining the thread: this was from a rebuild of
stable, not of unstable. This bug does not affect unstable nor
testing.)
So, this is essentially the same issue as #1068705, which we believe
was caused by a regression in CPython [0] which was, in turn, caused
by an attempt to make the handling of .zip files safer [1].
We worked around this in diffoscope by catching the exception [2].
Then, we added a visible user note that we had done so [3].
I think we have four options:
1. Revert the security-related changes in CPython.
2. Write and apply a patch to CPython to fix the CPython regression.
3. Backport the two patches (or just the second [2]) to stable.
4. Do nothing and accept that diffoscope FTBFS in stable.
(1) is pretty much a no-go, and then I don't think a patch to (2) will
be forthcoming as I lack the confidence to safely write one. And (4)
only works if we think that someone will effect (2) for us, will be
backported by the CPython devs _and_ it will land in bookworm soon. A
tall order.
(3) is thus probably the best plan. The first (or both) of the
linked changes [2][3] could straightforwardly and safely be backported
to stable… if folks think that it is justified. Let me know.
Regards,
— lamby
[0] https://github.com/python/cpython/issues/117779
[1] https://github.com/python/cpython/pull/110016
[2] https://salsa.debian.org/reproducible-builds/diffoscope/commit/9c7e817c79f19e67e56d564b55b728a54a35423b
[3] https://salsa.debian.org/reproducible-builds/diffoscope/-/merge_requests/140/diffs
--
,''`.
: :' : Chris Lamb
`. `'` lamby at debian.org 🍥 chris-lamb.co.uk
`-
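The "Overlapped entries ... (possible zip bomb)" error quoted at the top of the thread comes from the CPython hardening [1]: an entry is rejected when its data would run past the start of the next local file header, which is the shape of a "quoted overlap" zip bomb, and diffoscope's workaround [2] catches that exception rather than crashing. The following is an added example, not code from diffoscope, CPython or the bug report. It hand-builds a minimal STORED archive and an overlapped variant from constructed sample data, re-implements the offset-bound check as I understand the CPython fix to perform it (an assumption about its exact logic, not a copy of it), and shows the exception being caught and turned into a user-visible note; the note's wording is mine, not diffoscope's. Whether `zipfile` actually raises depends on whether the running interpreter contains the fix, which is exactly why the rebuild result differs between releases.

```python
import io
import struct
import zipfile
import zlib

# --- hand-built STORED zip archives (constructed sample data, not from the bug report) ---

def _local_header(name: bytes, data: bytes) -> bytes:
    """Local file header + name + uncompressed (STORED) data."""
    crc = zlib.crc32(data)
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 0, 0, 0, 0,
                       crc, len(data), len(data), len(name), 0) + name + data


def _central_record(name: bytes, data: bytes, header_offset: int) -> bytes:
    """Central-directory record pointing at the local header at header_offset."""
    crc = zlib.crc32(data)
    return struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 0, 0, 0, 0,
                       crc, len(data), len(data), len(name), 0, 0, 0, 0, 0,
                       header_offset) + name


def _eocd(count: int, cd_size: int, cd_offset: int) -> bytes:
    """End-of-central-directory record (no archive comment, no zip64)."""
    return struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, count, count,
                       cd_size, cd_offset, 0)


def build_zip(entries):
    """Well-formed archive: one local header per (name, data) entry."""
    body, records = b"", b""
    for name, data in entries:
        name_b = name.encode("ascii")
        records += _central_record(name_b, data, len(body))
        body += _local_header(name_b, data)
    return body + records + _eocd(len(entries), len(records), len(body))


def build_overlapped_zip(name, data, copies):
    """'Quoted overlap' layout: a single local header that `copies`
    central-directory records all point at, so the archive claims
    `copies` times the data it actually contains."""
    name_b = name.encode("ascii")
    body = _local_header(name_b, data)
    records = _central_record(name_b, data, 0) * copies
    return body + records + _eocd(copies, len(records), len(body))


NORMAL_ZIP = build_zip([("dir/text", b"hello\n"), ("dir/other", b"world\n")])
BOMB_ZIP = build_overlapped_zip("dir/text", b"hello\n", copies=3)


def find_overlapped_entries(zip_bytes):
    """Names of entries whose data runs past the next local header (or the
    central directory). Assumption: this mirrors the end-offset bound that
    the CPython fix checks when an entry is opened."""
    eocd = zip_bytes.rfind(b"PK\x05\x06")
    cd_offset = struct.unpack_from("<I", zip_bytes, eocd + 16)[0]
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = sorted(zf.infolist(), key=lambda i: i.header_offset)
    boundaries = [i.header_offset for i in infos[1:]] + [cd_offset]
    flagged = []
    for info, boundary in zip(infos, boundaries):
        # local header: filename length at +26, extra-field length at +28
        fnlen, extralen = struct.unpack_from("<HH", zip_bytes, info.header_offset + 26)
        data_end = info.header_offset + 30 + fnlen + extralen + info.compress_size
        if data_end > boundary:
            flagged.append(info.filename)
    return flagged


def list_entries_safely(zip_bytes):
    """Read every member the way a comparison tool would. A BadZipFile
    (e.g. "Overlapped entries ... (possible zip bomb)" on a patched
    interpreter) is caught and turned into a user-visible note instead of
    a crash; the wording of the note is ours, not diffoscope's."""
    result = {"entries": [], "note": None}
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                result["entries"].append((info.filename, zf.read(info)))
    except zipfile.BadZipFile as exc:
        result["note"] = f"Archive could not be fully read: {exc}"
    return result


if __name__ == "__main__":
    for label, blob in (("normal", NORMAL_ZIP), ("overlapped", BOMB_ZIP)):
        print(label, find_overlapped_entries(blob), list_entries_safely(blob)["note"])
```

Two things worth noticing when running it. First, the pre-check flags all but the last of the three colliding records, because the per-entry bound is the next record's header offset and the records all share offset 0; a patched `zipfile` likewise reads the first colliding member fine and raises on the second, so a tool that iterates `infolist()` only sees the error part-way through. Second, an interpreter without the fix returns three identical members and no note, which is why the same diffoscope test passes on one Python build and fails on another.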