[New-bugs-announce] [issue43547] support ZIP files with zeroed out fields (e.g. for reproducible builds)
Hans-Christoph Steiner
report at bugs.python.org
Thu Mar 18 17:25:38 EDT 2021
New submission from Hans-Christoph Steiner <hans at eds.org>:
It is now standard for Java JARs and Android APKs (both ZIP files) to zero out lots of the fields in the ZIP header. For example:
* each file entry has the date set to zero
* the create_system is always set to zero on all platforms
zipfile currently cannot create such ZIPs because of two small restrictions that it introduced:
* must use a tuple of 6 values to set the date
* forced create_system value based on sys.platform == 'win32'
* maybe other fields?
I lump these together because it might make sense to handle this with a single argument, something like zero_header=True. The use case is for working with ZIP, JAR, APK, AAR files for reproducible builds. The whole build system for F-Droid is built in Python. We need to be able to copy the JAR/APK signatures in order to reproduce signed builds using only the source code and the signature files themselves. Right now, that's not possible because building a ZIP with Python's zipfile cannot zero out the ZIP header like other tools can, including Java.
----------
components: IO, Library (Lib)
messages: 389040
nosy: eighthave
priority: normal
severity: normal
status: open
title: support ZIP files with zeroed out fields (e.g. for reproducible builds)
versions: Python 3.10, Python 3.6, Python 3.7, Python 3.8, Python 3.9
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue43547>
_______________________________________
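A check that a reproducible-build pipeline could run on its output, given as an added example that is not part of the original report or of zipfile itself: it reads each entry's central-directory fields and flags any whose timestamp or create_system is not zero. The two sample archives are hand-packed with struct and are constructed for illustration; make_zip and audit_headers are hypothetical names.

```python
import io
import struct
import zipfile
import zlib

# zipfile decodes a DOS date of 0 and a DOS time of 0 to this tuple.
ZEROED_DATE_TIME = (1980, 0, 0, 0, 0, 0)


def make_zip(name, data, dos_time, dos_date, create_system):
    """Hand-pack a one-entry, stored (uncompressed) ZIP as sample input."""
    fname = name.encode("ascii")
    crc = zlib.crc32(data)
    # Local file header: version, flags, method, time, date, crc, sizes, lengths.
    local = struct.pack("<4s5H3L2H", b"PK\x03\x04", 20, 0, 0, dos_time,
                        dos_date, crc, len(data), len(data), len(fname), 0)
    # Central directory header: the second byte after the signature is create_system.
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, create_system,
                          20, 0, 0, 0, dos_time, dos_date, crc, len(data),
                          len(data), len(fname), 0, 0, 0, 0, 0, 0)
    body = local + fname + data
    cd = central + fname
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(cd), len(body), 0)
    return body + cd + eocd


def audit_headers(zip_bytes):
    """Return {filename: [findings]} for entries with host-dependent fields."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            issues = []
            if info.date_time != ZEROED_DATE_TIME:
                issues.append("date_time=%r" % (info.date_time,))
            if info.create_system != 0:
                issues.append("create_system=%d" % info.create_system)
            if issues:
                findings[info.filename] = issues
    return findings


# Constructed samples: one with zeroed fields, one stamped 2021-03-18 17:25:38
# with create_system=3 (the value zipfile assigns when not on win32).
ZEROED = make_zip("classes.dex", b"sample", 0, 0, 0)
STAMPED = make_zip("classes.dex", b"sample", (17 << 11) | (25 << 5) | 19,
                   (41 << 9) | (3 << 5) | 18, 3)

if __name__ == "__main__":
    print(audit_headers(ZEROED))
    print(audit_headers(STAMPED))
```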