diffoscope 256 released 💠

Chris Lamb chris at reproducible-builds.org
Fri Feb 9 20:29:52 UTC 2024


The diffoscope maintainers are pleased to announce the release of
version 256 of diffoscope.

diffoscope tries to get to the bottom of what makes files or
directories different. It will recursively unpack archives of many
kinds and transform various binary formats into more human-readable
form to compare them. It can compare two tarballs, ISO images, or PDF
just as easily.

Version 256 includes the following changes:

  * Use a deterministic name when extracting content from GPG artifacts instead
    of trusting the value of gpg's --use-embedded-filename. This prevents a
    potential information disclosure vulnerability that could have been
    exploited by providing a specially-crafted GPG file with an embedded
    filename of, say, "../../.ssh/id_rsa". Many thanks to Daniel Kahn Gillmor
    <dkg at debian.org> for reporting this issue and providing feedback.
    (Closes: reproducible-builds/diffoscope#361)
  * Temporarily fix support for Python 3.11.8 re. a potential regression
    with the handling of ZIP files. (See reproducible-builds/diffoscope#362)

## Download

Version 256 is available from Debian unstable as well as PyPI, and
will shortly be available on other platforms as well. More details can
be found here:


… but source tarballs may be located here:


The corresponding Docker image may be run via (for example):

  $ docker run --rm -t -w $(pwd) -v $(pwd):$(pwd):ro \
      registry.salsa.debian.org/reproducible-builds/diffoscope a b

## Contribute

diffoscope is developed within the "Reproducible builds" effort.

  - Git repository

  - Docker image, eg.

  - Issues and feature requests

  - Contribution instructions (eg. to file an issue)


    ⬋   ⬊      Chris Lamb
   o     o     reproducible-builds.org 💠
    ⬊   ⬋
