Three bytes in a zip file

Fay Stegerman flx at obfusk.net
Fri Mar 8 16:21:43 UTC 2024


* Chris Lamb <chris at reproducible-builds.org> [2024-03-08 12:16]:
> Oh this is great work! So, using your tool, did you manage to solve the
> underlying non-determinism? :)
> 
> Based on the output (which labels the field as an 'extra atime' or
> similar), it seems like you've managed to work out which part of your
> toolchain is making the build reproducible — or am I being too
> optimistic?

The original reproducibility issue this thread started with was traced back to
the atime back then, my tool just hopefully makes doing that a bit easier :)

I don't know how the original issue was fixed, but I can, eh, reproduce (and get
rid of) such an atime difference easily:

$ touch foo
$ zip foo.zip foo   # this modifies the atime
$ zip bar.zip foo   # so this sees a different atime
$ diff-zip-meta foo.zip bar.zip
--- foo.zip
+++ bar.zip
entry foo:
  extra (entry):
-   5554090003fb32eb65fb32eb6575780b000104e803000004e8030000
+   5554090003fb32eb650133eb6575780b000104e803000004e8030000
- extra (entry) atime=2024-03-08 15:47:07
+ extra (entry) atime=2024-03-08 15:47:13
$ rm foo.zip bar.zip
$ zip -X foo.zip foo
$ zip -X bar.zip foo
$ diff-zip-meta foo.zip bar.zip
--- foo.zip
+++ bar.zip
$ rm foo.zip bar.zip
$ touch -a --date @0 foo
$ zip foo.zip foo
$ touch -a --date @0 foo
$ zip bar.zip foo
$ diff-zip-meta foo.zip bar.zip
--- foo.zip
+++ bar.zip

> ps. Separate to that, how amenable would you be to working with me getting
>     this extra .ZIP metadata support built directly into diffoscope at
>     some point…?

I haven't had time to work on packaging repro-apk for Debian, or to make an MR
for integrating it w/ diffoscope (or work on diffoscope at all really), but I
did make a quick PoC for the latter (though only for APK files, not regular ZIP
files) a while ago [1], FWIW.

- Fay

[1] https://salsa.debian.org/obfusk/diffoscope/-/commit/50a3830a7d433d968a92f24911dc85846d843bae

> Fay Stegerman wrote:
> > * Larry Doolittle <larry at doolittle.boa.org> [2023-04-06 23:59]:
> >> Do you know of any tooling that can help decode zip file contents in general?
> >
> > I know this thread is almost a year old now, but I finally got to my backlog
> > working on diff-zip-meta.py [1], which is a tool specifically intended to
> > elucidate differences in ZIP/APK metadata.  And as of today, the master branch
> > supports showing the kind of timestamp differences you reported in
> > human-readable form, not just as a difference in the raw data:
> >
> > $ diff-zip-meta foo.zip bar.zip
> > --- foo.zip
> > +++ bar.zip
> > entry foo:
> >   extra (entry):
> > -   55540900035164ea655164ea6575780b000104e803000004e8030000
> > +   55540900035164ea655464ea6575780b000104e803000004e8030000
> > - extra (entry) atime=2024-03-08 01:05:21
> > + extra (entry) atime=2024-03-08 01:05:24
> >
> > - Fay
> >
> > [1] https://github.com/obfusk/reproducible-apk-tools#diff-zip-metapy
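
Added example (not part of the original message, and not code from diff-zip-meta): a small Python decoder for the "extra (entry)" bytes in the first diff above, showing that the differing bytes are the atime in the Info-ZIP extended timestamp record (header ID 0x5455). The function names are hypothetical; the two hex strings are copied from the message.

```python
import struct
from datetime import datetime, timezone

# The two "extra (entry)" hex strings from the first diff in the message.
FOO = bytes.fromhex("5554090003fb32eb65fb32eb6575780b000104e803000004e8030000")
BAR = bytes.fromhex("5554090003fb32eb650133eb6575780b000104e803000004e8030000")

UT = 0x5455  # Info-ZIP extended timestamp record ("UT")


def split_extra(data):
    """Yield (header_id, payload) for each record in a ZIP extra field."""
    pos = 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated record header")
        hid, size = struct.unpack_from("<HH", data, pos)
        payload = data[pos + 4:pos + 4 + size]
        if len(payload) != size:
            raise ValueError(f"truncated record 0x{hid:04x}")
        yield hid, payload
        pos += 4 + size


def timestamps(extra):
    """Decode the first 0x5455 record into {name: UTC datetime}."""
    for hid, payload in split_extra(extra):
        if hid != UT or not payload:
            continue
        out, pos = {}, 1
        # Central-directory copies carry only mtime, hence the length check.
        for bit, name in ((1, "mtime"), (2, "atime"), (4, "ctime")):
            if payload[0] & bit and pos + 4 <= len(payload):
                (secs,) = struct.unpack_from("<i", payload, pos)
                out[name] = datetime.fromtimestamp(secs, timezone.utc)
                pos += 4
        return out
    return {}


def diff_timestamps(a, b):
    """Return {name: (a_value, b_value)} for the timestamps that differ."""
    ta, tb = timestamps(a), timestamps(b)
    return {k: (ta.get(k), tb.get(k))
            for k in sorted(ta.keys() | tb.keys()) if ta.get(k) != tb.get(k)}


if __name__ == "__main__":
    for name, (old, new) in diff_timestamps(FOO, BAR).items():
        print(f"- {name}={old}\n+ {name}={new}")
```

The second record in both strings (header ID 0x7875) is identical, and so is the mtime, which is why only the atime shows up in the diff.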

