
Related, my two favourite ZIP parser issues:

https://bugzilla.mozilla.org/show_bug.cgi?id=1534483 "Ambiguous zip parsing allows hiding add-on files from linter and reviewers"

https://issues.chromium.org/issues/40082940 "Security: Crazy Linker on Android allows modification of Chrome APK without breaking signature"

The big problem with the ZIP format is that although the "spec" says what a ZIP file looks like, it does not tell you in concrete terms how to parse it, leading to all sorts of ambiguities and divergent implementations. Someone needs to write a "strict ZIP" spec that has explicit and well-defined parsing rules, and then we need to get every existing ZIP implementation to agree to follow said spec.
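
A defender-side check for the ambiguity this comment describes, as an added example that is not part of the thread: it compares the file list a central-directory parser sees with the list a local-header scanner sees and reports any difference. The function names are hypothetical and the two sample archives are constructed inline; the local-header scan is a heuristic.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # local file header signature

def central_directory_names(data: bytes) -> set:
    """Entry names seen by a parser that starts from the end-of-central-directory record."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return set(zf.namelist())

def local_header_names(data: bytes) -> set:
    """Entry names seen by a parser that scans for local file headers from byte 0.
    Heuristic: the signature can also occur inside stored data (e.g. a nested ZIP)."""
    names = set()
    pos = data.find(LOCAL_SIG)
    while pos != -1 and pos + 30 <= len(data):
        # Fixed header is 30 bytes; the file name length is the u16 at offset 26.
        (name_len,) = struct.unpack_from("<H", data, pos + 26)
        names.add(data[pos + 30 : pos + 30 + name_len].decode("utf-8", "replace"))
        pos = data.find(LOCAL_SIG, pos + 4)
    return names

def divergence(data: bytes) -> tuple:
    """Return (names only in local headers, names only in the central directory)."""
    local, central = local_header_names(data), central_directory_names(data)
    return local - central, central - local

def make_zip(files: dict) -> bytes:
    """Build a small stored (uncompressed) ZIP with a fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=(2020, 1, 1, 0, 0, 0)), body)
    return buf.getvalue()

# Constructed samples: a plain archive, and two archives concatenated so that
# the two parsing strategies see different file lists.
PLAIN = make_zip({"manifest.json": b"{}"})
AMBIGUOUS = make_zip({"extra.js": b"// sample"}) + make_zip({"manifest.json": b"{}"})

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("ambiguous", AMBIGUOUS)):
        print(label, divergence(blob))
```

A non-empty result is a reason to reject or quarantine the upload rather than proof of tampering, since nested archives stored uncompressed also trip the scan.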



Or: better yet, just use an archive format for archival and a compression layer for compression. Don't use zip at all.


What non-compressing archive format would you suggest? tar doesn't support random access which is a non-starter for many use cases.


DAR (Disk ARchiver)[1] looks to be a good alternative. It supports random access, encryption, and individual file compression within the archive.

[1] http://dar.linux.free.fr/


That seems counter to GP's suggestion of doing compression at a separate layer


Not really. There's no "dar compression" format. It calls different compression tools just like tar.


You could say the same about ZIP (it uses deflate by default but optionally supports things like zstd)



