And indeed jars are zip files.
Zip has two distinct ways to get a list of all files both of which can be out of sync. This has led to a security issue in https://addons.mozilla.org where it was possible to hide files from reviewers while still having them executed by firefox itself: 1534483 - Ambiguous zip parsing allows hiding add-on files from linter and reviewers
2 Likes
My understanding is that one of the huge differences is that the kernel caches path traversal stuff in Linux but not in Windows, and that's not fixed with DevDrives. (It improves various things, particularly for people without a virus scanner exclusion, but AFAIK even with a DevDrive it'll still be slower in Windows.)
Interesting. I do want to get directory handles into std. Then those could eventually be used in rustc. It'd still incur the cost for leaf entries but not for all the ancestors.
1 Like
Infuriatingly, pkzip is both a defacto industry standard used by a million tools and is also totally crap. Not just the redundant file lists, it's also the ambiguous central directory/unescaped archive comment, directory entries being solely flagged by being empty files ending in /, inconsistent support and usage of \ for /, by default only having MSDOS 2-second mtime precision, with multiple extensions with platform specific values that can and often are all present, and so on and so forth.
It's simply so easy to design, document and implement a minimal for-purpose archive format, that every time I see pkzip used I just feel sad.
Of course, a good, permissively licensed standard format would be better, but the pickings seem rather thin; most are focused on improving compression which makes them a bit too complicated for a straight .zip replacement. I'd love to hear suggestions!
3 Likes