| > and it would be rather absurd for any Python-based installer to use anything else to do the decompression. You'd reasonably think, but it's difficult to assert this: a lot of people use third-party tooling (uv, but also a lot of hand-rolled stuff), and Python packages aren't always processed in a straight-line-from-the-index manner. (I think a good reference example of this is security scanners: a scanner might fetch a wheel ZIP and analyze it, and use whatever ZIP implementation it pleases.) It's also worth noting that one of the differentials here concerns the Central Directory, but the other one is more pernicious: the ZIP APPNOTE[1] isn't really clear about how implementations should key from to EOCDR back to the local file entries, and implementations have (reasonably, IMO) interpreted the language differently. Python's zipfile chooses to do it in one way that I think is justifiable, but it's a "true" differential in the sense that there's no golden answer. > (Or maybe there isn't a clear rule for what counts as a "bomb", and PyPI has to choose a threshold value?) Yes, it's this. There are legitimate uses for high-ratio archives (e.g. compressed OS images), but Python package distributions are (generally) not one of them. PyPI has its own compression ratio that's intended to be a sweet spot between "that was compressed really well" and "someone is trying to ZIP-bomb the index." [1]: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT |
I mean, for people (like myself) explicitly attempting to implement alternatives to pip. And to my understanding, pip itself does use `zipfile` as well.
Are you proposing that there are people out there making package installers for personal use?
> and Python packages aren't always processed in a straight-line-from-the-index manner.
I don't know what you have in mind here.