zipapp disregards filter when checking if target overwrites source #132933

Open
Jolmberg opened this issue Apr 25, 2025 · 6 comments
Labels
3.13 (bugs and security fixes)
3.14 (new features, bugs and security fixes)
stdlib (Python modules in the Lib dir)
type-bug (An unexpected behavior, bug, or error)

Comments

@Jolmberg

Jolmberg commented Apr 25, 2025

Bug report

Bug description:

A check was recently added (#130509) to ensure that the target of a zipapp.create_archive() call does not overwrite any of its source files. However, this check does not consider the filter parameter of create_archive and this results in false positives.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Linked PRs

@Jolmberg Jolmberg added the type-bug An unexpected behavior, bug, or error label Apr 25, 2025
@picnixz picnixz added the stdlib Python modules in the Lib dir label Apr 25, 2025
Jolmberg pushed a commit to Jolmberg/cpython that referenced this issue Apr 25, 2025
@picnixz
Member

picnixz commented Apr 25, 2025

A check was recently added to ensure that the target of a zipapp.create_archive() call does not overwrite

Can you bisect the commit or give a reference for prosperity? TiA.

@Jolmberg
Author

@picnixz Right, it was added in this commit:

64ccbbb gh-130379: Fix incorrect zipapp logic to avoid including the target in itself (gh-130509)

Should I amend the commit to mention it in the message?
Also, I'm not sure if a news entry is warranted for this little fix. Thoughts?

@picnixz
Member

picnixz commented Apr 25, 2025

cc @pfmoore

@picnixz
Member

picnixz commented Apr 25, 2025

Should I amend the commit to mention it in the message?

No. When the fix is merged there'll be a reference to this issue, and if the one who merges your PR decides so, they may also include the bad commit.

Also, I'm not sure if a news entry is warranted for this little fix. Thoughts?

Yes, because it was backported to 3.13. No, because it's a fix of a fix that hasn't been in a stable release yet, only in alphas. So people will get confused if there is one entry saying "we fixed this" and another saying "we fixed the fix", I think (the changelog is essentially for "what's different between 3.14 and 3.13", not between 3.14.0a7 and 3.14.0a*).

@picnixz picnixz added 3.13 bugs and security fixes 3.14 new features, bugs and security fixes labels Apr 25, 2025
@pfmoore
Member

pfmoore commented Apr 25, 2025

I've added a review to the PR. If the comments I've made there can be addressed, I'm willing to consider adding this. But please be clear - this does not mean that putting the target in the source directory is safe, or recommended.

To repeat what I said on the PR for reference, the real answer here is that you shouldn't be putting the generated zipapp in the directory containing the source files for the zipapp. That's not good practice, and it's perfectly possible to end up with a corrupt zipapp by doing so. If you insist on doing this, then rather than adding a filter, you can delete the zipapp before recreating it. That will avoid the "false positive" error, as well as being safer in general.

Remember - the source directory is what your app will be built from. You should be carefully controlling the content of that directory. Putting arbitrary build files in there, even if you add filters to strip them out, is not safe practice for maintaining your source code.
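As an added illustration (not code from this issue or the linked PR), here is a small helper that applies the same filter semantics as zipapp.create_archive() when deciding whether a target would be packed into itself, alongside the recommended practice of building the archive outside the source tree. The function names and the constructed sample layout are assumptions.

```python
import pathlib
import tempfile
import zipapp
import zipfile


def target_overwrites_source(source, target, filter=None):
    """True if `target` is a file that create_archive() would pack from `source`.

    Mirrors zipapp's filter contract: `filter` receives the path relative to
    `source` and returns True to include it. A target the filter excludes is
    therefore not a conflict (the false positive described in this issue).
    """
    source = pathlib.Path(source).resolve()
    target = pathlib.Path(target).resolve()
    if not target.is_file() or source not in target.parents:
        return False
    return filter is None or bool(filter(target.relative_to(source)))


def build_zipapp(source, target, filter=None):
    """Build `target` from `source`, refusing to pack a source file into itself."""
    if target_overwrites_source(source, target, filter):
        raise ValueError(f"{target} would be packed into itself")
    zipapp.create_archive(source, target, filter=filter)
    return target


def demo():
    """Constructed layout: a source tree with __main__.py and a stale app.pyz."""
    with tempfile.TemporaryDirectory() as tmp:
        src = pathlib.Path(tmp) / "src"
        src.mkdir()
        (src / "__main__.py").write_text("print('hello')\n")
        stale = src / "app.pyz"          # leftover build output inside source
        stale.write_bytes(b"stale")
        skip_pyz = lambda rel: rel.suffix != ".pyz"   # assumed filter
        results = {
            # Without the filter the stale file really would be packed.
            "raw_conflict": target_overwrites_source(src, stale),
            # With the filter it is excluded, so no conflict is reported.
            "filtered_conflict": target_overwrites_source(src, stale, skip_pyz),
        }
        # Safer choice, as advised above: build outside the source tree.
        out = build_zipapp(src, pathlib.Path(tmp) / "app.pyz", skip_pyz)
        with zipfile.ZipFile(out) as zf:
            results["names"] = sorted(zf.namelist())
        return results
```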

Jolmberg pushed a commit to Jolmberg/cpython that referenced this issue Apr 25, 2025
Jolmberg pushed a commit to Jolmberg/cpython that referenced this issue Apr 26, 2025
Jolmberg pushed a commit to Jolmberg/cpython that referenced this issue Apr 26, 2025