RFR: 8345431: Improve jar --validate to detect duplicate or invalid entries [v9]
Henry Jen
henryjen at openjdk.org
Wed May 21 15:24:56 UTC 2025
On Wed, 21 May 2025 14:00:03 GMT, Lance Andersen <lancea at openjdk.org> wrote:
>>> For the inconsistent order in the LOC and CEN, we can treat it as invalid, I chose not to because that's not a violation, but if we do extend that as specification for JAR file format, then we can change that to invalid and non-zero exit code.
>>
>> For the `jar --validate` operation, it would be useful to not just warn (and thus exit with a non-zero exit code) for issues that violate the ZIP or JAR specification, but also for inconsistencies and uncommon JAR contents that might cause some unexpected behaviour within the platform runtime. This helps with identifying and analyzing such unexpected issues in the JAR (but not strictly violations of any specification) even before that JAR gets used in the platform runtime. This is no different for the duplicate entries in the JAR file, for which we issue warnings even if the ZIP specification explicitly allows it (and the JAR specification doesn't make a mention of it).
>>
>> Based on some experiments we have run, it's not very common for a JAR file to have a different order in CEN as compared to LOC, so I think any JAR file that has a different order between these structures should result in a warning (and thus a non-zero exit code) from the validate operation.
>
>> Point taken. For documentation wise, I don't think it's necessary to specify at this point. For the inconsistent order in the LOC and CEN, we can treat it as invalid, I chose not to because that's not a violation, but if we do extend that as specification for JAR file format, then we can change that to invalid and non-zero exit code.
>
> I am OK to currently specify as non-zero, it is a discussion that can be continued as to what if anything more to do (as Jai mentions)
>
> Any warnings should result in a non-zero for a return code.
OK, I'll update the PR to consider inconsistent order to be invalid even though it won't cause issue but indeed a sign that's not created by the official `jar` tool.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24430#discussion_r2100570620
More information about the core-libs-dev
mailing list