python · ambv · Apr 8, 2025 · Apr 8, 2025 · Apr 8, 2025
diff --git a/sbom.py b/sbom.py
@@ -608,12 +608,12 @@
     # Now we walk the tarball and compare known files to our expected checksums in the SBOM.
     # All files that aren't already in the SBOM can be added as "CPython" files.
     for member in tarball.getmembers():
-        if member.isdir():  # Skip directories!
+        if member.isdir() or not member.isfile():  # Skip directories and symlinks!
             continue
 
         # Get the member from the tarball. CPython prefixes all of its
         # source code with 'Python-{version}/...'.
-        assert member.isfile() and member.name.startswith(f"Python-{cpython_version}/")
+        assert member.name.startswith(f"Python-{cpython_version}/")
 
         # Calculate the hashes, either for comparison with a known value
         # or to embed in the SBOM as a new file. SHA1 is only used because