21 Feb 2011, 11:37 a.m.
On Mon, Feb 21, 2011 at 11:08:05AM +0100, Dieter Plaetinck wrote:
> What's the reasoning behind no longer showing all files in the "source package"? I found this feature quite useful.
There were several vulnerabilities with the automatic tarball extraction. Think of "tarball bombs" (as in "ZIP bombs"). Think of what happens when a source tarball that contains a symlink to "/etc/passwd" is uploaded (and the web server isn't chrooted). Just to give two simple samples. Moreover, I've heard of some encoding issues with users just copy-pasting files from the AUR frontend. Generally, everyone should download and use the tarballs to build packages. The PKGBUILD preview is retained due to several requests.
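A defensive check of the kind the reply motivates, as an added example that is not part of this thread or of the AUR code: it reads only the headers of an uploaded source tarball and refuses to auto-extract it if any member is a symlink or hard link, escapes the extraction directory, or if the declared member sizes exceed a size budget. The 1 MiB budget and the sample tarballs are constructed for illustration.

```python
import io
import os
import tarfile

MAX_TOTAL_BYTES = 1 * 1024 * 1024  # assumed per-upload budget, not an AUR value


def audit_source_tarball(data: bytes, max_total: int = MAX_TOTAL_BYTES) -> list:
    """Return the reasons this tarball must not be auto-extracted ([] means OK).

    Only tar headers are examined: member type, name, link target and declared
    size. Nothing is written to disk, so a hostile archive cannot do damage
    before the decision is made.
    """
    problems = []
    total = 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            parts = m.name.split("/")
            if os.path.isabs(m.name) or ".." in parts:
                problems.append(f"{m.name}: escapes the extraction directory")
            if m.issym() or m.islnk():
                # A symlink to /etc/passwd would be served back by a non-chrooted frontend.
                problems.append(f"{m.name}: link to {m.linkname}")
            elif not (m.isfile() or m.isdir()):
                problems.append(f"{m.name}: special file (device/fifo)")
            total += m.size  # declared size, known before any content is read
            if total > max_total:
                problems.append(f"{m.name}: declared total {total} exceeds {max_total} bytes")
                break  # tarball bomb: stop before decompressing the rest
    return problems


def make_tarball(entries) -> bytes:
    """Build a gzip tarball in memory from (name, kind, payload_or_linkname) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            else:  # "symlink"
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


# Constructed samples: a normal upload, a symlink upload, a path-traversal name, and a bomb.
GOOD_TARBALL = make_tarball([("foo/PKGBUILD", "file", b"pkgname=foo\npkgver=1\n")])
SYMLINK_TARBALL = make_tarball([("foo/PKGBUILD", "symlink", "/etc/passwd")])
TRAVERSAL_TARBALL = make_tarball([("../../etc/cron.d/foo", "file", b"* * * * * root true\n")])
BOMB_TARBALL = make_tarball([("foo/big", "file", b"\0" * (2 * 1024 * 1024))])
```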