On Mon, 21 Feb 2011 11:37:18 +0100 Lukas Fleischer <archlinux@cryptocrack.de> wrote:
> On Mon, Feb 21, 2011 at 11:08:05AM +0100, Dieter Plaetinck wrote:
> > what's the reasoning behind no longer showing all files in the "source package"? I found this feature quite useful.
>
> There were several vulnerabilities with the automatic tarball extraction. Think of "tarball bombs" (as in "ZIP bombs"). Think of what happens when a source tarball that contains a symlink to "/etc/passwd" is uploaded (and the web server isn't chrooted). Just to give two simple samples.

Hmm.. would it be that much work to make the AUR code/installation more secure, rather than just dropping the functionality? just asking...

> Moreover, I've heard of some encoding issues with users just copy-pasting files from the AUR frontend.

this is kind of vague. "encoding issues"... issues at AUR side or client side? if the former, that would be a bug that could get fixed.

> Generally, everyone should download and use the tarballs to build packages.

Yes, but I'm not talking about building packages, I'm talking about getting a quick idea of what the package contains and how it gets built/installed. for that, the "files" previous was very useful.

Dieter
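The two failure modes Lukas names in the thread above, a symlink inside the uploaded tarball pointing at /etc/passwd and a "tarball bomb", can both be caught by inspecting the tar index before anything is written to disk. The following is an added example, not AUR's code and not written by anyone in this thread: it walks the entries of a gzip-compressed tarball, refuses link entries and paths that escape the extraction root, and bounds the number of entries and the uncompressed size. The limits, the function names and the constructed sample tarballs are assumptions made for the example.

```python
import io
import os
import tarfile

# Limits are assumptions for this example, not AUR's real settings.
MAX_MEMBERS = 50
MAX_TOTAL_BYTES = 1 * 1024 * 1024  # 1 MiB of uncompressed content


def check_member(member, total_so_far):
    """Return None if the entry is acceptable, otherwise a reason string."""
    name = member.name
    norm = os.path.normpath(name)
    # Absolute paths and anything that climbs above the extraction root
    # (e.g. "pkg/../../etc/passwd" normalises to "../etc/passwd") are refused.
    if os.path.isabs(name) or norm == ".." or norm.startswith("../"):
        return "path escapes extraction root: %r" % name
    # A symlink or hardlink can point anywhere on the server, /etc/passwd
    # included; a source package has no need for them, so refuse them outright.
    if member.issym() or member.islnk():
        return "link entry not allowed: %r -> %r" % (name, member.linkname)
    # Only regular files and directories are expected in a source package.
    if not (member.isfile() or member.isdir()):
        return "unsupported entry type for %r" % name
    # Tarball-bomb defence: the uncompressed size is bounded before any
    # extraction happens, using the size recorded in the tar header.
    if total_so_far + member.size > MAX_TOTAL_BYTES:
        return "uncompressed size limit exceeded at %r" % name
    return None


def validate_tarball(data):
    """Validate a gzip-compressed tarball given as bytes.

    Returns (ok, problems, accepted_names). Nothing is written to disk;
    only the tar index is read.
    """
    problems = []
    accepted = []
    total = 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for count, member in enumerate(tar, start=1):
            if count > MAX_MEMBERS:
                problems.append("too many entries")
                break
            reason = check_member(member, total)
            if reason:
                problems.append(reason)
                continue
            total += member.size
            accepted.append(member.name)
    return (not problems, problems, accepted)


def build_tarball(entries):
    """Build a constructed gzip tarball for testing.

    entries: list of (name, kind, payload) where kind is "file" (payload is
    the content) or "symlink" (payload is the link target).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                body = payload.encode() if isinstance(payload, str) else payload
                info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


# Constructed sample uploads: one clean, one with a symlink to /etc/passwd and
# a path-traversal entry, one oversized "bomb".
CLEAN_UPLOAD = build_tarball([
    ("pkg/PKGBUILD", "file", "pkgname=foo\n"),
    ("pkg/foo.install", "file", "post_install() { :; }\n"),
])
HOSTILE_UPLOAD = build_tarball([
    ("pkg/PKGBUILD", "file", "pkgname=foo\n"),
    ("pkg/passwd", "symlink", "/etc/passwd"),
    ("../../escape", "file", "x"),
])
BOMB_UPLOAD = build_tarball([
    ("pkg/big", "file", b"\0" * (2 * 1024 * 1024)),
])

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_UPLOAD), ("hostile", HOSTILE_UPLOAD), ("bomb", BOMB_UPLOAD)):
        ok, problems, names = validate_tarball(data)
        print(label, "accepted" if ok else "rejected", problems, names)
```

Because only the tar index is consulted, the size check relies on the sizes recorded in headers rather than on how much data actually inflates; that is enough to refuse an upload up front, and an extraction step that follows should still enforce the same byte budget while writing.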