On Mon, Feb 21, 2011 at 11:37 AM, Lukas Fleischer <archlinux@cryptocrack.de> wrote:
> On Mon, Feb 21, 2011 at 11:08:05AM +0100, Dieter Plaetinck wrote:
> > What's the reasoning behind no longer showing all files in the "source package"? I found this feature quite useful.
> There were several vulnerabilities with the automatic tarball extraction. Think of "tarball bombs" (as in "ZIP bombs"). Think of what happens when a source tarball that contains a symlink to "/etc/passwd" is uploaded (and the web server isn't chrooted). Just to give two simple samples.
> Moreover, I've heard of some encoding issues with users just copy-pasting files from the AUR frontend. Generally, everyone should download and use the tarballs to build packages. The PKGBUILD preview is retained due to several requests.
Thanks for the information and work!
--
Sébastien Luttringer
www.seblu.net
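The two failure modes Lukas names (a symlink pointing at /etc/passwd and a "tarball bomb") are both things a server can refuse before extracting anything, by walking the archive's metadata. The following is an added example written for this thread, not code from the AUR project: it audits a tarball for members that would escape the extraction directory (absolute paths, `..` components, symlinks or hard links resolving outside the tree), unexpected member types, and an uncompressed size or compression ratio that looks like a bomb. The thresholds `MAX_TOTAL_BYTES` and `MAX_RATIO`, the function names, and the sample archive it builds in memory are all assumptions chosen for the demonstration.

```python
import io
import posixpath
import tarfile

# Thresholds are assumptions for this example: a 50 MiB cap on extracted bytes
# and a 100:1 uncompressed-to-archive ratio before we call it a tarball bomb.
MAX_TOTAL_BYTES = 50 * 1024 * 1024
MAX_RATIO = 100


def _escapes_root(path: str) -> bool:
    """True if a normalised archive path would land outside the extraction root."""
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def audit_tarball(data: bytes, max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Inspect a tarball's metadata without extracting anything.

    Returns a list of (kind, member_name, detail) findings; an empty list means
    no member escapes the extraction directory and the archive is not a bomb.
    """
    findings = []
    total = 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            if _escapes_root(m.name):
                findings.append(("escape", m.name, "path leaves extraction dir"))
            if m.issym():
                # A symlink target is resolved relative to the link's own directory.
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if _escapes_root(target):
                    findings.append(("link", m.name, f"symlink to {m.linkname}"))
            elif m.islnk():
                # A hard link names another member, relative to the archive root.
                if _escapes_root(m.linkname):
                    findings.append(("link", m.name, f"hardlink to {m.linkname}"))
            elif not (m.isreg() or m.isdir()):
                # Devices, FIFOs and the like have no business in a source tarball.
                findings.append(("type", m.name, f"unexpected member type {m.type!r}"))
            if m.isreg():
                total += m.size
    if total > max_total:
        findings.append(("size", "*", f"{total} bytes exceeds cap of {max_total}"))
    if data and total / len(data) > max_ratio:
        findings.append(("ratio", "*", f"{total / len(data):.0f}:1 exceeds {max_ratio}:1"))
    return findings


def build_sample_tarball(malicious: bool) -> bytes:
    """Construct an in-memory .tar.gz for demonstration (not a real AUR upload)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add_file(name, content):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))

        add_file("foo/PKGBUILD", b"pkgname=foo\npkgver=1\n")
        if malicious:
            # Symlink member whose target is outside the tree (the case in the thread).
            link = tarfile.TarInfo("foo/passwd")
            link.type = tarfile.SYMTYPE
            link.linkname = "/etc/passwd"
            tf.addfile(link)
            # Path-traversal member and a highly compressible "bomb" member.
            add_file("../escape.txt", b"outside the tree\n")
            add_file("foo/zeros", b"\0" * (10 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("malicious" if flag else "clean")
        for kind, name, detail in audit_tarball(build_sample_tarball(flag)):
            print(f"  [{kind}] {name}: {detail}")
```

Running it prints no findings for the clean archive and three for the constructed one (the symlink, the `../` member, and the compression ratio). The audit only reads headers, so the size and ratio checks cost nothing until you decide to extract; on Python 3.12 and later, `extractall(filter="data")` rejects the path and link cases on its own, but it does not bound the extracted size, so a check like the one above is still worth keeping in front of it.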