[aur-general] Upgraded AUR to 1.8.0

Lukas Fleischer archlinux at cryptocrack.de
Mon Feb 21 05:37:18 EST 2011


On Mon, Feb 21, 2011 at 11:08:05AM +0100, Dieter Plaetinck wrote:
> what's the reasoning behind no longer showing all files in the "source
> package"? I found this feature quite useful.

There were several vulnerabilities with the automatic tarball
extraction. Think of "tarball bombs" (as in "ZIP bombs"). Think of what
happens when a source tarball that contains a symlink to "/etc/passwd"
is uploaded (and the web server isn't chrooted). Just to give two simple
samples.

Moreover, I've heard of some encoding issues with users just
copy-pasting files from the AUR frontend. Generally, everyone should
download and use the tarballs to build packages. The PKGBUILD preview is
retained due to several requests.
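The two failure modes named above (a tar bomb and a symlink into /etc) can be caught from the archive headers alone, before anything is unpacked. The following is an added example, not the AUR's own code (the AUR frontend is PHP; this is a stand-alone Python equivalent); the member and size limits and the sample archive are assumptions constructed for the demonstration.

```python
import io
import os
import tarfile

# Limits for an uploaded source package (assumed values, not the AUR's own).
MAX_MEMBERS = 64
MAX_TOTAL_BYTES = 8 * 1024 * 1024


def audit_tarball(data, max_members=MAX_MEMBERS, max_total=MAX_TOTAL_BYTES):
    """Inspect the archive headers only (nothing is extracted) and return a list
    of (member_name, reason) for every member the web frontend must not touch."""
    problems = []
    declared_total = 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for index, member in enumerate(tar):
            if index >= max_members:
                problems.append((member.name, "too many members (tar bomb)"))
                break
            # Reject names that would land outside the extraction directory.
            norm = os.path.normpath(member.name)
            if member.name.startswith("/") or norm == ".." or norm.startswith("../"):
                problems.append((member.name, "path escapes the extraction directory"))
            # Reject links: a symlink to /etc/passwd would be rendered by the frontend.
            if member.issym() or member.islnk():
                problems.append((member.name, "link rejected (target %s)" % member.linkname))
            # Sizes come from the tar headers, so a tar bomb is caught before inflation.
            declared_total += member.size
            if declared_total > max_total:
                problems.append((member.name, "declared size exceeds limit (tar bomb)"))
                break
    return problems


def build_sample():
    """Constructed test data: a source package carrying all three problems."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        pkgbuild = b"pkgname=example\npkgver=1\n"
        info = tarfile.TarInfo("example/PKGBUILD")
        info.size = len(pkgbuild)
        tar.addfile(info, io.BytesIO(pkgbuild))
        link = tarfile.TarInfo("example/passwd")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
        escape = tarfile.TarInfo("example/../../escaped-file")
        tar.addfile(escape, io.BytesIO(b""))
        bomb = tarfile.TarInfo("example/zeros")
        bomb.size = 16 * 1024 * 1024  # 16 MiB of zeros, a few KiB once gzipped
        tar.addfile(bomb, io.BytesIO(bytes(bomb.size)))
    return buf.getvalue()
```

Because the check reads only the headers, it costs nothing proportional to the inflated size, which is exactly the property a public upload endpoint needs.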
