[aur-general] Upgraded AUR to 1.8.0
Seblu
seblu at seblu.net
Mon Feb 21 05:48:54 EST 2011
On Mon, Feb 21, 2011 at 11:37 AM, Lukas Fleischer
<archlinux at cryptocrack.de> wrote:
> On Mon, Feb 21, 2011 at 11:08:05AM +0100, Dieter Plaetinck wrote:
>> what's the reasoning behind no longer showing all files in the "source
>> package"? I found this feature quite useful.
>
> There were several vulnerabilities with the automatic tarball
> extraction. Think of "tarballs bombs" (as in "ZIP bombs"). Think of what
> happens when a source tarball that contains a symlink to "/etc/passwd"
> is uploaded (and the web server isn't chrooted). Just to give two simple
> samples.
>
> Moreover, I've heard of some encoding issues with users just
> copy-pasting files from the AUR frontend. Generally, everyone should
> download and use the tarballs to build packages. The PKGBUILD preview is
> retained due to several requests.
>
Thanks for information and work!
--
Sébastien Luttringer
www.seblu.net
More information about the aur-general
mailing list