[aur-general] Upgraded AUR to 1.8.0

Dieter Plaetinck dieter at plaetinck.be
Mon Feb 21 05:55:59 EST 2011


On Mon, 21 Feb 2011 11:37:18 +0100
Lukas Fleischer <archlinux at cryptocrack.de> wrote:

> On Mon, Feb 21, 2011 at 11:08:05AM +0100, Dieter Plaetinck wrote:
> > what's the reasoning behind no longer showing all files in the
> > "source package"? I found this feature quite useful.
> 
> There were several vulnerabilities with the automatic tarball
> extraction. Think of "tarball bombs" (as in "ZIP bombs"). Think of
> what happens when a source tarball that contains a symlink to
> "/etc/passwd" is uploaded (and the web server isn't chrooted). Just
> to give two simple samples.

Hmm.. would it be that much work to make the AUR code/installation
more secure, rather than just dropping the functionality? Just asking...

> Moreover, I've heard of some encoding issues with users just
> copy-pasting files from the AUR frontend.

This is kind of vague. "encoding issues"... issues at AUR side or client
side? If the former, that would be a bug that could get fixed.


> Generally, everyone should download and use the tarballs to build packages.

Yes, but I'm not talking about building packages, I'm talking about
getting a quick idea of what the package contains and how it gets
built/installed. For that, the "files" preview was very useful.

Dieter
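Given the extraction risks Lukas describes above (symlinks to /etc/passwd, tarball bombs), here is an added example, not code from the AUR project, of how a "files" listing could be produced from a tarball's index alone, without extracting anything to disk; it rejects links, paths that escape the package directory, special files, and oversized content. The size and member caps are assumed values chosen for illustration.

```python
import io
import os
import tarfile

# Caps assumed for illustration; not values taken from the AUR code base.
MAX_MEMBER_BYTES = 1 * 1024 * 1024   # largest single file we will list
MAX_TOTAL_BYTES = 8 * 1024 * 1024    # decompressed total, guards against tarball bombs
MAX_MEMBERS = 200                    # guards against index flooding

def vet_source_tarball(data: bytes) -> tuple[list[str], list[str]]:
    """Return (accepted member names, rejection reasons) without extracting.

    Only the tar index is read and nothing is written to disk, so a symlink
    to /etc/passwd or a '../' path can never be followed or created.
    """
    accepted, rejected = [], []
    total = 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for n, member in enumerate(tar, start=1):
            if n > MAX_MEMBERS:
                rejected.append("too many members")
                break
            name = member.name
            if member.issym() or member.islnk():
                rejected.append(f"{name}: link to {member.linkname!r}")
            elif os.path.isabs(name) or ".." in name.split("/"):
                rejected.append(f"{name}: escapes the package directory")
            elif not (member.isfile() or member.isdir()):
                rejected.append(f"{name}: special file")
            elif member.size > MAX_MEMBER_BYTES:
                rejected.append(f"{name}: {member.size} bytes exceeds member cap")
            elif total + member.size > MAX_TOTAL_BYTES:
                rejected.append(f"{name}: total size exceeds cap")
                break
            else:
                total += member.size
                accepted.append(name)
    return accepted, rejected

def build_sample_tarball() -> bytes:
    """Constructed test input: a PKGBUILD, a symlink to /etc/passwd, a '../' entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = b"pkgname=example\npkgver=1\n"
        info = tarfile.TarInfo("example/PKGBUILD"); info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
        link = tarfile.TarInfo("example/passwd"); link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
        tar.addfile(tarfile.TarInfo("../outside"))
    return buf.getvalue()
```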


