[aur-general] Upgraded AUR to 1.8.0
Dieter Plaetinck
dieter at plaetinck.be
Mon Feb 21 05:55:59 EST 2011
On Mon, 21 Feb 2011 11:37:18 +0100
Lukas Fleischer <archlinux at cryptocrack.de> wrote:
> On Mon, Feb 21, 2011 at 11:08:05AM +0100, Dieter Plaetinck wrote:
> > what's the reasoning behind no longer showing all files in the
> > "source package"? I found this feature quite useful.
>
> There were several vulnerabilities with the automatic tarball
> extraction. Think of "tarballs bombs" (as in "ZIP bombs"). Think of
> what happens when a source tarball that contains a symlink to
> "/etc/passwd" is uploaded (and the web server isn't chrooted). Just
> to give two simple samples.
Hmm.. would it be that much work to make the AUR code/installation
more secure, rather than just dropping the functionality? Just asking...
> Moreover, I've heard of some encoding issues with users just
> copy-pasting files from the AUR frontend.
This is kind of vague. "encoding issues"... issues at AUR side or client
side? If the former, that would be a bug that could get fixed.
> Generally, everyone should download and use the tarballs to build packages.
Yes, but I'm not talking about building packages, I'm talking about
getting a quick idea of what the package contains and how it gets
built/installed. For that, the "files" preview was very useful.
Dieter
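The two failure modes Lukas names above (a member that symlinks to "/etc/passwd", and a tar bomb whose declared contents dwarf the upload) are exactly what a server-side inspector has to check before it renders a tarball's file list. The following is an added example, not code from the AUR project: a small Python validator that walks a tarball's member table in memory without extracting anything, rejects absolute or `..` paths, rejects symlinks and hardlinks whose target resolves outside the archive root, and caps the declared total size and member count. The limits (`MAX_TOTAL_BYTES`, `MAX_MEMBERS`) and the sample archives in `SAMPLES` are constructed for this example.

```python
import io
import posixpath
import tarfile
from dataclasses import dataclass, field

# Assumed policy limits for an uploaded source package (not AUR's real values).
MAX_TOTAL_BYTES = 1 * 1024 * 1024   # declared, uncompressed size across all members
MAX_MEMBERS = 200                    # guards against archives with thousands of tiny entries


@dataclass
class TarReport:
    ok: bool
    problems: list = field(default_factory=list)
    members: list = field(default_factory=list)


def _path_escapes(name: str) -> bool:
    """True if an archive path could land outside the extraction root."""
    if not name or name.startswith("/") or "\\" in name:
        return True
    return ".." in name.split("/")


def _symlink_escapes(member_name: str, target: str) -> bool:
    """Resolve a symlink target relative to the member's directory, archive-root-relative."""
    if target.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(member_name), target))
    return resolved == ".." or resolved.startswith("../")


def inspect_tarball(data: bytes) -> TarReport:
    """Validate a tarball's member table without extracting any data."""
    try:
        tf = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError as exc:
        return TarReport(ok=False, problems=[f"not a readable tarball: {exc}"])

    report = TarReport(ok=True)
    total = 0
    with tf:
        for index, m in enumerate(tf):          # iterates headers lazily, no extraction
            if index >= MAX_MEMBERS:
                report.problems.append(f"more than {MAX_MEMBERS} members")
                break
            if _path_escapes(m.name):
                report.problems.append(f"{m.name}: path escapes extraction root")
            if m.issym():
                if _symlink_escapes(m.name, m.linkname):
                    report.problems.append(f"{m.name}: symlink to {m.linkname!r} escapes root")
            elif m.islnk():
                # hardlink targets are archive paths, so the plain path rule applies
                if _path_escapes(m.linkname):
                    report.problems.append(f"{m.name}: hardlink to {m.linkname!r} escapes root")
            elif not (m.isfile() or m.isdir()):
                report.problems.append(f"{m.name}: unsupported member type")
            total += m.size                      # header-declared size, the "bomb" signal
            if total > MAX_TOTAL_BYTES:
                report.problems.append(f"declared size exceeds {MAX_TOTAL_BYTES} bytes")
                break
            report.members.append(m.name)
    report.ok = not report.problems
    return report


def _build_tar(entries) -> bytes:
    """Build a gzipped tar in memory from (name, kind, payload) tuples (test fixture helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, kind, payload in entries:
            ti = tarfile.TarInfo(name)
            if kind == "file":
                ti.size = len(payload)
                tf.addfile(ti, io.BytesIO(payload))
            else:  # "symlink"
                ti.type = tarfile.SYMTYPE
                ti.linkname = payload
                tf.addfile(ti)
    return buf.getvalue()


# Constructed sample uploads: one benign, three malicious.
SAMPLES = {
    "benign": _build_tar([("foo/PKGBUILD", "file", b"pkgname=foo\npkgver=1\n")]),
    "symlink_abs": _build_tar([("foo/PKGBUILD", "symlink", "/etc/passwd")]),
    "symlink_rel": _build_tar([("foo/PKGBUILD", "symlink", "../../etc/passwd")]),
    "traversal": _build_tar([("../../../tmp/owned", "file", b"x")]),
    "bomb": _build_tar([("foo/big", "file", b"\0" * (2 * 1024 * 1024))]),  # ~2 KiB gzipped
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        r = inspect_tarball(blob)
        print(f"{label:12} ok={r.ok} members={r.members} problems={r.problems}")
```

Because the inspector only reads headers, a hostile archive never touches the filesystem, so the web server's chroot status stops mattering for this feature. On Python 3.12+ (and the security backports of older releases) `tarfile` also ships a built-in `data` extraction filter that rejects the same escaping paths and links at extraction time; the size and member caps above still have to be enforced separately.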