[aur-general] AUR no more extracting source tarballs ( was: Upgraded AUR to 1.8.0)

Dieter Plaetinck dieter at plaetinck.be
Mon Feb 21 09:46:47 EST 2011


On Mon, 21 Feb 2011 14:50:39 +0100
Lukas Fleischer <archlinux at cryptocrack.de> wrote:


> The only issue that might affect the end users as well is "ZIP bombs".
> Most users will probably notice such a thing before it is entirely
> extracted, just interrupt tar(1)/gzip(1) and send a removal request to
> aur-general, however.

Hmmm. Some good points.
I guess I could try the suggested approach and see how I like it.
However, now that you bring up the "zip bombs", do you think it's
feasible to scan for them server-side without compromising security
and/or making things needlessly complicated? It would be useful for
clients if that one aspect could be filtered out in advance.

Dieter
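
One way to do the server-side check asked about above without extracting anything to disk. This is an added example, not part of the original message and not AUR code. It covers the gzip layer only, and `scan_gzip`, `RATIO_FLOOR` and all limit values are assumptions.

```python
import gzip
import io
import zlib

CHUNK = 64 * 1024          # bytes read, and max bytes inflated, per step
RATIO_FLOOR = 1024 * 1024  # ratio is only judged past this much output


def scan_gzip(stream, max_output=64 * 1024 * 1024, max_ratio=100):
    """Inflate a gzip stream in memory, discard the output, and stop at the
    first limit breach. Returns (ok, reason, bytes_read, bytes_inflated).
    The limits are assumed policy values, not AUR settings."""
    d = zlib.decompressobj(wbits=31)  # wbits=31: gzip header and trailer
    read = seen = 0
    try:
        while True:
            buf = stream.read(CHUNK)
            if not buf:
                return (True, "within limits", read, seen)
            read += len(buf)
            while True:
                # max_length caps memory per call; input that was not
                # consumed yet comes back in d.unconsumed_tail.
                out = d.decompress(buf, CHUNK)
                seen += len(out)
                if seen > max_output:
                    return (False, "output cap exceeded", read, seen)
                if seen > RATIO_FLOOR and seen > max_ratio * read:
                    return (False, "expansion ratio exceeded", read, seen)
                if d.eof:
                    # gzip(1) inflates concatenated members, so keep
                    # scanning whatever follows the first one.
                    buf = d.unused_data
                    d = zlib.decompressobj(wbits=31)
                    if not buf:
                        break
                    continue
                buf = d.unconsumed_tail
                if not buf and len(out) < CHUNK:
                    break
    except zlib.error as exc:
        return (False, f"not valid gzip: {exc}", read, seen)


if __name__ == "__main__":
    bomb = gzip.compress(b"\0" * (8 * 1024 * 1024))  # constructed sample
    print(scan_gzip(io.BytesIO(bomb)))
```

Because the scan stops at the first breach, the server never inflates more than `max_output` plus one chunk, whatever size the upload claims to be.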