On Mon, 21 Feb 2011 11:37:18 +0100 Lukas Fleischer <archli...@cryptocrack.de> wrote:
> On Mon, Feb 21, 2011 at 11:08:05AM +0100, Dieter Plaetinck wrote:
> > what's the reasoning behind no longer showing all files in the
> > "source package"? I found this feature quite useful.
>
> There were several vulnerabilities with the automatic tarball
> extraction. Think of "tarball bombs" (as in "ZIP bombs"). Think of
> what happens when a source tarball that contains a symlink to
> "/etc/passwd" is uploaded (and the web server isn't chrooted). Just
> to give two simple samples.

Hmm.. would it be that much work to make the AUR code/installation more secure, rather than just dropping the functionality? Just asking...

> Moreover, I've heard of some encoding issues with users just
> copy-pasting files from the AUR frontend.

This is kind of vague. "Encoding issues"... issues at the AUR side or the client side? If the former, that would be a bug that could get fixed.

> Generally, everyone should download and use the tarballs to build packages.

Yes, but I'm not talking about building packages, I'm talking about getting a quick idea of what the package contains and how it gets built/installed. For that, the "files" preview was very useful.

Dieter
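The two hazards Lukas names, tarball bombs and symlinks pointing outside the extraction directory, are both visible in the tar headers before a single byte is extracted, so a file-listing feature can be gated on a header-only check. The following is an added example written for this thread; it is not code from the AUR or from either poster. It assumes a Python service that only needs the member names for a "files" view, and the caps (50 members, 64 KiB uncompressed) are arbitrary values chosen for the example. Sample tarballs are constructed inline.

```python
import io
import tarfile

# Arbitrary caps for the example; a real deployment would tune these.
MAX_MEMBERS = 50
MAX_TOTAL_BYTES = 64 * 1024  # uncompressed size declared in the headers


def check_source_tarball(data: bytes) -> list:
    """Return a list of problems found by inspecting headers only.

    An empty list means the archive is safe to list or extract. Nothing is
    written to disk, and member contents are never read, so a compression
    bomb cannot expand here.
    """
    problems = []
    try:
        tf = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError as exc:
        return [f"not a readable tarball: {exc}"]
    with tf:
        members = tf.getmembers()
        if len(members) > MAX_MEMBERS:
            problems.append(f"too many members ({len(members)} > {MAX_MEMBERS})")
        total = 0
        for m in members:
            parts = m.name.split("/")
            # Absolute names or any ".." component would leave the target dir.
            if m.name.startswith("/") or ".." in parts:
                problems.append(f"{m.name}: path escapes the extraction directory")
            # Symlinks and hardlinks can point at /etc/passwd or anywhere else
            # the web server can read; a source package never needs them.
            if m.issym() or m.islnk():
                problems.append(f"{m.name}: symlink/hardlink to {m.linkname}")
            # Devices, FIFOs and other special files are likewise unwanted.
            if not (m.isfile() or m.isdir()):
                if not (m.issym() or m.islnk()):
                    problems.append(f"{m.name}: unsupported entry type")
            total += m.size
        if total > MAX_TOTAL_BYTES:
            problems.append(
                f"declared uncompressed size {total} exceeds cap {MAX_TOTAL_BYTES}"
            )
    return problems


def list_source_files(data: bytes) -> list:
    """Names for a 'files' preview, or an empty list if the tarball is rejected."""
    if check_source_tarball(data):
        return []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return [m.name for m in tf.getmembers() if m.isfile()]


def _build_tar(entries) -> bytes:
    """Construct a gzip tarball in memory from (kind, name, payload) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for kind, name, payload in entries:
            ti = tarfile.TarInfo(name)
            if kind == "file":
                ti.size = len(payload)
                tf.addfile(ti, io.BytesIO(payload))
            elif kind == "symlink":
                ti.type = tarfile.SYMTYPE
                ti.linkname = payload
                tf.addfile(ti)
    return buf.getvalue()


# Constructed samples: one benign source package and three hostile ones.
SAFE_TARBALL = _build_tar([
    ("file", "pkg/PKGBUILD", b"pkgname=example\npkgver=1\n"),
    ("file", "pkg/example.install", b"post_install() { :; }\n"),
])
SYMLINK_TARBALL = _build_tar([
    ("symlink", "pkg/PKGBUILD", "/etc/passwd"),
])
TRAVERSAL_TARBALL = _build_tar([
    ("file", "../../tmp/PKGBUILD", b"pkgname=evil\n"),
])
BOMB_TARBALL = _build_tar([
    # 128 KiB of zeros compresses to a few hundred bytes but declares 128 KiB.
    ("file", "pkg/PKGBUILD", b"\0" * (128 * 1024)),
])

if __name__ == "__main__":
    for label, blob in [("safe", SAFE_TARBALL), ("symlink", SYMLINK_TARBALL),
                        ("traversal", TRAVERSAL_TARBALL), ("bomb", BOMB_TARBALL)]:
        print(label, check_source_tarball(blob) or "ok", list_source_files(blob))
```

The check reads only the tar headers, so the declared sizes are trusted for the cap decision; a member whose header lies about its size would still be bounded by the archive's actual length when extracted under a separate on-disk quota. Rejecting links outright, rather than resolving them, is the simpler rule for a package-source listing.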