gtristan commented on PR #1810: URL: https://github.com/apache/buildstream/pull/1810#issuecomment-2213662984
Thanks for bringing this to our attention. Frankly this does not affect us since this is only used in testing, in a scenario where we automatically generate the tarball to be extracted. With that said, it would appear to affect the `buildstream-plugins` repository at https://github.com/apache/buildstream-plugins/blob/master/src/buildstream_plugins/sources/cargo.py#L149. Even though we only ever extract tarballs which have been checksummed with sha256sums and protect against bad tarballs, there is an automated discovery process for getting new tarballs, so it is worthwhile to address this issue there.
