On 4/4/24 at 14:22, Johannes Schauer Marin Rodrigues wrote:
Since I don't think a tarball without ./ is really "wrong" to the point
that it needs to be recreated (this is in fact the very first time in my life
that a tarball without ./ causes any kind of trouble), I think it would be
desirable to support those tarballs as well.

how did you create that tarball?

debootstrap to a directory
cd /chroot/directory
tar czvf /srv/whatever.tar.gz *

Yes, I know that using "." instead of "*" would solve the problem, but as I
said, sbuild already perfectly supports tarballs without ./ in the "file"
backend, so the consistent thing would be to support them for unshare as well.

So, we (Jochen and myself) wonder if any of the following patches would be
acceptable to you.

The first patch adds the --anchored option to the tar invocation so that the
exclude patterns are matched from the beginning only (not anywhere in the
filename), then adds the remaining eight exclude patterns for tarballs without
"./".

I could agree that the end result is not very nice, but it's simple,
effective, and imo it's not really that ugly.

However, while we are at it, I wonder why it's necessary to uncompress
anything in /dev at all these days. Would it work if everything in /dev is
excluded?

The second patch (untested) supports tarballs with or without ./ and at the
same time simplifies the exclude patterns to just two.

Your addition of --anchored drops support for tarballs with members that start
with ././ or with ./././ and so on.

Yes, but those tarballs are a lot more uncommon, so if we had to choose between
supporting "" and "./" or supporting "./" and "././" and "./././" etc, I guess
supporting "" and "./" would be preferred.

So, well spotted, but I don't think that dropping support for ././
would be a big deal.

Your second patch is described as "Do not extract anything in /dev" but what it
actually excludes is the directory itself and not just everything in it.

That's why I said "untested" :-) The point was to convey the idea,
not the implementation.

Maybe a better solution would be to pipe the tarballs through mmtarfilter and
just remove all the device nodes from them. This avoids requiring any --exclude
options for tar.

Hmm, but if we get to such point, maybe we should really advocate for
debootstrap and friends to stop including any /dev/* files at all.

Thanks.
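
The idea quoted above of dropping device nodes from the tarball instead of passing --exclude patterns to tar, as an added example that is not part of this thread and is not mmtarfilter's or sbuild's code. It filters by member type rather than by name, so it behaves the same for member names starting with "", "./" or "././"; the function names and the sample tarballs are constructed for illustration.

```python
import io
import tarfile

def build_tarball(prefix):
    """Constructed sample: a tiny chroot-like tarball whose member names start with `prefix`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        d = tarfile.TarInfo(prefix + "dev")
        d.type, d.mode = tarfile.DIRTYPE, 0o755
        tar.addfile(d)
        # A character device header can be written without privileges;
        # only extracting it would need mknod.
        null = tarfile.TarInfo(prefix + "dev/null")
        null.type, null.mode = tarfile.CHRTYPE, 0o666
        null.devmajor, null.devminor = 1, 3
        tar.addfile(null)
        data = b"root:x:0:0::/root:/bin/sh\n"
        f = tarfile.TarInfo(prefix + "etc/passwd")
        f.size = len(data)
        tar.addfile(f, io.BytesIO(data))
    return buf.getvalue()

def strip_device_nodes(raw):
    """Copy a tarball, dropping character/block device members by type, not by name."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:*") as src, \
         tarfile.open(fileobj=out, mode="w") as dst:
        for member in src:
            if member.ischr() or member.isblk():
                continue  # the /dev directory itself is kept, only nodes go
            fileobj = src.extractfile(member) if member.isreg() else None
            dst.addfile(member, fileobj)
    return out.getvalue()

def member_names(raw):
    """Return member names exactly as stored in the archive."""
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:*") as tar:
        return tar.getnames()

if __name__ == "__main__":
    for prefix in ("", "./", "././"):
        print(repr(prefix), member_names(strip_device_nodes(build_tarball(prefix))))
```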
