guix-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: zipbomb handling should not be done in url-fetch/zipbomb


From: Eric Bavier
Subject: Re: zipbomb handling should not be done in url-fetch/zipbomb
Date: Sun, 18 Jun 2017 17:21:05 -0500
User-agent: K-9 Mail for Android


On June 17, 2017 3:13:33 PM CDT, address@hidden wrote:
>Arun Isaac <address@hidden> skribis:
>
>> * Proposal
>>
>> zip bomb (zip archives without a top level directory) handling should
>> not be done in `url-fetch/zipbomb'. It should be implemented as a
>> boolean argument to the `unpack' phase.
>
>I guess the Boolean argument would determine whether to do (chdir
>(first-subdirectory ".")), right?
>
>Unfortunately that’s not enough for the cases where an origin has
>patches or a snippet, because that code also assumes there’s only one
>subdirectory (see ‘patch-and-repack’ in (guix packages)).
>
>Perhaps the right fix would be to fix ‘patch-and-repack’ somehow.

I think this would be preferable. Since it means that users of 'guix build -S' 
would still get "unbombed" sources.

`~Eric

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]