zipbomb handling should not be done in url-fetch/zipbomb

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

zipbomb handling should not be done in url-fetch/zipbomb

From:	Arun Isaac
Subject:	zipbomb handling should not be done in url-fetch/zipbomb
Date:	Fri, 16 Jun 2017 15:15:54 +0530

* Proposal

zip bomb (zip archives without a top level directory) handling should
not be done in `url-fetch/zipbomb'. It should be implemented as a
boolean argument to the `unpack' phase.

Likewise for url-fetch/tarbomb as well.

* Rationale

I'm changing the download method of a few packages to url-fetch/zipbomb,
and the source gets downloaded again. This should not happen. It is the
same source archive after all. Why download another copy? In my
particular case, these source archives happen to be quite big (around
500 MB) as well.

The download method in source/origin/method should only be involved in
downloading. It should not handle how the downloaded source archive is
unpacked. That is the job of the `unpack' phase. url-fetch/zipbomb
unnecessarily duplicates the "unzip" command invocation.

* Feedback

WDYT?

[Prev in Thread]

Current Thread

[Next in Thread]

zipbomb handling should not be done in url-fetch/zipbomb, Arun Isaac <=
- Re: zipbomb handling should not be done in url-fetch/zipbomb, Ludovic Courtès, 2017/06/17
  - Re: zipbomb handling should not be done in url-fetch/zipbomb, Eric Bavier, 2017/06/18
  - Re: zipbomb handling should not be done in url-fetch/zipbomb, Arun Isaac, 2017/06/20
    - Re: zipbomb handling should not be done in url-fetch/zipbomb, Ludovic Courtès, 2017/06/21

Prev by Date: Re: What is the reason for archive keys ending up in /usr?
Next by Date: Re: 01/01: gnu: gmime: Update to 3.0.1.
Previous by thread: Hydra evaluation of 'master' failed, due to texlive changes?
Next by thread: Re: zipbomb handling should not be done in url-fetch/zipbomb
Index(es):
- Date
- Thread