Re: zipbomb handling should not be done in url-fetch/zipbomb
From: Eric Bavier
Subject: Re: zipbomb handling should not be done in url-fetch/zipbomb
Date: Sun, 18 Jun 2017 17:21:05 -0500
User-agent: K-9 Mail for Android

On June 17, 2017 3:13:33 PM CDT, address@hidden wrote:
>Arun Isaac <address@hidden> wrote:
>
>> * Proposal
>>
>> zip bomb (zip archives without a top level directory) handling should
>> not be done in `url-fetch/zipbomb'. It should be implemented as a
>> boolean argument to the `unpack' phase.
>
>I guess the Boolean argument would determine whether to do (chdir
>(first-subdirectory ".")), right?
>
>Unfortunately that’s not enough for the cases where an origin has
>patches or a snippet, because that code also assumes there’s only one
>subdirectory (see ‘patch-and-repack’ in (guix packages)).
>
>Perhaps the right fix would be to fix ‘patch-and-repack’ somehow.

I think this would be preferable, since it means that users of 'guix build -S'
would still get "unbombed" sources.
`~Eric
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.