On Mon, Feb 21, 2011 at 11:37 AM, Lukas Fleischer <[email protected]> wrote:
> On Mon, Feb 21, 2011 at 11:08:05AM +0100, Dieter Plaetinck wrote:
>> what's the reasoning behind no longer showing all files in the "source
>> package"? I found this feature quite useful.
>
> There were several vulnerabilities with the automatic tarball
> extraction. Think of "tarball bombs" (as in "ZIP bombs"). Think of what
> happens when a source tarball that contains a symlink to "/etc/passwd"
> is uploaded (and the web server isn't chrooted). Just to give two simple
> samples.
>
> Moreover, I've heard of some encoding issues with users just
> copy-pasting files from the AUR frontend. Generally, everyone should
> download and use the tarballs to build packages. The PKGBUILD preview is
> retained due to several requests.

Thanks for the information and the work!

--
Sébastien Luttringer
www.seblu.net
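As an added example (not code from this thread or from the AUR project), a Python pre-extraction check of the kind the quoted reply implies: it rejects archive members whose path or symlink target escapes the extraction root (the "/etc/passwd" symlink case) and caps member count and total uncompressed size against tarball bombs. The extraction root, the limits and the sample archive are assumptions constructed for the example.

```python
import io
import os
import tarfile

# Assumed limits (constructed for this example) to blunt tarball bombs.
MAX_TOTAL_BYTES = 10 * 1024 * 1024
MAX_MEMBERS = 1000
EXTRACT_ROOT = os.path.normpath("/extract")  # hypothetical extraction root


def _escapes(base, target):
    """True if `target`, resolved against `base`, ends up outside `base`."""
    resolved = os.path.normpath(os.path.join(base, target))
    return resolved != base and not resolved.startswith(base + os.sep)


def check_tarball(data):
    """Return (member_name, reason) for every member that must not be
    extracted; ("*", reason) marks an archive-wide violation."""
    problems, total = [], 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        members = tar.getmembers()
        if len(members) > MAX_MEMBERS:
            problems.append(("*", "too many members"))
        for m in members:
            if os.path.isabs(m.name) or _escapes(EXTRACT_ROOT, m.name):
                problems.append((m.name, "path escapes extraction root"))
            elif m.issym():
                # A symlink target resolves relative to the link's own directory.
                link_dir = os.path.dirname(os.path.join(EXTRACT_ROOT, m.name))
                target = os.path.join(link_dir, m.linkname)
                if os.path.isabs(m.linkname) or _escapes(EXTRACT_ROOT, target):
                    problems.append((m.name, "link target outside extraction root"))
            elif not (m.isfile() or m.isdir()):
                # Hard links, devices and FIFOs are never needed for a source package.
                problems.append((m.name, "unsupported member type"))
            if m.isfile():
                total += m.size
    if total > MAX_TOTAL_BYTES:
        problems.append(("*", "uncompressed size exceeds cap"))
    return problems


def build_sample():
    """Constructed sample: a benign PKGBUILD, a symlink to /etc/passwd and a
    path-traversal member; nothing here is a real upload."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        pkgbuild = b"pkgname=example\npkgver=1\n"
        info = tarfile.TarInfo("example/PKGBUILD")
        info.size = len(pkgbuild)
        tar.addfile(info, io.BytesIO(pkgbuild))
        link = tarfile.TarInfo("example/passwd")
        link.type, link.linkname = tarfile.SYMTYPE, "/etc/passwd"
        tar.addfile(link)
        tar.addfile(tarfile.TarInfo("../outside.txt"), io.BytesIO(b""))
    return buf.getvalue()
```

Run `check_tarball(build_sample())` and refuse extraction whenever the returned list is non-empty; the benign PKGBUILD member produces no entry.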
