On 04.10.2017 at 20:17, Adonay Felipe Nogueira wrote:
> Does the .zip file have a single directory on the root?
>
> If not, then we can call it a zipbomb/tarbomb. These bombs are bad
> because they can replace things without notice, and can be very
> difficult to track what was added. Last time I checked Guix expects only
> a single directory in the root of the file --- this might have changed,
> but I didn't test it since one year ago.

Hello,

this is a different problem. Tarbombs are still a problem, but unrelated to this.

The gnu-build-system does not have unzip by default. If a package's source comes in a zip, the package must have unzip as native-input. If it isn't, the (system* "unzip" source) call in the unpack function will fail because there is no unzip executable.

Happy hacking!
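
The single-root-directory question raised in the quoted message can be checked mechanically before unpacking. The following is an added example, not part of the original thread and not Guix code; the function names and the sample archives are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath


def root_entries(data):
    """Return (top-level names, member names) of a zip archive held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.replace("\\", "/") for n in zf.namelist()]
    roots = set()
    for name in names:
        path = PurePosixPath(name)
        # Members that would land outside the unpack directory are rejected outright.
        if path.is_absolute() or ".." in path.parts:
            raise ValueError(f"unsafe member path: {name!r}")
        if path.parts:
            roots.add(path.parts[0])
    return roots, names


def has_single_root_directory(data):
    """True when every member lives under exactly one top-level directory."""
    roots, names = root_entries(data)
    if len(roots) != 1:
        return False  # empty archive, or several top-level entries (a "bomb")
    root = next(iter(roots))
    # A lone top-level file is not a root directory.
    return any(n.startswith(root + "/") for n in names)


def make_zip(names):
    """Build a constructed sample archive containing the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"x")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "well-formed": ["pkg-1.0/README", "pkg-1.0/src/main.c"],
        "bomb": ["README", "src/main.c"],
    }
    for label, members in samples.items():
        print(label, has_single_root_directory(make_zip(members)))
```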
