From: Arun Isaac
Subject: zipbomb handling should not be done in url-fetch/zipbomb
Date: Fri, 16 Jun 2017 15:15:54 +0530
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

* Proposal

Zip bomb (zip archives without a top-level directory) handling should not be done in `url-fetch/zipbomb'. It should be implemented as a boolean argument to the `unpack' phase. Likewise for url-fetch/tarbomb as well.

* Rationale

I'm changing the download method of a few packages to url-fetch/zipbomb, and the source gets downloaded again. This should not happen. It is the same source archive after all. Why download another copy? In my particular case, these source archives happen to be quite big (around 500 MB) as well.

The download method in source/origin/method should only be involved in downloading. It should not handle how the downloaded source archive is unpacked. That is the job of the `unpack' phase. url-fetch/zipbomb unnecessarily duplicates the "unzip" command invocation.

* Feedback

WDYT?
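The two placements the message contrasts, written out as an added example in Guix's package Scheme (this is illustration, not code from the message or from Guix itself); the package name, URL and hash are placeholders, and `invoke` is assumed to come from (guix build utils):

```scheme
;; Added example, not from the original message or from Guix.
;; Package name, URL and hash below are placeholders.
(use-modules (guix packages)
             (guix download)
             (guix build-system gnu)
             ((guix licenses) #:prefix license:)
             (gnu packages zip))

;; Variant A: the download method handles the missing top-level directory.
;; url-fetch/zipbomb unpacks into a fresh directory, so the resulting store
;; item differs from a plain url-fetch of the same URL and the archive is
;; fetched a second time.
(define-public example-zipbomb-a
  (package
    (name "example-zipbomb")                       ; placeholder
    (version "1.0")
    (source (origin
              (method url-fetch/zipbomb)
              (uri "https://example.org/example-1.0.zip")   ; placeholder
              (sha256 (base32 "0000000000000000000000000000000000000000000000000000")))) ; placeholder
    (build-system gnu-build-system)
    (synopsis "Placeholder package with a top-level-less zip")
    (description "Placeholder description.")
    (home-page "https://example.org/")             ; placeholder
    (license license:gpl3+)))

;; Variant B: the download method only downloads (plain url-fetch, so the
;; source is shared with any other package using the same origin), and the
;; unpack phase creates the directory the archive lacks before extracting.
(define-public example-zipbomb-b
  (package
    (inherit example-zipbomb-a)
    (source (origin
              (method url-fetch)
              (uri "https://example.org/example-1.0.zip")   ; placeholder
              (sha256 (base32 "0000000000000000000000000000000000000000000000000000")))) ; placeholder
    (native-inputs `(("unzip" ,unzip)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (replace 'unpack
           (lambda* (#:key source #:allow-other-keys)
             ;; Give the archive the top-level directory it lacks so the
             ;; later phases see a single source tree.
             (mkdir "source")
             (chdir "source")
             (invoke "unzip" source)   ; assumed: invoke from (guix build utils)
             #t)))))))
```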