Arun Isaac <arunis...@systemreboot.net> skribis: > * Proposal > > zip bomb (zip archives without a top level directory) handling should > not be done in `url-fetch/zipbomb'. It should be implemented as a > boolean argument to the `unpack' phase.
I guess the Boolean argument would determine whether to do (chdir (first-subdirectory ".")), right? Unfortunately that’s not enough for the cases where an origin has patches or a snippet, because that code also assumes there’s only one subdirectory (see ‘patch-and-repack’ in (guix packages)). Perhaps the right fix would be to fix ‘patch-and-repack’ somehow. > * Rationale > > I'm changing the download method of a few packages to url-fetch/zipbomb, > and the source gets downloaded again. This should not happen. It is the > same source archive after all. Why download another copy? In my > particular case, these source archives happen to be quite big (around > 500 MB) as well. The only reason it triggers a redownload is because the name is different (specifically, ‘url-fetch/zipbomb’ prepends “zipbomb-” to the name.) To avoid the redownload you could do “guix download file://…” with the right file name. > The download method in source/origin/method should only be involved in > downloading. It should not handle how the downloaded source archive is > unpacked. That is the job of the `unpack' phase. url-fetch/zipbomb > unnecessarily duplicates the "unzip" command invocation. I admit it was a bit of a hack :-), but fixing the ‘unpack’ phase won’t be enough. Thanks, Ludo’.
