>> * Proposal
>>
>> zip bomb (zip archives without a top level directory) handling should
>> not be done in `url-fetch/zipbomb'. It should be implemented as a
>> boolean argument to the `unpack' phase.
>
> I guess the Boolean argument would determine whether to do (chdir
> (first-subdirectory ".")), right?
>
> Unfortunately that’s not enough for the cases where an origin has
> patches or a snippet, because that code also assumes there’s only one
> subdirectory (see ‘patch-and-repack’ in (guix packages)).

Ah, I didn't think of that.

> Perhaps the right fix would be to fix ‘patch-and-repack’ somehow.

Unfortunately, I don't know what that fix would look like. :-( Perhaps
`patch-and-repack' should somehow autodetect whether the archive is a
bomb or not. Do you think that is a good solution? It sounds
overcomplicated to me. Or, we can just let this matter rest as it is not
too important.
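
The autodetection idea raised in the message above, as an added example that is not part of the original thread and is not Guix code (Guix itself is written in Guile Scheme): a Python check for whether an archive listing has exactly one top-level directory. The function names and the sample archives are constructed for illustration.

```python
import io
import zipfile


def top_level_entries(names):
    """Map each top-level name to True if it is a directory, False if a file."""
    tops = {}
    for raw in names:
        # Drop empty and "." components so "./pkg/a" and "pkg/a" compare equal.
        parts = [p for p in raw.split("/") if p not in ("", ".")]
        if not parts:
            continue
        # A name is a directory if something lives under it or it ends in "/".
        is_dir = len(parts) > 1 or raw.endswith("/")
        tops[parts[0]] = tops.get(parts[0], False) or is_dir
    return tops


def single_top_directory(names):
    """Return the sole top-level directory, or None for a 'bomb' layout."""
    tops = top_level_entries(names)
    if len(tops) == 1:
        (name, is_dir), = tops.items()
        if is_dir:
            return name
    return None


def zip_single_top_directory(data):
    """Apply the check to the member list of a zip archive held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return single_top_directory(archive.namelist())


def make_zip(names):
    """Build a constructed in-memory zip containing the given file names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    regular = make_zip(["pkg-1.0/README", "pkg-1.0/src/main.c"])
    bomb = make_zip(["README", "src/main.c"])
    print("regular:", zip_single_top_directory(regular))
    print("bomb:", zip_single_top_directory(bomb))
```

A caller would enter the returned directory when there is one and stay in the extraction directory when the result is `None`.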