On 2024-12-25 08:13:37, Johannes Schauer Marin Rodrigues wrote:
> commits without any rationale behind them are the best </sarcasm>

Ugh, wtf. Uh. So it looks like this is a feature of zstd that it won't follow symlinks when reading compressed files!! So I guess this is not a bug in sbuild after all, but specifically about zstd tarballs. Sigh.

> This also reminds me of #1089105 which comes down to zstd not accepting
> compressed data on stdin and writing the uncompressed result to stdout without
> also passing --force.

Seems entirely unintuitive to me... Is it worth filing this against zstd and affecting sbuild maybe?

> Thank you for having found this. Maybe we should just call zstd with '--force'
> and call it a day...

That seems dangerous in many ways: zstd set up this thing which sounds to me like a security feature, albeit poorly documented... If I read this right, there's even a TOCTOU bug in there, because we're checking symlinks before use, and an attacker could replace a file with a symlink later.

Anyway. Not sure what to do about this, I think the best might possibly be to move this to the zstd package...

Sorry for all the trouble! :)

a.

-- 
One has a moral responsibility to disobey unjust laws. - Martin Luther King, Jr.
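As an added illustration of the TOCTOU point raised in the message (example code written here, not taken from the bug report, zstd or sbuild; the function names are hypothetical): the lstat-then-open check beside the race-free O_NOFOLLOW plus fstat form, exercised on constructed files in a private temp directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-open: the pattern the message calls a TOCTOU bug. Nothing ties
 * the lstat() result to whatever open() later resolves at the same path. */
int lstat_says_regular(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Race-free: refuse symlinks at open() time, then verify the descriptor we
 * actually hold with fstat(). There is no window between check and use. */
int open_regular_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                 /* errno == ELOOP when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Creates an empty regular file (constructed fixture). */
static int touch(const char *p) { int fd = open(p, O_WRONLY | O_CREAT, 0600); return fd < 0 ? -1 : close(fd); }

/* Demo in a private temp dir. Result bits: 1 = lstat check passed on the
 * regular file; 2 = after the file was swapped for a symlink, plain open()
 * followed it; 4 = O_NOFOLLOW opener refused the link with ELOOP;
 * 8 = O_NOFOLLOW opener still accepts a genuine regular file. */
int run_demo(void)
{
    char dir[64], file[96], target[96];
    int result = 0, fd;
    snprintf(dir, sizeof dir, "/tmp/nofollow-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return -1;
    snprintf(file, sizeof file, "%s/data.zst", dir);
    snprintf(target, sizeof target, "%s/elsewhere", dir);
    if (touch(file) || touch(target)) return -1;
    if (lstat_says_regular(file)) result |= 1;
    unlink(file);
    if (symlink(target, file) != 0) return -1;   /* the swap after the check */
    if ((fd = open(file, O_RDONLY)) >= 0) { result |= 2; close(fd); }
    if (open_regular_nofollow(file) < 0 && errno == ELOOP) result |= 4;
    if ((fd = open_regular_nofollow(target)) >= 0) { result |= 8; close(fd); }
    unlink(file); unlink(target); rmdir(dir);
    return result;
}
```

Running `run_demo()` yields 15: the path-based check says "regular file" and plain open() then happily follows the link planted afterwards, while the O_NOFOLLOW opener rejects the link and accepts only a real regular file.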
Ugh, wtf. Uh. So it looks like this is a feature of zstd that it won't follow symlinks when reading compressed files!! So i guess this is not a bug in sbuild after all, but specifically about zstd tarballs. Sigh. > This also reminds me of #1089105 which comes down to zstd not accepting > compressed data on stdin and writing the uncompressed result to stdout without > also passing --force. Seems entirely unintuitive to me... Is it worth filing this against zstd and affecting sbuild maybe? > Thank you for having found this. Maybe we should just call zstd with '--force' > and call it a dway... That seems dangerous in many ways: zstd setup this thing which sounds to me like a security feature, albeit poorly documented... If I read this right, there's even a TOCTOU bug in there, because we're checking symlinks before use, and and an attacker could replace a file with a symlink later. Anyway. Not sure what to do about this, I think the best might possibly be to move this to the zstd package... Sorry for all the trouble! :) a. -- One has a moral responsibility to disobey unjust laws. - Martin Luther King, Jr.