Tarbomb in release src tarball file #8685

New Issue

Closed

opened 2025-11-02 08:14:28 -06:00 by GiteaMirror · 5 comments

GiteaMirror commented 2025-11-02 08:14:28 -06:00

Owner

Copy Link

Originally created by @eleksir on GitHub (Mar 12, 2022).

Gitea Version

1.16.3

Git Version

N/A

Operating System

N/A

How are you running Gitea?

tar xf gitea-src-1.16.3.tar.gz

Database

No response

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

N/A

Description

Gitea official src, gitea-src-1.16.3.tar.gz, (from releases page at github, particulary at release of 1.16.3) contains tarbomb. Such behavior is considered bad etiquette on the part of the archive's creator.

Expected behavior is (after untarring) to find this pile of files in subdir named gitea-src-1.16.3 or even better in subdir named gitea-1.16.3.

Screenshots

N/A

Originally created by @eleksir on GitHub (Mar 12, 2022). ### Gitea Version 1.16.3 ### Git Version N/A ### Operating System N/A ### How are you running Gitea? tar xf gitea-src-1.16.3.tar.gz ### Database _No response_ ### Can you reproduce the bug on the Gitea demo site? No ### Log Gist N/A ### Description Gitea official src, gitea-src-1.16.3.tar.gz, (from releases page at [github](https://github.com/go-gitea/gitea/releases), particulary at [release of 1.16.3](https://github.com/go-gitea/gitea/releases/tag/v1.16.3)) contains [tarbomb](https://en.wikipedia.org/wiki/Tar_(computing)#Tarbomb). Such behavior is considered bad etiquette on the part of the archive's creator. Expected behavior is (after untarring) to find this pile of files in subdir named gitea-src-1.16.3 or even better in subdir named gitea-1.16.3. ### Screenshots N/A

GiteaMirror added the hacktoberfesttopic/distributionissue/confirmedgood first issue labels 2025-11-02 08:14:28 -06:00

GiteaMirror closed this issue 2025-11-02 08:14:28 -06:00

GiteaMirror commented 2025-11-02 08:14:29 -06:00

Author

Owner

Copy Link

@wULLSnpAXbWZGYDYyhWTKKspEQoaYxXyhoisqHf commented on GitHub (Mar 12, 2022):

fair point, IMO, this shouldn't be hard to fix.
what I usually tend to do anyway is automaticaly create a folder for pretty much any archive I am untarring, then use tar with -C newfolder. those times I forget to prepare a folder hurt, though.

@wULLSnpAXbWZGYDYyhWTKKspEQoaYxXyhoisqHf commented on GitHub (Mar 12, 2022): fair point, IMO, this shouldn't be hard to fix. what I usually tend to do anyway is automaticaly create a folder for pretty much any archive I am untarring, then use tar with `-C newfolder`. those times I forget to prepare a folder hurt, though.

GiteaMirror commented 2025-11-02 08:14:29 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Mar 14, 2022):

That's generated by Github I think, maybe you should submit an issue to them?

@lunny commented on GitHub (Mar 14, 2022): That's generated by Github I think, maybe you should submit an issue to them?

GiteaMirror commented 2025-11-02 08:14:29 -06:00

Author

Owner

Copy Link

@eleksir commented on GitHub (Mar 15, 2022):

https://github.com/twpayne/chezmoi/issues/1576

absolutely same thing but it was resolved without Github intervention.

@eleksir commented on GitHub (Mar 15, 2022): https://github.com/twpayne/chezmoi/issues/1576 absolutely same thing but it was resolved without Github intervention.

GiteaMirror commented 2025-11-02 08:14:29 -06:00

Author

Owner

Copy Link

@techknowlogick commented on GitHub (Mar 15, 2022):

gitea-src-1.16.3.tar.gz (and similar) is a custom tar that we create in the make-release step of CI, so it would need to be updated in our CI.

@techknowlogick commented on GitHub (Mar 15, 2022): `gitea-src-1.16.3.tar.gz` (and similar) is a custom tar that we create in the make-release step of CI, so it would need to be updated in our CI.

GiteaMirror commented 2025-11-02 08:14:30 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Mar 16, 2022):

We'd need to use --transform or --xform option in the tar within the release-sources target in the Makefile here:

ed1d95c55d/Makefile (L648)

@eleksir would you like to test and propose a PR?

---

documentation for the tar command and the --transform option can be found here:

https://www.gnu.org/software/tar/manual/html_section/transform.html

@zeripath commented on GitHub (Mar 16, 2022): We'd need to use `--transform` or `--xform` option in the `tar` within the `release-sources` target in the `Makefile` here: https://github.com/go-gitea/gitea/blob/ed1d95c55dfa91d1c9a486bfb8e00375d4038e29/Makefile#L648 @eleksir would you like to test and propose a PR? --- documentation for the tar command and the `--transform` option can be found here: https://www.gnu.org/software/tar/manual/html_section/transform.html

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label good first issue hacktoberfest issue/confirmed topic/distribution

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#8685