Tarbomb in release src tarball file

[eleksir]

Gitea Version

1.16.3

Git Version

N/A

Operating System

N/A

How are you running Gitea?

tar xf gitea-src-1.16.3.tar.gz

Database

No response

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

N/A

Description

Gitea official src, gitea-src-1.16.3.tar.gz, (from releases page at github, particulary at release of 1.16.3) contains tarbomb. Such behavior is considered bad etiquette on the part of the archive's creator.

Expected behavior is (after untarring) to find this pile of files in subdir named gitea-src-1.16.3 or even better in subdir named gitea-1.16.3.

Screenshots

N/A

[wULLSnpAXbWZGYDYyhWTKKspEQoaYxXyhoisqHf]

fair point, IMO, this shouldn't be hard to fix.
what I usually tend to do anyway is automaticaly create a folder for pretty much any archive I am untarring, then use tar with -C newfolder. those times I forget to prepare a folder hurt, though.

[lunny]

That's generated by Github I think, maybe you should submit an issue to them?

[eleksir]

twpayne/chezmoi#1576

absolutely same thing but it was resolved without Github intervention.

[techknowlogick]

gitea-src-1.16.3.tar.gz (and similar) is a custom tar that we create in the make-release step of CI, so it would need to be updated in our CI.

[zeripath]

We'd need to use --transform or --xform option in the tar within the release-sources target in the Makefile here:

gitea/Makefile

Line 648 in ed1d95c

tar $(addprefix $(EXCL),$(TAR_EXCLUDES)) -czf $(DIST)/release/gitea-src-$(VERSION).tar.gz .

@eleksir would you like to test and propose a PR?

---

documentation for the tar command and the --transform option can be found here:

https://www.gnu.org/software/tar/manual/html_section/transform.html