Ensure tar_info extraction filter compatibility in runtime archives
#23
Assignees
Labels
Category: Bug
Something isn't working
Comments
ncoghlan
changed the title
tar_info extraction filter compatibility in layer archivestar_info extraction filter compatibility in runtime archives
ncoghlan
added a commit
that referenced
this issue
Oct 24, 2024
Also correctly marks some `pack_venv` APIs as private. Closes #23
ncoghlan
added a commit
that referenced
this issue
Oct 24, 2024
Also correctly marks some `pack_venv` APIs as private. Closes #23
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The
python-build-standaloneCPython runtime tarballs are currently being unpacked in "fully trusted" mode (thetarfilemodule's default in Python 3.13 and earlier).To avoid a Python 3.14 compatibility issue (where the default is changing to
data_filtermode), I attempted to enable thetar_filtermode which prevents the potential security issues with fully trusted tarballs, but still allows full use of various tarfile features that are needed when shipping a CPython runtime archive.This change revealed that the python-build-standalone archives are enabling group write permissions on many of the files in the runtime bundles (astral-sh/python-build-standalone#349), so enabling
tar_filtermeans changing the expected hashes of the CPython runtimes (since it clears those group write permission flags).To avoid introducing a discrepancy between Python 3.12+ and Python 3.11 (which doesn't support tar extraction filters), the change to clear the group and world write permissions on files in published archives also needs to be enforced by
venvstacksitself (so even if the runtime files get unpacked into the build folder with0o664permissions, they'll still be set to0o644in the layer archive)The text was updated successfully, but these errors were encountered: