Use conda-package-handling.api.extract instead of tarfile.TarFile.extractall
#5390
Conversation
conda-bot
added
the
cla-signed
kenodegard
force-pushed
the
tarfile-filter-data
branch
from
b625204
to
b4e4360
Compare
CodSpeed Performance ReportMerging #5390 will not alter performanceComparing Summary
|
kenodegard
force-pushed
the
tarfile-filter-data
branch
2 times, most recently
from
4d24e41
to
a3ba98f
Compare
kenodegard
force-pushed
the
tarfile-filter-data
branch
from
a3ba98f
to
d9f416f
Compare
|
Note that the
How do we handle that? Detect the used version and only add filter if supported? Or somehow assume/ensure that a recent enough Python version is available? |
|
@zklaus ah I had not caught that it was backported, I guess the easiest in this case would be duck typing |
|
The deprecation warning is only added in 3.12, so I'd say we only specify |
kenodegard
changed the title
tarfile by specifying filter='data'conda-package-handling.api.extract instead of tarfile.TarFile.extractall
|
I suppose the continuation of the discussion about the appropriate filter belongs in cph now, but anyway, I think we might even need a custom filter, at least if we want to maintain the logic including umasks. |
|
We implemented our own filter in conda-package-streaming. Could we use the Python one instead or pass our filter function through that parameter? |
| @@ -31,6 +31,7 @@ | |||
| from conda.gateways.disk.create import TemporaryDirectory | |||
| from conda.models.records import PackageRecord | |||
| from conda.models.version import VersionOrder | |||
| from conda_package_handling.api import extract | |||
There was a problem hiding this comment.
This API can only extract .conda or .tar.bz2, not any other .tgz etc. variant.
Description
Python 3.12 introduced a deprecation warning in
tarfileto warn of a future change in Python 3.14 where the defaultfilterbehavior intarfile.TarFile.extract/tarfile.TarFile.extractallwill change.Instead of allowing all file locations (and types) to be unpacked, the new default behavior is to only unpack the safe files (relative to the current location, no special file types, etc.). This is a reasonable change so here we attempt to adopt this change preemptively (and end up simplifying some of our code too!).The decision to be made is whether we wish to use the strictest filtering (https://docs.python.org/3/library/tarfile.html#tarfile.data_filter) or the more permissive but still safer than before filtering (https://docs.python.org/3/library/tarfile.html#tarfile.tar_filter), I'm assuming we do not want the wild west no filtering of today (https://docs.python.org/3/library/tarfile.html#tarfile.fully_trusted_filter).Instead of adjusting how we use
tarfilewe instead opt to useconda-package-handlingfor our extraction needs (it is then up toconda-package-streaming&conda-package-handlingto filter correctly).Side note, it is odd that this deprecation warning didn't surface earlier.
Xref #5387 #5379 #5281 conda/conda-package-streaming#87
Checklist - did you ...
newsdirectory (using the template) for the next release's release notes?Add / update necessary tests?Add / update outdated documentation?