
Bug 933433

Summary: sys-apps/portage: TarFile.extract() DeprecationWarning about filter argument
Product: Portage Development
Reporter: Zac Medico <zmedico>
Component: Binary packages support
Assignee: Portage team <dev-portage>
Status: RESOLVED FIXED
Severity: normal
CC: zmedico
Priority: Normal
Keywords: InVCS
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/portage/pull/1338
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 933499
Bug Blocks:

Description Zac Medico gentoo-dev 2024-06-02 19:58:58 UTC
Portage emits this DeprecationWarning during gpkg extraction:

/usr/lib/python3.13/site-packages/portage/gpkg.py:675: DeprecationWarning: Python 3.14 will, by default, filter extracted tar archives and reject files or modify their metadata. Use the filter argument to control this behavior.

It looks like we should probably use filter="fully_trusted" and it's been backported to python 3.8.17:

https://docs.python.org/3.8/library/tarfile.html#tarfile-extraction-filter
Comment 1 Zac Medico gentoo-dev 2024-06-02 20:05:29 UTC
It looks like overriding the default extraction_filter is probably convenient:

https://docs.python.org/3.8/library/tarfile.html#tarfile.TarFile.extraction_filter
Comment 2 Larry the Git Cow gentoo-dev 2024-06-09 17:54:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=f620a0769a509966295954c2b0c76e46e8fb4289

commit f620a0769a509966295954c2b0c76e46e8fb4289
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2024-06-02 21:53:04 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-06-09 17:53:31 +0000

    tar_safe_extract: Use tarfile.fully_trusted_filter
    
    This suppresses a DeprecationWarning triggered because the
    tarfile.data_filter will become the new default in python3.14.
    The fully_trusted filter should be suitable here because
    tar_safe_extract already performs security validation on
    tar members prior to extraction.
    
    Bug: https://bugs.gentoo.org/933433
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 lib/portage/gpkg.py | 9 +++++++++
 1 file changed, 9 insertions(+)
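
The approach the commit message above describes (validate tar members first, then extract with the fully_trusted filter so no DeprecationWarning is raised), as an added example that is not Portage's tar_safe_extract code. The names `build_tar`, `validate_members` and `checked_extract`, and the specific checks performed, are assumptions for illustration.

```python
import io
import os
import tarfile
import tempfile
import warnings


def build_tar(names):
    """Constructed sample input: an in-memory tar with one small file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return io.BytesIO(buf.getvalue())


def validate_members(tar, dest):
    """Assumed checks: only regular files and directories, all inside dest."""
    root = os.path.realpath(dest)
    for member in tar.getmembers():
        if not (member.isreg() or member.isdir()):
            raise ValueError(f"unsupported member type: {member.name}")
        target = os.path.realpath(os.path.join(root, member.name))
        if os.path.commonpath([root, target]) != root:
            raise ValueError(f"member escapes destination: {member.name}")


def checked_extract(fileobj, dest):
    """Validate every member, then extract; return (entries, warning texts)."""
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        validate_members(tar, dest)
        # Interpreters without the filter backport lack this attribute.
        if hasattr(tarfile, "fully_trusted_filter"):
            tar.extraction_filter = tarfile.fully_trusted_filter
        with warnings.catch_warnings(record=True) as caught:
            warnings.simplefilter("always")
            tar.extractall(dest)
    return sorted(os.listdir(dest)), [str(w.message) for w in caught]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(checked_extract(build_tar(["a.txt", "sub/b.txt"]), d))
        try:
            checked_extract(build_tar(["../evil.txt"]), d)
        except ValueError as exc:
            print("rejected:", exc)
```

Because fully_trusted applies no checks of its own, everything that keeps extraction inside the destination has to happen in the validation step before `extractall()` is called.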
Comment 3 Larry the Git Cow gentoo-dev 2024-09-11 01:30:57 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02d0e00a1ba811b39140d10e17488f7fc3916534

commit 02d0e00a1ba811b39140d10e17488f7fc3916534
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-11 01:30:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-11 01:30:30 +0000

    sys-apps/portage: add 3.0.66
    
    Closes: https://bugs.gentoo.org/435066
    Closes: https://bugs.gentoo.org/907061
    Closes: https://bugs.gentoo.org/910560
    Closes: https://bugs.gentoo.org/933433
    Closes: https://bugs.gentoo.org/934220
    Closes: https://bugs.gentoo.org/934514
    Closes: https://bugs.gentoo.org/934784
    Closes: https://bugs.gentoo.org/935830
    Closes: https://bugs.gentoo.org/936273
    Closes: https://bugs.gentoo.org/937384
    Closes: https://bugs.gentoo.org/937485
    Closes: https://bugs.gentoo.org/937740
    Closes: https://bugs.gentoo.org/937888
    Closes: https://bugs.gentoo.org/937891
    Closes: https://bugs.gentoo.org/938127
    Closes: https://bugs.gentoo.org/933499
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/portage/Manifest              |   1 +
 sys-apps/portage/portage-3.0.66.ebuild | 227 +++++++++++++++++++++++++++++++++
 2 files changed, 228 insertions(+)