Bug 933433 - sys-apps/portage: TarFile.extract() DeprecationWarning about filter argument
Summary: sys-apps/portage: TarFile.extract() DeprecationWarning about filter argument
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Binary packages support
Hardware: All Linux
Importance: Normal normal
Assignee: Portage team
URL:
Whiteboard:
Keywords: InVCS
Depends on: 933499
Blocks:
Reported: 2024-06-02 19:58 UTC by Zac Medico
Modified: 2024-09-11 01:30 UTC

See Also:
Package list:
Runtime testing required: ---


Description Zac Medico gentoo-dev 2024-06-02 19:58:58 UTC
Portage emits this DeprecationWarning during gpkg extraction:

/usr/lib/python3.13/site-packages/portage/gpkg.py:675: DeprecationWarning: Python 3.14 will, by default, filter extracted tar archives and reject files or modify their metadata. Use the filter argument to control this behavior.

It looks like we should probably use filter="fully_trusted" and it's been backported to python 3.8.17:

https://docs.python.org/3.8/library/tarfile.html#tarfile-extraction-filter
Comment 1 Zac Medico gentoo-dev 2024-06-02 20:05:29 UTC
It looks like overriding the default extraction_filter is probably convenient:

https://docs.python.org/3.8/library/tarfile.html#tarfile.TarFile.extraction_filter
Comment 2 Larry the Git Cow gentoo-dev 2024-06-09 17:54:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=f620a0769a509966295954c2b0c76e46e8fb4289

commit f620a0769a509966295954c2b0c76e46e8fb4289
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2024-06-02 21:53:04 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-06-09 17:53:31 +0000

    tar_safe_extract: Use tarfile.fully_trusted_filter
    
    This suppresses a DeprecationWarning triggered because the
    tarfile.data_filter will become the new default in python3.14.
    The fully_trusted filter should be suitable here because
    tar_safe_extract already performs security validation on
    tar members prior to extraction.
    
    Bug: https://bugs.gentoo.org/933433
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 lib/portage/gpkg.py | 9 +++++++++
 1 file changed, 9 insertions(+)
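The approach the commit message above describes, sketched as an added example: members are validated first, and extraction then runs with the fully trusted filter set through `TarFile.extraction_filter`. This is not Portage's `tar_safe_extract`; `build_sample_tar`, `validate_members` and `extract_prevalidated` are hypothetical names, the checks are assumed for illustration, and the archive is constructed in memory.

```python
import io
import os
import tarfile


def build_sample_tar(names):
    """Build a constructed sample archive in memory (small regular files only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def validate_members(tar, dest):
    """Assumed pre-extraction checks: every member must be a regular file or
    directory whose resolved path stays inside dest."""
    root = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(root, member.name))
        if os.path.commonpath([root, target]) != root:
            raise ValueError(f"member escapes destination: {member.name}")
        if not (member.isreg() or member.isdir()):
            raise ValueError(f"unsupported member type: {member.name}")


def extract_prevalidated(fileobj, dest):
    """Validate, then extract without a second layer of filtering."""
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        # Setting the filter on this instance makes the choice explicit, which
        # silences the DeprecationWarning and keeps behaviour stable when the
        # default changes to data_filter in Python 3.14. Interpreters without
        # the backported filter API lack the attribute and need no override.
        if hasattr(tarfile, "fully_trusted_filter"):
            tar.extraction_filter = tarfile.fully_trusted_filter
        # fully_trusted performs no checks of its own, so validation must
        # finish before anything is written to disk.
        validate_members(tar, dest)
        tar.extractall(dest)
    return sorted(os.listdir(dest))
```

The filter is assigned on the instance as a plain function; assigning it on the `TarFile` class instead requires wrapping it in `staticmethod()`.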
Comment 3 Larry the Git Cow gentoo-dev 2024-09-11 01:30:57 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02d0e00a1ba811b39140d10e17488f7fc3916534

commit 02d0e00a1ba811b39140d10e17488f7fc3916534
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-11 01:30:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-11 01:30:30 +0000

    sys-apps/portage: add 3.0.66
    
    Closes: https://bugs.gentoo.org/435066
    Closes: https://bugs.gentoo.org/907061
    Closes: https://bugs.gentoo.org/910560
    Closes: https://bugs.gentoo.org/933433
    Closes: https://bugs.gentoo.org/934220
    Closes: https://bugs.gentoo.org/934514
    Closes: https://bugs.gentoo.org/934784
    Closes: https://bugs.gentoo.org/935830
    Closes: https://bugs.gentoo.org/936273
    Closes: https://bugs.gentoo.org/937384
    Closes: https://bugs.gentoo.org/937485
    Closes: https://bugs.gentoo.org/937740
    Closes: https://bugs.gentoo.org/937888
    Closes: https://bugs.gentoo.org/937891
    Closes: https://bugs.gentoo.org/938127
    Closes: https://bugs.gentoo.org/933499
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/portage/Manifest              |   1 +
 sys-apps/portage/portage-3.0.66.ebuild | 227 +++++++++++++++++++++++++++++++++
 2 files changed, 228 insertions(+)