From cefbf7e1f6a047205c2800cfabd2429a674ce87b Mon Sep 17 00:00:00 2001 From: Austin Ziegler Date: Sun, 29 Dec 2024 21:55:14 -0500 Subject: [PATCH] chore: Rework governance documentation and meta Standardized documentation filenames and reworked the security policy. --- .hoerc | 83 ++++---- CHANGELOG.md | 258 +++++++++++++++++++++++ Code-of-Conduct.md => CODE_OF_CONDUCT.md | 0 Contributing.md => CONTRIBUTING.md | 33 +-- CONTRIBUTORS.md | 26 +++ History.md | 236 --------------------- Licence.md => LICENCE.md | 2 +- Manifest.txt | 12 +- README.md | 70 ++++++ README.rdoc | 92 -------- Rakefile | 23 +- SECURITY.md | 54 +++++ docs/ruby.txt | 6 +- minitar.gemspec | 26 +-- 14 files changed, 481 insertions(+), 440 deletions(-) create mode 100644 CHANGELOG.md rename Code-of-Conduct.md => CODE_OF_CONDUCT.md (100%) rename Contributing.md => CONTRIBUTING.md (81%) create mode 100644 CONTRIBUTORS.md delete mode 100644 History.md rename Licence.md => LICENCE.md (94%) create mode 100644 README.md delete mode 100644 README.rdoc create mode 100644 SECURITY.md diff --git a/.hoerc b/.hoerc index d01618e..cef1b42 100644 --- a/.hoerc +++ b/.hoerc 
@@ -1,48 +1,41 @@ --- exclude: !ruby/regexp '/ - \.(?: - tmp | - swp - )$ - | - \.(?: - bundle | - git | - github | - hg | - idea | - svn | - vagrant + \.gemspec$ + | \.tmp$ + | \.swp$ + | ^\.(?: + DS_Store + | autotest + | byebug_history + | gemtest + | gitattributes + | gitignore + | hoerc + | minitest\.rb + | simplecov-prelude\.rb + | workenv + | (?: + appveyor + | coveralls + | fasterer + | pullreview + | rubocop.* + | standard.* + | travis + | unused + )\.yml + )$ + | ^\.(?: + bundle + | github + | git + | hg + | idea + | svn + | vagrant )\/ - | - [Aa]ppraisals - | - [gG]emfile(?:\.lock)? - | - \.(?: - appveyor | - coveralls | - fasterer | - pullreview | - rubocop.* | - standard.* | - travis | - unused - )\.yml$ - | - (?i:TAGS)$ - | - \.(?: - DS_Store | - autotest | - byebug_history | - gemtest | - gitattributes | - gitignore | - hoerc | - minitest.rb | - simplecov-prelude.rb - )$ - | - \.gemspec$ - /x' + | [gG]emfile(?:\.lock)?$ + | [Aa]ppraisals$ + | (?i:TAGS)$ + | Vagrantfile$ +/x' diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..a1c60cf --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,258 @@ +# Changelog + +## NEXT / 2025-MM-DD + +- Governance: + + Changes described here are effective 2024-12-31. + + - Update gem management details to use markdown files for everything, enabled + in part by [flavorjones/hoe-markdown][hoe-markdown]. Several files were + renamed to be more consistent with standard practices. + + - Updated security notes with an [age][age] public key rather than pointing to + Keybase.io and a PGP public key which I no longer use. The use of the + [Tidelift security contact][tidelift] is recommended over direct disclosure. + +## 1.0.2 / 2024-08-23 + +- Bugfix: + + - Minitar 1.0.1 was released with an unchanged gemspec. Reported by Debashish + Biswas in [#65][issue-65]. + +## 1.0.1 / 2024-08-08 + +- Bugfix: + + - Resolve a constant lookup issue. The accepted fix has been provided by Aram + Price in [#58][issue-58]. + +## 1.0.0 / 2024-08-07 + +- Breaking Changes: + + - Minimum Ruby version is 3.1. + + - The `Archive::Tar::Minitar` namespace has been completely removed and + `Minitar` is a class instead of a module. + +- Enhancements: + + - Added `Minitar.pack_as_file`, originally proposed by John Prince back in + 2011 [#7][issue-7]. + +## 0.12.1 / 2024-08-21 + +- Reverted adbbb9b596 to restore compatibility with Ruby < 2.0. Resolves + [#63][issue-63] reported by Robert Schulze. + +## 0.12 / 2024-08-06 + +- Properly handle very long GNU filenames, resolving [#46][issue-46]. +- Handle very long GNU filenames that are 512 or more bytes, resolving + [#45][issue-45]. Originally implemented in [#47][pull-47] by Vijay, but + accidentally closed. + +## 0.11 / 2022-12-31 + +- symlink support is complete. Merged as PR [#42][pull-42], rebased and built on + top of PR [#12][pull-12] by fetep. + +- kymmt90 fixed a documentation error on `Minitar.pack` in PR [#43][pull-43]. + +- This version is a soft-deprecation of all versions before Ruby 2.7, as they + will no longer be tested in CI. 
+ +## 0.10 / 2022-03-26 + +- nevesenin fixed an issue with long filename handling. Merged as PR + [#40][pull-40]. + +## 0.9 / 2019-09-04 + +- jtappa added the ability to skip fsync with a new option to `Minitar.unpack` + and `Minitar::Input#extract_entry`. Provide `:fsync => false` as the last + parameter to enable. Merged from a modified version of PR [#37][pull-37]. + +## 0.8 / 2019-01-05 + +- inkstak resolved an issue introduced in the fix for [#31][issue-31] by + allowing spaces to be considered valid characters in strict octal handling. + Octal conversion ignores leading spaces. Merged from a slightly modified + version of PR [#35][pull-35]. + +- dearblue contributed PR [#32][pull-32] providing an explicit call to #bytesize + for strings that include multibyte characters. The PR has been modified to be + compatible with older versions of Ruby and extend tests. + +- Akinori MUSHA (knu) contributed PR [#36][pull-36] that treats certain badly + encoded regular files (with names ending in `/`) as if they were directories + on decode. + +## 0.7 / 2018-02-19 + +- Fixed issue [#28][issue-28] with a modified version of PR [#29][pull-29] + covering the security policy and position for `Minitar`. Thanks so much to + [@ooooooo\_q](https://github.com/ooooooo_q) for the report and an initial + patch. Additional information was added as [#30][issue-30]. + +- dearblue contributed PR [#33][pull-33] providing a fix for `Minitar::Reader` + when the IO-like object does not have a `#pos` method. + +- Kevin McDermott contributed PR [#34][pull-34] so that an InvalidTarStream is + raised if the tar header is not valid, preventing incorrect streaming of files + from a non-tarfile. This is a minor breaking change, so the version has been + bumped accordingly. + +- Kazuyoshi Kato contributed PR [#26][pull-26] providing support for the GNU tar + long filename extension. + +- Addressed a potential DOS with negative size fields in tar headers + ([#31][issue-31]). 
This has been handled in two ways: the size field in a tar + header is interpreted as a strict octal value and the `Minitar` reader will + raise an InvalidTarStream if the size ends up being negative anyway. + +## 0.6.1 / 2017-02-07 + +- Fixed issue [#24][issue-24] where streams were being improperly closed + immediately on open unless there was a block provided. + +- Hopefully fixes issue [#23][issue-23] by releasing archive-tar-minitar after + minitar-cli is available. + +## 0.6 / 2017-02-07 + +- Breaking Changes: + + - Extracted `bin/minitar` into a new gem, `minitar-cli`. No, I am _not_ going + to bump the major version for this. As far as I can tell, few people use the + command-line utility anyway. (Installing `archive-tar-minitar` will install + both `minitar` and `minitar-cli`, at least until version 1.0.) + + - `Minitar` extraction before 0.6 traverses directories if the tarball + includes a relative directory reference, as reported in [#16][issue-16] by + [@ecneladis](https://github.com/ecneladis). This has been disallowed + entirely and will throw a `SecureRelativePathError` when found. + Additionally, if the final destination of an entry is an already-existing + symbolic link, the existing symbolic link will be removed and the file will + be written correctly (on platforms that support symbolic links). + +- Enhancements: + + - Licence change. After speaking with Mauricio Fernández, we have changed the + licensing of this library to Ruby and Simplified BSD and have dropped the + GNU GPL license. This takes effect from the 0.6 release. + - Printing a deprecation warning for including Archive::Tar to put `Minitar` + in the top-level namespace. + - Printing a deprecation warning for including `Archive::Tar::Minitar` into a + class (`Minitar` will be a class for version 1.0). + - Moved `Archive::Tar::PosixHeader` to `Archive::Tar::Minitar::PosixHeader` + with a deprecation warning. 
Do not depend on + `Archive::Tar::Minitar::PosixHeader`, as it will be moving to + `::Minitar::PosixHeader` in a future release. + - Added an alias, `::Minitar`, for `Archive::Tar::Minitar`, opted in with + `require 'minitar'`. In future releases, this alias will be enabled by + default, and the `Archive::Tar` namespace will be removed entirely for + version 1.0. + - Modified the handling of `mtime` in `PosixHeader` to do an integer + conversion (`#to_i`) so that a Time object can be used instead of the + integer value of the time object. + - `Writer::RestrictedStream` was renamed to `Writer::WriteOnlyStream` for + clarity. No alias or deprecation warning was provided for this as it is an + internal implementation detail. + - `Writer::BoundedStream` was renamed to `Writer::BoundedWriteStream` for + clarity. A deprecation warning is provided on first use because a + BoundedWriteStream may raise a `BoundedWriteStream::FileOverflow` exception. + - `Writer::BoundedWriteStream::FileOverflow` has been renamed to + `Writer::WriteBoundaryOverflow` and inherits from `StandardError` instead of + `RuntimeError`. Note that for Ruby 2.0 or higher, an error will be raised + when specifying `Writer::BoundedWriteStream::FileOverflow` because + `Writer::BoundedWriteStream` has been declared a private constant. + - Modified `Writer#add_file_simple` to accept the data for a file in + `opts[:data]`. When `opts[:data]` is provided, a stream block must not be + provided. Improved the documentation for this method. + - Modified `Writer#add_file` to accept `opts[:data]` and transparently call + `Writer#add_file_simple` in this case. + - Methods that require blocks are no longer required, so the + `Archive::Tar::Minitar::BlockRequired` exception has been removed with a + warning (this may not work on Ruby 1.8). + - Dramatically reduced the number of strings created when creating a POSIX + tarball header. 
+ - Added a helper, `Input.each_entry` that iterates over each entry in an + opened entry object. + +- Bugs: + + - Fix [#2][issue-2] to handle IO streams that are not seekable, such as pipes, + `STDIN`, or `STDOUT`. + - Fix [#3][issue-3] to make the test timezone resilient. + - Fix [#4][issue-4] for supporting the reading of tar files with filenames in + the GNU long filename extension format. Ported from + [@atoulme](https://github.com/atoulme)’s fork, originally provided by Curtis + Sampson. + - Fix [#6][issue-6] by making it raise the correct error for a long filename + with no path components. + - Fix [#13][issue-13] provided by [@fetep](https://github.com/fetep) fixes an + off-by-one error on filename splitting. + - Fix [#14][issue-14] provided by [@kzys](https://github.com/kzys) should fix + Windows detection issues. + - Fix [#16][issue-16] as specified above. + - Fix an issue where `Minitar.pack` would not include Unix hidden files when + creating a tarball. + +- Development: + + - Modernized minitar tooling around Hoe. + - Added travis and coveralls. + +## 0.5.2 / 2008-02-26 + +- Bugs: + - Fixed a Ruby 1.9 compatibility error. + +## 0.5.1 / 2004-09-27 + +- Bugs: + - Fixed a variable name error. + +## 0.5.0 + +- Initial release. Does files and directories. Command does create, extract, and + list. 
+ +[age]: https://github.com/FiloSottile/age +[hoe-halostatue]: https://github.com/halostatue/hoe-halostatue +[hoe-markdown]: https://github.com/flavorjones/hoe-markdown +[issue-13]: [#13](https://github.com/halostatue/minitar/issues/13) +[issue-14]: [#14](https://github.com/halostatue/minitar/issues/14) +[issue-16]: [#16](https://github.com/halostatue/minitar/issues/16) +[issue-23]: [#23](https://github.com/halostatue/minitar/issues/23) +[issue-24]: [#24](https://github.com/halostatue/minitar/issues/24) +[issue-28]: [#28](https://github.com/halostatue/minitar/issues/28) +[issue-2]: [#2](https://github.com/halostatue/minitar/issues/2) +[issue-30]: [#30](https://github.com/halostatue/minitar/issues/30) +[issue-31]: [#31](https://github.com/halostatue/minitar/issues/31) +[issue-3]: [#3](https://github.com/halostatue/minitar/issues/3) +[issue-45]: [#45](https://github.com/halostatue/minitar/issues/45) +[issue-46]: [#46](https://github.com/halostatue/minitar/issues/46) +[issue-4]: [#4](https://github.com/halostatue/minitar/issues/4) +[issue-58]: [#58](https://github.com/halostatue/minitar/issues/58) +[issue-63]: [#63](https://github.com/halostatue/minitar/issues/63) +[issue-65]: [#65](https://github.com/halostatue/minitar/issues/65) +[issue-6]: [#6](https://github.com/halostatue/minitar/issues/6) +[issue-7]: [#7](https://github.com/halostatue/minitar/issues/7) +[pull-12]: [#12](https://github.com/halostatue/minitar/pull/12) +[pull-26]: [#26](https://github.com/halostatue/minitar/pull/26) +[pull-29]: [#29](https://github.com/halostatue/minitar/pull/29) +[pull-32]: [#32](https://github.com/halostatue/minitar/pull/32) +[pull-33]: [#33](https://github.com/halostatue/minitar/pull/33) +[pull-34]: [#34](https://github.com/halostatue/minitar/pull/34) +[pull-35]: [#35](https://github.com/halostatue/minitar/pull/35) +[pull-36]: [#36](https://github.com/halostatue/minitar/pull/36) +[pull-37]: [#37](https://github.com/halostatue/minitar/pull/37) +[pull-40]: 
[#40](https://github.com/halostatue/minitar/pull/40) +[pull-42]: [#42](https://github.com/halostatue/minitar/pull/42) +[pull-43]: [#43](https://github.com/halostatue/minitar/pull/43) +[pull-47]: [#47](https://github.com/halostatue/minitar/pull/47) +[tidelift]: https://tidelift.com/security diff --git a/Code-of-Conduct.md b/CODE_OF_CONDUCT.md similarity index 100% rename from Code-of-Conduct.md rename to CODE_OF_CONDUCT.md diff --git a/Contributing.md b/CONTRIBUTING.md similarity index 81% rename from Contributing.md rename to CONTRIBUTING.md index 187999a..9fe6f8d 100644 --- a/Contributing.md +++ b/CONTRIBUTING.md @@ -1,4 +1,4 @@ -## Contributing +# Contributing I value any contribution to minitar you can provide: a bug report, a feature request, or code contributions. There are a few guidelines for contributing to @@ -15,7 +15,7 @@ minitar: - Submit a GitHub pull request with your changes. - New or changed behaviours require appropriate documentation. -### Test Dependencies +## Test Dependencies minitar uses Ryan Davis’s [Hoe][Hoe] to manage the release process, and it adds a number of rake tasks. You will mostly be interested in: @@ -47,7 +47,7 @@ You can run tests with code coverage analysis by running: $ rake test:coverage -### Workflow +## Workflow Here's the most direct way to get your work merged into the project: 
@@ -62,33 +62,6 @@ Here's the most direct way to get your work merged into the project: - Create a pull request against halostatue/minitar and describe what your change does and the why you think it should be merged. -### Contributors - -- Austin Ziegler created minitar, based on work originally written by Mauricio - Fernández for rpa-base. - -Thanks to everyone who has contributed to minitar: - -- Akinori MUSHA (knu) -- Antoine Toulme -- Curtis Sampson -- Daniel J. Berger -- dearblue -- inkstak -- John Prince -- Jorie Tappa -- Kazuyoshi Kato -- Kevin McDermott -- Matthew Kent -- Merten Falk -- Michal Suchanek -- Mike Furr -- ooooooo_q -- Pete Fritchman -- Vijay (bv-vijay) -- Yamamoto Kōhei -- Zach Dennis - [minitest]: https://github.com/seattlerb/minitest [quality commit messages]: http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html [hoe]: https://github.com/seattlerb/hoe diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md new file mode 100644 index 0000000..bcb4043 --- /dev/null +++ b/CONTRIBUTORS.md @@ -0,0 +1,26 @@ +# Contributors + +- Austin Ziegler created minitar, based on work originally written by Mauricio + Fernández for rpa-base. + +Thanks to everyone who has contributed to minitar: + +- Akinori MUSHA (knu) +- Antoine Toulme +- Curtis Sampson +- Daniel J. Berger +- dearblue +- inkstak +- John Prince +- Jorie Tappa +- Kazuyoshi Kato +- Kevin McDermott +- Matthew Kent +- Merten Falk +- Michal Suchanek +- Mike Furr +- ooooooo\_q +- Pete Fritchman +- Vijay (bv-vijay) +- Yamamoto Kōhei +- Zach Dennis diff --git a/History.md b/History.md deleted file mode 100644 index 1015b1b..0000000 --- a/History.md +++ /dev/null 
@@ -1,236 +0,0 @@ -# History - -## 1.0.2 / 2024-08-23 - -- Bugfix: - - - Minitar 1.0.1 was released with an unchanged gemspec. Reported by Debashish - Biswas in [#65][#65]. - -## 1.0.1 / 2024-08-08 - -- Bugfix: - - - Resolve a constant lookup issue. The accepted fix has been provided by Aram - Price in [#58][#58]. - -## 1.0.0 / 2024-08-07 - -- Breaking Changes: - - - Minimum Ruby version is 3.1. - - - The `Archive::Tar::Minitar` namespace has been completely removed and - `Minitar` is a class instead of a module. - -- Enhancements: - - - Added `Minitar.pack_as_file`, originally proposed by John Prince back in - 2011 [#7][#7]. - -## 0.12.1 / 2024-08-21 - -- Reverted @adbbb9b596 to restore compatibility with Ruby < 2.0. Resolves - [#63][#63] reported by Robert Schulze. - -## 0.12 / 2024-08-06 - -- Properly handle very long GNU filenames, resolving [#46][#46]. -- Handle very long GNU filenames that are 512 or more bytes, resolving - [#45][#45]. Originally implemented in [#47][#47] by Vijay, but accidentally - closed. - -## 0.11 / 2022-12-31 - -- symlink support is complete. Merged as PR [#42][#42], rebased and built on top - of PR [#12][#12] by fetep. - -- kymmt90 fixed a documentation error on `Minitar.pack` in PR [#43][#43]. - -- This version is a soft-deprecation of all versions before Ruby 2.7, as they - will no longer be tested in CI. - -## 0.10 / 2022-03-26 - -- nevesenin fixed an issue with long filename handling. Merged as PR [#40][#40]. - -## 0.9 / 2019-09-04 - -- jtappa added the ability to skip fsync with a new option to `Minitar.unpack` - and `Minitar::Input#extract_entry`. Provide `:fsync => false` as the last - parameter to enable. Merged from a modified version of PR [#37][#37]. - -## 0.8 / 2019-01-05 - -- inkstak resolved an issue introduced in the fix for [#31][#31] by allowing - spaces to be considered valid characters in strict octal handling. Octal - conversion ignores leading spaces. Merged from a slightly modified version of - PR [#35][#35]. 
- -- dearblue contributed PR [#32][#32] providing an explicit call to #bytesize for - strings that include multibyte characters. The PR has been modified to be - compatible with older versions of Ruby and extend tests. - -- Akinori MUSHA (knu) contributed PR [#36][#36] that treats certain badly - encoded regular files (with names ending in `/`) as if they were directories - on decode. - -## 0.7 / 2018-02-19 - -- Fixed issue [#28][#28] with a modified version of PR [#29][#29] covering the - security policy and position for `Minitar`. Thanks so much to ooooooo_q for - the report and an initial patch. Additional information was added as - [#30][#30]. - -- dearblue contributed PR [#33][#33] providing a fix for `Minitar::Reader` when - the IO-like object does not have a `#pos` method. - -- Kevin McDermott contributed PR [#34][#34] so that an InvalidTarStream is - raised if the tar header is not valid, preventing incorrect streaming of files - from a non-tarfile. This is a minor breaking change, so the version has been - bumped accordingly. - -- Kazuyoshi Kato contributed PR [#26][#26] providing support for the GNU tar - long filename extension. - -- Addressed a potential DOS with negative size fields in tar headers - ([#31][#31]). This has been handled in two ways: the size field in a tar - header is interpreted as a strict octal value and the `Minitar` reader will - raise an InvalidTarStream if the size ends up being negative anyway. - -## 0.6.1 / 2017-02-07 - -- Fixed issue [#24][#24] where streams were being improperly closed immediately - on open unless there was a block provided. - -- Hopefully fixes issue [#23][#23] by releasing archive-tar-minitar after - minitar-cli is available. - -## 0.6 / 2017-02-07 - -- Breaking Changes: - - - Extracted `bin/minitar` into a new gem, `minitar-cli`. No, I am _not_ going - to bump the major version for this. As far as I can tell, few people use the - command-line utility anyway. 
(Installing `archive-tar-minitar` will install - both `minitar` and `minitar-cli`, at least until version 1.0.) - - - `Minitar` extraction before 0.6 traverses directories if the tarball - includes a relative directory reference, as reported in [#16][#16] by - @ecneladis. This has been disallowed entirely and will throw a - `SecureRelativePathError` when found. Additionally, if the final destination - of an entry is an already-existing symbolic link, the existing symbolic link - will be removed and the file will be written correctly (on platforms that - support symbolic links). - -- Enhancements: - - - Licence change. After speaking with Mauricio Fernández, we have changed the - licensing of this library to Ruby and Simplified BSD and have dropped the - GNU GPL license. This takes effect from the 0.6 release. - - Printing a deprecation warning for including Archive::Tar to put `Minitar` - in the top-level namespace. - - Printing a deprecation warning for including `Archive::Tar::Minitar` into a - class (`Minitar` will be a class for version 1.0). - - Moved `Archive::Tar::PosixHeader` to `Archive::Tar::Minitar::PosixHeader` - with a deprecation warning. Do not depend on - `Archive::Tar::Minitar::PosixHeader`, as it will be moving to - `::Minitar::PosixHeader` in a future release. - - Added an alias, `::Minitar`, for `Archive::Tar::Minitar`, opted in with - `require 'minitar'`. In future releases, this alias will be enabled by - default, and the `Archive::Tar` namespace will be removed entirely for - version 1.0. - - Modified the handling of `mtime` in `PosixHeader` to do an integer - conversion (`#to_i`) so that a Time object can be used instead of the - integer value of the time object. - - `Writer::RestrictedStream` was renamed to `Writer::WriteOnlyStream` for - clarity. No alias or deprecation warning was provided for this as it is an - internal implementation detail. - - `Writer::BoundedStream` was renamed to `Writer::BoundedWriteStream` for - clarity. 
A deprecation warning is provided on first use because a - BoundedWriteStream may raise a `BoundedWriteStream::FileOverflow` exception. - - `Writer::BoundedWriteStream::FileOverflow` has been renamed to - `Writer::WriteBoundaryOverflow` and inherits from `StandardError` instead of - `RuntimeError`. Note that for Ruby 2.0 or higher, an error will be raised - when specifying `Writer::BoundedWriteStream::FileOverflow` because - `Writer::BoundedWriteStream` has been declared a private constant. - - Modified `Writer#add_file_simple` to accept the data for a file in - `opts[:data]`. When `opts[:data]` is provided, a stream block must not be - provided. Improved the documentation for this method. - - Modified `Writer#add_file` to accept `opts[:data]` and transparently call - `Writer#add_file_simple` in this case. - - Methods that require blocks are no longer required, so the - `Archive::Tar::Minitar::BlockRequired` exception has been removed with a - warning (this may not work on Ruby 1.8). - - Dramatically reduced the number of strings created when creating a POSIX - tarball header. - - Added a helper, `Input.each_entry` that iterates over each entry in an - opened entry object. - -- Bugs: - - - Fix [#2][#2] to handle IO streams that are not seekable, such as pipes, - `STDIN`, or `STDOUT`. - - Fix [#3][#3] to make the test timezone resilient. - - Fix [#4][#4] for supporting the reading of tar files with filenames in the - GNU long filename extension format. Ported from @atoulme’s fork, originally - provided by Curtis Sampson. - - Fix [#6][#6] by making it raise the correct error for a long filename with - no path components. - - Fix [#13][#13] provided by @fetep fixes an off-by-one error on filename - splitting. - - Fix [#14][#14] provided by @kzys should fix Windows detection issues. - - Fix [#16][#16] as specified above. - - Fix an issue where `Minitar.pack` would not include Unix hidden files when - creating a tarball. 
- -- Development: - - - Modernized minitar tooling around Hoe. - - Added travis and coveralls. - -## 0.5.2 / 2008-02-26 - -- Bugs: - - Fixed a Ruby 1.9 compatibility error. - -## 0.5.1 / 2004-09-27 - -- Bugs: - - Fixed a variable name error. - -## 0.5.0 - -- Initial release. Does files and directories. Command does create, extract, and - list. - -[#2]: https://github.com/halostatue/minitar/issues/2 -[#3]: https://github.com/halostatue/minitar/issues/3 -[#4]: https://github.com/halostatue/minitar/issues/4 -[#6]: https://github.com/halostatue/minitar/issues/6 -[#7]: https://github.com/halostatue/minitar/issues/7 -[#12]: https://github.com/halostatue/minitar/pull/12 -[#13]: https://github.com/halostatue/minitar/issues/13 -[#14]: https://github.com/halostatue/minitar/issues/14 -[#16]: https://github.com/halostatue/minitar/issues/16 -[#23]: https://github.com/halostatue/minitar/issues/23 -[#24]: https://github.com/halostatue/minitar/issues/24 -[#26]: https://github.com/halostatue/minitar/issues/27 -[#28]: https://github.com/halostatue/minitar/issues/28 -[#29]: https://github.com/halostatue/minitar/pull/29 -[#30]: https://github.com/halostatue/minitar/issues/30 -[#31]: https://github.com/halostatue/minitar/issues/31 -[#32]: https://github.com/halostatue/minitar/pull/32 -[#33]: https://github.com/halostatue/minitar/pull/33 -[#34]: https://github.com/halostatue/minitar/pull/34 -[#35]: https://github.com/halostatue/minitar/pull/35 -[#36]: https://github.com/halostatue/minitar/pull/36 -[#37]: https://github.com/halostatue/minitar/pull/37 -[#40]: https://github.com/halostatue/minitar/pull/40 -[#42]: https://github.com/halostatue/minitar/pull/42 -[#43]: https://github.com/halostatue/minitar/pull/43 -[#45]: https://github.com/halostatue/minitar/issues/45 -[#46]: https://github.com/halostatue/minitar/issues/46 -[#47]: https://github.com/halostatue/minitar/pull/47 -[#58]: https://github.com/halostatue/minitar/issues/58 -[#65]: https://github.com/halostatue/minitar/issues/65 
diff --git a/Licence.md b/LICENCE.md similarity index 94% rename from Licence.md rename to LICENCE.md index aba7213..7d0f571 100644 --- a/Licence.md +++ b/LICENCE.md @@ -10,6 +10,6 @@ terms of Ruby’s licence or the Simplified BSD licence. See the file docs/bsdl.txt in the main distribution. -### Ruby’s Licence +### Ruby's Licence See the file docs/ruby.txt in the main distribution. diff --git a/Manifest.txt b/Manifest.txt index b8f0282..8570f51 100644 --- a/Manifest.txt +++ b/Manifest.txt @@ -1,10 +1,12 @@ -Code-of-Conduct.md -Contributing.md -History.md -Licence.md +CHANGELOG.md +CODE_OF_CONDUCT.md +CONTRIBUTING.md +CONTRIBUTORS.md +LICENCE.md Manifest.txt -README.rdoc +README.md Rakefile +SECURITY.md docs/bsdl.txt docs/ruby.txt lib/minitar.rb diff --git a/README.md b/README.md new file mode 100644 index 0000000..956770b --- /dev/null +++ b/README.md 
@@ -0,0 +1,70 @@ +# minitar + +- home :: https://github.com/halostatue/minitar +- issues :: https://github.com/halostatue/minitar/issues +- code :: https://github.com/halostatue/minitar/ + +## Description + +The minitar library is a pure-Ruby library that operates on POSIX tar(1) archive +files. + +minitar (previously called Archive::Tar::Minitar) is based heavily on code +originally written by Mauricio Julio Fernández Pradier for the rpa-base project. + +## Synopsis + +Using minitar is easy. The simplest case is: + +```ruby +require 'minitar' + +# Packs everything that matches Find.find('tests'). +# test.tar will automatically be closed by Minitar.pack. +Minitar.pack('tests', File.open('test.tar', 'wb')) + +# Unpacks 'test.tar' to 'x', creating 'x' if necessary. +Minitar.unpack('test.tar', 'x') +``` + +A gzipped tar can be written with: + +```ruby + require 'zlib' + # test.tgz will be closed automatically. + Minitar.pack('tests', Zlib::GzipWriter.new(File.open('test.tgz', 'wb')) + + # test.tgz will be closed automatically. + Minitar.unpack(Zlib::GzipReader.new(File.open('test.tgz', 'rb')), 'x') +``` + +As the case above shows, one need not write to a file. However, it will +sometimes require that one dive a little deeper into the API, as in the case of +StringIO objects. Note that I'm not providing a block with Minitar::Output, as +Minitar::Output#close automatically closes both the Output object and the +wrapped data stream object. + +```ruby +begin + sgz = Zlib::GzipWriter.new(StringIO.new(String.new)) + tar = Output.new(sgz) + Find.find('tests') do |entry| + Minitar.pack_file(entry, tar) + end +ensure + # Closes both tar and sgz. + tar.close +end +``` + +## Minitar and Security + +See [SECURITY](./SECURITY.md) + +## minitar Semantic Versioning + +The minitar library uses a [Semantic Versioning][semver] scheme with one change: + +- When PATCH is zero (`0`), it will be omitted from version references. + +[semver]: http://semver.org/ 
diff --git a/README.rdoc b/README.rdoc deleted file mode 100644 index b8d4097..0000000 --- a/README.rdoc +++ /dev/null 
@@ -1,92 +0,0 @@ -= minitar - -home :: https://github.com/halostatue/minitar/ -code :: https://github.com/halostatue/minitar/ -bugs :: https://github.com/halostatue/minitar/issues -rdoc :: https://rdoc.info/gems/minitar/ -cli :: https://github.com/halostatue/minitar-cli - -== Description - -The minitar library is a pure-Ruby library that provides the ability to deal -with POSIX tar(1) archive files. - -This is release 0.12. This is likely the last revision before 1.0. - -minitar (previously called Archive::Tar::Minitar) is based heavily on code -originally written by Mauricio Julio Fernández Pradier for the rpa-base -project. - -== Synopsis - -Using minitar is easy. The simplest case is: - - require 'minitar' - - # Packs everything that matches Find.find('tests'). - # test.tar will automatically be closed by Minitar.pack. - Minitar.pack('tests', File.open('test.tar', 'wb')) - - # Unpacks 'test.tar' to 'x', creating 'x' if necessary. - Minitar.unpack('test.tar', 'x') - -A gzipped tar can be written with: - - require 'zlib' - # test.tgz will be closed automatically. - Minitar.pack('tests', Zlib::GzipWriter.new(File.open('test.tgz', 'wb')) - - # test.tgz will be closed automatically. - Minitar.unpack(Zlib::GzipReader.new(File.open('test.tgz', 'rb')), 'x') - -As the case above shows, one need not write to a file. However, it will -sometimes require that one dive a little deeper into the API, as in the case of -StringIO objects. Note that I'm not providing a block with Minitar::Output, as -Minitar::Output#close automatically closes both the Output object and the -wrapped data stream object. - - begin - sgz = Zlib::GzipWriter.new(StringIO.new(String.new)) - tar = Output.new(sgz) - Find.find('tests') do |entry| - Minitar.pack_file(entry, tar) - end - ensure - # Closes both tar and sgz. - tar.close - end - -== Minitar and Security - -Minitar aims to be secure by default for the data *inside* of a tarfile. 
If -there are any security issues discovered, please feel free to open an issue. -Should you wish to make a more confidential report, you can find my PGP key -information at {Keybase}[https://keybase.io/halostatue]. Bear with me: I do not -use PGP regularly, so it may take some time to remember the command invocations -required to successfully handle this. - -Minitar does *not* perform validation of path names provided to the convenience -calsses Minitar::Output and Minitar::Input, which use Kernel.open for their -underlying implementations when not given an IO-like object. - -Improper use of these classes with arbitrary input filenames may leave your -your software to the same class of vulnerability as reported for Net::FTP -({CVE-2017-17405}[https://nvd.nist.gov/vuln/detail/CVE-2017-17405]). Of -particular note, "if the localfile argument starts with the '|' pipe character, -the command following the pipe character is executed." - -Additionally, the use of the `open-uri` library (which extends Kernel.open with -transparent implementations of Net::HTTP, Net::HTTPS, and Net::FTP), there are -other possible vulnerabilities when accepting arbitrary input, as -{detailed}[https://sakurity.com/blog/2015/02/28/openuri.html] by Egor Homakov. - -These security vulnerabilities may be avoided, even with the Minitar::Output -and Minitar::Input convenience classes, by providing IO-like objects instead of -pathname-like objects as the source or destination of these classes. - -== minitar Semantic Versioning - -The minitar library uses a {Semantic Versioning}[http://semver.org/] scheme -with one change: - -* When PATCH is zero (+0+), it will be omitted from version references. diff --git a/Rakefile b/Rakefile index 925e972..4cfe13c 100644 --- a/Rakefile +++ b/Rakefile 
@@ -6,31 +6,28 @@ require "rake/clean"
 $LOAD_PATH.unshift("support")
-Hoe.plugin :doofus
-Hoe.plugin :gemspec2
-Hoe.plugin :git2
+Hoe.plugin :halostatue
 Hoe.plugin :minitest
-Hoe.plugin :rubygems
-Hoe.plugin :cov
+
+Hoe.plugins.delete :debug
+Hoe.plugins.delete :newb
+Hoe.plugins.delete :publish
+Hoe.plugins.delete :signing
 Hoe.spec "minitar" do
 developer("Austin Ziegler", "halostatue@gmail.com")
- self.history_file = "History.md"
- self.readme_file = "README.rdoc"
-
 require_ruby_version ">= 3.1"
 self.licenses = ["Ruby", "BSD-2-Clause"]
- spec_extras[:metadata] = ->(val) { val["rubygems_mfa_required"] = "true" }
+ spec_extras[:metadata] = ->(val) {
+ val.merge!({"rubygems_mfa_required" => "true"})
+ }
 extra_dev_deps << ["base64", "~> 0.2"]
 extra_dev_deps << ["hoe", "~> 4.0"]
- extra_dev_deps << ["hoe-doofus", "~> 1.0"]
- extra_dev_deps << ["hoe-gemspec2", "~> 1.1"]
- extra_dev_deps << ["hoe-git2", "~> 1.7"]
- extra_dev_deps << ["hoe-rubygems", "~> 1.0"]
+ extra_dev_deps << ["hoe-halostatue", "~> 1.0"]
 extra_dev_deps << ["minitest", "~> 5.16"]
 extra_dev_deps << ["minitest-autotest", "~> 1.0"]
 extra_dev_deps << ["minitest-focus", "~> 1.0"]
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..4594332
--- /dev/null
+++ b/SECURITY.md
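Review bot: `Hoe.plugins.delete :signing`, added alongside the `:debug`, `:newb` and `:publish` deletions near the top of the hunk, removes Hoe's `signing` plugin (the one that handles gem signing), yet nothing in the hunk records why, and it is the only one of the four whose removal has a release-integrity consequence rather than a convenience one. A comment above the four `delete` lines stating the reason and what, if anything, replaces signing would let a later maintainer judge the change rather than guess; e.g. `# Drop default Hoe plugins not used here; :signing is removed deliberately because <reason>` with the placeholder filled in. Separately, `val.merge!({"rubygems_mfa_required" => "true"})` can drop the literal braces and read `val.merge!("rubygems_mfa_required" => "true")`, which is the conventional form for a hash argument. The `Hoe.spec "minitar" do` block continues past the end of the hunk.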
@@ -0,0 +1,54 @@
+# Minitar Security Policy
+
+Minitar aims to be secure by default for the data _inside_ of a tar file.
+
+## Supported Versions
+
+Security reports are accepted only for the most recent major release. As of
+December 2024, that is the 1.0 release series. Older releases are no longer
+supported.
+
+## Reporting a Vulnerability
+
+By preference, use the [Tidelift security contact][tidelift]. Tidelift will
+coordinate the fix and disclosure.
+
+Alternatively, Send an email to [minitar@halostatue.ca][email] with the text
+`Minitar` in the subject. Emails sent to this address should be encrypted using
+[age][age] with the following public key:
+
+```
+age1fc6ngxmn02m62fej5cl30lrvwmxn4k3q2atqu53aatekmnqfwumqj4g93w
+```
+
+## Exclusions
+
+There are several classes of "security" issues which will not be accepted for
+Minitar, because any issues arising from these are a matter of the library being
+used incorrectly.
+
+Minitar does _not_ perform validation or sanitization of path names provided to
+the convenience classes `Minitar::Output` and `Minitar::Input`, which use
+`Kernel.open` for their underlying implementations when not given an IO-like
+object.
+
+Improper use of these convenience classes with arbitrary input filenames may
+leave your your software to the same class of vulnerability as reported for
+Net::FTP ([CVE-2017-17405][CVE-2017-17405]). If the input filename argument
+starts with the pipe character (`|`), the command following the pipe character
+is executed.
+
+Additionally, the use of the `open-uri` library (which extends `Kernel.open`
+with transparent implementations of `Net::HTTP`, `Net::HTTPS`, and `Net::FTP`),
+there are other possible vulnerabilities when accepting arbitrary input, as
+[detailed][openuri] by Egor Homakov.
+
+These security vulnerabilities may be avoided, even with the `Minitar::Output`
+and `Minitar::Input` convenience classes, by providing IO-like objects instead
+of pathname-like objects as the source or destination of these classes.
+
+[tidelift]: https://tidelift.com/security
+[email]: mailto:minitar@halostatue.ca
+[age]: https://github.com/FiloSottile/age
+[CVE-2017-17405]: https://nvd.nist.gov/vuln/detail/CVE-2017-17405
+[openuri]: https://sakurity.com/blog/2015/02/28/openuri.html
diff --git a/docs/ruby.txt b/docs/ruby.txt
index f7f597f..426810a 100644
--- a/docs/ruby.txt
+++ b/docs/ruby.txt
@@ -44,13 +44,13 @@ You can redistribute it and/or modify it under either the terms of the
 For the list of those files and their copying conditions, see the
 file LEGAL.
- 5. The scripts and library files supplied as input to or produced as
+ 5. The scripts and library files supplied as input to or produced as
 output from the software do not automatically fall under the
- copyright of the software, but belong to whomever generated them,
+ copyright of the software, but belong to whomever generated them,
 and may be sold commercially, and may be aggregated with this
 software.
 6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
 IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- PURPOSE.
\ No newline at end of file
+ PURPOSE.
diff --git a/minitar.gemspec b/minitar.gemspec
index 98072a2..6ba69a9 100644
--- a/minitar.gemspec
+++ b/minitar.gemspec
@@ -6,30 +6,27 @@ Gem::Specification.new do |s|
 s.version = "1.0.2".freeze
 s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
- s.metadata = { "bug_tracker_uri" => "https://github.com/halostatue/minitar/issues", "homepage_uri" => "https://github.com/halostatue/minitar/", "rubygems_mfa_required" => "true", "source_code_uri" => "https://github.com/halostatue/minitar/" } if s.respond_to? :metadata=
+ s.metadata = { "bug_tracker_uri" => "https://github.com/halostatue/minitar/issues", "homepage_uri" => "https://github.com/halostatue/minitar", "rubygems_mfa_required" => "true", "source_code_uri" => "https://github.com/halostatue/minitar/" } if s.respond_to? :metadata=
 s.require_paths = ["lib".freeze]
 s.authors = ["Austin Ziegler".freeze]
- s.date = "2024-08-23"
- s.description = "The minitar library is a pure-Ruby library that provides the ability to deal\nwith POSIX tar(1) archive files.\n\nThis is release 0.12. This is likely the last revision before 1.0.\n\nminitar (previously called Archive::Tar::Minitar) is based heavily on code\noriginally written by Mauricio Julio Fern\u00E1ndez Pradier for the rpa-base\nproject.".freeze
+ s.date = "2024-12-31"
+ s.description = "The minitar library is a pure-Ruby library that operates on POSIX tar(1) archive\nfiles.\n\nminitar (previously called Archive::Tar::Minitar) is based heavily on code\noriginally written by Mauricio Julio Fern\u00E1ndez Pradier for the rpa-base project.".freeze
 s.email = ["halostatue@gmail.com".freeze]
- s.extra_rdoc_files = ["Code-of-Conduct.md".freeze, "Contributing.md".freeze, "History.md".freeze, "Licence.md".freeze, "Manifest.txt".freeze, "README.rdoc".freeze, "docs/bsdl.txt".freeze, "docs/ruby.txt".freeze]
- s.files = ["Code-of-Conduct.md".freeze, "Contributing.md".freeze, "History.md".freeze, "Licence.md".freeze, "Manifest.txt".freeze, "README.rdoc".freeze, "Rakefile".freeze, "docs/bsdl.txt".freeze, "docs/ruby.txt".freeze, "lib/minitar.rb".freeze, "lib/minitar/input.rb".freeze, "lib/minitar/output.rb".freeze, "lib/minitar/posix_header.rb".freeze, "lib/minitar/reader.rb".freeze, "lib/minitar/writer.rb".freeze, "test/minitest_helper.rb".freeze, "test/support/tar_test_helpers.rb".freeze, "test/test_issue_46.rb".freeze, "test/test_minitar.rb".freeze, "test/test_tar_header.rb".freeze, "test/test_tar_input.rb".freeze, "test/test_tar_output.rb".freeze, "test/test_tar_reader.rb".freeze, "test/test_tar_writer.rb".freeze]
- s.homepage = "https://github.com/halostatue/minitar/".freeze
+ s.extra_rdoc_files = ["CHANGELOG.md".freeze, "CODE_OF_CONDUCT.md".freeze, "CONTRIBUTING.md".freeze, "CONTRIBUTORS.md".freeze, "LICENCE.md".freeze, "Manifest.txt".freeze, "README.md".freeze, "SECURITY.md".freeze, "docs/bsdl.txt".freeze, "docs/ruby.txt".freeze]
+ s.files = ["CHANGELOG.md".freeze, "CODE_OF_CONDUCT.md".freeze, "CONTRIBUTING.md".freeze, "CONTRIBUTORS.md".freeze, "LICENCE.md".freeze, "Manifest.txt".freeze, "README.md".freeze, "Rakefile".freeze, "SECURITY.md".freeze, "docs/bsdl.txt".freeze, "docs/ruby.txt".freeze, "lib/minitar.rb".freeze, "lib/minitar/input.rb".freeze, "lib/minitar/output.rb".freeze, "lib/minitar/posix_header.rb".freeze, "lib/minitar/reader.rb".freeze, "lib/minitar/writer.rb".freeze, "test/minitest_helper.rb".freeze, "test/support/tar_test_helpers.rb".freeze, "test/test_issue_46.rb".freeze, "test/test_minitar.rb".freeze, "test/test_tar_header.rb".freeze, "test/test_tar_input.rb".freeze, "test/test_tar_output.rb".freeze, "test/test_tar_reader.rb".freeze, "test/test_tar_writer.rb".freeze]
+ s.homepage = "https://github.com/halostatue/minitar".freeze
 s.licenses = ["Ruby".freeze, "BSD-2-Clause".freeze]
- s.rdoc_options = ["--main".freeze, "README.rdoc".freeze]
+ s.rdoc_options = ["--main".freeze, "README.md".freeze]
 s.required_ruby_version = Gem::Requirement.new(">= 3.1".freeze)
- s.rubygems_version = "3.5.17".freeze
- s.summary = "The minitar library is a pure-Ruby library that provides the ability to deal with POSIX tar(1) archive files".freeze
+ s.rubygems_version = "3.5.23".freeze
+ s.summary = "The minitar library is a pure-Ruby library that operates on POSIX tar(1) archive files".freeze
 s.specification_version = 4
- s.add_development_dependency(%q.freeze, ["~> 5.24".freeze])
+ s.add_development_dependency(%q.freeze, ["~> 5.25".freeze])
 s.add_development_dependency(%q.freeze, ["~> 0.2".freeze])
 s.add_development_dependency(%q.freeze, ["~> 4.0".freeze])
- s.add_development_dependency(%q.freeze, ["~> 1.0".freeze])
- s.add_development_dependency(%q.freeze, ["~> 1.1".freeze])
- s.add_development_dependency(%q.freeze, ["~> 1.7".freeze])
- s.add_development_dependency(%q.freeze, ["~> 1.0".freeze])
+ s.add_development_dependency(%q.freeze, ["~> 1.0".freeze])
 s.add_development_dependency(%q.freeze, ["~> 1.0".freeze])
 s.add_development_dependency(%q.freeze, ["~> 1.0".freeze])
 s.add_development_dependency(%q.freeze, [">= 10.0".freeze, "< 14".freeze])
@@ -37,5 +34,4 @@ Gem::Specification.new do |s|
 s.add_development_dependency(%q.freeze, ["~> 1.0".freeze])
 s.add_development_dependency(%q.freeze, ["~> 1.0".freeze])
 s.add_development_dependency(%q.freeze, ["~> 1.0".freeze])
- s.add_development_dependency(%q.freeze, ["~> 0.21".freeze])
 end