$ snapcraft
Pulling deps
Downloading 'node-v6.14.2-linux-x64.tar.gz'[============================================================================================================================================] 100%
Sorry, an error occurred in Snapcraft:
Traceback (most recent call last):
File "/usr/bin/snapcraft", line 9, in <module>
load_entry_point('snapcraft==2.43.1', 'console_scripts', 'snapcraft')()
File "/usr/lib/python3/dist-packages/click/core.py", line 716, in __call__
return self.main(*args, **kwargs)
File "/usr/lib/python3/dist-packages/click/core.py", line 696, in main
rv = self.invoke(ctx)
File "/usr/lib/python3/dist-packages/click/core.py", line 1037, in invoke
return Command.invoke(self, ctx)
File "/usr/lib/python3/dist-packages/click/core.py", line 889, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/lib/python3/dist-packages/click/core.py", line 534, in invoke
return callback(*args, **kwargs)
File "/usr/lib/python3/dist-packages/click/decorators.py", line 17, in new_func
return f(get_current_context(), *args, **kwargs)
File "/usr/lib/python3/dist-packages/snapcraft/cli/_runner.py", line 93, in run
ctx.forward(lifecyclecli.commands["snap"])
File "/usr/lib/python3/dist-packages/click/core.py", line 552, in forward
return self.invoke(cmd, **kwargs)
File "/usr/lib/python3/dist-packages/click/core.py", line 534, in invoke
return callback(*args, **kwargs)
File "/usr/lib/python3/dist-packages/snapcraft/cli/lifecycle.py", line 136, in snap
project = _execute(steps.PRIME, parts=[], **kwargs)
File "/usr/lib/python3/dist-packages/snapcraft/cli/lifecycle.py", line 35, in _execute
lifecycle.execute(step, project_config, parts)
File "/usr/lib/python3/dist-packages/snapcraft/internal/lifecycle/_runner.py", line 90, in execute
executor.run(step, part_names)
File "/usr/lib/python3/dist-packages/snapcraft/internal/lifecycle/_runner.py", line 194, in run
self._handle_step(part_names, part, step, current_step, cli_config)
File "/usr/lib/python3/dist-packages/snapcraft/internal/lifecycle/_runner.py", line 208, in _handle_step
getattr(self, "_run_{}".format(current_step.name))(part)
File "/usr/lib/python3/dist-packages/snapcraft/internal/lifecycle/_runner.py", line 250, in _run_pull
self._run_step(step=steps.PULL, part=part, progress="Pulling")
File "/usr/lib/python3/dist-packages/snapcraft/internal/lifecycle/_runner.py", line 327, in _run_step
getattr(part, step.name)()
File "/usr/lib/python3/dist-packages/snapcraft/internal/pluginhandler/__init__.py", line 415, in pull
self._runner.pull()
File "/usr/lib/python3/dist-packages/snapcraft/internal/pluginhandler/_runner.py", line 83, in pull
"override-pull", self._override_pull_scriptlet, self._sourcedir
File "/usr/lib/python3/dist-packages/snapcraft/internal/pluginhandler/_runner.py", line 162, in _run_scriptlet
scriptlet_name, function_call.strip()
File "/usr/lib/python3/dist-packages/snapcraft/internal/pluginhandler/_runner.py", line 218, in _handle_builtin_function
function(**function_args)
File "/usr/lib/python3/dist-packages/snapcraft/internal/pluginhandler/__init__.py", line 435, in _do_pull
self.plugin.pull()
File "/usr/lib/python3/dist-packages/snapcraft/plugins/nodejs.py", line 158, in pull
self._npm_install(rootdir=self.sourcedir)
File "/usr/lib/python3/dist-packages/snapcraft/plugins/nodejs.py", line 191, in _npm_install
self.installdir, clean_target=False, keep_tarball=True
File "/usr/lib/python3/dist-packages/snapcraft/internal/sources/_tar.py", line 70, in provision
self._extract(tarball, dst)
File "/usr/lib/python3/dist-packages/snapcraft/internal/sources/_tar.py", line 108, in _extract
tar.extractall(members=filter_members(tar), path=dst)
File "/usr/lib/python3.5/tarfile.py", line 1988, in extractall
for tarinfo in members:
File "/usr/lib/python3/dist-packages/snapcraft/internal/sources/_tar.py", line 82, in filter_members
members = tar.getmembers()
File "/usr/lib/python3.5/tarfile.py", line 1747, in getmembers
self._load() # all members, we first have to
File "/usr/lib/python3.5/tarfile.py", line 2340, in _load
tarinfo = self.next()
File "/usr/lib/python3.5/tarfile.py", line 2279, in next
tarinfo = self.tarinfo.fromtarfile(self)
File "/usr/lib/python3.5/tarfile.py", line 1082, in fromtarfile
buf = tarfile.fileobj.read(BLOCKSIZE)
File "/usr/lib/python3.5/gzip.py", line 274, in read
return self._buffer.read(size)
File "/usr/lib/python3.5/_compression.py", line 68, in readinto
data = self.read(len(byte_view))
File "/usr/lib/python3.5/gzip.py", line 469, in read
uncompress = self._decompressor.decompress(buf, size)
zlib.error: Error -3 while decompressing data: invalid block type
We would appreciate it if you created a bug report at
https://launchpad.net/snapcraft/+filebug with the above text included.
On Fri, Sep 21, 2018 at 12:16:42PM -0000, Aleksandr Bogdanov wrote:
> $ snapcraft
> Pulling deps
> Downloading 'node-v6.14.2-linux-x64.tar.gz'[============================================================================================================================================] 100%
> Sorry, an error occurred in Snapcraft:
> Traceback (most recent call last):
> [... snip ...]
> File "/usr/lib/python3.5/_compression.py", line 68, in readinto
> data = self.read(len(byte_view))
> File "/usr/lib/python3.5/gzip.py", line 469, in read
> uncompress = self._decompressor.decompress(buf, size)
> zlib.error: Error -3 while decompressing data: invalid block type
Hello,
Based solely on this traceback, it looks very much like a tarball is being
downloaded, decompressed, and probably untarred, without first checking
integrity via a GPG signature or at least an SHA-256 obtained by a trusted
mechanism.
Did I read this correctly?
Is this intentional or is this an accidental oversight?
If this is intentional, are users made aware of the risks involved?
Thanks
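
Added example, not part of the thread and not Snapcraft's code: a verify-before-extract step of the kind the reply above asks about, written in Python. It assumes the checksum list (in the "sha256hex  filename" layout used by Node.js's SHASUMS256.txt) was itself obtained and authenticated through a trusted channel, which is not shown; every function name is hypothetical and the tarball is a constructed sample.

```python
import hashlib
import hmac
import io
import os
import tarfile


def parse_shasums(text):
    """Map filename -> digest from 'sha256hex  filename' lines."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1]] = parts[0].lower()
    return sums


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_then_extract(tarball, shasums_text, dst):
    """Hash the file first; only a matching tarball reaches tarfile."""
    name = os.path.basename(tarball)
    expected = parse_shasums(shasums_text).get(name)
    if expected is None:
        raise ValueError("no trusted digest listed for " + name)
    if not hmac.compare_digest(sha256_file(tarball), expected):
        raise ValueError("SHA-256 mismatch, refusing to extract " + name)
    os.makedirs(dst, exist_ok=True)
    # Use the stdlib "data" extraction filter where this Python has it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(tarball) as tar:
        tar.extractall(path=dst, **extra)
    return sorted(os.listdir(dst))


def make_sample(workdir, name="node-v6.14.2-linux-x64.tar.gz"):
    """Constructed sample: a one-file tarball and its checksum line."""
    path = os.path.join(workdir, name)
    data = b"constructed sample, not a real Node.js release\n"
    with tarfile.open(path, "w:gz") as tar:
        info = tarfile.TarInfo("README")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return path, "{}  {}\n".format(sha256_file(path), name)
```

With this ordering, a corrupted, truncated or substituted download is rejected at the digest comparison, before gzip or tarfile parse any of its bytes.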