Per PEP-706 (Filter for tarfile.extractall), Python 3.12 adds a warning for unpacking tarballs, and 3.14 will change default behaviour. This affects tools that unpack source distributions.
It’s a chance to write down how the unarchiving should work, and what kind of metadata sdists should preserve.
It seems like a PEP is the best way for this, so I looked a bit into how tools unpack sdists, and tried to write something in standardese.
Note that generally, after a packaging tool unpacks a sdist it immediately executes unpacked code. So this proposal is not about solving security issues.
Does the following sound reasonable?
Extracting a source distribution archive should normally use the
filter added in :pep:
We clarify details, and specify the behaviour for tools that cannot use the
The source distribution (sdist) is defined as a tar archive.
The tar format is designed to capture all metadata of Unix-like files.
Some of these are dangerous, unnecessary for source code, and/or
As explained in :pep:
706, when extracting a tarball, one should always either
limit the allowed features, or explicitly give the tarball total control.
For source distributions, the
data filter introduced in :pep:
is enough. It allows slighty more features than
commonly used in packaging workflows).
However, not all tools can use the
so we specify an explicit set of behaviours and expectations.
This PEP specifies an explicit set of expectations.
The aim is that the current behaviour of
setuptools.archive_util.unpack_tarfile is valid,
except cases deemed too dangerous to allow.
Another consideration is ease of implementation for non-Python tools.
Tools are allowed to ignore this PEP when running on Python pithout tarfile
The feature has been backported to all versions of Python supported by
python.org. Vendoring it in third-party libraries is tricky,
and we should not force all tools to do so.
This shifts the responsibility to keep up with security updates from libraries
to the users.
Common tools (
zip) don’t preserve Unix permissions (mode bits).
Telling users to not rely on them in sdists, and allowing tools to handle
them relatively freely, seems fair.
The only exception is the executable permission.
We recommend, but not require, that tools preserve the it.
Given that scripts are generally platform-specific, it seems fitting to
say that keeping them executable is tool-specific behaviour.
Note that while
git preserves executability,
zip (and thus
doesn’t do it natively. (It is possible to encode it in “external attributes”,
ZipFile.extract does not honor that.)
The following will be added to
the PyPA source distribution format spec <https://packaging.python.org/en/latest/specifications/source-distribution-format/>_
under Source distribution archive features:
Because extracting tar files as-is is dangerous, and the results are
platform-specific, archive features of source distributions are limited.
When extracting a source distribution, tools MUST either use
TarFile.extractall(..., filter='data')), OR
follow the Unpacking without the data filter section below.
As an exception, on Python interpreters without
706), tools that normally use that filter (directly on indirectly)
MAY warn the user and ignore this specification.
The trade-off between usability (e.g. fully trusting the archive) and
security (e.g. refusing to unpack) is left up to the tool.
Tools that do not use the
data filter directly (e.g. for backwards
compatibility, allowing additional features, or not using Python) MUST follow
(At the time of this writing, the
data filter also follows this section,
but it may get out of sync in the future.)
The following files are invalid in a
Upon encountering such an entry, tools SHOULD notify the user,
MUST NOT unpack the entry, and MAY abort with a failure:
- Files that would be placed outside the destination directory.
- Links (symbolic or hard) pointing outside the destination directory.
- Device files (including pipes).
The following are also invalid. Tools MAY treat them as above,
but are NOT REQUIRED to do so:
- Files with a
..component in the filename or link target.
- Links pointing to a file that is not part of the archive.
Tools MAY unpack links (symbolic or hard) as regular files,
using content from the archive.
Leading slashes in file names SHOULD be dropped.
(This is nowadays standard behaviour for
mode(Unix permission) bit, tools MUST either:
- use the platform’s default for a new file/directory (respectively),
- set the bit according to the archive, or
- use the bit from
0o644) for non-executable files or
0o755) for executable files and directories.
modebits (setuid, setgid, sticky) MUST be cleared.
It is RECOMMENDED to preserve the user executable bit.
To create a portable sdist, tools SHOULD use only
for non-executable files, and
0o755) for executable files
Users MAY rely on the user read and write permissions being set.
The other bits are tool- and platform-specific.
(Platforms where these permissions are not set by default MAY be ignored.)
Tool authors are encouraged to consider how hints for further
tarfile documentation apply for their tool.
The existing behaviour is unspecified, and treated differently by different
This PEP makes the expectations explicit.
There is no known case of backwards incompatibility, but some project out there
probably does rely on details that aren’t guaranteed.
This PEP bans the most dangerous of those features, and the rest is
data filter is believed safe against common exploits,
and is a single place to amend if flaws are found in the future.
The explicit specification includes protections from the
The PEP is aimed at authors of packaging tools, who should be fine with
a PEP and an updated packaging spec.
This document is placed in the public domain or under the
CC0-1.0-Universal license, whichever is more permissive.