23 Sep 2022, 2:01 a.m.
I encourage anyone using tarfile in their projects to double-check they're doing so safely[2].
I looked at Nova and Glance this morning and I think we're good. The only use in nova is in the vmwareapi driver, which does use tarfile to pull out a vmdk file, but it does so in memory and streams it direct to vmfs without extracting it to the local disk. Glance's only use is in the ova processing, which extracts the ovf and disk image from the tarfile, but it processes the ovf in memory and then streams the disk image to a uuid-based-name file on disk. So I think those are okay at least, although I'm happy for others to check my work of course. --Dan
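An added example (not code from Nova, Glance or the thread) of the two patterns Dan describes: reading a member entirely in memory, and streaming a member to a file whose name the server chooses rather than the archive. The member check, function names and the sample archive are constructed for this illustration.

```python
import io
import os
import shutil
import tarfile
import uuid

def is_safe_member(member: tarfile.TarInfo) -> bool:
    """Reject anything that could land outside the destination: absolute
    names, any '..' component, and links or device nodes."""
    parts = member.name.replace("\\", "/").split("/")
    if parts[0] == "" or ".." in parts:  # a leading "/" gives an empty first part
        return False
    return not (member.issym() or member.islnk() or member.isdev())

def read_safe_members(tar_bytes: bytes):
    """In-memory read, like the OVF step: ({name: bytes} for safe files, [rejected names])."""
    safe, rejected = {}, []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not is_safe_member(member):
                rejected.append(member.name)
            elif member.isfile():
                with tar.extractfile(member) as f:
                    safe[member.name] = f.read()
    return safe, rejected

def stream_member_to_uuid_file(tar_bytes: bytes, name: str, dest_dir: str) -> str:
    """Copy one safe member to a uuid-named file in dest_dir; the archive never picks the path."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        member = tar.getmember(name)
        if not (is_safe_member(member) and member.isfile()):
            raise ValueError(f"refusing unsafe or non-regular member: {name!r}")
        path = os.path.join(dest_dir, str(uuid.uuid4()))
        with tar.extractfile(member) as src, open(path, "wb") as dst:
            shutil.copyfileobj(src, dst, 1 << 20)  # chunked, never whole-file in RAM
    return path

def build_sample_tar() -> bytes:
    """Constructed sample: a benign file, a '..' traversal name, and a symlink to an absolute path."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("image.ovf", b"<Envelope/>"), ("../../outside.txt", b"x")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("escape")
        link.type, link.linkname = tarfile.SYMTYPE, "/etc/passwd"
        tar.addfile(link)
    return buf.getvalue()
```

For code that does call extractall(), Python 3.12 (and the security backports to 3.8.17+, 3.9.17+, 3.10.12+, 3.11.4+) adds the filter argument, and filter="data" rejects the same member shapes at extraction time.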