Drop support for .tar.gz files (remove Archive_tar from core)

[jenlampton]

The archive_tar library is only used in one instance for Backdrop: the user interface that allows people to upload modules via installer module. (Installer module also allows browse/install from backdropcms.org, and that would not be affected).

This year we've had several security releases specifically to address vulnerabilities in archive_tar.

I would like to propose that we remove this from core, and thus only support the upload of .zip files.

This is likely something that would need to wait until 2.x, so labeling as such.

[quicksketch]

Just a note that currently all packages we publish to GitHub are only available as ZIP files. So all module installs and upgrades use ZIP currently.

I'm sure there are many differences between zip and tar.gz files, but one of the issues that make tar.gz files problematic is that they fully preserve filesystem characteristics such as symlinks and file permissions. Zip files discard that information and really only store the files. I think generally this makes it a "safer" archival format, although less flexible and capable.

[jenlampton]

I was thinking about this the other day and I think we can do it in 1.x by adding an admin setting to enable .tar.gx files, disabled for new sites. Maybe disabled for all sites?

[klonos]

Having it as an option, and keeping it disabled by default makes sense to me, especially since this functionality relies on a 3rd-party library. This will provide a mitigation mechanism, so when/if there are security updates for that 3rd-party library, we can be "downgrading" the severity, and apply the security fix at a pace that suits our capacity (instead of having to decide on whether to rush a security release, or delay).