chore: Update version to 6.5.29

[add-uos]

• update version to 6.5.29

log: update version to 6.5.29

Summary by Sourcery

Chores:

• Update Debian packaging metadata to reflect version 6.5.29.

[github-actions]

TAG Bot

TAG: 6.5.29
EXISTED: no
DISTRIBUTION: unstable

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Update Debian packaging metadata to bump the project version to 6.5.29 in the changelog.

File-Level Changes

Change	Details	Files
Bump packaged application version to 6.5.29 in Debian changelog metadata.	Update the top changelog entry version number to 6.5.29. Adjust associated log/entry text to reflect the new 6.5.29 version.	debian/changelog

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[deepin-ci-robot]

deepin pr auto review

你好！我是CodeGeeX。我已仔细审查了你提供的 Git Diff 输入。本次修改主要涉及 deepin-compressor 项目的 Debian Changelog 更新，记录了版本号升级至 6.5.29 以及一系列的修复和优化。

由于本次 Diff 仅包含 debian/changelog 的文本变更，不包含实际的 C++/Qml 代码逻辑，我将从变更日志规范和关联的代码安全性/逻辑两个维度进行审查，并给出改进意见。

一、 变更日志规范审查

1. 重复的条目

+  * [skip CI] Translate deepin-compressor.ts in ru
+  * [skip CI] Translate deepin-compressor.ts in ru

改进意见：存在两条完全相同的俄语翻译提交记录。在规范的 Changelog 中，应将相同类型的更改合并，或者删除重复项。建议合并为一条，或者如果代表两次独立的提交，建议在描述上加以区分。

2. 提交信息分类与排序
目前日志混合了杂项、修复和安全更新，且顺序略显随意。
改进意见：按照开源社区惯例，建议将同类别的修改进行归类，并按重要性降序排列（如：安全 > 缺陷修复 > 性能优化 > 杂项/文档），这样能让维护者和用户快速抓住重点。例如：

  * fix(security): harden symlink target validation during extraction
  * fix(security): allow symlink creation, check path escape only during file writes (#381)
  * fix: handle wrong password when processing longname-extract
  * fix: handle password prompt and missing list in long filename extraction
  * fix: optimize handleLongNameExtract by batching extraction
  * chore: Update version to 6.5.29
  * [skip CI] Translate deepin-compressor.ts in ru

3. 日期格式检查

+ -- zhanghongyuan <zhanghongyuan@uniontech.com>  Thu, 28 May 2026 20:28:41 +0800

改进意见：日期显示为 2026年5月28日。请确认这是否是笔误（如本意是 2025 或 2024）。Debian Changelog 要求使用 RFC 2822 格式的准确日期，如果日期填写未来时间，可能会导致打包工具（如 dpkg-buildpackage）发出警告或产生不可预期的行为。

---

二、 关联代码逻辑与安全性审查

虽然 Diff 中没有实际代码，但 Changelog 中提到了几个非常关键的安全和逻辑修复，针对这些描述，我对底层代码提出以下审查意见和改进建议：

1. 符号链接安全修复

+  * fix(security): allow symlink creation, check path escape only during file writes (#381)
+  * fix(security): harden symlink target validation during extraction

审查意见：这是本次更新中最核心的安全修复。解压压缩包时处理符号链接是典型的 Zip Slip / 路径穿越攻击向量。
代码改进建议：

• 创建时验证：在创建符号链接时，不仅要验证链接文件本身的路径没有穿越（如 ../../../etc/passwd），还必须严格验证链接指向的目标路径。
• 相对路径与绝对路径：如果压缩包内包含指向绝对路径（如 /etc/shadow）的软链接，解压时应当拒绝或降级为普通文件，除非用户明确指定允许解压绝对路径软链接。
• 延迟验证的风险：Changelog 提到 "check path escape only during file writes"（仅在写入文件时检查路径穿越）。这意味着如果恶意软链接指向了 /tmp/evil，而后续解压的文件正好写入 /tmp/evil，就会覆盖敏感文件。因此，在创建软链接的那一刻，就必须对其 target 进行 realpath 校验或前缀匹配校验，确保 target 不会逃逸出解压目标目录。

2. 长文件名提取与密码处理

+  * fix: optimize handleLongNameExtract by batching extraction
+  * fix: handle wrong password when processing longname-extract
+  * fix: handle password prompt and missing list in long filename extraction

审查意见：这三个修复紧密相关，通常针对的是 tar/tar.gz 等格式中超过 100/155 字节的长文件名（GNU tar 或 POSIX tar 扩展）。
代码改进建议：

• 批处理的内存风险：采用批处理提取优化性能时，需注意内存消耗。如果遇到恶意构造的压缩包，包含数万个长文件名文件，一次性批量读取或处理可能会导致 OOM（内存溢出）。建议批处理设置合理的上限（如每 100 个文件处理一次）。
• 状态机重置：长文件名的解析通常涉及前缀和名称的拼接。在批处理或遇到错误（如密码错误）中断后重新提取时，必须确保长文件名的解析缓冲区（状态机）被彻底清空和重置，否则可能导致后续文件名拼接错乱，进而引发路径穿越或崩溃。
• 密码提示的异步阻塞：在批处理提取中弹出密码提示框，需确保 UI 线程不会阻塞解压线程，同时解压线程需正确挂起等待密码输入，避免超时或死锁。

总结

本次变更日志记录了重要的安全性和稳定性更新。建议：

1. 修正 Changelog 中的重复项和可能存在的日期错误。
2. 对底层代码中的 Symlink 校验逻辑进行二次复核，确保在 symlink() 系统调用前，target 路径已被严格规范化并限制在安全目录内。
3. 长文件名的批处理优化需增加防恶意构造的内存保护机制。

如果你能提供涉及这些修复的实际 C++ 代码 Diff，我可以为你提供更深入的代码级审查和性能分析！

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: add-uos, lzwind

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deepin-bot]

TAG Bot

✅ Tag created successfully

📋 Tag Details

• Tag Name: 6.5.29
• Tag SHA: 3c1bb1415906de53b8feada8d9d0b2b1625e9294
• Commit SHA: 8c72e2df8dec50759b9eebfc1821ef450cf508e1
• Tag Message:

  Release deepin-compressor 6.5.29
  
  

• Tagger:
  • Name: add-uos
• Distribution: unstable