The version of package tar (1.29) could be updated. Some more recent versions which fix CVEs exist.
We can't upgrade the version of tar without being cautious. The host tar is used to create the archives in the VCS download backends (git, cvs, svn, hg...), and tar 1.30 and forward have changed the way they generate the archives. So, all the archives we had generated before 1.30 was released are not bit-for-bit reproducible (even though the extracted content would be), so the hashes we have for those archives would not match. Hence we need to keep host-tar at 1.29. For the target variant, this is less important of course, but so far no one has submitted a patch. It's also that we do not have many packages for which the host and target versions are different.
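The point above is that two archives can extract to identical trees yet differ byte-for-byte, so a stored hash over the archive breaks as soon as the host tar changes any detail of how it lays out headers. The script below is an added illustration, not Buildroot code or the commenter's own; it does not reproduce the specific 1.30 change, only the general mechanism. It builds a small constructed tree twice with different file timestamps, packs each tree once with tar's defaults and once with every non-content input pinned, and compares hashes and extracted content. It assumes GNU tar (1.28 or newer for --sort) and sha256sum on PATH; all paths and file contents are made up.

```shell
#!/bin/sh
# Added example: why "same extracted content" does not imply "same archive bytes",
# and which tar inputs have to be pinned to get a stable hash.
# Assumes GNU tar >= 1.28 and coreutils (sha256sum, touch -t). Sample tree is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a VCS checkout; MTIME is a POSIX touch -t stamp (CCYYMMDDhhmm).
make_tree() {
    dir="$1"; mtime="$2"
    mkdir -p "$dir/src"
    printf 'int main(void) { return 0; }\n' > "$dir/src/main.c"
    printf 'all: src/main.c\n' > "$dir/Makefile"
    touch -t "$mtime" "$dir/src/main.c" "$dir/Makefile" "$dir/src" "$dir"
}

# Archive with whatever the host tar picks by default: filesystem mtimes,
# the caller's uid/gid and names, readdir() member order.
pack_default() {
    tree="$1"; out="$2"
    tar -C "$(dirname "$tree")" -cf "$out" "$(basename "$tree")"
}

# Deterministic archive: fixed header format, sorted member order, fixed mtime,
# fixed numeric ownership. Each of these is a knob whose default can move between tar releases.
pack_reproducible() {
    tree="$1"; out="$2"
    tar --format=gnu --sort=name --mtime='2019-01-01 00:00Z' \
        --owner=0 --group=0 --numeric-owner \
        -C "$(dirname "$tree")" -cf "$out" "$(basename "$tree")"
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Exit status 0 if the two archives are byte-identical (what a stored hash actually checks).
archives_identical() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Exit status 0 if the two archives extract to identical trees (what users usually care about).
same_content() {
    a=$(mktemp -d "$WORK/x.XXXXXX"); b=$(mktemp -d "$WORK/x.XXXXXX")
    tar -xf "$1" -C "$a"
    tar -xf "$2" -C "$b"
    diff -r "$a" "$b" >/dev/null
}

# Same source, checked out at two different times: identical content, different mtimes.
make_tree "$WORK/a/pkg" 201901010000
make_tree "$WORK/b/pkg" 202002020000

pack_default      "$WORK/a/pkg" "$WORK/default-a.tar"
pack_default      "$WORK/b/pkg" "$WORK/default-b.tar"
pack_reproducible "$WORK/a/pkg" "$WORK/repro-a.tar"
pack_reproducible "$WORK/b/pkg" "$WORK/repro-b.tar"

if archives_identical "$WORK/default-a.tar" "$WORK/default-b.tar"; then
    echo "default: archives identical"
else
    echo "default: archives differ (hash check would fail) even though content is the same"
fi
if archives_identical "$WORK/repro-a.tar" "$WORK/repro-b.tar"; then
    echo "pinned:  archives identical, hash is stable across checkouts"
fi
```

The default-mode archives fail the hash comparison while passing the content comparison, which is exactly the situation described for archives generated before and after a host tar upgrade. Pinning the inputs makes the hash stable across checkout times, but not across tar releases that change header layout; the only defence against that is to regenerate and re-record hashes whenever the host tar changes, which is why the thread keeps host-tar fixed.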
Created attachment 8261: patch for tar package update

Thanks for the explanations. Attached is a patch made by my colleague which keeps the host version at 1.29.

Regards
Please submit the patch using git send-email so it becomes visible on patchwork.
I'm on a corporate network and not part of the buildroot mailing list (and don't necessarily want to be), so I'm not sure how to proceed.
(In reply to Dominique Tronche from comment #4) OK, I submitted the patch after improving the commit message based on Yann's comments: https://patchwork.ozlabs.org/patch/1197080/
Thanks for your help.

Regards
We are now using tar 1.32 for the target. We had to keep tar 1.29 for the host, though.