Security pitfalls of .tar.asc

[Jason at zx2c4.com (Jason A. Donenfeld)]

Hi list,

The upcoming cgit 1.2 release will have support for attaching .asc
signatures to tarballs. Adding a .tar.xz.asc is straightforward and
works as expected. But there's also display logic for showing .tar.asc
signatures next to .tar.xz files. The intent is to do something like
this:

$ curl -LO https://git.zx2c4.com/cgit/snapshot/cgit-1.1.tar.xz
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
100 86268    0 86268    0     0   122k      0 --:--:-- --:--:-- --:--:--  123k
$ curl -LO https://git.zx2c4.com/cgit/snapshot/cgit-1.1.tar.asc
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
100   858    0   858    0     0   2150      0 --:--:-- --:--:-- --:--:--  2177
$ unxz cgit-1.1.tar.xz
$ gpg --verify cgit-1.1.tar.asc
gpg: assuming signed data in 'cgit-1.1.tar'
gpg: Signature made Thu 05 Jul 2018 02:34:20 AM CEST
gpg:                using RSA key AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
gpg:                issuer "jason at zx2c4.com"
gpg: Good signature from "Jason A. Donenfeld <Jason at zx2c4.com>" [ultimate]

This works fine, but there's something a bit troubling about it: it
means that users are instructed to run untrusted tarballs through
`unxz`, which is big and complicated and could have nasty
vulnerabilities. My understanding is that this is desired because
.tar.xz is not stable -- xz might do different things between versions
or compression levels -- whereas git considers its .tar output to be a
stable format. So I can see why it'd be desirable to host .tar.asc
instead of .tar.xz.asc. But from a security perspective, this might be
sub-optimal.

Thoughts?

Regards,
Jason