A "tarbomb" is an archive file that has more than one directory at the
top level, which is (fortunately) unusual for .tar files. By default,
tar extracts archive members "as is" in the current directory. If the
archive has many top level members then it becomes very hard to make the
difference between what was just extracted versus what was already
there. As extraction is recursive this gets much worse because the
problem can repeat itself in subdirectories. As the last but not least
nail in the coffin, tar silently overwrites existing files by default.
This commit is admittedly an "incompatible build API change" meaning any
higher level build or packaging script that was consuming source release
tarballs (as opposed to git cloning the source) will require a small
change. Consumers of release tarballs must be rare though because the
output of "make dist" has already been broken by commit
c00d39c71b ("Add rimage as a git submodule") anyway yet no one noticed
yet.
Signed-off-by: Marc Herbert <marc.herbert@intel.com>