This zip-bomb technique would be worthless for a simple tool scanning suffixes of files as the files wouldn't be uncompressed at all. Also, since .zip wouldn't be on the allowed extension list in zip files, such a file would be automatically chosen for manual approval.
No problem so far with the automatic approval idea.
That's what wowui.incgamers.net does, and it's turned into a game of cat and mouse between the site admins and malicious software creators. The last attack was something along the lines of an executable inside of a zip file, inside of another zip file, and their virus scanner wasn't smart enough to recursively extract.
But that is why I said to check the extensions of the files in the zip file (or at least that is what I meant). If only lua, toc, wav, txt and other similar harmless files are in the zip, then automatically accept the file. Otherwise continue with the manual approval. If they can make that for SVN, zip should be no problem.
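The check described in the posts above, as an added example that is not part of the original thread or any site's actual code: only member names are read from the zip, nothing is decompressed, and anything outside the allowlist (including a nested .zip) is sent to manual approval. The function names, the exact allowlist and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed allowlist: the "harmless" extensions named in the thread.
ALLOWED_EXTENSIONS = {".lua", ".toc", ".wav", ".txt"}


def triage_upload(data: bytes) -> tuple[str, list[str]]:
    """Return ("auto", []) or ("manual", reasons) for an uploaded zip.

    Only the zip's directory listing is read. No member is decompressed,
    so a zip bomb costs nothing here, and a nested archive is never
    opened: its .zip suffix alone routes the upload to a human.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "manual", ["not a readable zip file"]
    reasons = []
    with archive:
        members = [m for m in archive.infolist() if not m.is_dir()]
        if not members:
            reasons.append("archive contains no files")
        for info in members:
            suffix = PurePosixPath(info.filename).suffix.lower()
            if suffix not in ALLOWED_EXTENSIONS:
                shown = suffix or "(none)"
                reasons.append(f"{info.filename}: extension {shown} not allowed")
            if info.flag_bits & 0x1:  # bit 0 set = encrypted member
                reasons.append(f"{info.filename}: encrypted member")
    return ("manual", reasons) if reasons else ("auto", [])


def build_zip(files: dict[str, bytes]) -> bytes:
    """Build an in-memory zip; used only to construct sample uploads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a plain addon, and a zip hidden inside a zip.
    clean = build_zip({"Example/Example.toc": b"## Title", "Example/core.lua": b"--"})
    inner = build_zip({"setup.exe": b"placeholder"})
    nested = build_zip({"Example/Example.toc": b"## Title", "Example/data.zip": inner})
    print(triage_upload(clean))
    print(triage_upload(nested))
```

An allowlist decision like this only decides which uploads skip the queue; it says nothing about what a scanner would find inside the files that do get flagged.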
2 months ago, a malicious author uploaded 3 different zip files that contained a trojan to uiwow.incgamers.net, and it passed their automated virus scanning system. These addons were passed off as Omen, Curse updater and wowace updater.
Is also possible via SVN... unless I am mistaken.
Anyway, WoW won't run the virus files so there shouldn't be any real problem.
Anyway, posts and project pages are not delayed in update and I will just post links to alternate download pages. Takes away some of the enjoyment of writing addons for people, though. Maybe this is why other addons have been removed from curse.com, I don't know..
No thanks. I have experienced too many problems with curse.com to move guildads there. Maybe if I see 1 year of near-flawless operation... ;-) and then only if the SVN log/history can be preserved (I often have to go back to old revisions to check something).
It was my other addon, GuildAds, that I upload versions of manually. About 6 hours after I uploaded the file, it finally was available for download. In the future, I think I have to provide download links on sourceforge.net (where GuildAds SVN is hosted) as well. The latency on curse.com is just too annoying.