Use tarfile filters (PEP 706) when extracting sdists?

[encukou]

Hello,
New security releases of Python add a filter argument to TarFile.extractall, which allows filtering common security issues.
I assume the the security issues are moot here, since build executes unpacked code right after the extractall.
Python 3.12 will raise a DeprecationWarning if filter is not specified. I assume build will at least want to avoid the warning.
Python 3.14 will change the default to tarfile.data_filter.

What are your thoughts on how to best handle this? Happy to send a PR after a discussion.

Possible solutions I see:

• Use data_filter on Pythons that support it. Accept that the behaviour will change from previous versions.
• Use data_filter if available, but only to raise exceptions (files/links outside target, device files), use existing mechanism if the filter doesn't fail. (There's another choice: abort the operation, or merely skip “bad” files?)
• Use the fully_trusted filter to silence warnings and preserve existing behaviour.

See this issue in pip: pypa/pip#12111

Does this need a PEP?

[layday]

Feel free to provide feedback on #609.

[encukou]

Ah, my apologies, I missed the PR!