It tells you how it's compressed and how to decompress it if it knows how. OpenBSD's tar doesn't support xz so it can't help there, but does support gzip so it suggests using -z.
Not letting untrusted input automatically increase the attack surface it's exposed to is a feature.
>Not letting untrusted input automatically increase the attack surface it's exposed to is a feature.
How is that a feature? The user's explicitly asking for this.
This feature reminds me of vim, that suggests closing with ":quit" when you press C-x C-c (i.e. the keychord to close emacs). It knows full well what you want to do and even has special code to handle it, but then insists to hand you more work.
Vim suggests closing with ":quit" when you hit C-c; the C-x is irrelevant.
Upon receiving a C-c, it does not know full well what the user wants to do.
When vim receives a C-c from you (or someone who just stumbled into vim and doesn't know how to exit) the user wants to exit.
When vim receives a C-c from me, it's because I meant to kill the process I spawned from vim, and it ended before the key was pressed. I very much do not want it to quit on me at that point.
`tar -xf` is not "explicitly asking" for gzip. `tar -zxf` is "explicitly asking" for gzip.
I don't really care what vim does, that's a different argument. There have been many vulnerabilities in gzip, and in tar implementations that let untrusted input choose how it gets parsed, those vulnerabilities might as well be in tar itself.
Not letting untrusted input automatically increase the attack surface it's exposed to is a feature.