Extracts an OCI image layer -- a gzipped tar -- into a directory.

Why not :erl_tar: it refuses absolute and ..-escaping symlinks as an anti-symlink-attack measure, with no opt-out. A container root filesystem legitimately contains absolute symlinks (/bin/sh -> /bin/busybox and many more), so :erl_tar.extract cannot assemble OCI layers. This module reads the tar itself and creates every entry, symlinks included.

It understands the ustar format plus the GNU long-name (L/K) and PAX extended-header (x/g) extensions. Character/block devices and FIFOs are skipped -- creating them needs privilege and images rarely ship them in layers.

OCI whiteout markers are honoured so layers stack correctly: .wh.<name> deletes a lower-layer entry, and .wh..wh..opq empties a directory of its lower-layer contents. The markers themselves are never written.