Re: Registering a media type for Debian binary packages ?

To: debian-devel@lists.debian.org
Subject: Re: Registering a media type for Debian binary packages ?
From: Charles Plessy <plessy@debian.org>
Date: Sun, 19 Jan 2014 12:26:21 +0900
Message-id: <[🔎] 20140119032621.GB32218@falafel.plessy.net>
In-reply-to: <[🔎] 21190.44665.512477.310883@chiark.greenend.org.uk> <[🔎] 20140103104756.GA32339@gaara.hadrons.org>

Hi Guillem, Ian, and everybody,

I attached here is an updated proposal for declaring a mime type for Debian
binary packages, plus a patch against the previous version.

Here is an explanation about my motivation.

As the maintainer of the mime-support package, I receive requests to update the
file /etc/mime.types, to associate file suffixes with media types.  In the
absence of requests, I can get information for new associations from the
Internet Assigned Numbers Authority (IANA).

    http://www.iana.org/assignments/media-types

The IANA is very flexible for registering new types and these registrations
include a list of file suffixes to associate with.  (Unfortunately, it is not
machine-readable).

I strongly beleive in the point 2 of our Social Contract, about propagating
changes upstream and “give back to the free software community”.  When I am
requested to add a non-registered type to /etc/mime.types, I am therefore
asking systematically to the requester to consider going through the IANA
first.  (In case the modification is needed for making our next stable release
better, I will of course not stand in the way of an update).

In parallel, the IANA itself, through RFC 6838, welcomes the registration
of new media types.

    http://tools.ietf.org/html/rfc6838#section-1.1

See also the paragraph on unregistered types:

    “with the simplified registration procedures described above for vendor
     and personal trees, it should rarely, if ever, be necessary to use
     unregistered types.”

    http://tools.ietf.org/html/rfc6838#section-3.4

In this context, old unregistered media types starting with 'x-' are
progressifely being registered without this deprecated prefix.

Given the effort I am asking to the people requesting changes in
/etc/mime.types, I would like Debian to give the example as well.

Since the media type of Debian binary packages is unclear (there are at least
two alternative in circulation), I am proposing to register an official media
type in the vendor tree.

While the unofficial types may stay in circulation for a long time, I think
that it is worth the effort, especially given that the work is 90 % done now.

I took care of your other comments directly by changing the text. here are some
answers when it was not possible.

Le Fri, Jan 03, 2014 at 11:47:56AM +0100, Guillem Jover a écrit :
> 
> > with administrator privileges during installation.  It is therefore essential
> > to trust the origin of the package.  The recommended way is to download
> > packages from APT (Advanced Packaging Tool) archives that are authenticated with
> > a trusted cryptographic key (see the manual page of apt-secure for details).
> > As a lesser alternative for cases where APT tools are not available, the
> > package should be downloaded with secured protocols such as HTTPS.  There also
> > exists a mechanism for signing packages directly (called ‘debsigs’), but it is
> > not deployed.
> 
> Could this be made generic as to not recommend a specific frontend
> implementation, but just what's needed from it? Some systems do not
> use apt, some users might want to use something else, etc. But maybe
> that's not how other mime type entries are written?

Here, I intend “APT archives” to be about the format, not to suggest that only
apt-get should be used.  I could phrase it better.  Suggestions are welcome.


> > The Debian binary packages are manipulated by system programs such as ‘dpkg’,
> > ‘apt-get’, graphical front-ends such as ’Synaptic’ but also generic archive
> > decompressors such as ‘File Roller’.  After downloading a package with a web
> > browser or after clicking on its icon, front-ends or decompressors are usually
> > started.
> 
> I'm not sure that frontends are usually started when downloading raw
> .debs from the net, though.

Indeed, with Epiphany browser or Chrome, no front-end is proposed despite the
media type is indicated in the HTTP headers.  I consider it a bug.  With
Iceweasel, it worked.

Have a nice Sunday.

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

Type name:
application

Subtype name:
vnd.debian.binary-package

Required parameters:
None.

Optional parameters:
None.

Encoding considerations:
binary

Security considerations:

Debian binary packages can contain scripts executing arbitrary commands during
installation, which is done with administrator privileges.  It is therefore
essential to trust the origin of the package.  The recommended way is to
download packages from APT (Advanced Packaging Tool) archives that are
authenticated with a trusted cryptographic key (see the manual page of
apt-secure for details).  As a lesser alternative for cases where APT tools are
not available, the package should be downloaded with secured protocols such as
HTTPS.  There also exists a mechanism for signing packages directly (called
‘debsigs’), but it is not deployed.

The contents of the Debian binary packages are placed inside tar archives
(possibly compressed) wrapped in an ar archive (see the ‘deb’ manual page for
details on the format); it is therefore possible to inspect them with standard
UNIX tools (although the recommended way is through the command ‘dpkg-deb’)
without actually installing the package and therefore without executing the
package's scripts.  An estimate of the uncompressed size of the package may be
available in its ‘control’ file, but it can only be trusted if the package
itself is trusted (a malicious person can design a package containing small
compressed files that become extremely large after decompression).

Since the Debian packages vehiculate programs to be installed on a computer,
the monitoring of a user's downloads over non-secured transport protocols such
as HTTP or FTP may reveal information pertaining to the user's privacy, or
suggest information related to the system's security such as the precise
version numbers of programs in use.

Interoperability considerations:

Arbitrary Debian binary packages can be installed on any system where the
‘dpkg’ package manager is used, but it is recommended to only install packages
that have been built for a release matching the distribution installed on the
system.

Published specification:
http://manpages.debian.org/cgi-bin/man.cgi?query=deb&manpath=Debian+unstable+sid

http://manpages.debian.org/deb

Applications that use this media type:

The Debian binary packages are manipulated by system programs such as ‘dpkg’,
‘apt-get’, graphical front-ends such as ’Synaptic’ but also generic archive
decompressors such as ‘File Roller’.  After downloading a package with a web
browser or after clicking on its icon, front-ends or decompressors are usually
started.

Fragment identifier:
None.

Restrictions on usage:
None.

Additional information:

Deprecated alias names for this type:
application/x-debian-package
application/x-deb

Magic number(s):
Version 2.0 files start with the following string:
!<arch>\ndebian-binary

File extension(s):
deb

Macintosh file type code(s):
None.

Object Identifier(s) or OID(s):
None.

Person & email address to contact for further information:
The Debian Policy mailing list <debian-policy&lists.debian.org>

Intended usage:
Common

Author:
Charles Plessy <plessy&debian.org>

Change controller:
The Debian Project <http://www.debian.org>

--- vnd.debian.package.old	2014-01-19 12:24:18.410664663 +0900
+++ vnd.debian.package	2014-01-19 12:25:27.519522133 +0900
@@ -15,21 +15,25 @@
 
 Security considerations:
 
-Debian binary packages can contain arbitrary commands that will be executed
-with administrator privileges during installation.  It is therefore essential
-to trust the origin of the package.  The recommended way is to download
-packages from APT (Advanced Packaging Tool) archives that are authenticated with
-a trusted cryptographic key (see the manual page of apt-secure for details).
-As a lesser alternative for cases where APT tools are not available, the
-package should be downloaded with secured protocols such as HTTPS.  There also
-exists a mechanism for signing packages directly (called ‘debsigs’), but it is
-not deployed.
-
-The contents of the Debian binary packages are compressed (see the ‘deb’ manual
-page for details on the format); it is therefore possible to inspect them
-without actually install the package.  An estimate of the uncompressed size of
-the package may be available in its ‘control’ file, but it can only be trusted
-if the package itself is trusted.
+Debian binary packages can contain scripts executing arbitrary commands during
+installation, which is done with administrator privileges.  It is therefore
+essential to trust the origin of the package.  The recommended way is to
+download packages from APT (Advanced Packaging Tool) archives that are
+authenticated with a trusted cryptographic key (see the manual page of
+apt-secure for details).  As a lesser alternative for cases where APT tools are
+not available, the package should be downloaded with secured protocols such as
+HTTPS.  There also exists a mechanism for signing packages directly (called
+‘debsigs’), but it is not deployed.
+
+The contents of the Debian binary packages are placed inside tar archives
+(possibly compressed) wrapped in an ar archive (see the ‘deb’ manual page for
+details on the format); it is therefore possible to inspect them with standard
+UNIX tools (although the recommended way is through the command ‘dpkg-deb’)
+without actually installing the package and therefore without executing the
+package's scripts.  An estimate of the uncompressed size of the package may be
+available in its ‘control’ file, but it can only be trusted if the package
+itself is trusted (a malicious person can design a package containing small
+compressed files that become extremely large after decompression).
 
 Since the Debian packages vehiculate programs to be installed on a computer,
 the monitoring of a user's downloads over non-secured transport protocols such
@@ -41,9 +45,12 @@
 
 Arbitrary Debian binary packages can be installed on any system where the
 ‘dpkg’ package manager is used, but it is recommended to only install packages
-that have been built for a given release of Debian or a Debian derivative.
+that have been built for a release matching the distribution installed on the
+system.
 
 Published specification:
+http://manpages.debian.org/cgi-bin/man.cgi?query=deb&manpath=Debian+unstable+sid
+
 http://manpages.debian.org/deb
 
 Applications that use this media type:
@@ -61,11 +68,14 @@
 None.
 
 Additional information:
+
 Deprecated alias names for this type:
-None.
+application/x-debian-package
+application/x-deb
+
 Magic number(s):
-Files usually start with the following string:
-!<arch>
+Version 2.0 files start with the following string:
+!<arch>\ndebian-binary
 
 File extension(s):
 deb

Reply to:

Follow-Ups:
- Re: Registering a media type for Debian binary packages ?
  - From: Jakub Wilk <jwilk@debian.org>
- Re: Registering a media type for Debian binary packages ?
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

References:
- Re: Registering a media type for Debian binary packages ?
  - From: Guillem Jover <guillem@debian.org>

Prev by Date: Bug#735927: general: X *always* crashes when ram is full
Next by Date: libtiff5 transition mass bug filing
Previous by thread: Re: Registering a media type for Debian binary packages ?
Next by thread: Re: Registering a media type for Debian binary packages ?
Index(es):
- Date
- Thread