
Bug#792853: debian-policy: please disallow colons in upstream_version



Hi!

On Sun, 2015-07-19 at 13:48:14 +0200, Jakub Wilk wrote:
> Package: debian-policy
> Severity: wishlist

> Policy §5.6.12 reads: “The <upstream_version> may contain only alphanumerics
> and the characters ‘.’  ‘+’ ‘-’ ‘:’ ‘~’ (full stop, plus, hyphen, colon,
> tilde) and should start with a digit. […] if there is no <epoch> then colons
> are not allowed.”
> 
> But in practice:
> 
> 1) There has never been a package with a colon in upstream_version in the
> archive.
> 
> 2) A colon in upstream_version implies a colon in the filename. Some
> software might not tolerate such filenames; see bug #645895 for discussion.

The problem with dpkg-source is just a matter of its assumptions related
to epochs, otherwise it can handle colons just fine.

,---
$ dpkg-source -x pkg_1:1-1.dsc
dpkg-source: warning: extracting unsigned source package (pkg_1:1-1.dsc)
dpkg-source: info: extracting pkg in pkg-1:1
dpkg-source: info: unpacking pkg_1:1.orig.tar.xz
dpkg-source: info: unpacking pkg_1:1-1.debian.tar.xz
$ dpkg-parsechangelog -lpkg-1\:1/debian/changelog -SVersion
1:1:1-1
`---

> 3) dpkg in unstable won't even let you build a package with such version:
>
> $ head -n1 debian/changelog
> adequate (1:1:1) UNRELEASED; urgency=low
> $ dpkg-buildpackage -S
> […]
> dpkg-genchanges -S >../adequate_1:1_source.changes
> dpkg-genchanges: error: invalid filename adequate_1:1.dsc
> dpkg-buildpackage: error: dpkg-genchanges gave error exit status 255

Ah, thanks! That's an accidental regression introduced in dpkg 1.18.0,
which I've just fixed now locally, but I'm pondering if it's worth
including the fix in the upcoming 1.18.2 release, given the following:

4) GNU tar considers a colon the delimiter for a hostname, and tries to
   establish a network connection that will most probably fail, which
   affects both packing and unpacking. You have to use --force-local to
   avoid that, and I doubt upstreams might be bothered to do so, or
   inflict that onto their users:

   ,---
   $ tar -tf pkg_1\:1.orig.tar.xz
   tar: Cannot connect to pkg_1: resolve failed
   $ tar -tf pkg_1\:1.orig.tar.xz --force-local
   pkg-1:1/
   `---

> Therefore, I'd like to propose to disallow colons in upstream_version.

So, in principle 2) and 3) are mostly problems in dpkg, 1) might be a
quite good indication that upstreams do not usually do this, and 4) a
very strong deterrent for them to do so.

I'm ambivalent on disallowing this in Debian, and even if policy ends
up disallowing it, it might still make sense to allow it in dpkg in case
someone outside Debian is using such a thing (although I'm having a bit
of a hard time seeing this being used in practice).

Thanks,
Guillem
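
The following is an added example, not part of the message above and not dpkg's own code: a small checker that splits a version the way the thread's output shows (first colon ends the epoch, last hyphen starts the revision), derives the epoch-less file names, and flags names that GNU tar would need --force-local for. The function names `split_version` and `check` are hypothetical, and the `.orig.tar.xz` suffix is taken from the transcript above.

```python
import re

# Characters the quoted Policy §5.6.12 text allows in upstream_version.
UPSTREAM_CHARS = re.compile(r"[A-Za-z0-9.+:~-]+")


def split_version(version):
    """Split [epoch:]upstream_version[-debian_revision].

    The first colon ends the epoch and the last hyphen starts the revision,
    which matches how 1:1:1-1 is handled in the thread above.
    """
    epoch, colon, rest = version.partition(":")
    if not colon:
        epoch, rest = None, version
    elif not re.fullmatch(r"[0-9]+", epoch):
        raise ValueError(f"epoch is not an unsigned integer: {epoch!r}")
    upstream, hyphen, revision = rest.rpartition("-")
    if not hyphen:
        upstream, revision = rest, None
    return epoch, upstream, revision


def check(package, version):
    """Return derived file names and findings for one source version."""
    epoch, upstream, revision = split_version(version)
    findings = []
    if not UPSTREAM_CHARS.fullmatch(upstream):
        findings.append("upstream_version has characters outside the Policy set")
    if not upstream[:1].isdigit():
        findings.append("upstream_version should start with a digit")
    # File names drop the epoch, as in pkg_1:1-1.dsc above.
    full = upstream if revision is None else f"{upstream}-{revision}"
    names = [f"{package}_{full}.dsc"]
    if revision is not None:  # only non-native versions get an orig tarball here
        names.append(f"{package}_{upstream}.orig.tar.xz")
    if any(":" in n for n in names):
        findings.append("colon in file name: GNU tar needs --force-local")
    return {"epoch": epoch, "upstream": upstream, "revision": revision,
            "files": names, "findings": findings}


if __name__ == "__main__":
    # Constructed sample list; the first two versions appear in the thread.
    for pkg, ver in [("pkg", "1:1:1-1"), ("adequate", "1:1:1"), ("pkg", "1:2.0-1")]:
        print(pkg, ver, check(pkg, ver))
```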

