Bug#918438: orig tarball components with uppercase letters
Hi. I'm afraid I have opened a can of worms. Now I will enumerate
the worms for your delectation and delight. Luckily I think the worms
are not too slimy or numerous, even though one of them has eaten the
firefox package and is consequently very large.
dpkg-source format `3.0 (quilt)' supports what it calls `additional
orig tarballs', named
The documentation in dpkg-source(1) says
component can only contain alphanumeric characters and hyphens
This allows the possibility of uppercase letters. But of course
distinguishing case of letters is troublesome for some computers.
This specification makes it possible for two different source package
component files to exist with names which differ only in the case of
some of the letters - perhaps, even two files which are part of the
very same package version and must necessarily exist side by side.
It seems obvious to me that any reliance on case here is undesirable.
Furthermore, I discovered this by discovering that an important actual
package (firefox) uses uppercase letters in many of its orig tarball
(I erroneously mishandled this case in dgit, due to not reading the
spec properly. This caused lossage to a Debian downstream. #916926.)
I would like to arrange, somehow, that our tools and policies ensure
that filename clashes cannot occur even on case-insensitive
I don't think we can solve this in dpkg. All it could do is reject all
uppercase letters. That is not backward compatible: we don't want to
add to the situations where it is not possible to edit and rebuild an
old source package.
It might be possible to address this in tools like dak and reprepro by
having them apply their uniqueness restrictions to case-smashed
versions of the filenames. However this seems fiddly and ugly to me.
Also it is not ideal to do this so late in the package management
workflow. (We've had trouble with orig filename reuse in the past...)
I suggest instead that we deprecate uppercase letters in quilt orig
component names in Debian policy, and back that up with a lintian
warning. This is in some sense over-restrictive since it forbids even
situations where the filenames are case-insensitively-unique.
Existing packages would need to transition their arrangements for orig
handling so that the origs had all-lowercase names; this would be a
mild extra inconvenience for them, but would not have to be done in
any kind of hurry.
Eventually, when everything is converted, the restriction could be
made firm (MUST; lintian error) and that would get us into a situation
where we can't accidentally mess this up in the future.
What do you think ?
I have CC'd various people, including in particular the firefox
maintainers (who I am proposing to inconvenience - sorry about that).
Technically the spec also allows the possibility of non-ASCII
letters and numbers but I doubt anyone would read that that was
intended and I am confident that dpkg-source would actually reject
Ian Jackson <firstname.lastname@example.org> These opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
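
Added example, not part of the original message and not code from dpkg, dak, reprepro or lintian: a check in the spirit of the proposal above that flags uppercase letters in orig component names and reports names that clash once case is smashed. It assumes the `<source>_<version>.orig-<component>.tar.<ext>` naming from dpkg-source(1); the function name and the sample file names are constructed.

```python
import re
from collections import defaultdict

# Naming assumed from dpkg-source(1): <source>_<version>.orig-<component>.tar.<ext>
ORIG_COMPONENT = re.compile(
    r"[^_/]+_[^_/]+\.orig-(?P<component>[A-Za-z0-9-]+)\.tar\.[A-Za-z0-9]+"
)

def check_orig_components(filenames):
    """Return (uppercase, clashes) for a list of source package file names.

    uppercase: component tarballs whose component has an uppercase letter.
    clashes:   groups of distinct component tarball names that become equal
               once case is smashed, i.e. would collide on a
               case-insensitive filesystem.
    """
    uppercase = []
    by_folded = defaultdict(set)
    for name in filenames:
        m = ORIG_COMPONENT.fullmatch(name)
        if m is None:
            continue  # main .orig.tar, .debian.tar, .dsc and so on
        if any(c.isupper() for c in m.group("component")):
            uppercase.append(name)
        # lower() stands in for the filesystem's case folding
        by_folded[name.lower()].add(name)
    clashes = sorted(sorted(g) for g in by_folded.values() if len(g) > 1)
    return sorted(uppercase), clashes

# Constructed sample: one package version with a case-only clash.
SAMPLE = [
    "example_1.0.orig.tar.xz",
    "example_1.0.orig-Vendor.tar.gz",
    "example_1.0.orig-vendor.tar.gz",
    "example_1.0.orig-docs.tar.xz",
    "example_1.0.orig-Data.tar.xz",
    "example_1.0-1.debian.tar.xz",
]

if __name__ == "__main__":
    upper, clashes = check_orig_components(SAMPLE)
    for name in upper:
        print("warning: uppercase in orig component name:", name)
    for group in clashes:
        print("error: names differ only in case:", ", ".join(group))
```

The first list corresponds to the deprecation warning proposed above; the second is the stricter condition that an archive tool applying uniqueness to case-smashed names would enforce.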