
"malicious" package in sid and testing



Dear Debian QA Group,

A few days ago I reported bug #904699.
As nothing has happened since then, I started to hunt down the reason
for this bug, and what I found left me kind of speechless.

As I expected, the reported problem is not in cdebootstrap itself
and not even in debian-installer (it is actually reported
from a d-i library call) but in the package list and metadata instead.
I've used snapshot.debian.org to find out since when the problem has existed,
and found it was introduced on July 8th.

Looking at the changes I probably found the reason.

Please have a closer look at the metadata of the package
librust-winapi-dev, as this is just wrong.
The package has
Size: 744344 
but
Installed-Size: 5839
How is that even possible? 

But it's worse: the package has a Provides: line
that lists 1336(!) packages, making that single
line more than 57 kByte long. Yes, seriously. But no, that's insane.

It breaks debian-installer (you can't install testing or sid
with it right now) and it breaks cdebootstrap - and most probably
any other package that uses d-i libraries to parse the package list.

I'm writing to you because to me - and I hope I'm terribly wrong
about this - this looks just like a malicious joke, as in "look,
I can break your C code with an extra-long line. It wouldn't have
happened if you had used Rust" - but that's just my mind trying to
find an explanation for why somebody would define a >57 kB line in
the package metadata.

And as I just want to avoid any unnecessary fighting or insulting
or anything similar, I thought it would be best to contact a third party
to have a look at this issue.

I'm not sure you are the right group to contact about this, but I'm sure
that if you are not, you can redirect it to wherever it should go.

Thanks for reading and addressing this issue.

Nicolai
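An added illustration of the failure mode the message describes, written here for this page and not taken from the message, from debian-installer, from libdebian-installer or from cdebootstrap: a fixed-buffer line reader (the pattern that a 57 kB line breaks), shown beside a whole-stanza field extractor that folds continuation lines and counts Provides entries regardless of how long the line is. The 4096-byte buffer limit, the generated `librust-winapi-0.3+feature-NNNN-dev` names and the stanza layout are constructed assumptions; neither the real d-i parser limit nor the real Provides contents appear on the page, only the entry count (1336) and the Size/Installed-Size values, which the constructed stanza reuses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed line buffer chosen to illustrate the failure mode;
 * the actual limit in the d-i library (if any) is not stated on the page. */
#define FIXED_LINE_MAX 4096

/* Fixed-buffer reader: copies the next line at *cursor into buf.
 * Returns 0 on success, -1 when the line does not fit. A reader that
 * truncated or wrote past the buffer instead is exactly what a >57 kB
 * Provides line would break; refusing is the safe behaviour. */
static int read_line_fixed(const char **cursor, char *buf, size_t bufsz)
{
    const char *p = *cursor;
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    if (len + 1 > bufsz)
        return -1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    *cursor = nl ? nl + 1 : p + len;
    return 0;
}

/* Length in bytes of the longest line in a stanza; needs no line buffer. */
static size_t longest_line(const char *stanza)
{
    size_t best = 0, cur = 0;
    for (const char *p = stanza; *p; p++) {
        if (*p == '\n') { if (cur > best) best = cur; cur = 0; }
        else cur++;
    }
    return cur > best ? cur : best;
}

/* Return a malloc'd copy of field `name`'s value from a Packages/control
 * stanza, with continuation lines (starting with space/tab) folded in,
 * or NULL if the field is absent. Scans the stanza in memory, so the
 * length of any single line is irrelevant. Caller frees. */
static char *field_value(const char *stanza, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = stanza;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ' || *v == '\t') v++;
            const char *end = p + linelen;
            while (eol && (eol[1] == ' ' || eol[1] == '\t')) {   /* fold continuations */
                const char *next = strchr(eol + 1, '\n');
                end = next ? next : eol + 1 + strlen(eol + 1);
                eol = next;
            }
            size_t vlen = (size_t)(end - v);
            char *out = malloc(vlen + 1);
            if (!out) return NULL;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return out;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return NULL;
}

/* Number of comma-separated entries in the stanza's Provides field. */
static size_t count_provides(const char *stanza)
{
    char *val = field_value(stanza, "Provides");
    if (!val) return 0;
    size_t n = 0;
    int in_entry = 0;
    for (const char *c = val; *c; c++) {
        if (*c == ',') in_entry = 0;
        else if (*c != ' ' && *c != '\t' && *c != '\n' && !in_entry) { in_entry = 1; n++; }
    }
    free(val);
    return n;
}

/* Constructed stanza with n Provides entries on a single line. The feature
 * package names are invented for this example; only the entry count and the
 * Size/Installed-Size values come from the message. Caller frees. */
static char *build_stanza(size_t n)
{
    const char *head = "Package: librust-winapi-dev\nSize: 744344\nInstalled-Size: 5839\nProvides: ";
    const char *tail = "\nDescription: constructed example stanza\n";
    size_t cap = strlen(head) + strlen(tail) + n * 64 + 1;
    char *s = malloc(cap);
    if (!s) return NULL;
    size_t off = (size_t)snprintf(s, cap, "%s", head);
    for (size_t i = 0; i < n; i++)
        off += (size_t)snprintf(s + off, cap - off, "%slibrust-winapi-0.3+feature-%04zu-dev (= 0.3.5-1)",
                                i ? ", " : "", i);
    snprintf(s + off, cap - off, "%s", tail);
    return s;
}

int main(void)
{
    char *stanza = build_stanza(1336);
    char buf[FIXED_LINE_MAX];
    const char *cur = stanza;
    int lines_ok = 0, rc = 0;
    while (*cur && (rc = read_line_fixed(&cur, buf, sizeof buf)) == 0) lines_ok++;
    printf("fixed-buffer reader: %d lines read, then rc=%d\n", lines_ok, rc);
    printf("longest line: %zu bytes, Provides entries: %zu\n",
           longest_line(stanza), count_provides(stanza));
    free(stanza);
    return 0;
}
```

The fixed-buffer reader gets through the first three short fields and then returns -1 on the Provides line; the stanza-level functions report the line length and the entry count without caring about either. The design point is that a line-oriented parser must either grow its buffer (getline-style) or fail loudly on oversize input; silently truncating a Provides value would leave a package claiming to provide a truncated, possibly different, set of names.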

