
Re: Security page APT line



On 11 Jan 2023 2:19 PM, Boyuan Yang wrote:

This is somehow an interesting case. The use of &nbsp; is semantically
correct since these spaces are indeed non-breaking to form a single APT
line.

I disagree. The spaces separating the line of text I'm typing are not non-breaking, but this is still a single line. The spaces do break up the line into individual words.

The APT parser also seems to disagree, as described below.

If you are indeed using any reasonably-modern web browser when copy-pasting
this APT line and still get the "&nbsp;", please let us know. Ideally a
step-by-step instruction on reproducing the issue would be great.

It's not copying the text "&nbsp;", it's copying a Unicode non-breaking space character. APT's sources.list parser faithfully does not break on a non-breaking space, so it sees the line as a single token. With regular (i.e., not non-breaking) whitespace, the parser will break the line up into tokens, the first being "deb", the second being "http://security.debian.org/debian-security", etc. But if the whitespace is non-breaking, it sees a single token "deb http://security.debian.org/debian-security bullseye-security main contrib non-free", which is invalid.

My setup is Windows 10 connected to Debian Bullseye using the built-in OpenSSH client and Windows Terminal as my terminal emulator. Everything is up-to-date or close to it as far as I can tell. That I'm getting those non-breaking spaces persisting through copy & paste might be specific to my environment, though I think it's a reasonable (in fact the correct) thing for a browser/text editor/terminal application to do.

Here's one very specific route to replicate:

1.) SSH in to Debian using Windows Terminal, authenticate as a non-root user, get a bash prompt.
2.) Enter the command: "sudo apt-get update; echo $?", with the result

Hit:1 https://download.docker.com/linux/debian bullseye InRelease
Hit:2 http://debian.uchicago.edu/debian bullseye InRelease
Hit:3 http://debian.uchicago.edu/debian bullseye-updates InRelease
Hit:4 https://apt.syncthing.net syncthing InRelease
Reading package lists... Done
0

3.) Enter the text "echo '", but do not press enter.
4.) Visit https://www.debian.org/security/ in Firefox.
5.) On the page, select "deb http://security.debian.org/debian-security bullseye-security main contrib non-free" using the mouse, right-click and choose copy from the context menu.
6.) Switch back to the terminal and right-click to paste the line in, then complete the command with "' | sudo tee /etc/apt/sources.list.d/99-non-breaking-space-repro.list"
7.) Enter the command: "sudo apt-get update; echo $?", with the result

E: Malformed line 1 in source list /etc/apt/sources.list.d/99-non-breaking-space-repro.list (type)
E: The list of sources could not be read.
100

8.) Enter the command: "hexdump -C /etc/apt/sources.list.d/99-non-breaking-space-repro.list", with the result:

00000000  64 65 62 c2 a0 68 74 74  70 3a 2f 2f 73 65 63 75  |deb..http://secu|
00000010  72 69 74 79 2e 64 65 62  69 61 6e 2e 6f 72 67 2f  |rity.debian.org/|
00000020  64 65 62 69 61 6e 2d 73  65 63 75 72 69 74 79 c2  |debian-security.|
00000030  a0 62 75 6c 6c 73 65 79  65 2d 73 65 63 75 72 69  |.bullseye-securi|
00000040  74 79 c2 a0 6d 61 69 6e  c2 a0 63 6f 6e 74 72 69  |ty..main..contri|
00000050  62 c2 a0 6e 6f 6e 2d 66  72 65 65 0a              |b..non-free.|
0000005c

9.) Note that "64 65 62", the UTF-8/ASCII for "deb", is followed by "c2 a0", the UTF-8 encoding for a non-breaking space, rather than "20", the UTF-8/ASCII for a space character.

10.) Enter the command "sudo rm /etc/apt/sources.list.d/99-non-breaking-space-repro.list"

11.) Enter the text "echo '", but do not press enter.

12.) Switch back to https://www.debian.org/security/ in Firefox. On the page, select "deb http://security.debian.org/debian-security bullseye-security main contrib non-free" using the mouse, right-click and choose copy from the context menu.

13.) Switch back to the terminal and right-click to paste the line in. Do not complete the command. Instead, manually delete each non-breaking space and type a regular space to replace it. Then complete the command with "' | sudo tee /etc/apt/sources.list.d/99-corrected-security-line.list"

14.) Enter the command: "sudo apt-get update; echo $?", with the result

Get:1 http://security.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Hit:2 http://debian.uchicago.edu/debian bullseye InRelease
Hit:3 https://download.docker.com/linux/debian bullseye InRelease
Hit:4 http://debian.uchicago.edu/debian bullseye-updates InRelease
Get:5 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [214 kB]
Get:6 http://security.debian.org/debian-security bullseye-security/main Translation-en [139 kB]
Get:7 http://security.debian.org/debian-security bullseye-security/non-free amd64 Packages [528 B]
Get:8 http://security.debian.org/debian-security bullseye-security/non-free Translation-en [344 B]
Hit:9 https://apt.syncthing.net syncthing InRelease
Fetched 402 kB in 1s (473 kB/s)
Reading package lists... Done
0

15.) Enter the command: "hexdump -C /etc/apt/sources.list.d/99-corrected-security-line.list", with the result:

00000000  64 65 62 20 68 74 74 70  3a 2f 2f 73 65 63 75 72  |deb http://secur|
00000010  69 74 79 2e 64 65 62 69  61 6e 2e 6f 72 67 2f 64  |ity.debian.org/d|
00000020  65 62 69 61 6e 2d 73 65  63 75 72 69 74 79 20 62  |ebian-security b|
00000030  75 6c 6c 73 65 79 65 2d  73 65 63 75 72 69 74 79  |ullseye-security|
00000040  20 6d 61 69 6e 20 63 6f  6e 74 72 69 62 20 6e 6f  | main contrib no|
00000050  6e 2d 66 72 65 65 0a                              |n-free.|
00000057

16.) Note that "64 65 62", the UTF-8/ASCII for "deb", is followed by "20", the UTF-8/ASCII for a space character, rather than "c2 a0", the UTF-8 encoding for a non-breaking space.
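
Added example, not part of the original message: a shell check for the condition the hexdumps above show, finding U+00A0 (bytes c2 a0) in APT source lists, showing that ASCII-only tokenising yields one field instead of six, and writing a repaired copy. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Detect and repair non-breaking spaces (U+00A0, UTF-8 bytes c2 a0)
# in APT source list files. Names below are illustrative assumptions.

NBSP=$(printf '\302\240')   # the two bytes seen as "c2 a0" in hexdump -C

# Print "file:line:text" for every line that contains a non-breaking space.
# /dev/null is passed so grep always prefixes the file name.
find_nbsp() {
    LC_ALL=C grep -n -- "$NBSP" "$@" /dev/null || true
}

# Count fields on line 1 when only ASCII blanks separate tokens,
# which is how the message describes APT splitting the line.
field_count() {
    LC_ALL=C awk 'NR == 1 { print NF }' "$1"
}

# Write a copy of $1 to $2 with each non-breaking space replaced by 0x20.
fix_nbsp() {
    LC_ALL=C sed "s/$NBSP/ /g" "$1" > "$2"
}

# Constructed sample: the security line as pasted with non-breaking spaces.
demo() {
    dir=$(mktemp -d)
    printf 'deb\302\240http://security.debian.org/debian-security\302\240bullseye-security\302\240main\302\240contrib\302\240non-free\n' \
        > "$dir/bad.list"
    find_nbsp "$dir/bad.list"
    echo "fields before repair: $(field_count "$dir/bad.list")"
    fix_nbsp "$dir/bad.list" "$dir/good.list"
    echo "fields after repair:  $(field_count "$dir/good.list")"
    rm -rf "$dir"
}

demo
```

To audit a real system, run find_nbsp over /etc/apt/sources.list and the files in /etc/apt/sources.list.d/ before running apt-get update.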


