Bug#768069: apt command line package name interpretation
Package: apt
Version: 0.9.7.9+deb7u5
apt interprets package names containing `-', `+' and `+' specially,
even when they are supplied as simple command line arguments. These
characters are, of course, literals in package names, which may occur
anywhere other than at the start.
This is a problem because commands such as
  apt-get remove b.sh
  apt-get remove bonnie++
  apt-get install bonnie+.
ought to mean to operate on the specified literal package names,
regardless of whether the named packages `exist' (i.e., are known
to this instance of apt).
Otherwise it is almost impossible for a program which calls apt to
reliably `unparse' the command line: that is, to convert an intended
operation into a command line which instructs apt to always execute
the specified operation.
In some circumstances this could be a security problem.
Unfortunately this syntax is probably baked-in in some callers, so we
will have to have a transition plan. At the very least, apt should
currently warn whenever an ambiguous string is interpreted other than
as a literal package name.
I am thinking of submitting a patch which allows ambiguous package
name specifications to be handled in one of three specified ways,
according to the configuration:
- always treat as literal
- always treat as literal, with warning if behaviour changed
- current behaviour, with warning if behaviour could change
Would such a patch be welcome ? We can then have a conversation about
what the default should be.
I would like to press ahead with this regardless of agreement on
replacement metasyntax.
Ian.
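
Added example, not part of the original report and not apt code: a caller-side guard that refuses to build an apt-get command line from package names apt may not take literally. It assumes the trailing `+`/`-` modifiers and the regex fallback for names containing `.` as documented in apt-get(8), and the Debian Policy rule for package names; `ambiguities` and `safe_apt_argv` are hypothetical names.

```python
import re

# Debian Policy: lowercase letters, digits, '+', '-', '.'; at least two
# characters; first character alphanumeric (so a name never looks like an option).
POLICY_NAME = re.compile(r"[a-z0-9][a-z0-9+.-]+")


def ambiguities(arg):
    """Return a tag for every way apt-get may read arg as non-literal."""
    if not POLICY_NAME.fullmatch(arg):
        return ["invalid-name"]
    tags = []
    if arg.endswith("+"):
        tags.append("install-modifier")   # "pkg+" can mean: install pkg
    elif arg.endswith("-"):
        tags.append("remove-modifier")    # "pkg-" can mean: remove pkg
    if "." in arg:
        tags.append("regex-fallback")     # treated as a regex if no exact match
    return tags


def safe_apt_argv(action, names):
    """Build an apt-get argv, refusing names whose meaning depends on apt's state."""
    if action not in ("install", "remove"):
        raise ValueError("unsupported action: %r" % action)
    bad = {n: ambiguities(n) for n in names if ambiguities(n)}
    if bad:
        raise ValueError("ambiguous package arguments: %r" % bad)
    return ["apt-get", action] + list(names)


if __name__ == "__main__":
    # Constructed sample input: the three names from the report plus a plain one.
    for name in ["bonnie", "b.sh", "bonnie++", "bonnie+."]:
        print(name, ambiguities(name))
```

A caller that must operate on a flagged name has no unambiguous spelling for it under the behaviour described in the report, which is why the guard rejects it instead of trying to escape it.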