
Bug#768069: apt command line package name interpretation



Control: severity -1 wishlist

On Tue, Nov 04, 2014 at 05:46:08PM +0000, Ian Jackson wrote:
> Package: apt
> Version: 0.9.7.9+deb7u5
> 
> apt interprets package names containing `-', `+' and `+' specially,
> even when they are supplied as simple command line arguments.  These
> characters are, of course, literals in package names, which may occur
> anywhere other than at the start.
> 
> This is a problem because commands such as
>    apt-get remove b.sh
>    apt-get remove bonnie++
>    apt-get install bonnie+.
> ought to mean to operate on the specified literal package names,
> regardless of whether the named packages `exist' (i.e., are known
> to this instance of apt).
> 
> Otherwise it is almost impossible for a program which calls apt to
> reliably `unparse' the command line: that is, to convert an intended
> operation into a command line which instructs apt to always execute
> the specified operation.

The only time an issue can appear is if you have two or more packages
ending in + or - where one is a prefix of the other. As long as we
do not have such packages in the archive, there is no issue.

> 
> In some circumstances this could be a security problem.

In which?

> 
> Unfortunately this syntax is probably baked-in in some callers, so we
> will have to have a transition plan.  At the very least, apt should
> currently warn whenever an ambiguous string is interpreted other than
> as a literal package name.
> 
> I am thinking of submitting a patch which allows ambiguous package
> name specifications to be handled in one of three specified ways,
> according to the configuration:
>    - always treat as literal
>    - always treat as literal, with warning if behaviour changed
>    - current behaviour, with warning if behaviour could change
> 
> Would such a patch be welcome ?  We can then have a conversation about
> what the default should be.
> 
> I would like to press ahead with this regardless of agreement on
> replacement metasyntax.

I do not agree about deprecating this just because you say you want
something else. It works just fine in practice.

If you want a replacement, how about allowing +/- prefixes
instead? That does not seem ambiguous, unless I'm missing
something.

But I'm not sure it's worth the effort.

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

Be friendly, do not top-post, and follow RFC 1855 "Netiquette".
    - If you don't I might ignore you.
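An added illustration, not code from apt or from either participant: a small Python model of the trailing-modifier lookup as Julian describes it, the leading-modifier form he suggests, and the three configurable behaviours listed in the quoted report. The package set and the rule that a trailing modifier is honoured only when the stripped name is a known package are assumptions made for the example.

```python
# Constructed set of "known" packages; bonnie+ is a prefix of bonnie++,
# which is exactly the situation the reply above calls ambiguous.
KNOWN = {"bonnie+", "bonnie++", "b.sh", "foo"}


def parse_postfix(arg, known=KNOWN, default="install"):
    """Current-style trailing modifier: 'pkg+' installs, 'pkg-' removes.

    Assumed rule (modelled on the reply, not taken from apt source): the
    modifier is only honoured when the stripped name is a known package;
    otherwise the argument is taken as a literal package name.
    """
    if arg and arg[-1] in "+-" and arg[:-1] in known:
        return ("install" if arg[-1] == "+" else "remove", arg[:-1])
    return (default, arg)


def parse_prefix(arg, default="install"):
    """Suggested leading modifier: '+pkg' installs, '-pkg' removes.

    Package names never start with '+' or '-', so no lookup against the
    known set is needed and every argument has exactly one reading.
    """
    if arg and arg[0] in "+-":
        return ("install" if arg[0] == "+" else "remove", arg[1:])
    return (default, arg)


def unparse_prefix(action, name):
    """Round-trippable command-line form for a (action, literal name) pair."""
    return ("+" if action == "install" else "-") + name


def ambiguous_postfix(known):
    """Known names whose literal use is re-interpreted under the postfix rule."""
    return sorted(n for n in known if n[-1] in "+-" and n[:-1] in known)


def interpret(arg, mode, known=KNOWN, default="install"):
    """The three behaviours from the report; returns (action, name, warning)."""
    postfix = parse_postfix(arg, known, default)
    literal = (default, arg)
    changed = postfix != literal  # the modifier reading differs from literal
    if mode == "literal":
        return literal + (None,)
    if mode == "literal-warn":
        return literal + (f"{arg!r} was previously read as {postfix}" if changed else None,)
    if mode == "current-warn":
        return postfix + (f"{arg!r} read as {postfix}, not literally" if changed else None,)
    raise ValueError(f"unknown mode {mode!r}")
```

Note that `apt-get remove bonnie++` under the postfix model yields an install of bonnie+, which is the reversal the report is concerned about.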
