Bug#768069: apt command line package name interpretation

To: Ian Jackson <ijackson@chiark.greenend.org.uk>, 768069@bugs.debian.org
Subject: Bug#768069: apt command line package name interpretation
From: Julian Andres Klode <jak@debian.org>
Date: Tue, 4 Nov 2014 19:06:29 +0100
Message-id: <[🔎] 20141104185948.GA17111@debian.org>
Mail-followup-to: Julian Andres Klode <jak@debian.org>, Ian Jackson <ijackson@chiark.greenend.org.uk>, 768069@bugs.debian.org
Reply-to: Julian Andres Klode <jak@debian.org>, 768069@bugs.debian.org
In-reply-to: <[🔎] 21593.4320.279709.878054@chiark.greenend.org.uk>
References: <[🔎] 21593.4320.279709.878054@chiark.greenend.org.uk>

Control: severity -1 wishlist

On Tue, Nov 04, 2014 at 05:46:08PM +0000, Ian Jackson wrote:
> Package: apt
> Version: 0.9.7.9+deb7u5
> 
> apt interprets package names containing `-', `+' and `+' specially,
> even when they are supplied as simple command line arguments.  These
> characters are, of course, literals in package names, which may occur
> anywhere other than at the start.
> 
> This is a problem because commands such as
>    apt-get remove b.sh
>    apt-get remove bonnie++
>    apt-get install bonnie+.
> ought to mean to operate on the specified literal package names,
> regardless of whether the named packages `exist' (i.e., are known
> to this instance of apt).
> 
> Otherwise it is almost impossible for a program which calls apt to
> reliable `unparse' the command line: that is, to convert an intended
> operation into a command line which instructs apt to always execute
> the specified operation.

The only time an issue can appear is if you have two or more packages
ending in + or - where one is a prefix of the other. As long as we
do not have such packages in the archive, there is no issue.

> 
> In some circumstances this could be a security problem.

In which?

> 
> Unfortunately this syntax is probably baked-in in some callers, so we
> will have to have a transition plan.  At the very least, apt should
> currently warn whenever an ambiguous string is interpreted other than
> as a literal package name.
> 
> I am thinking of submitting a patch which allows ambiguous package
> name specifications to be handled in one of three specified ways,
> according to the configuration:
>    - always treat as literal
>    - always treat as literal, with warning if behaviour changed
>    - current behaviour, with warning if behaviour could change
> 
> Would such a patch be welcome ?  We can then have a conversation about
> what the default should be.
> 
> I would like to press ahead with this regardless of agreement on
> replacement metasyntax.

I do not agree about deprecating this just because you say you want
something else. It works just fine in practice.

If you want a replacement, how about allowing +/- prefixes
instead? That does not seem ambigous, unless I'm missing
something.

But I'm not sure it's worth the effort.

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

Be friendly, do not top-post, and follow RFC 1855 "Netiquette".
    - If you don't I might ignore you.

Reply to:

Follow-Ups:
- Bug#768069: apt command line package name interpretation
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Bug#768069: apt command line package name interpretation
  - From: "Jonathan David Amery" <jdamery@ysolde.ucam.org>

References:
- Bug#768069: apt command line package name interpretation
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

Prev by Date: Bug#768069: apt command line package name interpretation
Next by Date: Processed: Re: Bug#768069: apt command line package name interpretation
Previous by thread: Bug#768069: apt command line package name interpretation
Next by thread: Bug#768069: apt command line package name interpretation
Index(es):
- Date
- Thread