
Bug#706778: debian-policy: Please explicitly forbid "-" at the start of Deb822 field names


Niels Thykier

May 4, 2013, 2:40:01 PM
Package: debian-policy
Severity: minor

Policy §5.1 states that:

"""
[...] The field name is composed of US-ASCII characters excluding
control characters, space, and colon (i.e., characters in the ranges
33-57 and 59-126, inclusive). Field names must not begin with the
comment character, #.
"""

This suggests that (e.g.)

"-Field: value"

is a valid field. Or (a bit more screwed):

"-----BEGIN: PGP SIGNATURE-----"

would be the field "-----BEGIN" with a value of "PGP SIGNATURE-----".

I would like to recommend that the Policy explicitly forbids the use of
"-" at the start of a field name.

~Niels



Guillem Jover

May 5, 2013, 10:30:02 PM
On Sat, 2013-05-04 at 20:27:50 +0200, Niels Thykier wrote:
> Package: debian-policy
> Severity: minor

> Policy §5.1 states that:
>
> """
> [...] The field name is composed of US-ASCII characters excluding
> control characters, space, and colon (i.e., characters in the ranges
> 33-57 and 59-126, inclusive). Field names must not begin with the
> comment character, #.
> """
>
> This suggests that (e.g.)
>
> "-Field: value"
>
> is a valid field. Or (a bit more screwed):
>
> "-----BEGIN: PGP SIGNATURE-----"
>
> would be the field "-----BEGIN" with a value of "PGP SIGNATURE-----".

Which is problematic because clearsigned messages need to be
dash-escaped, and I don't think any of our tools parsing these will
unescape them. Please see #696234 for a lengthier discussion on this,
where I wrongly thought dpkg/dpkg-dev already rejected those, but I've
checked now and it does not. :/

> I would like to recommend that the Policy explicitly forbids the use of
> "-" at the start of a field name.

I concur completely, and I'm considering rejecting such fields from
dpkg 1.17.x, for the reason above.

Thanks,
Guillem

Russ Allbery

May 6, 2013, 12:40:01 AM
Guillem Jover <gui...@debian.org> writes:
> On Sat, 2013-05-04 at 20:27:50 +0200, Niels Thykier wrote:

>> I would like to recommend that the Policy explicitly forbids the use of
>> "-" at the start of a field name.

> I concur completely, and I'm considering rejecting such fields from
> dpkg 1.17.x, for the reason above.

I also agree and am happy to second a patch.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Charles Plessy

Sep 15, 2013, 10:40:01 PM
On Sun, May 05, 2013 at 09:30:04PM -0700, Russ Allbery wrote:
> Guillem Jover <gui...@debian.org> writes:
> > On Sat, 2013-05-04 at 20:27:50 +0200, Niels Thykier wrote:
>
> >> I would like to recommend that the Policy explicitly forbids the use of
> >> "-" at the start of a field name.
>
> > I concur completely, and I'm considering rejecting such fields from
> > dpkg 1.17.x, for the reason above.
>
> I also agree and am happy to second a patch.

Hello everybody,

how about the attached patch ? I named ‘-’ hyphen because it is how it is
consistently called in the Policy (but unfortunately not in the
machine-readable specification for Debian copyright files).

Guillem, Russ, given your very positive opinion about the change, shall I list
you as seconding this patch ?

Have a nice day,

--
Charles Plessy
Tsurumi, Kanagawa, Japan
0001-Policy-Control-data-fields-must-not-start-with-a-hyp.patch

Russ Allbery

Sep 15, 2013, 10:50:01 PM
Charles Plessy <ple...@debian.org> writes:

> how about the attached patch ? I named ‘-’ hyphen because it is how it
> is consistently called in the Policy (but unfortunately not in the
> machine-readable specification for Debian copyright files).

> Guillem, Russ, given your very positive opinion about the change, shall
> I list you as seconding this patch ?

Looks good to me. Seconded.

Guillem Jover

Sep 16, 2013, 9:50:01 AM
Hi!

On Mon, 2013-09-16 at 11:32:14 +0900, Charles Plessy wrote:
> > Guillem Jover <gui...@debian.org> writes:
> > > I concur completely, and I'm considering rejecting such fields from
> > > dpkg 1.17.x, for the reason above.

I've got a local commit now rejecting these, targeted for 1.17.2.

> how about the attached patch ? I named ‘-’ hyphen because it is how it is
> consistently called in the Policy (but unfortunately not in the
> machine-readable specification for Debian copyright files).

Yeah I think hyphen is the correct word to use, I'll unify the wording
in dpkg too, there's some mentions of dash there.

> Guillem, Russ, given your very positive opinion about the change, shall I list
> you as seconding this patch ?

I'm happy to second such a change, although I've a nitpicking comment…

> diff --git a/upgrading-checklist.sgml b/upgrading-checklist.sgml
> index b58b740..883af61 100644
> --- a/upgrading-checklist.sgml
> +++ b/upgrading-checklist.sgml
> @@ -40,6 +40,10 @@ picking your way through this list.
> Unreleased.
>
> </p><p><taglist>
> +<tag>5.1</tag>
> + <item>Control data fields must not start with the hyphen character
> + (<tt>-</tt>) because it interferes with clearsigning control data files.
> + </item>
> <tag>5.4, 5.6.24</tag>
> <item><tt>Checksums-Sha1</tt> and <tt>Checksums-Sha256</tt> are now
> mandatory in <file>.dsc</file> files.
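
Review bot: In the added <item>, "Control data fields must not start with the hyphen character" restricts fields, whereas the §5.1 sentence quoted in the report is about field names ("Field names must not begin with the comment character, #"). Suggest "Control data field names must not start with the hyphen character (<tt>-</tt>)" so the checklist entry uses the same term as the section it points to. The "because it interferes with clearsigning control data files" clause in the same item does not say which step is affected; naming the parsing step would make the rationale checkable.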

Strictly speaking the problem is with (all?) deb822 parsers that do
not dash-unescape clearsigned messages, not with the possibly
dash-escaped control files; proper dash-escaping is there precisely
to avoid any interference from initial dashes.

And the reason to ban initial hyphens is because they do not make
sense in field names and I don't think it's worth updating all
parsers.

Thanks,
Guillem
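
Added example, not part of the thread and not dpkg's code: a field-name check implementing the quoted Policy §5.1 character ranges plus the leading-hyphen ban proposed in this bug, next to cleartext-signature dash-escaping, to show what a parser that does not unescape would see. All function names and sample stanzas are hypothetical and constructed for illustration.

```python
import re

# First character: ASCII 33-126 minus '#' (35), '-' (45) and ':' (58).
# Remaining characters: ASCII 33-57 and 59-126, as in the quoted Policy 5.1 text.
FIELD_NAME = re.compile(r"[\x21\x22\x24-\x2c\x2e-\x39\x3b-\x7e][\x21-\x39\x3b-\x7e]*")


def dash_escape(text):
    """Cleartext-signature dash-escaping: prefix '- ' to lines starting with '-'."""
    return "\n".join("- " + l if l.startswith("-") else l for l in text.split("\n"))


def dash_unescape(text):
    """Inverse of dash_escape, as done by a parser that handles clearsigning."""
    return "\n".join(l[2:] if l.startswith("- ") else l for l in text.split("\n"))


def bad_field_names(stanza):
    """Return (line_number, name) for each field line whose name is rejected."""
    bad = []
    for n, line in enumerate(stanza.split("\n"), start=1):
        if not line or line[0] in " \t#":  # blank, continuation or comment line
            continue
        name, colon, _ = line.partition(":")
        if not colon or not FIELD_NAME.fullmatch(name):
            bad.append((n, name))
    return bad


# Constructed sample stanzas, not taken from any real package.
CLEAN = "Package: hello\nVersion: 1.0\nDescription: demo\n continuation line"
HYPHEN = "Package: hello\n-Field: value"
ARMOR_LIKE = "-----BEGIN: PGP SIGNATURE-----"

if __name__ == "__main__":
    print(bad_field_names(CLEAN))                 # nothing rejected
    print(bad_field_names(HYPHEN))                # the '-Field' line is rejected
    print(dash_escape(HYPHEN).split("\n")[1])     # what the signed body contains
    print(bad_field_names(dash_escape(HYPHEN)))   # seen without unescaping
    print(dash_escape(CLEAN) == CLEAN)            # escaping leaves it untouched
```

With the leading hyphen banned, no valid field line is ever altered by dash-escaping, so a parser that skips unescaping still reads the same field names.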

Charles Plessy

Sep 22, 2013, 6:50:02 AM
Thanks Guillem,

I will replace "because it interferes with clearsigning control data files" by
"to avoid potential confusions when parsing clearsigned control data files that
were not properly unescaped".

Have a nice day,

--
Charles Plessy
Tsurumi, Kanagawa, Japan


Charles Plessy

Oct 17, 2013, 7:10:02 PM
On Sun, Sep 22, 2013 at 07:39:19PM +0900, Charles Plessy wrote:
> On Mon, Sep 16, 2013 at 03:45:51PM +0200, Guillem Jover wrote:
> > On Mon, 2013-09-16 at 11:32:14 +0900, Charles Plessy wrote:
> > >
> > > </p><p><taglist>
> > > +<tag>5.1</tag>
> > > + <item>Control data fields must not start with the hyphen character
> > > + (<tt>-</tt>) because it interferes with clearsigning control data files.
> > > + </item>
> > > <tag>5.4, 5.6.24</tag>
> > > <item><tt>Checksums-Sha1</tt> and <tt>Checksums-Sha256</tt> are now
> > > mandatory in <file>.dsc</file> files.
> >
> > Strictly speaking the problem is with (all?) deb822 parsers that do
> > not dash-unescape clearsigned messages, not with the possibly
> > dash-escaped control files; proper dash-escaping is there precisely
> > to avoid any interference from initial dashes.
> >
> > And the reason to ban initial hyphens is because they do not make
> > sense in field names and I don't think it's worth updating all
> > parsers.
>
> I will replace "because it interferes with clearsigning control data files" by
> "to avoid potential confusions when parsing clearsigned control data files that
> were not properly unescaped".

Pushed with that change, cheers.