Bernhard R. Link:
> * Ximin Luo [191223 12:58]:
>> dpkg and all other debian tools support it right now. It is only reprepro
>> with this artificial constraint, which makes it not work for packages that
>> are processable by dpkg and other debian tools.
>
> If it is artificial, then it is
* Ximin Luo [191223 12:58]:
> dpkg and all other debian tools support it right now. It is only reprepro
> with this artificial constraint, which makes it not work for packages that are
> processable by dpkg and other debian tools.
If it is artificial, then it is artificially high. It is 128 times
Bernhard R. Link:
> [..]
>
> As the comment describes, accepting arbitrarily long control data would
> open all kinds of security issues and require quite some hard to properly
> test code. Most of the attacks enabled by having longer control chunks
> might be able to be mitigated some way, but that
* Ximin Luo [191223 09:16]:
> A long-term fix would be to fix this:
>
> line 151-166:
> 	if (f->size - f->ofs <= 2048) {
> 		/* Adding code to enlarge the buffer in this case
> 		 * is risky as hard to test properly.
> 		 *
Control: reassign -1 reprepro 5.3.0-1
Control: retitle -1 reprepro imposes arbitrary limits on control files that are
successfully parsed by other debian tools
Ximin Luo:
> [..]
> I'll take a look at reprepro in the next 2-3 weeks; arbitrary limits like
> 256K should be pretty easy to fix (have
Hello Ximin,
On Thu, 17 Oct 2019, Ximin Luo wrote:
> >> Do you have some concrete suggestions on how to improve the tool to reduce
> >> this "abuse"?
> >
> > Yes, I gave you one.
>
> It doesn't work.
Look, I'm not a cargo/rust expert, I won't design the tool for you but I
implemented
Ximin Luo writes:
> Raphael Hertzog:
>> Don't abuse the "Provides" field when you have such a volume of
>> interfaces to document.
>
> Can you please explain why 256 KB provides field is "abuse"?
The Packages index is a shared resource by all packages and every Debian
user has to download and
Raphael Hertzog:
> On Thu, 17 Oct 2019, Ximin Luo wrote:
>> Can you please explain why 256 KB provides field is "abuse"?
>
> Because that's the amount of metadata required for 250 common packages.
>
So? There are some Debian packages that have much more than 250 times the data
of common
On Thu, 17 Oct 2019, Ximin Luo wrote:
> Can you please explain why 256 KB provides field is "abuse"?
Because that's the amount of metadata required for 250 common packages.
> Do you have some concrete suggestions on how to improve the tool to reduce
> this "abuse"?
Yes, I gave you one.
> BTW,
Ximin Luo:
> Raphael Hertzog:
>> On Thu, 17 Oct 2019, Ximin Luo wrote:
>>> Control: tags -1 + wontfix
>>
>> This is clearly not acceptable. You can't ignore problems like this one.
>> I saw you already broke debian-installer once with the former packages
>> that overflowed the 16K limit of
Raphael Hertzog:
> On Thu, 17 Oct 2019, Ximin Luo wrote:
>> Control: tags -1 + wontfix
>
> This is clearly not acceptable. You can't ignore problems like this one.
> I saw you already broke debian-installer once with the former packages
> that overflowed the 16K limit of cdebootstrap. Now it's
11 matches