Hello,
this is an update on the situation of quoted %-escapes in mailcap rules:

Of the 86 packages that are affected in buster:

- 39 have been fixed by the maintainers independently (presumably thanks to the 
lintian tag):

audacity cgoban clustalx debian-edu-config djview4 drumkv1 feh geeqie 
ginkgocadx gpa graphicsmagick hatari html2text inkscape ivtools-bin juce-tools 
ktikz less ngraph-gtk njplot odt2txt okular okular-extra-backends padthv1 
puredata-gui pyxplot qgis qtikz rhythmbox samplv1 sweethome3d sxiv synthv1 
tkinfo valentina xarchiver xchm xli xmedcon

- 4 have been removed:

smpeg-gtv writetype xcftools xchat

- 6 have been fixed as a result of #950319, reported by Frank Loeffler:

libreoffice-base libreoffice-calc libreoffice-draw libreoffice-impress 
libreoffice-math libreoffice-writer

- 9 have been fixed (or pending upload) as a result of my own bug reports:

docx2txt emboss flowblade info katarakt man-db mutt stopmotion tar

- 28 (the remaining) have open bug reports reported by me:

alsaplayer-daemon(#987421) alsaplayer-gtk(#987421) alsaplayer-text(#987421) 
alsaplayer-xosd(#987421) caca-utils(#987422) carmetal(#987401) 
congruity(#985593) dia(#987402) fbi(#987403) freeplane(#985597) 
gnumeric(#985598) gthumb(#985599) imagemagick-6.q16(#987691) 
imagemagick-6.q16hdri(#987691) k4dirstat(#987694) latexdraw(#985601) 
libgsm-tools(#987404) mgetty-viewfax(#987424) most(#987405) 
mysql-workbench(#987693) neomutt(#982681) openshot-qt(#982953) planner(#987406) 
qgo(#987414) smpeg-plaympeg(#987692) tenace(#987416) ttyrec(#987407) 
vorbis-tools(#982951)

As of now, all but one (#987405) are without reply.

I've made an effort to speed up the adoption of the lintian policy, but I still 
think it is vital to have the policy written in the man page.

Two years ago this issue was blocking my work, so I carefully read all the 
documentation provided by the mime-support package, but found no useful 
information at all. At that time I was not aware of archived bug #90483 which 
is basically a duplicate of this one. I would have saved so many hours if the 
outcome of #90483 had been documented.

In my opinion, no divergence with other platforms has been avoided, just 
hidden. Only if the divergence is visible can it be fixed. Only if there is a 
clear way to assign responsibility for security problems can they be fixed. 
Even within Debian there are different mailcap components incompatible with 
each other.

My response to the "wait and see" argument is that 20+ years of bad security 
and inconvenience is enough. My response to the "mailcap is dead" argument is 
"I wish!".

The lintian tag is a big improvement, but some people still think it's not 
official enough; for example, the libreoffice maintainer was reluctant to follow 
it.

Possibly, the Debian Policy Manual is also a good place to reach maintainers:
https://www.debian.org/doc/debian-policy/ch-opersys.html#registration-of-media-type-handlers-with-mailcap-entries

Thanks,
MNZ
