Package: useradd,adduser
Control: found -1 passwd/1:4.15.2-2

Hello adduser Maintainers!

src:shadow carried for a very long time a Debian-specific patch to
relax its user- and group-name checking (without --badname).
Looking at the old bug reports that were "fixed" using that patch,
what people seemingly wanted were
 A) allow uppercase characters in names
 B) allow purely numeric names

A was fixed upstream a long time ago and is permissible. B seems
like a bad idea to me, because in a lot of places there is no
namespace separation between user/group names and IDs. Allowing
purely numeric names can only cause trouble.

With this research in mind, and the fact that no other distro seems
to need "anything goes" rules, I dropped the Debian-specific patch
in 1:4.15.2-2.

However, adduser has an explicit test to allow "bob;>/hacked", which
now fails.

For src:shadow, I would really like to not have a divergence from
upstream in this regard. I think if we have clear requirements then
we (I) can submit them upstream and I would expect upstream to
accept patches.
I do feel that making the case for "bob;>/hacked" would be very hard.

Do the adduser maintainers have specific requirements in mind for
the allowable names?

useradd is supposed to follow this regex:
  [a-zA-Z0-9_.][a-zA-Z0-9_.-]*$\?

(Note that it open-codes that as a per-character check instead, but
if that's buggy it can be fixed.)


Chris

PS: in the meantime src:shadow will re-apply the historic Debian
patch, but please let's sort this out for trixie.
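Added example, not part of this bug report or of src:shadow's own code: a C check that implements the useradd regex quoted above (per-character, with the optional trailing `$`) and, separately, the policy the message argues for of also rejecting purely numeric names. The function names are my own; the combined `name_is_acceptable` is the proposed policy, not current upstream behaviour.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* A character allowed anywhere in a name: [a-zA-Z0-9_.]
 * (C locale assumed, so isalnum() covers ASCII letters and digits only). */
static bool name_core_char(unsigned char c)
{
    return isalnum(c) || c == '_' || c == '.';
}

/* True if name matches [a-zA-Z0-9_.][a-zA-Z0-9_.-]*$?
 * i.e. the useradd rule from the report; hyphens may not lead,
 * and a single '$' is permitted only as the last character. */
bool name_matches_useradd_regex(const char *name)
{
    size_t len = strlen(name);
    if (len == 0)
        return false;
    if (name[len - 1] == '$')      /* optional trailing '$' */
        len--;
    if (len == 0)                   /* "$" alone is not a name */
        return false;
    if (!name_core_char((unsigned char)name[0]))
        return false;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!name_core_char(c) && c != '-')
            return false;
    }
    return true;
}

/* True if every character is an ASCII digit (e.g. "1000"), which the
 * regex alone would accept but which collides with numeric UIDs/GIDs. */
bool name_is_purely_numeric(const char *name)
{
    if (*name == '\0')
        return false;
    for (const char *p = name; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return false;
    return true;
}

/* Proposed policy from the report: regex-valid and not purely numeric. */
bool name_is_acceptable(const char *name)
{
    return name_matches_useradd_regex(name) && !name_is_purely_numeric(name);
}
```

With this rule the adduser test string "bob;>/hacked" is rejected by the regex alone, uppercase names such as "Bob" pass, and "12345" passes the regex but fails the numeric-name policy.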
