* Ximin Luo <infini...@debian.org> [191223 12:58]:
> dpkg and all other debian tools support it right now. It is only reprepro
> with this artifical constraint, which makes it not work for packages that are
> processable by dpkg and other debian tools.
If it is artifical, then it is artifically high. It is 128 times more than
what almost every single package needs and more than five times what the most
absurd package before needed and twice what other tools are said to have
had as limit there. I will increase it in reprepro (and maybe might make it
configurable to some extent), but there will always be an upper limit.
> Are you suggesting that dpkg and other tools have a concrete security problem?
dpkg does not check checksums of index files, so it is likely
uneffected. If apt has no limit then that likely makes some attacks
needlessly easy (though it might have other mitigations in that regard,
and there are less things apt has to care about the way it is typically
used).
Accepting absurd input without confirmation is never a secure way to handle
things, though.
Bernhard R. Link
