[Aptitude-devel] Pre-Install-Pkgs breaks interactive programs (was: Bug#662983: When called by aptitude, apt-listbugs crash and precludes the package upgrade)

Daniel Hartwig mandyke at gmail.com
Fri Mar 9 02:47:44 UTC 2012


[added deity@ as it concerns APT protocols]

On 9 March 2012 01:59, Francesco Poli <invernomuto at paranoici.org> wrote:
> On Thu, 8 Mar 2012 10:50:44 +0800 Daniel Hartwig wrote:
>
>> On 8 March 2012 10:49, Daniel Hartwig <mandyke at gmail.com> wrote:
>> >
>> > Apt-listbugs could try harder to avoid directly reading from /dev/tty
>> >
>>
>> Of course, here I am referring to reading from stdin instead.
>
> I wonder whether this is at all possible...
>
> I am not 100 % sure, since I was not involved in apt-listbugs
> development at the time when these parts of the code were initially
> laid out, but I think that one of the main reasons why apt-listbugs
> needs to explicitly open "/dev/tty" is that it needs to perform the
> following steps (when run in "apt" mode):
>
>  * first it reads the input provided by apt-get or aptitude or other
> compatible package manager through the Pre-Install-Pkgs hook info
> protocol version 2 (see /etc/apt/apt.conf.d/10apt-listbugs , I am sure
> the Aptitude Development Team members are more knowledgeable than me
> about this protocol); this input is provided to apt-listbugs on its
> STDIN, as through a pipe
>
>  * when this input ends (EOF), apt-listbugs needs to be able to become
> interactive and ask questions to the user, and get answers from STDIN,
> and possibly also run a web browser (that could be a textual browser,
> depending on the user preferences) and let the user interact with the
> browser, until it exits and comes back to the apt-listbugs interactive
> prompt
>
> Currently, apt-listbugs does all this by opening "/dev/tty", after the
> input provided by apt(itude) ends.
> I don't know whether there's a better way to achieve this result,
> without being limited by the security fix for CVE-2005-4890...
>
>
> Any idea?
> I haven't found much documentation about these tricks in Ruby...  :-(
>

Ok.  That all makes sense to me.  I had not taken a detailed look as
the use of /dev/tty immediately struck me as being out of place.

AFAIK apt-listbugs is the only program which attempts to be
interactive on this hook.

APT team:

[Programs run via 'su' do not have access to /dev/tty.]

It appears that the Pre-Install-Pkgs hook [1] does not consider the
needs of interactive programs to have access to stdin from the user.

Is this an intentional choice?  Interactive programs are not advised
for this hook?

If not, could the protocol be updated to send the package list on a new
FD rather than stdin?


Regards

[1] apt/apt-pkg/dpkg/dpkgpm.cc:274
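
The two-phase pattern discussed in this message (consume the hook input until EOF, then find a stream to prompt on), as an added Ruby example that is not part of the original message and not apt-listbugs code. The function names, the `tty_path` parameter and the sample input are constructed for illustration. When no terminal can be opened, as for programs run via 'su', it reports that instead of crashing.

```ruby
# Added example: hypothetical helper names, not taken from apt-listbugs.

# Phase 1: read everything the package manager sends, until EOF.
def read_hook_input(io)
  io.each_line.map(&:chomp).reject(&:empty?)
end

# Phase 2: choose a stream for prompting the user.
# Prefer stdin when it is already a terminal (the case if the package list
# were sent on a separate FD); otherwise try the controlling terminal.
# Returns nil when no terminal can be opened.
def interactive_input(stdin: $stdin, tty_path: "/dev/tty")
  return stdin if stdin.tty?
  File.open(tty_path, "r")
rescue SystemCallError # ENXIO, ENOENT, EACCES: no usable terminal
  nil
end

# Combine both phases and report which mode the hook can run in, so the
# caller can apply an explicit policy rather than die on a failed open.
def run_hook(list_io, stdin: $stdin, tty_path: "/dev/tty")
  packages = read_hook_input(list_io)
  input = interactive_input(stdin: stdin, tty_path: tty_path)
  [input.nil? ? :noninteractive : :interactive, packages]
ensure
  # Close only a terminal handle we opened ourselves.
  input.close if input && !input.equal?(stdin)
end

if __FILE__ == $0
  # Constructed sample input, written to a pipe the way a hook receives it.
  reader, writer = IO.pipe
  writer.write("VERSION 2\n\nexample-pkg 1.0-1 < 1.0-2 **CONFIGURE**\n")
  writer.close
  # A non-existent path stands in for a /dev/tty that cannot be opened.
  mode, packages = run_hook(reader, stdin: reader, tty_path: "/nonexistent/tty")
  puts "mode=#{mode} lines=#{packages.length}"
end
```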


