Bug#977355: UserWarning: cannot parse package relationship "i", returning it raw

[Stuart Prescott]

On Monday, 14 December 2020 21:42:08 AEDT Raphaël Hertzog wrote:
> This is due to a buggy package containing a dependency on "i" (it's
> libmagics++-dev, bug filed already) but I don't see any reason for deb822
> to fail on this dependency. It's a very short package name that we should
> likely not allow in Debian but I don't a reason to not be able to parse
> it (in particular when nothing else in the build machinery choked on that
> dependency, starting with dpkg-gencontrol).
> 
> Please update the __dep_RE regex to accept single-character dependencies:
> 
>    1421     __dep_RE = re.compile(
>    1422         r'^\s*(?P<name>[a-zA-Z0-9.+\-]{2,})'

Policy demands that package names be at least two characters long which is 
where this requirement originally came from. On the other hand, policy also 
demands that the package name start with [a-z0-9] and be all lower case and 
this regex doesn't enforce either of those requirements.

https://www.debian.org/doc/debian-policy/ch-controlfields.html#source

This is the classic "should we validate the input?" problem that python-debian 
always struggles with. In other places, we've made the strictness of 
validation optional, but that doesn't look to be feasible here.

I guess it's reasonable to simply allow a single character to start, as in:

	(?P<name>[a-zA-Z0-9][a-zA-Z0-9.+\-]*)

(that still disallows packages to start with . + -)

cheers
Stuart

-- 
Stuart Prescott    http://www.nanonanonano.net/   stuart at nanonanonano.net
Debian Developer   http://www.debian.org/         stuart at debian.org
GPG fingerprint    90E2 D2C1 AD14 6A1B 7EBB 891D BBC1 7EBB 1396 F2F7