
Bug#768069: apt command line package name interpretation



Julian Andres Klode writes ("Re: Bug#768069: apt command line package name interpretation"):
> Control: severity -1 wishlist
...
> The only time an issue can appear is if you have two or more packages
> ending in + or - where one is a prefix of the other. As long as we
> do not have such packages in the archive, there is no issue.

It can happen if anyone anywhere in the world ever creates any such
pair of packages.  apt is not just for Debian - it is for our
downstreams, too.

> > In some circumstances this could be a security problem.
> 
> In which?

For example, someone could attempt to allow a user to only install
packages.  If the user requests to install a package whose name ends
in `-', the corresponding package will be removed.

> If you want a replacement, how about allowing +/- prefixes
> instead? That does not seem ambiguous, unless I'm missing
> something.

Yes, +/- prefixes would work for this, but - prefixes conflict with
option names.

That `.' is a metacharacter is a problem too.

Ian.
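
An added illustration, not part of the original message and not apt's own code: an argument check for the "install-only" front end described above, which refuses anything apt could read as an option, a removal request or a pattern instead of an exact package name. The function names and the KNOWN allow-list are hypothetical, the sample names are constructed, and rejecting every trailing `-` is a conservative choice made for this sketch.

```python
import re

# Debian Policy package-name syntax: lower-case letters, digits, "+", "-", ".";
# at least two characters, starting with an alphanumeric.
POLICY_NAME = re.compile(r"[a-z0-9][a-z0-9+.-]+")

# Constructed allow-list of exact names the wrapper may install (assumption).
KNOWN = {"g++", "libc6", "python3.11"}


def check_install_arg(arg, known_packages):
    """Return (ok, reason) for one argument destined for `apt-get install`."""
    if arg.startswith("-"):
        return False, "looks like an option"
    if not POLICY_NAME.fullmatch(arg):
        # Also rejects name=version, name/release and name:arch forms.
        return False, "not a valid package name"
    if arg.endswith("-"):
        # Trailing "-" is apt's removal modifier; refuse it even if such a
        # package exists, trading a rare legitimate name for safety.
        return False, "trailing '-' requests removal"
    if arg not in known_packages:
        # Unknown names must not reach apt, where a trailing "+" or a "."
        # may be reinterpreted as a modifier or a regular expression.
        return False, "not an exact known package name"
    return True, "exact package name"


def build_command(args, known_packages):
    """Build the argv for an install-only wrapper, or raise ValueError."""
    for arg in args:
        ok, reason = check_install_arg(arg, known_packages)
        if not ok:
            raise ValueError(f"refusing {arg!r}: {reason}")
    # "--" ends option parsing, so no name can be taken as a flag.
    return ["apt-get", "install", "--"] + list(args)


if __name__ == "__main__":
    for candidate in ["g++", "libc6-", "--purge", "lib.6"]:
        print(candidate, check_install_arg(candidate, KNOWN))
```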

