Ran into this today, breaking dep:

> dep ensure
The following errors occurred while deducing packages:
  * "pault.ag/go/debian/control": unable to deduce repository and source type for "pault.ag/go/debian/control": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://pault.ag/go/debian/control?go-get=1": Get https://pault.ag/go/debian/control?go-get=1: x509: certificate has expired or is not yet valid

validateParams: could not deduce external imports' project roots

Would be really helpful if you could renew the cert

because lolz

it's currently sucky

to write stuff back out

It isn't documented that one has to use pault.ag/go/debian and can't use github.com/paultag/go-debian as alternative. This should be documented in README.md.

$ go get pault.ag/go/debian/control && echo OK || echo FAIL
OK

$ go get github.com/paultag/go-debian/control && echo OK || echo FAIL
../github.com/paultag/go-debian/control/changes.go:33:2: use of internal package not allowed
FAIL

Alternatively it might be worth to just get rid of the internal package or to make it public.

error on load file : xz: LZMA2 dictionary size exceeds max

file: google-chrome-beta_107.0.5304.68-1_amd64.deb

in particular, the Ar could be streamed if we're clever

add tests for dsc and changes file validation

Attached is an archive with .deb files, all taken from the Ubuntu or Debian package repository. They all use XZ compression and none of them can currently be opened with the library. They all result in one of the following errors:

1. xz: file format not recognized
2. xz: data is truncated or corrupt

problem-deb2.tgz

example: http://mirrors.aliyun.com/ubuntu/pool/main/l/linux-aws/linux-image-unsigned-5.15.0-1004-aws_5.15.0-1004.6_amd64.deb

file list:

$ tar -xvf linux-image-unsigned-5.15.0-1004-aws_5.15.0-1004.6_amd64.deb 
x debian-binary
x control.tar
x data.tar

If a field has a trailing newline, it can be marshaled as a separate paragraph.

I see that in parsing you take special precautions for the case of a line that is a single space/tab followed by a period (https://github.com/paultag/go-debian/blob/master/control/parse.go#L228-L230) to treat that as an empty line. But when you marshal a property that has trailing newlines you don't currently take any special precautions.

Meaning that when I go to marshal an array of objects I can end up with:

ID: 1
Description: Description here
 and continues here.

Name: Object1

ID: 2
Description: Single-line desc
Name: Object2

which now gets improperly parsed.

Would you argue that it's the client's responsibility to prune such trailing newlines before serializing? Or would you be open to a PR that alters the serialization behavior to take advantage of that special case mention above and translate trailing newlines to include a leading whitespace and a period so that it gets rendered like so:

ID: 1
Description: Description here
 and continues here.
 .
Name: Object1

ID: 2
Description: Single-line desc
Name: Object2

I believe that could be parsed properly.

The version module is very strongly based o the now named lib/dpkg/version.c dpkg implementation, down to structure and symbol names. But neither the license nor copyright seem to have been preserved. :(

Looks like some recently merged code prevents this package from building with recent Go:

go test
# => changes.go:33:2: use of internal package not allowed

go version
#=> go version go1.10.3 darwin/amd64

Encountered this when attempting to create a PR for #95

for some reason I can't Unmarshal into a type Foos []Foo, func (f *Foos) UnmarshalControl

Hi @paultag,

I'm one of the authors of https://github.com/xor-gate/debpkg. We had some discussion in issue xor-gate/debpkg#26 about exposing internals of debian packages. Your package seems to used for only reading debian package and the debpkg package only for writing packages. What do you think to combine forces and create one library for both read/write of debian packages? Currently we use debpkg in production and it is very stable for our usecase (debianize golang applications).

Kind regards,
Jerry Jacobs

Thanks to #13, I've tracked down the source of why I can't parse debian/control of src:golang:

Line "# DO NOT EDIT THIS FILE. EDIT debian/control.* instead!\n" is not 'key: val'

It super sucks right now.

At the least, we should likely operate on io.Reader / io.Writer or something.

Also, the code's a disaster.

As a field, if I update either of the fields it depends on, it doesn't update. 😉

If I parse a .changes file with ParseChangesFile, I would assume that changes.Move would know the full path of the changes file and make no assumptions about the current work directory.

Should Move() and Rename() range over AbsFiles() instead of just Files?

The HTTPS certificate for https://pault.ag/go/debian expired on 3/28. This is breaking dep ensure for us.

I'm trying to use control to unmarshal a Release file, e.g.:

type Release struct {
	Origin        string
	Suite         string
	Codename      string
	Architectures []string
	Components    []string
	MD5Sum        []control.MD5FileHash
	SHA1          []control.SHA1FileHash
	SHA256        []control.SHA256FileHash
}

r := &Release{}
err := control.Unmarshal(r, reader)

But I get a panic:
panic: runtime error: index out of range
at:
pault.ag/go/debian/control/filehash.go:133

Which is in:
func (c *FileHash) unmarshalControl(algorithm, data string) error

Firstly, is this the right way to use those FileHash fields?

Secondly, things seem a bit odd with if len(data) < 4:

1. Do you mean to check the length of vals?
2. Why 4? I would have thought the length should be 3?
   cb136f28a8c971d4299cc68e8fdad93a8ca7daf3 1131 dput-ng_1.9.dsc

Jeff

This is probably a mistake :)

they likely mostly leak files

No members ought to have a trailing slash ever, so always remove it.

Thanks guillem!

Thanks to @stapelberg for fixing the EOF stuff. Never was happy with that. Worth a minor bump!

as requested by @aviau

use reflection to load control vars, and all sorts of pretty neat magic.

The Paragraph#Set function is on the paragraph value not a pointer. Therefore, the assignment to Order may not be visible outside that function.

	p.Order = append(p.Order, key)

It is possible (if Order has capacity) that the append call updates the underlying array. If append allocates a new array, the change will not be visible.

Simplest example showing the problem:

package main

import (
	"fmt"

	"pault.ag/go/debian/control"
)

func main() {
	par := control.Paragraph{Order: nil, Values: map[string]string{}}
	par.Set("key", "value")
	fmt.Printf("par: %#v\n", par)
}

Output:

par: control.Paragraph{Values:map[string]string{"key":"value"}, Order:[]string(nil)}

Workaround: Build the internals of Paragraph by hand and do not rely on Set.

somehow be able to pull substvars out

Packages built on modern debians are not installable on old debians, due to used compression (data.tar.xz). I need to forbid such packages to get to repositories for old systems. It would be nice to pass filename of control and data tar to caller (e.g. by extending 'deb' struct).

not just ignore them

read clearsigned things

even in an interface name (It's Unmarshallable)

Hey! It looks pault.ag is down. This is breaking dep ensure for us. Thanks.

…this is because it treats any as a wildcard, matching anything (even arch:all).

Correct me if I’m wrong, but I think arch:all should not be matched by any. After all, that’s the critical distinction between the two, right?

Do you want me to send a PR to fix this or do you want to fix it yourself? :)

Can support for SHA512 be added?

The Docker repository's Release files contain SHA512 hashes.
https://apt.dockerproject.org/repo/dists/ubuntu-xenial/Release

Source: fluxbox (1.3.6~rc1-1) is valid. We should find some way to store that

https://wiki.debian.org/RepositoryFormat#A.22Release.22_files:

The "Release" files, "Packages" and "Sources" indicies, and files called "Index" that are used for translations and differences are control files, as defined in Policy, Chapter 5. In addition to the rules for control files, field names shall be generated using the case defined in this document, that is, code creating repositories shall be case-sensitive, but code reading repositories should not be case-sensitive.

I guess this aplies also to .changes files.

It will be neat to have option to either ignore case or require proper case (i.e., "raise error" when decoding key that matches key from struct only case-insensitively).

At present, archive members can only be read in order: continuing to the next one consumes all data from the existing LimitedReader.

This makes it somewhat more difficult than it would otherwise be to check debsig-style signatures (for which an io.MultiReader(controlReader, dataReader) would otherwise be the perfect thing to pass to openpgp.CheckDetachedSignature) without (necessarily and unambiguously) copying everything into RAM.

At the expense of requiring a seekable file handle on the underlying file, one could switch from a LimitedReader interface to a SectionReader, to make reads still possible after ar.Next() has been called.

See blakesmith/ar#11 for a concrete idea of what's being proposed. (I'd be happy to provide a concrete implementation here as well should it be welcome; implemented above on top of blakesmith/ar before discovering that go-debian existed).

since it's a hell of a lot cleaner

I hate the FooFile convention we've grown. Ideas? cc @tianon

Parsing -----BEGIN PGP as a control file results in a crash

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x5626de]

goroutine 1 [running]:
pault.ag/go/debian/control.(*ParagraphReader).decodeClearsig(0xc000010710, 0x0, 0xc0000cf000, 0xf)
	/home/paultag/.goenvs/fuzz/src/pault.ag/go/debian/control/parse.go:294 +0x3ae
pault.ag/go/debian/control.NewParagraphReader(0x5d6a20, 0xc000062240, 0x0, 0x7f036c650000, 0x0, 0x5d6b20)
	/home/paultag/.goenvs/fuzz/src/pault.ag/go/debian/control/parse.go:137 +0x153
pault.ag/go/debian/control.NewDecoder(0x5d6a20, 0xc000062240, 0x0, 0x57d720, 0x10000c000010601, 0x6f22a8)
	/home/paultag/.goenvs/fuzz/src/pault.ag/go/debian/control/decode.go:90 +0x75
pault.ag/go/debian/control.Unmarshal(0x5979c0, 0xc0000947f0, 0x5d6a20, 0xc000062240, 0x0, 0xc0000106f0)
	/home/paultag/.goenvs/fuzz/src/pault.ag/go/debian/control/decode.go:71 +0x5a
pault.ag/go/debian/control.ParseControl(0xc000062240, 0x5b3778, 0x6, 0x4320cf, 0xc000000300, 0x200000003)
	/home/paultag/.goenvs/fuzz/src/pault.ag/go/debian/control/control.go:147 +0x126
_/home/paultag/dev/local/debian-fuzz.Fuzz(0x7f03681fc000, 0xf, 0x200000, 0x3)
	/home/paultag/dev/local/debian-fuzz/debian.go:13 +0xef
go-fuzz-dep.Main(0xc0000a1f80, 0x1, 0x1)
	/tmp/go-fuzz-build890815257/goroot/src/go-fuzz-dep/main.go:36 +0x1b6
main.main()
	/tmp/go-fuzz-build890815257/gopath/src/_/home/paultag/dev/local/debian-fuzz/go.fuzz.main/main.go:15 +0x52
``

go-debian shouldn't grow that stuff; need to patch all things using the API

The HTTPS certificate for https://pault.ag/go/debian expired on 1/23. This is breaking dep ensure for us.

Thanks