
What counts as "'serious usage' of apt-ftparchive"?

Posted Nov 26, 2025 13:51 UTC (Wed) by ATLief (subscriber, #166135)
Parent article: APT Rust requirement raises questions

I use apt-ftparchive to distribute custom builds to all of my personal devices and to share them with friends. I don't make any money with it, though.

Would that count as "serious usage"?



What counts as "'serious usage' of apt-ftparchive"?

Posted Nov 26, 2025 16:50 UTC (Wed) by smcv (subscriber, #53363)

If you trust (or are responsible for) those custom builds, it doesn't really matter whether this is serious usage or not, because presumably you aren't expertly crafting them to exploit bugs in apt-ftparchive (if you did, you'd only be hurting yourself and your users, which you can do more easily by putting something malicious in the packages). The point at which you start using it to parse a .deb that might have been maliciously crafted by an attacker (like Launchpad PPAs) is the point at which bugs become security vulnerabilities.

(Probably Launchpad should be mitigating this by running apt-ftparchive in a sandbox that has no read access to anything non-public except for the target PPA's per-PPA signing key, and no write access to anything except the target PPA's metadata; and for all I know, maybe they already do.)
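The confinement described in the comment above, written out as a bubblewrap (`bwrap`) invocation. This is an added example, not part of any comment and not Launchpad's configuration; the `/ppa` mount points, the key path, the `pool/` and `dists/` layout and a merged-`/usr` host are assumptions.

```shell
#!/bin/sh
# Added illustration: bwrap arguments for a confined apt-ftparchive run.
# All paths are hypothetical placeholders; host is assumed to be merged-/usr.

# Print the bwrap argument vector, one argument per line.
#   $1 = PPA root: pool/ holds the untrusted .debs, dists/ holds the metadata
#   $2 = that PPA's signing key file
sandbox_args() {
    ppa=$1 key=$2
    printf '%s\n' \
        --unshare-all --die-with-parent --new-session --clearenv \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --proc /proc --dev /dev --tmpfs /tmp \
        --ro-bind "$ppa/pool" /ppa/pool \
        --bind "$ppa/dists" /ppa/dists \
        --ro-bind "$key" /run/ppa-signing.key \
        --chdir /ppa \
        --setenv PATH /usr/bin
}

# Run the index step inside the sandbox. --unshare-all removes network access;
# the only writable host path is this PPA's dists/ directory, and the only
# non-public file visible is this PPA's key (read-only, for the signing step).
run_indexer() {
    ppa=$1 key=$2
    set --
    # Rebuild "$@" from the line-oriented list (paths must not contain newlines).
    while IFS= read -r arg; do
        set -- "$@" "$arg"
    done <<EOF
$(sandbox_args "$ppa" "$key")
EOF
    bwrap "$@" sh -c 'apt-ftparchive packages pool > dists/Packages'
}

# Usage: script.sh /path/to/ppa /path/to/ppa-signing.key
if [ "$#" -eq 2 ]; then
    run_indexer "$1" "$2"
fi
```

A parser bug triggered by a crafted .deb in `pool/` is then limited to corrupting that one PPA's metadata and reading that one PPA's key.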

What counts as "'serious usage' of apt-ftparchive"?

Posted Nov 26, 2025 18:31 UTC (Wed) by edgewood (subscriber, #1123)

In addition to what smcv wrote, adding Rust to apt-ftparchive would only make a (negative) difference to you if you want to develop apt-ftparchive and don't want to learn Rust, or if you use it on one of the four legacy platforms that the article discusses.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds