No validation on metadata fields can break packages
It's possible to provide random data via install_if (and potentially other metadata fields) that are fed directly to the package control data, which in turn will break the index (package file format error).
Should we add validation to those fields so that we know it's not garbage?
This commit, for example, set install_if to:
install_if="$
# The group tag is just to easily find this APKBUILD by some scripts for automation
# group=kde-applications
which was fed directly into the apk .PKGINFO file:
install_if = $ # The group tag is just to easily find this APKBUILD by some scripts for automation # group=kde-applications pkgname=23.04.3-r1 nftables
and the package was successfully added to the index. But afterwards, any attempt to add new packages to the index failed with:
>>> kdeconnect: Updating the community/s390x repository index...
ERROR: kdeconnect-nftables-23.04.3-r1.apk: package file format error
>>> ERROR: kdeconnect: Failed to create index
After fixing the packages, this was fixed by removing the old package from the index with abuild cleanoldpkg; abuild cleanpkg and building it again.
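One way the validation asked about above could look, as an added example that is not abuild's own code: a POSIX sh check that rejects a dependency-style field before it is written to .PKGINFO. The function name validate_dep_field and the token grammar (optional `!`, a name, an optional operator and a version starting with a digit) are assumptions, simplified for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not abuild code).
# Assumed, simplified token grammar: [!]name[<op>version]
#   name:    starts alphanumeric, then A-Za-z0-9 + _ . : / -
#   op:      <= >= ~= = < > ~
#   version: starts with a digit
DEP_RE='^!?[A-Za-z0-9][A-Za-z0-9+_.:/-]*((<=|>=|~=|=|<|>|~)[0-9][A-Za-z0-9._~+-]*)?$'

# validate_dep_field FIELD VALUE
# Returns 0 if every whitespace-separated token matches DEP_RE, else 1.
# The body runs in a subshell so 'set -f' does not leak into the caller.
validate_dep_field() (
	field=$1
	rc=0
	set -f	# a stray '*' must be checked, not glob-expanded
	for tok in $2; do
		if ! printf '%s\n' "$tok" | grep -Eq "$DEP_RE"; then
			echo "ERROR: $field: invalid token '$tok'" >&2
			rc=1
		fi
	done
	exit $rc
)

# Value that ended up in .PKGINFO according to the report above.
SAMPLE_BAD='$ # The group tag is just to easily find this APKBUILD by some scripts for automation # group=kde-applications pkgname=23.04.3-r1 nftables'
# Constructed well-formed value for comparison.
SAMPLE_GOOD='kdeconnect=23.04.3-r1 nftables'

for v in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
	if validate_dep_field install_if "$v"; then
		echo "ok: $v"
	else
		echo "rejected: refusing to write install_if to .PKGINFO"
	fi
done
```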