From: Job Snijders <job@bsd.nl>
Subject: Re: rpki-client: limit the filename length in Manifest listings to something reasonable
To: Theo de Raadt <deraadt@openbsd.org>
Cc: tech@openbsd.org
Date: Wed, 13 May 2026 15:13:43 +0000

On Wed, May 13, 2026 at 09:08:59AM -0600, Theo de Raadt wrote:
> Job Snijders <job@bsd.nl> wrote:
> > On Wed, May 13, 2026 at 09:01:11AM -0600, Theo de Raadt wrote:
> > > I suspect most limited-length pax will skip files, print a warning for
> > > each file, and carry on.  (That is how our code used to behave).
> > 
> > Debian pax just exits with an error.
> > 
> > > Now, you want rpki-client to skip files, print a warning, and carry on.
> > > 
> > > In either case, the files are skipped.
> > > 
> > > I don't understand the difference.
> > 
> > I think it is good to encourage sane RPKI CA behaviour by imposing
> > restrictions in rpki-client.
> > 
> > For the first time since I started recording history for this (1/1/2026)
> > there is a CA (which is only 2 days old) that chooses to use 100+
> > character long filenames for their ROA. This is because they encode
> > the full ROA payload as hexadecimals in the filename. ROA filenames
> > should be fixed-length opaque identifiers. The 'payload as the filename'
> > scheme does not align with documented best current practices and wastes
> > resources.
> > 
> > Best to nip this in the bud and disallow it.
> 
> You could limit filenames inside a directory to 14 characters, to satisfy
> all Unix variants.

We could, but then instead of 1 small CA that would put all 55,000 CAs
in non-compliance. Your suggestion seems unproductive.

> I think you are upset about long paths for other reasons, and have hunted
> for a justification.

I fail to see what your assertion adds to the discussion at hand. Have
you been bribed by the Long Filename cartel? :)