From: Job Snijders Subject: Re: rpki-client: limit the filename length in Manifest listings to something reasonable To: Theo de Raadt Cc: tech@openbsd.org Date: Wed, 13 May 2026 15:05:45 +0000 On Wed, May 13, 2026 at 09:01:11AM -0600, Theo de Raadt wrote: > I suspect most limited-length pax will skip files, print a warning for > each file, and carry on. (That is how our code used to behave). Debian pax just exits with an error. > Now, you want rpki-client to skip files, print a warning, and carry on. > > In either case, the files are skipped. > > I don't understand the difference. I think it is good to encourage sane RPKI CA behaviour by imposing restrictions in rpki-client. For the first time since I started recording history for this (1/1/2026) there is a CA (which is only 2 days old) that chooses to use 100+ character long filenames for their ROA. This is because they encode the full ROA payload as hexadecimals in the filename. ROA filenames should be fixed-length opaque identifiers. The 'payload as the filename' scheme does not align with documented best current practices and wastes resources. Best to nip this in the bud and disallow it. Kind regards, Job