RFE: Add --nomanifests disabler

[n3npq]

RPM attempts to read CLI file arguments as a manifest if a header cannot be read from the file.

Since manifests are parsed free field, rpm behavior can become quite complex, particularly when ../../.. relative paths are parsed.

There's a slew of mostly unimportant issues (IMHO: manifests are a very minor unused feature in RPM) that can/will be discovered by fuzzing.

Hence there needs to be a means to disable manifest reading from the rpm CLI

[pmatilai]

Um, there already is such a disabler since prehistoric times (certainly it was in 4.4.x already) and working just fine (it's even tested in the testsuite), only it's --nomanifest instead of your suggested plural.

[n3npq]

Good.

Meanwhile I suggest you look at the refactored lib/rpminstall.c tryReadManifest(). There is no logic there preventing the call.

[n3npq]

You might also consider supporting manifests to be downloaded and treated like lists of urls to download. shrug

[n3npq]

The real problem is that there are two places where manifests are read: lib/rpminstall.c (extremely old code) should be extended to use rpmgi* argument processing, thereby removing duplicated code and simplifying rpminstall.c.

Don't forget to move the popt entry from poptQV.c if/when you do so.