On Sun, 18 Nov 2018, Guillem Jover wrote:
Source: config-package-dev
Source-Version: 5.5
Severity: important
User: [email protected]
Usertags: dpkg-db-access-blocker
Hi!
This package contain scripts that directly access the dpkg internal
database [S], instead of using the correct public interface
«dpkg --verify» (note that it currently does not return an error exit
code when it finds modified files, that will be fixed in 1.19.3, but
you can always just check the output).
[S] check-files.mk, dh_configpackage
Both check-files.mk and dh_configpackage use dpkg-query --control-path
$package md5sums, and only fall back to /var/lib/dpkg/info when that
option doesn't exit. Is that enough?
(I can drop the fallback if you'd like - we wanted to support backports to
LTSes but that code was written in 2011 so any current supported release
certainly has --control-path. Relatedly, we could probably switch to
--control-show at this point too if you'd like, but see also
https://bugs.debian.org/735021 .)
I suppose we could use dpkg --verify, which would in theory simplify
the code because (if I'm testing it right) it handles conffiles and
non-conffiles just the same, and so we don't need a special case for
dpkg-query -W'${Conffiles}'. But there are two downsides to it:
- It's less efficient, since it verifies all files in the package instead
of just the one we want to check.
- As far as I can tell, it doesn't distinguish "This file has not been
modified" from "I have no md5sums for this file". It's very rare to see a
package with a missing or incomplete md5sums control file these days, but
we do handle that case currently (we print an error if it's incomplete,
and a warning if the package has no md5sums at all) and I'd like to keep
handling it.
Do you think you can extend the --verify interface to support querying an
individual file by name, and print an error if the file could not be
verified?
If you can do a dpkg --verify-file (where dpkg figures out the package
name, and prints an error if the file is unknown or the owning package
doesn't provide md5sums) then I can skip most of the complexity in what
I'm doing and just call that in newer versions of dpkg. :) I could also
use a dpkg --verify "$package" --verify-file "$file", or something.
--
Geoffrey Thomas
https://ldpreload.com
[email protected]