On Sun, 18 Nov 2018, Guillem Jover wrote:

Source: config-package-dev
Source-Version: 5.5
Severity: important
User: [email protected]
Usertags: dpkg-db-access-blocker

Hi!

This package contain scripts that directly access the dpkg internal
database [S], instead of using the correct public interface
«dpkg --verify» (note that it currently does not return an error exit
code when it finds modified files, that will be fixed in 1.19.3, but
you can always just check the output).

 [S] check-files.mk, dh_configpackage

Both check-files.mk and dh_configpackage use dpkg-query --control-path $package md5sums, and only fall back to /var/lib/dpkg/info when that option doesn't exit. Is that enough?

(I can drop the fallback if you'd like - we wanted to support backports to LTSes but that code was written in 2011 so any current supported release certainly has --control-path. Relatedly, we could probably switch to --control-show at this point too if you'd like, but see also https://bugs.debian.org/735021 .)

I suppose we could use dpkg --verify, which would in theory simplify the code because (if I'm testing it right) it handles conffiles and non-conffiles just the same, and so we don't need a special case for dpkg-query -W'${Conffiles}'. But there are two downsides to it:

- It's less efficient, since it verifies all files in the package instead of just the one we want to check.

- As far as I can tell, it doesn't distinguish "This file has not been modified" from "I have no md5sums for this file". It's very rare to see a package with a missing or incomplete md5sums control file these days, but we do handle that case currently (we print an error if it's incomplete, and a warning if the package has no md5sums at all) and I'd like to keep handling it.

Do you think you can extend the --verify interface to support querying an individual file by name, and print an error if the file could not be verified?

If you can do a dpkg --verify-file (where dpkg figures out the package name, and prints an error if the file is unknown or the owning package doesn't provide md5sums) then I can skip most of the complexity in what I'm doing and just call that in newer versions of dpkg. :) I could also use a dpkg --verify "$package" --verify-file "$file", or something.

--
Geoffrey Thomas
https://ldpreload.com
[email protected]

Reply via email to