On Wed, 14 Nov 2018 03:22:18 +0100 Guillem Jover wrote:
> Source: starplot
> Source-Version: 0.95.5-8.3
> Severity: important
> User: debian-d...@lists.debian.org
> Usertags: dpkg-db-access-blocker
>
> Hi!
>
> This package contains a helper script [H], which directly accesses
> the dpkg internal database. Instead of using one of the public
> interfaces provided by dpkg. The code could probably be replaced
> with a file trigger.
>
> [H] debian/starplot.sh
>
> This is a problem for several reasons, because even though the layout and
> format of the dpkg database is administrator friendly, and it is expected
> that those might need to mess with it, in case of emergency, this
> “interface” does not extend to other programs besides the dpkg suite of
> tools. The admindir can also be configured differently at dpkg build or
> run-time. And finally, the contents and its format, will be changing in
> the near future.
>
> In addition the logic used in that script is not reliable, as those
> files will get updated when some other package takes over some of its
> files, or on a reinstall, etc.
>
> Thanks,
> Guillem
>
>
Hi,
It is not clear to me that this script is being used by any package
itself. AFAICT, packages use register-stardata[1] instead of that
script which makes this a likely case of "inert" use instead.
Thanks,
~Niels
[1]
https://sources.debian.org/src/stardata-common/0.8/src/register-stardata.c/
