[Pkg-salt-team] Bug#944970: salt: Modules access internal dpkg databases

Guillem Jover guillem at debian.org
Sun Nov 17 21:52:21 GMT 2019


Source: salt
Source-Version: 2018.3.4+dfsg1-7
Severity: important
User: debian-dpkg at lists.debian.org
Usertags: dpkg-db-access-blocker

Hi!

This package contains modules («salt/modules/dpkg.py» and
«salt/modules/alternatives.py»), which directly access the dpkg
internal database, instead of using one of the public interfaces
provided by dpkg.

In the «salt/modules/dpkg.py» module, the function _get_pkg_install_time()
should be switched to use something like:

  «dpkg-query --showformat '${Package} ${db-fsys:Last-Modified}\n' --show $pkg»

to get the mtime from .list files.

The function _get_pkg_ds_avail() should be switched to use something
like:

  «dpkg-query --print-avail»

to get the available database dump.

In the «salt/modules/alternatives.py», the show_link() function should
be switched to something like:

  «update-alternatives --query $name»


This is a problem for several reasons, because even though the layout and
format of the dpkg database is administrator friendly, and it is expected
that those might need to mess with it, in case of emergency, this
“interface” does not extend to other programs besides the dpkg suite of
tools. The admindir can also be configured differently at dpkg build or
run-time. And finally, the contents and its format will be changing in
the near future.

Thanks,
Guillem
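
An added example, not part of the original report and not salt's code: one way the lookups named above could go through dpkg-query and update-alternatives rather than files under the admindir. The helper names, the runner parameter, the package-name check and the sample outputs are assumptions made for illustration.

```python
import re
import subprocess
from datetime import datetime, timezone

SHOWFORMAT = "${Package} ${db-fsys:Last-Modified}\n"  # format string from the report
PKG_RE = re.compile(r"[a-z0-9][a-z0-9+.-]+(:[a-z0-9-]+)?")  # Debian name[:arch]
# Constructed sample outputs, not captured from a real system.
SAMPLE_SHOW = "bash 1573854741\n"
SAMPLE_QUERY = ("Name: editor\nLink: /usr/bin/editor\nStatus: auto\n\n"
                "Alternative: /bin/ed\nPriority: -100\n")

def parse_last_modified(output):
    """Map package name -> UTC datetime from dpkg-query --showformat output."""
    times = {}
    for line in output.splitlines():
        name, _, stamp = line.strip().partition(" ")
        if name and stamp.isdigit():  # skip lines where the field came back empty
            times[name] = datetime.fromtimestamp(int(stamp), tz=timezone.utc)
    return times

def parse_alternative_link(output):
    """Return Link: from the first stanza of update-alternatives --query."""
    for line in output.splitlines():
        if not line.strip():
            break  # later stanzas describe the individual alternatives
        key, sep, value = line.partition(":")
        if sep and key == "Link":
            return value.strip()
    return None

def run(argv):
    """Hypothetical helper: run a dpkg tool with no shell and a fixed locale."""
    env = {"LC_ALL": "C", "PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}
    return subprocess.run(argv, capture_output=True, text=True,
                          check=True, env=env).stdout

def pkg_install_time(pkg, runner=run):
    if not PKG_RE.fullmatch(pkg):  # also rejects names that look like options
        raise ValueError("invalid package name: %r" % pkg)
    out = runner(["dpkg-query", "--showformat", SHOWFORMAT, "--show", pkg])
    return parse_last_modified(out).get(pkg.partition(":")[0])

def alternative_link(name, runner=run):
    return parse_alternative_link(runner(["update-alternatives", "--query", name]))
```

Because the tools are located through PATH and resolve the admindir themselves, nothing in this code depends on where the dpkg database lives or how its files are laid out.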


