Bug#944951: cabal-debian: Code accesses internal dpkg database

Guillem Jover guillem at debian.org
Sun Nov 17 19:18:00 GMT 2019


Source: cabal-debian
Source-Version: 5.0-1
Severity: important
User: debian-dpkg at lists.debian.org
Usertags: dpkg-db-access-blocker

Hi!

This package contains a module («src/Debian/Debianize/Prelude.hs»),
which directly accesses the dpkg internal database, instead of using
one of the public interfaces provided by dpkg.

The code in dpkgFileMap should be switched to use:

  «dpkg-query --listfiles»

to fetch the package files list. To avoid a performance hit, the code
should batch multiple packages on each call, taking into account
command-line length limits. Each package will get a paragraph separated
by a blank line (even if it is not installed).

The code in buildDebVersionMap should be switched to use something
like:

  «dpkg-query --showformat '${Package} ${Version}\n' --show»


This is a problem for several reasons, because even though the layout and
format of the dpkg database is administrator friendly, and it is expected
that those might need to mess with it, in case of emergency, this
“interface” does not extend to other programs besides the dpkg suite of
tools. The admindir can also be configured differently at dpkg build or
run-time. And finally, the contents and its format will be changing in
the near future.

Thanks,
Guillem
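
An added example, not part of the original report or of cabal-debian's code: one way to batch the «dpkg-query --listfiles» calls described above and split the output back into per-package file lists, written in Python rather than the package's Haskell. The byte budget, the function names and the sample output are assumptions, as is reading "even if it is not installed" to mean that an uninstalled package yields an empty paragraph.

```python
import subprocess

# Assumed conservative byte budget for the package arguments of one call;
# the real limit is system-specific (see `getconf ARG_MAX`).
ARG_BUDGET = 64 * 1024
# Constructed sample output for: hello (installed), absent (not), zlib1g.
SAMPLE = "/.\n/usr/bin/hello\n\n\n/.\n/usr/lib/libz.so.1\n"

def batch_packages(names, budget=ARG_BUDGET):
    """Group package names so each group's argv bytes stay within budget."""
    batches, current, used = [], [], 0
    for name in names:
        if name.startswith("-"):
            raise ValueError(f"refusing option-like package name: {name!r}")
        cost = len(name.encode()) + 1  # bytes plus the terminating NUL
        if current and used + cost > budget:
            batches.append(current)
            current, used = [], 0
        current.append(name)
        used += cost
    if current:
        batches.append(current)
    return batches

def parse_listfiles(batch, output):
    """Pair each requested package with its paragraph of the output."""
    paragraphs = [[]]
    for line in output.splitlines():
        if line == "":
            paragraphs.append([])  # blank line: the next package starts
        else:
            paragraphs[-1].append(line)
    if len(paragraphs) != len(batch):
        raise ValueError("paragraph count does not match package count")
    # Keep absolute paths only, dropping any non-path message lines.
    return {pkg: [l for l in para if l.startswith("/")]
            for pkg, para in zip(batch, paragraphs)}

def dpkg_file_map(names):
    """Query dpkg-query in batches; exit status 1 means some were not found."""
    result = {}
    for batch in batch_packages(names):
        proc = subprocess.run(["dpkg-query", "--listfiles", *batch],
                              capture_output=True, text=True)
        if proc.returncode not in (0, 1):
            raise RuntimeError(proc.stderr.strip())
        result.update(parse_listfiles(batch, proc.stdout))
    return result
```

Splitting on every blank line, rather than on runs of blank lines, is what keeps an uninstalled package in the middle of a batch from shifting the file lists of the packages after it.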


