Bug#944951: cabal-debian: Code accesses internal dpkg database
Guillem Jover
guillem at debian.org
Sun Nov 17 19:18:00 GMT 2019
Source: cabal-debian
Source-Version: 5.0-1
Severity: important
User: debian-dpkg at lists.debian.org
Usertags: dpkg-db-access-blocker
Hi!
This package contains a module («src/Debian/Debianize/Prelude.hs»),
which directly accesses the dpkg internal database, instead of using
one of the public interfaces provided by dpkg.
The code in dpkgFileMap should be switched to use:
«dpkg-query --listfiles»
to fetch the package files list. To avoid a performance hit, the code
should batch multiple packages on each call, taking into account
command-line length limits. Each package will get a paragraph separated
by a blank line (even if it is not installed).
The code in buildDebVersionMap should be switched to use something
like:
«dpkg-query --showformat '${Package} ${Version}\n' --show»
This is a problem for several reasons, because even though the layout and
format of the dpkg database is administrator friendly, and it is expected
that those might need to mess with it, in case of emergency, this
“interface” does not extend to other programs besides the dpkg suite of
tools. The admindir can also be configured differently at dpkg build or
run-time. And finally, the contents and its format will be changing in
the near future.
Thanks,
Guillem
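The batching that the report asks for, sketched as an added example (not code from cabal-debian or dpkg, and written in Python rather than the package's Haskell). It assumes, as the report states, that «dpkg-query --listfiles» prints one paragraph per requested package, in argument order, separated by a blank line even when a package is not installed; the byte budget, the function names and the sample output are constructed for illustration.

```python
import os
import subprocess

ARG_BUDGET = 64 * 1024  # assumed conservative byte budget per call, below typical ARG_MAX

# Constructed sample output for the arguments foo, bar, baz (bar is not installed).
SAMPLE = "/.\n/usr\n/usr/bin/foo\n\n\n/.\n/etc/baz.conf\ndiverted by other to: /etc/baz.conf.orig\n"


def batches(pkgs, budget=ARG_BUDGET):
    """Split package names into groups whose arguments fit the byte budget."""
    group, used = [], 0
    for pkg in pkgs:
        cost = len(pkg.encode()) + 1  # argument bytes plus the terminating NUL
        if group and used + cost > budget:
            yield group
            group, used = [], 0
        group.append(pkg)
        used += cost
    if group:
        yield group


def parse_listfiles(pkgs, output):
    """Map each requested package to its paths, one paragraph per argument."""
    files = {pkg: [] for pkg in pkgs}
    index = 0
    for line in output.splitlines():
        if line == "":
            index += 1  # blank separator: advance to the next requested package
        elif line.startswith("/") and index < len(pkgs):
            files[pkgs[index]].append(line)  # non-path lines (diversions, notices) are skipped
    return files


def list_files(pkgs):
    """Fetch file lists through the public interface, batching the packages."""
    result = {}
    env = dict(os.environ, LC_ALL="C")  # fixed locale so notices are not translated
    for group in batches(pkgs):
        proc = subprocess.run(["dpkg-query", "--listfiles", *group], env=env,
                              capture_output=True, text=True, errors="surrogateescape")
        if proc.returncode > 1:  # 1 only means some package was not found
            raise RuntimeError(proc.stderr)
        result.update(parse_listfiles(group, proc.stdout))
    return result
```

Splitting the output on a double newline would mis-assign files once a package in the middle of a batch is not installed, because its empty paragraph leaves two consecutive blank lines; counting blank lines keeps paragraphs aligned with the arguments.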