Bug#944965: debsums: Script accesses internal dpkg database

Guillem Jover guillem at debian.org
Sun Nov 17 21:00:34 GMT 2019


Source: debsums
Source-Version: 2.2.4
Severity: important
User: debian-dpkg at lists.debian.org
Usertags: dpkg-db-access-blocker

Hi!

This package contains the «debsums» program, which directly accesses
the dpkg internal database, instead of using one of the public
interfaces provided by dpkg.

The debsums program should be switched to use something like:

  «dpkg-query --control-show $pkg md5sums»

to get the md5sums file contents. If the file is missing an error will
be returned. While this is not ideal, because this interface does not
allow batching, at least it will stop accessing the internal database.
I will be adding in the near future a new virtual field to dpkg-query
to be able to fetch all md5sums for all packages with something like:

  «dpkg-query \
    --showformat 'Package: ${Package}\nMd5sums: ${db-fsys:Md5sums}\n' \
    --show»

The other question though, is whether it still makes sense to ship
debsums, with «dpkg --audit» checking for missing md5sums files,
«dpkg --verify» checking for hash mismatches, and «dpkg --unpack»
generating these when the package to be installed does not provide one?


This is a problem for several reasons, because even though the layout and
format of the dpkg database is administrator friendly, and it is expected
that those might need to mess with it, in case of emergency, this
“interface” does not extend to other programs besides the dpkg suite of
tools. The admindir can also be configured differently at dpkg build or
run-time. And finally, the contents and its format will be changing in
the near future.

Thanks,
Guillem
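
The switch suggested in the report, as an added example (not code from the report, from debsums or from dpkg): shell functions that fetch a package's md5sums through `dpkg-query --control-show` rather than reading files under the admindir, then check the installed files against it. The function names, the status words and the assumed line format `<md5>  <path relative to the root directory>` are this example's own.

```shell
#!/bin/sh
# Added example. Assumption: each md5sums line is "<md5>  <path>", with the
# path relative to the root directory.

# verify_md5sums ROOT
# Read md5sums-format lines on stdin and print one status line per file.
# Returns 1 if any listed file is missing or has a different hash.
verify_md5sums() {
    root=${1:-/}
    rc=0
    while read -r want path; do
        [ -n "$path" ] || continue          # skip blank or malformed lines
        file="${root%/}/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        have=$(md5sum < "$file")
        have=${have%% *}                    # keep only the hex digest
        if [ "$have" = "$want" ]; then
            echo "OK $path"
        else
            echo "FAILED $path"
            rc=1
        fi
    done
    return "$rc"
}

# check_pkg PKG
# Ask dpkg-query for the md5sums control file instead of opening
# <admindir>/info/PKG.md5sums, so the database location and on-disk
# format stay dpkg's business. Returns 2 when dpkg-query reports an
# error (for instance, the package ships no md5sums file).
check_pkg() {
    sums=$(dpkg-query --control-show "$1" md5sums 2>/dev/null) || {
        echo "NO-MD5SUMS $1"
        return 2
    }
    printf '%s\n' "$sums" | verify_md5sums /
}
```

On a Debian system, `check_pkg coreutils` prints one status line per shipped file and exits non-zero on any mismatch.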


