[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Package verification and "/usr/bin/install" tool replacements

On Sat, Oct 04, 2003 at 04:39:49AM +1000, Kim Lester wrote:

> Some of the ideas I have implemented include a "pkg info" file in each 
> package
> containing the
> 	pathname
> 	uid, gid (numeric)
> 	md5sum,
> 	size (useful to humans)
> 	mode
> 	symlink target (for symlinks)
> a pkgverify command can be run on an installed package and the contents 
> of this
> pkginfo file are used to ensure the pkg is installed correctly. The 
> tool can also optionally
> correct missing/broken dirs, symlinks  as well as uid, ,gid, mode info.

The problem that you will encounter is that a package can be correctly
installed, but without having the permissions on the filesystem match what
is in the .deb.  This is normal and to be expected.

One problem you will encounter is that of directory permissions/ownership.
Since multiple packages can contain the same directory with different
permissions, there is no authoritative source of "correct" information.

Another is that it is permitted (and indeed quite common) for packages to
change permissions and ownership in the postinst script.  In fact, this is
currently the _only_ way to change user/group ownership for a
dynamically-created user.  Adam Heath was talking about implementing a
better way to do this at the source package level, but as far as I know it
does not exist yet.

These issues would produce many false positives for any such system based on
Debian packages, and any attempts to auto-fix would very likely break
perfectly valid installations.

 - mdz

Reply to: