Re: Status of deb(5) format support in Debian
On Sat, 2013-08-03 at 23:25:30 +0100, Colin Watson wrote:
> On Fri, Aug 02, 2013 at 04:09:20AM +0200, Guillem Jover wrote:
> > The other side of the support I've been pondering about is extending
> > dpkg-deb so that .deb files can be modified in conformant ways, stuff
> > like inserting _-style members, or appending extra ones at the end,
> > which would cover the needs of several other tools.
> For the Ubuntu archive, it bothers me that it currently has code that
> pokes about with ar to verify that the .deb has a sane format. I don't
> see a way to do this efficiently with dpkg-deb, though; "dpkg-deb -I"
> stops at the control member and doesn't even care if the data member is
> entirely missing, while "dpkg-deb --fsys-tarfile" and similar will
> process the entire data member, which will be inefficient on large
> If I haven't just missed something, would it be possible to have a
> "dpkg-deb --verify" option that just checks for conformance with deb(5)?
> That would be simpler for this application than having to write new
> bindings against a (new?) libdpkg interface.
Ah, I like that, I've noted it down to come back to it when I rework
the dpkg-deb code. I could also just modify -I to check for the data
member, but the output is not easily parseable and a --verify option
seems better in all other ways.
But, a full --verify would need to process the data.tar also to check
if it's comformant, so you'd get bad performance on that too. But it
could just have different modes, like just for the 'container' or 'full'
or something along those lines.
> That said, the manual verification does give us the ability to have the
> archive enforce things like "amazing new compression support is only
> available as of $release", which is perhaps useful. So maybe the
> dpkg-deb option shouldn't be just an assertion, but should instead print
> out a machine-readable list of properties of the .deb; then we could
> check which properties are permitted. What do you think?
I like that too, it could either be part of --verify --verbose, or a
new option, the output could be deb822-style. Also noted.
But feel free to file a bug report if you want.