
Bug#905469: marked as done (lintian: warn against direct access to the dpkg database)



Your message dated Thu, 09 Aug 2018 14:40:32 +0000
with message-id <E1fnm76-0000Pp-Gz@fasolo.debian.org>
and subject line Bug#905469: fixed in lintian 2.5.96
has caused the Debian Bug report #905469,
regarding lintian: warn against direct access to the dpkg database
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
905469: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905469
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: lintian
Version: 2.5.94
Severity: wishlist

Hi!

The entire dpkg database, its layout and files are an internal interface
to dpkg, no program or package (in theory) should be accessing it other
than dpkg itself and any of the dpkg suite tools. While by design the
database is all editable by the admin, that's a supported property
intended and reserved for sentient beings, not for automatic tools,
even though it's not a practice that should be recommended.

AFAIR this was communicated in the past (but cannot find references
now) as part of the multiarch database layout change, and there's even
already a test to detect direct accesses to dpkg's status files.

This is one blocker that is getting in the way of deploying mtree
support as the dpkg database store, because .list, .md5sums and
.conffiles are intended to disappear from under /var/lib/dpkg/info/,
and that will break all these packages and programs.

I think currently the only exceptions that might be allowed are:

  * Any package modifying (harmful) prerm scripts in the database,
    because we do not currently have any way to mark this yet.
    <https://wiki.debian.org/Teams/Dpkg/FAQ#Q:_Can_dpkg_be_told_to_avoid_invoking_a_harmful_prerm_from_an_installed_package_on_upgrade.3F>
  * And any frontend that might currently be accessing
    /var/lib/dpkg/info, because libdpkg-dev was neither a PIC library
    until PIE was globally enabled in dpkg, nor did it contain the db
    handling code, which was restricted to the dpkg binary itself.
    I think apt/cupt and similar would be grandfathered for now, until
    both libdpkg-dev contains such support (should come in dpkg 1.19.1)
    and these have switched over.

Anything else should be:

  * Using «dpkg --status» for package status.
  * Using «dpkg --status» for Conffiles field.
  * Using «dpkg-query --listfiles» for file lists.
  * Using «dpkg-query --control-(list|show)» to get control file
    information.
  * etc, happy to provide more alternatives to current uses.

Thanks,
Guillem

--- End Message ---
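
An added example, not part of the original report and not lintian's actual check: a small scanner that flags maintainer-script lines reading the dpkg database directly and prints the supported replacement listed in the report above. The path patterns, the hypothetical package name "foo" and the sample postinst are constructed for illustration.

```shell
#!/bin/sh
# Added example, not lintian's rule: the path patterns below are assumptions.

# Map one script line to the supported interface named in the bug report.
suggest_for() {
    case "$1" in
        */var/lib/dpkg/info/*.list*)      echo "dpkg-query --listfiles PKG" ;;
        */var/lib/dpkg/info/*.conffiles*) echo "dpkg --status PKG (Conffiles field)" ;;
        */var/lib/dpkg/info/*)            echo "dpkg-query --control-show PKG FILE" ;;
        */var/lib/dpkg/status*)           echo "dpkg --status PKG" ;;
    esac
}

# Print "LINE: replacement" for every non-comment line of script $1 that
# reads the dpkg database directly.
scan_maintscript() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        trimmed=${line#"${line%%[![:space:]]*}"}   # drop leading whitespace
        case "$trimmed" in \#*) continue ;; esac    # skip comments and shebang
        hint=$(suggest_for "$line")
        if [ -n "$hint" ]; then
            printf '%s: %s\n' "$n" "$hint"
        fi
    done < "$1"
}

# Constructed sample postinst (hypothetical package "foo").
sample_postinst() {
    cat <<'EOF'
#!/bin/sh
set -e
# old check: grep /var/lib/dpkg/status
if grep -q '^/usr/bin/foo$' /var/lib/dpkg/info/foo.list; then
    echo found
fi
md5sum -c /var/lib/dpkg/info/foo.md5sums
grep -A3 '^Package: foo$' /var/lib/dpkg/status
dpkg-query --listfiles foo >/dev/null
EOF
}

tmp=$(mktemp)
sample_postinst > "$tmp"
scan_maintscript "$tmp"
rm -f "$tmp"
```

Lines 4, 7 and 8 of the sample are reported; the commented-out reference on line 3 and the `dpkg-query` call on line 9 are not.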
--- Begin Message ---
Source: lintian
Source-Version: 2.5.96

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 905469@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 09 Aug 2018 13:44:29 +0000
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.5.96
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 lintian    - Debian package checker
Closes: 513544 646192 903470 904852 905469
Changes:
 lintian (2.5.96) unstable; urgency=medium
 .
   * Summary of tag changes:
     + Added:
       - incomplete-creative-commons-license
       - maintainer-script-should-not-use-dpkg-database-directly
       - package-contains-upstream-installation-documentation
     + Removed:
       - no-upstream-changelog
       - package-contains-upstream-install-documentation
 .
   * checks/changelog-file.{desc,pm}:
     + [CL] Drop no-upstream-changelog; it is rarely actionable and simply
       introduces unnecessary noise and/or requiring an override. It had
       additionally been disabled in the Ubuntu profile since 2011.
       (Closes: #513544, #646192)
   * checks/cruft.desc:
     + [CL] Tidy the description of the license-problem-cc-by-nc-sa and
       license-problem-non-free-img-lenna tags.
   * checks/files.{desc,pm}:
     + [BR] Improve package-contains-documentation-outside-usr-share-doc
       by checking if README includes 'this directory' (Closes: #904852)
     + [CL] Rename package-contains-upstream-install-documentation tag to
       package-contains-upstream-installation-documentation.
   * checks/source-copyright.{desc,pm}:
     + [CL] Check for Creative Commons license texts that use the incomplete
       "human-readable" summary.  (Closes: #903470)
 .
   * data/scripts/maintainer-script-bad-command:
     + [CL] Warn about packages that directly query the dpkg database in
       their maintainer scripts.  Thanks, Guillem Jover!  (Closes: #905469)
   * data/spelling/corrections:
     + [PW] Add a number of corrections.


--- End Message ---
