Bug#944983: live-build: Scripts access internal dpkg database

To: submit@bugs.debian.org
Subject: Bug#944983: live-build: Scripts access internal dpkg database
From: Guillem Jover <guillem@debian.org>
Date: Sun, 17 Nov 2019 23:45:17 +0100
Message-id: <[🔎] 20191117224517.GN30024@gaara.hadrons.org>
Reply-to: Guillem Jover <guillem@debian.org>, 944983@bugs.debian.org

Source: live-build
Source-Version: 1:20190315
Severity: important
User: debian-dpkg@lists.debian.org
Usertags: dpkg-db-access-blocker

Hi!

This package contains several scripts, which directly access the dpkg
internal database, instead of using one of the public interfaces
provided by dpkg.

The script «scripts/build/chroot_live-packages» checks for the presence
of the .list file to assert whether a package is installed. It should
be switched to use something else. For example the package status from
«dpkg-query».

The other scripts, even though do mess with the internal database, seem
to be installer code, and as long as it is executed before any dpkg in
that chroot, then it might assume historical database layouts, although
I'd rather we found a way to avoid those usages too (but let's ignore
these for now).


This is a problem for several reasons, because even though the layout and
format of the dpkg database is administrator friendly, and it is expected
that those might need to mess with it, in case of emergency, this
“interface” does not extend to other programs besides the dpkg suite of
tools. The admindir can also be configured differently at dpkg build or
run-time. And finally, the contents and its format, will be changing in
the near future.

Thanks,
Guillem

Reply to:

Prev by Date: Bug#944980: live-config: Components access internal dpkg database
Next by Date: persistence
Previous by thread: Bug#944980: live-config: Components access internal dpkg database
Next by thread: persistence
Index(es):
- Date
- Thread