
Bug#944967: multistrap: Script accesses internal dpkg database



Source: multistrap
Source-Version: 2.2.10
Severity: important
User: debian-dpkg@lists.debian.org
Usertags: dpkg-db-access-ctrl

Hi!

This package contains the «multistrap» program, which directly accesses
the dpkg internal database, instead of using one of the public
interfaces provided by dpkg.

The check_bin_sh() function should be switched to use something like:

  «dpkg-query --control-path dash postinst»

to get at the pathname within the database, even though what it tries
to do next is not very kosher. :) But perhaps this code can be removed
now though?

The native() function, I'm not sure what's the intention there TBH,
but it could be replaced with a loop over all installed packages and
then --control-path.


This is a problem for several reasons, because even though the layout and
format of the dpkg database is administrator friendly, and it is expected
that those might need to mess with it, in case of emergency, this
“interface” does not extend to other programs besides the dpkg suite of
tools. The admindir can also be configured differently at dpkg build or
run-time. And finally, the contents and their format might change in
the future.

Thanks,
Guillem
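
Added example, not part of the original report and not multistrap or dpkg code: the two replacements suggested in the message (a single --control-path lookup, and a loop over all installed packages), written as shell functions around dpkg-query. The function names and the DPKG_QUERY override variable are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not multistrap code). DPKG_QUERY is a hypothetical
# override introduced here so the command can be substituted in tests.
DPKG_QUERY=${DPKG_QUERY:-dpkg-query}

# control_path PKG FILE
# Print the pathname of control file FILE (e.g. postinst) for PKG, or
# nothing if PKG is unknown or ships no such file. dpkg-query locates
# the database itself, so a relocated admindir is handled for us.
control_path() {
    "$DPKG_QUERY" --control-path "$1" "$2" 2>/dev/null || true
}

# installed_packages
# Print every package whose status is "installed", one per line.
# Status-Abbrev is e.g. "ii " or "rc "; the second letter is the status.
installed_packages() {
    "$DPKG_QUERY" -W -f='${db:Status-Abbrev}\t${binary:Package}\n' |
        awk -F'\t' '$1 ~ /^.i/ { print $2 }'
}

# all_control_paths FILE
# Loop over installed packages; print "package<TAB>path" for each one
# that ships control file FILE.
all_control_paths() {
    installed_packages | while IFS= read -r pkg; do
        path=$(control_path "$pkg" "$1")
        if [ -n "$path" ]; then
            printf '%s\t%s\n' "$pkg" "$path"
        fi
    done
}

# Demo: only runs where dpkg-query is actually available.
if command -v "$DPKG_QUERY" >/dev/null 2>&1; then
    control_path dash postinst
fi
```

Because every lookup goes through dpkg-query, the caller never hard-codes the database location or its file naming.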

