[Pkg-aide-maintainers] Bug#879272: Bug#815188: aide: 30_aide_apt uses apt internals

Julian Andres Klode jak at debian.org
Sat Oct 21 12:19:25 UTC 2017


On Sat, Oct 21, 2017 at 01:35:54PM +0200, Marc Haber wrote:
> tags #879272 wontfix
> 
> On Sat, Oct 21, 2017 at 01:16:25PM +0200, Julian Andres Klode wrote:
> > Whatever that's doing it seems broken. It does not support compressed indexes,
> > nor will it work if we suddenly change some filenames, for example if we
> > moved to a hash-based layout. I announced to do the former this month, see
> > <20170909144829.ulxdkz6w2awnja7e at jak-x230> for details.
> 
> I understand that this is a knee-jerk response of the apt maintainers.
> 
> The aide rule for apt NEEDS to "use" apt internals so that aide can
> avoid creating false alarms for files that apt changes. To report
> unexpected changes in files, it needs to know which files are expected
> to change.

I don't see why you can't just query apt for locations and which files
there are. We have tools for that.

apt-get indextargets can tell you all compressed (or uncompressed) index file
names (but not pdiffs or Release files, so you can add them). So, just
add all of apt-get indextargets --format '$(FILENAME)' to the list of
variable files? (this gives you Packages, Sources, and Contents,
Translations, and other index files with correct compressors). You could
also strip compressors from that name (see the KEEPCOMPRESSEDAS field),
and then append .IndexDiff to handle pdiffs. This also solves the apt-file
problem.

Per-component release files as in
        echo "$LISTSDIR/${HOST}${HOSTPATH}_dists_${dist}_${c}_source_(Sources|Release)$ VarFile"
are not fetched, so drop that?

Preferably also don't hardcode /var/lib/apt/lists and friends, but use

 eval $(apt-config shell VARDIR Dir::State/d)
 eval $(apt-config shell LISTSDIR Dir::State::Lists/d)
 eval $(apt-config shell VARDIR Dir::Cache/d)
 eval $(apt-config shell CACHEDIR Dir::Cache::Archives/d)
 eval $(apt-config shell LOGDIR Dir::Log/d)

So you actually check the directories apt uses if they have been
reconfigured.

You also do some parsing or something of sources.list files, does that
work with deb822-style sources files?


> The aide maintainers are aware that aide will always be "behind" the
> packages, but since maintainers don't bother to tell aide beforehand
> when they change their package layout, this is something that cannot be
> avoided. We are trying to stay current especially for a package as
> important as apt, but of course that does not always work.
> 
> The only way to stop aide from "using" apt internals this way would be
> to have apt ship an /etc/aide/aide.conf.d/31_apt_apt file containing
> current rules reflecting the files that apt regularly changes on
> updates.
> 
> Please indicate whether you want to do that in future, and we will
> happily remove our own apt rule from aide. Until this has been sorted
> out, we need to continue shipping a rule "using" apt internals with
> aide, hence the "wontfix" tag.

Nah, that stuff is too nasty.

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.
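
The suggestion in the message above (take the file names printed by `apt-get indextargets --format '$(FILENAME)'`, strip the compressor suffix, and add a `.IndexDiff` rule for pdiffs) can be sketched as follows. This is an added example, not part of the original message and not code from aide or apt. The function names, the compressor suffix list and the sample file names are assumptions made for the illustration, and Release files are not covered.

```shell
#!/bin/sh
# Added example: derive aide "VarFile" rules from index file names instead of
# rebuilding them from sources.list. Helper names are hypothetical.

# Compressor suffixes handled here (an assumed list for this example).
COMPRESSORS='xz|gz|bz2|lzma|lz4|zst'

# Escape regex metacharacters so a path is matched literally by aide.
re_escape() {
    printf '%s\n' "$1" | sed 's/[][\.*^$+?(){}|]/\\&/g'
}

# stdin:  one index file name per line
# stdout: sorted, de-duplicated aide rules
index_rules() {
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        # Strip a trailing compressor suffix so one rule covers every
        # compressed or uncompressed form of the same index.
        base=$(printf '%s\n' "$f" | sed -E "s/\.($COMPRESSORS)\$//")
        esc=$(re_escape "$base")
        printf '%s(\\.(%s))?$ VarFile\n' "$esc" "$COMPRESSORS"
        # pdiff index for the same target
        printf '%s\\.IndexDiff$ VarFile\n' "$esc"
    done | LC_ALL=C sort -u
}

# Constructed sample input, so the example runs without apt installed.
sample_filenames() {
    cat <<'EOF'
/var/lib/apt/lists/deb.debian.org_debian_dists_sid_main_binary-amd64_Packages.xz
/var/lib/apt/lists/deb.debian.org_debian_dists_sid_main_binary-amd64_Packages
/var/lib/apt/lists/deb.debian.org_debian_dists_sid_main_i18n_Translation-en
EOF
}

# On a real system the input would come from apt itself:
#   apt-get indextargets --format '$(FILENAME)' | index_rules
sample_filenames | index_rules
```

Because the input comes from apt's own listing, the rules follow whatever directory and compressor apt is configured to use instead of a hardcoded layout.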


