Bug#944965: debsums: Script accesses internal dpkg database

Axel Beckert abe at debian.org
Fri May 22 00:06:51 BST 2020


Control: tag -1 moreinfo

Dear Guillem,

Guillem Jover wrote:
> This package contains the «debsums» program, which directly accesses
> the dpkg internal database, instead of using one of the public
> interfaces provided by dpkg.

JFTR: This is not true. I didn't find a single place in the debsums
script where $admindir is accessed directly. Instead it is always
passed to a dpkg, dpkg-query or dpkg-divert call as you asked for.

The only script which accesses *.md5sums files and only to see if they
exist, is debsums_init which is meant to be removed anyway, once
https://lintian.debian.org/tags/no-md5sums-control-file.html is down
to zero as it actually generates that file. But since there are
currently over 60 packages on that list, this won't be anytime soon.

> The admindir can also be configured differently at dpkg build or
> run-time.

Well, that's exactly what we do: We configure dpkg's admindir at
run-time!

We only use $admindir and provide it to dpkg as parameter because
debsums also supports checking chroots. And since chroots might be of
a different architecture (or for forensic purposes), we don't want to
use the dpkg binary inside the chroot, i.e. we need to provide at
least the location to dpkg. And for that, we need to know it.

Leaves the build-time configuration of the admindir: How can I query
dpkg for the build-time location of its admindir?

And how can I determine the admindir of a chroot with a call to an
external dpkg binary outside the chroot, which, as I understand you,
can have a different admindir?

> The debsums program should be switched to use something like:
> 
>   «dpkg-query --control-show $pkg md5sums»
>
> to get the md5sums file contents. If the file is missing an error
> will be returned.

I just tried "dpkg-query --control-show sendfile md5sums" in a minimal
pbuilder chroot where I just installed sendfile to see what that error
looks like.

To my surprise, although sendfile_2.1b.20080616-6_amd64.deb does not
contain a file with md5sums, "dpkg-query --control-show sendfile
md5sums" works and /var/lib/dpkg/info/sendfile.md5sums exists.

So it seems as if dpkg now automatically generates md5sums files if
not present. Just checked dpkg's changelog and this feature seems to
exist since 2012.

Which means that debsums_init has actually been obsolete since 2012.

So I will happily remove debsums_init with the next upload. :-)

> If the file is missing an error will be returned.

So how can this file be missing if dpkg generates them?

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe at debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
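
An added example, not part of the message above and not debsums' own code: one way to check a chroot's files from outside it using only the host's `dpkg-query --admindir=... --control-show`, the public interface the thread discusses. The function names and the choice of `var/lib/dpkg` as the chroot's admindir are assumptions of this example.

```shell
#!/bin/sh
# Added example: check installed files against md5sums obtained through
# dpkg-query's public interface, never by reading info/*.md5sums directly.

# verify_md5sums ROOT
# Reads "md5sum  relative/path" lines on stdin and checks each file below
# ROOT. Prints one line per problem; returns 0 only if every file matches.
verify_md5sums() {
    root=$1
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        file="$root/$path"
        if [ -L "$file" ]; then
            # An md5sums entry describes file content; a symlink here is
            # reported, not followed, since it could point outside ROOT.
            echo "SYMLINK  $path"; bad=$((bad + 1)); continue
        fi
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; bad=$((bad + 1)); continue
        fi
        got=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "FAILED   $path"; bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# check_pkg_in_chroot ROOT PKG
# Uses the host's dpkg-query against the chroot's database.
# Assumption: the chroot keeps its admindir at the default var/lib/dpkg.
check_pkg_in_chroot() {
    root=$1
    pkg=$2
    # Capture first so that a dpkg-query error (unknown package, missing
    # control file) is reported instead of passing as "nothing to check".
    sums=$(dpkg-query --admindir="$root/var/lib/dpkg" \
        --control-show "$pkg" md5sums) || return 2
    printf '%s\n' "$sums" | verify_md5sums "$root"
}

# Usage: sh check.sh CHROOT PACKAGE
if [ "$#" -eq 2 ]; then
    check_pkg_in_chroot "$1" "$2"
fi
```

Diverted files and a non-default admindir inside the chroot are not handled here; the latter is exactly the open question raised in the message.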


