Source: rkhunter
Source-Version: 1.4.6-3
Severity: important
User: debian-d...@lists.debian.org
Usertags: dpkg-db-access-blocker

Hi!

This package contains a script that directly accesses the dpkg internal database [S], instead of using the correct public interface «dpkg --verify» (note that it currently does not return an error exit code when it finds modified files; that will be fixed in 1.19.3, but you can always just check the output).

If the code also needs to check whether the package is installed, it could use something like «dpkg-query --showformat='${db:Status-Status}' --show PKGNAME» (or use a format of '${binary:Package} ${db:Status-Status}\n' and then pass no package name to get all packages).

[S] files/rkhunter

This is a problem for several reasons, because even though the layout and format of the dpkg database is administrator friendly, and it is expected that those might need to mess with it in case of emergency, this “interface” does not extend to other programs besides the dpkg suite of tools. The admindir can also be configured differently at dpkg build or run-time. And finally, the contents and its format will be changing in the near future.

Thanks,
Guillem
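A check built on the public interfaces the report recommends, as an added shell example (not rkhunter's script or the reporter's code): it takes its verdict from the `dpkg --verify` output because of the exit-code caveat above, and uses the `db:Status-Status` field of `dpkg-query` for the installed check. The function names and the sample verify lines are my own constructions.

```shell
#!/bin/sh
# Added example, not from the bug report or rkhunter: check a package through
# dpkg's public interfaces instead of reading the dpkg database directly.
# Function names are my own choices. Since `dpkg --verify` before 1.19.3 exits
# 0 even when files differ, the verdict is taken from its output, as the
# report suggests.

# Count failing entries in rpm-style `dpkg --verify` output read from stdin.
# A line fails when its 9-character status field holds anything other than
# '?' (not checked) or '.' (passed); a line starting with "missing" (rpm-style
# wording, assumed here) also counts. Prints the count; exit status 1 if > 0.
verify_output_failures() {
    awk '
        /^missing/ { n++; next }
        { if (substr($0, 1, 9) ~ /[^?.]/) n++ }
        END { print n + 0; exit (n > 0) }
    '
}

# Is the package installed? Uses the db:Status-Status field the report
# recommends; exit status 0 only when the state is exactly "installed".
package_installed() {
    status=$(dpkg-query --showformat='${db:Status-Status}' --show "$1" 2>/dev/null) || return 1
    [ "$status" = "installed" ]
}

# Verify one installed package. Exit status: 0 clean, 1 files modified or
# missing, 2 package not installed.
verify_package() {
    package_installed "$1" || return 2
    dpkg --verify "$1" 2>/dev/null | verify_output_failures >/dev/null
}

# Constructed sample of rpm-style verify output (one modified conffile, one
# unchanged file) so the parser can be exercised on a host without dpkg.
sample='??5?????? c /etc/default/rkhunter
......... /usr/bin/rkhunter'
printf '%s\n' "$sample" | verify_output_failures >/dev/null \
    || echo "sample: modified files detected"
```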
Hi! This package contains a script that directly access the dpkg internal database [S], instead of using the correct public interface «dpkg --verify» (note that it currently does not return an error exit code when it finds modified files, that will be fixed in 1.19.3, but you can always just check the output). If the code also needs to check whether the package is installed it could use something like «dpkg-query --showformat='${db:Status-Status}' --show PKGNAME» (or use a format of '${binary:Package} ${db:Status-Status}\n' and then pass no package name to get all packages). [S] files/rkhunter This is a problem for several reasons, because even though the layout and format of the dpkg database is administrator friendly, and it is expected that those might need to mess with it, in case of emergency, this “interface” does not extend to other programs besides the dpkg suite of tools. The admindir can also be configured differently at dpkg build or run-time. And finally, the contents and its format, will be changing in the near future. Thanks, Guillem