Source: open-infrastructure-system-tools
Source-Version: 20190301-lts1-1
Severity: important
User: debian-d...@lists.debian.org
Usertags: dpkg-db-access-blocker

Hi!

This package contains several components (system-config) and scripts (system-build), which directly access the dpkg internal database, instead of using one of the public interfaces provided by dpkg.

All these components (system-config) check the presence of the .list file to assert whether a package is installed. These components should be switched to use something else. Either check the status for each of these components (via dpkg-query), or these checks should be refactored into the call site which could do the checks over the entire database with a single call to «dpkg-query --show» instead of calling it once per package.

The script «scripts/build/chroot_live-packages» should be changed to do something similar to the above.

The other scripts, even though they do mess with the internal database, seem to be installer code, and as long as they are executed before any dpkg in that chroot, then they might assume historical database layouts, although I'd rather we found a way to avoid those usages too (but let's ignore these for now).

This is a problem for several reasons, because even though the layout and format of the dpkg database is administrator friendly, and it is expected that those might need to mess with it, in case of emergency, this “interface” does not extend to other programs besides the dpkg suite of tools. The admindir can also be configured differently at dpkg build or run-time. And finally, the contents and their format will be changing in the near future.

Thanks,
Guillem
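Added example, not part of the original report or of the package's code: a shell version of the single-call approach the report asks for, where one «dpkg-query --show» snapshot answers every per-package check. The function names and the sample snapshot are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: answer "is package X installed?" from one dpkg-query
# snapshot instead of testing for info/<pkg>.list in the dpkg database.

# One call over the entire database. dpkg-query locates the admindir
# itself (build-time default or --admindir), so no path is hard-coded.
# ${db:Status-Status} is available since dpkg 1.17.11.
dpkg_status_snapshot() {
    dpkg-query --show --showformat='${Package}\t${db:Status-Status}\n'
}

# installed_from_snapshot SNAPSHOT PKG...
# Prints each requested package whose status word is exactly "installed".
# States such as "config-files" or "unpacked" do not count.
installed_from_snapshot() {
    snapshot=$1; shift
    printf '%s\n' "$snapshot" | awk -F '\t' -v wanted="$*" '
        BEGIN { n = split(wanted, w, " ")
                for (i = 1; i <= n; i++) want[w[i]] = 1 }
        # seen[] collapses Multi-Arch duplicates of the same package name
        ($1 in want) && $2 == "installed" && !seen[$1]++ { print $1 }'
}

# pkg_installed SNAPSHOT PKG -> exit status 0 if installed, 1 otherwise
pkg_installed() {
    [ "$(installed_from_snapshot "$1" "$2")" = "$2" ]
}

# Constructed sample snapshot (not real dpkg-query output from any system).
SAMPLE_SNAPSHOT=$(printf '%s\t%s\n' \
    openssh-server installed \
    nginx config-files \
    libc6 installed \
    libc6 installed \
    busybox unpacked)

# Demo on the constructed data; on a real system pass
# "$(dpkg_status_snapshot)" as the first argument instead.
installed_from_snapshot "$SAMPLE_SNAPSHOT" openssh-server nginx busybox
```
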