Source: live-build Source-Version: 1:20190315 Severity: important User: debian-d...@lists.debian.org Usertags: dpkg-db-access-blocker
Hi! This package contains several scripts, which directly access the dpkg internal database, instead of using one of the public interfaces provided by dpkg. The script «scripts/build/chroot_live-packages» checks for the presence of the .list file to assert whether a package is installed. It should be switched to use something else. For example the package status from «dpkg-query». The other scripts, even though do mess with the internal database, seem to be installer code, and as long as it is executed before any dpkg in that chroot, then it might assume historical database layouts, although I'd rather we found a way to avoid those usages too (but let's ignore these for now). This is a problem for several reasons, because even though the layout and format of the dpkg database is administrator friendly, and it is expected that those might need to mess with it, in case of emergency, this “interface” does not extend to other programs besides the dpkg suite of tools. The admindir can also be configured differently at dpkg build or run-time. And finally, the contents and its format, will be changing in the near future. Thanks, Guillem