Rewrite dpkginfo probe without using APT #2046
bc49ce4 to 9f752e2
Are there any potential behaviour changes?
There shouldn't be. The new One thing that the APT library did was to return only the packages installed for the current architecture. I don't think it really matters in practice, because the multiple architecture support is only used to install 32-bit libraries on 64-bit systems. Also, it didn't even work properly before, because the APT configuration (
9f752e2 to b7088b9
else | ||
snprintf(path, PATH_MAX, "/var/lib/dpkg/status"); | ||
|
||
f = fopen(path, "r"); |
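Review bot: at `f = fopen(path, "r")`, `path` may have been built in the branch before this `else`, which the code-scanning alert traces to an environment variable, and the `snprintf` result is not checked in the lines shown. Compare the `snprintf` return value against `PATH_MAX` in both branches and fail the probe on truncation, since a truncated prefix would make the probe read a different file than the one intended. Also handle `f == NULL` directly after the `fopen`, so that a missing or unreadable status file is reported as an error rather than as "package not installed".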
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
user input (an environment variable)
LGTM! Thanks!
But, I'd like to ask you to also update the docs, CI config and generic spec file (remove libapt dep) within the same PR. (See: https://github.com/search?q=repo%3AOpenSCAP%2Fopenscap%20apt-devel&type=code)
b7088b9 to 484c4e0
I've just updated the docs, CI config and spec file. Let me know if I have missed anything.
Hold on a bit. Python 3.12 kicked us right in the fork.
And new kernel :(
Okay, we are good to go. Can you please rebase and have another go for CI?
Waiting for green CI.
This change rewrites the dpkginfo probe without using the APT library.
The dpkginfo now parses the list of installed packages (/var/lib/dpkg/status) directly, instead of relying on the APT library. This prevents loading the full list of packages in memory and various issues related to the use of the APT library.
The dpkginfo probe is now stateless and doesn't require init and fini functions. Also, the dpkginfo_get_by_name function can now be called from multiple threads without having to be protected by a lock. The dependency on the APT library has been removed from OpenSCAP.
484c4e0 to 557ddee
It's green now (except CodeQL).
Thank you!
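The approach the PR description outlines, as an added example that is not OpenSCAP's code: a single-pass, stateless lookup over the stanza format of `/var/lib/dpkg/status`. The names `status_lookup` and `pkg_info` are hypothetical, the sample stanzas are constructed, and treating only `install ok installed` as installed is an assumption.

```c
#include <stdio.h>
#include <string.h>

struct pkg_info { char version[128]; int installed; };

/* Constructed sample in the /var/lib/dpkg/status stanza format. */
static const char SAMPLE[] =
    "Package: libssl\nStatus: deinstall ok config-files\nVersion: 1.0.2-1\n\n"
    "Package: libssl3\nStatus: install ok installed\n"
    "Version: 3.0.11-1\nDescription: TLS library\n Package: decoy\n\n"
    "Package: zlib1g\nStatus: install ok installed\nVersion: 1.2.13\n";

/* Streams the file once, keeping one stanza's fields; no globals, so no lock.
 * Returns 1 if `name` is installed, 0 if not, -1 on read error. */
int status_lookup(FILE *f, const char *name, struct pkg_info *out)
{
    char line[1024];
    int in_target = 0, skip = 0;
    memset(out, 0, sizeof(*out));
    while (fgets(line, sizeof(line), f)) {
        size_t n = strcspn(line, "\n");
        int was_skip = skip;
        skip = (line[n] != '\n');           /* over-long line: drop its tail */
        line[n] = '\0';
        if (was_skip || line[0] == ' ' || line[0] == '\t')
            continue;                       /* tail chunk or continuation line */
        if (line[0] == '\0') {              /* blank line closes a stanza */
            if (in_target && out->installed) return 1;
            in_target = 0;
            memset(out, 0, sizeof(*out));
        } else if (strncmp(line, "Package: ", 9) == 0) {
            in_target = (strcmp(line + 9, name) == 0);   /* exact name match */
        } else if (in_target && strncmp(line, "Status: ", 8) == 0) {
            out->installed = (strcmp(line + 8, "install ok installed") == 0);
        } else if (in_target && strncmp(line, "Version: ", 9) == 0) {
            snprintf(out->version, sizeof(out->version), "%s", line + 9);
        }
    }
    return ferror(f) ? -1 : (in_target && out->installed);
}

int main(void)
{
    struct pkg_info p;
    FILE *f = tmpfile();                /* stand-in for the real status file */
    if (!f || fputs(SAMPLE, f) == EOF) return 1;
    rewind(f);
    printf("libssl3: %d %s\n", status_lookup(f, "libssl3", &p), p.version);
    return fclose(f) != 0;
}
```

The indented ` Package: decoy` line in the sample is a continuation of the Description field, so it must not start a new match, and `libssl` must not match the `libssl3` stanza.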