On Wed, 14 Nov 2018 03:22:18 +0100 Guillem Jover <guil...@debian.org> wrote: > Source: starplot > Source-Version: 0.95.5-8.3 > Severity: important > User: debian-d...@lists.debian.org > Usertags: dpkg-db-access-blocker > > Hi! > > This package contains a helper script [H], which directly accesses > the dpkg internal database. Instead of using one of the public > interfaces provided by dpkg. The code could probably be replaced > with a file trigger. > > [H] debian/starplot.sh > > This is a problem for several reasons, because even though the layout and > format of the dpkg database is administrator friendly, and it is expected > that those might need to mess with it, in case of emergency, this > “interface” does not extend to other programs besides the dpkg suite of > tools. The admindir can also be configured differently at dpkg build or > run-time. And finally, the contents and its format, will be changing in > the near future. > > In addition the logic used in that script is not reliable, as those > files will get updated when some other package takes over some of its > files, or on a reinstall, etc. > > Thanks, > Guillem > >
Hi, It is not clear to me that this script is being used by any package itself. AFAICT, packages use register-stardata[1] instead of that script which makes this a likely case of "inert" use instead. Thanks, ~Niels [1] https://sources.debian.org/src/stardata-common/0.8/src/register-stardata.c/
