Linux+: Applications 15 – Package Verification and other actions with dpkg

J

Jarret W. Buse

Guest
Linux+: Applications 15 – Package Verification and other actions with dpkg

After packages have been installed or updated, it can be important to verify the package files which have been installed on the system. Verification can help to determine if files from the package have been changed in any way.

The command dpkg has the following syntax:

dpkg <actions> <options> <package_names>

NOTE: The command must have one action and zero or more options. Most of these require Root privileges, so place sudo before dpkg when needed.

The actions covered in this article are:

· -V (--verify)

Verification of files can occur in two ways. Either a specific package can be verified or all packages can be checked. To check a specific package, use the following syntax:

dpkg –V <package_name>

For example, to check the bash package, the command would be: dpkg –V bash.

To check all packages on the system, the command would be: dpkg –V. Be aware that checking all packages can be time consuming. After issuing the command in the terminal, the system may appear to have stalled. Give it a few minutes and items should start appearing.

The output is given as an RPM output. For example, to run the command to verify bash (dpkg –V bash), the output might be similar to:

mint@mint ~ $ dpkg -V bash
??5?????? c /etc/bash.bashrc
??5?????? c /etc/skel/.bashrc
mint@mint ~ $


The output is defined as the following:

· S – noted change in the file size
· M – difference in the file's mode
· 5 – divergence of the file’s MD5 checksum
· D – discrepancy in the file's major and minor numbers
· L - noted change in the file's symbolic link contents
· U – difference in the file’s ownership
· G – divergence in the file's group
· T – discrepancy in the file’s modification time
· c – noted change in the file which is apparently a configuration file. Most often configuration files are often changed and rarely verify
· <file> - displays the file and full path which has not correctly verified

In the example above for the bash package, it is noted that file “/etc/bash.bashrc” is a configuration file and the MD5 checksum has changed. The same is true for the “/etc/skel/.bashrc” file.

Another example, such as the following:

S.5....T c /etc/passwd

Here, the file size, MD5 Checksum and timestamp have all been altered since the package was installed.

Other actions for the dpkg command which do not fit in a category are:

· -D(octal), --debug=(octal)
· --force-help
· --help
· --version

For help with debugging options, use the “--D(octal)” action. The octal value is given as one of the following:

· 1 General help progress information
· 2 Invocation and status of maintainer scripts
· 10 Output for each file processed
· 100 A lot of output for each file processed
· 20 Output for each configuration file
· 200 A lot of output for each configuration file
· 40 Displays dependencies and conflicts
· 400 A lot of dependencies/conflicts output
· 10000 Trigger activation and processing
· 20000 A lot of output regarding triggers
· 40000 Major amounts of output regarding triggers
· 1000 Extra information about e.g. the dpkg/info dir
· 2000 Extreme amounts of output information

For example, I could debug at level 2000 and install a package named “package1.deb” by using the following command:

sudo dpkg --debug=2000 –i package1.deb

To force certain actions, you can use the “--force-action”. The list of actions available to force are:

· all: Turns on (or off) all force options.
· downgrade: Install a package, even if newer version of it is already installed.
· configure-any: Configure also any unpacked but unconfigured packages on which the current package depends.
· hold: Process packages even when marked "hold".
· remove-reinstreq: Remove a package, even if it's broken and marked to require reinstallation. This may, for example, cause parts of the package to remain on the system, which will then be forgotten by dpkg.
· remove-essential: Remove, even if the package is considered essential. Essential packages contain mostly very basic Unix commands. Removing them might cause the whole system to stop working, so use with caution.
· depends: Turn all dependency problems into warnings.
· depends-version: Don't care about versions when checking dependencies.
· breaks: Install, even if this would break another package.
· conflicts: Install, even if it conflicts with another package. This is dangerous, for it will usually cause overwriting of some files.
· confmiss: If a conffile is missing and the version in the package did change, always install the missing conffile without prompting. This is dangerous, since it means not preserving a change (removing) made to the file.
· confnew: If a conffile has been modified and the version in the package did change, always install the new version without prompting, unless the --force-confdef is also specified, in which case the default action is preferred.
· confold: If a conffile has been modified and the version in the package did change, always keep the old version without prompting, unless the --force-confdef is also specified, in which case the default action is preferred.
· confdef: If a conffile has been modified and the version in the package did change, always choose the default action without prompting. If there is no default action it will stop to ask the user unless --force-confnew or --force-confold is also been given, in which case it will use that to decide the final action.
· confask: If a conffile has been modified always offer to replace it with the version in the package, even if the version in the package did not change. If any of --force-confmiss, --force-confnew, --force-confold, or --force-confdef is also given, it will be used to decide the final action.
· overwrite: Overwrite one package's file with another's file.
· overwrite-dir: Overwrite one package's directory with another's file.
· overwrite-diverted: Overwrite a diverted file with an undiverted version.
· unsafe-io: Do not perform safe I/O operations when unpacking. Currently, this implies not performing file system syncs before file renames, which is known to cause substantial performance degradation on some file systems. Unfortunately the ones that require the safe I/O on the first place due to their unreliable behaviour causing zero-length files on abrupt system crashes.
· architecture: Process packages with wrong or no architecture.
· bad-version: Process packages with wrong versions.
· bad-path: PATH is missing important programs, so problems are likely.
· not-root: Try to (de)install things even when not root.
· bad-verify: Install a package even if it fails authenticity check.

For example, to uninstall a package (package1.deb) when not root, use the command:

dpkg --force-not-root package1.deb

To get help for dpkg, use the --help action. When used, a message will be displayed of all actions and options available.

To determine the version of the dpkg command, the action “--version” is used.
 

Attachments

  • slide.jpg
    slide.jpg
    3.1 KB · Views: 6,799

Members online


Latest posts

Top