
Is dpkg-query -W sufficient for the manifest? #61

Open
setharnold opened this issue Dec 9, 2020 · 6 comments

Comments

@setharnold

I generated a manifest on a Bionic system with dpkg-query -W, copied it to a focal machine, and ran cvescan -p all -m manifest-post.txt. The output is surprising:

$ cvescan -p all -m manifest-post.txt 
✅ Ubuntu vulnerability datbase successfully downloaded! 
✅ Scan complete!
 
CVE ID            PRIORITY    PACKAGE      FIXED VERSION     REPOSITORY
CVE-2018-1000858  medium      gnupg-agent  2.2.4-1ubuntu1.2  Ubuntu Archive
CVE-2019-14855    low         gnupg-agent  2.2.4-1ubuntu1.3  Ubuntu Archive

Summary
------------------------------------  ------
Ubuntu Release                        bionic
Installed Packages                    1261
CVE Priority                          All
Unique Packages Fixable by Patching   1
Unique CVEs Fixable by Patching       2
Vulnerabilities Fixable by Patching   2
Fixes Available by `apt-get upgrade`  2
------------------------------------  ------

gnupg-agent isn't actually installed according to dpkg -l, but it is included in dpkg-query -W output all the same:

$ dpkg -l gnupg-agent | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version          Architecture Description
+++-==============-================-============-====================================================================
rc  gnupg-agent    2.2.4-1ubuntu1.1 all          GNU privacy guard - cryptographic agent (dummy transitional package)
$ dpkg-query -W | grep gnupg-agent
gnupg-agent	2.2.4-1ubuntu1.1

Thanks

@mssalvatore
Contributor

mssalvatore commented Dec 9, 2020

@setharnold No, it's not. See #56 and #53

@techalchemy
Collaborator

@setharnold @mssalvatore as a work-around until 3.0, do you see any issues with using the following to remove previously uninstalled items from the manifest?

$ grep -v -f <(dpkg --get-selections | awk '$2 ~ /deinstall/ {print $1}') <(dpkg-query -W)
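
An alternative to filtering names out of the manifest is to ask dpkg for the install state of every entry and keep only the installed ones. The script below is an added example, not part of cvescan or of this discussion; it relies on the documented `dpkg-query --showformat` fields `${Status}`, `${Package}` and `${Version}`, and the sample data it ships with is constructed to mirror the case in this issue (gnupg-agent and zfs-zed left in the `rc` state).

```sh
#!/bin/sh
# Added example, not cvescan code: build a package manifest that excludes
# removed-but-not-purged ("rc") entries, which plain `dpkg-query -W` still lists.
#
# dpkg-query -f can emit the ${Status} field next to the package name, so the
# manifest is filtered on the real install state rather than on a name list.
# ${Status} reads "install ok installed" for installed packages,
# "hold ok installed" for held (still installed) packages and
# "deinstall ok config-files" for packages removed without --purge.

# Read "status<TAB>package<TAB>version" lines on stdin; print "package<TAB>version"
# only for entries whose status ends in "installed" (this keeps held packages).
filter_installed() {
    awk -F'\t' '$1 ~ / installed$/ { print $2 "\t" $3 }'
}

# Same input; print only the names dpkg still tracks but that are not
# installed, i.e. the entries that inflate a `dpkg-query -W` manifest.
stale_entries() {
    awk -F'\t' '$1 !~ / installed$/ { print $2 }'
}

# Query the real dpkg database in the three-column layout the filters expect.
# The default admindir is the one the cloud-image manifests also use.
status_lines() {
    dpkg-query -W -f='${Status}\t${Package}\t${Version}\n' --admindir="${1:-/var/lib/dpkg}"
}

# Constructed sample standing in for status_lines output on a host where
# gnupg-agent and zfs-zed were removed but not purged; libc6 is on hold.
sample_status_lines() {
    printf '%s\t%s\t%s\n' 'install ok installed'      'bash'        '5.0-6ubuntu1.1'
    printf '%s\t%s\t%s\n' 'deinstall ok config-files' 'gnupg-agent' '2.2.4-1ubuntu1.1'
    printf '%s\t%s\t%s\n' 'hold ok installed'         'libc6'       '2.31-0ubuntu9'
    printf '%s\t%s\t%s\n' 'deinstall ok config-files' 'zfs-zed'     '0.7.12-1ubuntu5'
}

case "${1:-}" in
    --run)  status_lines | filter_installed ;;         # write the real manifest
    --demo) sample_status_lines | filter_installed ;;  # run on the constructed sample
    --stale) status_lines | stale_entries ;;           # list rc entries on this host
esac
```

Run with `--run` to write a manifest from the live dpkg database, or `--demo` to see the filter applied to the constructed sample (only bash and libc6 survive). Filtering on `${Status}` avoids a pitfall of the `grep -v -f` approach above: grep treats each deinstalled name as a substring pattern, so a removed package whose name is a prefix of an installed one (for example a removed `gnupg` alongside an installed `gnupg-agent`) would also drop the installed package from the manifest.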

@philroche

If it helps, the cloud image manifests published to http://cloud-images.ubuntu.com/releases/focal/release/ are generated using

dpkg-query --show --admindir="/var/lib/dpkg"

See https://git.launchpad.net/ubuntu/+source/livecd-rootfs/tree/live-build/functions?h=ubuntu/focal-updates#n46 for more details.

@techalchemy
Collaborator

@philroche that still turns up previously installed packages for me -- for example, zfs-zed is no longer installed locally and ideally won't show up in a manifest:

$ dpkg -l | grep '^rc' | tail -1       Wed 16 Dec 2020 09:28:15 PM UTC
rc  zfs-zed                                       0.7.12-1ubuntu5                             amd64        OpenZFS Event Daemon

but it does show up in standard queries:

$ dpkg-query --show --admindir="/var/lib/dpkg" | grep 'zfs-zed'
zfs-zed	0.7.12-1ubuntu5

@philroche

@techalchemy Interesting. I'll check to see if any cloud-images are affected by this. I'll also update https://github.com/CanonicalLtd/ubuntu-package-manifest too

> @philroche that still turns up previously installed packages for me -- for example, zfs-zed is no longer installed locally and ideally won't show up in a manifest:
>
> $ dpkg -l | grep '^rc' | tail -1       Wed 16 Dec 2020 09:28:15 PM UTC
> rc  zfs-zed                                       0.7.12-1ubuntu5                             amd64        OpenZFS Event Daemon
>
> but it does show up in standard queries:
>
> $ dpkg-query --show --admindir="/var/lib/dpkg" | grep 'zfs-zed'
> zfs-zed	0.7.12-1ubuntu5

@philroche

I have confirmed that Ubuntu cloud image manifests are not affected as any package removal that I can find uses apt-get remove --purge which means it will not show up in the manifest.

I have tested this locally now too.
