
I manage a number of Debian servers and usually track the Debian stable repository but occasionally install from the Debian testing repository or third party sources. For audit purposes, on each machine, for all packages currently installed, I would like to compare the installed package version against the package version in a particular repository, i.e. the Debian stable repository.

Using aptitude search patterns I can identify installed packages that are or are not available from the Debian stable repository:

aptitude search "?installed?origin(Debian)?archive(stable)"
aptitude search "?installed?not(?origin(Debian)?archive(stable))"

But for the packages that are available from the Debian stable repository I am not able to determine whether the installed version matches the version in the repository.

I suppose it might be possible to use apt pinning to force a downgrade:

Package:      *
Pin:          release n=stable, o=Debian
Pin-Priority: 1001

And then use dry run mode to check which packages would be affected:

apt-get update
apt-get --dry-run upgrade

But mitigating the risks of using apt pinning over 1000 would require a separate configuration for apt, which seems more complicated than it needs to be.

A possibility going forward would be to set up a private repository, and only install from the Debian stable repository or the private repository. Then, if a package was available from the private repository, it could be assumed (for audit purposes) to not have been installed from the Debian stable repository. As long as packages are never installed manually, this could work reasonably well. But setting up a private repository seems a bit overkill for what could be one simple command.

Is there a better way to audit package versions? Or even better, to audit package signatures?

Monica For CEO
  • So this is your question? "on each machine, for all packages currently installed, I would like to compare the installed package version against the package version in a particular repository?" – Danila Ladner Sep 26 '13 at 20:24
  • Yes, and I just discovered the answer, but I am not able to post for another 8 hours because I just recently signed up. Like so: aptitude search "?installed?not(?narrow(?installed,?origin(Debian)?archive(stable)))" Using `?narrow` compares package names **and** versions, so the above compares installed package names and versions against the package names and versions from the Debian stable repository, and then inverts the match to find installed packages which do not match the version in the Debian stable repository. – Monica For CEO Sep 26 '13 at 20:40
  • Why don't you use "apt-cache policy" in a loop over the results of "dpkg --get-selections"? But again, if your solution worked, that is all you need. – Danila Ladner Sep 26 '13 at 20:45
  • Thanks! Sending results from `aptitude search "?installed?not(?narrow(?installed,?origin(Debian)?archive(stable)))"` to `apt-cache policy package name` is perfect. – Monica For CEO Sep 26 '13 at 20:59

1 Answer


Like so:

aptitude search "?installed?not(?narrow(?installed,?origin(^Debian$)?archive(^stable$)))"

Using ?narrow compares package names and versions, so the above compares installed package names and versions against the package names and versions from the Debian stable repository, and then inverts the match to find installed packages which do not match the version in the Debian stable repository.

Danila Ladner's suggestion from the comments was also helpful; I fed the results from the aptitude command to apt-cache policy <package> in order to see version detail for the packages that came up in the initial search and needed a closer look.

Monica For CEO
  • So the single letter output of the above command, I show two results:
    # aptitude search "?installed?not(?narrow(?installed,?origin(^Debian$)?archive(^stable$)))"
    i A accountsservice - query and manipulate user account informat
    i   acl - Access control list utilities
    i   acpi-support-base - scripts for handling base ACPI events such
    i   acpid - Advanced Configuration and Power Interface
    i   adwaita-icon-theme - default icon theme of GNOME
    – John Greene Sep 11 '16 at 20:18
  • In other words, if a letter 'A' appears, that means what? – John Greene Sep 11 '16 at 20:19
  • The `A` indicates that the package was automatically installed. Referring to `man aptitude` and looking at the `search` command: Each search result is listed on a separate line. The first character of each line indicates the current state of the package...the second character indicates the stored action (if any; otherwise a blank space is displayed) to be performed on the package....if the third character is A, the package was automatically installed. – Monica For CEO Sep 12 '16 at 05:20
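The answer and the comments above feed the aptitude search into `apt-cache policy` and then read the output by eye. The script below is an added example (not from the original question or answer) that automates the second half of that audit: it parses `apt-cache policy` output and reports every package whose installed version is not the candidate version offered by the configured repositories. The `apt-cache policy` text embedded in the script is a constructed sample with made-up versions, so the script runs on any machine; the commented-out pipeline at the end shows how it would be driven on a real Debian host. Note that the candidate version reflects apt's pin priorities, so if a testing or third-party source is configured at the default priority its newer version may be the candidate; passing `-o APT::Default-Release=stable` to `apt-cache` makes stable the preferred release for that query, which is what an audit against stable wants.

```shell
#!/bin/sh
# Added example, not part of the original post: compare installed package
# versions with the repository candidate by parsing `apt-cache policy`.

# Constructed sample of `apt-cache policy` output for three packages.
# Package names follow the comment thread above; versions and mirror
# lines are made up for illustration.
SAMPLE_POLICY='accountsservice:
  Installed: 0.6.45-2
  Candidate: 0.6.40-4
  Version table:
 *** 0.6.45-2 100
        100 /var/lib/dpkg/status
     0.6.40-4 500
        500 http://deb.debian.org/debian stable/main amd64 Packages
acl:
  Installed: 2.2.52-3+b1
  Candidate: 2.2.52-3+b1
  Version table:
 *** 2.2.52-3+b1 500
        500 http://deb.debian.org/debian stable/main amd64 Packages
        100 /var/lib/dpkg/status
acpid:
  Installed: 1:2.0.28-1
  Candidate: (none)
  Version table:
 *** 1:2.0.28-1 100
        100 /var/lib/dpkg/status
'

# Read `apt-cache policy` output on stdin; print one line per package whose
# installed version differs from the candidate, as:
#   <package> <installed> <candidate>
# A candidate of "(none)" means no configured repository offers the package
# at all, which is exactly the case an audit should flag.
audit_policy() {
    awk '
        /^[^ ]/         { pkg = $1; sub(/:$/, "", pkg) }   # "name:" header line
        /^  Installed:/ { inst = $2 }
        /^  Candidate:/ { cand = $2; if (inst != cand) print pkg, inst, cand }
    '
}

# Number of mismatching packages, usable as an audit pass/fail criterion.
audit_count() {
    audit_policy | wc -l | tr -d ' '
}

# Live use on a Debian host (left commented so the script runs anywhere):
# the aptitude search from the answer lists the suspect packages, -F '%p'
# prints only the package name, and apt-cache policy is queried with stable
# as the preferred release so the candidate is the stable version.
#   aptitude search -F '%p' \
#     "?installed?not(?narrow(?installed,?origin(^Debian$)?archive(^stable$)))" \
#     | xargs apt-cache -o APT::Default-Release=stable policy | audit_policy

# Demonstration on the constructed sample.
printf '%s' "$SAMPLE_POLICY" | audit_policy
```

On the sample this prints `accountsservice 0.6.45-2 0.6.40-4` (installed version newer than stable's) and `acpid 1:2.0.28-1 (none)` (not available from any configured repository), while `acl` is silent because it matches. The function only compares the two version strings for equality; whether the installed version is newer or older is visible in the printed columns and can be decided with `dpkg --compare-versions` if needed.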