I'm trying to limit the risk in using third-party APT repositories. The scenario I'm trying to protect against is a malicious package being introduced into a third-party repo with a newer version than the version I have installed from Debian.
Lately whenever I've added a new APT source, I've used APT pinning to make only certain packages installable from that source, like so:
```
Package: *
Pin: origin debian.nabijaczleweli.xyz
Pin-Priority: -1

Package: systemd-zram
Pin: origin debian.nabijaczleweli.xyz
Pin-Priority: 500
```

Note that I am using `Pin: origin <hostname>` rather than `Origin: <tag>` to do this. If I understand correctly, the origin tag is controlled by the repo itself (in the Releases file) and can easily be set to `debian`, either maliciously or because of ignorance. (I have seen this in the wild.) By contrast, the origin hostname is derived from the URI specified in `sources.list`.
This seems to work just fine, and now I want to apply this to all my third-party APT sources. To do this, I need to know which packages I've installed from each third-party repository. The problem is, I can't seem to find a way to get a list of installed packages and their origin URIs or hostnames.
Aptitude is happy to show you Origin URI on its package information screen¹, but does not include a search predicate for it nor will it display it in package lists.
dpkg-query and apt-cache can give me a lot of information about packages, but I haven't yet found a way to get the origin URI or hostname.
I assume I could parse the contents of /var/lib/apt/lists/*_Packages myself, using the first part of the filename as the origin hostname, but I'd prefer not to subject myself to that.
So:

1. Is this scenario even worth considering? Maybe there are so many ways that a compromised repo can screw me over that I should learn to stop worrying and love the bomb.
2. Am I correct that the Releases file's `Origin` field is less reliable an indication of a package's provenance than the origin hostname used in `Pin: origin <hostname>`?
3. Is there a way to get a list of all installed packages along with their origin hostnames?
Thanks!
¹The screenshot on that page is too old to depict the Origin-URI field being shown, but modern versions of Aptitude show the complete URI of the package here.
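An added example, not part of the question above, showing one way to answer the third point (and to generate the per-host pin stanzas from the first one) without hand-reading `/var/lib/apt/lists`. It assumes what the question already relies on: APT stores each downloaded index under `/var/lib/apt/lists` with the source URI flattened into the filename (`/` replaced by `_`), so the text before the first `_` is the source hostname that `Pin: origin <hostname>` matches on. The `TRUSTED_HOST` value and the two sample index files plus the installed set are constructed for the demonstration; on a real system you would swap in `read_system_lists()` and `installed_packages()`.

```python
"""Map installed packages to the hostname of the APT source carrying them,
then render per-host apt_preferences stanzas in the style of the question.

Added example (not from the original post). Assumption: index filenames in
/var/lib/apt/lists start with the source hostname followed by "_".
"""
import os
import re
import subprocess
from collections import defaultdict

LIST_DIR = "/var/lib/apt/lists"
TRUSTED_HOST = "deb.debian.org"   # hypothetical: the one host you do not want pinned down


def hostname_from_list_filename(filename):
    """'debian.nabijaczleweli.xyz_dists_..._Packages' -> 'debian.nabijaczleweli.xyz'."""
    return os.path.basename(filename).split("_", 1)[0]


def parse_packages_index(text):
    """Yield (package, version) for every stanza of a Packages index."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue                      # continuation of a multi-line field
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
        if "Package" in fields and "Version" in fields:
            yield fields["Package"], fields["Version"]


def build_origin_index(list_files):
    """list_files: iterable of (filename, contents). Returns {(pkg, ver): {host, ...}}."""
    index = defaultdict(set)
    for filename, text in list_files:
        if not filename.endswith("_Packages"):
            continue
        host = hostname_from_list_filename(filename)
        for pkg, ver in parse_packages_index(text):
            index[(pkg, ver)].add(host)
    return index


def read_system_lists(list_dir=LIST_DIR):
    """Load the real index files (only meaningful on an actual Debian system)."""
    for name in os.listdir(list_dir):
        if name.endswith("_Packages"):
            with open(os.path.join(list_dir, name), encoding="utf-8", errors="replace") as fh:
                yield name, fh.read()


def installed_packages():
    """(package, version) for every installed package, via dpkg-query."""
    out = subprocess.run(
        ["dpkg-query", "-W", "-f", "${Package}\t${Version}\t${Status}\n"],
        capture_output=True, text=True, check=True).stdout
    for line in out.splitlines():
        pkg, ver, status = line.split("\t")
        if status == "install ok installed":
            yield pkg, ver


def origins_of_installed(installed, index):
    """{package: sorted hosts whose index carries the installed version}.
    An empty list means no current index has that exact version (a superseded
    version, or a locally built package); several hosts means the version is
    carried by more than one source and the filename alone cannot tell them apart."""
    return {pkg: sorted(index.get((pkg, ver), ())) for pkg, ver in installed}


def pin_stanzas(origins, trusted_host=TRUSTED_HOST):
    """Block every non-trusted host, then re-allow only the packages installed from it."""
    by_host = defaultdict(list)
    for pkg, hosts in origins.items():
        for host in hosts:
            if host != trusted_host:
                by_host[host].append(pkg)
    chunks = []
    for host in sorted(by_host):
        chunks.append(f"Package: *\nPin: origin {host}\nPin-Priority: -1\n")
        for pkg in sorted(by_host[host]):
            chunks.append(f"Package: {pkg}\nPin: origin {host}\nPin-Priority: 500\n")
    return "\n".join(chunks)


# Constructed sample indexes and installed set so the logic runs offline.
SAMPLE_LISTS = [
    ("deb.debian.org_debian_dists_bookworm_main_binary-amd64_Packages",
     "Package: curl\nVersion: 8.0.0-1\nArchitecture: amd64\n\n"
     "Package: systemd\nVersion: 252.0-1\nArchitecture: amd64\n"),
    ("debian.nabijaczleweli.xyz_dists_bookworm_main_binary-amd64_Packages",
     "Package: systemd-zram\nVersion: 0.3.0-1\nArchitecture: all\n\n"
     "Package: curl\nVersion: 8.0.0-1\nArchitecture: amd64\n"),
]
SAMPLE_INSTALLED = [("curl", "8.0.0-1"), ("systemd", "252.0-1"),
                    ("systemd-zram", "0.3.0-1"), ("local-tool", "1.0")]

if __name__ == "__main__":
    origins = origins_of_installed(SAMPLE_INSTALLED, build_origin_index(SAMPLE_LISTS))
    for pkg, hosts in sorted(origins.items()):
        print(f"{pkg}: {', '.join(hosts) or '<no index carries this version>'}")
    print(pin_stanzas(origins))
```

Two caveats the sample data is built to show: a package whose installed version appears in more than one index (`curl` here) cannot be attributed to a single host by this method, so it will be re-allowed from the third-party host too, and a package whose exact version is in no current index (`local-tool`) gets no origin at all and needs a manual decision.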