November 30, 2006

Housekeeping utilities for Debian packages

Author: Bruce Byfield

For all the efficiency and continued evolution of Debian's APT tools, some gaps in package management functionality remain. One of the largest ones is that, when a package is removed, any other packages that depend on it are not removed. The result is a growing number of orphans on the system -- that is, packages that serve no purpose for the system as a whole, although in some cases they continue to be useful individually. Similarly, while you can keep track of security announcements for Debian or distributions derived from it, the basic package system has no way of telling you which vulnerabilities might affect your system. To compensate for these lacks, you can turn to a group of housekeeping tools that make maintaining your Debian system easier and more efficient.

As experienced users might expect, you need to have some sense of the Debian package and repository systems to make full -- and safe user of these packages. If you don't already know about Debian's three suites of repositories, Debian's priority ratings for packages, or the difference between depends, recommends, and suggests, read Debian's Package Management FAQ before using any of these programs to maintain your system.

Even if you are familiar with Debian package management, use these housekeeping tools with care. None of them is an automatic maintenance tool so much as a source of more information that will let you make more intelligent judgments about package maintenance.

debfoster

The debfoster package is a wrapper for dpkg and apt that helps you keep track of orphans. The package is officially deprecated by its developers, on the grounds that aptitude provides the same functionality within the APT family. However, many continue to use debfoster, perhaps because, like me, they find it easier to use than aptitude's awkward text-based interface, and like the more detailed information that it provides.

The first time you run debfoster, it asks which orphans you want to keep it installed. This file is stored at /var/lib/debfoster/keepers so that debfoster can refer to it later.

After that, each time that you run debfoster, you are asked what whether you want to keep or remove new or orphaned packages. Besides the choices of y (yes) or n (no), you can choose p (prune: that is, remove not only the package but all others that depend on it), i (show package information), s (skip), or x (remove all orphans without asking further questions). You can also chose u to undo your answer to the previous question, an option that allows you to back out of disaster, since debfoster acts on your choices only after all questions are asked. If you really panic, you can select q to stop debfoster altogether, although its most recent question will be waiting for you the next time you run the program. If you are feeling confident, you can avoid debfoster's interrogation by running debfoster -f to have all questions answered with no, or debfoster -q to have all questions answered with yes.

At other times, running debfoster provides information about your system. Entering debfoster -v generates a list of packages that have been removed, while debfoster -s lists all current orphans. Similarly, you can see a list of all dependencies for a particular package using debfoster -d packagename or debfoster -r packagename for a list of packages that are only installed because the specified package and none other requires them. You can also modify debfoster's behavior by editing /etc/debfoster.conf, whose comments provide a thorough guide to every option.

To further assist debfoster in providing information, you can use the format debfoster packagename to install programs, so that you don't need to run the program separately from apt-get. Adding a minus sign after the package name removes the package, while adding the -u option after the command upgrades it, if possible.

deborphan

The deborphan package generates a list of orphans. Although all orphans are not necessarily packages that you can safely remove, you can use deborphan to create a list of possible removals that you can confirm by further investigation with the Debian package listings.

If you run deborphan without any options, you receive a report only on orphaned libraries with a rating of 2 or greater (important) on the Debian package system's ratings. Moreover, the program reports in nice mode, including not only packages on which no other package depends, but also ones that no other packages suggest or recommend.

You can tighten these defaults with a number of options. The -libdevel option adds packages in the libdevel section of the repository to the report, while the -a option includes all packages. Similarly, adding --priority=level changes the priority rate of the report's content, and the -n option turns off nice mode, so that only dependencies are considered in compiling the report. You can also use the -P option to list the priority rating for each orphaned package to help you assess whether you want to remove it, or -d to list all package installed and what packages depend on them.

As you learn what is installed in your system, you can avoid wading through reports full of packages that you know you want to leave alone by using the option --exclude=list to specify a text file that contains a comma-separated list of packages that deborphan ignores. A more sophisticated choice is to use the keepfile that deborphan maintains at /var/lib/deborphan/keep for the same purpose. You add packages to the keepfile using -A package and remove them with -R package, and you can view the file with -L.

Even more importantly, you can use --guess-options to have deborphan make recommendations about which packages you can safely remove. Guess options include strings representing common programming languages such as perl and python, but also a number of others, such as doc and all. The guesses made by deborphan seem reasonably reliable, but use them the way that an experienced writer uses the spellchecker in a word processor: as a way to reduce drudgery, rather than a substitute for your own judgment. Otherwise, you may find that your deletions of options brings your system down.

debsecan

The Debian Security Analyzer (debsecan) reports vulnerabilities for the system it runs on based on Debian Security Advisories.

To get the most exact information for your system, in most cases, run debsecan --suite suite, using the name of the suite rather than its description. For instance, specify sarge rather than unstable. Some packages in the results may be listed as obsolete, meaning that you should update them and any packages dependent on them. However, if your system runs packages from more than one suite, as many do, then run the command without any options. In either case, you can add a package name to the command to receive a report of vulnerabilities for that package only. Another option is the --only-fix option, which reports only vulnerabilities for which a fix is ready -- although, because Debian advisories do not always originate within the project, the package with the fix may not be available yet.

By default, debsecan reports use a summary format, but you can use the --format format option to specify other formats. The simple format, for example, lists only the package names involved, while the bug format lists only the known vulnerabilities, and the packages format lists only the binary packages affected. For those who want the most information, the detail format is available.

If you choose, you can create a whitelist of packages whose vulnerabilities are not included. The white list is maintained by a series of options: --add-whitelist, --remove-whitelist, and --show-whitelist. Using a whitelist may be an option if you temporarily want to avoid updating because you are worried about stability, or if you are waiting for a package with the fix.

Another option is to use --mailto mailbox --format report to send a report to an email address on the system instead of listing it in the shell. You can also use the command debsecan-create-cron to run debsecan automatically. If you do, then running the command debsecan -cron will tell you whether vulnerability data has already been updated for the day.

Conclusion

Why bother with these packages? After all, the average hard drive these days is large enough to have room for any number of orphaned packages without running out of space, and the security-conscious can run apt-get upgrade each day, or, if using Etch, rely on the Update Manager to inform them of updated packages.

The answer is that these utilities allow for more conscientious system maintenance. Orphaned packages and system vulnerabilities are both potential security risks, so you can never know too much about them, even if your only concern is a home workstation. Debfoster, deborphan, and debsecan all give you information on your system that can help you make more intelligent decisions -- and that makes all of them worth knowing.

Bruce Byfield is a computer journalist who writes regularly for NewsForge, Linux.com and IT Manager's Journal.

Click Here!