Why is checkinstall no longer being maintained?
Why is checkinstall no longer being maintained?
You really should ask the creator but I can make an educated guess: It is considered a security hazard. And not just a small one.
Martin F. Krafft author of "Debian system" (-> Amazon):
Checkinstall is limited in what it can do. To be precise, the packages it creates can only install files, and checkinstall does not care where it installs them. You can overwrite files in
/home
directories with checkinstall, among other things. The generated packages can not modify files. If the installation routine modifies existing files, they will be part of the generated package in their entirety.A horror scenario occurs when an installation routine adds a user by modification of
/etc/passwd
, which is subsequently included in the package. Installation of the package causes/etc/passwd
to be completely replaced, and the deinstallation of the package removes the file, breaking the system in half.The generated packages also fail to register their configuration files with dpkg, therefore paving the way for upgrades that overwrite local configuration file changes.
In light of these problems, it is probably a good idea to avoid but for the rarest cases.
Related videos on Youtube
evaristegd
Updated on September 18, 2022Comments
-
evaristegd almost 2 years
The command
checkinstall
has been recommended many times in this forum, as a replacement ofmake install
. However when one goes to the official website, the "Recent news" section shows Dec 2016 as the most recent date.
Edit: I read the post Is there any checkinstall alternative?, and I cloned the git repository of
checkinstall
. As of April 2019, thegit log
command shows only around 1 commit per year in the last 3 years.Q1: Is that amount of commits enough to maintain the package?
Q2: Why is checkinstall not on Github? On platforms like that one you would be able to see the last commits and latest releases without the need of cloning the entire repo onto your computer.-
N0rbert about 5 yearsPossible duplicate of Is there any Checkinstall alternative since its too old?
-
evaristegd about 5 years@N0rbert thank you for pointing that out. I have updated my post.
-
-
evaristegd about 5 yearsthank you. Is that extract written in the book?
-
Rinzwind about 5 yearsYes I have a copy of in at work ;)
-
Hi-Angel over 3 yearsThat is some dubious claim. If you got an adversary project that does something bad to your system upon running
make install
, then there's no difference if you screw your system withmake install
orcheckinstall
. The latter at least tracks what and where was installed. The point of the project is to be a better "make install". Sure, would be nice to have some security here, but in absence of alternatives what can you do. There's no point in telling "let's not use it because it's less secure". Like, less secure than what? -
foobrew over 3 yearsI'll just add that I've had checkinstall actually mess up my boot drive enough that I was forced to completely reinstall the OS. It was a few years ago so I don't remember the details but I recall it had something to do with how it was building fake roots. This was from simply trying to build a .deb package for emacs so nothing too fancy. Since then, I only use it in a VM spun up temporarily just for that purpose.