Why is checkinstall no longer being maintained?


You really should ask the creator, but I can make an educated guess: it is considered a security hazard, and not just a small one.

Martin F. Krafft, author of "The Debian System":

Checkinstall is limited in what it can do. To be precise, the packages it creates can only install files, and checkinstall does not care where it installs them. You can overwrite files in /home directories with checkinstall, among other things. The generated packages cannot modify files. If the installation routine modifies existing files, they will be part of the generated package in their entirety.

A horror scenario occurs when an installation routine adds a user by modification of /etc/passwd, which is subsequently included in the package. Installation of the package causes /etc/passwd to be completely replaced, and the deinstallation of the package removes the file, breaking the system in half.

The generated packages also fail to register their configuration files with dpkg, therefore paving the way for upgrades that overwrite local configuration file changes.

In light of these problems, it is probably a good idea to avoid it but for the rarest cases.

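The three hazards in the excerpt above (a system database such as /etc/passwd shipped whole, files written under /home, and /etc files not declared to dpkg as conffiles) can all be spotted from a package's file list before it is ever installed. The following is an added example, not code from the page or from the checkinstall project: it reads the installed paths and the declared conffiles out of a .deb with a minimal `ar` reader (a .deb is an `ar` archive holding control.tar.* and data.tar.*) and flags those three patterns; the script name `audit_deb.py` and the `SYSTEM_DATABASES` list are assumptions made here.

```python
import io
import sys
import tarfile

# Files a package must never ship whole: a checkinstall package containing one
# replaces it on install and deletes it on removal (the /etc/passwd scenario).
SYSTEM_DATABASES = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow"}

def read_deb(path):
    """Return (installed file paths, declared conffiles) from a .deb, i.e. an
    `ar` archive holding control.tar.* and data.tar.* (no dpkg-deb needed)."""
    paths, conffiles = [], set()
    with open(path, "rb") as fh:
        if fh.read(8) != b"!<arch>\n":
            raise ValueError("not an ar archive")
        while True:
            hdr = fh.read(60)  # fixed-size ar member header
            if len(hdr) < 60:
                break
            name = hdr[:16].decode().strip().rstrip("/")
            size = int(hdr[48:58])
            blob = fh.read(size)
            if size % 2:  # members are padded to an even length
                fh.read(1)
            if not name.startswith(("data.tar", "control.tar")):
                continue
            with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
                for m in tar:
                    member = "/" + m.name.lstrip("./")
                    if name.startswith("data.tar") and m.isfile():
                        paths.append(member)
                    elif member == "/conffiles":  # dpkg's list of config files
                        conffiles = set(tar.extractfile(m).read().decode().split())
    return paths, conffiles

def audit(paths, conffiles):
    """Return (path, problem) pairs for the three hazards described above."""
    findings = []
    for p in paths:
        if p in SYSTEM_DATABASES:
            findings.append((p, "system database shipped whole; removal deletes it"))
        elif p.startswith("/home/"):
            findings.append((p, "installs into a user's home directory"))
        elif p.startswith("/etc/") and p not in conffiles:
            findings.append((p, "config file not registered as a conffile"))
    return findings

if __name__ == "__main__":  # usage: python audit_deb.py package.deb
    for path, problem in audit(*read_deb(sys.argv[1])):
        print(f"{path}: {problem}")
```

A zstd-compressed data.tar (used by newer dpkg) needs a Python `tarfile` with zstd support; otherwise run the same `audit` over the output of `dpkg-deb -c`.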


Author: evaristegd

Updated on September 18, 2022

Comments

  • evaristegd, almost 2 years

    The command checkinstall has been recommended many times in this forum as a replacement for make install. However, when one goes to the official website, the "Recent news" section shows Dec 2016 as the most recent date.

    Edit: I read the post "Is there any checkinstall alternative?", and I cloned the git repository of checkinstall. As of April 2019, the git log command shows only around 1 commit per year in the last 3 years.

    Q1: Is that amount of commits enough to maintain the package?
    Q2: Why is checkinstall not on GitHub? On platforms like that one you would be able to see the last commits and latest releases without the need of cloning the entire repo onto your computer.

  • evaristegd, about 5 years
    Thank you. Is that extract written in the book?
  • Rinzwind, about 5 years
    Yes, I have a copy of it at work ;)
  • Hi-Angel, over 3 years
    That is some dubious claim. If you've got an adversarial project that does something bad to your system upon running make install, then there's no difference whether you screw your system with make install or checkinstall. The latter at least tracks what was installed and where. The point of the project is to be a better "make install". Sure, it would be nice to have some security here, but in the absence of alternatives what can you do? There's no point in saying "let's not use it because it's less secure". Like, less secure than what?
  • foobrew, over 3 years
    I'll just add that I've had checkinstall actually mess up my boot drive enough that I was forced to completely reinstall the OS. It was a few years ago, so I don't remember the details, but I recall it had something to do with how it was building fake roots. This was from simply trying to build a .deb package for emacs, so nothing too fancy. Since then, I only use it in a VM spun up temporarily just for that purpose.