I manage a number of Debian servers and usually track the Debian stable repository but occasionally install from the Debian testing repository or third party sources. For audit purposes, on each machine, for all packages currently installed, I would like to compare the installed package version against the package version in a particular repository, i.e. the Debian stable repository.
Using aptitude search patterns I can identify installed packages that are or are not available from the Debian stable repository:
aptitude search "?installed?origin(Debian)?archive(stable)"
aptitude search "?installed?not(?origin(Debian)?archive(stable))"
But for the packages that are available from the Debian stable repository I am not able to determine whether the installed version matches the version in the repository.
I suppose it might be possible to use apt pinning to force a downgrade:
Package: *
Pin: release n=stable, o=Debian
Pin-Priority: 1001
And then use dry run mode to check which packages would be affected:
apt-get update
apt-get --dry-run upgrade
But mitigating the risks of using apt pinning over 1000 would require a separate configuration for apt, which seems more complicated than it needs to be.
A possibility going forward would be to set up a private repository, and only install from the Debian stable repository or the private repository. Then, if a package was available from the private repository, it could be assumed (for audit purposes) to not have been installed from the Debian stable repository. As long as packages are never installed manually, this could work reasonably well. But setting up a private repository seems a bit overkill for what could be one simple command.
Is there a better way to audit package versions? Or even better, to audit package signatures?
Like so:
Using ?narrow compares package names and versions, so the above compares installed package names and versions against the package names and versions from the Debian stable repository, and then inverts the match to find installed packages which do not match the version in the Debian stable repository. Danila Ladner's suggestion from the comments was also helpful; I fed the results from the aptitude command to apt-cache policy <package> in order to see version detail for the packages that came up in the initial search and needed a closer look.
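An added example (not from the question or the answer above) of turning that apt-cache policy follow-up into an audit: a POSIX shell parser that reads apt-cache policy output and reports, per installed package, whether the installed version equals the version the Debian stable suite offers. It assumes sources.list names the suite "stable" and that the Debian mirror host is deb.debian.org; the package names, versions and policy output in the sample are constructed.

```shell
# audit_policy: read `apt-cache policy <pkg>...` output on stdin; $1 is the suite name
# as written in sources.list (default "stable"), optional $2 a substring the source URL
# must contain (e.g. a mirror host) so a third-party repo calling itself "stable" is skipped.
# Output: "<package> <installed> <suite-version|none> <match|mismatch|absent>"
audit_policy() {
  suite="${1:-stable}"; mirror="$2"
  awk -v suite="$suite" -v mirror="$mirror" '
    function flush() {
      if (pkg == "") return
      st = (sv == "") ? "absent" : ((sv == inst) ? "match" : "mismatch")
      print pkg, inst, (sv == "" ? "none" : sv), st
    }
    /^[^ ].*:$/ { flush(); pkg = $1; sub(/:$/, "", pkg); inst = ""; sv = ""; cur = ""; next }
    /^  Installed:/ { inst = $2; next }
    /^ \*\*\* /     { cur = $2; next }   # version row marked as the installed version
    /^     [^ ]/    { cur = $1; next }   # any other version row
    /^        [0-9]+ / {                 # source row: "<prio> <url> <suite/component> ..."
      split($3, parts, "/")
      if (sv == "" && cur != "" && parts[1] == suite && (mirror == "" || index($2, mirror) > 0)) sv = cur
      next
    }
    END { flush() }
  '
}
# Live use (not executed here): every installed package through apt-cache policy.
# dpkg-query and apt-cache are assumed to be on PATH.
audit_installed() { dpkg-query -W -f='${Package}\n' | xargs apt-cache policy | audit_policy "$@"; }
# Constructed sample of apt-cache policy output for three hypothetical packages.
SAMPLE_POLICY=$(cat <<'EOF'
pkg-a:
  Installed: 1.0-1
  Version table:
 *** 1.0-1 500
        500 http://deb.debian.org/debian stable/main amd64 Packages
        100 /var/lib/dpkg/status
pkg-b:
  Installed: 2.1-1
  Version table:
 *** 2.1-1 100
        100 /var/lib/dpkg/status
     2.0-3 500
        500 http://deb.debian.org/debian stable/main amd64 Packages
pkg-c:
  Installed: 3.0-1
  Version table:
 *** 3.0-1 500
        500 http://mirror.example/thirdparty stable/main amd64 Packages
EOF
)
```

Run `printf '%s\n' "$SAMPLE_POLICY" | audit_policy stable deb.debian.org` to see the sample audited (pkg-a match, pkg-b mismatch, pkg-c absent), or `audit_installed stable deb.debian.org` on a real host; the suite/URL check is a cruder stand-in for aptitude's ?origin(Debian) test, which reads the Release file's Origin field.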