9

The command checkinstall has been recommended many times in this forum as a replacement for make install. However, when one goes to the official website, the "Recent news" section shows Dec 2016 as the most recent date.


Edit: I read the post Is there any checkinstall alternative?, and I cloned the git repository of checkinstall. As of April 2019, the git log command shows only around 1 commit per year in the last 3 years.

Q1: Is that amount of commits enough to maintain the package?
Q2: Why is checkinstall not on GitHub? On platforms like that one you would be able to see the last commits and latest releases without the need of cloning the entire repo onto your computer.

1 Answer

13

Why is checkinstall no longer being maintained?

You really should ask the creator but I can make an educated guess: It is considered a security hazard. And not just a small one.

Martin F. Krafft, author of "Debian system" (-> Amazon):

Checkinstall is limited in what it can do. To be precise, the packages it creates can only install files, and checkinstall does not care where it installs them. You can overwrite files in /home directories with checkinstall, among other things. The generated packages can not modify files. If the installation routine modifies existing files, they will be part of the generated package in their entirety.

A horror scenario occurs when an installation routine adds a user by modification of /etc/passwd, which is subsequently included in the package. Installation of the package causes /etc/passwd to be completely replaced, and the deinstallation of the package removes the file, breaking the system in half.

The generated packages also fail to register their configuration files with dpkg, therefore paving the way for upgrades that overwrite local configuration file changes.

In light of these problems, it is probably a good idea to avoid checkinstall but for the rarest cases.

Rinzwind
  • 309,379
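
The failure modes quoted in the answer can be checked before installing a generated package. The following is an added example, not part of the answer or of checkinstall: it audits the file list printed by `dpkg-deb --contents` together with the package's `conffiles` list. The `ACCOUNT_DBS` set, the finding labels and the sample listing (with the hypothetical names `exampled` and `alice`) are assumptions constructed for illustration.

```python
# Added example: audit the file list of a checkinstall-built .deb.
# Input is text in the format printed by `dpkg-deb --contents pkg.deb`,
# plus the conffiles list (`dpkg-deb --info pkg.deb conffiles`).

# Assumption: a small, non-exhaustive set of account databases.
ACCOUNT_DBS = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow"}
USER_DATA = ("/home/", "/root/")

def parse_contents(listing):
    """Return absolute paths of non-directory entries in the listing."""
    paths = []
    for line in listing.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or fields[0].startswith("d"):
            continue  # blank line or directory entry
        name = fields[5].split(" -> ")[0]  # drop a symlink target
        paths.append(name[1:] if name.startswith("./") else "/" + name)
    return paths

def audit(listing, conffiles=""):
    """Flag files that would replace system state or user data on install."""
    registered = {c.strip() for c in conffiles.splitlines() if c.strip()}
    findings = []
    for path in parse_contents(listing):
        if path in ACCOUNT_DBS:
            # Whole file shipped: replaced on install, deleted on removal.
            findings.append(("replaces-account-db", path))
        elif path.startswith(USER_DATA):
            findings.append(("writes-user-data", path))
        elif path.startswith("/etc/") and path not in registered:
            # Not a dpkg conffile: upgrades overwrite local changes.
            findings.append(("unregistered-conffile", path))
    return findings

# Constructed sample listing, not taken from a real package.
SAMPLE_LISTING = """\
drwxr-xr-x root/root         0 2019-04-01 12:00 ./
drwxr-xr-x root/root         0 2019-04-01 12:00 ./etc/
-rw-r--r-- root/root      1821 2019-04-01 12:00 ./etc/passwd
-rw-r--r-- root/root       312 2019-04-01 12:00 ./etc/exampled.conf
-rwxr-xr-x root/root     40960 2019-04-01 12:00 ./usr/local/bin/exampled
-rw-r--r-- root/root        58 2019-04-01 12:00 ./home/alice/.exampledrc
"""

if __name__ == "__main__":
    for kind, path in audit(SAMPLE_LISTING):
        print(f"{kind:24} {path}")
```

Any `replaces-account-db` or `writes-user-data` finding means the package should not be installed as built.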