Check for "genuine packages"

[widhalmt]

We could use a more thorough check of which packages were installed:

• Were the packages provided by the actual vendor (e.g. Icinga) or were they custom built by the user or someone else?
• Are these release packages or devel snapshots?

I know, that's not possible to determine on every platform but where we can, we should collect the information.

Background: At least once we took some time hunting down a bug only to realize that the user had built custom packages using wrong libraries. The tool worked more or less but had some issues that were directly linked to using the wrong libraries. Since this is all but common it took us quite a while to find out.

[lazyfrosch]

There is not really a good way to do it.

Apart from checksuming effective files on disk, we can not further audit the packages the software was installed from - it is usually only present on disk for a some time after installation.

We could add collect information about repositories, but this is not really a good indication for where the packages are from. Release packages are often not present in enterprise environment, so not helpful either.

[widhalmt]

We built a way for rpm into Icinga Diagnostics. https://github.com/Icinga/icinga2-diagnostics/blob/master/icinga-diagnostics.sh#L127

I'd be totally fine if we take what we can get and if a distribution lacks a way, then maybe just put out a hint telling us that there's no information about that available. But I don't want to miss an option just because one of the supported distributions is not capable of doing it.

I'm not so much interested in where the packages came from, more if they come from the original vendor. Given, that could mean we would have to provide a list of keys.

As functionality is to be split up between parts of support collector I don't think anymore, it's a good thing to have this within the collector part. But the collector should check whether the files belong to a package and if so, which key signed the package. If that information is available.

[lazyfrosch]

Very much possible to check the signature, but not really reliable and merely an indication in my eyes.

Also I don't think there is a way to implement a similar way for deb-based systems.