DevOps Box of Secrets

Joaquín Menchaca (智裕)

Feb 26, 2018·1 min read

There comes a time where you need open a Debian package, whether to verify the contents or to learn some of the secrets inside the box, such as install and config scripts, systems integration — such as init scripts: sysVinit, upstart, systemd, or general best practices.

Using Debian Package Utility

On a Debian or Ubuntu system this should be very easy using the dpkg utility. For example, with the Oracle WebUpdate team installer:

dpkg --extract oracle-java8-installer_8u161-1~webupd8~0_all.deb .

When Debian Package Utility

Unfortunately this doesn’t always work…

A Debian package is a GNU archive, and thus uses the ar tool. Inside are further compressed components, e.g. control and data. In the case of Oracle, they use tar-gzip. You unarchive everything using the following pattern:

mkdir -p output/data output/control && cd output
ar vx ../oracle-java8-installer_8u161-1~webupd8~0_all.deb
tar -xzvf data.tar.gz -C data
tar -xzvf control.tar.gz -C control
rm *.gz

File System Prerequisite

In case this is not obvious, this only works on a file system that supports symbolic links, or at least emulates symbolic links.

Thus, this will definitely not work on Linux guest on Windows host, where NTFS mounted as vboxsf file system under Virtualbox.