wpkg --audit | -C

Short Hand

wpkg -C

Options Comments
--admindir Define the administration directory, where the database of the installed packages resides.
--debug Define a set of flags of things to print out for debug purposes.
--instdir Define the installation directory, where the data files are installed on the target.
--quiet Not used.
--root Define the installation root path.
--verbose Prints out additional information in the output.

The --audit command goes through the complete list of all the packages installed on the specified target. For each package it tries to load the package and check the MD5 sum of every single installed (unpacked) file. Whenever anything fails it prints out an error describing the problem.

Invalid Package in the Target Database

The package is loaded from the database. If there is a problem loading the package then the audit command continues after it generated an error for that package. In most cases, such packages can only be fixed by deleting them from the database:

rm -rf <admindir>/var/lib/wpkg/<package-name>

Note: use that command at your own risk!

Invalid Status

The package generates errors if the status of that package is not considered valid. Any package that failed installation is generally marked as half-installed or half-configured and viewed as invalid by the audit command.

Fixing those packages is done by either removing them or re-installing them without the use of the --skip-same-version option.

MD5 Sum Check

The files MD5 sums are checked only if they were installed (unpacked). In other words, only if the package status is one of:

  • Unpacked
  • Installed
  • Half-Configured

The audit process goes through all the files present in the list of files of each package and reads their MD5 sum from the md5sums file. It then loads the files currently installed on disk and computes their MD5 sums. If their MD5 sums from the md5sums file do not match the MD5 computed from the files read on disk, then the audit process writes out an error about the file as it was modified on disk.

Note that configuration files are expected to be modified (those listed in the conffiles file found in the control tarball.) These files are silently ignored by default. When you use the --verbose command line option, the audit process writes one line about such files, but these are not considered errors.

Checking a Non-Installed Package

It is possible to check a package in a similar way when that package was not yet installed. This is done with the --verify command.

Checking a Project Directory

Before creating a source package it can be a good idea to run a check on your project directory. This is done with the --verify-project command. This ensures that all the expected files are available and thus increase your chances that the entire --build process will function as expected.


This process is NOT considered secure, as in, verifying that no one tempered with the installation unless you somehow manage the database in a such a way that users on the system cannot ever be modifying it. (i.e. otherwise the hackers could simply update the md5sums files with MD5 sums of their new files.) Later we may offer a way to check such md5sums over a network. although that too has its limits.