I am curious regarding how many packages existed on my system. Then I got to wondering how many are Google projects? How many are Apache projects? Are all packages fully installed?

§Get a list of packages into sqlite

First, one needs to create the sqlite3 file. The following bash script generates a .csv file with a header (that’s the echo command on the third line) and a dpkg-query incantation. Then the script prepares a sqlite file and imports the .csv as a SQLite table.

Yup, the .csv generation contains a minute hack. There are no restrictions on where commas may appear in most of these fields printed out using dpkg-query. However, by convention & in practice, I didn’t find any commas. But, you have been warned™.

tempfile=$(mktemp -t debianpackagecsv.XXXXXXXXXXXXX)
{
    echo 'Package,Version,Architecture,Homepage,Status'
    dpkg-query -W -f '"${Package}","${Version}","${Architecture}","${Homepage}","${Status}"\n'
} > "$tempfile"
sqlite3 packages.sqlite3 <<EOF
DROP TABLE IF EXISTS packages;
.mode csv
.import ${tempfile} packages
EOF
rm "$tempfile"
sqlite3 packages.sqlite3 'SELECT COUNT(*) FROM packages'
6143

As of my typing this text on my daily driver, this computer has 6182 packages installed. If the above number does not match 6182, it is probably due to installing more bloat, er, I mean, packages.

§All fully installed packages (no config files)

Okay, now are all packages fully installed? This is Debian funny business.

sqlite3 packages.sqlite3 '
SELECT COUNT(*)
FROM packages
WHERE Status = "install ok installed"'
6034

Nope. The numbers don’t match. Something to look into, perhaps for another post.

If it ain’t broke, don’t fix it.

Or that’s what I like to remind myself when the personal computer tries to siphon off my time.

§Google installed packages

Now let’s see how many packages are installed with Google in the Homepage?

sqlite3 packages.sqlite3 '
SELECT Package,Architecture,Homepage
FROM packages
WHERE Status = "install ok installed" AND Homepage LIKE "%google%";'
aidl amd64 https://android.googlesource.com/platform/system/tools/aidl
android-libboringssl amd64 https://android.googlesource.com/platform/external/boringssl
dmtracedump amd64 https://android.googlesource.com/platform/art
fonts-croscore all https://www.google.com/get/noto/
fonts-crosextra-carlito all https://github.com/googlefonts/carlito
fonts-droid-fallback all https://android.googlesource.com/platform/frameworks/base/
fonts-noto all https://www.google.com/get/noto/
fonts-noto-color-emoji all https://fonts.google.com/noto/specimen/Noto+Color+Emoji
fonts-noto-core all https://www.google.com/get/noto/
fonts-noto-extra all https://www.google.com/get/noto/
fonts-noto-mono all https://www.google.com/get/noto/
fonts-noto-ui-core all https://www.google.com/get/noto/
fonts-noto-ui-extra all https://www.google.com/get/noto/
fonts-noto-unhinted all https://www.google.com/get/noto/
fonts-quicksand all https://fonts.google.com/specimen/Quicksand
fonts-roboto all https://github.com/google/roboto
fonts-roboto-slab all https://fonts.google.com/specimen/Roboto+Slab
fonts-roboto-unhinted all https://github.com/google/roboto
googletest all https://github.com/google/googletest
libaom3 amd64 https://aomedia.googlesource.com/aom/
libaom3 i386 https://aomedia.googlesource.com/aom/
libbrotli-dev amd64 https://github.com/google/brotli
libbrotli1 amd64 https://github.com/google/brotli
libbrotli1 i386 https://github.com/google/brotli
libcap-dev amd64 https://sites.google.com/site/fullycapable/
libcap2 amd64 https://sites.google.com/site/fullycapable/
libcap2 i386 https://sites.google.com/site/fullycapable/
libcap2-bin amd64 https://sites.google.com/site/fullycapable/
libdouble-conversion3 amd64 https://github.com/google/double-conversion
liberror-prone-java all https://github.com/google/error-prone
libgav1-1 amd64 https://chromium.googlesource.com/codecs/libgav1/
libgav1-1 i386 https://chromium.googlesource.com/codecs/libgav1/
libgoogle-gson-java all https://github.com/google/gson
libgtest-dev amd64 https://github.com/google/googletest
libguava-java all https://github.com/google/guava
libguice-java all https://github.com/google/guice
libhwy1t64 amd64 https://github.com/google/highway
libhwy1t64 i386 https://github.com/google/highway
libjarjar-java all http://code.google.com/p/jarjar/
libjs-prettify all https://github.com/google/code-prettify/
libjsr305-java all http://code.google.com/p/jsr-305/
liblc3-1 amd64 https://github.com/google/liblc3
libldacbt-abr2 amd64 https://android.googlesource.com/platform/external/libldac
libldacbt-enc2 amd64 https://android.googlesource.com/platform/external/libldac
libphonenumber8 amd64 https://github.com/googlei18n/libphonenumber/
libprotobuf-lite32t64 amd64 https://github.com/google/protobuf/
libprotobuf32t64 amd64 https://github.com/google/protobuf/
libprotoc32t64 amd64 https://github.com/google/protobuf/
libre2-11 amd64 https://github.com/google/re2
libsharpyuv-dev amd64 https://developers.google.com/speed/webp/
libsharpyuv0 amd64 https://developers.google.com/speed/webp/
libsharpyuv0 i386 https://developers.google.com/speed/webp/
libsnappy1v5 amd64 https://google.github.io/snappy/
libsnappy1v5 i386 https://google.github.io/snappy/
libwebp-dev amd64 https://developers.google.com/speed/webp/
libwebp7 amd64 https://developers.google.com/speed/webp/
libwebp7 i386 https://developers.google.com/speed/webp/
libwebpdecoder3 amd64 https://developers.google.com/speed/webp/
libwebpdemux2 amd64 https://developers.google.com/speed/webp/
libwebpmux3 amd64 https://developers.google.com/speed/webp/
libwebpmux3 i386 https://developers.google.com/speed/webp/
libwoff1 amd64 https://github.com/google/woff2
libxnnpack0.20241108 amd64 https://github.com/google/XNNPACK
libyuv0 amd64 https://chromium.googlesource.com/libyuv/libyuv/
libyuv0 i386 https://chromium.googlesource.com/libyuv/libyuv/
libzopfli1 amd64 https://github.com/google/zopfli
python3-brotli amd64 https://github.com/google/brotli
python3-protobuf amd64 https://github.com/google/protobuf/
zipalign amd64 https://android.googlesource.com/platform/build

Whew! Thanks for scrolling. 69 packages. I didn’t know about zopfli. Apparently zopfli is a C library for compressing data using DEFLATE, gzip, and zlib compression formats. Moreover, zopfli is designed to generate the most compressed DEFLATE, gzip, zlib data. Meaning it’s slow to run but the storage sizes of the compressed data are less than other existing libraries.

Sidenote, apparently libarchive exists on a LOT of computers. Most infosec fans would agree that zlib is already a great supply chain attack vector if only for the sheer number of developers deploying zlib. Libarchive is getting up there! Libarchive ships on modern Windows and macOS. File interchange formats are hard to get right. Could libarchive be ripe for security research?

§Apache packages

Similar invocation to the Google query. This time filter on Homepages with “Apache” in their text.

ant all http://ant.apache.org
ant-optional all http://ant.apache.org
apache2 amd64 https://httpd.apache.org/
apache2-bin amd64 https://httpd.apache.org/
apache2-data all https://httpd.apache.org/
apache2-doc all https://httpd.apache.org/
apache2-utils amd64 https://httpd.apache.org/
ivy all https://ant.apache.org/ivy/
libapache-pom-java all http://maven.apache.org/pom/asf/
libapr1t64 amd64 https://apr.apache.org/
libaprutil1-dbd-sqlite3 amd64 https://apr.apache.org/
libaprutil1-ldap amd64 https://apr.apache.org/
libaprutil1t64 amd64 https://apr.apache.org/
libbcel-java all http://commons.apache.org/bcel/
libbsf-java all http://commons.apache.org/bsf
libcommons-cli-java all http://commons.apache.org/cli/
libcommons-codec-java all http://commons.apache.org/codec/
libcommons-collections3-java all https://commons.apache.org/collections/
libcommons-compress-java all https://commons.apache.org/proper/commons-compress/
libcommons-io-java all https://commons.apache.org/proper/commons-io/
libcommons-lang-java all http://commons.apache.org/lang/
libcommons-lang3-java all https://commons.apache.org/lang/
libcommons-logging-java all https://commons.apache.org/proper/commons-logging/
libcommons-parent-java all https://commons.apache.org
libcommons-text-java all https://github.com/apache/commons-text
libfelix-framework-java all https://felix.apache.org/
libfelix-gogo-runtime-java all https://felix.apache.org/documentation/subprojects/apache-felix-gogo.html
libfelix-osgi-obr-java all http://felix.apache.org/site/apache-felix-osgi-bundle-repository.html
libfelix-resolver-java all https://felix.apache.org
libfontbox-java all https://pdfbox.apache.org
libgeronimo-annotation-1.3-spec-java all http://geronimo.apache.org
libgeronimo-interceptor-3.0-spec-java all https://geronimo.apache.org
libhttpclient-java all http://hc.apache.org/httpcomponents-client-ga/index.html
libhttpcore-java all http://hc.apache.org/httpcomponents-core-ga/index.html
liblog4j2-java all https://logging.apache.org/log4j/2.x/
libmaven-archiver-java all http://maven.apache.org/shared/maven-archiver/
libmaven-file-management-java all https://maven.apache.org/shared/file-management/
libmaven-jar-plugin-java all http://maven.apache.org/plugins/maven-jar-plugin/
libmaven-parent-java all http://maven.apache.org/
libmaven-resolver-java all https://maven.apache.org/resolver/index.html
libmaven-shared-io-java all http://maven.apache.org/shared/maven-shared-io/
libmaven-shared-utils-java all http://maven.apache.org/shared/maven-shared-utils/
libmaven3-core-java all http://maven.apache.org
libpdfbox-java all https://pdfbox.apache.org
libwagon-file-java all http://maven.apache.org/wagon/
libwagon-http-java all http://maven.apache.org/wagon/
libwagon-provider-api-java all http://maven.apache.org/wagon/
libxbean-reflect-java all http://geronimo.apache.org/xbean/
libxerces-c3.2t64 amd64 https://xerces.apache.org/xerces-c/
libxerces2-java all http://xerces.apache.org/xerces2-j/
libxml-commons-external-java all https://xerces.apache.org/xml-commons/
libxml-commons-resolver1.1-java all http://xml.apache.org/commons/

Yup 128 packages. Thanks for scrolling!

I hadn’t heard of ivy before. Upon a cursory flick through ivy’s homepage, it purportedly is the dependency resolver used in Apache Ant. Ant is a build tool not dissimilar to make in that it streamlines taking files and transforming the said files into derived data. One common example: a dependency manager can be employed to track dependencies when compiling a program from source code.

§Something to try?

Something to try, for the curious: basic package stats — how many packages do you have installed? More pressingly, consider a stroll through the installed package list. Research a few unfamiliar packages. Do this a lot and you’ll understand virtually every individual software package on your computer.