Thanks to the addition of the chisel manifest, we can now use `chisel` to perform multiple subsequent installations of slices on the same rootfs. Until the chisel manifest is more widely adopted by vulnerability scanning tools, we need to maintain the dpkg cache file so that scanners don't report false negatives.

When using `chisel-wrapper` to perform a second `cut` on the same rootfs, when targeting the same dpkg status file, it will overwrite the existing status file rather than append or merge changes from newly installed packages.

Example:

```dockerfile
RUN chisel-wrapper --generate-dpkg-status /rootfs/var/lib/dpkg/status -- \
    --release ubuntu-24.04 --root /rootfs/ \
    <package>_<slice>
```
As a workaround, you can generate a new status file and append it to the old file, as described in rockcrafters/dotnet#21 (comment):
```dockerfile
RUN chisel-wrapper --generate-dpkg-status /new-dpkg-status -- \
    --release ubuntu-24.04 --root /rootfs/ \
    <package>_<slice> \
    && cat /new-dpkg-status >> /rootfs/var/lib/dpkg/status
```
However, the chisel-wrapper tool should automatically handle cleanly merging the two status files when it is asked to generate a dpkg status file where one already exists.
Related: `--root` and install only what's missing chisel#10
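A sketch of the stanza-level merge the issue asks for, added here as an illustration and not taken from `chisel-wrapper` or from the issue author. The function name `merge_dpkg_status` and the sample packages are assumptions. It keys each stanza on its `Package:` field so a package present in both files appears once (the newer stanza wins), and it tolerates an old file that does not end in a blank line.

```shell
#!/bin/sh
# Added example: merge two dpkg status files stanza by stanza.
# merge_dpkg_status OLD NEW  -> merged status on stdout (hypothetical helper).
merge_dpkg_status() {
    # Force a blank line between the files so the last stanza of OLD and the
    # first stanza of NEW can never run together.
    { cat "$1"; printf '\n\n'; cat "$2"; } | awk '
        # RS="" is paragraph mode: one record per blank-line-separated stanza.
        BEGIN { RS = ""; FS = "\n" }
        {
            key = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package:/) {
                    key = $i
                    sub(/^Package:[ \t]*/, "", key)
                    sub(/[ \t]+$/, "", key)
                    break
                }
            }
            if (key == "") next                      # no Package field: skip
            if (!(key in stanza)) order[++n] = key   # keep first-seen order
            stanza[key] = $0                         # later stanza replaces earlier
        }
        END {
            for (j = 1; j <= n; j++) printf "%s\n\n", stanza[order[j]]
        }
    '
}

demo() {
    d=$(mktemp -d)
    # Constructed sample data, not real package metadata.
    printf 'Package: pkg-a\nStatus: install ok installed\nVersion: 1.0-1\n\nPackage: pkg-b\nStatus: install ok installed\nVersion: 1.0-1\n' > "$d/old"
    printf 'Package: pkg-a\nStatus: install ok installed\nVersion: 1.0-2\n\nPackage: pkg-c\nStatus: install ok installed\nVersion: 1.0-1\n' > "$d/new"
    merge_dpkg_status "$d/old" "$d/new"
    rm -rf "$d"
}
demo
```

In the workaround above, this would take the place of the `cat ... >>` step, with the output written to a temporary file and then moved over `/rootfs/var/lib/dpkg/status`.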