Hi! We got a request to add audit support to dpkg [R], and as initially mentioned on the bug report it seems the AUDIT_SOFTWARE_UPDATE format does not appear to be documented, so while looking into all this, got several questions. [R] <https://bugs.debian.org/931748> >From the rpm implementation and auparse/normalize.c I gather that it would contain the following fields, applied to dpkg: * primary field would be "sw" which would contain something like «"nginx_1.18.0-5_amd64"», I assume that the format differing from the one in rpm is fine as that would be keyed on the next field? * secondary field would be "sw_type" which would be «dpkg». * field "op", which would contain entries different to rpm, such as «unpack», «configure», «install», «remove», «purge», not sure if that might be a problem? * field "key_enforce", I take to denote whether a cryptographic verification has been performed on the .deb archive? With values «0» or «1». (This would depend on whether debsig-verify(1) has been configured to be executed or not.) * field "gpg_res", to denote whether the aforementioned verification succeeded or not? With values «0» or «1». And while dpkg can indeed use GnuPG to verify signatures from archives, the name feels too implementation specific, perhaps it could be renamed so that it would not be very confusing, in case someone implements a check based on say x509 certificates? * field "root_dir", to denote the installation root directory, which would map to dpkg --instdir value, with a value such as «"/"». Anything else I might have missed or might be worth taking into account while adding the support?

Guillem