[Rpm-maint] Feature request: Improved speed for 'rpm -qa'
James Olin Oden
james.oden at gmail.com
Wed Dec 20 16:41:59 UTC 2006
On 12/20/06, Bill Nottingham <notting at redhat.com> wrote:
> James Olin Oden (james.oden at gmail.com) said:
> > You can control access with SE Linux all you want but there is no way
> > for me to tell that someone installed a rogue package without checking
> > digests at some point (maybe they were in a hurry) and that now I'm
> > looking at information from that rogue package's header without checking
> > digests on query.
>
> You also don't know if they wrote over the binaries on the filesystem,
> etc. I'm just of the opinion that the database is the wrong place
> to be enforcing these checks, but, to each their own.
>
I don't have a strong opinion here, especially since I am only
security mindful and certainly not an expert/wearer of the black
robes. The main thing I wanted everybody to consider is that some
RedHat customer or set of customers likely requested this
functionality, and they likely thought through the request very well.
Honestly, when I first ran into this (back in RedHat 9 days) it was
somewhat annoying, and I did not understand it. Now I understand more
why one might want to do this, but I certainly have never considered
all the implications. I suspect though that someone has.
As it is, it's completely configurable by setting the macro
_vsflags_query to 0x00f00. This turns off the db header digest checks
system-wide if it's changed in /etc/rpm/macros. Searching for it
in /var/lib/rpm/macros will deliver some level of documentation (à la
comments).
Obviously that's not non-programmer configuration, but it's easy
enough to do. Again it could certainly be made easier...james