[Rpm-maint] [PATCH 07/19] Add rpmpols struct plus some helper functions
Steve Lawrence
slawrence at tresys.com
Fri Feb 12 20:23:08 UTC 2010
On Fri, 2010-02-05 at 12:26 -0500, James Antill wrote:
> On Tue, 2010-02-02 at 15:25 -0500, Steve Lawrence wrote:
>
> > rpmpolsSaveStave
> > Save the policies changes to the rpm database. Due to security reasons,
> > policy is not removed when the package that installed it is removed. Because
> > of this, we need a way to keep track of which policies have been installed
> > and their properties. To accomplish this, we create pseudo packages
> > (akin to gpg-pubkey) containing the necessary information and update the
> > rpm database.
>
> Yeh, this is a really bad idea IMO. Esp. given how/when you are
> creating the packages.
> If you are going to use rpm headers, use them and make them go away on
> package removal
We can't remove the pseudo packages on package removal. These pseudo
packages contain information about the policy modules installed on the
system. We can't automatically remove policy modules when the packages
they came from are removed because of potential security risks. Since
we can't remove the policies, we can't remove the pseudo packages.
> if you want packages specific for policy, create
> those at build time (and maybe use requires to help them not go away).
We don't want packages specific for policy (we'll respond to that in
another email). We are only using the pseudo packages because we need a
way save policy information beyond the life of real packages. I'm all
for using another method of storing this information if this is
considered polluting the rpm database, but rpm doesn't seem to have
anything else available that has the ease of updating/querying, and
adding a new storage mechanism just for policy seems like unnecessary
bloat.
More information about the Rpm-maint
mailing list