[Rpm-maint] [rpm-software-management/rpm] Also apply signatures to config files (#374)

Jeff Johnson notifications at github.com
Sat Feb 10 02:42:39 UTC 2018


One might well ask: Why sign any "mutable" file?

The (rather inchoate) answer supplied in the original RFE for signing %config files is (iiuc) 1) so that IMA policy can be written against %config files and 2) so that %config files in a package will have an IMA signature in an xattr.

The same reasoning applies to %ghost files which are "owned" (with usual perms/uid/gid metadata) by a package. The content of %ghost files is usually generated in %buildroot using touch(1), so the appropriate signature for %ghost files would be a signature on an empty (but "mutable") file.

The main reason for treating %ghost like empty %config files is to remove special cases peculiar to rpm packaging that show up later as RFEs.



-- 
https://github.com/rpm-software-management/rpm/pull/374#issuecomment-364620067