[Rpm-maint] [rpm-software-management/rpm] Also apply signatures to config files (#374)
Jeff Johnson
notifications at github.com
Sun Feb 11 16:40:35 UTC 2018
Perhaps an example will illustrate ...
rpm already has a per-transaction option --replacefiles that ignores the additional mechanisms (I.e. renaming) used for %config file installation.
What rpm lacks is an ability to apply --replacefiles to only some of the %config files in the packages being installed in a single transaction. One possible implementation would permit masking off the %config bit for individual files when accessing the value, based on whatever logic one chooses to implement.
Applying ima signatures to %config files (or not) is essentially the same problem as --replacefiles with the further complexity that there is a loadable module.
Regex's are certainly powerful, but the file name path is the obvious choice for selection and globs are sufficient to match paths, at least until one wants negated matches (like grep -v) which globs cannot express.
What needs to be changed in the patch is left to maintainers, and a full blown path matching configuration is likely overkill for the specific proposal here.
Personally, I believe that adding an incomplete opt-in mechanism that will generate false positives on mutable %config/%ghost files is foolish.
Instead, disable %config (and %ghost) in packaging and metadata, either by policy, configuration, or masking, because those rpm "features" were not designed to interact well with a ima signature integrity framework.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/374#issuecomment-364765483
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20180211/da330d32/attachment.html>
More information about the Rpm-maint
mailing list