On Fri, Jan 22, 2010 at 03:06:24PM -0500, Peter Jones wrote:
Well, the standard IIRC does want them to be separate, though again it's important to realize that this check isn't meant to protect against an attack, but rather to check against erroneous corruption of the binary. It seems unlikely that such corruption would change the checksum to match the errors ;)
The separate /lib directory tree seems the way to go, to me. That way the checksum files could be named the same as what they check, no magic needed.
teach fipscheck to ask rpmlib ? rpm -V. We already have this method.