Hello,
I have 2 bugzillas asking for %verify to be added to %config files. I am wondering if this is a good idea at all. The issue is that if you wanted to verify whether or not config files have changed, then this causes you to lose that ability. Adding --noscript to the verify command does not make rpm suddenly report the issues it was hiding. Does this mean that rpm is not working right? Or does this mean that we cannot use rpm for integrity checking for any package that has %verify attributes for config files?
Thanks, -Steve
PS - Anyone wanting to experiment can use the setup package and change the /etc/hosts file to verify what I am saying.
Steve Grubb (sgrubb@redhat.com) said:
> I have 2 bugzillas asking for %verify to be added to %config files. I am wondering if this is a good idea at all. The issue is that if you wanted to verify whether or not config files have changed, then this causes you to lose that ability. Adding --noscript to the verify command does not make rpm suddenly report the issues it was hiding. Does this mean that rpm is not working right? Or does this mean that we cannot use rpm for integrity checking for any package that has %verify attributes for config files?
%verify is for turning off specific verification checks for files we *know* are going to change from what's in the RPM package/db. /etc/passwd is an obvious example; users will be added there, and the fact that the passwd file does not match the packaged version is not a verification issue.
Bill
On Thursday 05 November 2009 10:27:30 am Bill Nottingham wrote:
> Steve Grubb (sgrubb@redhat.com) said:
> > I have 2 bugzillas asking for %verify to be added to %config files. I am wondering if this is a good idea at all. The issue is that if you wanted to verify whether or not config files have changed, then this causes you to lose that ability. Adding --noscript to the verify command does not make rpm suddenly report the issues it was hiding. Does this mean that rpm is not working right? Or does this mean that we cannot use rpm for integrity checking for any package that has %verify attributes for config files?
> %verify is for turning off specific verification checks for files we *know* are going to change from what's in the RPM package/db. /etc/passwd is an obvious example; users will be added there, and the fact that the passwd file does not match the packaged version is not a verification issue.
And there is no way to ask rpm to tell us what is different even if we wanted that?
-Steve
On Thu, Nov 05, 2009 at 10:43:58AM -0500, Steve Grubb wrote:
> On Thursday 05 November 2009 10:27:30 am Bill Nottingham wrote:
> > Steve Grubb (sgrubb@redhat.com) said:
> > > I have 2 bugzillas asking for %verify to be added to %config files. I am wondering if this is a good idea at all. The issue is that if you wanted to verify whether or not config files have changed, then this causes you to lose that ability. Adding --noscript to the verify command does not make rpm suddenly report the issues it was hiding. Does this mean that rpm is not working right? Or does this mean that we cannot use rpm for integrity checking for any package that has %verify attributes for config files?
> > %verify is for turning off specific verification checks for files we *know* are going to change from what's in the RPM package/db. /etc/passwd is an obvious example; users will be added there, and the fact that the passwd file does not match the packaged version is not a verification issue.
> And there is no way to ask rpm to tell us what is different even if we wanted that?
Correct -- rpm records checksums of files, not the file's contents.
-Toshio
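Added example, not from the thread and not rpm's own code, illustrating both Bill's point (a %verify attribute such as `%verify(not md5 size mtime) %config(noreplace) /etc/passwd` tells `rpm -V` to skip those checks for that file, so edits to it are never reported) and Toshio's (the rpmdb holds only per-file digests, so rpm can say *that* a file differs, never *what* differs). The digests are still queryable with `rpm -q --queryformat '[%{FILENAMES} %{FILEDIGESTS}\n]' setup`, and an integrity checker that reads them directly, rather than going through `rpm -V`, is not affected by %verify flags. The script below parses that two-column output format and recomputes the digests itself; the package contents, file paths and the tampering are constructed for the demo, and the digest algorithm is inferred from the hex length (32 = md5 on older rpm, 64 = sha256 on rpm 4.6 and later), which is an assumption the real FILEDIGESTALGO tag would settle.

```python
import hashlib
import os
import tempfile

# Constructed sample: file contents as shipped in an imaginary setup-like
# package. rpm does not keep these bytes in the rpmdb, only their digests.
PACKAGED_FILES = {
    "etc/hosts": b"127.0.0.1   localhost localhost.localdomain\n",
    "etc/issue": b"Kernel \\r on an \\m\n",
    "etc/motd": b"",
}

# Hex digest length -> algorithm. Assumption for the demo; the rpmdb's
# FILEDIGESTALGO tag is the authoritative answer on a real system.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


def rpm_digest(data, algo="sha256"):
    """Digest in the form rpm stores it in FILEDIGESTS (hex, lower case)."""
    return hashlib.new(algo, data).hexdigest()


def build_dump(packaged, algo="sha256"):
    """Constructed stand-in for the output of
        rpm -q --queryformat '[%{FILENAMES} %{FILEDIGESTS}\\n]' <pkg>
    one line per file: absolute path, a space, the stored hex digest."""
    return "".join(f"/{path} {rpm_digest(data, algo)}\n" for path, data in packaged.items())


def parse_dump(text):
    """Map path -> stored digest. rpartition tolerates spaces inside the path;
    an empty digest (directory, symlink, %ghost) means rpm has nothing to check."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            path, _, digest = line.rpartition(" ")
            entries[path] = digest
    return entries


def check_digests(dump_text, root="/"):
    """Return {path: reason} for every packaged file whose on-disk content no
    longer matches the stored digest. Unlike `rpm -V`, this consults no
    %verify flags: every file with a stored digest is checked."""
    problems = {}
    for path, digest in parse_dump(dump_text).items():
        if not digest:
            continue
        algo = DIGEST_ALGOS.get(len(digest))
        if algo is None:
            problems[path] = f"unknown digest length {len(digest)}"
            continue
        ondisk = os.path.join(root, path.lstrip("/"))
        try:
            with open(ondisk, "rb") as fh:
                actual = hashlib.new(algo, fh.read()).hexdigest()
        except FileNotFoundError:
            problems[path] = "missing"
            continue
        if actual != digest:
            problems[path] = "digest mismatch"
    return problems


def run_demo():
    """Install the constructed files into a scratch root, record their digests
    (what the rpmdb would hold), then append a line to etc/hosts and delete
    etc/motd, the kind of change `rpm -V` hides behind %verify(not md5 ...)."""
    root = tempfile.mkdtemp(prefix="rpmdigest-")
    for path, data in PACKAGED_FILES.items():
        full = os.path.join(root, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    dump = build_dump(PACKAGED_FILES)
    with open(os.path.join(root, "etc/hosts"), "ab") as fh:
        fh.write(b"10.0.0.5   evil.example.com\n")  # constructed local edit
    os.unlink(os.path.join(root, "etc/motd"))
    return check_digests(dump, root)


if __name__ == "__main__":
    for path, reason in sorted(run_demo().items()):
        print(f"{path}: {reason}")
```

On a real host, replace `build_dump(...)` with the captured output of the `rpm -q --queryformat` command above and call `check_digests(dump)` against `/`. The result tells you which packaged files changed; to see what changed you still need the original bytes, which means extracting them from the package file (for example with `rpm2cpio`) and diffing, because, as Toshio says, the rpmdb only has the checksums.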