[Secure Coding] master: Packaging: Adjust RPM flags of key-related files (f5803d1)

fweimer at fedoraproject.org fweimer at fedoraproject.org
Fri Jun 6 14:42:23 UTC 2014


Repository : http://git.fedorahosted.org/git/?p=secure-coding.git

On branch  : master

>---------------------------------------------------------------

commit f5803d1403f9adf1cb54dd5ab93bb649d5e07c88
Author: Florian Weimer <fweimer at redhat.com>
Date:   Fri Jun 6 13:32:50 2014 +0200

    Packaging: Adjust RPM flags of key-related files


>---------------------------------------------------------------

 defensive-coding/en-US/Tasks-Packaging.xml |   17 +++++++++++++----
 1 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/defensive-coding/en-US/Tasks-Packaging.xml b/defensive-coding/en-US/Tasks-Packaging.xml
index 5562f45..3e3feab 100644
--- a/defensive-coding/en-US/Tasks-Packaging.xml
+++ b/defensive-coding/en-US/Tasks-Packaging.xml
@@ -86,11 +86,20 @@ fi
 
 %files
 %dir %attr(0755,%{tlsuser},%{tlsuser]) %{tlsdir}
-%ghost %attr(0600,%{tlsuser},%{tlsuser}) %{tlskey}
-%ghost %attr(0644,%{tlsuser},%{tlsuser}) %{tlscert}
+%ghost %attr(0600,%{tlsuser},%{tlsuser}) %config(noreplace) %{tlskey}
+%ghost %attr(0644,%{tlsuser},%{tlsuser}) %config(noreplace) %{tlscert}
       </programlisting>
     </example>
     <para>
+      The files containing the key material are marked as ghost
+      configuration files.  This ensures that they are tracked in the
+      RPM database as associated with the package, but RPM will not
+      create them when the package is installed and not verify their
+      contents (the <literal>%ghost</literal>), or delete the files
+      when the package is uninstalled (the
+      <literal>%config(noreplace)</literal> part).
+    </para>
+    <para>
       If the <emphasis>directory</emphasis>
       <literal>%{tlsdir}</literal> <emphasis>is owned by</emphasis>
       <literal>root</literal>, use the code in <xref
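Review bot: The added paragraph's sentence "RPM will not create them when the package is installed and not verify their contents (the <literal>%ghost</literal>), or delete the files when the package is uninstalled" is hard to parse, and the first parenthetical lacks the word "part" that the second one has. Suggest splitting it into two sentences, one for what <literal>%ghost</literal> does and one for what <literal>%config(noreplace)</literal> does, so each behaviour is clearly tied to its flag. Separately, the unchanged context line at the top of this hunk, "%dir %attr(0755,%{tlsuser},%{tlsuser]) %{tlsdir}", closes the second macro with "]" instead of "}". Since this commit already touches the example, it would be worth fixing here so that readers who copy the spec fragment get a valid %attr.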
@@ -114,8 +123,8 @@ fi
 
 %files
 %dir %attr(0755,root,root]) %{tlsdir}
-%ghost %attr(0600,%{tlsuser},%{tlsuser}) %{tlskey}
-%ghost %attr(0644,root,root) %{tlscert}
+%ghost %attr(0600,%{tlsuser},%{tlsuser}) %config(noreplace) %{tlskey}
+%ghost %attr(0644,root,root) %config(noreplace) %{tlscert}
       </programlisting>
     </example>
     <para>
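Review bot: The context line directly above the changed lines, "%dir %attr(0755,root,root]) %{tlsdir}", has a stray "]" before the closing parenthesis, so the example as printed is not a well-formed %attr. Suggest correcting it to "%attr(0755,root,root)" in this commit, since the two %ghost lines below it are being edited anyway. Also note that this second example gets the new %config(noreplace) flag without any accompanying text in this hunk. The explanation added after the first example is the only place the flags are described, so a short back-reference here would help readers who jump straight to the root-owned variant.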


