| 1 |
>The first approach (new tripwire-<package>) ebuilds could be done without |
| 2 |
>directly involving the package maintainer, but as you point out, would |
| 3 |
>increase the number of ebuilds. I doubt we'd get to the stage of |
| 4 |
>duplicating every package in portage however - that's a major job ;-) |
| 5 |
> |
| 6 |
>The second approach would be, where each package is 'tripwire aware' is |
| 7 |
>definitely the cleanest solution, but requires input from package |
| 8 |
>maintainers. |
| 9 |
> |
| 10 |
>A third possible solution would be to develop a standalone package which |
| 11 |
>contains <package> -> policy mappings for many packages. It could |
| 12 |
>perhaps, scan the emerge log or /var/db/pkg and create conf.d/ entries |
| 13 |
>accordingly. |
| 14 |
|
| 15 |
I think all three approaches are too much work for a very small |
| 16 |
improvement in results. You can use Tripwire with global categories like |
| 17 |
"userland binaries", "configuration files", etc... with good results (I |
| 18 |
do). Per-package configuration seems overkill to me. |
| 19 |
|
| 20 |
Also note that the first two solutions are not realistic : even if it |
| 21 |
was very interesting to do so, I don't see anyone approve changing all |
| 22 |
ebuilds (or doubling all ebuilds) just to make one package work better. |
| 23 |
Better start your own tripwire-aware distribution... |
| 24 |
|
| 25 |
That said, the third approach is possible : it's a lot of work, but at |
| 26 |
least it does not require infrastructure or global ebuild changes ;) |
| 27 |
|
| 28 |
-K |
| 29 |
|
| 30 |
-- |
| 31 |
gentoo-security@g.o mailing list |
Archives