1 |
>The first approach (new tripwire-<package>) ebuilds could be done without |
2 |
>directly involving the package maintainer, but as you point out, would |
3 |
>increase the number of ebuilds. I doubt we'd get to the stage of |
4 |
>duplicating every package in portage however - that's a major job ;-) |
5 |
> |
6 |
>The second approach would be, where each package is 'tripwire aware' is |
7 |
>definitely the cleanest solution, but requires input from package |
8 |
>maintainers. |
9 |
> |
10 |
>A third possible solution would be to develop a standalone package which |
11 |
>contains <package> -> policy mappings for many packages. It could |
12 |
>perhaps, scan the emerge log or /var/db/pkg and create conf.d/ entries |
13 |
>accordingly. |
14 |
|
15 |
I think all three approaches are too much work for a very small |
16 |
improvement in results. You can use Tripwire with global categories like |
17 |
"userland binaries", "configuration files", etc... with good results (I |
18 |
do). Per-package configuration seems overkill to me. |
19 |
|
20 |
Also note that the first two solutions are not realistic : even if it |
21 |
was very interesting to do so, I don't see anyone approve changing all |
22 |
ebuilds (or doubling all ebuilds) just to make one package work better. |
23 |
Better start your own tripwire-aware distribution... |
24 |
|
25 |
That said, the third approach is possible : it's a lot of work, but at |
26 |
least it does not require infrastructure or global ebuild changes ;) |
27 |
|
28 |
-K |
29 |
|
30 |
-- |
31 |
gentoo-security@g.o mailing list |