[Pkg-aide-maintainers] Bug#542621: aide: new feature: ignore files changed by system updates

Hannes von Haugwitz hannes at vonhaugwitz.com
Sun Aug 30 19:42:56 UTC 2009


Marc Haber <mh+debian-packages at zugschlus.de> wrote:
> On a second and third thought, why don't you implement this in a
> dedicated binary so that a normal update round can be like
> 
>   - update system
>   - run aide --update
>   - filter output through new program to see only changes that didn't
>     come from a package
>   - decide whether to cp aide.db.new to aide.db
> 
> That way, the complicated stuff can be implemented, for example, in
> perl, since it is not mandatory.

That would be an option. But I think the filter should also work for
single package installations via aptitude install or dpkg -i. So how to
implement that in an automatic way?

> Very nice. Please consider implementing this as a patch to the actual
> aide binary which can be submitted upstream. This may be a feature to
> be of big use outside Debian..

I can do that, but as far as I can judge the truncation of the "Detailed
changes" part has to be done further on in the cron job script.

> Not that I know of. This might be worthwhile to implement upstream as
> well.
> 

see below

> If I can choose, it would be a language that doesn't need a run-time
> environment or an interpreter on the target system. aide may be used
> on systems that need to be small, thus perl, python, ruby, java and
> other interpreted or bytecode languages are ruled out. The more I
> think about this, the more I get convinced that shell is just right
> for the cron job which is mandatory on all systems. For more complex
> systems, "plug-ins" to the cron job could be in other languages,
> provided that the cron job basically continues to work without these
> plug-ins.

Besides your option above, I think we have two more options to handle
package changes:

On the one hand we could filter the aide log by adding a plug-in system
to the cron job and writing a filter program which filters the new and
changed files related to package changes.

On the other hand we could modify the aide database before and after
every package change. Thereby it would be possible to also filter
removed files. This requires a new option to the aide binary which
allows partially updating the aide database from a list of files and
a way to run a program before and after every dpkg run. Is that possible?

regards,

Hannes
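As an added illustration (not code from the aide package, from Debian, or from anyone in this thread), here is a minimal version of the "filter program" step Marc sketches above and Hannes's first option: read an aide report, drop added/changed files that a dpkg package owns and whose on-disk content still matches the checksum dpkg recorded, and print everything else. Assumptions, all hypothetical and chosen so the script runs offline: report lines look like "added: /path", "changed: /path", "removed: /path" (aide's real output differs, adapt the patterns); DPKG_INFO is a directory laid out like /var/lib/dpkg/info with <pkg>.list (absolute paths) and <pkg>.md5sums ("<md5>  <path without leading slash>"); ROOT is the tree to hash files under. The demo data (package "demo-pkg", the files under it, the report) is constructed inline.

```shell
#!/bin/sh
# Added example, not part of aide or of the mailing-list thread.
# Filter an aide-style report so only changes dpkg cannot account for remain.
# Assumed (hypothetical) inputs: see DPKG_INFO / ROOT below.
set -eu

DPKG_INFO=${DPKG_INFO:-/var/lib/dpkg/info}   # shaped like /var/lib/dpkg/info
ROOT=${ROOT:-}                               # "" means the real root /

file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# 0 if some package's .list claims the absolute path $1.
pkg_owns() {
    grep -qxF -- "$1" "$DPKG_INFO"/*.list 2>/dev/null
}

# 0 if $1 exists under $ROOT and its md5 equals the one dpkg recorded.
# Conffiles are absent from .md5sums on purpose, so an edited /etc file
# never "matches" and is always reported. Note this trusts dpkg's own
# database; a root-level attacker can rewrite .md5sums, so aide should
# still watch /var/lib/dpkg/info itself, and md5 is a weak hash anyway.
pkg_content_matches() {
    rel=${1#/}
    recorded=$(awk -v p="$rel" '$2 == p { print $1; exit }' \
                   "$DPKG_INFO"/*.md5sums 2>/dev/null || true)
    [ -n "$recorded" ] || return 1
    [ -f "$ROOT$1" ] || return 1
    [ "$(file_md5 "$ROOT$1")" = "$recorded" ]
}

# Read report lines on stdin; print only the ones a package does not explain.
filter_report() {
    while IFS= read -r line; do
        case $line in
            "added: /"*|"changed: /"*|"removed: /"*) ;;
            *) continue ;;
        esac
        kind=${line%%:*}
        path=${line#*: }
        if ! pkg_owns "$path"; then
            printf '%s: %s (not owned by any package)\n' "$kind" "$path"
        elif [ "$kind" = removed ]; then
            printf '%s: %s (package-owned file is gone)\n' "$kind" "$path"
        elif ! pkg_content_matches "$path"; then
            printf '%s: %s (package-owned, but content differs from dpkg md5sums)\n' "$kind" "$path"
        fi
        # else: added/changed and identical to what dpkg shipped -> an upgrade, dropped
    done
}

# Constructed demo data: one legitimately upgraded file, one tampered file,
# one edited conffile, one unowned file and one missing package file.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/info" "$tmp/root/usr/bin" "$tmp/root/usr/local/bin" "$tmp/root/etc"
    printf 'upgraded binary\n' > "$tmp/root/usr/bin/demo-good"
    printf 'trojaned binary\n' > "$tmp/root/usr/bin/demo-bad"
    printf 'original binary\n' > "$tmp/orig"          # what dpkg shipped
    printf 'local edit\n'      > "$tmp/root/etc/demo.conf"
    printf 'not from dpkg\n'   > "$tmp/root/usr/local/bin/backdoor"
    printf '%s\n' /usr/bin/demo-good /usr/bin/demo-bad /usr/bin/demo-missing \
                  /etc/demo.conf > "$tmp/info/demo-pkg.list"
    {
        printf '%s  usr/bin/demo-good\n'    "$(file_md5 "$tmp/root/usr/bin/demo-good")"
        printf '%s  usr/bin/demo-bad\n'     "$(file_md5 "$tmp/orig")"
        printf '%s  usr/bin/demo-missing\n' "$(file_md5 "$tmp/orig")"
    } > "$tmp/info/demo-pkg.md5sums"
    DPKG_INFO=$tmp/info
    ROOT=$tmp/root
    printf '%s\n' 'changed: /usr/bin/demo-good' 'changed: /usr/bin/demo-bad' \
                  'changed: /etc/demo.conf' 'added: /usr/local/bin/backdoor' \
                  'removed: /usr/bin/demo-missing' | filter_report
    rm -rf "$tmp"
}

case ${1:-} in
    --demo)   demo ;;            # sh filter.sh --demo
    --filter) filter_report ;;   # aide --check | sh filter.sh --filter
esac
```

On the demo data only demo-good is suppressed; the trojaned binary, the edited conffile, the unowned file and the missing package file are all printed. For the second option Hannes raises (running something before and after every dpkg run), apt can be told to do that through the DPkg::Pre-Invoke and DPkg::Post-Invoke options in apt.conf, but those hooks only fire for runs that go through apt (apt-get, aptitude), not for a bare dpkg -i, which is exactly the case the message worries about.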