[Pkg-aide-maintainers] Bug#542621: aide: new feature: ignore files changed by system updates

Hannes von Haugwitz hannes at vonhaugwitz.com
Mon Aug 31 06:36:57 UTC 2009


Marc Haber <mh+debian-packages at zugschlus.de> wrote:

> On Sun, Aug 30, 2009 at 09:42:56PM +0200, Hannes von Haugwitz wrote:
>> Marc Haber <mh+debian-packages at zugschlus.de> wrote:
>> That would be an option. But I think the filter should also work for
>> single package installations via aptitude install or dpkg -i. So how to
>> implement that in an automatic way?
> 
> a single package installation doesn't create _that_ much noise, I'd
> handle this the same as a system update, or manually.

It depends. Look at the openoffice.org-common or sun-java6-demo packages,
for example.

> 
>> On the other hand we could modify the aide database before and after
>> every package change. Thereby it would be possible to also filter
>> removed files. This requires a new option for the aide binary which
>> allows partially updating the aide database from a list of files and
>> a way to run a program before and after every dpkg run. Is that possible?
> 
> I don't know about dpkg, but apt has pre/post hooks. And I think that
> upstream would accept a patch to update only parts of the database,
> but be aware that an attacker would be able to use that function to
> hide his local changes as well.
> 

I think the "plug-in system" option would be the easiest to implement
while the "modify database" option is the better approach but
essentially harder to develop.

So how to proceed?

regards,

Hannes
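
An added example, not code from AIDE or from the Debian aide package, of the "run something after every dpkg run" idea discussed above, written so that the filter cannot silently hide an attacker's changes: a reported file is dropped from the AIDE report only if its current content matches the checksum dpkg recorded for it in the package's md5sums manifest. Everything else (files no package owns, files that differ from what the package shipped, removed files) stays in the report. The directory layout, the AIDE report lines and the packages "foo"/"bar" are constructed sample data for this example; the md5sums line format ("<md5>  <path relative to />") is dpkg's real one.

```sh
#!/bin/sh
# Added example (not AIDE's or the Debian package's code): a post-dpkg filter
# that drops AIDE "changed:"/"added:" lines only when the file's current
# content matches the checksum dpkg recorded in its md5sums manifest.
# Paths, file layout and the report contents below are constructed for the
# example; dpkg's real manifests live in /var/lib/dpkg/info/<pkg>.md5sums.
set -eu

# md5_of FILE -> prints the md5 hex digest of FILE
md5_of() {
    md5sum "$1" | awk '{print $1}'
}

# verify_against_dpkg ROOT MD5DIR ABSPATH
# Returns 0 when some MD5DIR/*.md5sums file ("<md5>  <relative path>")
# records a checksum for ABSPATH and the file under ROOT currently matches it.
verify_against_dpkg() {
    root=$1 md5dir=$2 path=$3
    rel=${path#/}
    recorded=$(awk -v r="$rel" '$2 == r { print $1; exit }' "$md5dir"/*.md5sums)
    [ -n "$recorded" ] || return 1      # not owned by any package: keep it
    [ -f "$root$path" ] || return 1     # reported but missing: keep it
    [ "$recorded" = "$(md5_of "$root$path")" ]
}

# filter_aide_report ROOT MD5DIR REPORT
# Echoes every line of REPORT except changed:/added: entries whose content is
# exactly what the owning package shipped. Removed files and anything dpkg
# does not know about are never suppressed.
filter_aide_report() {
    root=$1 md5dir=$2 report=$3
    while IFS= read -r line; do
        case $line in
            "changed: /"*|"added: /"*) path=${line#*: } ;;
            *) printf '%s\n' "$line"; continue ;;
        esac
        if verify_against_dpkg "$root" "$md5dir" "$path"; then
            : # explained by the package manifest: suppress
        else
            printf '%s\n' "$line"
        fi
    done < "$report"
}

# setup_example DIR: builds a constructed fake root, dpkg info directory and
# AIDE report under DIR (sample data, not taken from a real system).
setup_example() {
    dir=$1
    mkdir -p "$dir/root/usr/bin" "$dir/root/etc" "$dir/info"
    # foo: replaced by a package upgrade and intact -> should be filtered out
    printf 'new foo binary\n' > "$dir/root/usr/bin/foo"
    printf '%s  usr/bin/foo\n' "$(md5_of "$dir/root/usr/bin/foo")" > "$dir/info/foo.md5sums"
    # bar: shipped by the package, then modified after install -> must stay
    printf 'bar as shipped\n' > "$dir/root/usr/bin/bar"
    printf '%s  usr/bin/bar\n' "$(md5_of "$dir/root/usr/bin/bar")" >> "$dir/info/foo.md5sums"
    printf 'bar with a backdoor\n' > "$dir/root/usr/bin/bar"
    # evil: owned by no package at all -> must stay
    printf 'x\n' > "$dir/root/etc/evil"
    cat > "$dir/aide.report" <<EOF
AIDE found differences between database and filesystem!!
changed: /usr/bin/foo
changed: /usr/bin/bar
added: /etc/evil
removed: /usr/share/doc/old
EOF
}

# Stand-alone demo on the constructed data: prints the report minus /usr/bin/foo
demo() {
    d=$(mktemp -d)
    setup_example "$d"
    filter_aide_report "$d/root" "$d/info" "$d/aide.report"
    rm -r "$d"
}
demo
```

On a real system the script would be pointed at / and /var/lib/dpkg/info and wired in through apt's hook, e.g. `DPkg::Post-Invoke { "/usr/local/sbin/aide-pkgfilter"; };` in apt.conf; that hook does not fire for a bare `dpkg -i`, which is the single-package case raised above. Two caveats follow from the reply's warning: the md5sums manifests themselves must stay covered by AIDE's database, since anyone who can rewrite them can make the filter hide an arbitrary file, and the manifests prove only that a file matches what a package shipped, not that the package was a legitimate one.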




