[pkg-discuss] Verifying what pkg install/image-update actually does
Bart Smaalders
bart.smaalders at Sun.COM
Tue Jul 1 15:12:32 PDT 2008
Jordan Brown wrote:
> Bart Smaalders wrote:
>> Of course, we supply the elf hashes of the binaries in signed
>> manifests... so that auditing can be performed as desired.
>
> I think you're missing the point. *Your* tools can audit just fine. The
> problem is that all the *other* tools that people use to do audits, and
> in particular the tools that they use to compare their systems against
> the golden master that they are supposed to be copies of, will be
> looking at the file in toto, not pulling it apart.
>
>> If this is unacceptable, all Java packages must be replaced completely
>> if any component inside changes, and there will be far more service
>> disruptions during patching operations.
>
> ... unless you catch the spurious change upstream, so that the file with
> the spurious change is never propagated into the repository in the first
> place.
>
We could change the way publication works, I suppose; we may make that
change to make life easier for those folks. I'd leave the logic the same
in the client, though.
>
> Or pressure the people who build jar files to have a mode where they
> suppress the date and time stamps, setting them to some artificial
> value. (This could be done either by the build that constructs the jar
> file, or as part of the jar tool itself.)
Let's not go down that path.
- Bart
--
Bart Smaalders Solaris Kernel Performance
barts at cyber.eng.sun.com http://blogs.sun.com/barts
"You will contribute more with mercurial than with thunderbird."
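
The following is an added example, not part of the original message and not code from the pkg project. It illustrates the point debated in the thread: two jar files with identical entries but different build timestamps differ under a whole-file hash, match under a per-entry content hash, and become byte-identical once their stamps are set to an artificial value. All function names, the fixed timestamp and the sample entries are assumptions constructed for the illustration.

```python
import hashlib
import io
import zipfile

# Assumption: an arbitrary fixed stamp (the earliest the zip format can express).
FIXED_STAMP = (1980, 1, 1, 0, 0, 0)

def build_jar(entries, stamp):
    """Build an in-memory jar from {name: bytes}, stamping every entry with `stamp`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()

def whole_file_digest(jar_bytes):
    """What a generic audit tool sees: a hash over the archive as one blob."""
    return hashlib.sha256(jar_bytes).hexdigest()

def content_digest(jar_bytes):
    """Hash entry names and uncompressed bytes only; timestamps and order are ignored."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in sorted(zf.namelist()):
            data = zf.read(name)
            # Length-prefix each field so adjacent entries cannot be confused.
            for field in (name.encode("utf-8"), data):
                h.update(len(field).to_bytes(8, "big"))
                h.update(field)
    return h.hexdigest()

def normalize(jar_bytes):
    """Rewrite a jar so every entry carries FIXED_STAMP (the 'artificial value' idea)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        entries = {name: zf.read(name) for name in zf.namelist()}
    return build_jar(entries, FIXED_STAMP)

# Constructed sample: the same two entries "built" on two different days.
ENTRIES = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
           "demo/Hello.class": b"\xca\xfe\xba\xbe constructed class bytes"}
JAR_A = build_jar(ENTRIES, (2008, 6, 30, 9, 0, 0))
JAR_B = build_jar(ENTRIES, (2008, 7, 1, 15, 12, 32))

if __name__ == "__main__":
    print("whole-file equal:", whole_file_digest(JAR_A) == whole_file_digest(JAR_B))
    print("content equal:   ", content_digest(JAR_A) == content_digest(JAR_B))
    print("normalized equal:", whole_file_digest(normalize(JAR_A)) == whole_file_digest(normalize(JAR_B)))
```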