tech-userlevel archive

Re: Package automation in /etc/daily

On Sun, Jan 17, 2010 at 4:32 PM, Joerg Sonnenberger wrote:
> On Sun, Jan 17, 2010 at 04:00:48PM +0000, Julio Merino wrote:
>>      check_packages             Checks the digital signature of all files
>>                                 installed by packages against the expected
>>                                 values stored in the packages database.
> Doesn't have practical value to prevent "attacks" -- MD5 is simply too
> weak.

Most, if not all, of the checks in daily are not bulletproof.  See

Still, running this is cheap and can let admins catch obvious
problems.  Certainly not simple attacks, but mistakes and/or broken
packages overriding files.

>>      fetch_pkg_vulnerabilities  Refreshes the local database of package
>>                                 vulnerabilities.
> Must be done by default, should be done with -u.
>>      pkg_dbdir  Location of the packages database.  If unset, defaults to the
>>                 value of the PKG_DBDIR environment variable (typically set
>>                 from /etc/profile) or to /var/db/pkg.
> I don't think support for non-default locations should be included...
> E.g. use whatever pkg_admin is configured for.

Can the default value of pkg_admin be changed in the base system?

I constantly set PKG_DBDIR in /etc/profile in all my installs because
the /var/db/pkg value is broken.  And I want this to "just work".

Julio Merino
