Bart Smaalders wrote: > Of course, we supply the elf hashes of the binaries in signed > manifests... so that auditing can be performed as desired.
I think you're missing the point. *Your* tools can audit just fine. The problem is that all the *other* tools that people use to do audits, and in particular the tools that they use to compare their systems against the golden master that they are supposed to be copies of, will be looking at the file en toto, not pulling it apart. > If this is unacceptable, all Java packages must be replaced completely > if any component inside changes, and there will be far more service > disruptions during patching operations. ... unless you catch the spurious change upstream, so that the file with the spurious change is never propagated into the repository in the first place. Or pressure the people who build jar files to have a mode where they suppress the date and time stamps, setting them to some artificial value. (This could be done either by the build that constructs the jar file, or as part of the jar tool itself.) _______________________________________________ pkg-discuss mailing list [email protected] http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
