One might well ask: Why sign any "mutable" file?

The (rather inchoate) answer supplied in the original RFE for signing %config 
files (iiuc) was 1) so that IMA policy can be written against %config files 
and 2) so that %config files in a package will have an IMA signature in an 

The same reasoning applies to %ghost files which are "owned" (with usual 
perms/uid/gid metadata) by a package. The content of %ghost files is usually 
generated in %buildroot using touch(1), so the appropriate signature for %ghost 
files would be a signature on an empty (but "mutable") file.

The main reason for treating %ghost like empty %config files is to remove 
special cases peculiar to rpm packaging that show up later as RFEs.

Rpm-maint mailing list