```
During the %check target, no files that existed before are expected to be
modified. This change adds a validation to the rpmbuild command, which will
store file hashes and compare them again after compilation.
Note: this is only a simple demonstrator that cannot handle large projects, and
@nmanthey pushed 1 commit.
2c26ff0d2f023e24c65b57b1bc25256b5e8846e8 rpmbuild,check: verify file hashes
--
View it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3039/files/9c34a39a7716123e3ad2adf755db12f5db83dc98..2c26ff0d2f023e24c65b57b1bc25256b5e8846e8
I understand the difference between %build and %check, as well as the problem
that this could be worked around by future actors. I would still like to
understand the potential as a building block for hardening.
Do you see a path for a hashing-like validation in the %check phase that could
be ena
Yes, this approach will never be complete. Something like the proposed feature
is only a building block. For the other stages, there could also be the
requirement to not modify files that have been available already. IMHO, other
attack vectors should be addressed with other tools.
What data wou