[Rpm-maint] [rpm-software-management/rpm] [RFC] rpmbuild, check: verify file hashes (PR #3039)

2024-04-15 Thread norbert manthey
``` During the %check target, no files that existed before are expected to be modified. This change adds a validation to the rpmbuild command, which will store file hashes, and compare them after compilation again. Note: this is only a simple demonstrator that cannot handle large projects, and

Re: [Rpm-maint] [rpm-software-management/rpm] [RFC] rpmbuild, check: verify file hashes (PR #3039)

2024-04-16 Thread norbert manthey
@nmanthey pushed 1 commit. 2c26ff0d2f023e24c65b57b1bc25256b5e8846e8 rpmbuild,check: verify file hashes -- View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3039/files/9c34a39a7716123e3ad2adf755db12f5db83dc98..2c26ff0d2f023e24c65b57b1bc25256b5e8846e8 You are receiving this b

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: ensure unwritable buildroot during %check (Issue #3010)

2024-04-18 Thread norbert manthey
I understand the difference between %build and %check, as well as the problem of this could be worked around by future actors. I would still like to understand the potential as a building blocks for hardening. Do you see a path for a hashing-like validation in the %check phase that could be ena

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: ensure unwritable buildroot during %check (Issue #3010)

2024-04-18 Thread norbert manthey
Yes, this approach will never be complete. Something like the proposed feature is only a building block. For the other stages, there could also be the requirement to not modify files that have been available already. IMHO, other attack vectors should be addressed with other tools. What data wou