On Mon, Feb 01, 2010 at 01:38:13PM -0500, Toshio Kuratomi wrote:
>
> 1) The present packages need to be fixed. Sounds like fipscheck, hmaccalc,
> and openssh. They are violating the FHS which is prohibited by the
> Guidelines. Ralf, have you opened bugs?
>
> 2) We need to decide where to place the files. I don't know what uses them,
> so I'm not entirely certain about this. Here's some suggestions:
>   * If each binary checks itself then %{_libdir}/%{name}/$PROGNAME.hmac
>     seems reasonable.
>   * If there are one or more programs (fipscheck?) that check the integrity
>     of other binaries then we probably want a directory structure that is
>     namespaced by itself and allows that other program to lookup the
>     checksum for the binary. Something like:
>       %{_libdir}/hmac%{_bindir}/$PROGNAME.hmac
>       %{_libdir}/hmac%{_sbindir}/$PROGNAM2.hmac
>

Caught j-rod and pjones on IRC who had the following insights:

* Each binary is supposed to perform an integrity check of itself when it
  starts. So each binary needs to be able to find its hmac file.
* hazy recollection is that fipscheck is meant to check the integrity of any
  binary with checksums. So we do need to use a directory structure that
  fipscheck can use to find the checksums.

If I could get some input from the people who actually deal with fipscheck
and this standard, that this is the way forward, I'll write up the
Guidelines.

-Toshio
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
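An added illustration of the second layout suggested in the message above, `%{_libdir}/hmac%{_sbindir}/$PROGNAME.hmac`, showing how a separate checker could derive the checksum location from a binary's path alone and fail closed when the file is missing or stale. This is not code from the thread or from fipscheck: the function names are hypothetical, and HMAC-SHA256, the hex file format, the demo key and `/usr/lib64` as `%{_libdir}` are assumptions.

```python
import hashlib
import hmac
import os
import tempfile

# Assumptions, not from the thread: HMAC-SHA256, hex text in the .hmac file,
# a constructed demo key, and /usr/lib64 standing in for %{_libdir}.
DEMO_KEY = b"constructed-demo-key"
LIBDIR = "/usr/lib64"

def hmac_path(binary, libdir=LIBDIR):
    # /usr/sbin/sshd -> <libdir>/hmac/usr/sbin/sshd.hmac (the namespaced layout)
    binary = os.path.normpath(binary)
    if not os.path.isabs(binary):
        raise ValueError("binary path must be absolute")
    return os.path.join(libdir, "hmac") + binary + ".hmac"

def digest(path, key):
    with open(path, "rb") as fh:
        return hmac.new(key, fh.read(), hashlib.sha256).hexdigest()

def install_hmac(binary, root, key=DEMO_KEY):
    # Package build step: store the checksum of root+binary in the hmac tree.
    target = root + hmac_path(binary)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w") as fh:
        fh.write(digest(root + binary, key) + "\n")

def verify(binary, root, key=DEMO_KEY):
    # Checker step: fail closed when the .hmac file is missing or differs.
    try:
        with open(root + hmac_path(binary)) as fh:
            expected = fh.read().strip()
    except OSError:
        return False
    return hmac.compare_digest(expected, digest(root + binary, key))

def demo():
    # Constructed sample: a fake sshd under a temporary root, then tampering.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(root + "/usr/sbin")
        with open(root + "/usr/sbin/sshd", "wb") as fh:
            fh.write(b"constructed binary contents")
        missing = verify("/usr/sbin/sshd", root)
        install_hmac("/usr/sbin/sshd", root)
        clean = verify("/usr/sbin/sshd", root)
        with open(root + "/usr/sbin/sshd", "ab") as fh:
            fh.write(b"!")
        return missing, clean, verify("/usr/sbin/sshd", root)
```

`demo()` returns the verification result before the checksum is installed, after it is installed, and after the binary is modified.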