FSDB

Paul Nasrat pauln at truemesh.com
Tue Aug 12 04:44:23 UTC 2003


On Mon, Aug 11, 2003 at 02:14:11PM -0700, Florin Andrei wrote:
> On Mon, 2003-08-11 at 14:02, Geoff Reedy wrote:
> > On Mon, Aug 11, 2003 at 01:42:32PM -0700, Florin Andrei <florin at sgi.com> said
 
> > This sounds a lot like what can already be done with a command like rpm -Va.
> 
> Yes and no.
> 
> Yes, it's the same idea.
> 
> No, because with FSDB the signatures will be stored somewhere else, on a
> trusted site, not on the system itself (not even on the owner's
> network). 

There already exists rpmdb-redhat, which you can use (possibly from
readonly media): 

rpm -V --dbpath /usr/lib/rpmdb/i386-redhat-linux/redhat/ foo

However a couple of caveats apply:

1) This doesn't seem to be kept in sync with errata, which I can
understand as if you have it installed it's an extra package to update
each time, I guess you could have rpmdb-redhat-errata too.
2) You can't trust it on your system, but no reason you can't have it
from ro media as it's static
3) You don't know you can trust your rpm binary, so I guess a statically
linked one on ro media along with the db would be useful 
4) This possibly doesn't help with lkm/rootkits which may be able to do
evil things intercepting your rpm calls.  I don't know of any that do
this automagically (quick google), but certainly a bootable cd with rpm,
rpmdb-redhat plus errata db entries would be simple to maintain.

Paul
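The procedure above (a trusted rpm binary and rpmdb on read-only media, verified against the host's files rather than the host's own database) as a small defensive helper. This is an added example, not code from the thread or from the rpm project: it builds the verify command for the trusted binary and database path, then parses `rpm -V` output to single out non-config files whose content changed or that are missing. The /mnt/cdrom paths and the sample output are constructed; the status-column layout assumed is rpm's S M 5 D L U G T (plus P on newer rpm).

```python
import re
import subprocess
from dataclasses import dataclass

# rpm -V status columns: S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime; newer rpm adds P (capabilities) as a 9th column.
STATUS_RE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(\S.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:([cdglr])\s+)?(\S.*)$")

@dataclass
class Finding:
    path: str
    failed: str      # letters of the failed tests, "" when nothing failed or file missing
    attr: str        # 'c' config, 'd' doc, 'g' ghost, ... or '' for a plain file
    missing: bool

def trusted_verify_cmd(rpm_bin, dbpath, *packages):
    """Verify with the rpm binary and rpmdb from read-only media, not the host's db."""
    return [rpm_bin, "-V", "--dbpath", dbpath, *packages]

def parse_verify_output(text):
    findings = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append(Finding(m.group(2), "", m.group(1) or "", True))
            continue
        m = STATUS_RE.match(line)
        if m:
            failed = "".join(ch for ch in m.group(1) if ch not in ".?")
            findings.append(Finding(m.group(3), failed, m.group(2) or "", False))
    return findings

def suspicious(findings):
    """Missing files, or non-config files whose size, digest or link target changed."""
    return [f for f in findings
            if f.missing or (f.attr != "c" and any(c in f.failed for c in "5SL"))]

def verify_from_media(rpm_bin, dbpath, *packages):
    """Run the trusted verify on a live host (rpm -V exits non-zero on any mismatch)."""
    out = subprocess.run(trusted_verify_cmd(rpm_bin, dbpath, *packages),
                         capture_output=True, text=True).stdout
    return suspicious(parse_verify_output(out))

# Constructed sample of rpm -V output for illustration.
SAMPLE = """\
S.5....T.  /bin/ls
.......T.  c /etc/ld.so.conf
S.5....T.  c /etc/passwd
missing     /usr/bin/chattr
..?......  /sbin/ifconfig
"""
```

Config files (attribute `c`) are expected to drift and are reported but not flagged; a digest change on a binary such as /bin/ls or a missing tool is what the trusted-media check is meant to catch.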

More information about the fedora-devel-list mailing list