Comment # 5 on bug 1172521 from
(In reply to Thorsten Kukuk from comment #4)
> 
> > > With read-only root filesystems and transactional-updates, this is a bad
> > > idea.
> > 
> > What exactly is a bad idea, please?
> 
> Everything below /usr should never be modified by a script, at runtime or
> anything else. You even don't know if it is possible or not. Additional,
> this prevents from checking /usr if somebody tampered with it or not

oh, sorry, I have overlooked that it actually happens in %post...

> 
> So the %post will never be executed again and can be removed, including the
> PreReq line.

With the fix from 2016g it should at least be never executed twice :) .
Removing the %post phase could cause some problems only to the systems where
these files are not symlinks, so (according to you) systems which were last
updated 10 years ago. Yes, there should be no such running system.

Regarding the "PreReq: filesystem, coreutils": I see why it can be removed.
Just by curiosity: Is it even possible that a system does not have these
packages later than at the very beginning?

> 
> Another question is the "%verify(not link md5 size mtime)
> %{_datadir}/zoneinfo/posixrules" line.
> This prevents our tools to find out if somebody tampered with /usr. Which is
> already bad. As this file is coming from the package itself, I don't see a
> need for it.

What does this %verify actually do, please?

> Another question coming up is: does zic or something else modifies this
> file? If yes, we need another solution for this, with "Carwos", "MicroOS",
> "Kubic", "Transactional Server", /usr is read-only and this file cannot be
> modified by the admin. Another reason why the %verify statement is bad: it
> prevents us from finding such cases early, where tools modify data below

>From zic manual page:

"""
       -p timezone
              Use timezone's rules when handling nonstandard TZ strings like
              "EET-2EEST" that lack transition rules.  zic will act as if the
              input contained a link line of the form

                   Link  timezone  posixrules
"""
zic.8.txt contains more information about this option:
"""
              This feature is obsolete and poorly supported.  Among other
              things it should not be used for timestamps after the year 2037,
              and it should not be combined with -b slim if timezone's
              transitions are at standard time or Universal Time (UT) instead
              of local time.
"""
Yes, it could relink the symlink. And I wonder why this "obsolete" notice isn't
in an installed man page... More of this, we actually use this feature in our
spec file to generate posixrules.


You are receiving this mail because: