I use Rkhunter to check the installed packages for unallowed modifications. Unfortunately, by default, Rkhunter also reports all official openSUSE Tumbleweed updates. E.g.

Warning: The file properties have changed:
         File: /bin/rpm
         Current inode: 9841456    Stored inode: 9847931
Warning: The file properties have changed:
         File: /bin/sort
         Current inode: 9830433    Stored inode: 9830466

I usually check some of the reported packages to see if they were recently updated. For example, the packages coreutils (contains /bin/sort) and rpm (contains /bin/rpm):

mybox:~ # rpm -qf /bin/sort
coreutils-8.27-3.1.x86_64
mybox:~ # rpm -qf /bin/rpm
rpm-4.13.0.1-5.4.x86_64

One of the criteria I check is the RPM build time. For coreutils, all available times are in a short time interval:

mybox:~ # rpm -q --queryformat '%{NAME}\nBUILDTIME: %{BUILDTIME:date}\nCHANGELOGTIME: %{CHANGELOGTIME:date}\nFILEMTIMES: %{FILEMTIMES:date}\nINSTALLTIME: %{INSTALLTIME:date}\n' coreutils
coreutils
BUILDTIME: Wed Aug 16 14:00:00 2017
CHANGELOGTIME: Wed Aug 16 14:00:00 2017
FILEMTIMES: Mon Aug 21 11:58:19 2017
INSTALLTIME: Tue Aug 22 14:26:00 2017

But I do not understand the long time interval between build time and file mtimes for the package rpm:

mybox:~ # rpm -q --queryformat '%{NAME}\nBUILDTIME: %{BUILDTIME:date}\nCHANGELOGTIME: %{CHANGELOGTIME:date}\nFILEMTIMES: %{FILEMTIMES:date}\nINSTALLTIME: %{INSTALLTIME:date}\n' rpm
rpm
BUILDTIME: Wed Jul 26 14:00:00 2017
CHANGELOGTIME: Wed Jul 26 14:00:00 2017
FILEMTIMES: Mon Aug 14 18:21:05 2017
INSTALLTIME: Thu Aug 17 00:31:12 2017

Does it mean that the package rpm was built on July 26, tested until August 14, then somehow repacked to refresh the file mtimes, and three days later (August 17) I installed the update?

Greetings,
Björn
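
The manual check described in the message above, as an added shell example that is not part of the original post: it pulls the file paths out of Rkhunter's "file properties have changed" warnings, maps each to its owning package with `rpm -qf`, and compares the package's INSTALLTIME with the age of Rkhunter's stored baseline. The function names, the baseline comparison and the file paths in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage rkhunter "file properties have changed" warnings with rpm.

# Constructed sample input, built from the two warnings quoted in the post.
sample_log() {
cat <<'EOF'
Warning: The file properties have changed:
         File: /bin/rpm
         Current inode: 9841456    Stored inode: 9847931
Warning: The file properties have changed:
         File: /bin/sort
         Current inode: 9830433    Stored inode: 9830466
EOF
}

# Read rkhunter output on stdin; print the path from each "File:" line that
# follows a properties warning (a leading log timestamp is tolerated).
changed_files() {
    awk '/Warning: The file properties have changed:/ { w = 1; next }
         w && /File:/ { sub(/^.*File:[ \t]*/, ""); print; w = 0 }'
}

# Succeeds when the package was installed after the baseline was written,
# i.e. a package update can account for the changed properties.
explained_by_update() {   # $1 = INSTALLTIME epoch, $2 = baseline mtime epoch
    [ "$1" -gt "$2" ]
}

# Read paths on stdin. $1 = rkhunter property database file (assumed path,
# see the usage comment; adjust it to your installation).
triage() {
    base=$(stat -c %Y "$1") || return 1
    while IFS= read -r f; do
        pkg=$(rpm -qf "$f") || { echo "$f: not owned by any package"; continue; }
        inst=$(rpm -q --queryformat '%{INSTALLTIME}' "$pkg")
        if explained_by_update "$inst" "$base"; then
            echo "$f: $pkg installed after baseline"
        else
            echo "$f: $pkg NOT updated since baseline, investigate"
        fi
        # Any line printed here means the file differs from the RPM database.
        rpm -V "$pkg" | awk -v f="$f" '$NF == f'
    done
}

# Usage on an RPM-based system (both paths are assumptions):
#   changed_files < /var/log/rkhunter.log | triage /var/lib/rkhunter/db/rkhunter.dat
```

The RPM database that `rpm -V` checks against lives on the same host as the files, so a clean result is only as trustworthy as that database.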