Versioned Conffiles was Re: Contrasting BSIGN and TRIPWIRE
Oscar Levi wrote:
> My next project is to implement version control for system
> configuration files. This can integrate with bsign, too, in that the
> administrator can sign (bless) the edited config files as part of the
> standard process. If someone is really paranoid, he can use a
> smartcard for signature generation and/or an NFS mount of the system
> being administered to isolate encryption from a vulnerable system.
I would like to see RCS support for system configuration files - something like:
If when the user says they would like to install a new conffile from the
If there is an RCS directory for the conffile then check in the old version,
and check in the new Debian version, giving it a suitable label (saying which
package version it came from etc.).
This could supplement (where RCS was available) the various different systems
which keep multiple old conf files (such as the rotated apache conf files
system - which I really like BTW).
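
The check-in sequence proposed in the message above, written out with the standard RCS `ci` command as an added example; it is not part of the original e-mail and not something dpkg does. The function names, log messages and label format are assumptions.

```shell
#!/bin/sh
# Added example. rcs_label and install_conffile are hypothetical names.

# RCS symbolic names may not contain $ , . : ; @ so a Debian version such
# as 1:1.3.9-2 cannot be a label verbatim; map such characters to "_".
rcs_label() {  # usage: rcs_label PACKAGE VERSION
    printf '%s_%s' "$1" "$2" | sed 's/[^A-Za-z0-9_+~-]/_/g'
}

# Replace CONFFILE with the packaged NEWFILE. When an RCS directory sits
# beside the conffile, record the old and the new version in it first.
install_conffile() {  # usage: install_conffile CONFFILE NEWFILE PACKAGE VERSION
    conf=$1; new=$2; pkg=$3; ver=$4
    rcsdir=$(dirname "$conf")/RCS
    rcsfile=$rcsdir/$(basename "$conf"),v
    if [ ! -d "$rcsdir" ] || ! command -v ci >/dev/null 2>&1; then
        cp "$new" "$conf"      # no RCS here: plain replacement
        return
    fi
    # 1. Check in the administrator's current file. -l keeps the working
    #    file and the lock; an unchanged file is not deposited again.
    ci -q -l -t-"conffile $conf" -m"local version before $pkg $ver" \
        "$rcsfile" "$conf" </dev/null || return 1
    # 2. Install the packaged file and check it in under the label.
    #    -f deposits it even if identical; -N moves an existing label.
    cp "$new" "$conf" || return 1
    ci -q -l -f -N"$(rcs_label "$pkg" "$ver")" \
        -m"Debian version from $pkg $ver" "$rcsfile" "$conf" </dev/null
}
```

The locally edited version can later be recovered with `co -p -r1.1` (or whichever revision preceded the label), and the packaged one with `co -p -r` followed by the label.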