From: Ingo Schwarze
Subject: Re: text files in /etc/changelist stored as checksums only
To: Daniel Jakots , sthen@openbsd.org, jmc@openbsd.org
Cc: tech@openbsd.org
Date: Tue, 25 Mar 2025 12:56:37 +0100

Hi Daniel, Stuart, and Jason,

Daniel Jakots wrote on Wed, Mar 19, 2025 at 06:21:37PM -0400:

> The manpage could maybe be amended to mention the password/secret
> aspect as it was mentioned in the commit that introduced the feature:
> https://github.com/openbsd/src/commit/1e94625a312dd2d8958cd9bab647e9427d701c46

Here is a shot at polishing a few aspects in this page:

 * Tighten a few wordings, reducing duplicate words and statements.
 * Qualify "configuration files" with "several" because as it stands,
   the text allows the misunderstanding that *all* configuration files
   would be added to the list by default.
 * Files do not "begin with" a plus sign, but are prefixed.
 * Avoid a parenthetic remark, turning it into a complete sentence,
   mentioning the aspect of secrets.

OK?
  Ingo

Index: changelist.5 =================================================================== RCS file: /cvs/src/share/man/man5/changelist.5,v diff -u -r1.10 changelist.5 --- changelist.5 28 May 2024 05:09:19 -0000 1.10 +++ changelist.5 25 Mar 2025 11:45:13 -0000 @@ -24,8 +24,9 @@ The .Pa /etc/changelist file is a simple text file containing the names of files to be backed up -and checked for modification by the system security script, -.Xr security 8 . +and checked for modification by the system +.Xr security 8 +script. It is checked daily by the .Pa /etc/daily script. @@ -33,10 +34,8 @@ .Xr daily 8 for further details. .Pp -Each line of the file contains the name of a file, -specified by its absolute pathname, -one per line. -By default, configuration files in +Each line of the file contains the absolute pathname of one file. +By default, several configuration files in .Pa /etc , .Pa /root , and 
@@ -78,13 +77,13 @@ .Pp Files in .Pa /etc/changelist -beginning with a +prefixed by a .Sq + -character -.Pq generally non-text files -are stored as +character are stored as .Xr sha256 1 checksums. +During installation, that prefix is used for non-text files +and for files that may contain secrets. Results are mailed in the following format: .Bd -unfilled -offset indent ======
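
Review bot: In the @@ -24,8 +24,9 @@ hunk, the unchanged context sentence "It is checked daily by the .Pa /etc/daily script." now directly follows a sentence ending in "script.", so "It" can be read as the security(8) script rather than /etc/changelist. Since the neighbouring sentence is being reworded anyway, consider replacing the pronoun with "The file" while here.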
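
Review bot: In the @@ -33,10 +34,8 @@ hunk, "Each line of the file contains the absolute pathname of one file." does not account for the "+" prefix described in the later hunk, where an entry is a pathname preceded by that character. Consider wording along the lines of "the absolute pathname of one file, optionally prefixed by a + character", or a forward reference to the paragraph about the prefix, so the format description is complete. That would also be a chance to stop using "file" for both the list and its entries within one sentence.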
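
Review bot: In the @@ -78,13 +77,13 @@ hunk, "During installation, that prefix is used for non-text files" is ambiguous: it can be read as the prefix only having an effect while the system is being installed, when the intent appears to be that the list as installed uses it for those entries. Wording such as "In the default file, that prefix is used for ..." would avoid that. Since the next context line says results are mailed, the sentence could also tell administrators directly to use the prefix for any file they add that may contain secrets. The new sentence also now sits between "checksums." and "Results are mailed in the following format:", so it may read better placed before "are stored as" or after the format example.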