Has there been any discussion of the merits, possibility or difficulty or making tripwire prelink-aware? I haven't found any mention in the forums.
At the very least there should be a mention of prelink somewhere in the documentation or even on this website - ntallen's message is the first mention of prelink in association with tripwire that I have found. Having just spent a whole day trying to work out why all of my binary files had been tagged following a new installation of tripwire, I would have found it extremely useful!! I was not aware of prelink until this.
The best time to install tripwire is as soon after a new installation as practical. To not mention that all files will be affected by prelink soon after a new installation is an oversight that ought to be remedied else it devalues the product. When faced with a sudden 500+ increase in file changes, what confidence would the installer then have that his system isn't already compromised?
Any binary file updated subsequently is then subject to the same problem - tripwire flags it as changed, the db is updated and then it changes again when prelink runs - very frustrating I can imagine and an unnecessary distraction.
The tripwire package is clearly very powerful and extremely useful but only when it's not with degraded with avoidable clutter.
prelink should be run immediately before tripwire is run/checked and both as soon after an update as is practical.
New OS install -> updates -> prelink -> install tripwire and initialise tripwire db
Package update -> prelink -> run & update tripwire db
I have certainly seen this in the reports I receive. I have learned to use Tripwire to look for the obvious "shouldn't be" conditions. I expect to see Tripwire report changes to /bin /sbin /lib directories after an update.
It would indeed be nice to see more accuracy in reporting. but it's all good