During my recent Gentoo update session, I was once again confronted with the inconvenience of not having my /etc/ directory under version management. This time, I thought I had the ideal SCM for this job: Git.
I found a blog post by a chap who has done the same. It includes a few notes I might not have thought about on my own and also a few very cool Debian tricks.
One of the steps that I might have overlooked myself is that it’s essential to make the .git directory group/world inaccessible with chmod go-rwx. If I had forgotten this, a smart attacker might use my Git repo to access forbidden file contents.
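The check and fix described above, as an added example that is not from the original post or the blog it cites. Git records only the executable bit of a tracked file's mode and writes its objects under the committing user's umask, so the contents of a root-only file can sit in world-readable objects unless .git itself is closed off. The function names and the temporary demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit and lock down the
# .git directory of a repository that tracks /etc-style configuration.

# Print the group/other permission characters of a path, e.g. "r-xr-x".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# 0 = REPO/.git is closed to group and others, 1 = exposed, 2 = no .git.
git_dir_is_private() {
    gitdir="$1/.git"
    [ -d "$gitdir" ] || return 2
    [ "$(group_other_bits "$gitdir")" = "------" ]
}

# The fix from the post. Removing search (x) permission on .git blocks
# traversal to everything beneath it, so no recursive chmod is needed.
lock_git_dir() {
    [ -d "$1/.git" ] || return 2
    chmod go-rwx "$1/.git"
}

# Report the state of REPO/.git and lock it if it is exposed.
audit_repo() {
    if git_dir_is_private "$1"; then
        echo "ok: $1/.git is private"
    elif [ -d "$1/.git" ]; then
        echo "exposed: $1/.git is $(group_other_bits "$1/.git"), locking"
        lock_git_dir "$1"
    else
        echo "skip: $1 has no .git directory"
    fi
}

# Constructed demo on a throwaway directory standing in for /etc.
demo=$(mktemp -d)
mkdir -p "$demo/.git/objects"
chmod 755 "$demo/.git"
audit_repo "$demo"    # exposed, then locked
audit_repo "$demo"    # ok
rm -rf "$demo"
```

Running audit_repo /etc as root after git init, and again from a periodic job, catches a .git directory that was recreated or restored with default permissions.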
The author also describes a cool Post-Invoke for Debian’s dpkg that will automatically stage and commit configuration changes made by apt/dpkg (although, later, he mentions that Debian has gotten a package called etckeeper that does this automatically).
Now I would like to learn how I can let Gentoo’s etc-update do as much. In its /etc/dispatch-conf.conf I can only find the option to use (of all things) RCS to track replaced configuration files in a special directory (/etc/config-archive/ by default). Hopefully, there is some drop-in replacement for etc-update which does this and which can rid me of etc-update’s awkward interface at once.