During my recent Gentoo update session, I was once again confronted with the inconvenience of not having my /etc/ directory under version management. This time, I thought I had the ideal SCM for this job: Git.
I found a blog post of a chap who has done the same. It includes a few notes I might not have thought about on my own and also a few very cool Debian tricks.
One of the steps that I might have overlooked myself is that it’s essential to make the .git directory group/world inaccessible with chmod go-rwx. If I had forgotten this, a smart attacker might use my Git repo to access forbidden file contents.
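As an added example (not code from this post or the blog it links to), here is the check and the fix behind that advice, run against a throwaway directory that stands in for /etc so it needs no root:

```sh
#!/bin/sh
# Added example, not code from the original post or the blog it links to.
# Shows why the .git directory of an /etc repository must lose its group/other
# bits, and gives a check plus the chmod go-rwx fix. It uses a throwaway
# directory in place of the real /etc so it can run unprivileged.
set -eu

# Succeed (exit 0) if "$1/.git" grants any group or other permission bit.
# Columns 5-10 of `ls -ld` are the group and other rwx fields; this is
# portable across GNU and BSD ls, unlike stat's format flags.
git_dir_exposed() {
    case "$(ls -ld "$1/.git" | cut -c5-10)" in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# The fix from the post: strip group/world access from the top-level .git.
# Nothing below it needs changing, since nobody else can traverse into it.
harden_git_dir() {
    chmod go-rwx "$1/.git"
}

# Why it matters: the committed copy of a 0600 file is stored as a loose
# object that git creates 0444 (minus umask), readable by anyone who can
# reach .git. Runs in a subshell so umask and cd do not leak to the caller.
# Prints "<object mode> <exposed before> <exposed after>", e.g. "-r--r--r-- 1 0".
demo() (
    work=$(mktemp -d)
    umask 022                      # the common default, so .git comes out 0755
    mkdir "$work/etc" && cd "$work/etc"
    # Constructed stand-in for /etc/shadow; the hash field is a placeholder.
    printf 'root:$6$CONSTRUCTED-PLACEHOLDER:19000:0:99999:7:::\n' > shadow
    chmod 600 shadow
    git init -q
    git add shadow
    git -c user.name=demo -c user.email=demo@example.invalid commit -q -m 'import /etc'
    blob=$(git rev-parse HEAD:shadow)
    obj=".git/objects/$(printf %s "$blob" | cut -c1-2)/$(printf %s "$blob" | cut -c3-)"
    mode=$(ls -l "$obj" | cut -c1-10)
    before=0; if git_dir_exposed .; then before=1; fi
    harden_git_dir .
    after=0;  if git_dir_exposed .; then after=1; fi
    cd / && rm -rf "$work"
    echo "$mode $before $after"
)

# Run the demonstration when git is installed; the two helpers work without it.
command -v git >/dev/null 2>&1 && demo
```

The same two helpers can be pointed at the real tree (`git_dir_exposed /etc`) from a cron job or configuration-management check, so a later `git init` or restore does not silently reopen the repository.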
The author also describes a cool Post-Invoke hook for Debian’s dpkg that automatically stages and commits configuration changes made by apt/dpkg (although he later mentions that Debian has gotten a package called etckeeper that does this automatically).
Now I would like to learn how I can let Gentoo’s etc-update do as much. In its /etc/dispatch-conf.conf I can only find the option to use (of all things) RCS to track replaced configuration files in a special directory (/etc/config-archive/ by default). Hopefully, there is some drop-in replacement for etc-update which does this and which can rid me of etc-update’s awkward interface at once.
As a small comment, it would be a must to track a separate branch in which the config files appear as if they had never been user-modified.
This is important, because a file like make.conf in my Gentoo system contains all kinds of comments that no longer apply and lack comments that should be there.
Tonight, we were at Jeroen’s place to configure a VPN on his Debian server. This brought up the question whether he was already tracking changes to his /etc directory in Git.
Using DPkg’s Post-Invoke hooks, it’s possible to nicely integrate Git with Debian’s APT/DPkg. Ideally, like halfgaar mentions in the previous comment, I want a solution that keeps the package maintainer’s version of each configuration file in a separate branch from my local changes so that I can use Git’s powerful merge and diff tools to compare and upgrade versions as packages get upgraded. Then, if Debian could just get out of the way with its own awkward mechanism of selecting the new or old version of each updated configuration file…
I just learned that etckeeper (Debian package) probably isn’t able to do exactly what I want it to be able to. etcgit seems to be an approach that is more in sync with the above-mentioned desire, although it hasn’t turned up in the official Debian package repository yet.