On Thu, Feb 07, 2013 at 04:49:43PM +0200, Zeeshan Ali (Khattak) wrote:
> On Thu, Feb 7, 2013 at 10:56 AM, Christophe Fergeau <cfergeau@xxxxxxxxxx> wrote:
> > On Thu, Feb 07, 2013 at 02:16:52AM +0200, Zeeshan Ali (Khattak) wrote:
> >> On Wed, Feb 6, 2013 at 3:23 PM, Christophe Fergeau <cfergeau@xxxxxxxxxx> wrote:
> >> > On Wed, Feb 06, 2013 at 03:17:00PM +0200, Zeeshan Ali (Khattak) wrote:
> >> >> Why not let apps decide that? We are giving them info on the signed
> >> >> status of drivers and they can make an informed decision.
> >> >
> >> > This is exactly my point, applications cannot say "I'm only using signed
> >> > drivers, don't disable signature checking" with the current series as far
> >> > as I understand it.
> >>
> >> If applications are only going to use signed drivers, they don't need
> >> to disable anything. So really there is no app that is going to need
> >> this API, but to get this very important work in, I'll live with a bit
> >> of redundant API.
> >
> > Yes, applications using signed drivers will not need to disable anything.
> > However, my understanding is that you want to use *unsigned* drivers in
> > your application, in that case you need to disable signature verification.
> > You are designing the whole thing with the nominal case being unsigned
> > drivers, which makes sense for your use case.
>
> Not at all. I'm providing applications with information on whether drivers
> are signed or not.

Yes

> Based on that they can make a decision. If they
> decide to use unsigned drivers, there is absolutely no reason any app
> would want to disable some checks as well.

I think applications should be able to control whether the OS they install
will have DriverSigningPolicy=Ignore set or not. And this should default to
not be 'Ignore'. So if you want to be able to install unsigned drivers, you
need to be able to disable signature checking (ie tell the install script
to add this line).

> Unless you could specify a
> (not hypothetical) use case or example of an app that would want such a
> thing, I don't think there is any need for what you are asking for.

Once again, this is a security feature. You keep pretending it's not,
waving it away, but this doesn't change the fact that this improves the
system security, and you are going to disable this without leaving any
control to the library user on this.

> Especially since I told you the problems with making this configurable
> in the last mail.

'this is complicated' is not necessarily a good reason for not doing
something. But let's first focus on what we do about this signature
checking stuff, I haven't really looked at the mail where you describe
the problems you have yet.

> Moreover, even as a security measure, it's doubtful that MS thought of an
> application being involved in the process. The common use case
> involves only the user and MS' software (mainly the installer). It's a
> very usual thing to not trust users to know exactly what they are
> doing. They can get malicious drivers from anywhere and try to install
> them. In case of libosinfo, there is going to be an app involved,
> making the decision for the user.

But once the system is installed, the user will be in control of the OS,
and signature checking will still be disabled! And this patch is disabling
this even when no unsigned drivers are involved at all.

> Unless you can point out any use case, I'm not going to add confusing
> API just to satisfy some particular proprietary vendor.

Ok, then we should not do all this work to support unsigned drivers, or
to postinstall windows drivers, and we can drop this patch series (in
other words, not a useful argument at all).

Christophe
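The policy decision argued over above (only emit DriverSigningPolicy=Ignore when unsigned drivers are actually being installed and the application has explicitly opted in, never as a side effect of merely supporting unsigned drivers) can be written down as a small decision function. The following is an added example, not libosinfo code and not its API; the Driver class, the allow_unsigned flag and the sample driver list are constructed for illustration. The [Unattended] section and the Block/Warn/Ignore values are the ones Windows unattended setup accepts in winnt.sif; the thread itself only names Ignore.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Driver:
    """Hypothetical driver record: the thread says apps are told the signed status."""
    name: str
    signed: bool


class UnsignedDriverRefused(Exception):
    """Raised when unsigned drivers are requested but the app never opted in."""


def driver_signing_policy(drivers: List[Driver], allow_unsigned: bool = False) -> Optional[str]:
    """Decide the DriverSigningPolicy value the install script should emit.

    - All drivers signed: return None, i.e. emit nothing and keep the OS
      default, so signature checking stays enabled on the installed system.
    - Unsigned drivers present and the application opted in: "Ignore".
      (Windows unattended setup also accepts "Block" and "Warn"; "Ignore" is
      the only value that lets unattended setup install an unsigned driver.)
    - Unsigned drivers present but no opt-in: refuse instead of silently
      weakening the installed OS, which is the default the mail argues for.
    """
    unsigned = [d.name for d in drivers if not d.signed]
    if not unsigned:
        return None
    if not allow_unsigned:
        raise UnsignedDriverRefused(
            "unsigned drivers requested without opt-in: " + ", ".join(unsigned)
        )
    return "Ignore"


def unattended_fragment(drivers: List[Driver], allow_unsigned: bool = False) -> str:
    """Render the [Unattended] fragment; the policy line appears only when needed."""
    lines = ["[Unattended]"]
    policy = driver_signing_policy(drivers, allow_unsigned)
    if policy is not None:
        lines.append(f"DriverSigningPolicy={policy}")
    return "\n".join(lines) + "\n"


def refuses_unsigned(drivers: List[Driver]) -> bool:
    """True if the default (no opt-in) path refuses this driver set."""
    try:
        driver_signing_policy(drivers)
    except UnsignedDriverRefused:
        return True
    return False


# Constructed sample inputs: one all-signed set, one mixed set.
SIGNED_ONLY = [Driver("virtio-net", signed=True), Driver("virtio-blk", signed=True)]
MIXED = [Driver("virtio-net", signed=True), Driver("vendor-gpu", signed=False)]

if __name__ == "__main__":
    print(unattended_fragment(SIGNED_ONLY))                      # no policy line
    print(unattended_fragment(MIXED, allow_unsigned=True))       # Ignore, by explicit choice
    print("refused without opt-in:", refuses_unsigned(MIXED))    # True
```

The point of the three branches is that the weak setting is reachable only through a deliberate, per-application choice, and that an all-signed driver set never produces it.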
_______________________________________________
Libosinfo mailing list
Libosinfo@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libosinfo