Przemek Klosowski <przemek.klosowski@xxxxxxxx> writes:
> On 01/22/2010 11:11 AM, Ralf Corsepius wrote:
>> Does it really mandate pollution /usr/bin and thus $PATH?

> OK, I see, you don't object to the checksums in principle, just to the
> location of the files. I don't believe that FIPS requires a specific
> location for the checksums---it's just that they are to be found
> somewhere. I can see two possible solutions:

> - fipscheck looks for the checksum in some standard location, for
> instance /lib/lib64/hmac/usr/bin/xyz, similar to how it was done in RHEL5

> - we find a way to stick the checksum in the executable itself, either
> by being clever about computing a checksum that will agree with the
> executable AFTER the checksum is written in (I have no idea how to do
> that) or by excluding the checksum field from the checksum calculation.

I'm far from an expert in this, but I thought the intent of the FIPS
standard here was to check the executables against some *separately
stored* validation information. Standard or not, your second suggestion
seems rather pointless --- an embedded checksum is 100% useless from any
security perspective, since someone who could modify the file could
change the checksum too. (I'm assuming it's just a checksum and not any
sort of digital signature.)

The separate /lib directory tree seems the way to go, to me. That way
the checksum files could be named the same as what they check, no magic
needed.

regards, tom lane

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
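
The two layouts discussed in the message above, as an added example that is not part of the original post and is not fipscheck's code. Assumptions: a plain SHA-256 checksum, hypothetical function names, a constructed temporary directory standing in for the real trees, and a checksum store that whoever modifies the executable cannot write to.

```python
import hashlib, hmac, os, tempfile

TRAILER = hashlib.sha256().digest_size  # hypothetical embedded layout: payload + digest

def checksum(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def embed(payload: bytes) -> bytes:
    """Append the checksum to the file; the trailer is excluded from its own input."""
    return payload + checksum(payload)

def verify_embedded(blob: bytes) -> bool:
    payload, stored = blob[:-TRAILER], blob[-TRAILER:]
    return hmac.compare_digest(checksum(payload), stored)

def store_path(store_root: str, target: str) -> str:
    """Mirror the target's absolute path under store_root, keeping the file name."""
    return os.path.join(store_root, os.path.abspath(target).lstrip(os.sep))

def record(store_root: str, target: str) -> None:
    path = store_path(store_root, target)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(target, "rb") as src, open(path, "w") as out:
        out.write(checksum(src.read()).hex())

def verify_separate(store_root: str, target: str) -> bool:
    try:
        with open(store_path(store_root, target)) as f:
            stored = bytes.fromhex(f.read().strip())
    except (OSError, ValueError):
        return False  # a missing or malformed record fails closed
    with open(target, "rb") as f:
        return hmac.compare_digest(checksum(f.read()), stored)

def demo() -> dict:
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "usr", "bin", "xyz")   # constructed sample file
        store = os.path.join(tmp, "hmac")                 # constructed checksum tree
        os.makedirs(os.path.dirname(target))
        with open(target, "wb") as f:
            f.write(b"original program bytes")
        record(store, target)
        results["separate_clean"] = verify_separate(store, target)
        with open(target, "wb") as f:                     # file changes, store does not
            f.write(b"modified program bytes")
        results["separate_modified"] = verify_separate(store, target)
        # Embedded layout: rewriting the file includes rewriting its trailer.
        results["embedded_modified"] = verify_embedded(embed(b"modified program bytes"))
    return results
```

The separately stored record rejects the modified file, while the embedded trailer still verifies because it was rewritten along with the payload.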