Re: Fedora 34 Change: Signed RPM Contents (late System-Wide Change)

* Peter Robinson:

> On Tue, Jan 5, 2021 at 6:41 PM Florian Weimer <fweimer@xxxxxxxxxx> wrote:
>>
>> * Ben Cotton:
>>
>> > During signing builds, the files in it will be signed with IMA
>> > signatures.  These signatures will be made with a key that’s kept by
>> > the Fedora Infrastructure team, and installed on the sign vaults.
>>
>> What is the impact on RPM database size?
>
> They're stored in xattr so it shouldn't have any noticeable impact,
> although Patrick can confirm the details of that.

If the signatures end up in RPM headers, they will land in the RPM
database, too.

“rpm -qla | wc -l” shows around 28,589 files for me, in the Fedora 33
container image.  / seems to need 183 MiB right now.  If the signatures
land in the RPM database and the file system, I expect at least 96 bytes
per file signature (digests in the header are traditionally hex-encoded,
I think).  That translates to 2.6 MiB, or ~1.4% size increase.

But quite likely there is some per-block overhead, so the numbers should
be worse.

>> Will GPLv3 packages be excluded, or will the signing keys be provided
>> upon request?
>
> The public key?

The private key.  IMA is typically used for some form of remote
attestation, I think.  I'm not sure if it is possible to distribute
hardware with IMA enforcement.  And as long as enforcement can be turned
off trivially (as required by the GPLv3, as far as I can tell), IMA seems
to be pretty useless.

Thanks,
Florian
-- 
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
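The thread above leaves open where the per-file IMA signatures actually end up (RPM header and database, security.ima extended attributes on the installed files, or both), and Florian's size estimate is done by hand. The script below is an added example, not code from this thread or from the Fedora change itself: it turns the estimate into reusable functions and inspects one installed package to count header-side and xattr-side signatures. It assumes rpm's FILESIGNATURES query tag (the tag name used by rpm 4.14 and later for per-file IMA signatures) and the getfattr tool; both are assumptions about the local toolchain, not facts stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Fedora change).
# Part 1: Florian's back-of-envelope estimate as functions.
# Part 2: inspect an installed package to see where its file signatures live:
#         the RPM header (FILESIGNATURES tag, assumed to be the rpm >= 4.14
#         tag name) and/or the security.ima extended attribute on disk.
#         Part 2 assumes rpm and getfattr are installed.

# Bytes added to the header/database for N file signatures of S bytes each.
# Thread figures: 28589 files x 96 bytes -> 2744544 bytes (~2.6 MiB).
estimate_overhead_bytes() {
    echo $(( $1 * $2 ))
}

# Size increase in percent with two decimals, integer arithmetic only,
# so it runs under plain POSIX sh. base and extra are both in bytes.
percent_increase() {
    extra=$1; base=$2
    scaled=$(( extra * 10000 / base ))
    printf '%d.%02d\n' $(( scaled / 100 )) $(( scaled % 100 ))
}

# For one installed package, print three numbers:
#   files with a signature in the RPM header,
#   files whose installed copy carries a security.ima xattr,
#   total header bytes consumed by the (hex-encoded) signatures.
inspect_package() {
    pkg=$1
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    command -v getfattr >/dev/null 2>&1 || { echo "getfattr not found" >&2; return 2; }
    tab=$(printf '\t')
    # One "path<TAB>signature" line per file in the package header.
    rpm -q --qf "[%{FILENAMES}${tab}%{FILESIGNATURES}\n]" "$pkg" |
    {
        hdr=0; xat=0; bytes=0
        while IFS="$tab" read -r path sig; do
            case $sig in
                ""|"(none)") ;;   # no signature recorded in the header
                *) hdr=$(( hdr + 1 )); bytes=$(( bytes + ${#sig} )) ;;
            esac
            # Is there also a signature on the installed file itself?
            if [ -e "$path" ] && getfattr -n security.ima "$path" >/dev/null 2>&1; then
                xat=$(( xat + 1 ))
            fi
        done
        echo "$hdr $xat $bytes"
    }
}

# Usage on a real system (output depends on the package and rpm build):
#   inspect_package coreutils
# Estimate from the thread's numbers (183 MiB = 191889408 bytes):
#   estimate_overhead_bytes 28589 96   -> 2744544
#   percent_increase 2744544 191889408 -> 1.43
```

The third number printed by inspect_package is the header-side cost for that one package, so summing it over `rpm -qa` gives the real RPM database growth rather than the 96-bytes-per-file guess; a package where the first number is nonzero but the second is zero is one whose signatures are carried in the header only and never reached the filesystem as security.ima attributes.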



